Framework/Configurations/SVT/Services/ApplicationProxy.json

{
  "FeatureName": "ApplicationProxy",
  "Reference": "aka.ms/azsktcp/appproxy",
  "IsMaintenanceMode": false,
    "Controls": [
      {
        "ControlID": "Azure_ApplicationProxy_Deploy_Only_Secure_Apps",
        "Description": "Only security compliant apps should be onboarded to AAD App Proxy.",
        "Id": "ApplicationProxy110",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "AAD App proxy facilitates remote access to your on-prem apps. If these apps have not been designed and implemented securely, then security issues of your apps get exposed to the internet.",
        "Recommendation": "Ensure that apps you expose via App Proxy have been built using secure development standards/process such as SDL (Refer: https://www.microsoft.com/en-us/sdl)",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "Deploy",
          "ApplicationProxy"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ApplicationProxy_AuthN_Use_AAD_PreAuth",
        "Description": "AAD Authentication must be enabled as a pre-authentication method on your app.",
        "Id": "ApplicationProxy120",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Pre-authentication by its very nature, blocks a significant number of anonymous attacks, because only authenticated identities can access the back-end application.",
        "Recommendation": "AAD Application Administrator (or higher privilege role) can check app pre-authentication configuration from portal or by running command 'Get-AzureADApplicationProxyApplication -ObjectId <AADAppID>'. To enable AAD Auth run command 'Set-AzureADApplicationProxyApplication -ObjectId <AppObjectID> -ExternalAuthenticationType AadPreAuthentication'. Refer: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal#publish-an-on-premises-app-for-remote-access.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthN",
          "ApplicationProxy"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ApplicationProxy_DP_Remove_Connector_Machine_Logs",
        "Description": "Delete personal data captured in logs on connector machine periodically or turn off connector machine logging if not required.",
        "Id": "ApplicationProxy130",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Connector machine logs may contain personal data. This needs to be handled with care and purged when not needed in keeping with good privacy principles.",
        "Recommendation": "Turn off logging/delete personal data regularly on all connector machines. Refer: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-remove-personal-data",
        "Tags": [
            "SDL",
            "TCP",
            "Manual",
            "DP",
            "ApplicationProxy"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ApplicationProxy_Config_Enable_HTTPOnly_Cookie",
        "Description": "HTTP-Only cookie must be enabled while configuring App Proxy wherever possible.",
        "Id": "ApplicationProxy140",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Using an HTTP-Only cookie protects against cross site scripting (XSS) attacks by disallowing cookie access to client side scripts.",
        "Recommendation": "AAD Application Administrator (or higher privilege role) can check app cookie setting from portal or by running command 'Get-AzureADApplicationProxyApplication -ObjectId <AADAppID>'. To enable HTTP-Only cookie, run command 'Set-AzureADApplicationProxyApplication -ObjectId <AADAppID> -IsHttpOnlyCookieEnabled $true'. Refer: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal#publish-an-on-premises-app-for-remote-access.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "Config",
          "ApplicationProxy"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_ApplicationProxy_SI_Lockdown_ConnectorMachine",
        "Description": "Use a security hardened, locked down OS image for the connector machine.",
        "Id": "ApplicationProxy150",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "The connector machine is serving as a 'gateway' into the corporate environment allowing internet based client endpoints access to enterprise data. Using a locked-down, secure baseline configuration ensures that this machine does not get leveraged as an entry point to attack the applications/corporate network.",
        "Recommendation": "Use a locked down OS configuration. Ensure that the system is always fully patched, has real-time malware protection enabled, OS firewall and disk encryption turned on, etc. Also, monitor this VM just like you'd monitor a high-value asset.",
           "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "Config",
          "ApplicationProxy"
        ],
        "Enabled": true
      }
    ]
}