module/ConfigurationProvider/ControlConfigurations/Services/VirtualMachine.json

{
  "FeatureName": "VirtualMachine",
  "Reference": "aka.ms/azsktcp/virtualmachine",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Antimalware",
      "Description": "Antimalware must be enabled with real-time protection on the Virtual Machine",
      "Id": "VirtualMachine130",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckAntimalwareExtensionStatus",
      "DisplayName": "Ensure all devices have anti-malware protection installed and enabled",
      "Category": "Deploy antimalware extension",
      "ControlRequirements": "Anti-malware must be up to date and running",
      "AssessmentName": "83f577bd-a1b6-b7e1-0891-12ca19d1e6df",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "83f577bd-a1b6-b7e1-0891-12ca19d1e6df"
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
      "Rationale": "Enabling antimalware protection minimizes the risk from existing and new attacks by various types of malware. Microsoft Antimalware provides real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, sample reporting, exclusion event collection, etc.",
      "Recommendation": "To install antimalware, go to Azure Portal --> VM Properties --> Extensions --> Add 'Microsoft Antimalware' --> Enable Real-Time Protection and Scheduled Scan --> Click Ok. If antimalware is already present on the VM, validate and resolve the endpoint protection recommendations in MDC. Note: the Microsoft Antimalware (IaaSAntimalware) extension is available for Windows VMs only; for Linux VMs, rely on the MDC endpoint protection recommendations for a supported solution. Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection, https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions",
          "AntiMalwareExtension"
        ]
      },
      "Enabled": true,
      "PolicyDefinitionGuid": "af6cd1bd-1635-48cb-bde7-5b15693900b9",
      "ControlSettings": {
        "ReqExtensionType": "IaaSAntimalware",
        "ReqExtensionPublisher": "Microsoft.Azure.Security",
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "SOX",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P0",
        "Wave2",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Anti-Malware"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Antimalware_Trial",
      "Description": "[Trial] Antimalware must be enabled with real-time protection on the Virtual Machine",
      "Id": "VirtualMachine390",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckAntimalwareExtensionStatusTrial",
      "DisplayName": "[Trial] Ensure all devices have anti-malware protection installed and enabled",
      "Category": "Deploy antimalware extension",
      "ControlRequirements": "Anti-malware must be up to date and running",
      "ControlScanSource": "Reader",
      "Rationale": "Enabling antimalware protection minimizes the risk from existing and new attacks by various types of malware. Microsoft Antimalware provides real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, sample reporting, exclusion event collection, etc.",
      "Recommendation": "To install antimalware, go to Azure Portal --> VM Properties --> Extensions --> Add 'Microsoft Antimalware' --> Enable Real-Time Protection and Scheduled Scan --> Click Ok. If antimalware is already present on the VM, validate and resolve the endpoint protection recommendations in MDC. Note: the Microsoft Antimalware (IaaSAntimalware) extension is available for Windows VMs only; for Linux VMs, rely on the MDC endpoint protection recommendations for a supported solution. Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection, https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "Baseline",
        "Daily"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType"
        ]
      },
      "Enabled": false,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_Config_Enable_NSG",
      "Description": "NSG must be configured for Virtual Machine",
      "Id": "VirtualMachine140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGConfig",
      "ControlScanSource": "MDCandReader",
      "DisplayName": "Internet-facing virtual machines must be protected with Network Security Groups",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Restricting inbound and outbound traffic via NSGs limits the network exposure of a VM by reducing the attack surface.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/endpoints-in-resource-manager, https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-nsg-arm-ps",
      "AssessmentProperties": {
        "AssessmentNames": [
          "483f12ed-ae23-447e-a2de-a67a10db4353"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "NICs"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ExcludeERVnetConnectedInstance",
        "ActiveBaseline",
        "TenantBaseline",
        "P0",
        "Wave1",
        "SN:Ext_VM_NSG",
        "MSD",
        "Prod",
        "EDPreview",
        "SMTPreview",
        "CSEOBaseline",
        "CSEOPilot",
        "TRWave4",
        "TRPreview",
        "TRBaseline"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Justify_PublicIPs",
      "Description": "Public IPs on a Virtual Machine should be carefully reviewed",
      "Id": "VirtualMachine150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIP",
      "DisplayName": "Public IPs on a Virtual Machine should be carefully reviewed",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "A public IP provides direct access from the internet, exposing the VM to attacks over the public network. Hence each public IP on a VM must be reviewed carefully and retained only where there is a justified need.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Network Interfaces --> <Select NIC> --> IP Configurations --> <Select IP Configs with Public IP> --> Click 'Disabled' --> Save. Where a public IP must be kept, document the justification and ensure inbound traffic to it is restricted with an NSG. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "PublicIpAllocationMethod",
        "IpConfiguration",
        "Id",
        "DnsSettings"
      ],
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Enable_Disk_Encryption",
      "Description": "Disk encryption must be enabled on both OS and data disks for Windows Virtual Machine",
      "Id": "VirtualMachine160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckDiskEncryption",
      "DisplayName": "Disk encryption should be applied on virtual machines",
      "Category": "Encrypt data at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "AssessmentName": "d57a4221-a804-52ca-3dea-768284f06bb7",
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "d57a4221-a804-52ca-3dea-768284f06bb7"
        ]
      },
      "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. In the case of VMs, both OS and data disks may contain sensitive information that needs to be protected at rest. Hence disk encryption must be enabled for both.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json. Note: After enabling disk encryption, it takes some time for the change to be reflected in Microsoft Defender for Cloud (MDC). If you scan immediately, the control may still fail even though the VM itself shows as encrypted. Wait a few hours and re-scan to confirm the fix.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "PolicyDefinitionGuid": "0961003e-5a0a-4549-abde-af6a37f2724d",
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_MDC_OS_Vulnerabilities",
      "Description": "Virtual Machine must be in a healthy state in Microsoft Defender for Cloud",
      "Id": "VirtualMachine171",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDCandReader",
      "MethodName": "CheckMDCVMSecurityBaselineStatus",
      "DisplayName": "Virtual Machine must be in a healthy state in Microsoft Defender for Cloud",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for Cloud flags VMs whose OS security configuration does not meet the expected security baseline. It is important that these findings are remediated promptly in order to reduce the exposure to attacks.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-remediate-os-vulnerabilities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "AssessmentProperties": {
        "AssessmentNames": [
          "181ac480-f7c4-544b-9865-11b8ffe87f47"
        ]
      },
      "ControlSettings": {
        "MDCApprovedBaselineStatuses": {
          "Windows": [
            "Healthy"
          ],
          "Linux": [
            "Healthy"
          ]
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Missing_OS_Patches",
      "Description": "Virtual Machines must have all the required OS patches installed.",
      "Id": "VirtualMachine172",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckVMOSPatches",
      "DisplayName": "Patch virtual machines to protect against vulnerabilities",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "Reader",
      "Rationale": "Unpatched VMs are easy targets for compromise by malware/trojan attacks that exploit known vulnerabilities in the operating system and related software.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates. Note: MDC can take up to 24 hours to reflect the latest patch status, so re-scan after that window before treating a fix as confirmed.",
      "Tags": [
        "SDL",
        "TCP",
        "Audit",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "SOX",
        "P0",
        "MSD",
        "Prod",
        "TenantBaseline",
        "Wave2",
        "EDPreview",
        "SMTPreview",
        "SN:Patching"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Missing_OS_Patches_Trial",
      "Description": "[Trial] Virtual Machines must have all the required OS patches installed.",
      "Id": "VirtualMachine174",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckVMOSPatchesTrial",
      "DisplayName": "[Trial] Patch virtual machines to protect against vulnerabilities",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "Reader",
      "Rationale": "Unpatched VMs are easy targets for compromise by malware/trojan attacks that exploit known vulnerabilities in the operating system and related software.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates. Note: MDC can take up to 24 hours to reflect the latest patch status, so re-scan after that window before treating a fix as confirmed.",
      "Tags": [
        "SDL",
        "TCP",
        "Audit",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "Enabled": false,
      "ControlSettings": {
        "ApplicableOsTypes": [
          "Windows",
          "Linux"
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_MDC_Recommendations",
      "Description": "Virtual Machine must implement all the flagged MDC recommendations.",
      "Id": "VirtualMachine173",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDCandReader",
      "MethodName": "CheckMDCVMRecommendations",
      "DisplayName": "Virtual Machine must implement all the flagged MDC recommendations",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "AssessmentProperties": {
        "AssessmentNames": [
          "d57a4221-a804-52ca-3dea-768284f06bb7",
          "35f45c95-27cf-4e52-891f-8390d1de5828",
          "ffff0522-1e88-47fc-8382-2a80ba848f5d"
        ]
      },
      "Rationale": "Microsoft Defender for Cloud provides various security recommendations for resources that are not compliant with some baseline security protection. It is important that these recommendations are resolved promptly in order to reduce the exposure to attacks.",
      "Recommendation": "First, examine the detailed AzSK log file for this VM to find out the specific recommendations this control is currently failing for. Review the MDC documentation for those recommendations and implement the suggested fixes. (Note: AzSK flags only a subset of MDC recommendations, so the first step is critical.) Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-virtual-machine-recommendations",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "ERvNet",
        "VirtualMachine",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_Audit_Enable_Diagnostics",
      "Description": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine",
      "Id": "VirtualMachine180",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckVMDiagnostics",
      "DisplayName": "Diagnostics must be enabled on the Virtual Machine",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Guest-level diagnostic logs are needed to build an activity trail when investigating an incident or a compromise.",
      "Recommendation": "Go to Azure Portal --> VM Properties --> Diagnostics settings --> Enable guest-level-monitoring. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/azure-diagnostics",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlSettings": {
        "RequiredDiagnosticsExtensions": {
          "Windows": [
            {
              "ExtensionType": "IaaSDiagnostics",
              "Publisher": "Microsoft.Azure.Diagnostics"
            }
          ],
          "Linux": [
            {
              "ExtensionType": "LinuxDiagnostic",
              "Publisher": "Microsoft.Azure.Diagnostics"
            }
          ]
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Vuln_Solution",
      "Description": "Vulnerability assessment solution should be installed on VM",
      "Id": "VirtualMachine200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckVulnAgentStatus",
      "DisplayName": "Install DSRE Qualys Cloud Agent on assets",
      "Category": "Vulnerability assessments must be enabled on all services",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "ffff0522-1e88-47fc-8382-2a80ba848f5d"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*SecurityApplianceIrrelevantRecommendation|SecurityApplianceNonRelevantRecommendation(.)*"
          }
        ]
      },
      "Rationale": "Known OS/framework vulnerabilities in a system are easy targets for attackers. An attacker can start by compromising a VM/container with such a vulnerability and eventually compromise the security of the entire network. A vulnerability assessment solution helps detect and warn about vulnerabilities in the system so they can be addressed in a timely manner.",
      "Recommendation": "To install vulnerability assessment solution, please refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "VirtualMachine",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": false,
      "ControlSettings": {
        "Windows": {
          "ExtensionType": "QualysAgent",
          "ExtensionPublisher": "Qualys"
        },
        "Linux": {
          "ExtensionType": "QualysAgentLinux",
          "ExtensionPublisher": "Qualys"
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ActiveBaseline",
        "P1",
        "Wave99",
        "SN:InstallQualys"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Deploy_GuestConfig_Extension",
      "Description": "Guest Configuration extension must be deployed to the VM using Azure Policy assignment.",
      "Id": "VirtualMachine210",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckGuestConfigExtension",
      "DisplayName": "Guest Configuration extension must be deployed to the VM using Azure Policy assignment.",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing the Guest Configuration extension on a VM allows Azure Policy to evaluate in-guest settings, making it possible to audit system and security configuration inside the VM for compliance.",
      "Recommendation": "This control checks that the VM meets the following criteria: [a] the Guest Configuration extension is installed and provisioned successfully, [b] a 'SystemAssigned' managed identity (MSI) is enabled for the VM. Both the required Guest Configuration extension and the system-assigned MSI are deployed and configured automatically when the machine is in scope for an Azure Policy assignment that includes definitions in the Guest Configuration category. Note: the system-assigned identity has no permissions until roles are assigned to it; keep any such role assignments least-privilege.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "Baseline"
      ],
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "6c99f570-2ce7-46bc-8175-cde013df43bc"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "AssessmentIdForMI": {
          "AssessmentID": "69133b6b-695a-43eb-a763-221e19556755"
        },
        "Windows": {
          "ExtensionType": "ConfigurationForWindows",
          "ExtensionPublisher": "Microsoft.GuestConfiguration",
          "ProvisioningState": "Succeeded"
        },
        "Linux": {
          "ExtensionType": "ConfigurationForLinux",
          "ExtensionPublisher": "Microsoft.GuestConfiguration",
          "ProvisioningState": "Succeeded"
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "Daily",
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv9",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "EDPreview",
        "SMTPreview",
        "SN:VM_GuestConfigPrereq"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Monitoring_Agent_MDC",
      "Description": "Ensure the MMA on your VM is healthy (running successfully)",
      "Id": "VirtualMachine350",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "Rationale": "One or more extensions may be required to maintain data-plane security hygiene and visibility for all Azure VMs in use at an organization. It is important to ensure all required extensions are installed and in a healthy provisioning state.",
      "DisplayName": "Ensure the MMA on your VM is healthy (running successfully)",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?context=/azure/virtual-machines/context/context. Note: the linked guidance covers the Azure Monitor Agent (AMA), which supersedes the legacy Log Analytics agent (MMA) checked by this control; plan the migration accordingly.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline"
      ],
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "d1db3318-01ff-16de-29eb-28b344515626"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux",
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Monitoring_Agent",
      "Description": "Ensure MMA or AMA is running on your VM.",
      "Id": "VirtualMachine230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMonitoringExtension",
      "Rationale": "One or more extensions may be required to maintain data-plane security hygiene and visibility for all Azure VMs in use at an organization. It is important to ensure all required extensions are installed and in a healthy provisioning state.",
      "DisplayName": "Ensure MMA or AMA is running on your VM.",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?context=/azure/virtual-machines/context/context. Either the legacy Log Analytics agent (MMA) or the Azure Monitor Agent (AMA) satisfies this control; prefer AMA for new deployments.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Windows",
        "Baseline",
        "Linux"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": false,
      "ControlSettings": {
        "ExtensionsForWindows": [
          {
            "ExtensionType": "MicrosoftMonitoringAgent",
            "Publisher": "Microsoft.EnterpriseCloud.Monitoring"
          },
          {
            "ExtensionType": "AzureMonitorWindowsAgent",
            "Publisher": "Microsoft.Azure.Monitor"
          }
        ],
        "ExtensionsForLinux": [
          {
            "ExtensionType": "OmsAgentForLinux",
            "Publisher": "Microsoft.EnterpriseCloud.Monitoring"
          },
          {
            "ExtensionType": "AzureMonitorLinuxAgent",
            "Publisher": "Microsoft.Azure.Monitor"
          }
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Daily",
        "Windows",
        "Linux",
        "SN:VM_MonitoringAgent"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Dont_Open_Restricted_Ports",
      "Description": "Do not leave restricted ports open on Virtual Machines",
      "Id": "VirtualMachine240",
      "ControlSeverity": "Critical",
      "ControlScanSource": "MDCandReader",
      "Automated": "Yes",
      "MethodName": "CheckRestrictedPorts",
      "DisplayName": "Management ports must not be open on machines",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute-force credentials to gain administrative access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select the security rule that allows management ports (e.g. RDP-3389, WINRM-5985, WINRM-5986, SSH-22, SMB-445) --> Click 'Deny' under Action --> Click Save. If administrative access is required, enable Just-in-Time (JIT) VM access in Microsoft Defender for Cloud, which this control accepts as passing, or restrict the rule's source to specific trusted IP ranges rather than 'Any'/Internet.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "OwnerAccess",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "NICs"
        ]
      },
      "AssessmentProperties": {
        "AssessmentNames": [
          "805651bc-6ecd-4c73-9b55-97a19d0582d0"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "Healthy",
            "EffectiveVerificationResult": "Verify"
          },
          {
            "AssessmentStatusCode": "Healthy",
            "EffectiveVerificationResult": "Passed",
            "AssessmentStatusCausePatterns": "(.)*JitIsEnabled(.)*"
          }
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "RestrictedPortsForWindows": "445,3389,5985,5986",
        "RestrictedPortsForLinux": "445,3389,22",
        "JITRuleNamePrefix": [ "SecurityCenter-JITRule", "MicrosoftDefenderForCloud-JITRule" ],
        "PrivateIpAddressPrefixesToExclude": [
          "10.0.0.0/8",
          "172.16.0.0/12",
          "192.168.0.0/16"
        ],
        "SourcesToExclude": [
          "AzureLoadBalancer"
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ExcludeERVnetConnectedInstance",
        "ActiveBaseline",
        "P0",
        "TenantBaseline",
        "Wave1",
        "SN:AZ_VM_port",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "EDPreview",
        "SMTPreview",
        "CSEOPilot"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Deploy_Data_Collection_Extension",
      "Description": "Network traffic data collection agent should be installed on Windows/Linux virtual machines",
      "Id": "VirtualMachine250",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckDataCollectionExtension",
      "DisplayName": "[Preview]: Install Network data collection agents",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "AssessmentName": "8c3e93d3-0276-4d06-b20a-9a9f3012742c",
      "ControlScanSource": "MDCorReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "820832fc-6403-caaa-18b0-3a43cda5e649",
          "fd5fb6c4-5c3c-1741-c90f-a9e092faf4ce"
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
      "Rationale": "Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ERvNet",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "Windows": {
          "ExtensionType": "DependencyAgentWindows",
          "ExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent"
        },
        "Linux": {
          "ExtensionType": "DependencyAgentLinux",
          "ExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent"
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "P1",
        "SN:Ntwk_agents"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Apply_MDC_Network_Recommendations",
      "Description": "Adaptive Network Hardening uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to further restrict NSGs rules for an improved security posture.",
      "Id": "VirtualMachine260",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Apply Adaptive Network Hardening to Internet facing virtual machines",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "AssessmentName": "f9f0eed0-f143-47bf-b856-671ea2eeed62",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "f9f0eed0-f143-47bf-b856-671ea2eeed62"
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
      "Rationale": "Adaptive Network Hardening uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to further restrict NSGs rules for an improved security posture.",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening#what-is-adaptive-network-hardening",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "Baseline",
        "Daily"
      ],
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P1",
        "Wave3",
        "EDPreview",
        "SMTPreview",
        "SN:Net_Hardening"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Security_Vulnerabilities",
      "Description": "Vulnerabilities in security configuration on your machines should be remediated",
      "Id": "VirtualMachine290",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Vulnerabilities in security configuration on your machines must be remediated.",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "AssessmentName": "181ac480-f7c4-544b-9865-11b8ffe87f47",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "181ac480-f7c4-544b-9865-11b8ffe87f47"
        ]
      },
      "PolicyDefinitionId": "",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "Go to security center --> Compute & apps --> VMs and Servers --> Click on VM name --> Click on VM Vulnerability remediation recommendation --> Click on Take Action --> Remediate list of vulnerabilities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "ERvNet",
        "Baseline",
        "Weekly",
        "ExcludedControl"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Container_Security_Vulnerabilities",
      "Description": "Vulnerabilities in container security configurations should be remediated",
      "Id": "VirtualMachine280",
      "DisplayName": "Vulnerabilities in container security configurations must be remediated",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "AssessmentName": "0677209d-e675-2c6f-e91a-54cef2878663",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "0677209d-e675-2c6f-e91a-54cef2878663"
        ],
        "ResourceDetails": {
          "HasExtendedResourceId": true
        },
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "AssignmentNotFound",
            "EffectiveVerificationResult": "NotApplicable"
          }
        ]
      },
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "",
      "Recommendation": "Go to security center --> Compute & apps --> Containers --> Click on VM name --> Click on VM Container Vulnerability remediation recommendation --> Click on Take Action --> Remediate list of vulnerabilities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "VirtualMachine",
        "Baseline",
        "Weekly",
        "ExcludedControl",
        "ExcludeDatabricks"
      ],
      "Enabled": true,
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising a VM/container with such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner. Unpatched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_VirtualMachine_Just_In_Time_Network_Access_Control",
      "Description": "Possible network Just In Time (JIT) access will be monitored by Microsoft Defender for Cloud as recommendations",
      "Id": "VirtualMachine281",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Just-In-Time network access control must be applied on virtual machines",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "AssessmentName": "805651bc-6ecd-4c73-9b55-97a19d0582d0",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "805651bc-6ecd-4c73-9b55-97a19d0582d0"
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
      "Rationale": "Just-In-Time (JIT) network access keeps management ports closed by default and opens them only for an approved request, for a limited time and from a specified source, which reduces exposure to brute-force and credential attacks against management ports. For new deployments, require Just-In-Time network access control on virtual machines (policy effect \"Deny\"). For existing VMs, force the deployment of Just-In-Time network access on virtual machines (policy effect \"DeployIfNotExists\").",
      "Recommendation": "Go to Microsoft Defender for Cloud --> Just-in-time VM access --> 'Not Configured' tab --> Select the VM(s) --> Click 'Enable JIT on N VMs'. Review the resulting JIT policy so that only the required management ports, source IP ranges and request duration are allowed.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline",
        "Weekly",
        "ExcludedControl",
        "ExcludeDatabricks",
        "ExcludeKubernetes"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Assessment_Soln_Vulnerabilities",
      "Description": "Vulnerabilities should be remediated by a Vulnerability Assessment solution",
      "Id": "VirtualMachine300",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Vulnerabilities must be remediated by a Vulnerability Assessment solution",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "AssessmentName": "71992a2a-d168-42e0-b10e-6b45fa2ecddb",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "71992a2a-d168-42e0-b10e-6b45fa2ecddb"
        ]
      },
      "PolicyDefinitionId": "",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "Go to security center --> Compute & apps --> VMs and Servers --> Click on VM name --> Click on VM Vulnerability remediation recommendation by Assessment solution --> Click on Take Action --> Remediate list of vulnerabilities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline",
        "Weekly",
        "ExcludedControl",
        "ExcludeDatabricks",
        "ExcludeKubernetes"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Open_Allowed_Ports_Only",
      "Description": "Only allowed ports must be opened on Virtual Machines",
      "Id": "VirtualMachine310",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckAllowedPorts",
      "DisplayName": "Only allowed ports must be opened on Virtual Machines",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Every inbound port opened beyond the configured allowed set (AllowedPortsForWindows/AllowedPortsForLinux) widens the VM's attack surface. In particular, open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select each security rule that allows inbound traffic on a port outside the configured allowed list (443 and 80 by default; management ports such as RDP-3389, WINRM-5985 and SSH-22 are never part of it) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "OwnerAccess",
        "VirtualMachine",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "NICs"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "AllowedPortsForWindows": "443,80",
        "AllowedPortsForLinux": "443,80",
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ExcludeERVnetConnectedInstance"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Sense_Agent_Trial",
      "Description": "[Trial] Sense Agent provides TVM data and other enhanced telemetry to the backend DSRE/CDG MDATP instance.",
      "Id": "VirtualMachine380",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckSenseAgentStatus",
      "DisplayName": "[Trial] Ensure Sense Agent is installed and healthy",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlScanSource": "Reader",
      "Rationale": "The Sense agent provides threat and vulnerability management (TVM) data and other enhanced endpoint telemetry to the backend MDATP (Microsoft Defender for Endpoint) instance. Without an installed and healthy agent, known OS/framework vulnerabilities on the machine are not reported and can go unremediated; such vulnerabilities are easy targets for attackers, who can start by compromising the VM and eventually compromise the security of the entire network.",
      "Recommendation": "NA",
      "Tags": [
        "SI",
        "VirtualMachine",
        "Baseline",
        "Daily",
        "ExcludeDatabricks",
        "ExcludeKubernetes"
      ],
      "ControlSettings": {
        "ApplicableOsTypes": [
          "Windows",
          "Linux"
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType"
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Windows",
        "Linux",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Sense_Agent",
      "Description": "Ensure Sense Agent is installed and healthy",
      "Id": "VirtualMachine320",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckSenseAgentStatus",
      "DisplayName": "Ensure Sense Agent is installed and healthy",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlScanSource": "Reader",
      "Rationale": "The Sense agent provides threat and vulnerability management (TVM) data and other enhanced endpoint telemetry to the backend MDATP (Microsoft Defender for Endpoint) instance. Without an installed and healthy agent, known OS/framework vulnerabilities on the machine are not reported and can go unremediated; such vulnerabilities are easy targets for attackers, who can start by compromising the VM and eventually compromise the security of the entire network.",
      "Recommendation": "NA",
      "Tags": [
        "SI",
        "VirtualMachine",
        "Baseline",
        "ExcludeDatabricks",
        "ExcludeKubernetes"
      ],
      "ControlSettings": {
        "ApplicableOsTypes": [
          "Windows"
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux",
        "Daily",
        "P0",
        "MSD",
        "TenantBaseline",
        "Wave6",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "TBv12",
        "SN:SENSE_Agent"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Avoid_Plaintext_Secrets",
      "Description": "Virtual Machines must not have secrets/credentials present in plain text",
      "Id": "VirtualMachine400",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "AvoidPlaintextSecretsAsync",
      "DisplayName": "Virtual Machines must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Treat every detected secret as compromised: locate it using the API information available in Source, rotate the credential first, and only then remove the plain-text value from the VM. Store secrets/credentials in Azure Key Vault and retrieve them at runtime instead of embedding them.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "CustomTags": [
        "Preview",
        "TenantBaseline",
        "EDPreview",
        "SMTPreview",
        "MSD",
        "TBv7",
        "CAIPreview",
        "SN:VirtualMachine_AvoidSecrets",
        "CAIWave1",
        "Secrets"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for Windows Servers",
      "Id": "VirtualMachine420",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "PolicyandReader",
      "MethodName": "CheckTLSVersionOnlyOnWindows",
      "DisplayName": "Use approved version of TLS for Windows Servers",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "Configure Windows Servers so that the minimum enabled TLS protocol version is TLS 1.2 (older versions such as TLS 1.0 and 1.1 must be disabled), and verify the effective configuration after the change.",
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/828ba269-bf7f-4082-83dd-633417bc391d",
            "AssignmentId": ""
          }
        ]
      },
      "ControlSettings": {
        "ApplicableOsTypes": [
          "Windows"
        ]
      },
      "Tags": [
        "SDL",
        "Automated",
        "DP",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Weekly",
        "SN:WindowsServer_TLS"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Install_System_Updates_MCSB",
      "Description": "[MCSB] System updates should be installed on your machines",
      "Id": "VirtualMachine490",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] System updates should be installed on your machines",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Machines with missing updates are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems.",
      "Recommendation": "Click an identified outstanding update. In the 'Missing system updates' pane, click the support link (when one exists) and follow the instructions.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Deploy_GuestConfig_Extension_MCSB",
      "Description": "[MCSB] Virtual machine Guest Configuration extension should be deployed with system-assigned managed identity",
      "Id": "VirtualMachine500",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Virtual machine Guest Configuration extension should be deployed with system-assigned managed identity",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing Guest configuration extension with system-assigned managed identity on VM allows you to run In-Guest Policy on the VM, making it possible to monitor system and security policies for compliance checks in the VM.",
      "Recommendation": "To enable a system-assigned managed identity, deploy the 'Enable a system-assigned managed identity' initiative: 1. Register the resource provider. 2. Deploy requirements for Azure virtual machines. Learn more about configuring the Guest Configuration prerequisites at https://docs.microsoft.com/azure/governance/policy/concepts/guest-configuration#enable-guest-configuration",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "69133b6b-695a-43eb-a763-221e19556755"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ],
        "ResourceDetails": {
          "HasExtendedResourceId": true,
          "ExtendedIdResourceTypes": [
            "Microsoft.Compute/Virtualmachines/extensions"
          ]
        }
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Security_Vulnerabilities_Linux_MCSB",
      "Description": "[MCSB] Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)",
      "Id": "VirtualMachine510",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "1. Go to security recommendations in the MDC portal. 2. Select any of the findings. 3. In the pane that opens on the right, follow the instructions under 'Remediation', if present.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "1f655fb7-63ca-4980-91a3-56dbc2b715c6"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Security_Vulnerabilities_Windows_MCSB",
      "Description": "[MCSB] Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)",
      "Id": "VirtualMachine520",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "1. Go to security recommendations in the MDC portal. 2. Select any of the findings. 3. In the pane that opens on the right, follow the instructions under 'Remediation', if present.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "8c3d9ad0-3639-4686-9cd2-2b2ab2609bda"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Security_Vulnerabilities_SQLServer_MCSB",
      "Description": "[MCSB] SQL servers on machines should have vulnerability findings resolved",
      "Id": "VirtualMachine530",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] SQL servers on machines should have vulnerability findings resolved",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.",
      "Recommendation": "To remediate SQL vulnerabilities and mitigate risks: 1. Navigate to a database in the Unhealthy databases list. 2. Review the set of Failed security checks found by the scan, which are sorted from high to low risk. 3. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 4. Either remediate the vulnerability using the provided script, or set the result as an acceptable baseline for the check so that it will be considered passing in subsequent scans.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "f97aa83c-9b63-4f9a-99f6-b22c4398f936"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Apply_Adaptive_Network_Hardening_Recommendations_MCSB",
      "Description": "[MCSB] Adaptive network hardening recommendations should be applied on internet facing virtual machines",
      "Id": "VirtualMachine540",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Adaptive network hardening recommendations should be applied on internet facing virtual machines",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "Rationale": "Adaptive Network Hardening uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to further restrict NSG rules for an improved security posture.",
      "Recommendation": "To apply network recommendations, please refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening#what-is-adaptive-network-hardening",
      "AssessmentProperties": {
        "AssessmentNames": [
          "f9f0eed0-f143-47bf-b856-671ea2eeed62"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "SDL",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Restrict_Network_Ports_NSG_MCSB",
      "Description": "[MCSB] All network ports should be restricted on network security groups associated to your virtual machine",
      "Id": "VirtualMachine550",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] All network ports should be restricted on network security groups associated to your virtual machine",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "Rationale": "Open network ports expose a virtual machine to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "To restrict access to your virtual machines, edit the inbound rules from the Azure Portal: Go to Azure Portal --> Virtual machines service --> Select Virtual machine --> 'Networking' blade --> click Network Security Group with overly permissive rules ('Any->Any') --> click on each of the rules that are overly permissive --> Apply less permissive source IP ranges --> click 'Save'. If some or all of these virtual machines do not need to be accessed directly from the Internet, then you can also consider removing the public IP associated with them.",
      "AssessmentProperties": {
        "AssessmentNames": [
          "3b20e985-f71f-483b-b078-f30d73936d43"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "SDL",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Configure_NSG_MCSB",
      "Description": "[MCSB] Virtual machines should be protected with Network Security Groups",
      "Id": "VirtualMachine560",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Virtual machines should be protected with Network Security Groups",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Restricting inbound and outbound traffic via NSGs limits the network exposure of a VM by reducing the attack surface.",
      "Recommendation": "To enable Network Security Group, please refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/endpoints-in-resource-manager, https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-nsg-arm-ps",
      "AssessmentProperties": {
        "AssessmentNames": [
          "483f12ed-ae23-447e-a2de-a67a10db4353",
          "a9341235-9389-42f0-a0bf-9bfb57960d44"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "SDL",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Dont_Open_Restricted_Ports_MCSB",
      "Description": "[MCSB] Management ports should be closed on your virtual machines",
      "Id": "VirtualMachine590",
      "ControlSeverity": "High",
      "ControlScanSource": "MDC",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Management ports should be closed on your virtual machines",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, WINRM-5986, SSH-22, SMB-445) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "bc303248-3d14-44c2-96a0-55f5c326b5fe"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Enable_Just_In_Time_Network_Access_Control_MCSB",
      "Description": "[MCSB] Management ports of virtual machines should be protected with just-in-time network access control",
      "Id": "VirtualMachine600",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Management ports of virtual machines should be protected with just-in-time network access control",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "805651bc-6ecd-4c73-9b55-97a19d0582d0"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Rationale": "Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks.",
      "Recommendation": "Refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage",
      "Tags": [
        "SDL",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Use_Secure_TLS_Version_MCSB",
      "Description": "[MCSB] Windows web servers should be configured to use secure communication protocols",
      "Id": "VirtualMachine610",
      "ControlSeverity": "High",
      "ControlScanSource": "MDC",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Windows web servers should be configured to use secure communication protocols",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using an approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To configure the TLS version on Windows web servers, go to Azure portal --> Create an Azure Key Vault --> Generate or upload a certificate to the key vault --> Create a VM and install the web server --> Install the certificate into the VM and configure the server with TLS version 1.2.",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Tags": [
        "DP",
        "VirtualMachine",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "87448ec1-55f6-3746-3f79-0f35beee76b4"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Enable_Disk_Encryption_MCSB",
      "Description": "[MCSB] Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
      "Id": "VirtualMachine620",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. In the case of VMs, both OS and data disks may contain sensitive information that needs to be protected at rest. Hence disk encryption must be enabled for both.",
      "Recommendation": "To encrypt data in virtual machines, please refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json. Note: After enabling disk encryption, it takes some time for changes to reflect in Microsoft Defender for Cloud (MDC). Thus, if you scan immediately, the control may still fail even though the VM itself shows as encrypted. Please wait a few hours to ascertain the fix.",
      "Tags": [
        "VirtualMachine",
        "Baseline",
        "DP"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "d57a4221-a804-52ca-3dea-768284f06bb7"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_AuthN_Use_SSH_Keys_Linux_MCSB",
      "Description": "[MCSB] Authentication to Linux machines should require SSH keys",
      "Id": "VirtualMachine630",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Authentication to Linux machines should require SSH keys",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys.",
      "Recommendation": "To authenticate Linux VM using SSH keys, please refer: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed",
      "Tags": [
        "Automated",
        "AuthN",
        "Baseline",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "22441184-2f7b-d4a0-e00b-4c5eaef4afc9"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
 
    {
      "ControlID": "Azure_VirtualMachine_BCDR_Enable_Backup_MCSB",
      "Description": "[MCSB] Azure Backup should be enabled for Virtual Machines",
      "Id": "VirtualMachine650",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Azure Backup should be enabled for Virtual Machines",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs.",
      "Recommendation": "To enable Azure Backup for VM, please refer: https://learn.microsoft.com/en-us/azure/backup/backup-during-vm-creation#start-a-backup-after-creating-the-vm",
      "Tags": [
        "Automated",
        "BCDR",
        "Baseline",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "f2f595ec-5dc6-68b4-82ef-b63563e9c610"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Enable_vTPM_MCSB",
      "Description": "[MCSB] vTPM should be enabled on supported virtual machines",
      "Id": "VirtualMachine660",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] vTPM should be enabled on supported virtual machines",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Enable the virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, the vTPM can be used to attest boot integrity.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm",
      "Tags": [
        "Automated",
        "NetSec",
        "Baseline",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "861bbc73-0a55-8d1d-efc6-e92d9e1176e0"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Install_Guest_Extension_Windows_MCSB",
      "Description": "[MCSB] Guest Attestation extension should be installed on supported windows virtual machines",
      "Id": "VirtualMachine670",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Guest Attestation extension should be installed on supported windows virtual machines",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing the Guest Attestation extension on supported virtual machines and scale sets allows Azure Security Center to proactively attest and monitor the boot integrity.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows#azure-portal",
      "Tags": [
        "Automated",
        "SI",
        "Baseline",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "874b14bd-b49e-495a-88c6-46acb89b0a33"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Install_Guest_Extension_Linux_MCSB",
      "Description": "[MCSB] Guest Attestation extension should be installed on supported linux virtual machines",
      "Id": "VirtualMachine680",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Guest Attestation extension should be installed on supported linux virtual machines",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing the Guest Attestation extension on supported virtual machines and scale sets allows Azure Security Center to proactively attest and monitor the boot integrity.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows#azure-portal",
      "Tags": [
        "Automated",
        "SI",
        "Baseline",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "e94a7421-fc27-7a4d-e9ba-2ba01384cacd"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_AuthN_Enable_Microsoft_Entra_ID_Auth_Linux",
      "Description": "Entra ID (formerly AAD) extension must be deployed to the Linux VM.",
      "Id": "VirtualMachine690",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckAADExtensionTrial",
      "DisplayName": "Entra ID (formerly AAD) extension must be deployed to the Linux VM.",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Installing the AAD extension on a VM allows you to log in to the VM using Azure AD, making it possible to log in without a password and improving authentication security.",
      "Recommendation": "To install AAD Extension in Virtual Machine, Go to Azure Portal --> Virtual Machine --> Settings --> Extensions+Applications --> Click Add --> Select AADSSHForLinuxVM --> Click Next --> Click Review+Create.",
      "Enabled": true,
      "ControlSettings": {
        "Linux": {
          "ExtensionType": "AADSSHLoginForLinux",
          "ExtensionPublisher": "Microsoft.Azure.ActiveDirectory",
          "ProvisioningState": "Succeeded"
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "Tags": [
        "Automated",
        "AuthN",
        "Baseline",
        "VirtualMachine",
        "ExcludeDatabricks"
      ],
      "CustomTags": [
        "Daily",
        "Preview",
        "TenantBaseline",
        "MSD",
        "TBv9",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:LINUX_VM_EntraIDAuth"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Resolve_EndPointProtection_Issues_MCSB",
      "Description": "[MCSB] Endpoint protection health issues should be resolved on your machines.",
      "Id": "VirtualMachine770",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Endpoint protection health issues should be resolved on your machines",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "37a3689a-818e-4a0e-82ac-b1392b9bb000"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Install_Guest_Configuration_Extension_MCSB",
      "Description": "[MCSB] Guest Configuration extension should be installed on your machines",
      "Id": "VirtualMachine780",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Guest Configuration extension should be installed on your machines",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/guest-configuration",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "6c99f570-2ce7-46bc-8175-cde013df43bc"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Vulnerabilities_MCSB",
      "Description": "[MCSB] Vulnerabilities in container security configurations should be remediated",
      "Id": "VirtualMachine700",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Vulnerabilities in container security configurations should be remediated",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Vulnerabilities in the security configuration of machines with Docker installed are audited and displayed as recommendations in Azure Security Center.",
      "Recommendation": "To remediate vulnerabilities in Virtual Machines please refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/remediate-vulnerability-findings-vm#view-findings-from-the-scans-of-your-virtual-machines",
      "Tags": [
        "Automated",
        "SI",
        "Baseline",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "0677209d-e675-2c6f-e91a-54cef2878663"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "NonDockerNonRelevantRecommendation(.)*"
          },
          {
            "AssessmentStatusCode": "AssignmentNotFound",
            "EffectiveVerificationResult": "NotApplicable"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Monitor_Endpoint_MCSB",
      "Description": "[MCSB] Monitor missing Endpoint Protection in Microsoft Defender for Cloud",
      "Id": "VirtualMachine710",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Monitor missing Endpoint Protection in Microsoft Defender for Cloud",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Servers without an installed Endpoint Protection agent will be monitored by Microsoft Defender for Cloud as recommendations.",
      "Recommendation": "To enable Endpoint Protection on a VM, Go to Azure Portal --> Microsoft Defender for Cloud --> Click Security posture --> Select the environment and click View recommendations --> Click on the policy --> Select the VMs that need endpoint protection --> Click Install on VMs",
      "Tags": [
        "Automated",
        "SI",
        "Baseline",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a",
          "83f577bd-a1b6-b7e1-0891-12ca19d1e6df"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Update_Adaptive_Control_Policy_Rules_MCSB",
      "Description": "[MCSB] Allowlist rules in your adaptive application control policy must be updated",
      "Id": "VirtualMachine720",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Allowlist rules in your adaptive application control policy must be updated",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications.",
      "Recommendation": "To enable allowlist rules for VMs in Microsoft Defender for Cloud please refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/adaptive-application-controls#enable-application-controls-on-a-group-of-machines",
      "Tags": [
        "Automated",
        "SI",
        "Baseline",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "1234abcd-1b53-4fd4-9835-2c2fa3935313"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "DatabricksIrrelevantRecommendation(.)*|ServersStandardTierOnly(.)*|MissingDataOrUnsupported(.)*"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Disable_IP_Forwarding_MCSB",
      "Description": "[MCSB] IP forwarding on your virtual machine must be disabled",
      "Id": "VirtualMachine790",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] IP forwarding on your virtual machine must be disabled",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore it should be reviewed by the network security team.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-network-interface-addresses?tabs=nic-address-portal",
      "Tags": [
        "Automated",
        "Baseline",
        "NetSec",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "c3b51c94-588b-426b-a892-24696f9e54cc"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_SecureBoot_Windows_MCSB",
      "Description": "[MCSB] Secure Boot must be enabled on supported Windows virtual machines",
      "Id": "VirtualMachine730",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Secure Boot must be enabled on supported Windows virtual machines",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "69ad830b-d98c-b1cf-2158-9d69d38c7093"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*DatabricksIrrelevantRecommendation"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Vulnerability_Assessment_MCSB",
      "Description": "[MCSB] A vulnerability assessment solution must be enabled on your virtual machines.",
      "Id": "VirtualMachine740",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] A vulnerability assessment solution must be enabled on your virtual machines.",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.",
      "Recommendation": "To install vulnerability assessment solution, please refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "1195afff-c881-495e-9bc5-1486211ae03f",
          "ffff0522-1e88-47fc-8382-2a80ba848f5d"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Security_Configuration_MCSB",
      "Description": "[MCSB] Vulnerabilities in security configuration on your machines should be remediated.",
      "Id": "VirtualMachine750",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Vulnerabilities in security configuration on your machines should be remediated.",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Remediate vulnerabilities in security configuration on your machines to protect them from attacks.",
      "Recommendation": "1. Click any of the configuration vulnerability rules. 2. In the Vulnerability details pane, read the remediation description and follow the instructions.",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "c476dc48-8110-4139-91af-c8d940896b98"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*VmNotReportingHB|VmReportingHBButNotMainTable(.)*"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Security_Vulnerabilities_MCSB",
      "Description": "[MCSB] Vulnerabilities in security configuration on your machines should be remediated",
      "Id": "VirtualMachine800",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Vulnerabilities in security configuration on your machines must be remediated.",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "Go to security center --> Compute & apps --> VMs and Servers --> Click on VM name --> Click on VM Vulnerability remediation recommendation --> Click on Take Action --> Remediate list of vulnerabilities.",
      "AssessmentProperties": {
        "AssessmentNames": [
          "181ac480-f7c4-544b-9865-11b8ffe87f47"
        ]
      },
      "Tags": [
        "Automated",
        "SI",
        "VirtualMachine",
        "Baseline"
      ],
      "AssessmentStatusMappings": [
        {
          "AssessmentStatusCode": "NotApplicable",
          "EffectiveVerificationResult": "Failed",
          "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
          "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
        }
      ],
      "Enabled": false,
      "CustomTags": [
        "MCSB",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Windows_Defender_Exploit_Guard_MCSB",
      "Description": "[MCSB] Windows Defender Exploit Guard must be enabled on machines",
      "Id": "VirtualMachine810",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Windows Defender Exploit Guard must be enabled on machines",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Enabling Exploit Guard helps secure VMs from threats through multiple preventive measures such as Attack Surface Reduction, Controlled folder access, Exploit protection, and Network protection.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "22489c48-27d1-4e40-9420-4303ad9cffef"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "ManagedIdentityMissing(.)*|GCExtensionIdentityMissing(.)*"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Install_Network_Traffic_Data_Collection_Agent_MCSB",
      "Description": "[MCSB] Network traffic data collection agent must be installed on your virtual machines",
      "Id": "VirtualMachine820",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Network traffic data collection agent must be installed on your virtual machines",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.",
      "Recommendation": "To install Network traffic data collection agent in Azure VM using portal, Go to Azure Portal --> VM --> Properties --> Extensions+Applications --> Click 'Add' --> Select 'DependencyAgentWindows/DependencyAgentLinux' --> Click 'Next' --> Click Add",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "820832fc-6403-caaa-18b0-3a43cda5e649",
          "fd5fb6c4-5c3c-1741-c90f-a9e092faf4ce"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Install_Log_Analytics_Agent_MCSB",
      "Description": "[MCSB] Log Analytics agent must be installed on your virtual machine for Azure Security Center monitoring.",
      "Id": "VirtualMachine830",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Log Analytics agent must be installed on your virtual machine for Azure Security Center monitoring.",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing the Log Analytics agent allows Azure Monitor to collect data from your Azure VMs which can be used for detailed analysis and correlation of events.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "d1db3318-01ff-16de-29eb-28b344515626"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*UneligibleResourceRecommendation"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Install_EndpointProtection_MCSB",
      "Description": "[MCSB] Endpoint protection must be installed on your machines",
      "Id": "VirtualMachine840",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Endpoint protection must be installed on your machines",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure virtual machines without endpoint protection are exposed to viruses, spyware, and other malicious software. Endpoint protection such as Antimalware for Azure provides real-time protection that helps identify and remove such threats.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-configure",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "4fb67663-9ab9-475d-b026-8c544cced439"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Adaptive_Application_Controls_MCSB",
      "Description": "[MCSB] Adaptive application controls for defining safe applications must be enabled on your machines",
      "Id": "VirtualMachine850",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Adaptive application controls for defining safe applications must be enabled on your machines",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/adaptive-application-controls",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "35f45c95-27cf-4e52-891f-8390d1de5828"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*MissingDataOrUnsupported"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Migrate_To_Azure_Resource_Manager_Resources_MCSB",
      "Description": "[MCSB] Virtual machines must be migrated to new Azure Resource Manager resources",
      "Id": "VirtualMachine860",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Virtual machines must be migrated to new Azure Resource Manager resources",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/virtual-machines/migration-classic-resource-manager-cli",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "VirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "12018f4f-3d10-999b-e4c4-86ec25be08a1"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_AuthN_Enable_AAD_Auth_Windows",
      "Description": "AAD extension must be deployed to the Windows VM",
      "Id": "VirtualMachine870",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckAADExtensionForWindows",
      "DisplayName": "AAD extension must be deployed to the Windows VM",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Installing the AAD extension on a VM allows users to log in to the VM with Azure AD, making passwordless login possible and improving authentication security.",
      "Recommendation": "To install AAD Extension in Virtual Machine, Go to Azure Portal --> Virtual Machine --> Settings --> Extensions+Applications --> Click Add --> Select 'Azure AD based Windows Login' --> Click Next --> Click Review+Create.",
      "Enabled": true,
      "ControlSettings": {
        "Windows": {
          "ExtensionType": "AADLoginForWindows",
          "ExtensionPublisher": "Microsoft.Azure.ActiveDirectory",
          "ProvisioningState": "Succeeded"
        },
        "ExcludeBasedOnExtension": {
          "Windows": {
            "AllMandatory": false,
            "Extensions": [
              {
                "Type": "Compute.AKS.Windows.Billing",
                "Publisher": "Microsoft.AKS",
                "ExclusionMessage": "VM is part of AKS cluster."
              }
            ]
          }
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "Tags": [
        "Automated",
        "AuthN",
        "Baseline",
        "VirtualMachine",
        "ExcludeDatabricks"
      ],
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_Audit_Enable_DataCollectionRule",
      "Description": "Enable security logging in Azure Virtual Machines",
      "Id": "VirtualMachine880",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckVMDataCollectionRules",
      "DisplayName": "Enable security logging in Azure Virtual Machines",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Audit logs must be enabled, as they provide the details needed to investigate threats in case of a security breach.",
      "Recommendation": "You can change the data collection rules from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-data-collection. While configuring or updating the data collection rule, the ['audit success','audit failure'] logs should be enabled.",
      "Tags": [
        "VirtualMachine",
        "Baseline",
        "Audit",
        "Diagnostics",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "ExcludeServiceFabric"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "Extensions",
          "DataCollectionRules"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "ExcludeADBVM": true,
        "RequiredOsType": [ "Windows" ],
        "ExcludeBasedOnExtension": {
          "Windows": {
            "AllMandatory": false,
            "Extensions": [
              {
                "Type": "Compute.AKS.Windows.Billing",
                "Publisher": "Microsoft.AKS",
                "ExclusionMessage": "VM is part of AKS cluster."
              },
              {
                "Type": "ServiceFabricNode",
                "Publisher": "Microsoft.Azure.ServiceFabric",
                "ExclusionMessage": "VM is part of Service fabric cluster."
              }
            ]
          }
        },
        "Windows": {
          "ExtensionType": "AzureMonitorWindowsAgent",
          "ExtensionPublisher": "Microsoft.Azure.Monitor",
          "ProvisioningState": "Succeeded",
          "RequiredDiagnosticLogs": [ "Audit Failure", "Audit Success" ],
          "RequiredAuditLogsValue": "13510798882111488",
          "AuditLogsConfig": [
            {
              "Name": "Audit Failure",
              "Value": "4503599627370496"
            },
            {
              "Name": "Audit Success",
              "Value": "9007199254740992"
            }
          ]
        }
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "TBv14",
        "SN:VirtualMachine_Logging"
      ]
    }
  ]
}