Framework/Configurations/SVT/Services/CloudService.json

{
  "FeatureName": "CloudService",
  "Reference": "aka.ms/azsdkosstcp",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_CloudService_AuthN_Use_AAD_for_Client_AuthN",
      "Id": "CloudService01",
      "ControlSeverity": "High",
      "Description": "Cloud Service must authenticate users using Azure Active Directory (AAD)-backed credentials",
      "Automated": "No",
      "Recommendation": "Create an AAD application and configure it with your cloud service URLs so that AAD authentication is enforced for every request. Refer: https://blogs.msdn.microsoft.com/visualstudio/2014/11/19/connecting-to-cloud-services/",
      "Tags": [ "SDL" ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CloudService_DP_DontAllow_HTTP_Access_InstanceEndpoints",
      "Id": "CloudService02",
      "ControlSeverity": "High",
      "Description": "Cloud Service must only be accessible over HTTPS. Enable HTTPS for InstanceEndpoints.",
      "Automated": "Yes",
      "Recommendation": "Get an SSL certificate from a trusted certificate provider. Upload that certificate to the cloud service. Update the instance endpoints by changing their protocol from HTTP to HTTPS in the .csdef file, so that no plain-HTTP instance endpoint remains. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceHttpCertificateSSLOnInstanceEndpoints"
    },
   {
      "ControlID": "Azure_CloudService_DP_DontAllow_HTTP_Access_InputEndpoints",
      "Id": "CloudService03",
      "ControlSeverity": "High",
      "Description": "Cloud Service must only be accessible over HTTPS. Enable HTTPS for InputEndpoints.",
      "Automated": "Yes",
      "Recommendation": "Get an SSL certificate from a trusted certificate provider. Upload that certificate to the cloud service. Update the input endpoints by changing their protocol from HTTP to HTTPS in the .csdef file, so that no plain-HTTP input endpoint remains. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceHttpCertificateSSLOnInputEndpoints"
   },
    {
      "ControlID": "Azure_CloudService_DP_Use_Approved_IPRanges_on_InstanceEndpoints",
      "Id": "CloudService04",
      "ControlSeverity": "Medium",
      "Description": "Use approved IP Address Ranges for Instance Endpoints",
      "Recommendation": "Reserve a public IP address for your subscription and reference it in the PublicIP section of the cloud service configuration file. Upload the updated .cscfg file to your cloud service. Refer: https://azure.microsoft.com/en-in/blog/reserved-ip-addresses/",
      "Automated": "Yes",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceInstanceEndpointsIPSettings"
    },
    {
      "ControlID": "Azure_CloudService_DP_Validate_InternalEndpoints",
      "Id": "CloudService05",
      "ControlSeverity": "Medium",
      "Description": "Remove unused internal endpoints",
      "Recommendation": "Remove unused internal endpoints from the .csdef file and redeploy your cloud service so the change takes effect. Refer: https://azure.microsoft.com/en-us/documentation/articles/cloud-services-enable-communication-role-instances",
      "Automated": "Yes",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceInputEndpoints"
    },
    {
      "ControlID": "Azure_CloudService_Config_Disable_RemoteDebugging",
      "Id": "CloudService06",
      "ControlSeverity": "High",
      "Description": "Remote debugging must be turned off",
      "Recommendation": "Remove the [Microsoft.WindowsAzure.Plugins.RemoteDebugger*] endpoints from the .csdef file and redeploy your cloud service so the change takes effect. Refer: https://docs.microsoft.com/en-us/azure/vs-azure-tools-debug-cloud-services-virtual-machines",
      "Automated": "Yes",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceRemoteDebuggingStatus"
    },
    {
      "ControlID": "Azure_CloudService_DP_CNAME_with_SSL",
      "Id": "CloudService07",
      "ControlSeverity": "Medium",
      "Description": "A custom domain (CNAME) backed by a matching SSL certificate should be configured for the cloud service.",
      "Recommendation": "Get an SSL certificate for your CNAME from a trusted certificate provider and upload it to your cloud service. Map the CNAME to the VIP of your cloud service at your DNS registrar. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name",
      "Automated": "No",
      "Tags": [ "SDL" ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CloudService_Config_Auto_OSUpdate",
      "Id": "CloudService08",
      "ControlSeverity": "High",
      "Description": "Automatic OS Updates should be turned ON",
      "Recommendation": "To enable automatic updates: in the Azure portal, go to your cloud service --> Configure tab --> set the operating system version to Automatic.",
      "Automated": "No",
      "Tags": [ "SDL" ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CloudService_Config_Enable_AntiMalware",
      "Id": "CloudService09",
      "ControlSeverity": "High",
      "Description": "Enable the Antimalware extension for the cloud service roles",
      "Automated": "Yes",
      "Recommendation": "To enable Antimalware: in the Azure portal, go to your cloud service --> Settings --> Antimalware --> select the role and enable Antimalware.",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceAntiMalwareStatus"
    },
    {
      "ControlID": "Azure_CloudService_Config_Disable_RemoteDesktop_Access",
      "Id": "CloudService10",
      "ControlSeverity": "High",
      "Description": "Remote Desktop (RDP) access must be disabled on cloud service roles",
      "Recommendation": "In the Azure portal, go to your cloud service --> Settings --> Remote Desktop --> disable Remote Desktop.",
      "Automated": "Yes",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceRemoteDesktopAccess"
    }
  ]
}