module/ConfigurationProvider/ControlConfigurations/Services/ServiceFabric.json
{
"FeatureName": "ServiceFabric", "Reference": "aka.ms/azsktcp/servicefabric", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_ServiceFabric_AuthZ_Security_Mode_Enabled", "Description": "Service Fabric cluster security must be enabled using security mode option", "Id": "ServiceFabric190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSecurityMode", "DisplayName": "Service Fabric cluster security must be enabled using security mode option", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "A secure cluster prevents unauthorized access to management operations, which include deployment, upgrade, and deletion of microservices. It also provides encryption for node-to-node and client-to-node communication. By contrast, an insecure cluster can be connected to by any anonymous user.", "Recommendation": "A secure cluster must be created to prevent unauthorized access to management operations (e.g., deployment, upgrade or deletion of microservices). A secure cluster also provides encryption for node-to-node communication, client-to-node communication, etc. An insecure cluster can be connected to by any anonymous user. An insecure cluster cannot be secured at a later time, so the security mode must be chosen when the cluster is created. 
For creating a secure cluster using (1) Azure Portal, refer: https://azure.microsoft.com/en-in/documentation/articles/service-fabric-cluster-creation-via-portal/#_3-security or using (2) ARM template refer:https://azure.microsoft.com/en-in/documentation/articles/service-fabric-cluster-creation-via-arm/", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "Information", "ServiceFabric", "Baseline", "Weekly" ], "Enabled": true, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_ServiceFabric_AuthN_Client_AuthN_Microsoft_Entra_ID_Only", "Description": "Client authentication must be performed only via Microsoft Entra ID", "Id": "ServiceFabric220", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "Use Microsoft Entra ID (formerly AAD) for client authentication on Service Fabric clusters", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "MethodName": "CheckAADClientAuthentication", "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.", "Recommendation": "A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer, Visual Studio and PowerShell. Access to the cluster must be controlled using Microsoft Entra ID (formerly AAD). 
Refer: https://docs.microsoft.com/en-in/azure/service-fabric/service-fabric-cluster-creation-setup-aad", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "ServiceFabric", "Baseline", "Daily", "CSEOPilotSub" ], "PolicyDefinitionGuid": "b54ed75b-3e1a-44ac-a333-05ba39b99ff0", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0", "Enabled": true, "CustomTags": [ "Windows", "TenantBaseline", "CSEOBaseline", "MSD", "Prod", "P1", "Wave7", "CSEOPilot", "EDPreview", "SMTPreview", "SN:SvcFabric_EntraIDAuth", "WEBXTWave1", "WEBXTPreview", "EPSFWave1", "EPSFPreview" ], "ControlScanSource": "MDCorReader", "AssessmentProperties": { "AssessmentNames": [ "03afeb6f-7634-adb3-0a01-803b0b9cb611" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] } }, { "ControlID": "Azure_ServiceFabric_DP_Set_Property_ClusterProtectionLevel", "Description": "The ClusterProtectionLevel property must be set to EncryptAndSign for Service Fabric clusters", "Id": "ServiceFabric230", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckClusterProtectionLevel", "DisplayName": "The ClusterProtectionLevel property must be set to EncryptAndSign for Service Fabric clusters", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "With cluster protection level set to 'EncryptAndSign', all the node-to-node messages are encrypted and digitally signed. 
This protects the intra-cluster communication from eavesdropping/tampering/man-in-the-middle attacks on the network.", "Recommendation": "Using Azure Portal: Go to the Service Fabric Cluster resource > Settings > Custom fabric settings > Edit the parameter - 'ClusterProtectionLevel' (add, if absent). Set its value to 'EncryptAndSign'. > Save.", "Tags": [ "SDL", "TCP", "Automated", "DP", "ServiceFabric", "Baseline", "Daily", "CSEOPilotP1", "CSEOPilotSub" ], "ControlScanSource": "MDCorReader", "AssessmentProperties": { "AssessmentNames": [ "7f04fc0c-4a3d-5c7e-ce19-666cb871b510" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": true, "CustomTags": [ "Windows", "Linux", "CSEOBaseline", "MSD", "TenantBaseline", "Prod", "CSEOPilot", "Wave8", "EDPreview", "SMTPreview", "SN:SvcFabric_ClusterProtectionLevel", "WEBXTWave1", "WEBXTPreview", "EPSFWave1", "EPSFPreview" ] }, { "ControlID": "Azure_ServiceFabric_AuthN_NSG_Enabled", "Description": "Network security group (NSG) must be enabled on subnets of Service Fabric cluster", "Id": "ServiceFabric240", "ControlSeverity": "Medium", "Automated": "Yes", "DisplayName": "Enable Firewall/NSGs on subnet of Service Fabric cluster", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "MethodName": "CheckNSGConfigurations", "Rationale": "Use of appropriate NSG rules can limit exposure of Service Fabric cluster in multiple scenarios. For example, RDP connections can be restricted only for specific admin machines. Incoming requests to microservices may be restricted to specific clients. 
Also, deployments can be restricted to happen only from an allowed range of IP addresses.", "Recommendation": "An NSG contains a list of Access Control List (ACL) rules that allow or deny network traffic to Service Fabric node instances in a Virtual Network. NSGs can be associated with either subnets or individual node/VM instances within a subnet. NSGs must be used in the following scenarios: (1) Restrict remote-access and management ports (this control's RestrictedPorts setting lists 445, 3389, 5985 and 22, i.e. SMB, RDP, WinRM and SSH) so they are reachable only from admin machine IPs, (2) Restrict incoming requests to microservices to trusted source IPs, (3) Lock down the remote address ranges allowed for microservice deployments. Refer: https://azure.microsoft.com/en-in/documentation/articles/virtual-networks-create-nsg-arm-pportal/", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "ServiceFabric", "Baseline", "Weekly" ], "Enabled": true, "ControlSettings": { "RestrictedPorts": "445,3389,5985,22" }, "CustomTags": [ "Windows", "Linux", "P1", "ExcludeERVnetConnectedInstance", "SN:SVC_fab_fw_NSG", "CSEOBaseline", "CSEOPilot" ] }, { "ControlID": "Azure_ServiceFabric_Audit_Publicly_Exposed_Load_Balancer_Ports", "Description": "Monitor publicly exposed ports on load balancers used by Service Fabric cluster", "Id": "ServiceFabric270", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckLBExposedPorts", "DisplayName": "Monitor publicly exposed ports on load balancers used by Service Fabric cluster", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Publicly exposed ports must be monitored so that suspicious and malicious activity is detected early and responded to in a timely manner.", "Recommendation": "Azure load balancer maps the public IP address and port number of incoming traffic to the private IP address and port number of the Service Fabric nodes (the ports opened by microservices). Intranet-only microservice ports must not be exposed to the internet. 
Moreover, publicly exposed IP addresses/ports must be reviewed against the load balancer rules as follows: Azure Portal --> Load Balancers --> <Load Balancer Name> --> Load Balancing Rules --> Validate the mapping of each public frontend port to its backend port, paying particular attention to the ports in this control's RestrictedPorts setting (19000, 19080, 445, 3389, 5985, 22), which are cluster management and remote-access ports.", "Tags": [ "SDL", "TCP", "Manual", "Audit", "ServiceFabric", "Baseline", "Weekly" ], "Enabled": true, "ControlSettings": { "RestrictedPorts": [ 19000, 19080, 445, 3389, 5985, 22 ] }, "CustomTags": [ "Windows", "Linux", "ExcludeERVnetConnectedInstance" ] }, { "ControlID": "Azure_ServiceFabric_DP_Dont_Expose_Reverse_Proxy_Port", "Description": "Reverse proxy port must not be exposed publicly for Service Fabric clusters", "Id": "ServiceFabric290", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckReverseProxyPort", "DisplayName": "Reverse proxy port must not be exposed publicly for Service Fabric clusters", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Exposing the reverse proxy's port through a load balancer rule on a public IP exposes every microservice that has an HTTP endpoint. 
Microservices meant to be internal may be discoverable by a determined malicious user.", "Recommendation": "Check that reverse proxy port is not exposed through Azure Load Balancer rules as follows: Azure Portal --> Load Balancers --> <Load Balancer Name> --> Load Balancing Rules --> Validate reverse proxy port is not exposed.", "Tags": [ "SDL", "TCP", "Automated", "DP", "ServiceFabric", "Baseline", "Daily", "CSEOPilotSub" ], "Enabled": true, "CustomTags": [ "Windows", "CSEOBaseline", "MSD", "TenantBaseline", "Prod", "ExcludeERVnetConnectedInstance", "CSEOPilot", "Wave8", "CAIPreview", "EDPreview", "SMTPreview", "SN:SvcFabric_ProxyPort" ] }, { "ControlID": "Azure_ServiceFabric_SI_Set_Auto_Update_Cluster", "Description": "Upgrade mode should be set to automatic for cluster", "Id": "ServiceFabric300", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckClusterUpgradeMode", "DisplayName": "Upgrade mode should be set to automatic for cluster", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "Rationale": "Clusters with unsupported fabric version can become targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in software.", "Recommendation": "You can set your cluster to receive automatic fabric upgrades as they are released by Microsoft, for details please refer: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-upgrade", "Tags": [ "SDL", "TCP", "Automated", "SI", "ServiceFabric", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "UpgradeMode" ] }, "Enabled": true, "CustomTags": [ "Windows", "Linux" ] }, { "ControlID": "Azure_ServiceFabric_DP_Dont_Have_Plaintext_Secrets", "Description": "Service Fabric must not have secrets/credentials present in plain text", "Id": "ServiceFabric310", "ControlSeverity": "High", 
"Automated": "Yes", "MethodName": "AvoidPlaintextSecretsAsync", "DisplayName": "Service Fabric must not have secrets/credentials present in plain text", "Category": "Credentials Access", "ControlRequirements": "Eliminating plain text credentials", "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can expose them at many points during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.", "Recommendation": "Locate the detected secrets/credentials using the API information available in Source. Treat each one as compromised: rotate it first, then remove the plain-text value, so that the old value is useless to anyone who has already seen it. Store the new secrets/credentials in Key Vault and reference them from there instead of embedding them.", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline" ], "Enabled": true, "CustomTags": [ "Daily", "TenantBaseline", "MSD", "TBv10", "TRWave4", "TRPreview", "TRBaseline", "CAIPreview", "EDPreview", "SMTPreview", "SN:ServiceFabric_AvoidSecrets", "CAIWave1", "Secrets" ] }, { "ControlID": "Azure_ServiceFabric_DP_Set_Property_ClusterProtectionLevel_MCSB", "Description": "[MCSB] Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Id": "ServiceFabric330", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "With cluster protection level set to 'EncryptAndSign', all the node-to-node messages are encrypted and digitally signed. This protects the intra-cluster communication from eavesdropping/tampering/man-in-the-middle attacks on the network.", "Recommendation": "To configure 'ClusterProtectionLevel' property using Azure Portal, go to Azure Portal --> Service Fabric Cluster --> Settings --> Custom fabric settings --> Edit the parameter - 'ClusterProtectionLevel' (add, if absent). 
Set its value to 'EncryptAndSign' --> Save.", "Tags": [ "ServiceFabric", "Baseline", "DP" ], "AssessmentProperties": { "AssessmentNames": [ "7f04fc0c-4a3d-5c7e-ce19-666cb871b510" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_ServiceFabric_DP_Set_Property_ClusterProtectionLevel_KR51", "Description": "[KR51] Protection level for Service Fabric Clusters must be encrypted and signed.", "Id": "ServiceFabric340", "ControlSeverity": "Medium", "Automated": "Yes", "ControlScanSource": "Policy", "DisplayName": "[KR51] Protection level for Service Fabric clusters must be Encrypted and signed.", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "With cluster protection level set to 'EncryptAndSign', all the node-to-node messages are encrypted and digitally signed. This protects the intra-cluster communication from eavesdropping/tampering/man-in-the-middle attacks on the network.", "Recommendation": "Using Azure Portal: Go to the Service Fabric Cluster resource > Settings > Custom fabric settings > Edit the parameter - 'ClusterProtectionLevel' (add, if absent). Set its value to 'EncryptAndSign'. 
> Save.", "Tags": [ "Baseline", "Automated", "ServiceFabric", "DP" ], "CustomPolicyProperties": { "PolicyDefinitionandAssignmentIdMapping": [ { "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68", "AssignmentId": "" } ] }, "CustomDeploymentPolicyProperties": { "PolicyDefinitonMappings": [ { "EffectType": "Deny", "DefinitionType": "Definition", "DisplayName": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Description": "Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.", "Id": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68" } ] }, "Enabled": false, "CustomTags": [ "KR51", "Daily" ] }, { "ControlID": "Azure_ServiceFabric_AuthN_Client_Use_AAD_Only_KR51", "Description": "[KR51] Use Azure Active directory for client authentication on Service Fabric clusters.", "Id": "ServiceFabric350", "ControlSeverity": "Medium", "Automated": "Yes", "ControlScanSource": "Policy", "DisplayName": "[KR51] Use Azure Active directory for client authentication on Service Fabric clusters.", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. 
All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.", "Recommendation": "A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer, Visual Studio and PowerShell. Access to the cluster must be controlled using AAD. Refer: https://docs.microsoft.com/en-in/azure/service-fabric/service-fabric-cluster-creation-setup-aad", "Tags": [ "Baseline", "Automated", "ServiceFabric", "AuthN" ], "CustomPolicyProperties": { "PolicyDefinitionandAssignmentIdMapping": [ { "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0", "AssignmentId": "" } ] }, "CustomDeploymentPolicyProperties": { "PolicyDefinitonMappings": [ { "EffectType": "Deny", "DefinitionType": "Definition", "DisplayName": "Service Fabric clusters should only use Azure Active Directory for client authentication", "Description": "Perform Client authentication only via Azure Active Directory in Service Fabric", "Id": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0" } ] }, "Enabled": false, "CustomTags": [ "KR51", "Daily" ] } ] } |