module/ConfigurationProvider/ControlConfigurations/Services/CloudService.json

{
    "FeatureName": "CloudService",
    "Reference": "aka.ms/azsktcp/cloudservice",
    "IsMaintenanceMode": false,
    "Controls": [
        {
            "ControlID": "Azure_CloudService_AuthN_Use_AAD_for_Client_AuthN",
            "Description": "Cloud Service must authenticate users using Azure Active Directory backed credentials",
            "Id": "CloudService01",
            "ControlSeverity": "High",
            "Automated": "No",
            "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com), and users in the native directory are trusted for authentication to enterprise subscriptions.",
            "Recommendation": "Create an AAD App. Configure the App with your cloud service URLs to enforce AAD auth for every request. Refer: https://blogs.msdn.microsoft.com/visualstudio/2014/11/19/connecting-to-cloud-services/",
            "Tags": [
                "SDL",
                "AuthN",
                "Classic",
                "Manual"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_CloudService_DP_DontAllow_HTTP_Access_InputEndpoints",
            "Description": "Cloud Service must only be accessible over HTTPS. Enable HTTPS for InputEndpoints.",
            "Id": "CloudService03",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping, and session-hijacking attacks.",
            "Recommendation": "Get an SSL certificate from a trusted certificate provider. Refer https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal for more information on how to use this certificate and configure TLS for the Cloud Service endpoints.",
            "Tags": [
                "SDL",
                "Automated",
                "DP",
                "Classic",
                "Baseline",
                "Daily",
                "CSEOPilotSub"
            ],
            "Enabled": true,
            "MethodName": "CheckCloudServiceHttpCertificateSSLOnInputEndpoints",
            "DisplayName": "Encrypt data in transit for Cloud service role",
            "Category": "Encrypt data in transit",
            "ControlRequirements": "Data must be encrypted in transit and at rest",
            "CustomTags": [
                "TenantBaseline",
                "CSEOBaseline",
                "MSD",
                "Prod",
                "P2",
                "Wave7",
                "ShadowITActiveBaseline",
                "CSEOPilot",
                "SN:CloudSvc_EncryptDataTransit"
            ]
        },
        {
            "ControlID": "Azure_CloudService_SI_Validate_InternalEndpoints",
            "Description": "Remove unused internal endpoints",
            "Id": "CloudService04",
            "ControlSeverity": "Medium",
            "Rationale": "Internal endpoints are available for instance-to-instance communication within a cloud service. Exploitation of one such internal instance can put at risk all the other internal instances with which it has open communication channels.",
            "Recommendation": "Remove unused internal endpoints from .csdef and redeploy your cloud service to reflect the new changes. Refer: https://azure.microsoft.com/en-us/documentation/articles/cloud-services-enable-communication-role-instances",
            "Automated": "Yes",
            "Tags": [
                "SDL",
                "Automated",
                "Classic",
                "OwnerAccess",
                "SI"
            ],
            "Enabled": false,
            "MethodName": "CheckCloudServiceInstanceEndpoints",
            "CustomTags": []
        },
        {
            "ControlID": "Azure_CloudService_SI_Validate_InputEndpoints",
            "Description": "Remove unused input endpoints",
            "Id": "CloudService05",
            "ControlSeverity": "Medium",
            "Rationale": "The input endpoint is used when you want to expose a port to the outside from a cloud service. Such unintended open connections expose cloud service instances to a high level of risk from internet-based attacks that attempt to brute-force credentials to gain access to the machine.",
            "Recommendation": "Remove unused input endpoints from .csdef and redeploy your cloud service to reflect the new changes. Refer: https://azure.microsoft.com/en-us/documentation/articles/cloud-services-enable-communication-role-instances",
            "Automated": "Yes",
            "Tags": [
                "SDL",
                "Automated",
                "SI",
                "Classic"
            ],
            "Enabled": false,
            "MethodName": "CheckCloudServiceInputEndpoints",
            "CustomTags": []
        },
        {
            "ControlID": "Azure_CloudService_SI_Disable_RemoteDebugging",
            "Description": "Remote debugging must be turned off",
            "Id": "CloudService06",
            "ControlSeverity": "High",
            "Rationale": "Remote debugging requires inbound ports to be opened. These ports become easy targets for compromise from various internet-based attacks.",
            "Recommendation": "Remove [Microsoft.WindowsAzure.Plugins.RemoteDebugger*] endpoints from .csdef and redeploy your cloud service to reflect the new changes. Refer: https://docs.microsoft.com/en-us/azure/vs-azure-tools-debug-cloud-services-virtual-machines",
            "Automated": "Yes",
            "Tags": [
                "SDL",
                "Automated",
                "Classic",
                "OwnerAccess",
                "SI"
            ],
            "Enabled": false,
            "MethodName": "CheckCloudServiceRemoteDebuggingStatus",
            "CustomTags": []
        },
        {
            "ControlID": "Azure_CloudService_DP_CNAME_with_SSL",
            "Description": "A CNAME should be configured for the cloud service.",
            "Id": "CloudService07",
            "ControlSeverity": "Medium",
            "Rationale": "Use of a custom domain protects a web application from common attacks such as phishing, session hijacking, and other DNS-related attacks.",
            "Recommendation": "Get an SSL certificate for your CNAME from a trusted certificate provider and upload the same to your cloud service. Map the VIP of your cloud service at your DNS registrar's website. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name",
            "Automated": "No",
            "Tags": [
                "SDL",
                "Classic",
                "OwnerAccess",
                "Manual",
                "DP"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_CloudService_SI_Auto_OSUpdate",
            "Description": "Set automatic update for Cloud Service OS version.",
            "Id": "CloudService08",
            "ControlSeverity": "High",
            "Rationale": "Cloud services where automatic updates are disabled are likely to miss important security patches (human error, forgetfulness). This may lead to compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
            "Recommendation": "To enable automatic updates: Go to the Azure management portal --> your cloud service --> under the Settings section, select the Configuration tab --> set OS version to Automatic from the drop-down menu --> select Save.",
            "Automated": "Yes",
            "Tags": [
                "SDL",
                "Automated",
                "SI",
                "Classic",
                "Baseline",
                "Daily",
                "CSEOPilotP1",
                "CSEOPilotSub"
            ],
            "DisplayName": "Set automatic update for Cloud Service OS version",
            "Category": "Vulnerabilities must be remediated",
            "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
            "Enabled": true,
            "MethodName": "CheckCloudServiceOSPatchStatus",
            "CustomTags": [
                "CSEOBaseline",
                "MSD",
                "Prod",
                "CSEOPilot",
                "TenantBaseline",
                "P1",
                "Wave7",
                "ShadowITActiveBaseline",
                "SN:CloudSvc_Autoupdate"
            ]
        },
        {
            "ControlID": "Azure_CloudService_SI_Enable_AntiMalware",
            "Description": "Enable the Antimalware extension for the cloud service roles",
            "Id": "CloudService09",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "Rationale": "Antimalware provides real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, exclusion event collection, etc.",
            "Recommendation": "To enable Antimalware: Go to the Azure portal --> your cloud service --> Antimalware under the Settings section --> select the role and enable Antimalware.",
            "Tags": [
                "SDL",
                "Automated",
                "Classic",
                "OwnerAccess",
                "SI",
                "Baseline",
                "Daily",
                "CSEOPilotSub"
            ],
            "Enabled": true,
            "MethodName": "CheckCloudServiceAntiMalwareStatus",
            "DisplayName": "Antimalware extension must be installed on cloud service roles",
            "Category": "Deploy antimalware extension",
            "ControlRequirements": "Anti-malware must be up to date and running",
            "CustomTags": [
                "TenantBaseline",
                "CSEOBaseline",
                "MSD",
                "Prod",
                "CSEOPilot",
                "Wave7",
                "ShadowITActiveBaseline",
                "SN:CloudSvc_AntiMalware"
            ]
        },
        {
            "ControlID": "Azure_CloudService_SI_Disable_RemoteDesktop_Access",
            "Description": "Disable Remote Desktop (RDP) access on cloud service roles",
            "Id": "CloudService10",
            "ControlSeverity": "High",
            "Rationale": "Remote desktop access requires inbound ports to be opened. These ports become easy targets for compromise from various internet-based attacks.",
            "Recommendation": "From Azure Portal: After logging into subscription, go under Home -> All Resources -> Select the Cloud service resource type -> Remote Desktop. Under \"Remote Desktop\", make sure to select \"Disabled\" toggle option. From PowerShell: Refer https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-role-enable-remote-desktop-powershell to remove Remote Desktop Extension from a Service. Refer https://docs.microsoft.com/en-us/powershell/module/servicemanagement/azure.service/remove-azureserviceremotedesktopextension?view=azuresmps-4.0.0 to know more about Remove-AzureServiceRemoteDesktopExtension command.",
            "Automated": "Yes",
            "DisplayName": "Disable Remote Desktop (RDP) access on cloud service roles",
            "Category": "Management interfaces and ports must not be open",
            "ControlRequirements": "Restrict network traffic flows",
            "Tags": [
                "SDL",
                "Automated",
                "Classic",
                "OwnerAccess",
                "SI",
                "Baseline",
                "Daily",
                "CSEOPilotSub"
            ],
            "Enabled": true,
            "MethodName": "CheckCloudServiceRemoteDesktopAccess",
            "CustomTags": [
                "CSEOBaseline",
                "MSD",
                "Prod",
                "TenantBaseline",
                "P1",
                "Wave5",
                "ShadowITActiveBaseline",
                "CSEOPilot",
                "SN:RDP_disable"
            ],
            "ControlEvaluationDetails": {
                "RequiredProperties": [
                    "CloudServices",
                    "CloudServiceDeploymentSlots",
                    "CloudServiceRoles",
                    "CloudServiceConfiguration",
                    "CloudServiceRemoteAccessPlugin",
                    "CloudServiceExtensions"
                ]
            }
        },
        {
            "ControlID": "Azure_CloudService_DP_Avoid_Plaintext_Secrets_Trial",
            "Description": "CloudService must not have secrets/credentials present in plain text",
            "Id": "CloudService11",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "MethodName": "AvoidPlaintextSecrets",
            "DisplayName": "CloudService must not have secrets/credentials present in plain text",
            "Category": "Credentials Access",
            "ControlRequirements": "Eliminating plain text credentials",
            "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure through various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
            "Recommendation": "Find detected secrets/credentials using the API information available in Source, rotate those credentials and remove them. Use KeyVault to store secrets/credentials.",
            "Tags": [
              "SDL",
              "TCP",
              "Automated",
              "DP",
              "Baseline",
              "Daily",
              "Trial"
            ],
            "Enabled": true
        }
    ]
}