module/ConfigurationProvider/ControlConfigurations/Services/HybridCompute.json

{
  "FeatureName": "HybridCompute",
  "Reference": "aka.ms/azsktcp/hybridcompute",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_HybridCompute_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for ARC Windows Servers",
      "Id": "HybridCompute110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "PolicyandReader",
      "MethodName": "CheckTLSVersionOnlyOnWindows",
      "DisplayName": "Use approved version of TLS for ARC Windows Servers",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using an approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "Check that the minimum TLS version on Windows Servers is configured to the required minimum TLS version of 1.2",
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/828ba269-bf7f-4082-83dd-633417bc391d",
            "AssignmentId": ""
          }
        ]
      },
      "ControlSettings": {
        "ApplicableOsTypes": [
          "Windows"
        ]
      },
      "Tags": [
        "SDL",
        "Automated",
        "DP",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Weekly",
        "SN:ARCWindowsServer_TLS"
      ]
    },
    {
      "ControlID": "Azure_HybridCompute_SI_Remediate_Security_Vulnerabilities_SQLServer_MCSB",
      "Description": "[MCSB] SQL servers on ARC machines should have vulnerability findings resolved",
      "Id": "HybridCompute120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] SQL servers on ARC machines should have vulnerability findings resolved",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",
      "Recommendation": "To remediate SQL vulnerabilities and mitigate risks: 1. Navigate to a database in the Unhealthy databases list. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "f97aa83c-9b63-4f9a-99f6-b22c4398f936"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_HybridCompute_SI_Resolve_EndPointProtection_Issues_MCSB",
      "Description": "[MCSB] Endpoint protection health issues should be resolved on your Arc machines",
      "Id": "HybridCompute130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Endpoint protection health issues should be resolved on your Arc machines",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities.",
      "Recommendation": "Please refer to: https://learn.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "HybridCompute"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "37a3689a-818e-4a0e-82ac-b1392b9bb000"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_HybridCompute_SI_Install_Log_Analytics_MCSB",
      "Description": "[MCSB] Log Analytics agent must be installed on your Windows Azure Arc machines",
      "Id": "HybridCompute140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Log Analytics agent must be installed on your Windows Azure Arc machines",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing the Log Analytics agent allows Azure Monitor to collect data from your Azure VMs, which can be used for detailed analysis and correlation of events.",
      "Recommendation": "To install and enable the Log Analytics agent, please refer to: https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions-portal#enable-extensions",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "Audit"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "ad15dfe5-cff8-71f9-c543-ca34d38ce205"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_HybridCompute_SI_Install_EndpointProtection_MCSB",
      "Description": "[MCSB] Endpoint protection must be installed on your Arc machine",
      "Id": "HybridCompute160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Endpoint protection must be installed on your Arc machine",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure virtual machines without endpoint protection are exposed to viruses, spyware, and other malicious software. Endpoint protection like Antimalware for Azure provides real-time protection capability that helps identify and remove such threats.",
      "Recommendation": "Please refer to: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-configure",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "HybridCompute"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "4fb67663-9ab9-475d-b026-8c544cced439"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_HybridCompute_SI_Install_LogAnalyticsAgent_MCSB",
      "Description": "[MCSB] Log Analytics extension must be installed on your Windows Azure Arc machines",
      "Id": "HybridCompute150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Log Analytics extension must be installed on your Windows Azure Arc machines",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing the Log Analytics agent allows Azure Monitor to collect data from your Azure VMs, which can be used for detailed analysis and correlation of events.",
      "Recommendation": "Please refer to: https://learn.microsoft.com/en-us/azure/azure-arc/servers/concept-log-analytics-extension-deployment",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "HybridCompute"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "ad15dfe5-cff8-71f9-c543-ca34d38ce205"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*UneligibleResourceRecommendation"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    }
  ]
}