Framework/Configurations/SVT/Services/CloudService.json

{
  "FeatureName": "CloudService",
  "Reference": "aka.ms/azsdkosstcp",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_CloudService_AuthN_Use_AAD_for_Client_AuthN",
      "Id": "CloudService01",
                         "ControlSeverity": "High",
      "Description": "Cloud Service must authenticate users using Azure Active Directory backed credentials",
      "Automated": "No",
      "Recommendation": "Create an AAD App. Configure the App with your cloud service URLs to enforce AAD auth for every request. Refer: https://blogs.msdn.microsoft.com/visualstudio/2014/11/19/connecting-to-cloud-services/",
      "Tags": [ "SDL" ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CloudService_DP_DontAllow_HTTP_Access_InstanceEndpoints",
      "Id": "CloudService02",
                         "ControlSeverity": "High",
      "Description": "Cloud Service instance endpoints must only be accessible over HTTPS.",
      "Automated": "Yes",
      "Recommendation": "Get an SSL certificate from a trusted SSL provider. Upload that certificate to the cloud service. Update instance endpoints by renaming HTTP to HTTPS in .csdef. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceHttpCertificateSSLOnInstanceEndpoints"
    },
    {
      "ControlID": "Azure_CloudService_DP_DontAllow_HTTP_Access_InputEndpoints",
      "Id": "CloudService03",
                         "ControlSeverity": "High",
      "Description": "Cloud Service input endpoints must only be accessible over HTTPS.",
      "Automated": "Yes",
      "Recommendation": "Get an SSL certificate from a trusted SSL provider. Upload that certificate to the cloud service. Update input endpoints by renaming HTTP to HTTPS in .csdef. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceHttpCertificateSSLOnInputEndpoints"
    },
    {
      "ControlID": "Azure_CloudService_DP_Use_Approved_IPRanges_on_InstanceEndpoints",
      "Id": "CloudService04",
                         "ControlSeverity": "Medium",
      "Description": "Use approved IP address ranges for instance endpoints.",
      "Recommendation": "Get a reserved public IP for your subscription and update the cloud service configuration file under the PublicIP section. Upload the updated .cscfg file to your cloud service. Refer: https://azure.microsoft.com/en-in/blog/reserved-ip-addresses/",
      "Automated": "Yes",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceInstanceEndpointsIPSettings"
    },
    {
      "ControlID": "Azure_CloudService_DP_Validate_InternalEndpoints",
      "Id": "CloudService05",
                         "ControlSeverity": "Medium",
      "Description": "Remove unused internal endpoints.",
      "Recommendation": "Remove unused internal endpoints from .csdef and redeploy your cloud service to apply the change. Refer: https://azure.microsoft.com/en-us/documentation/articles/cloud-services-enable-communication-role-instances",
      "Automated": "Yes",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceInputEndpoints"
    },
    {
      "ControlID": "Azure_CloudService_Config_Disable_RemoteDebugging",
      "Id": "CloudService06",
                         "ControlSeverity": "High",
      "Description": "Remote debugging must be turned off.",
      "Recommendation": "Remove [Microsoft.WindowsAzure.Plugins.RemoteDebugger*] endpoints from .csdef and redeploy your cloud service to apply the change. Refer: https://docs.microsoft.com/en-us/azure/vs-azure-tools-debug-cloud-services-virtual-machines",
      "Automated": "Yes",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceRemoteDebuggingStatus"
    },
    {
      "ControlID": "Azure_CloudService_DP_CNAME_with_SSL",
      "Id": "CloudService07",
                         "ControlSeverity": "Medium",
      "Description": "CNAME should be configured for the cloud service.",
      "Recommendation": "Get an SSL certificate for your CNAME from a trusted SSL provider and upload it to your cloud service from the portal. Map the VIP of your cloud service at your DNS registrar's website. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name",
      "Automated": "No",
      "Tags": [ "SDL" ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CloudService_Config_Auto_OSUpdate",
      "Id": "CloudService08",
                         "ControlSeverity": "High",
      "Description": "Automatic OS updates should be turned on.",
      "Recommendation": "Go to the Azure portal --> your cloud service --> Configure tab --> set the operating system version to Automatic.",
      "Automated": "No",
      "Tags": [ "SDL" ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_CloudService_Config_Enable_AntiMalware",
      "Id": "CloudService09",
                         "ControlSeverity": "High",
      "Description": "Enable the Antimalware extension.",
      "Automated": "Yes",
      "Recommendation": "Go to the Azure portal --> your cloud service --> Antimalware under the Settings section --> select the role and enable Antimalware.",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceAntiMalwareStatus"
    },
    {
      "ControlID": "Azure_CloudService_Config_Disable_RemoteDesktop_Access",
      "Id": "CloudService10",
                         "ControlSeverity": "High",
      "Description": "Remote Desktop access must be disabled.",
      "Recommendation": "Go to the Azure portal --> your cloud service --> Remote Desktop under the Settings section --> disable Remote Desktop.",
      "Automated": "Yes",
      "Tags": [ "SDL" ],
      "Enabled": true,
      "MethodName": "CheckCloudServiceRemoteDesktopAccess"
    }
  ]
}