module/ConfigurationProvider/ControlConfigurations/Services/CloudService.json

{
  "FeatureName": "CloudService",
  "Reference": "aka.ms/azsktcp/cloudservice",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_CloudService_DP_DontAllow_HTTP_Access_InputEndpoints",
      "Description": "Cloud Service must only be accessible over HTTPS. Enable HTTPS for InputEndpoints.",
      "Id": "CloudService03",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping, and session-hijacking attacks.",
      "Recommendation": "Get an SSL/TLS certificate from a trusted certificate provider. Refer to https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal for more information on how to use this certificate and configure TLS for the Cloud Service endpoints.",
      "Tags": [
        "SDL",
        "Automated",
        "DP",
        "Classic",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceHttpCertificateSSLOnInputEndpoints",
      "DisplayName": "Encrypt data in transit for Cloud service role",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "CustomTags": [
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "P2",
        "Wave7",
        "CSEOPilot",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:CloudSvc_EncryptDataTransit"
      ]
    },
    {
      "ControlID": "Azure_CloudService_SI_Auto_OSUpdate",
      "Description": "Set automatic update for Cloud Service OS version.",
      "Id": "CloudService08",
      "ControlSeverity": "High",
      "Rationale": "Cloud services where automatic updates are disabled are likely to miss important security patches (human error, forgetfulness). This may lead to compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "Recommendation": "To enable automatic updates: Go to manage Azure portal --> your cloud service --> under settings section select configuration tab --> set OS version to automatic from drop-down menu --> select save.",
      "Automated": "Yes",
      "Tags": [
        "SDL",
        "Automated",
        "SI",
        "Classic",
        "Baseline",
        "Daily",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "DisplayName": "Set automatic update for Cloud Service OS version",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Enabled": true,
      "MethodName": "CheckCloudServiceOSPatchStatus",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "TenantBaseline",
        "P1",
        "Wave7",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:CloudSvc_Autoupdate"
      ]
    },
    {
      "ControlID": "Azure_CloudService_SI_Enable_AntiMalware",
      "Description": "Enable the Antimalware extension for the cloud service roles",
      "Id": "CloudService09",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "Rationale": "Antimalware provides real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, exclusion event collection etc.",
      "Recommendation": "To enable Antimalware: Go to Azure portal --> your cloud service --> Antimalware under Settings section --> select role and enable Antimalware.",
      "Tags": [
        "SDL",
        "Automated",
        "Classic",
        "OwnerAccess",
        "SI",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceAntiMalwareStatus",
      "DisplayName": "Antimalware extension must be installed on cloud service roles",
      "Category": "Deploy antimalware extension",
      "ControlRequirements": "Anti-malware must be up to date and running",
      "CustomTags": [
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "EDPreview",
        "SMTPreview",
        "SN:CloudSvc_AntiMalware"
      ]
    },
    {
      "ControlID": "Azure_CloudService_SI_Disable_RemoteDesktop_Access",
      "Description": "Disable Remote Desktop (RDP) access on cloud service roles",
      "Id": "CloudService10",
      "ControlSeverity": "High",
      "Rationale": "Remote desktop access requires inbound ports to be opened. These ports become easy targets for compromise from various internet-based attacks.",
      "Recommendation": "From Azure Portal: After logging in to the subscription, go to Home -> All Resources -> select the Cloud service resource type -> Remote Desktop. Under \"Remote Desktop\", make sure to select the \"Disabled\" toggle option. From PowerShell: Refer to https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-role-enable-remote-desktop-powershell to remove the Remote Desktop Extension from a Service. Refer to https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/remove-azureserviceremotedesktopextension?view=azuresmps-4.0.0 to learn more about the Remove-AzureServiceRemoteDesktopExtension command.",
      "Automated": "Yes",
      "DisplayName": "Disable Remote Desktop (RDP) access on cloud service roles",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "Tags": [
        "SDL",
        "Automated",
        "Classic",
        "OwnerAccess",
        "SI",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceRemoteDesktopAccess",
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P1",
        "Wave5",
        "CSEOPilot",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:RDP_disable"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "CloudServices",
          "CloudServiceDeploymentSlots",
          "CloudServiceRoles",
          "CloudServiceConfiguration",
          "CloudServiceRemoteAccessPlugin",
          "CloudServiceExtensions"
        ]
      }
    },
    {
      "ControlID": "Azure_CloudService_DP_Avoid_Plaintext_Secrets",
      "Description": "Cloud Services must not have secrets/credentials present in plain text",
      "Id": "CloudService11",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "AvoidPlaintextSecretsAsync",
      "DisplayName": "Cloud Services must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure through various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials using the API information available in Source, rotate those credentials and remove them. Use KeyVault to store secrets/credentials.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "CustomTags": [
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv7",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:CloudService_AvoidSecrets",
        "CAIWave1",
        "Secrets"
      ]
    }
  ]
}