module/ConfigurationProvider/ControlConfigurations/Services/VirtualMachine.json

{
    "FeatureName": "VirtualMachine",
    "Reference": "aka.ms/azsktcp/virtualmachine",
    "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_VirtualMachine_Deploy_Latest_OS_Version",
      "Description": "Virtual Machine should have latest OS version installed",
      "Id": "VirtualMachine110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckOSVersion",
      "Rationale": "Being on the latest OS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "Run command 'Update-AzVM -ResourceGroupName {resourceGroupName} -VM (Get-AzVM -ResourceGroupName {resourceGroupName} -Name {vmName})'. Run 'Get-Help Update-AzVM -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Deploy",
        "ERvNet",
        "VirtualMachine",
        "ExcludeKubernetes",
        "ExcludeDatabricks"
      ],
      "Enabled": false,
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Antimalware",
      "Description": "Antimalware must be enabled with real time protection on Virtual Machine",
      "Id": "VirtualMachine130",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckAntimalwareExtensionStatus",
      "DisplayName": "Ensure all devices have anti-malware protection installed and enabled",
      "Category": "Deploy antimalware extension",
      "ControlRequirements": "Anti-malware must be up to date and running",
      "AssessmentName": "83f577bd-a1b6-b7e1-0891-12ca19d1e6df",
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "83f577bd-a1b6-b7e1-0891-12ca19d1e6df"
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
      "Rationale": "Enabling antimalware protection minimizes the risks from existing and new attacks from various types of malware. Microsoft Antimalware provides real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, sample reporting, exclusion event collection, etc.",
      "Recommendation": "To install antimalware, Go to Azure Portal --> VM Properties --> Extensions --> Add 'Microsoft Antimalware' --> Enable Real-Time Protection and Scheduled Scan --> Click Ok. If antimalware is already present on VM, validate and resolve endpoint protection recommendations in MDC. Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection, https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions",
          "AntiMalwareExtension"
        ]
      },
      "Enabled": true,
      "PolicyDefinitionGuid": "af6cd1bd-1635-48cb-bde7-5b15693900b9",
      "ControlSettings": {
        "ReqExtensionType": "IaaSAntimalware",
        "ReqExtensionPublisher": "Microsoft.Azure.Security",
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "SOX",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P0",
        "Wave2",
        "ShadowITActiveBaseline",
        "SN:Anti-Malware"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Antimalware_Trial",
      "Description": "[Trial] Antimalware must be enabled with real time protection on Virtual Machine",
      "Id": "VirtualMachine390",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckAntimalwareExtensionStatusTrial",
      "DisplayName": "[Trial] Ensure all devices have anti-malware protection installed and enabled",
      "Category": "Deploy antimalware extension",
      "ControlRequirements": "Anti-malware must be up to date and running",
      "ControlScanSource": "Reader",
      "Rationale": "Enabling antimalware protection minimizes the risks from existing and new attacks from various types of malware. Microsoft Antimalware provides real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, sample reporting, exclusion event collection, etc.",
      "Recommendation": "To install antimalware, Go to Azure Portal --> VM Properties --> Extensions --> Add 'Microsoft Antimalware' --> Enable Real-Time Protection and Scheduled Scan --> Click Ok. If antimalware is already present on VM, validate and resolve endpoint protection recommendations in MDC. Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection, https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "Baseline",
        "Daily"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_Config_Enable_NSG",
      "Description": "NSG must be configured for Virtual Machine",
      "Id": "VirtualMachine140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGConfig",
      "DisplayName": "Internet-facing virtual machines must be protected with Network Security Groups",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Restricting inbound and outbound traffic via NSGs limits the network exposure of a VM by reducing the attack surface.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/endpoints-in-resource-manager, https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-nsg-arm-ps",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "NICs"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ExcludeERVnetConnectedInstance",
        "ActiveBaseline",
        "TenantBaseline",
        "P0",
        "Wave1",
        "ShadowITActiveBaseline",
        "SN:Ext_VM_NSG",
        "MSD",
        "Prod",
        "CSEOBaseline",
        "CSEOPilot"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_Config_Enable_NSG_Trial",
      "Description": "[Trial] NSG must be configured for Virtual Machine",
      "Id": "VirtualMachine410",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGConfig",
      "ControlScanSource": "MDCOrReader",
      "DisplayName": "[Trial] Internet-facing virtual machines must be protected with Network Security Groups",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Restricting inbound and outbound traffic via NSGs limits the network exposure of a VM by reducing the attack surface.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/endpoints-in-resource-manager, https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-nsg-arm-ps",
      "AssessmentProperties": {
        "AssessmentNames": [
          "483f12ed-ae23-447e-a2de-a67a10db4353"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Passed",
            "AssessmentStatusCausePatterns": "(.)*NonInternetFacingVms(.)*",
            "AppendMessageToStatusReason": "MDC reports this VM as not internet-facing, so the NSG assessment is not applicable to it. The Control will be marked as Passed."
          }
        ]
      },
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "NICs"
        ]
      },
      "CustomTags": [
        "Trial",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Justify_PublicIPs",
      "Description": "Public IPs on a Virtual Machine should be carefully reviewed",
      "Id": "VirtualMachine150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIP",
      "DisplayName": "Public IPs on a Virtual Machine should be carefully reviewed",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Public IPs provide direct access over the internet exposing the VM to attacks over the public network. Hence each public IP on a VM must be reviewed carefully.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Network Interfaces --> <Select NIC> --> IP Configurations --> <Select IP Configs with Public IP> --> Click 'Disabled' --> Save. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address ",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "PublicIpAllocationMethod",
        "IpConfiguration",
        "Id",
        "DnsSettings"
      ],
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Enable_Disk_Encryption",
      "Description": "Disk encryption must be enabled on both OS and data disks for Windows Virtual Machine",
      "Id": "VirtualMachine160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckDiskEncryption",
      "DisplayName": "Disk encryption should be applied on virtual machines",
      "Category": "Encrypt data at rest",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "AssessmentName": "d57a4221-a804-52ca-3dea-768284f06bb7",
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "d57a4221-a804-52ca-3dea-768284f06bb7"
        ]
      },
      "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. In the case of VMs, both OS and data disks may contain sensitive information that needs to be protected at rest. Hence disk encryption must be enabled for both.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json. Note: After enabling disk encryption, it takes some time for changes to reflect in Microsoft Defender for Cloud (MDC). Thus, if you scan immediately, the control may still fail even though the VM itself shows as encrypted. Please wait a few hours to ascertain the fix.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "PolicyDefinitionGuid": "0961003e-5a0a-4549-abde-af6a37f2724d",
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_MDC_OS_Vulnerabilities",
      "Description": "Virtual Machine must be in a healthy state in Microsoft Defender for Cloud",
      "Id": "VirtualMachine171",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDCandReader",
      "MethodName": "CheckMDCVMSecurityBaselineStatus",
      "DisplayName": "Virtual Machine must be in a healthy state in Microsoft Defender for Cloud",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Microsoft Defender for Cloud raises alerts (which are typically indicative of resources that are not compliant with some baseline security protection). It is important that these alerts/actions are resolved promptly in order to eliminate the exposure to attacks.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-remediate-os-vulnerabilities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "AssessmentProperties": {
        "AssessmentNames": [
          "181ac480-f7c4-544b-9865-11b8ffe87f47"
        ]
      },
      "ControlSettings": {
        "MDCApprovedBaselineStatuses": {
          "Windows": [
            "Healthy"
          ],
          "Linux": [
            "Healthy"
          ]
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Missing_OS_Patches",
      "Description": "Virtual Machines must have all the required OS patches installed.",
      "Id": "VirtualMachine172",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "CheckVMOSPatches",
      "DisplayName": "Patch virtual machines to protect against vulnerabilities",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "Reader",
      "Rationale": "Un-patched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates . It can take up to 24 hours for the latest patch status to be reflected in MDC, so a scan run immediately after patching may still report the control as failed.",
      "Tags": [
        "SDL",
        "TCP",
        "Audit",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "SOX",
        "P0",
        "MSD",
        "Prod",
        "TenantBaseline",
        "Wave2",
        "ShadowITActiveBaseline",
        "SN:Patching"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_MDC_Recommendations",
      "Description": "Virtual Machine must implement all the flagged MDC recommendations.",
      "Id": "VirtualMachine173",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDCandReader",
      "MethodName": "CheckMDCVMRecommendations",
      "DisplayName": "Virtual Machine must implement all the flagged MDC recommendations",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "AssessmentProperties": {
        "AssessmentNames": [
          "d57a4221-a804-52ca-3dea-768284f06bb7",
          "35f45c95-27cf-4e52-891f-8390d1de5828",
          "ffff0522-1e88-47fc-8382-2a80ba848f5d"
        ]
      },
      "Rationale": "Microsoft Defender for Cloud provides various security recommendations for resources that are not compliant with some baseline security protection. It is important that these recommendations are resolved promptly in order to eliminate the exposure to attacks.",
      "Recommendation": "First, examine the detailed AzSK log file for this VM to find out the specific recommendations this control is currently failing for. Review the MDC documentation for those recommendations and implement the suggested fixes. (Note: Not all MDC recommendations are flagged by AzSK. So the first step is critical.). Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-virtual-machine-recommendations",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "ERvNet",
        "VirtualMachine",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_Audit_Enable_Diagnostics",
      "Description": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine",
      "Id": "VirtualMachine180",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckVMDiagnostics",
      "DisplayName": "Diagnostics must be enabled on the Virtual Machine",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Diagnostics logs are needed to create an activity trail that can be used when investigating an incident or a compromise.",
      "Recommendation": "Go to Azure Portal --> VM Properties --> Diagnostics settings --> Enable guest-level-monitoring. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/azure-diagnostics",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlSettings": {
        "RequiredDiagnosticsExtensions": {
          "Windows": [
            {
              "ExtensionType": "IaaSDiagnostics",
              "Publisher": "Microsoft.Azure.Diagnostics"
            }
          ],
          "Linux": [
            {
              "ExtensionType": "LinuxDiagnostic",
              "Publisher": "Microsoft.Azure.Diagnostics"
            }
          ]
        }
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Dont_Open_Management_Ports",
      "Description": "Do not leave management ports open on Virtual Machines",
      "Id": "VirtualMachine190",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckOpenPorts",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22, SMB-445) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "OwnerAccess",
        "VirtualMachine",
        "ExcludedControl"
      ],
      "Enabled": false,
      "CustomTags": [
        "Windows",
        "Linux",
        "Wave1",
        "SN:Mgmt_ports"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Vuln_Solution",
      "Description": "Vulnerability assessment solution should be installed on VM",
      "Id": "VirtualMachine200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckVulnAgentStatus",
      "DisplayName": "Install DSRE Qualys Cloud Agent on assets",
      "Category": "Vulnerability assessments must be enabled on all services",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "ffff0522-1e88-47fc-8382-2a80ba848f5d"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*SecurityApplianceIrrelevantRecommendation|SecurityApplianceNonRelevantRecommendation(.)*"
          }
        ]
      },
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising a VM/container with such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "To install vulnerability assessment solution, please refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "VirtualMachine",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "Windows": {
          "ExtensionType": "QualysAgent",
          "ExtensionPublisher": "Qualys"
        },
        "Linux": {
          "ExtensionType": "QualysAgentLinux",
          "ExtensionPublisher": "Qualys"
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ActiveBaseline",
        "P1",
        "Wave99",
        "SN:InstallQualys"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Deploy_GuestConfig_Extension",
      "Description": "Guest Configuration extension must be deployed to the VM using Azure Policy assignment",
      "Id": "VirtualMachine210",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckGuestConfigExtension",
      "DisplayName": "Guest Configuration extension must be deployed to the VM using Azure Policy assignment",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing Guest configuration extension on VM allows you to run In-Guest Policy on the VM, making it possible to monitor system and security policies for compliance checks in the VM.",
      "Recommendation": "This control checks that the VM meets the following criteria: [a] Guest Configuration Extension is installed and provisioned successfully, [b] 'SystemAssigned' managed identity (MSI) is enabled for the VM. Both the required Guest Configuration extension and a system-assigned MSI are deployed and configured automatically when the machine is in scope for an Azure Policy assignment that includes definitions in the Guest Configuration category.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "Windows": {
          "ExtensionType": "ConfigurationForWindows",
          "ExtensionPublisher": "Microsoft.GuestConfiguration",
          "RequiredVersion": "1.11.0"
        },
        "Linux": {
          "ExtensionType": "ConfigurationForLinux",
          "ExtensionPublisher": "Microsoft.GuestConfiguration",
          "RequiredVersion": "1.9.0"
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:VM_GuestConfigPrereq"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Deploy_GuestConfig_Extension_Trial",
      "Description": "[Trial] Guest Configuration extension must be deployed to the VM using Azure Policy assignment",
      "Id": "VirtualMachine430",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckGuestConfigExtensionTrial",
      "DisplayName": "[Trial] Guest Configuration extension must be deployed to the VM using Azure Policy assignment",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing Guest configuration extension on VM allows you to run In-Guest Policy on the VM, making it possible to monitor system and security policies for compliance checks in the VM.",
      "Recommendation": "This control checks that the VM meets the following criteria: [a] Guest Configuration Extension is installed and provisioned successfully, [b] 'SystemAssigned' managed identity (MSI) is enabled for the VM. Both the required Guest Configuration extension and a system-assigned MSI are deployed and configured automatically when the machine is in scope for an Azure Policy assignment that includes definitions in the Guest Configuration category.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "Baseline"
      ],
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "6c99f570-2ce7-46bc-8175-cde013df43bc"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "AssessmentIdForMI": {
         "AssessmentID":"69133b6b-695a-43eb-a763-221e19556755"
        },
        "Windows": {
          "ExtensionType": "ConfigurationForWindows",
          "ExtensionPublisher": "Microsoft.GuestConfiguration",
          "RequiredVersion": "1.11.0"
        },
        "Linux": {
          "ExtensionType": "ConfigurationForLinux",
          "ExtensionPublisher": "Microsoft.GuestConfiguration",
          "RequiredVersion": "1.9.0"
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "SN:VM_GuestConfigPrereqTrial",
        "Trial",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_GuestConfig_Policy_Health",
      "Description": "Guest config extension should report compliant status for all in-guest policies.",
      "Id": "VirtualMachine220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckGuestConfigPolicyStatus",
      "Rationale": "In-guest policies cover various native (data-plane) security requirements for a VM. A VM that is compliant to these requirements has a lower overall exposure to getting compromised.",
      "Recommendation": "Run Get-AzVMGuestPolicyStatus -ResourceGroupName <VM Resource group name> -VMName <VM Name> to get further details like Compliance reason, last check time etc. and ensure that the issues are resolved.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks"
      ],
      "Enabled": false,
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Monitoring_Agent",
      "Description": "Ensure the MMA on your VM is healthy (running successfully)",
      "Id": "VirtualMachine230",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckRequiredExtensions",
      "Rationale": "One or more extensions may be required for maintaining data plane security hygiene and visibility for all Azure VMs in use at an Org. It is important to ensure all required extensions are installed and in healthy provisioning state.",
      "DisplayName": "Ensure the MMA on your VM is healthy (running successfully)",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?context=/azure/virtual-machines/context/context",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "ERvNet",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "ExtensionsForWindows": [
          {
            "ExtensionType": "MicrosoftMonitoringAgent",
            "Publisher": "Microsoft.EnterpriseCloud.Monitoring"
          }
        ],
        "ExtensionsForLinux": [
          {
            "ExtensionType": "OmsAgentForLinux",
            "Publisher": "Microsoft.EnterpriseCloud.Monitoring"
          }
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "TenantBaseline",
        "Wave3",
        "ShadowITActiveBaseline",
        "SN:MMA_Health",
        "MSD",
        "Prod",
        "CSEOBaseline",
        "CSEOPilot",
        "P1"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Monitoring_Agent_Trial",
      "Description": "[Trial] Ensure the MMA on your VM is healthy (running successfully)",
      "Id": "VirtualMachine350",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "Rationale": "One or more extensions may be required for maintaining data plane security hygiene and visibility for all Azure VMs in use at an Org. It is important to ensure all required extensions are installed and in healthy provisioning state.",
      "DisplayName": "[Trial] Ensure the MMA on your VM is healthy (running successfully)",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?context=/azure/virtual-machines/context/context",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "d1db3318-01ff-16de-29eb-28b344515626"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Monitoring_Agent_NonAzTS_Trial",
      "Description": "[Trial] Ensure the MMA on your VM is healthy (running successfully)",
      "Id": "VirtualMachine360",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "EvaluateExtScannedControls",
      "Rationale": "One or more extensions may be required for maintaining data plane security hygiene and visibility for all Azure VMs in use at an Org. It is important to ensure all required extensions are installed and in healthy provisioning state.",
      "DisplayName": "[Trial][Non-AzTS] Ensure the MMA on your VM is healthy (running successfully)",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?context=/azure/virtual-machines/context/context",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "SI",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Dont_Open_Restricted_Ports",
      "Description": "Do not leave restricted ports open on Virtual Machines",
      "Id": "VirtualMachine240",
      "ControlSeverity": "Critical",
      "ControlScanSource": "MDCandReader",
      "Automated": "Yes",
      "MethodName": "CheckRestrictedPorts",
      "DisplayName": "Management ports must not be open on machines",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, WINRM-5986, SSH-22, SMB-445) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "OwnerAccess",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "NICs"
        ]
      },
      "AssessmentProperties": {
        "AssessmentNames": [
          "805651bc-6ecd-4c73-9b55-97a19d0582d0"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "Healthy",
            "EffectiveVerificationResult": "Verify"
          },
          {
            "AssessmentStatusCode": "Healthy",
            "EffectiveVerificationResult": "Passed",
            "AssessmentStatusCausePatterns": "(.)*JitIsEnabled(.)*"
          }
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "RestrictedPortsForWindows": "445,3389,5985,5986",
        "RestrictedPortsForLinux": "445,3389,22",
        "JITRuleNamePrefix": "SecurityCenter-JITRule",
        "PrivateIpAddressPrefixesToExclude": [
          "10.0.0.0/8",
          "172.16.0.0/12",
          "192.168.0.0/16"
        ],
        "SourcesToExclude": [
          "AzureLoadBalancer"
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ExcludeERVnetConnectedInstance",
        "ActiveBaseline",
        "P0",
        "TenantBaseline",
        "Wave1",
        "ShadowITActiveBaseline",
        "SN:AZ_VM_port",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Dont_Open_Restricted_Ports_Trial",
      "Description": "[Trial] Do not leave restricted ports open on Virtual Machines",
      "Id": "VirtualMachine245",
      "ControlSeverity": "Critical",
      "ControlScanSource": "MDCandReader",
      "Automated": "Yes",
      "MethodName": "CheckRestrictedPorts",
      "DisplayName": "[Trial] Management ports must not be open on machines",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, WINRM-5986, SSH-22, SMB-445) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "OwnerAccess",
        "VirtualMachine",
        "ExcludeDatabricks",
        "Baseline",
        "Daily"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "NICs"
        ]
      },
      "AssessmentProperties": {
        "AssessmentNames": [
          "805651bc-6ecd-4c73-9b55-97a19d0582d0"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "Healthy",
            "EffectiveVerificationResult": "Verify"
          },
          {
            "AssessmentStatusCode": "Healthy",
            "EffectiveVerificationResult": "Passed",
            "AssessmentStatusCausePatterns": "(.)*JitIsEnabled(.)*"
          }
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "RestrictedPortsForWindows": "445,3389,5985,5986",
        "RestrictedPortsForLinux": "445,3389,22",
        "JITRuleNamePrefix": "SecurityCenter-JITRule",
        "PrivateIpAddressPrefixesToExclude": [
          "10.0.0.0/8",
          "172.16.0.0/12",
          "192.168.0.0/16"
        ],
        "SourcesToExclude": [
          "AzureLoadBalancer"
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ExcludeERVnetConnectedInstance",
        "SN:AZ_VM_port_trial"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Deploy_Data_Collection_Extension",
      "Description": "Network traffic data collection agent should be installed on Windows/Linux virtual machines",
      "Id": "VirtualMachine250",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckDataCollectionExtension",
      "DisplayName": "[Preview]: Install Network data collection agents",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "AssessmentName": "8c3e93d3-0276-4d06-b20a-9a9f3012742c",
      "ControlScanSource": "MDCorReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "8c3e93d3-0276-4d06-b20a-9a9f3012742c",
          "24d8af06-d441-40b4-a49c-311421aa9f58"
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
      "Rationale": "Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and detection of specific network threats.",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ERvNet",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "Extensions"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "Windows": {
          "ExtensionType": "DependencyAgentWindows",
          "ExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent"
        },
        "Linux": {
          "ExtensionType": "DependencyAgentLinux",
          "ExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent"
        },
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "P1",
        "SN:Ntwk_agents"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Apply_MDC_Network_Recommendations",
      "Description": "Adaptive Network Hardening uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to further restrict NSGs rules for an improved security posture.",
      "Id": "VirtualMachine260",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Apply Adaptive Network Hardening to Internet facing virtual machines",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "AssessmentName": "f9f0eed0-f143-47bf-b856-671ea2eeed62",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "f9f0eed0-f143-47bf-b856-671ea2eeed62"
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
      "Rationale": "Adaptive Network Hardening uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to further restrict NSGs rules for an improved security posture.",
      "Recommendation": "Please refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-network-hardening#what-is-adaptive-network-hardening",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "ExcludeDatabricks",
        "ExcludeKubernetes",
        "Baseline",
        "Daily"
      ],
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux",
        "MSD",
        "Prod",
        "TenantBaseline",
        "P1",
        "Wave3",
        "ShadowITActiveBaseline",
        "SN:Net_Hardening"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Security_Vulnerabilities",
      "Description": "Vulnerabilities in security configuration on your machines should be remediated",
      "Id": "VirtualMachine290",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Vulnerabilities in security configuration on your machines must be remediated.",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "AssessmentName": "181ac480-f7c4-544b-9865-11b8ffe87f47",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "181ac480-f7c4-544b-9865-11b8ffe87f47"
        ]
      },
      "PolicyDefinitionId": "",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by exploiting such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "Go to security center --> Compute & apps --> VMs and Servers --> Click on VM name --> Click on VM Vulnerability remediation recommendation --> Click on Take Action --> Remediate list of vulnerabilities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "ERvNet",
        "Baseline",
        "Weekly",
        "ExcludedControl"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Container_Security_Vulnerabilities",
      "Description": "Vulnerabilities in container security configurations should be remediated",
      "Id": "VirtualMachine280",
      "DisplayName": "Vulnerabilities in container security configurations must be remediated",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "AssessmentName": "0677209d-e675-2c6f-e91a-54cef2878663",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "0677209d-e675-2c6f-e91a-54cef2878663"
        ],
        "ResourceDetails": {
          "HasExtendedResourceId": true
        },
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "AssignmentNotFound",
            "EffectiveVerificationResult": "NotApplicable"
          }
        ]
      },
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "",
      "Recommendation": "Go to security center --> Compute & apps --> Containers --> Click on VM name --> Click on VM Container Vulnerability remediation recommendation --> Click on Take Action --> Remediate list of vulnerabilities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "VirtualMachine",
        "Baseline",
        "Weekly",
        "ExcludedControl",
        "ExcludeDatabricks"
      ],
      "Enabled": true,
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising a VM/container with such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner. Unpatched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_VirtualMachine_Just_In_Time_Network_Access_Control",
      "Description": "Microsoft Defender for Cloud monitors virtual machines for possible Just In Time (JIT) network access and reports the findings as recommendations",
      "Id": "VirtualMachine281",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Just-In-Time network access control must be applied on virtual machines",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "AssessmentName": "805651bc-6ecd-4c73-9b55-97a19d0582d0",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "805651bc-6ecd-4c73-9b55-97a19d0582d0"
        ]
      },
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
      "Rationale": "For new deployments, require Just-In-Time network access control on virtual machines (effect type \"Deny\"). For existing VMs, force the deployment of Just-In-Time network access control on virtual machines (effect type \"DeployIfNotExists\").",
      "Recommendation": "Go to Security Center --> Just in time VM access --> Go to Not Configured --> Select your VM --> Click on Enable JIT on 1 VMs",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline",
        "Weekly",
        "ExcludedControl",
        "ExcludeDatabricks",
        "ExcludeKubernetes"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Remediate_Assessment_Soln_Vulnerabilities",
      "Description": "Vulnerabilities should be remediated by a Vulnerability Assessment solution",
      "Id": "VirtualMachine300",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "",
      "DisplayName": "Vulnerabilities must be remediated by a Vulnerability Assessment solution",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "AssessmentName": "71992a2a-d168-42e0-b10e-6b45fa2ecddb",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "71992a2a-d168-42e0-b10e-6b45fa2ecddb"
        ]
      },
      "PolicyDefinitionId": "",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by exploiting such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "Go to security center --> Compute & apps --> VMs and Servers --> Click on VM name --> Click on VM Vulnerability remediation recommendation by Assessment solution --> Click on Take Action --> Remediate list of vulnerabilities",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VirtualMachine",
        "Baseline",
        "Weekly",
        "ExcludedControl",
        "ExcludeDatabricks",
        "ExcludeKubernetes"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_NetSec_Open_Allowed_Ports_Only",
      "Description": "Only allowed ports must be opened on Virtual Machines",
      "Id": "VirtualMachine310",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckAllowedPorts",
      "DisplayName": "Only allowed ports must be opened on Virtual Machines",
      "Category": "Management interfaces and ports must not be open",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Open remote management ports expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22) --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "OwnerAccess",
        "VirtualMachine",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType",
          "NICs"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "AllowedPortsForWindows": "443,80",
        "AllowedPortsForLinux": "443,80",
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "ExcludeERVnetConnectedInstance"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Sense_Agent",
      "Description": "Sense Agent provides TVM data and other enhanced telemetry to the backend DSRE/CDG MDATP instance.",
      "Id": "VirtualMachine320",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckSenseAgentStatus",
      "DisplayName": "Ensure Sense Agent is installed and healthy",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlScanSource": "Reader",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising a VM/container with such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "NA",
      "Tags": [
        "SI",
        "VirtualMachine",
        "Baseline",
        "Daily",
        "ExcludeDatabricks",
        "ExcludeKubernetes"
      ],
      "ControlSettings": {
        "ApplicableOsTypes": [
          "Windows"
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "P0",
        "MSD",
        "Prod",
        "TenantBaseline",
        "Wave6",
        "ShadowITActiveBaseline",
        "SN:SENSE_Agent"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_SI_Enable_Sense_Agent_Trial",
      "Description": "[Trial] Sense Agent provides TVM data and other enhanced telemetry to the backend DSRE/CDG MDATP instance.",
      "Id": "VirtualMachine380",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckSenseAgentStatus",
      "DisplayName": "[Trial] Ensure Sense Agent is installed and healthy",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlScanSource": "Reader",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by compromising a VM/container with such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "NA",
      "Tags": [
        "SI",
        "VirtualMachine",
        "Baseline",
        "Daily",
        "ExcludeDatabricks",
        "ExcludeKubernetes"
      ],
      "ControlSettings": {
        "ApplicableOsTypes": [
          "Windows",
          "Linux"
        ],
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "vendor",
            "TagValue": "Databricks"
          },
          {
            "Description": "VM is part of AKS cluster.",
            "TagName": "orchestrator",
            "TagValue": "kubernetes"
          }
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "OSType"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Avoid_Plaintext_Secrets_Trial",
      "Description": "Virtual Machines must not have secrets/credentials present in plain text",
      "Id": "VirtualMachine400",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "AvoidPlaintextSecrets",
      "DisplayName": "Virtual Machines must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials using the API information available in Source, rotate those credentials and remove them. Use KeyVault to store secrets/credentials.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline",
        "Daily",
        "Trial"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VirtualMachine_DP_Use_Secure_TLS_Version_Trial",
      "Description": "[Trial] Use approved version of TLS for Windows Servers",
      "Id": "VirtualMachine420",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "PolicyandReader",
      "MethodName": "CheckTLSVersionOnlyOnWindows",
      "DisplayName": "[Trial] Use approved version of TLS for Windows Servers",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Recommendation": "Ensure the minimum TLS version on Windows Servers is configured to the required minimum of TLS 1.2",
      "CustomPolicyProperties": {
        "PolicyDefinitionIds": [ "/providers/Microsoft.Authorization/policyDefinitions/828ba269-bf7f-4082-83dd-633417bc391d" ]
      },
      "ControlSettings": {
        "ApplicableOsTypes": [
          "Windows"
        ]
      },
      "Tags": [
        "SDL",
        "Automated",
        "DP",
        "Baseline"
      ],
      "Enabled": true,
      "Rationale": "TLS provides privacy and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "CustomTags": [
        "Daily",
        "Trial",
        "SN:WindowsServer_TLS"
      ]
    }
  ]
}