module/ConfigurationProvider/ControlConfigurations/Services/FrontDoor.json
{
"FeatureName": "FrontDoor", "Reference": "aka.ms/azsktcp/frontDoor", "IsMaintenanceMode": false, "Controls": [
{ "ControlID": "Azure_FrontDoor_NetSec_Enable_WAF_Configuration", "Description": "Protect Internet First Applications with Azure FrontDoor classic and WAF", "Id": "FrontDoor110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckWAFConfiguredInFrontDoor", "DisplayName": "Protect Internet First Applications with Azure FrontDoor classic and WAF", "Rationale": "Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection for your web applications. WAF defends your web services against common exploits & vulnerabilities. It keeps your service highly available for your users and helps you meet compliance requirements.", "Recommendation": "To configure WAF, Go to Azure Portal --> Web Application Firewall -> Create -> Select Policy For: Global WAF (Front Door). Select Front Door Tier: Classic. Select appropriate Resource Group & Subscription. Give the Policy a name. In the Association tab, add the Front Door Hosts (Endpoints). Finally, click the 'Review + Create' button. For more information visit: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal", "Tags": [ "Baseline", "Daily", "NetSec" ], "Enabled": true, "CustomTags": [ "Preview", "TenantBaseline", "MSD", "TBv7", "TRWave4", "TRPreview", "TRBaseline", "EDPreview", "SMTPreview", "SN:FrontDoorClassic_WAF" ] },
{ "ControlID": "Azure_FrontDoor_DP_Use_Secure_TLS_Version", "Description": "Front Door Classic should have Approved Minimum TLS version", "Id": "FrontDoor120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckTLSConfigurationInFrontDoor", "DisplayName": "Front Door Classic should have Approved Minimum TLS version", "Rationale": "TLS provides privacy and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To configure TLS Version, Go to Azure Portal --> Front Door and CDN profiles -> Select Front door with pricing tier as Classic -> Go to Front Door Designer -> Select any of the Custom domains listed -> Select Minimum TLS Version as 1.2", "Tags": [ "Baseline", "DP", "Automated" ], "Enabled": true, "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "CustomTags": [ "Preview", "Daily", "TenantBaseline", "MSD", "TBv8", "CAIPreview", "EDPreview", "SMTPreview", "SN:FRONTDOOR_TLS", "CAIWave1" ], "ControlSettings": { "MinReqTLSVersion": "1.2", "DefaultDomains": [ ".azurefd.net", ".azurefd.us" ] }, "ControlEvaluationDetails": { "RequiredProperties": [ "FrontDoorCustomHttpsMinTLSVersion" ] } },
{ "ControlID": "Azure_FrontDoor_NetSec_Enable_WAF_Configuration_MCSB", "Description": "[MCSB] Web Application Firewall (WAF) should be enabled for Azure Front Door Service", "Id": "FrontDoor130", "ControlSeverity": "High", "ControlScanSource": "MDC", "Automated": "Yes", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "DisplayName": "[MCSB] Web Application Firewall (WAF) should be enabled for Azure Front Door Service", "Rationale": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.", "Recommendation": "Azure Web Application Firewall is a paid solution, refer to https://aka.ms/frontdoor-pricing for full pricing details. To manually add an Azure Web Application Firewall to your Azure Front Door Service 1. If you want to use an existing Azure Web Application Firewall for Azure Front Door Service policy, proceed to Step 2. Otherwise, open the Azure Web Application Firewall service and select 'add'. 3. On the Basics tab, in 'Policy for', select 'Global WAF (Front Door)' and in 'Policy state' select 'Enabled'. Customize the Azure Web Application Firewall as required. To finish, select 'Review + create' and 'create' the Azure Web Application Firewall. 4. Go to the Front Door service and select the Front Door service that does not have an Azure Web Application Firewall. 5. From the left sidebar, select 'Web application firewall'. 6. Select the frontend to which you're adding an Azure Web Application Firewall policy. Select 'Apply policy'. From the dropdown, select the Azure Web Application Firewall policy. Select 'Add'. 7. To save the Azure Web Application Firewall for the chosen frontend, select 'Save'. An Azure Web Application Firewall will now be applied to the Azure Front Door Service. For details, see https://aka.ms/waf-frontdoor-tutorial", "Tags": [ "Baseline", "NetSec" ], "AssessmentProperties": { "AssessmentNames": [ "0c02a769-03f1-c4d7-85a5-db5dca505c49" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }
] }