AzSK

4.5.1

Framework/Configurations/SVT/Services/ApplicationProxy.json

                                {

  "FeatureName": "ApplicationProxy",

  "Reference": "aka.ms/azsktcp/appproxy",

  "IsMaintenanceMode": false,

    "Controls": [

      {

        "ControlID": "Azure_ApplicationProxy_Deploy_Only_Secure_Apps",

        "Description": "Only security compliant apps should be onboarded to AAD App Proxy.", 

        "Id": "ApplicationProxy110",

        "ControlSeverity": "High",

        "Automated": "No",

        "MethodName": "",

        "Rationale": "AAD App proxy facilitates remote access to your on-prem apps. If these apps have not been designed and implemented securely, then security issues of your apps get exposed to the internet.",

        "Recommendation": "Ensure that apps you expose via App Proxy have been built using secure development standards/process such as SDL (Refer: https://www.microsoft.com/en-us/sdl)",

        "Tags": [

          "SDL",

          "TCP",

          "Manual",

          "Deploy",

          "ApplicationProxy"

        ],

        "Enabled": true

      },

      {

        "ControlID": "Azure_ApplicationProxy_AuthN_Use_AAD_PreAuth",

        "Description": "AAD Authentication must be enabled as a pre-authentication method on your app.",

        "Id": "ApplicationProxy120",

        "ControlSeverity": "High",

        "Automated": "No",

        "MethodName": "",

        "Rationale": "Pre-authentication by its very nature, blocks a significant number of anonymous attacks, because only authenticated identities can access the back-end application.",

        "Recommendation": "AAD Application Administrator (or higher privilege role) can check app pre-authentication configuration from portal or by running command 'Get-AzureADApplicationProxyApplication -ObjectId <AADAppID>'. To enable AAD Auth run command 'Set-AzureADApplicationProxyApplication -ObjectId <AppObjectID> -ExternalAuthenticationType AadPreAuthentication'. Refer: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal#publish-an-on-premises-app-for-remote-access.",

        "Tags": [

          "SDL",

          "TCP",

          "Manual",

          "AuthN",

          "ApplicationProxy"

        ],

        "Enabled": true

      },

      {

        "ControlID": "Azure_ApplicationProxy_DP_Remove_Connector_Machine_Logs",

        "Description": "Delete personal data captured in logs on connector machine periodically or turn off connector machine logging if not required.",

        "Id": "ApplicationProxy130",

        "ControlSeverity": "High",

        "Automated": "No",

        "MethodName": "",

        "Rationale": "Connector machine logs may contain personal data. This needs to be handled with care and purged when not needed in keeping with good privacy principles.",

        "Recommendation": "Turn off logging/delete personal data regularly on all connector machines. Refer: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-remove-personal-data",

        "Tags": [

            "SDL",

            "TCP",

            "Manual",

            "DP",

            "ApplicationProxy"

        ],

        "Enabled": true

      },

      {

        "ControlID": "Azure_ApplicationProxy_Config_Enable_HTTPOnly_Cookie",

        "Description": "HTTP-Only cookie must be enabled while configuring App Proxy wherever possible.",

        "Id": "ApplicationProxy140",

        "ControlSeverity": "High",

        "Automated": "No",

        "MethodName": "",

        "Rationale": "Using an HTTP-Only cookie protects against cross site scripting (XSS) attacks by disallowing cookie access to client side scripts.",

        "Recommendation": "AAD Application Administrator (or higher privilege role) can check app cookie setting from portal or by running command 'Get-AzureADApplicationProxyApplication -ObjectId <AADAppID>'. To enable HTTP-Only cookie, run command 'Set-AzureADApplicationProxyApplication -ObjectId <AADAppID> -IsHttpOnlyCookieEnabled `$true'. Refer: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal#publish-an-on-premises-app-for-remote-access.",

        "Tags": [

          "SDL",

          "TCP",

          "Manual",

          "Config",

          "ApplicationProxy"

        ],

        "Enabled": true

      },

      {

        "ControlID": "Azure_ApplicationProxy_SI_Lockdown_ConnectorMachine",

        "Description": "Use a security hardened, locked down OS image for the connector machine.",

        "Id": "ApplicationProxy150",

        "ControlSeverity": "High",

        "Automated": "No",

        "MethodName": "",

        "Rationale": "The connector machine is serving as a 'gateway' into the corporate environment allowing internet based client endpoints access to enterprise data. Using a locked-down, secure baseline configuration ensures that this machine does not get leveraged as an entry point to attack the applications/corporate network.",

        "Recommendation": "Use a locked down OS configuration. Ensure that the system is always fully patched, has real-time malware protection enabled, OS firewall and disk encryption turned on, etc. Also, monitor this VM just like you'd monitor a high-value asset.",

           "Tags": [

          "SDL",

          "TCP",

          "Manual",

          "Config",

          "ApplicationProxy"

        ],

        "Enabled": true

      }

    ]

}