Framework/Configurations/SVT/Services/VirtualMachine.json

{
  "FeatureName": "VirtualMachine",
  "Reference": "aka.ms/azsdkosstcp/vm",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_VirtualMachine_Deploy_Latest_OS_Version",
      "Description": "Virtual Machine should have latest OS version installed",
      "Id": "VirtualMachine110",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckOSVersion",
      "Recommendation": "Update OS version to the latest available. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/update-azurermvm?view=azurermps-3.8.0",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Deploy",
        "Windows",
        "Linux"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_Config_OS_Auto_Update_Windows",
      "Description": "OS automatic updates must be enabled on Windows Virtual Machine",
      "Id": "VirtualMachine120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckOSAutoUpdateStatus",
      "Recommendation": "Run command: Set-AzureRmVMOperatingSystem with the '-EnableAutoUpdate' flag. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmoperatingsystem?view=azurermps-3.8.0",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "Windows",
        "SOX"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_Config_Enable_Antimalware_Windows",
      "Description": "Antimalware must be enabled with real time protection on Windows Virtual Machine",
      "Id": "VirtualMachine130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAntimalwareStatus",
      "Recommendation": "Run command: Set-AzureRmVMExtension -ResourceGroupName '{resourceGroupName}' -Location '{location}' -VMName '{vmName}' -Name '{ExtensionName}' -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' -TypeHandlerVersion '{versionString}' -SettingString '{settingString}'. Refer: https://blogs.msdn.microsoft.com/azuresecurity/2016/02/24/update-on-microsoft-antimalware-and-azure-resource-manager-arm-vms/, https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware, https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmextension?view=azurermps-3.7.0",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "Windows",
        "SOX"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_Config_Enable_NSG",
      "Description": "NSG must be configured for Virtual Machine",
      "Id": "VirtualMachine140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGConfig",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/endpoints-in-resource-manager, https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-nsg-arm-ps",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "Windows",
        "Linux"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Justify_PublicIPs",
      "Description": "Public IPs on a Virtual Machine should be carefully reviewed",
      "Id": "VirtualMachine150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIP",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#a-namecreate-ip-configaadd-a-secondary-ip-configuration-to-a-nic Or use steps on portal: VM Properties -> Network Interfaces -> <Select NIC> -> IP Configurations -> <Select IP Configs with Public IP> -> Click “Disabled” -> Save",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "Windows",
        "Linux"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Enable_Disk_Encryption_Windows",
      "Description": "Disk encryption must be enabled on both OS and data disks for Windows Virtual Machine",
      "Id": "VirtualMachine160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckDiskEncryption",
      "Recommendation": "Run command: Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName '{RGName}' -VMName '{VMName}' -AadClientID '{AADClientID}' -AadClientSecret '{AADClientSecret}' -DiskEncryptionKeyVaultUrl '{DiskEncryptionKeyVaultUrl}' -DiskEncryptionKeyVaultId '{KeyVaultResourceId}'. Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json, https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption, https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmdiskencryptionextension?view=azurermps-3.8.0",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Windows"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_Audit_ASC_Healthy",
      "Description": "Virtual Machine must be in a healthy state in Azure Security Center",
      "Id": "VirtualMachine170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckASCStatus",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Windows",
        "Linux"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_Audit_Enable_Diagnostics",
      "Description": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine",
      "Id": "VirtualMachine180",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckVMDiagnostics",
      "Recommendation": "Run command: Set-AzureVMDiagnosticsExtension -DiagnosticsConfigurationPath '{DiagnosticsConfigurationPath}' -StorageAccountName '{StorageAccountName}' -StorageAccountKey '{StorageAccountKey}' -StorageAccountEndpoint '{StorageAccountEndpoint}' -StorageContext '{StorageContext}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azure/set-azurevmdiagnosticsextension?view=azuresmps-3.7.0",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Windows",
        "Linux"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Dont_Open_Management_Ports",
      "Description": "Do not leave management ports open on Virtual Machines",
      "Id": "VirtualMachine190",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckOpenPorts",
      "Recommendation": "Run command: Set-AzureRmNetworkSecurityRuleConfig -Name '{Name}' -NetworkSecurityGroup '{PSNetworkSecurityGroup}' -Access 'Deny'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/set-azurermnetworksecurityruleconfig?view=azurermps-3.8.0",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "Windows",
        "Linux",
        "OwnerAccess"
      ],
      "Enabled": true
    }
  ]
}