last sync: 2023-Jan-27 18:40:07 UTC

Compliance controls aggregated

Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy PolicySet
ACAT_Security_Policies ACAT_Security_Policies ACAT Security Policies Guidelines for M365 Certification Protecting systems and resources Shared n/a Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. link count: 024
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), App Service Environment should have TLS 1.0 and 1.1 disabled (d6545c6b-dd9d-4265-91e6-0b451e2f1c50), Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection (711c24bb-7f18-4578-b192-81a6161e1f17), Azure SQL Database should be running TLS version 1.2 or newer (32e6bbec-16b6-44c2-be37-c5b672d103cf), Azure Synapse Analytics dedicated SQL pools should enable encryption (cfaf0007-99c7-4b01-b36b-4048872ac978), Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium (f516dc7a-4543-4d40-aad6-98f76a706b50), Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), Disk encryption should be enabled on Azure Data Explorer (f4b53539-8df9-40e4-86c6-6b607703bd4e), Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows (610b6183-5f00-4d68-86d2-4ab4cb3a67a5), Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) (6484db87-a62d-4327-9f07-80a2cbdf333a), Linux virtual machines should have Azure Monitor Agent installed (1afdc4b6-581a-45fb-b630-f1e6051e3e7a), SQL Managed Instance should have the minimal TLS version of 1.2 (a8793640-60f7-487c-b5c3-1d37215905c4), Storage accounts should have the specified minimum TLS version (fe83a0eb-a853-422d-aac2-1bffd182c5d0), Subscription should configure the Azure Firewall Premium to provide additional layer of protection (f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf), Vulnerability assessment should be enabled on your Synapse workspaces (0049a6b3-a662-4f3e-8635-39cf44ace45a), Web Application Firewall (WAF) should enable all firewall rules for Application Gateway (632d3993-e2c0-44ea-a7db-2eca131f356d), Web Application Firewall (WAF) should use the specified mode for Application Gateway (12430be1-6cc8-4527-a9a8-e3d38f250096), Windows machines should configure Windows Defender to update protection signatures within one day (d96163de-dbe0-45ac-b803-0e9ca0f5764e), Windows machines should enable Windows Defender Real-time protection (b3248a42-b1c1-41a4-87bc-8bad3d845589), Windows machines should schedule Windows Defender to perform a scheduled scan every day (3810e389-1d92-4f77-9267-33bdcf0bd225), Windows machines should use the default NTP server (2454bbee-dc19-442f-83fc-7f3114cafd91), Windows virtual machines should have Azure Monitor Agent installed (c02729e5-e5e7-4458-97fa-2b5ad0661f28)
ACAT for Microsoft 365 Certification (80307b86-ab81-45ab-bf4f-4e0b93cf3dd5)
AU_ISM 1139 AU_ISM_1139 AU ISM 1139 Guidelines for Cryptography - Transport Layer Security Using Transport Layer Security - 1139 n/a Only the latest version of TLS is used. link count: 006
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193), Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1144 AU_ISM_1144 AU ISM 1144 Guidelines for System Management - System patching When to patch security vulnerabilities - 1144 n/a Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. link count: 007
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1173 AU_ISM_1173 AU ISM 1173 Guidelines for System Hardening - Authentication hardening Multi-factor authentication - 1173 n/a Multi-factor authentication is used to authenticate all privileged users and any other positions of trust. link count: 002
MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1182 AU_ISM_1182 AU ISM 1182 Guidelines for Networking - Network design and configuration Network access controls - 1182 n/a Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes. link count: 003
Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6), Internet-facing virtual machines should be protected with network security groups (f6de0be7-9a8a-4b8a-b349-43cf02d22f7c), Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1260 AU_ISM_1260 AU ISM 1260 Guidelines for Database Systems - Database management system software Database administrator accounts - 1260 n/a Default database administrator accounts are disabled, renamed or have their passphrases changed. link count: 001
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1261 AU_ISM_1261 AU ISM 1261 Guidelines for Database Systems - Database management system software Database administrator accounts - 1261 n/a Database administrator accounts are not shared across different databases. link count: 001
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1262 AU_ISM_1262 AU ISM 1262 Guidelines for Database Systems - Database management system software Database administrator accounts - 1262 n/a Database administrators have unique and identifiable accounts. link count: 001
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1263 AU_ISM_1263 AU ISM 1263 Guidelines for Database Systems - Database management system software Database administrator accounts - 1263 n/a Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases. link count: 001
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1264 AU_ISM_1264 AU ISM 1264 Guidelines for Database Systems - Database management system software Database administrator accounts - 1264 n/a Database administrator access is restricted to defined roles rather than accounts with default administrative permissions, or all permissions. link count: 001
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1277 AU_ISM_1277 AU ISM 1277 Guidelines for Database Systems - Database servers Communications between database servers and web servers - 1277 n/a Data communicated between database servers and web applications is encrypted. link count: 006
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), Only secure connections to your Azure Cache for Redis should be enabled (22bee202-a82f-4305-9a2a-6d7f44d4dedb), Secure transfer to storage accounts should be enabled (404c3081-a854-4457-ae30-26a93ef643f9), Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1288 AU_ISM_1288 AU ISM 1288 Guidelines for Gateways - Content filtering Antivirus scanning - 1288 n/a Antivirus scanning, using multiple different scanning engines, is performed on all content. link count: 003
Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Microsoft IaaSAntimalware extension should be deployed on Windows servers (9b597639-28e4-48eb-b506-56b05d366257), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1384 AU_ISM_1384 AU ISM 1384 Guidelines for System Hardening - Authentication hardening Multi-factor authentication - 1384 n/a Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions. link count: 003
MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed), MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1386 AU_ISM_1386 AU ISM 1386 Guidelines for System Management - System administration Restriction of management traffic flows - 1386 n/a Management traffic is only allowed to originate from network zones that are used to administer systems and applications. link count: 003
App Service apps should have remote debugging turned off (cb510bfd-1cba-4d9f-a230-cb0976f4bb71), Function apps should have remote debugging turned off (0e60b895-3786-45da-8377-9c6b4b6ac5f9), Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1407 AU_ISM_1407 AU ISM 1407 Guidelines for System Hardening - Operating system hardening Operating system versions - 1407 n/a The latest version (N), or N-1 version, of an operating system is used for SOEs. link count: 002
System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1417 AU_ISM_1417 AU ISM 1417 Guidelines for System Hardening - Operating system hardening Antivirus software - 1417 n/a Antivirus software is implemented on workstations and servers and configured with: • signature-based detection enabled and set to a high level • heuristic-based detection enabled and set to a high level • detection signatures checked for currency and updated on at least a daily basis • automatic and regular scanning configured for all fixed disks and removable media. link count: 003
Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Microsoft IaaSAntimalware extension should be deployed on Windows servers (9b597639-28e4-48eb-b506-56b05d366257), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1424 AU_ISM_1424 AU ISM 1424 Guidelines for Software Development - Web application development Web browser-based security controls - 1424 n/a Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers. link count: 001
App Service apps should not have CORS configured to allow every resource to access your apps (5744710e-cc2f-4ee8-8809-3b11e89f4bc9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1425 AU_ISM_1425 AU ISM 1425 Guidelines for Database Systems - Database servers Protecting database server contents - 1425 n/a Hard disks of database servers are encrypted using full disk encryption. link count: 002
Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1431 AU_ISM_1431 AU ISM 1431 Guidelines for Networking - Service continuity for online services Denial of service strategies - 1431 n/a Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically: • their capacity to withstand denial-of-service attacks • any costs likely to be incurred as a result of denial-of-service attacks • thresholds for notification of denial-of-service attacks • thresholds for turning off online services during denial-of-service attacks • pre-approved actions that can be undertaken during denial-of-service attacks • denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible. link count: 001
Azure DDoS Protection Standard should be enabled (a7aca53f-2ed4-4466-a25e-0b45ade68efd)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1472 AU_ISM_1472 AU ISM 1472 Guidelines for System Management - System patching When to patch security vulnerabilities - 1472 n/a Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users. link count: 007
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1490 AU_ISM_1490 AU ISM 1490 Guidelines for System Hardening - Operating system hardening Application control - 1490 n/a Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. link count: 001
Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1494 AU_ISM_1494 AU ISM 1494 Guidelines for System Management - System patching When to patch security vulnerabilities - 1494 n/a Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. link count: 007
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1495 AU_ISM_1495 AU ISM 1495 Guidelines for System Management - System patching When to patch security vulnerabilities - 1495 n/a Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users. link count: 007
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1496 AU_ISM_1496 AU ISM 1496 Guidelines for System Management - System patching When to patch security vulnerabilities - 1496 n/a Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users. link count: 007
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1503 AU_ISM_1503 AU ISM 1503 Guidelines for Personnel Security - Access to systems and their resources Standard access to systems - 1503 n/a Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. link count: 006
A maximum of 3 owners should be designated for your subscription (4f11b553-d42e-4e3a-89be-32ca364cad4c), Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), There should be more than one owner assigned to your subscription (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1507 AU_ISM_1507 AU ISM 1507 Guidelines for Personnel Security - Access to systems and their resources Privileged access to systems - 1507 n/a Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis. link count: 004
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1508 AU_ISM_1508 AU ISM 1508 Guidelines for Personnel Security - Access to systems and their resources Privileged access to systems - 1508 n/a Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. link count: 007
A maximum of 3 owners should be designated for your subscription (4f11b553-d42e-4e3a-89be-32ca364cad4c), Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c), There should be more than one owner assigned to your subscription (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1511 AU_ISM_1511 AU ISM 1511 Guidelines for System Management - Data backup and restoration Performing backups - 1511 n/a Backups of important data, software and configuration settings are performed at least daily. link count: 001
Audit virtual machines without disaster recovery configured (0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1537 AU_ISM_1537 AU ISM 1537 Guidelines for System Monitoring - Event logging and auditing Events to be logged - 1537 n/a The following events are logged for databases: • access to particularly important data • addition of new users, especially privileged users • any query containing comments • any query containing multiple embedded queries • any query or database alerts or failures • attempts to elevate privileges • attempted access that is successful or unsuccessful • changes to the database structure • changes to user roles or database permissions • database administrator actions • database logons and logoffs • modifications to data • use of executable commands. link count: 003
Audit diagnostic setting for selected resource types (7f89b1eb-583c-429a-8828-af049802c1d9), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1546 AU_ISM_1546 AU ISM 1546 Guidelines for System Hardening - Authentication hardening Authenticating to systems - 1546 n/a Users are authenticated before they are granted access to a system and its resources. link count: 007
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023), Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99), Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da), Service Fabric clusters should only use Azure Active Directory for client authentication (b54ed75b-3e1a-44ac-a333-05ba39b99ff0), Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 1552 AU_ISM_1552 AU ISM 1552 Guidelines for Software Development - Web application development Web application interactions - 1552 n/a All web application content is offered exclusively using HTTPS. link count: 003
App Service apps should only be accessible over HTTPS (a4af4a39-4135-47fb-b175-47fbdf85311d), Function apps should only be accessible over HTTPS (6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab), Only secure connections to your Azure Cache for Redis should be enabled (22bee202-a82f-4305-9a2a-6d7f44d4dedb)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 380 AU_ISM_380 AU ISM 380 Guidelines for System Hardening - Operating system hardening Operating system configuration - 380 n/a Unneeded operating system accounts, software, components, services and functionality are removed or disabled. link count: 002
Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 414 AU_ISM_414 AU ISM 414 Guidelines for Personnel Security - Access to systems and their resources User identification - 414 n/a Personnel granted access to a system and its resources are uniquely identifiable. link count: 003
MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed), MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 415 AU_ISM_415 AU ISM 415 Guidelines for Personnel Security - Access to systems and their resources User identification - 415 n/a The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable. link count: 004
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 421 AU_ISM_421 AU ISM 421 Guidelines for System Hardening - Authentication hardening Single-factor authentication - 421 n/a Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words. link count: 004
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), Windows machines should meet requirements for 'Security Settings - Account Policies' (f2143251-70de-4e81-87a8-36cee5a2f29d)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 430 AU_ISM_430 AU ISM 430 Guidelines for Personnel Security - Access to systems and their resources Suspension of access to systems - 430 n/a Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access. link count: 002
Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 441 AU_ISM_441 AU ISM 441 Guidelines for Personnel Security - Access to systems and their resources Temporary access to systems - 441 n/a When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only data required for them to undertake their duties. link count: 004
Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 445 AU_ISM_445 AU ISM 445 Guidelines for Personnel Security - Access to systems and their resources Privileged access to systems - 445 n/a Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access. link count: 004
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 459 AU_ISM_459 AU ISM 459 Guidelines for Cryptography - Cryptographic fundamentals Encrypting data at rest - 459 n/a Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition. link count: 001
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 520 AU_ISM_520 AU ISM 520 Guidelines for Networking - Network design and configuration Network access controls - 520 n/a Network access controls are implemented on networks to prevent the connection of unauthorised network devices. link count: 001
Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 582 AU_ISM_582 AU ISM 582 Guidelines for System Monitoring - Event logging and auditing Events to be logged - 582 n/a The following events are logged for operating systems: • access to important data and processes • application crashes and any error messages • attempts to use special privileges • changes to accounts • changes to security policy • changes to system configurations • Domain Name System (DNS) and Hypertext Transfer Protocol requests • failed attempts to access data and system resources • service failures and restarts • system startup and shutdown • transfer of data to and from external media • user or group management • use of special privileges. link count: 002
Audit diagnostic setting for selected resource types (7f89b1eb-583c-429a-8828-af049802c1d9), Virtual machines should be connected to a specified workspace (f47b5582-33ec-4c5c-87c0-b010a6b2e917)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 940 AU_ISM_940 AU ISM 940 Guidelines for System Management - System patching When to patch security vulnerabilities - 940 n/a Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users. link count: 007
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
AU_ISM 947 AU_ISM_947 AU ISM 947 Guidelines for Media - Media usage Using media for data transfers - 947 n/a When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer. link count: 001
MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
[Preview]: Australian Government ISM PROTECTED (27272c0b-c225-4cc3-b8b0-f2534b093077)
Azure_Security_Benchmark_v1.0 1.1 Azure_Security_Benchmark_v1.0_1.1 Azure Security Benchmark 1.1 Network Security Protect resources using Network Security Groups or Azure Firewall on your Virtual Network Customer Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service. Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall. General Information on Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview How to create a Virtual Network: https://docs.microsoft.com/azure/virtual-network/quick-create-portal How to create an NSG with a security configuration: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal n/a link count: 021
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c), [Preview]: Container Registry should use a virtual network service endpoint (c4857be7-912a-4c75-87e6-e30292bcdf78), Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6), App Service apps should use a virtual network service endpoint (2d21331d-a4c2-4def-a9ad-ee4e1e023beb), Authorized IP ranges should be defined on Kubernetes Services (0e246bcf-5f6f-4f87-bc6f-775d4712c7ea), Cosmos DB should use a virtual network service endpoint (e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9), Event Hub should use a virtual network service endpoint (d63edb4a-c612-454d-b47d-191a724fcbf0), Internet-facing virtual machines should be protected with network security groups (f6de0be7-9a8a-4b8a-b349-43cf02d22f7c), IP Forwarding on your virtual machine should be disabled (bd352bd5-2853-4985-bf0d-73806b4a5744), Key Vault should use a virtual network service endpoint (ea4d6841-2173-4317-9747-ff522a45120f), Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c), Management ports should be closed on your virtual machines (22730e10-96f6-4aac-ad84-9383d35b5917), Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990), Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49), Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b), SQL Server should use a virtual network service endpoint (ae5d2f14-d830-42b6-9899-df6cfe9c71a3), Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c), Storage Accounts should use a virtual network service endpoint (60d21c4f-21a3-4d94-85f4-b924e6aeeda4), Subnets should be associated with a Network Security Group (e71308d3-144b-4262-b144-efdc3cc90517), Virtual machines should be connected to an approved virtual network (d416745a-506c-48b6-8ab1-83cb814bcaa3), Virtual networks should use specified virtual network gateway (f1776c76-f58c-4245-a8d0-2b207198dc8b)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 1.11 Azure_Security_Benchmark_v1.0_1.11 Azure Security Benchmark 1.11 Network Security Use automated tools to monitor network resource configurations and detect changes Customer Use Azure Policy to validate (and/or remediate) configuration for network resources. How to configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Azure Policy samples for networking: https://docs.microsoft.com/azure/governance/policy/samples/#network n/a link count: 007
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), Windows machines should meet requirements for 'Administrative Templates - Network' (67e010c1-640d-438e-a3a5-feaccb533a98), Windows machines should meet requirements for 'Security Options - Microsoft Network Server' (caf2d518-f029-4f6b-833b-d7081702f253), Windows machines should meet requirements for 'Security Options - Network Access' (3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd), Windows machines should meet requirements for 'Security Options - Network Security' (1221c620-d201-468c-81e7-2817e6107e84)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 1.2 Azure_Security_Benchmark_v1.0_1.2 Azure Security Benchmark 1.2 Network Security Monitor and log the configuration and traffic of Vnets, Subnets, and NICs Customer Use Azure Security Center and follow network protection recommendations to help secure your network resources in Azure. Enable NSG flow logs and send logs into a Storage Account for traffic audit. How to Enable NSG Flow Logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal Understand Network Security provided by Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-network-recommendations n/a link count: 001
Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 1.3 Azure_Security_Benchmark_v1.0_1.3 Azure Security Benchmark 1.3 Network Security Protect critical web applications Customer Deploy Azure Web Application Firewall (WAF) in front of critical web applications for additional inspection of incoming traffic. Enable Diagnostic Setting for WAF and ingest logs into a Storage Account, Event Hub, or Log Analytics Workspace. How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/ag/create-waf-policy-ag n/a link count: 005
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609), App Service apps should have remote debugging turned off (cb510bfd-1cba-4d9f-a230-cb0976f4bb71), App Service apps should not have CORS configured to allow every resource to access your apps (5744710e-cc2f-4ee8-8809-3b11e89f4bc9), Function apps should have remote debugging turned off (0e60b895-3786-45da-8377-9c6b4b6ac5f9), Function apps should not have CORS configured to allow every resource to access your apps (0820b7b9-23aa-4725-a1ce-ae4558f718e5)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 1.4 Azure_Security_Benchmark_v1.0_1.4 Azure Security Benchmark 1.4 Network Security Deny communications with known malicious IP addresses Customer Enable DDoS Standard protection on your Azure Virtual Networks to guard against DDoS attacks. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious IP addresses. Deploy Azure Firewall at each of the organization's network boundaries with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic. Use Azure Security Center Just In Time Network access to configure NSGs to limit exposure of endpoints to approved IP addresses for a limited period. Use Azure Security Center Adaptive Network Hardening to recommend NSG configurations that limit ports and source IPs based on actual traffic and threat intelligence. How to configure DDoS protection: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal Understand Azure Security Center Integrated Threat Intelligence: https://docs.microsoft.com/azure/security-center/security-center-alerts-service-layer Understand Azure Security Center Adaptive Network Hardening: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening Understand Azure Security Center Just In Time Network Access Control: https://docs.microsoft.com/azure/security-center/security-center-just-in-time n/a link count: 004
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c), Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6), Azure DDoS Protection Standard should be enabled (a7aca53f-2ed4-4466-a25e-0b45ade68efd), Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 1.5 Azure_Security_Benchmark_v1.0_1.5 Azure Security Benchmark 1.5 Network Security Record network packets and flow logs Customer Record NSG flow logs into a storage account to generate flow records. If required for investigating anomalous activity, enable Network Watcher packet capture. How to Enable NSG Flow Logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal How to enable Network Watcher: https://docs.microsoft.com/azure/network-watcher/network-watcher-create n/a link count: 001
Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 10.4 Azure_Security_Benchmark_v1.0_10.4 Azure Security Benchmark 10.4 Incident Response Provide security incident contact details and configure alert notifications for security incidents Customer Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved. How to set the Azure Security Center Security Contact: https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details n/a link count: 001
Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 2.2 Azure_Security_Benchmark_v1.0_2.2 Azure Security Benchmark 2.2 Logging and Monitoring Configure central security log management Customer Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage. Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM. How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings How to collect Azure Virtual Machine internal host logs with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm How to get started with Azure Monitor and third-party SIEM integration: https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/ n/a link count: 006
Audit Windows machines on which the Log Analytics agent is not connected as expected (6265018c-d7e2-432f-a75d-094d5f6f4465), Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17), Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' (1a4e592a-6a6e-44a5-9814-e36264ca96e7), Azure Monitor should collect activity logs from all regions (41388f1c-2db0-4c25-95b2-35d7f5ccbfa9), The Log Analytics extension should be installed on Virtual Machine Scale Sets (efbde977-ba53-4479-b8e9-10b957924fbf), Virtual machines should have the Log Analytics extension installed (a70ca396-0a34-413a-88e1-b956c1e683be)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 2.3 Azure_Security_Benchmark_v1.0_2.3 Azure Security Benchmark 2.3 Logging and Monitoring Enable audit logging for Azure resources Customer Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview n/a link count: 015
App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510), Audit diagnostic setting for selected resource types (7f89b1eb-583c-429a-8828-af049802c1d9), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Resource logs in Azure Data Lake Store should be enabled (057ef27e-665e-4328-8ea3-04b3122bd9fb), Resource logs in Azure Stream Analytics should be enabled (f9be5368-9bf5-4b84-9e0a-7850da98bb46), Resource logs in Batch accounts should be enabled (428256e6-1fac-4f48-a757-df34c2b3336d), Resource logs in Data Lake Analytics should be enabled (c95c74d9-38fe-4f0d-af86-0c7d626a315c), Resource logs in Event Hub should be enabled (83a214f7-d01a-484b-91a9-ed54470c9a6a), Resource logs in IoT Hub should be enabled (383856f8-de7f-44a2-81fc-e5135b5c2aa4), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21), Resource logs in Logic Apps should be enabled (34f95f76-5386-4de7-b824-0d8478470c9d), Resource logs in Search services should be enabled (b4330a05-a843-4bc8-bf9a-cacce50c67f4), Resource logs in Service Bus should be enabled (f8d36e2f-389b-4ee4-898d-21aeb69a0f45), Resource logs in Virtual Machine Scale Sets should be enabled (7c1b1214-f927-48bf-8882-84f0af6588b1), SQL Auditing settings should have Action-Groups configured to capture critical activities (7ff426e2-515f-405a-91c8-4f2333442eb5)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 2.4 Azure_Security_Benchmark_v1.0_2.4 Azure Security Benchmark 2.4 Logging and Monitoring Collect security logs from operating systems Customer If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS (Windows Event Logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also collects crash dump files. How to collect Azure Virtual Machine internal host logs with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm Understand Azure Security Center data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection n/a link count: 004
Audit Windows machines on which the Log Analytics agent is not connected as expected (6265018c-d7e2-432f-a75d-094d5f6f4465), Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17), The Log Analytics extension should be installed on Virtual Machine Scale Sets (efbde977-ba53-4479-b8e9-10b957924fbf), Virtual machines should have the Log Analytics extension installed (a70ca396-0a34-413a-88e1-b956c1e683be)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 2.5 Azure_Security_Benchmark_v1.0_2.5 Azure Security Benchmark 2.5 Logging and Monitoring Configure security log storage retention Customer Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage. How to set log retention parameters for Log Analytics Workspaces: https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period n/a link count: 001
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher (89099bee-89e0-4b26-a5f4-165451757743)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 2.7 Azure_Security_Benchmark_v1.0_2.7 Azure Security Benchmark 2.7 Logging and Monitoring Enable alerts for anomalous activity Customer Use Azure Security Center with Log Analytics Workspace for monitoring and alerting on anomalous activity found in security logs and events. Alternatively, you may enable and on-board data to Azure Sentinel. How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard How to manage alerts in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-managing-and-responding-alerts How to alert on log analytics log data: https://docs.microsoft.com/azure/azure-monitor/learn/tutorial-response n/a link count: 002
Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 2.8 Azure_Security_Benchmark_v1.0_2.8 Azure Security Benchmark 2.8 Logging and Monitoring Centralize anti-malware logging Customer Enable antimalware event collection for Azure Virtual Machines and Cloud Services. How to configure Microsoft Antimalware for Virtual Machines: https://docs.microsoft.com/powershell/module/servicemanagement/azure/set-azurevmmicrosoftantimalwareextension?view=azuresmps-4.0.0 How to configure Microsoft Antimalware for Cloud Services: https://docs.microsoft.com/powershell/module/servicemanagement/azure/set-azureserviceantimalwareextension?view=azuresmps-4.0.0 Understand Microsoft Antimalware: https://docs.microsoft.com/azure/security/fundamentals/antimalware n/a link count: 003
Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Microsoft Antimalware for Azure should be configured to automatically update protection signatures (c43e4a30-77cb-48ab-a4dd-93f175c63b57), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 3.1 Azure_Security_Benchmark_v1.0_3.1 Azure Security Benchmark 3.1 Identity and Access Control Maintain an inventory of administrative accounts Customer Azure AD has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups. How to get a directory role in Azure AD with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0 How to get members of a directory role in Azure AD with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrolemember?view=azureadps-2.0 n/a link count: 004
A maximum of 3 owners should be designated for your subscription (4f11b553-d42e-4e3a-89be-32ca364cad4c), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), There should be more than one owner assigned to your subscription (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 3.10 Azure_Security_Benchmark_v1.0_3.10 Azure Security Benchmark 3.10 Identity and Access Control Regularly review and reconcile user access Customer Azure AD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access. Understand Azure AD reporting: https://docs.microsoft.com/azure/active-directory/reports-monitoring/ How to use Azure Identity Access Reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview n/a link count: 005
Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60), External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 3.3 Azure_Security_Benchmark_v1.0_3.3 Azure Security Benchmark 3.3 Identity and Access Control Use dedicated administrative accounts Customer Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts. You can also enable Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft Services and Azure Resource Manager. Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/ n/a link count: 005
A maximum of 3 owners should be designated for your subscription (4f11b553-d42e-4e3a-89be-32ca364cad4c), Audit Windows machines missing any of specified members in the Administrators group (30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7), Audit Windows machines that have extra accounts in the Administrators group (3d2a3320-2a72-4c67-ac5f-caa40fbee2b2), Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f), There should be more than one owner assigned to your subscription (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 3.5 Azure_Security_Benchmark_v1.0_3.5 Azure Security Benchmark 3.5 Identity and Access Control Use multi-factor authentication for all Azure Active Directory based access Customer Enable Azure AD MFA and follow Azure Security Center Identity and Access Management recommendations. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted How to monitor identity and access within Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-identity-access n/a link count: 003
MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed), MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 3.9 Azure_Security_Benchmark_v1.0_3.9 Azure Security Benchmark 3.9 Identity and Access Control Use Azure Active Directory Customer Use Azure Active Directory (AAD) as the central authentication and authorization system. AAD protects data by using strong encryption for data at rest and in transit. AAD also salts, hashes, and securely stores user credentials. How to create and configure an AAD instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant n/a link count: 002
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9), Service Fabric clusters should only use Azure Active Directory for client authentication (b54ed75b-3e1a-44ac-a333-05ba39b99ff0)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 4.4 Azure_Security_Benchmark_v1.0_4.4 Azure Security Benchmark 4.4 Data Protection Encrypt all sensitive information in transit Shared Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater. Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit n/a link count: 010
App Service apps should only be accessible over HTTPS (a4af4a39-4135-47fb-b175-47fbdf85311d), App Service apps should require FTPS only (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b), App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b), Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d), Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af), Function apps should only be accessible over HTTPS (6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab), Function apps should require FTPS only (399b2637-a50f-4f95-96f8-3a145476eb15), Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193), Only secure connections to your Azure Cache for Redis should be enabled (22bee202-a82f-4305-9a2a-6d7f44d4dedb), Secure transfer to storage accounts should be enabled (404c3081-a854-4457-ae30-26a93ef643f9)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 4.5 Azure_Security_Benchmark_v1.0_4.5 Azure Security Benchmark 4.5 Data Protection Use an active discovery tool to identify sensitive data Customer When no feature is available for your specific service in Azure, use a third-party active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site, or at a remote service provider, and update the organization's sensitive information inventory. Use Azure Information Protection for identifying sensitive information within Office 365 documents. Use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases. How to implement Azure SQL Data Discovery: https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification How to implement Azure Information Protection: https://docs.microsoft.com/azure/information-protection/deployment-roadmap n/a link count: 002
Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 4.6 Azure_Security_Benchmark_v1.0_4.6 Azure Security Benchmark 4.6 Data Protection Use Azure RBAC to control access to resources Customer Use Azure AD RBAC to control access to data and resources, otherwise use service specific access control methods. How to configure RBAC in Azure: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal n/a link count: 002
Audit usage of custom RBAC roles (a451c1ef-c6ca-483d-87ed-f49761e3ffb5), Role-Based Access Control (RBAC) should be used on Kubernetes Services (ac4a19c2-fa67-49b4-8ae5-0b2e78c49457)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 4.8 Azure_Security_Benchmark_v1.0_4.8 Azure Security Benchmark 4.8 Data Protection Encrypt sensitive information at rest Customer Use encryption at rest on all Azure resources. Microsoft recommends allowing Azure to manage your encryption keys, however there is the option for you to manage your own keys in some instances. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link count: 007
[Deprecated]: Unattached disks should be encrypted (2c89a2e5-7285-40fe-afe0-ae8654b92fb2), Automation account variables should be encrypted (3657f5a0-770e-44a3-b44e-9431ba1e9735), Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign (617c02be-7f02-4efd-8836-3180d47b6c68), SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2), SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 4.9 Azure_Security_Benchmark_v1.0_4.9 Azure Security Benchmark 4.9 Data Protection Log and alert on changes to critical Azure resources Customer Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to critical Azure resources. How to create alerts for Azure Activity Log events: https://docs.microsoft.com/azure/azure-monitor/platform/alerts-activity-log n/a link count: 001
Azure Monitor should collect activity logs from all regions (41388f1c-2db0-4c25-95b2-35d7f5ccbfa9)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 5.1 Azure_Security_Benchmark_v1.0_5.1 Azure Security Benchmark 5.1 Vulnerability Management Run automated vulnerability scanning tools Customer Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations n/a link count: 003
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 5.2 Azure_Security_Benchmark_v1.0_5.2 Azure Security Benchmark 5.2 Vulnerability Management Deploy automated operating system patch management solution Customer Use Azure "Update Management" to ensure the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/automation-update-management Understand Azure security policies monitored by Security Center: https://docs.microsoft.com/azure/security-center/security-center-policy-definitions n/a link count: 002
System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 5.3 Azure_Security_Benchmark_v1.0_5.3 Azure Security Benchmark 5.3 Vulnerability Management Deploy automated third-party software patch management solution Customer Use a third-party patch management solution. Customers already leveraging System Center Configuration Manager in their environment may leverage System Center Updates Publisher, allowing them to publish custom updates into Windows Server Update Service. This allows Update Manager to patch machines that use System Center Configuration Manager as their update repository with third-party software. n/a link count: 006
App Service apps that use Java should use the latest 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed), App Service apps that use PHP should use the latest 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3), App Service apps that use Python should use the latest 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73), Function apps that use Java should use the latest 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc), Function apps that use Python should use the latest 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73), Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version (fb893a29-21bb-418c-a157-e99480ec364c)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 5.5 Azure_Security_Benchmark_v1.0_5.5 Azure Security Benchmark 5.5 Vulnerability Management Use a risk-rating process to prioritize the remediation of discovered vulnerabilities Customer Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool. n/a link count: 004
SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 6.10 Azure_Security_Benchmark_v1.0_6.10 Azure Security Benchmark 6.10 Inventory and Asset Management Implement approved application list Customer Use Azure Security Center Adaptive Application Controls to specify which file types a rule may or may not apply to. Implement third party solution if this does not meet the requirement. How to use Azure Security Center Adaptive Application Controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application n/a link count: 001
Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 6.8 Azure_Security_Benchmark_v1.0_6.8 Azure Security Benchmark 6.8 Inventory and Asset Management Use only approved applications Customer Use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines. How to use Azure Security Center Adaptive Application Controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application n/a link count: 001
Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 6.9 Azure_Security_Benchmark_v1.0_6.9 Azure Security Benchmark 6.9 Inventory and Asset Management Use only approved Azure services Customer Use Azure Policy to restrict which services you can provision in your environment. How to configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage How to deny a specific resource type with Azure Policy: https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types n/a link count: 002
Storage accounts should be migrated to new Azure Resource Manager resources (37e0d2fe-28a5-43d6-a273-67d37d1f5606), Virtual machines should be migrated to new Azure Resource Manager resources (1d84d5fb-01f6-4d12-ba4f-4a26081d403d)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 7.10 Azure_Security_Benchmark_v1.0_7.10 Azure Security Benchmark 7.10 Secure Configuration Implement automated configuration monitoring for operating systems Customer Use Azure Security Center to perform baseline scans for OS and Docker Settings for containers. Understand Azure Security Center container recommendations: https://docs.microsoft.com/azure/security-center/security-center-container-recommendations n/a link count: 003
Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 7.11 Azure_Security_Benchmark_v1.0_7.11 Azure Security Benchmark 7.11 Secure Configuration Manage Azure secrets securely Customer Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications. How to integrate with Azure Managed Identities: https://docs.microsoft.com/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity How to create a Key Vault: https://docs.microsoft.com/azure/key-vault/quick-create-portal How to provide Key Vault authentication with a managed identity: https://docs.microsoft.com/azure/key-vault/managed-identity n/a link count: 001
Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 7.12 Azure_Security_Benchmark_v1.0_7.12 Azure Security Benchmark 7.12 Secure Configuration Manage identities securely and automatically Customer Use Managed Identities to provide Azure services with an automatically managed identity in Azure AD. Managed Identities allows you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. How to configure Managed Identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm n/a link count: 002
App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332), Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 7.4 Azure_Security_Benchmark_v1.0_7.4 Azure Security Benchmark 7.4 Secure Configuration Maintain secure operating system configurations Shared Base operating system images are managed and maintained by Microsoft. However, you can apply security settings required by your organization using Azure Resource Manager templates and/or Desired State Configuration. How to create an Azure Virtual Machine from an Azure Resource Manager template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template Understand Desired State Configuration for Azure Virtual Machines: https://docs.microsoft.com/azure/virtual-machines/extensions/dsc-overview n/a link count: 003
Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 8.1 Azure_Security_Benchmark_v1.0_8.1 Azure Security Benchmark 8.1 Malware Defense Use centrally managed anti-malware software Customer Use Microsoft Antimalware for Azure Cloud Services and Virtual Machines to continuously monitor and defend your resources. For Linux, use third party antimalware solution. How to configure Microsoft Antimalware for Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware n/a link count: 002
Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 8.3 Azure_Security_Benchmark_v1.0_8.3 Azure Security Benchmark 8.3 Malware Defense Ensure anti-malware software and signatures are updated Customer Microsoft Antimalware will automatically install the latest signatures and engine updates by default. Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. For Linux, use third party antimalware solution. How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware n/a link count: 001
Microsoft Antimalware for Azure should be configured to automatically update protection signatures (c43e4a30-77cb-48ab-a4dd-93f175c63b57)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 9.1 Azure_Security_Benchmark_v1.0_9.1 Azure Security Benchmark 9.1 Data Recovery Ensure regular automated back ups Customer Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period. How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ n/a link count: 005
Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d), Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0), Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970), Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430), Long-term geo-redundant backup should be enabled for Azure SQL Databases (d38fc420-0735-4ef3-ac11-c806f651a570)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 9.2 Azure_Security_Benchmark_v1.0_9.2 Azure Security Benchmark 9.2 Data Recovery Perform complete system backups and backup any customer managed keys Customer Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Back up customer managed keys within Azure Key Vault. How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ How to backup key vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0 n/a link count: 005
Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d), Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0), Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970), Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430), Long-term geo-redundant backup should be enabled for Azure SQL Databases (d38fc420-0735-4ef3-ac11-c806f651a570)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v1.0 9.4 Azure_Security_Benchmark_v1.0_9.4 Azure Security Benchmark 9.4 Data Recovery Ensure protection of backups and customer managed keys Customer For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). You may enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion. How to enable Soft-Delete in Key Vault: https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal n/a link count: 001
Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53)
[Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92)
Azure_Security_Benchmark_v2.0 AM-3 Azure_Security_Benchmark_v2.0_AM-3 Azure Security Benchmark AM-3 Asset Management Use only approved Azure services Customer Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected. Configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage How to deny a specific resource type with Azure Policy: https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal n/a link count: 002
Storage accounts should be migrated to new Azure Resource Manager resources (37e0d2fe-28a5-43d6-a273-67d37d1f5606), Virtual machines should be migrated to new Azure Resource Manager resources (1d84d5fb-01f6-4d12-ba4f-4a26081d403d)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 AM-6 Azure_Security_Benchmark_v2.0_AM-6 Azure Security Benchmark AM-6 Asset Management Use only approved applications in compute resources Customer Ensure that only authorized software executes, and all unauthorized software is blocked from executing on Azure Virtual Machines. Use Azure Security Center (ASC) adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines. Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure Portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace. Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. You can also use a third-party solution to discover and identify unapproved software. How to use Azure Security Center adaptive application controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application Understand Azure Automation Change Tracking and Inventory: https://docs.microsoft.com/azure/automation/change-tracking How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 n/a link count: 001
Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 BR-1 Azure_Security_Benchmark_v2.0_BR-1 Azure Security Benchmark BR-1 Backup and Recovery Ensure regular automated backups Customer Ensure you are backing up systems and data to maintain business continuity after an unexpected event. This should be defined by any objectives for Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Enable Azure Backup and configure the backup source (e.g. Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period. For a higher level of protection, you can enable the geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore. Enterprise-scale business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ How to enable cross region restore: https://docs.microsoft.com/azure/backup/backup-azure-arm-restore-vms#cross-region-restore n/a link count: 005
Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d), Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0), Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970), Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430), Long-term geo-redundant backup should be enabled for Azure SQL Databases (d38fc420-0735-4ef3-ac11-c806f651a570)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 BR-2 Azure_Security_Benchmark_v2.0_BR-2 Azure Security Benchmark BR-2 Backup and Recovery Encrypt backup data Customer Ensure your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose to encrypt the backups using a customer managed key. In this case, ensure this customer-managed key in the key vault is also in the backup scope. Use role-based access control in Azure Backup, Azure Key Vault, or other resources to protect backups and customer managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted. Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk How to backup Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0 Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks n/a link count: 005
Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d), Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0), Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970), Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430), Long-term geo-redundant backup should be enabled for Azure SQL Databases (d38fc420-0735-4ef3-ac11-c806f651a570)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 BR-4 Azure_Security_Benchmark_v2.0_BR-4 Azure Security Benchmark BR-4 Backup and Recovery Mitigate risk of lost keys Customer Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion. How to enable soft delete and purge protection in Key Vault: https://docs.microsoft.com/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal n/a link count: 002
Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53), Key vaults should have soft delete enabled (1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 DP-2 Azure_Security_Benchmark_v2.0_DP-2 Azure Security Benchmark DP-2 Data Protection Protect sensitive data Shared Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases). To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems. For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities. Azure Role Based Access Control (RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview Understand customer data protection in Azure: https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data n/a link count: 007
[Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 DP-3 Azure_Security_Benchmark_v2.0_DP-3 Azure Security Benchmark DP-3 Data Protection Monitor for unauthorized transfer of sensitive data Shared Monitor for unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. Azure Storage Advanced Threat Protection (ATP) and Azure SQL ATP can alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive information. Azure Information Protection (AIP) provides monitoring capabilities for information that has been classified and labelled. If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution to enforce detective and/or preventative controls to prevent data exfiltration. Enable Azure SQL ATP: https://docs.microsoft.com/azure/azure-sql/database/threat-detection-overview Enable Azure Storage ATP: https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center n/a link count: 004
Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 DP-4 Azure_Security_Benchmark_v2.0_DP-4 Azure Security Benchmark DP-4 Data Protection Encrypt sensitive information in transit Shared To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled. By default, Azure provides encryption for data in transit between Azure data centers. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit n/a link count: 012
App Service apps should only be accessible over HTTPS (a4af4a39-4135-47fb-b175-47fbdf85311d), App Service apps should require FTPS only (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b), App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b), Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d), Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af), Function apps should only be accessible over HTTPS (6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab), Function apps should require FTPS only (399b2637-a50f-4f95-96f8-3a145476eb15), Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193), Kubernetes clusters should be accessible only over HTTPS (1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d), Only secure connections to your Azure Cache for Redis should be enabled (22bee202-a82f-4305-9a2a-6d7f44d4dedb), Secure transfer to storage accounts should be enabled (404c3081-a854-4457-ae30-26a93ef643f9), Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
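The DP-4 policies above are Azure Policy definitions whose policyRule block is a tree of field conditions over the resource's properties. The following is an added example, not code from this page or Microsoft's policy engine: a simplified evaluator in Python that applies two rules written in the shape of the listed storage-account policies to constructed resource records. The two storage aliases are real Azure Policy aliases; the alias-to-property resolution, the policy bodies, the resource records and every name below are assumptions made for the example.

```python
"""Simplified Azure Policy rule evaluator (added example, not Microsoft's engine).

Supports the field conditions equals / notEquals / exists, the combinators
allOf / anyOf / not, and [parameters('x')] substitution: enough to express the
DP-4 transit-encryption checks over resource records.
"""
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _resolve(value, params):
    """Substitute a [parameters('x')] reference with the parameter's value."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def _field(resource, field):
    """Read a 'field' reference. type/name/location/id are top-level; anything else
    is treated as an alias '<resourceType>/<path>' under resource['properties'].
    Real alias resolution is richer than this (assumption made for the example)."""
    if field in ("type", "name", "location", "id"):
        return resource.get(field)
    rtype = resource.get("type", "")
    if not field.startswith(rtype + "/"):
        return None  # alias belongs to another resource type
    node = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("/"):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _norm(value):
    """Azure Policy compares strings case-insensitively and booleans as 'true'/'false'."""
    return str(value).lower() if isinstance(value, (str, bool)) else value


def _matches(cond, resource, params):
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (_norm(_resolve(cond["exists"], params)) == "true")
    if "equals" in cond:
        return _norm(actual) == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return _norm(actual) != _norm(_resolve(cond["notEquals"], params))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect ('audit', 'deny', ...) when the 'if' block matches, else None."""
    params = {k: v.get("defaultValue") for k, v in policy.get("parameters", {}).items()}
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if _matches(rule["if"], resource, params) else None


def audit(policies, resources):
    """Return (resource name, policy name) for every resource a policy flags."""
    return [(r["name"], p["name"]) for r in resources for p in policies
            if evaluate(p, r) in ("audit", "deny")]


# Rules in the shape of the DP-4 storage policies listed above; the bodies are the
# example's own, not copied from the built-in definitions.
SECURE_TRANSFER = {
    "name": "Secure transfer to storage accounts should be enabled",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"},
        ]},
        "then": {"effect": "audit"},
    },
}
MIN_TLS = {
    "name": "Storage accounts should have the specified minimum TLS version",
    "parameters": {"minimumTlsVersion": {"type": "String", "defaultValue": "TLS1_2"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            # An account created before the property existed carries no value at
            # all, so 'exists: false' is checked alongside 'notEquals'.
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
                {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                 "notEquals": "[parameters('minimumTlsVersion')]"},
            ]},
        ]},
        "then": {"effect": "audit"},
    },
}
POLICIES = [SECURE_TRANSFER, MIN_TLS]

# Constructed resource records for the example, not real resources.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy01",
     "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stnoversion",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "sthardened",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Web/sites", "name": "web-frontend",
     "properties": {"httpsOnly": False}},  # wrong resource type: both rules skip it
]

if __name__ == "__main__":
    for name, policy in audit(POLICIES, SAMPLE_RESOURCES):
        print(f"NON-COMPLIANT {name}: {policy}")
```

The point to take from the second rule is the `exists: false` branch: a policy that only tests `notEquals` would report an old account with no minimumTlsVersion property as compliant even though such an account still accepts TLS 1.0 clients.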
Azure_Security_Benchmark_v2.0 DP-5 Azure_Security_Benchmark_v2.0_DP-5 Azure Security Benchmark DP-5 Data Protection Encrypt sensitive data at rest Shared To complement access controls, data at rest should be protected against ‘out of band’ attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer managed keys) for certain Azure services. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-at-rest n/a link count: 013
Automation account variables should be encrypted (3657f5a0-770e-44a3-b44e-9431ba1e9735), Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (1f905d99-2ab7-462c-a6b0-f709acca6c8f), Azure Machine Learning workspaces should be encrypted with a customer-managed key (ba769a63-b8cc-4b2d-abf6-ac33c7204be8), Cognitive Services accounts should enable data encryption with a customer-managed key (67121cc7-ff39-4ab8-b7e3-95b84dab487d), Container registries should be encrypted with a customer-managed key (5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580), MySQL servers should use customer-managed keys to encrypt data at rest (83cef61d-dbd1-4b20-a4fc-5fbc7da10833), PostgreSQL servers should use customer-managed keys to encrypt data at rest (18adea5e-f416-4d0f-8aa8-d24321e3e274), Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign (617c02be-7f02-4efd-8836-3180d47b6c68), SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2), SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8), Storage accounts should use customer-managed key for encryption (6fac406b-40ca-413b-bf8e-0bf964659c25), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 ES-1 Azure_Security_Benchmark_v2.0_ES-1 Azure Security Benchmark ES-1 Endpoint Security Use Endpoint Detection and Response (EDR) Customer Enable Endpoint Detection and Response (EDR) capabilities for servers and clients and integrate with SIEM and Security Operations processes. Microsoft Defender Advanced Threat Protection provides EDR capability as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats. Microsoft Defender Advanced Threat Protection Overview: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection Microsoft Defender ATP service for Windows servers: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints Microsoft Defender ATP service for non-Windows servers: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows n/a link count: 001
Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 ES-2 Azure_Security_Benchmark_v2.0_ES-2 Azure Security Benchmark ES-2 Endpoint Security Use centrally managed modern anti-malware software Customer Use a centrally managed endpoint anti-malware solution capable of real-time and periodic scanning. Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines, report the endpoint protection running status, and make recommendations. Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use a third-party anti-malware solution. You can also use Azure Security Center's threat detection for data services to detect malware uploaded to Azure Storage accounts. How to configure Microsoft Antimalware for Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- n/a link count: 003
Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9), Windows Defender Exploit Guard should be enabled on your machines (bed48b13-6647-468e-aa2f-1af1d3f4dd40)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 ES-3 Azure_Security_Benchmark_v2.0_ES-3 Azure Security Benchmark ES-3 Endpoint Security Ensure anti-malware software and signatures are updated Customer Ensure anti-malware signatures are updated rapidly and consistently. Follow the recommendations in Azure Security Center under "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. Microsoft Antimalware installs the latest signature and engine updates automatically by default. For Linux, use a third-party anti-malware solution. How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware Endpoint protection assessment and recommendations in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection n/a link count: 002
Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 IM-1 Azure_Security_Benchmark_v2.0_IM-1 Azure Security Benchmark IM-1 Identity Management Standardize Azure Active Directory as the central identity and authentication system Customer Azure Active Directory (Azure AD) is Azure's default identity and access management service. You should standardize on Azure AD to govern your organization’s identity and access management in: - Microsoft cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. - Your organization's resources, such as applications on Azure or your corporate network resources. Securing Azure AD should be a high priority in your organization’s cloud security practice. Azure AD provides an identity secure score to help you assess your identity security posture relative to Microsoft’s best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture. Note: Azure AD supports external identity providers, which allow users without a Microsoft account to sign in to their applications and resources with their external identity. Tenancy in Azure AD: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps How to create and configure an Azure AD instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant Define Azure AD tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers What is the identity secure score in Azure AD: https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score n/a link count: 004
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9), App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332), Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f), Service Fabric clusters should only use Azure Active Directory for client authentication (b54ed75b-3e1a-44ac-a333-05ba39b99ff0)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 IM-2 Azure_Security_Benchmark_v2.0_IM-2 Azure Security Benchmark IM-2 Identity Management Manage application identities securely and automatically Customer For non-human accounts such as services or automation, use Azure managed identities instead of creating a more powerful human account to access resources or execute code. Azure managed identities can authenticate to Azure services and resources that support Azure AD authentication. Authentication is enabled through pre-defined access grant rules, avoiding hard-coded credentials in source code or configuration files. For services that do not support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level instead. Configure service principals with certificate credentials, and fall back to client secrets only where certificates are not supported. In both cases, Azure Key Vault can be used in conjunction with Azure managed identities, so that the runtime environment (such as an Azure function) can retrieve the credential from the key vault. Azure managed identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview Services that support managed identities for Azure resources: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities Azure service principal: https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps Create a service principal with certificates: https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell Use Azure Key Vault for security principal registration: https://docs.microsoft.com/azure/key-vault/general/authentication#security-principal-registration n/a link count: 002
App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332), Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 IM-4 Azure_Security_Benchmark_v2.0_IM-4 Azure Security Benchmark IM-4 Identity Management Use strong authentication controls for all Azure Active Directory based access Customer Azure AD supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods. - Multi-factor authentication: Enable Azure AD MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, on selected users, or per user based on sign-in conditions and risk factors. - Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, the Microsoft Authenticator app, and on-premises authentication methods such as smart cards. For administrator and privileged users, ensure the highest level of strong authentication is used, then roll out the appropriate strong authentication policy to other users. If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure AD) have a default baseline password policy, while hybrid accounts (user accounts synchronized from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Azure AD provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (e.g. branding, cultural references, etc.). This password protection can be used for cloud-only and hybrid accounts. Note: Authentication based on password credentials alone is susceptible to common attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may have default passwords, change them during initial service setup. How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted Introduction to passwordless authentication options for Azure Active Directory: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Azure AD default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad n/a link count: 003
MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed), MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 IR-2 Azure_Security_Benchmark_v2.0_IR-2 Azure Security Benchmark IR-2 Incident Response Preparation - setup incident notification Customer Set up security incident contact information in Azure Security Center. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alert and notification in different Azure services based on your incident response needs. How to set the Azure Security Center security contact: https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details n/a link count: 003
Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899), Email notification to subscription owner for high severity alerts should be enabled (0b15565f-aa9e-48ba-8619-45960f2c314d), Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 IR-3 Azure_Security_Benchmark_v2.0_IR-3 Azure Security Benchmark IR-3 Incident Response Detection and analysis - create incidents based on high quality alerts Customer Ensure you have a process to create high quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don’t waste time on false positives. High quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. Azure Security Center provides high quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion. How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export How to stream alerts into Azure Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center n/a link count: 009
[Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4), [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a), Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 IR-5 Azure_Security_Benchmark_v2.0_IR-5 Azure Security Benchmark IR-5 Incident Response Detection and analysis - prioritize incidents Customer Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity. Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred. Security alerts in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-alerts-overview Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags n/a link count: 009
[Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4), [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a), Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 LT-1 Azure_Security_Benchmark_v2.0_LT-1 Azure Security Benchmark LT-1 Logging and Threat Detection Enable threat detection for Azure resources Customer Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data. Use the Azure Security Center built-in threat detection capability, which is based on monitoring Azure service telemetry and analyzing service logs. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the system and copies the data to your workspace for analysis. In addition, use Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. The rules generate incidents when the criteria are matched, so that you can investigate each incident. Azure Sentinel can also import third party threat intelligence to enhance its threat detection capability. Threat protection in Azure Security Center: https://docs.microsoft.com/azure/security-center/threat-protection Azure Security Center security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom Cyber threat intelligence with Azure Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence n/a link count: 009
[Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4), [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a), Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 LT-2 Azure_Security_Benchmark_v2.0_LT-2 Azure Security Benchmark LT-2 Logging and Threat Detection Enable threat detection for Azure identity and access management Customer Azure AD provides the following user logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases: - Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities. - Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies. - Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. - Users flagged for risk - A risky user is an indicator for a user account that might have been compromised. Azure Security Center can also alert on certain suspicious activities such as an excessive number of failed authentication attempts, and deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Azure Security Center’s Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, App Service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources. Audit activity reports in Azure AD: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection Threat protection in Azure Security Center: https://docs.microsoft.com/azure/security-center/threat-protection n/a link count: 009
[Deprecated]: Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4), [Deprecated]: Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a), Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 LT-3 Azure_Security_Benchmark_v2.0_LT-3 Azure Security Benchmark LT-3 Logging and Threat Detection Enable logging for Azure network activities Customer Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights. Ensure you are collecting DNS query logs to assist in correlating other network data. How to enable network security group flow logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal Azure Firewall logs and metrics: https://docs.microsoft.com/azure/firewall/logs-and-metrics How to enable and use Traffic Analytics: https://docs.microsoft.com/azure/network-watcher/traffic-analytics Monitoring with Network Watcher: https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview Azure networking monitoring solutions in Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics Gather insights about your DNS infrastructure with the DNS Analytics solution: https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics n/a link count: 003
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines (04c4380f-3fae-46e8-96c9-30193528f602), [Preview]: Network traffic data collection agent should be installed on Windows virtual machines (2f2ee1de-44aa-4762-b6bd-0893fc3f306d), Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
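LT-3 asks for NSG flow logs to be collected for investigation and alerting, and DP-3 above asks for large or unusual transfers to be flagged. The following added example, not code from this page or from Microsoft, parses a constructed NSG flow log record in the version 2 tuple layout with Python, counts denied inbound connection attempts per source address, and totals outbound bytes per flow so that transfers above a threshold stand out. The record, the addresses and the byte counts are constructed for the example; the threshold value and all function names are assumptions.

```python
"""NSG flow log (version 2) triage: denied inbound sources and large egress.
Added example over a constructed record; not code from this page or Microsoft."""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed record in the layout Network Watcher writes for version 2 flow logs.
# Tuple fields: time,srcIp,dstIp,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D),
# state(B/C/E),pktsS2D,bytesS2D,pktsD2S,bytesD2S. Counters are present on C/E
# tuples only and cover the interval since the flow's previous tuple.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2023-01-27T18:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG-WEB/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1674842400,203.0.113.7,10.0.0.4,51234,22,T,I,D,B,,,,",
            "1674842401,203.0.113.7,10.0.0.4,51235,3389,T,I,D,B,,,,",
            "1674842402,203.0.113.7,10.0.0.4,51236,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_allow-https-in", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1674842410,198.51.100.9,10.0.0.4,44931,443,T,I,A,B,,,,",
            "1674842470,198.51.100.9,10.0.0.4,44931,443,T,I,A,E,12,4200,10,8800"]}]},
        {"rule": "UserRule_allow-https-out", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1674842500,10.0.0.4,192.0.2.10,50001,443,T,O,A,E,30,40000,28,9000",
            "1674842500,10.0.0.4,192.0.2.50,50002,443,T,O,A,B,,,,",
            "1674842560,10.0.0.4,192.0.2.50,50002,443,T,O,A,C,600000,900000000,300000,12000000",
            "1674842620,10.0.0.4,192.0.2.50,50002,443,T,O,A,E,800000,1200000000,400000,16000000"]}]},
    ]}}]})


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str   # 'I' inbound to the NIC, 'O' outbound from it
    decision: str    # 'A' allowed, 'D' denied
    state: str       # 'B' begin, 'C' continuing, 'E' end
    bytes_s2d: int   # source-to-destination bytes in this tuple's interval
    rule: str


def parse_tuple(raw, rule):
    f = raw.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 version-2 fields, got {len(f)}: {raw}")
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[6], f[7], f[8],
                int(f[10]) if f[10] else 0, rule)


def iter_flows(log_text):
    """Yield every tuple in a flow log document, annotated with the NSG rule that matched."""
    for rec in json.loads(log_text)["records"]:
        if rec.get("category") != "NetworkSecurityGroupFlowEvent":
            continue
        props = rec["properties"]
        if props.get("Version") != 2:
            raise ValueError("byte counters need version 2 tuples")
        for rule_block in props["flows"]:
            for per_nic in rule_block["flows"]:
                for raw in per_nic["flowTuples"]:
                    yield parse_tuple(raw, rule_block["rule"])


def denied_inbound_sources(log_text):
    """Count denied inbound attempts per source IP: scanners and brute force stand out."""
    return dict(Counter(f.src_ip for f in iter_flows(log_text)
                        if f.direction == "I" and f.decision == "D"))


def large_egress(log_text, threshold_bytes):
    """Sum outbound bytes per (src, dst, dst port) across C/E tuples and return the
    flows at or above the threshold: the 'large or unusual transfer' DP-3 asks about."""
    totals = defaultdict(int)
    for f in iter_flows(log_text):
        if f.direction == "O" and f.decision == "A" and f.state in ("C", "E"):
            totals[(f.src_ip, f.dst_ip, f.dst_port)] += f.bytes_s2d
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


if __name__ == "__main__":
    print("denied inbound:", denied_inbound_sources(SAMPLE_LOG))
    print("egress >= 1 GB:", large_egress(SAMPLE_LOG, 1_000_000_000))
```

Summing across the C and E tuples matters: a long-lived flow is reported in pieces, so checking any single tuple against the threshold would miss a transfer that is spread over several reporting intervals. Real logs arrive as hourly blobs per NSG, so the same aggregation has to span files (or run on the Log Analytics copy that Traffic Analytics builds).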
Azure_Security_Benchmark_v2.0 LT-4 Azure_Security_Benchmark_v2.0_LT-4 Azure Security Benchmark LT-4 Logging and Threat Detection Enable logging for Azure resources Shared Enable logging for Azure resources to meet the requirements for compliance, threat detection, hunting, and incident investigation. You can use Azure Security Center and Azure Policy to enable resource logs and log data collecting on Azure resources for access to audit, security, and resource logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview Understand Azure Security Center data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets n/a link count: 013
App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Resource logs in Azure Data Lake Store should be enabled (057ef27e-665e-4328-8ea3-04b3122bd9fb), Resource logs in Azure Stream Analytics should be enabled (f9be5368-9bf5-4b84-9e0a-7850da98bb46), Resource logs in Batch accounts should be enabled (428256e6-1fac-4f48-a757-df34c2b3336d), Resource logs in Data Lake Analytics should be enabled (c95c74d9-38fe-4f0d-af86-0c7d626a315c), Resource logs in Event Hub should be enabled (83a214f7-d01a-484b-91a9-ed54470c9a6a), Resource logs in IoT Hub should be enabled (383856f8-de7f-44a2-81fc-e5135b5c2aa4), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21), Resource logs in Logic Apps should be enabled (34f95f76-5386-4de7-b824-0d8478470c9d), Resource logs in Search services should be enabled (b4330a05-a843-4bc8-bf9a-cacce50c67f4), Resource logs in Service Bus should be enabled (f8d36e2f-389b-4ee4-898d-21aeb69a0f45), Resource logs in Virtual Machine Scale Sets should be enabled (7c1b1214-f927-48bf-8882-84f0af6588b1)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 LT-5 Azure_Security_Benchmark_v2.0_LT-5 Azure Security Benchmark LT-5 Logging and Threat Detection Centralize security log management and analysis Customer Centralize logging storage and analysis to enable correlation. For each log source, ensure you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements. Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage. In addition, enable and onboard data to Azure Sentinel or a third-party SIEM. Many organizations choose to use Azure Sentinel for “hot” data that is used frequently and Azure Storage for “cold” data that is used less frequently. How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard n/a link count: 005
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines (842c54e8-c2f9-4d79-ae8d-38d8b8019373), [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines (d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e), Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17), Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (a4fe33eb-e377-4efb-ab31-0784311bc499), Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring (a3a6ea0c-e018-4933-9ef0-5aaa1501449b)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 NS-1 Azure_Security_Benchmark_v2.0_NS-1 Azure Security Benchmark NS-1 Network Security Implement security for internal traffic Customer Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with either a network security group (NSG) and/or Azure Firewall. Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology). Use Azure Security Center Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based on external network traffic rules. Use Azure Sentinel to discover the use of legacy insecure protocols such as SSL/TLSv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos. How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal Adaptive Network Hardening in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening Azure Sentinel insecure protocols workbook: https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks n/a link count: 020
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c), Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6), API Management services should use a virtual network (ef619a2c-cc4d-4d03-b2ba-8c94a834d85b), Authorized IP ranges should be defined on Kubernetes Services (0e246bcf-5f6f-4f87-bc6f-775d4712c7ea), Azure Cosmos DB accounts should have firewall rules (862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb), Azure Key Vault should have firewall enabled (55615ac9-af46-4a59-874e-391cc3dfb490), Cognitive Services accounts should disable public network access (0725b4dd-7e76-479c-a735-68e7ee23d5ca), Cognitive Services accounts should restrict network access (037eea7a-bd0a-46c5-9a66-03aea78705d3), Container registries should not allow unrestricted network access (d0793b48-0edc-4296-a390-4c75d1bdfd71), Internet-facing virtual machines should be protected with network security groups (f6de0be7-9a8a-4b8a-b349-43cf02d22f7c), IP Forwarding on your virtual machine should be disabled (bd352bd5-2853-4985-bf0d-73806b4a5744), Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c), Management ports should be closed on your virtual machines (22730e10-96f6-4aac-ad84-9383d35b5917), Public network access on Azure SQL Database should be disabled (1b8ca024-1d5c-4dec-8995-b1a932b41780), Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077), Public network access should be disabled for MySQL servers (d9844e8a-1437-4aeb-a32c-0c992f056095), Public network access should be disabled for PostgreSQL servers (b52376f7-9612-48a1-81cd-1ffe4b61032c), Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c), Storage accounts should restrict network access using virtual network rules (2a1a9cdf-e04d-429a-8416-3bfb72a1b26f), Subnets should be associated with a Network Security Group (e71308d3-144b-4262-b144-efdc3cc90517)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 NS-2 Azure_Security_Benchmark_v2.0_NS-2 Azure Security Benchmark NS-2 Network Security Connect private networks together Customer Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections do not go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute. To connect two or more virtual networks in Azure together, use virtual network peering or Private Link. Network traffic between peered virtual networks is private and is kept on the Azure backbone network. What are the ExpressRoute connectivity models: https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models Azure VPN overview: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways Virtual network peering: https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-service-overview n/a link count: 015
[Deprecated]: Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4), [Preview]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147), App Configuration should use private link (ca610c1d-041c-4332-9d88-7ed3094967c7), Azure Event Grid domains should use private link (9830b652-8523-49cc-b1b3-e17dce1127ca), Azure Event Grid topics should use private link (4b90e17e-8448-49db-875e-bd83fb6f804f), Azure Machine Learning workspaces should use private link (40cec1dd-a100-4920-b15b-3024fe8901ab), Azure SignalR Service should use private link (2393d2cf-a342-44cd-a2e2-fe0188fd1234), Azure Spring Cloud should use network injection (af35e2a4-ef96-44e7-a9ae-853dd97032c4), Container registries should use private link (e8eef0a8-67cf-4eb4-9386-14b0e78733d4), Private endpoint connections on Azure SQL Database should be enabled (7698e800-9299-47a6-b3b6-5a0fee576eed), Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990), Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49), Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b), Storage accounts should use private link (6edd7eda-6dd8-40f7-810d-67160c639cd9), VM Image Builder templates should use private link (2154edb9-244f-4741-9970-660785bccdaa)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 NS-3 Azure_Security_Benchmark_v2.0_NS-3 Azure Security Benchmark NS-3 Network Security Establish private network access to Azure services Customer Use Azure Private Link to enable private access to Azure services from your virtual networks, without crossing the internet. In situations where Azure Private Link is not yet available, use Azure Virtual Network service endpoints. Azure Virtual Network service endpoints provide secure access to services via an optimized route over the Azure backbone network. Private access is an additional defense in depth measure in addition to authentication and traffic security offered by Azure services. Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview Understand Virtual Network service endpoints: https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview n/a link count: 013
[Preview]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147), App Configuration should use private link (ca610c1d-041c-4332-9d88-7ed3094967c7), Azure Event Grid domains should use private link (9830b652-8523-49cc-b1b3-e17dce1127ca), Azure Event Grid topics should use private link (4b90e17e-8448-49db-875e-bd83fb6f804f), Azure Machine Learning workspaces should use private link (40cec1dd-a100-4920-b15b-3024fe8901ab), Azure SignalR Service should use private link (2393d2cf-a342-44cd-a2e2-fe0188fd1234), Container registries should use private link (e8eef0a8-67cf-4eb4-9386-14b0e78733d4), Private endpoint connections on Azure SQL Database should be enabled (7698e800-9299-47a6-b3b6-5a0fee576eed), Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990), Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49), Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b), Storage accounts should use private link (6edd7eda-6dd8-40f7-810d-67160c639cd9), VM Image Builder templates should use private link (2154edb9-244f-4741-9970-660785bccdaa)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 NS-4 Azure_Security_Benchmark_v2.0_NS-4 Azure Security Benchmark NS-4 Network Security Protect applications and services from external network attacks Customer Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) Attacks, application specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this: - Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. - Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks. - Protect your assets against DDoS attacks by enabling DDoS standard protection on your Azure virtual networks. - Use Azure Security Center to detect misconfiguration risks related to the above. Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/ How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview Manage Azure DDoS Protection Standard using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection n/a link count: 015
[Deprecated]: RDP access from the Internet should be blocked (e372f825-a257-4fb8-9175-797a8a8627d6), [Deprecated]: SSH access from the Internet should be blocked (2c89a2e5-7285-40fe-afe0-ae8654b92fab), [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c), Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6), Authorized IP ranges should be defined on Kubernetes Services (0e246bcf-5f6f-4f87-bc6f-775d4712c7ea), Azure Cosmos DB accounts should have firewall rules (862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb), Azure DDoS Protection Standard should be enabled (a7aca53f-2ed4-4466-a25e-0b45ade68efd), Azure Key Vault should have firewall enabled (55615ac9-af46-4a59-874e-391cc3dfb490), Azure Web Application Firewall should be enabled for Azure Front Door entry-points (055aa869-bc98-4af8-bafc-23f1ab6ffe2c), Internet-facing virtual machines should be protected with network security groups (f6de0be7-9a8a-4b8a-b349-43cf02d22f7c), IP Forwarding on your virtual machine should be disabled (bd352bd5-2853-4985-bf0d-73806b4a5744), Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c), Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c), Subnets should be associated with a Network Security Group (e71308d3-144b-4262-b144-efdc3cc90517), Web Application Firewall (WAF) should be enabled for Application Gateway (564feb30-bf6a-4854-b4bb-0d2d2d1e6c66)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 NS-5 Azure_Security_Benchmark_v2.0_NS-5 Azure Security Benchmark NS-5 Network Security Deploy intrusion detection/intrusion prevention systems (IDS/IPS) Customer Use Azure Firewall threat intelligence-based filtering to alert on and/or block traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. When payload inspection is required, you can deploy a third-party intrusion detection/intrusion prevention system (IDS/IPS) from Azure Marketplace with payload inspection capabilities. Alternatively, you can use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with or instead of network-based IDS/IPS. Note: If you have a regulatory or other requirement for IDS/IPS use, ensure that it is always tuned to provide high quality alerts to your SIEM solution. How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal Azure Marketplace includes third party IDS capabilities: https://azuremarketplace.microsoft.com/marketplace?search=IDS Microsoft Defender ATP EDR capability: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response n/a link count: 001
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 PA-1 Azure_Security_Benchmark_v2.0_PA-1 Azure Security Benchmark PA-1 Privileged Access Protect and limit highly privileged users Customer Limit the number of highly privileged user accounts, and protect these accounts at an elevated level. The most critical built-in roles in Azure AD are Global Administrator and the Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment: - Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities. - Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. Note: You may have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. And you may also want to apply similar controls to the administrator account of critical business assets. You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization. Administrator role permissions in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles Use Azure Privileged Identity Management security alerts: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts Securing privileged access for hybrid and cloud deployments in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure n/a link count: 004
A maximum of 3 owners should be designated for your subscription (4f11b553-d42e-4e3a-89be-32ca364cad4c), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), There should be more than one owner assigned to your subscription (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 PA-3 Azure_Security_Benchmark_v2.0_PA-3 Azure Security Benchmark PA-3 Privileged Access Review and reconcile user access regularly Customer Review user accounts and access assignment regularly to ensure the accounts and their level of access are valid. You can use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management to create an access review report workflow that facilitates the review process. In addition, Azure Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured. Note: Some Azure services support local users and roles that aren't managed through Azure AD. You must manage these users separately. Create an access review of Azure resource roles in Privileged Identity Management (PIM): https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview n/a link count: 005
Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60), External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 PA-7 Azure_Security_Benchmark_v2.0_PA-7 Azure Security Benchmark PA-7 Privileged Access Follow just enough administration (least privilege principle) Customer Azure role-based access control (Azure RBAC) allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges complement the just in time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. Use built-in roles to allocate permissions and only create custom roles when required. What is Azure role-based access control (Azure RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview How to configure Azure RBAC: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview n/a link count: 003
[Deprecated]: Custom subscription owner roles should not exist (10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9), Audit usage of custom RBAC roles (a451c1ef-c6ca-483d-87ed-f49761e3ffb5), Role-Based Access Control (RBAC) should be used on Kubernetes Services (ac4a19c2-fa67-49b4-8ae5-0b2e78c49457)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 PV-2 Azure_Security_Benchmark_v2.0_PV-2 Azure Security Benchmark PV-2 Posture and Vulnerability Management Sustain secure configurations for Azure services Customer Use Azure Security Center to monitor your configuration baseline and use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure compute resources, including VMs, containers, and others. Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage n/a link count: 019
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609), App Service apps should have remote debugging turned off (cb510bfd-1cba-4d9f-a230-cb0976f4bb71), App Service apps should not have CORS configured to allow every resource to access your apps (5744710e-cc2f-4ee8-8809-3b11e89f4bc9), Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters (0a15ec92-a229-4763-bb14-0ea34a568f8d), Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c), Function apps should have remote debugging turned off (0e60b895-3786-45da-8377-9c6b4b6ac5f9), Function apps should not have CORS configured to allow every resource to access your apps (0820b7b9-23aa-4725-a1ce-ae4558f718e5), Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits (e345eecc-fa47-480f-9e88-67dcc122b164), Kubernetes cluster containers should not share host process ID or host IPC namespace (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8), Kubernetes cluster containers should only use allowed AppArmor profiles (511f5417-5d12-434d-ab2e-816901e72a5e), Kubernetes cluster containers should only use allowed capabilities (c26596ff-4d70-4e6a-9a30-c2506bd2f80c), Kubernetes cluster containers should only use allowed images (febd0533-8e55-448f-b837-bd0e06f16469), Kubernetes cluster containers should run with a read only root file system (df49d893-a74c-421d-bc95-c663042e5b80), Kubernetes cluster pod hostPath volumes should only use allowed host paths (098fc59e-46c7-4d99-9b16-64990e543d75), Kubernetes cluster pods and containers should only run with approved user and group IDs (f06ddb64-5fa3-4b77-b166-acb36f7f6042), Kubernetes cluster pods should only use approved host network and port range (82985f06-dc18-4a48-bc1c-b9f4f0098cfe), Kubernetes cluster services should listen only on allowed ports (233a2a17-77ca-4fb1-9b6b-69223d272a44), Kubernetes cluster should not allow privileged containers (95edb821-ddaf-4404-9732-666045e056b4), Kubernetes clusters should not allow container privilege escalation (1c6e92c9-99f0-4e55-9cf2-0c234dc48f99)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 PV-4 Azure_Security_Benchmark_v2.0_PV-4 Azure Security Benchmark PV-4 Posture and Vulnerability Management Sustain secure configurations for compute resources Shared Use Azure Security Center and Azure Policy to regularly assess and remediate configuration risks on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system required by your organization. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Also, note that Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft. Azure Security Center can also scan vulnerabilities in container images and perform continuous monitoring of your Docker configuration in containers, based on the CIS Docker Benchmark. You can use the Azure Security Center recommendations page to view recommendations and remediate issues. How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal Information on how to download template for a VM: https://docs.microsoft.com/azure/virtual-machines/windows/download-template Sample script to upload a VHD to Azure and create a new VM: https://docs.microsoft.com/azure/virtual-machines/scripts/virtual-machines-windows-powershell-upload-generalized-script Container security in Azure Security Center: https://docs.microsoft.com/azure/security-center/container-security n/a link count: 003
Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 PV-6 Azure_Security_Benchmark_v2.0_PV-6 Azure Security Benchmark PV-6 Posture and Vulnerability Management Perform software vulnerability assessments Customer Follow recommendations from Azure Security Center for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Azure Security Center has a built-in vulnerability scanner for virtual machine scan. Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you can pivot into the selected scan solution's portal to view historical scan data. How to implement Azure Security Center vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment Exporting Azure Security Center vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results n/a link count: 005
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), Container registry images should have vulnerability findings resolved (5f0f936f-2f01-4bf5-b6be-d423792fa562), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v2.0 PV-7 Azure_Security_Benchmark_v2.0_PV-7 Azure Security Benchmark PV-7 Posture and Vulnerability Management Rapidly and automatically remediate software vulnerabilities Customer Rapidly deploy software updates to remediate software vulnerabilities in operating systems and applications. Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment, taking into account which applications present a high security risk and which ones require high uptime. Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager. How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/automation-update-management Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/automation-tutorial-update-management n/a link count: 008
App Service apps that use Java should use the latest 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed), App Service apps that use PHP should use the latest 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3), App Service apps that use Python should use the latest 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73), Function apps that use Java should use the latest 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc), Function apps that use Python should use the latest 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73), Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version (fb893a29-21bb-418c-a157-e99480ec364c), System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)
[Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b)
Azure_Security_Benchmark_v3.0 AM-2 Azure_Security_Benchmark_v3.0_AM-2 Azure Security Benchmark AM-2 Asset Management Use only approved services Shared **Security Principle:** Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment. **Azure Guidance:** Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected. **Implementation and additional context:** Configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage How to deny a specific resource type with Azure Policy: https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal n/a link count: 002
Storage accounts should be migrated to new Azure Resource Manager resources (37e0d2fe-28a5-43d6-a273-67d37d1f5606), Virtual machines should be migrated to new Azure Resource Manager resources (1d84d5fb-01f6-4d12-ba4f-4a26081d403d)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 AM-5 Azure_Security_Benchmark_v3.0_AM-5 Azure Security Benchmark AM-5 Asset Management Use only approved applications in virtual machine Shared **Security Principle:** Ensure that only authorized software executes by creating an allow list and blocking unauthorized software from executing in your environment. **Azure Guidance:** Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use these adaptive application controls to ensure that only authorized software executes and that all unauthorized software is blocked from executing on Azure Virtual Machines. Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace. Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts on Azure compute resources. You can also use a third-party solution to discover and identify unapproved software. **Implementation and additional context:** How to use Microsoft Defender for Cloud adaptive application controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application Understand Azure Automation Change Tracking and Inventory: https://docs.microsoft.com/azure/automation/change-tracking How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 n/a link count: 002
Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc), Allowlist rules in your adaptive application control policy should be updated (123a3936-f020-408a-ba0c-47873faf1534)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 BR-1 Azure_Security_Benchmark_v3.0_BR-1 Azure Security Benchmark BR-1 Backup and Recovery Ensure regular automated backups Shared **Security Principle:** Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources. **Azure Guidance:** For Azure Backup supported resources, enable Azure Backup and configure the backup source (such as Azure VMs, SQL Server, HANA databases, or File Shares) with the desired frequency and retention period. For Azure VMs, you can use Azure Policy to have backup enabled automatically at VM creation. For resources not supported by Azure Backup, enable backup as part of resource creation. Where applicable, use built-in Azure Policy definitions to ensure that your Azure resources are configured for backup. **Implementation and additional context:** How to enable Azure Backup: https://docs.microsoft.com/azure/backup/ Auto-Enable Backup on VM Creation using Azure Policy: https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup n/a link count: 004
Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d), Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0), Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970), Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 BR-2 Azure_Security_Benchmark_v3.0_BR-2 Azure Security Benchmark BR-2 Backup and Recovery Protect backup and recovery data Shared **Security Principle:** Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control and data encryption at rest and in transit. **Azure Guidance:** Use Azure RBAC and multi-factor authentication to secure critical Azure Backup operations (such as delete, change retention, and updates to the backup configuration). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine-grained access, and create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vaults. For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using a customer-managed key. In this case, ensure this customer-managed key in Azure Key Vault is also in the backup scope. If you use customer-managed key options, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption at rest is provided using the passphrase you provide. Safeguard backup data from accidental or malicious deletion (such as ransomware attacks or attempts to encrypt or tamper with backup data). For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multi-factor authentication using a PIN generated in the Azure portal. Also enable cross-region restore to ensure backup data is restorable when there is a disaster in the primary region.
Note: If you use resource's native backup feature or backup services other than Azure Backup, refer to the Azure Security Benchmark (and service baselines) to implement the above controls. **Implementation and additional context:** Overview of security features in Azure Backup: https://docs.microsoft.com/azure/backup/security-overview Encryption of backup data using customer-managed keys: https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks Azure Backup - set cross region restore https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore n/a link count: 004
Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d), Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0), Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970), Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 DP-2 Azure_Security_Benchmark_v3.0_DP-2 Azure Security Benchmark DP-2 Data Protection Monitor anomalies and threats targeting sensitive data Shared **Security Principle:** Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. **Azure Guidance:** Use Azure Information Protection (AIP) to monitor the data that has been classified and labeled. Use Azure Defender for Storage, Azure Defender for SQL, and the Defender plan for Azure Cosmos DB to alert on anomalous transfers that might indicate unauthorized movement of sensitive data. Note: If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution from Azure Marketplace or a Microsoft 365 DLP solution to enforce detective and/or preventive controls against data exfiltration. **Implementation and additional context:** Enable Azure Defender for SQL: https://docs.microsoft.com/azure/azure-sql/database/azure-defender-for-sql Enable Azure Defender for Storage: https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center n/a link count: 005
Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for open-source relational databases should be enabled (0a9fbe0d-c5c4-4da8-87d8-f4fd77338835), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 DP-3 Azure_Security_Benchmark_v3.0_DP-3 Azure Security Benchmark DP-3 Data Protection Encrypt sensitive data in transit Shared **Security Principle:** Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, it is critical for traffic on external and public networks. **Azure Guidance:** Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web applications and services by ensuring that any clients connecting to your Azure resources use Transport Layer Security (TLS) 1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS 1.2 or later is enabled on most Azure PaaS services by default. **Implementation and additional context:** Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account n/a link count: 012
App Service apps should only be accessible over HTTPS (a4af4a39-4135-47fb-b175-47fbdf85311d), App Service apps should require FTPS only (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b), App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b), Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d), Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af), Function apps should only be accessible over HTTPS (6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab), Function apps should require FTPS only (399b2637-a50f-4f95-96f8-3a145476eb15), Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193), Kubernetes clusters should be accessible only over HTTPS (1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d), Only secure connections to your Azure Cache for Redis should be enabled (22bee202-a82f-4305-9a2a-6d7f44d4dedb), Secure transfer to storage accounts should be enabled (404c3081-a854-4457-ae30-26a93ef643f9), Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 DP-4 Azure_Security_Benchmark_v3.0_DP-4 Azure Security Benchmark DP-4 Data Protection Enable data at rest encryption by default Shared **Security Principle:** To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. **Azure Guidance:** Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key. Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs for storage level, file level, or database level encryption. **Implementation and additional context:** Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models n/a link count: 006
[Preview]: Linux machines should encrypt temp disks, caches, and data flows between Compute and Storage resources. (ca88aadc-6e2b-416c-9de2-5a0f01d1693f), [Preview]: Windows machines should encrypt temp disks, caches, and data flows between Compute and Storage resources. (3dc5edcd-002d-444c-b216-e123bbfa37c0), Automation account variables should be encrypted (3657f5a0-770e-44a3-b44e-9431ba1e9735), Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign (617c02be-7f02-4efd-8836-3180d47b6c68), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 DP-5 Azure_Security_Benchmark_v3.0_DP-5 Azure Security Benchmark DP-5 Data Protection Use customer-managed key option in data at rest encryption when required Shared **Security Principle:** If required for regulatory compliance, define the use case and service scope where the customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed keys in those services. **Azure Guidance:** Azure also provides an encryption option using keys you manage yourself (customer-managed keys) for certain services. However, the customer-managed key option requires additional operational effort to manage the key lifecycle, which may include key generation, rotation, revocation, and access control. **Implementation and additional context:** Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link count: 009
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (1f905d99-2ab7-462c-a6b0-f709acca6c8f), Azure Machine Learning workspaces should be encrypted with a customer-managed key (ba769a63-b8cc-4b2d-abf6-ac33c7204be8), Cognitive Services accounts should enable data encryption with a customer-managed key (67121cc7-ff39-4ab8-b7e3-95b84dab487d), Container registries should be encrypted with a customer-managed key (5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580), MySQL servers should use customer-managed keys to encrypt data at rest (83cef61d-dbd1-4b20-a4fc-5fbc7da10833), PostgreSQL servers should use customer-managed keys to encrypt data at rest (18adea5e-f416-4d0f-8aa8-d24321e3e274), SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2), SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8), Storage accounts should use customer-managed key for encryption (6fac406b-40ca-413b-bf8e-0bf964659c25)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 DP-6 Azure_Security_Benchmark_v3.0_DP-6 Azure Security Benchmark DP-6 Data Protection Use a secure key management process Shared **Security Principle:** Document and implement an enterprise cryptographic key management standard, processes, and procedures to control your key lifecycle. When there is a need to use customer-managed key in the services, use a secured key vault service for key generation, distribution, and storage. Rotate and revoke your keys based on the defined schedule and when there is a key retirement or compromise. **Azure Guidance:** Use Azure Key Vault to create and control your encryption keys life cycle, including key generation, distribution, and storage. Rotate and revoke your keys in Azure Key Vault and your service based on the defined schedule and when there is a key retirement or compromise. When there is a need to use customer-managed key (CMK) in the workload services or applications, ensure you follow the best practices: - Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your key vault. - Ensure keys are registered with Azure Key Vault and implement via key IDs in each service or application. If you need to bring your own key (BYOK) to the services (i.e., importing HSM-protected keys from your on-premises HSMs into Azure Key Vault), follow the recommended guideline to perform the key generation and key transfer. Note: Refer to the below for the FIPS 140-2 level for Azure Key Vault types and FIPS compliance level. 
- Software-protected keys in vaults (Premium & Standard SKUs): FIPS 140-2 Level 1 - HSM-protected keys in vaults (Premium SKU): FIPS 140-2 Level 2 - HSM-protected keys in Managed HSM: FIPS 140-2 Level 3 **Implementation and additional context:** Azure Key Vault overview: https://docs.microsoft.com/azure/key-vault/general/overview Azure data encryption at rest--Key Hierarchy: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#key-hierarchy BYOK(Bring Your Own Key) specification: https://docs.microsoft.com/azure/key-vault/keys/byok-specification n/a link count: 002
Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0), Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
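Added example for the DP-6 key hierarchy above (an editor's illustration, not code from this page or from Microsoft): envelope encryption in Go with AES-256-GCM from the standard library. A one-off data encryption key (DEK) protects the data, and the DEK is wrapped by a key encryption key (KEK); the wrap is bound to the KEK identifier as associated data. The KEK is generated locally here so the example runs offline; in Azure the KEK would stay inside Key Vault and the local seal/open calls on the DEK would be replaced by the vault's wrapKey/unwrapKey operations against the key version URL. The key names (kek/v1, kek/v2) and the sample record are invented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit key. A real KEK is generated inside Azure Key Vault
// and never leaves it; the local KEK is an assumption so the example runs offline.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) { // AES-256-GCM AEAD for key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or tampered bytes fail authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Envelope is stored beside the data: the DEK wrapped by the KEK, plus the identifier
// (in Key Vault terms, the key version URL) of the KEK that wrapped it.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a one-off DEK, encrypts the data under it, wraps the DEK under the
// KEK with the KEK identifier as associated data, and discards the plaintext DEK.
func Encrypt(kekID string, kek, plaintext []byte) (*Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK named in the envelope, then decrypts the data.
func Decrypt(env *Envelope, kek []byte) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with %s: %w", env.KEKID, err)
	}
	return open(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK version without touching the bulk
// ciphertext, which is the operational payoff of the key hierarchy.
func RotateKEK(env *Envelope, oldKEK []byte, newKEKID string, newKEK []byte) (*Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: newKEKID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}
```

Rotating the KEK only re-wraps the small DEK blob and leaves the bulk ciphertext untouched, which is why the control asks for a hierarchy rather than encrypting data directly under the vault key. Because the wrapped DEK carries the KEK identifier as associated data, an envelope cannot be silently re-pointed at a different key version, and the retired KEK stops unwrapping the DEK as soon as rotation is complete.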
Azure_Security_Benchmark_v3.0 DP-7 Azure_Security_Benchmark_v3.0_DP-7 Azure Security Benchmark DP-7 Data Protection Use a secure certificate management process Shared **Security Principle:** Document and implement an enterprise certificate management standard, processes and procedures which include certificate lifecycle control and certificate policies (if a public key infrastructure is needed). Ensure certificates used by the critical services in your organization are inventoried, tracked, monitored, and renewed in time using an automated mechanism to avoid service disruption. **Azure Guidance:** Use Azure Key Vault to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptographic algorithms and so on. Set up automatic rotation of the certificate in Azure Key Vault and the Azure service (if supported) on the defined schedule and ahead of certificate expiration. If automatic rotation is not supported in the front-end application, use manual rotation in Azure Key Vault. Avoid using self-signed certificates and wildcard certificates in your critical services due to their limited security assurance. Instead, you can create a publicly signed certificate in Azure Key Vault. The following CAs are the current partnered providers with Azure Key Vault. - DigiCert: Azure Key Vault offers OV TLS/SSL certificates with DigiCert. - GlobalSign: Azure Key Vault offers OV TLS/SSL certificates with GlobalSign. Note: Use only approved Certificate Authorities (CAs) and ensure that known bad CA root/intermediate certificates, and certificates issued by these CAs, are disabled.
**Implementation and additional context:** Get started with Key Vault certificates: https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios Certificate Access Control in Azure Key Vault: https://docs.microsoft.com/azure/key-vault/certificates/certificate-access-control n/a link count: 001
[Preview]: Certificates should have the specified maximum validity period (0a075868-4c26-42ef-914c-5bc007359560)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
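Added example for the DP-7 certificate standard above (an editor's illustration, not code from this page and not Key Vault's own certificate policy engine): a Go check for the insecure properties the control names, small key, overly long validity, wildcard name and self-signed issuance, run over two certificates generated in memory. The thresholds (2048-bit RSA, 397 days), the CA name and the host names are assumptions; against real inventory the input would be the certificate fetched from the vault or the server, parsed with x509.ParseCertificate the same way.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertPolicy is the organisation's certificate standard; the thresholds are assumptions here.
type CertPolicy struct {
	MinRSABits  int
	MaxValidity time.Duration
}

// CheckCertificate lists every way cert violates the policy; an empty result means compliant.
func CheckCertificate(cert *x509.Certificate, p CertPolicy) (findings []string) {
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		findings = append(findings, fmt.Sprintf("key type %T is outside the policy", cert.PublicKey))
	} else if pub.N.BitLen() < p.MinRSABits {
		findings = append(findings, fmt.Sprintf("RSA key too small: %d bits", pub.N.BitLen()))
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > p.MaxValidity {
		findings = append(findings, fmt.Sprintf("validity of %.0f days exceeds policy", v.Hours()/24))
	}
	for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		if strings.HasPrefix(n, "*.") {
			findings = append(findings, "wildcard name "+n)
			break
		}
	}
	// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
	if cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		findings = append(findings, "self-signed certificate")
	}
	return findings
}

func rsaKey(bits int) *rsa.PrivateKey { // demo key; an entropy failure is not recoverable here
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert issues tmpl in memory (constructed demo data, not a real issuance); with
// parent == nil the certificate signs itself.
func makeCert(tmpl *x509.Certificate, key crypto.Signer, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, error) {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BadCert: self-signed, 1024-bit RSA, wildcard name, ten-year validity.
func BadCert() (*x509.Certificate, error) {
	now := time.Now()
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "*.internal.example"},
		NotBefore:    now,
		NotAfter:     now.AddDate(10, 0, 0),
	}, rsaKey(1024), nil, nil)
}

// GoodCert: 2048-bit RSA leaf for one host name, one-year validity, issued by an in-memory CA.
func GoodCert() (*x509.Certificate, error) {
	now := time.Now()
	caKey := rsaKey(2048)
	ca, err := makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, caKey, nil, nil)
	if err != nil {
		return nil, err
	}
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "app.internal.example"},
		DNSNames:     []string{"app.internal.example"},
		NotBefore:    now,
		NotAfter:     now.AddDate(0, 0, 365),
	}, rsaKey(2048), ca, caKey)
}
```

The self-signed test deliberately requires both conditions: an issuer name that merely matches the subject is not proof, and a signature that verifies under the certificate's own key is the property that matters. The 397-day ceiling is a common choice for publicly trusted TLS certificates; the built-in policy listed under this control ("Certificates should have the specified maximum validity period") lets you set your own ceiling in months.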
Azure_Security_Benchmark_v3.0 DP-8 Azure_Security_Benchmark_v3.0_DP-8 Azure Security Benchmark DP-8 Data Protection Ensure security of key and certificate repository Shared **Security Principle:** Ensure the security of the key vault service used for cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring, and backup to ensure keys and certificates are always protected with the maximum security. **Azure Guidance:** Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls: - Restrict access to keys and certificates in Azure Key Vault using built-in access policies or Azure RBAC, so that the principle of least privilege is in place for both management plane and data plane access. - Secure Azure Key Vault using Private Link and Azure Firewall to ensure minimal exposure of the service. - Ensure separation of duties is in place so that users who manage encryption keys cannot access encrypted data, and vice versa. - Use managed identities to access keys stored in Azure Key Vault from your workload applications. - Never store keys in plaintext outside of Azure Key Vault. - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. - Back up your keys and certificates using Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys. - Turn on Azure Key Vault logging to ensure critical management plane and data plane activities are logged.
**Implementation and additional context:** Azure Key Vault overview: https://docs.microsoft.com/azure/key-vault/general/overview Azure Key Vault security best practices: https://docs.microsoft.com/azure/key-vault/general/best-practices Use managed identity to access Azure Key Vault: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad n/a link count: 006
[Preview]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Key Vault should have firewall enabled (55615ac9-af46-4a59-874e-391cc3dfb490), Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53), Key vaults should have soft delete enabled (1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
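Added example serving the AM-2, DP-3 and DP-8 controls above (an editor's illustration, not Microsoft's code): a deliberately small Go evaluator for the if/then rule language that Azure Policy definitions use, run over a constructed inventory in the shape Azure Resource Graph returns. The three rules approximate built-ins named on this page, a deny on a resource type (the "not allowed resource types" pattern AM-2 links to), the storage secure-transfer audit from DP-3 and the Key Vault purge-protection audit from DP-8, but they are not the real definitions, which take parameters, support many more operators and aliases, and pair notEquals with an explicit exists check. Every resource name is invented.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Resource is a trimmed ARM resource document (the shape Azure Resource Graph returns).
type Resource struct {
	Name       string                 `json:"name"`
	Type       string                 `json:"type"`
	Properties map[string]interface{} `json:"properties"`
}

// Condition is the subset of the Azure Policy rule language used here (one operator per rule).
type Condition struct {
	Field     string      `json:"field,omitempty"` // "type" or an alias "<resource type>/<property path>"
	Equals    interface{} `json:"equals,omitempty"`
	NotEquals interface{} `json:"notEquals,omitempty"`
	AllOf     []Condition `json:"allOf,omitempty"`
}

// Policy mirrors a definition's policyRule: "if" the condition matches, "then" apply the effect.
type Policy struct {
	Name string                                  `json:"name"`
	If   Condition                               `json:"if"`
	Then struct{ Effect string `json:"effect"` } `json:"then"`
}

type Finding struct{ Policy, Resource, Effect string }

// resolve maps "type" or a property alias to its value; ok is false when the property is
// absent. An alias for another resource type keeps its prefix and therefore never resolves.
func resolve(r Resource, field string) (v interface{}, ok bool) {
	if strings.EqualFold(field, "type") {
		return r.Type, true
	}
	v = r.Properties
	for _, part := range strings.Split(strings.TrimPrefix(field, r.Type+"/"), ".") {
		m, _ := v.(map[string]interface{}) // nil map when v is not an object, so the lookup fails
		if v, ok = m[part]; !ok {
			return nil, false
		}
	}
	return v, true
}

// sameValue compares the way Azure Policy compares strings: case-insensitively.
func sameValue(a, b interface{}) bool { return strings.EqualFold(fmt.Sprint(a), fmt.Sprint(b)) }

// Eval reports whether the condition matches r, i.e. whether the policy effect would apply.
func (c Condition) Eval(r Resource) bool {
	if len(c.AllOf) > 0 { // every child must match
		for _, sub := range c.AllOf {
			if !sub.Eval(r) {
				return false
			}
		}
		return true
	}
	v, present := resolve(r, c.Field)
	if c.Equals != nil {
		return present && sameValue(v, c.Equals)
	}
	// notEquals: an absent property is non-compliant too (built-ins spell this out with an "exists" check).
	return c.NotEquals != nil && (!present || !sameValue(v, c.NotEquals))
}

// Constructed inventory and policies: names are invented and the policies only approximate
// built-ins referenced on this page (the real deny policy takes a parameter list of types).
const SampleResources = `[
 {"name":"stlegacy01","type":"Microsoft.Storage/storageAccounts","properties":{"supportsHttpsTrafficOnly":false,"minimumTlsVersion":"TLS1_0"}},
 {"name":"stmodern01","type":"Microsoft.Storage/storageAccounts","properties":{"supportsHttpsTrafficOnly":true,"minimumTlsVersion":"TLS1_2"}},
 {"name":"kv-app-prod","type":"Microsoft.KeyVault/vaults","properties":{"enableSoftDelete":true}},
 {"name":"aci-scratch","type":"Microsoft.ContainerInstance/containerGroups","properties":{}}]`
const SamplePolicies = `[
 {"name":"Not allowed resource types","if":{"field":"type","equals":"Microsoft.ContainerInstance/containerGroups"},"then":{"effect":"Deny"}},
 {"name":"Secure transfer to storage accounts should be enabled","if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts"},{"field":"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","notEquals":true}]},"then":{"effect":"Audit"}},
 {"name":"Key vaults should have purge protection enabled","if":{"allOf":[{"field":"type","equals":"Microsoft.KeyVault/vaults"},{"field":"Microsoft.KeyVault/vaults/enablePurgeProtection","notEquals":true}]},"then":{"effect":"Audit"}}]`

// EvaluateJSON parses both documents and returns every (policy, resource) pair whose rule matches.
func EvaluateJSON(policiesJSON, resourcesJSON string) (out []Finding, err error) {
	var policies []Policy
	var resources []Resource
	if err = json.Unmarshal([]byte(policiesJSON), &policies); err == nil {
		err = json.Unmarshal([]byte(resourcesJSON), &resources)
	}
	if err != nil {
		return nil, err
	}
	for _, r := range resources {
		for _, p := range policies {
			if p.If.Eval(r) {
				out = append(out, Finding{p.Name, r.Name, p.Then.Effect})
			}
		}
	}
	return out, nil
}
```

The type guard inside each allOf is what keeps a property alias from being evaluated against the wrong resource kind, which is why real built-ins always lead with it. A Deny effect blocks the create or update request in Resource Manager; a resource that already violates the rule, like aci-scratch here, is only reported as non-compliant, and Audit effects produce the compliance records that the policy column of this table tracks.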
Azure_Security_Benchmark_v3.0 DS-6 Azure_Security_Benchmark_v3.0_DS-6 Azure Security Benchmark DS-6 DevOps Security Enforce security of workload throughout DevOps lifecycle Shared **Security Principle:** Ensure the workload is secured throughout the entire lifecycle in the development, testing, and deployment stages. Use Azure Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shifted left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process: - Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface. - Ensure VMs, container images and other artifacts are secure from malicious manipulation. - Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to deployment in the CI/CD workflow. - Deploy vulnerability assessment and threat detection capabilities into the production environment and continuously use these capabilities at run time. **Azure Guidance:** Guidance for Azure VMs: - Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. - Define secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Use custom images, Azure Resource Manager templates, and/or Azure Policy guest configuration to deploy and enforce these configuration baselines.
Guidance for Azure container services: - Use Azure Container Registry (ACR) to create your private container registry, where granular access can be restricted through Azure RBAC so that only authorized services and accounts can access the containers in the private registry. - Use Defender for Azure Container Registry for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to integrate container image scanning into your CI/CD workflows. For Azure serverless services, adopt similar controls to ensure security controls are shifted left to the stages prior to deployment. **Implementation and additional context:** Shared Image Gallery overview: https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Security considerations for Azure Container: https://docs.microsoft.com/azure/container-instances/container-instances-image-security Azure Defender for container registries: https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction n/a link count: 003
Container registry images should have vulnerability findings resolved (5f0f936f-2f01-4bf5-b6be-d423792fa562), Running container images should have vulnerability findings resolved (0fc39691-5a3f-4e3e-94ee-2e6447309ad9), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 ES-1 Azure_Security_Benchmark_v3.0_ES-1 Azure Security Benchmark ES-1 Endpoint Security Use Endpoint Detection and Response (EDR) Shared **Security Principle:** Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes. **Azure Guidance:** Azure Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats. Use Microsoft Defender for Cloud to deploy Azure Defender for servers for your endpoint and integrate the alerts to your SIEM solution such as Azure Sentinel. **Implementation and additional context:** Azure Defender for servers introduction: https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction Microsoft Defender for Endpoint overview: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide Microsoft Defender for Cloud feature coverage for machines: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows Connector for Defender for servers integration into SIEM: https://docs.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows n/a link count: 001
Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 ES-2 Azure_Security_Benchmark_v3.0_ES-2 Azure Security Benchmark ES-2 Endpoint Security Use modern anti-malware software Shared **Security Principle:** Use anti-malware solutions capable of real-time protection and periodic scanning. **Azure Guidance:** Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and for on-premises machines with Azure Arc configured, report the endpoint protection running status, and make recommendations. Microsoft Defender Antivirus is the default anti-malware solution for Windows Server 2016 and above. For Windows Server 2012 R2, use the Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection), and Microsoft Defender for Cloud to discover and assess the health status. For Linux VMs, use Microsoft Defender for Endpoint on Linux. Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts. **Implementation and additional context:** Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware n/a link count: 005
Endpoint protection health issues should be resolved on your machines (8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2), Endpoint protection should be installed on your machines (1f7c564c-0a90-4d44-b7e1-9d456cffaee8), Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9), Windows Defender Exploit Guard should be enabled on your machines (bed48b13-6647-468e-aa2f-1af1d3f4dd40)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 ES-3 Azure_Security_Benchmark_v3.0_ES-3 Azure Security Benchmark ES-3 Endpoint Security Ensure anti-malware software and signatures are updated Shared **Security Principle:** Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution. **Azure Guidance:** Follow recommendations in Microsoft Defender for Cloud: "Compute & Apps" to keep all endpoints up to date with the latest signatures. Microsoft Antimalware will automatically install the latest signatures and engine updates by default. For Linux, ensure the signatures are updated in the third-party anti-malware solution. **Implementation and additional context:** How to deploy Microsoft Antimalware for Cloud Services and virtual machine: https://docs.microsoft.com/azure/security/fundamentals/antimalware Endpoint protection assessment and recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection n/a link count: 001
Endpoint protection health issues should be resolved on your machines (8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 IM-1 Azure_Security_Benchmark_v3.0_IM-1 Azure Security Benchmark IM-1 Identity Management Use centralized identity and authentication system Shared **Security Principle:** Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. **Azure Guidance:** Azure Active Directory (Azure AD) is Azure's identity and authentication management service. You should standardize on Azure AD to govern your organization's identity and authentication in: - Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. - Your enterprise identities in Active Directory by synchronization to Azure AD to ensure a consistent and centrally managed identity strategy. Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Azure AD. This could be an Azure AD Enterprise Directory, Business to Business configuration, or Business to consumer configuration. **Implementation and additional context:** Tenancy in Azure AD: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps How to create and configure an Azure AD instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant Define Azure AD tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers n/a link count: 003
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9), Cosmos DB database accounts should have local authentication methods disabled (5450f5bd-9c72-4390-a9c4-a7aba4edfdd2), Service Fabric clusters should only use Azure Active Directory for client authentication (b54ed75b-3e1a-44ac-a333-05ba39b99ff0)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 IM-3 Azure_Security_Benchmark_v3.0_IM-3 Azure Security Benchmark IM-3 Identity Management Manage application identities securely and automatically Shared **Security Principle:** Use managed application identities instead of creating human accounts for applications to access resources and execute code. Managed application identities provide benefits such as reducing the exposure of credentials. Automate the rotation of credentials to ensure the security of the identities. **Azure Guidance:** Use Azure managed identities, which can authenticate to Azure services and resources that support Azure AD authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files. For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication. **Implementation and additional context:** Azure managed identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview Services that support managed identities for Azure resources: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities Azure service principal: https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps Create a service principal with certificates: https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell n/a link count: 003
App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332), Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f), Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity (d26f7642-7545-4e18-9b75-8c9bbdee3a9a)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 IM-6 Azure_Security_Benchmark_v3.0_IM-6 Azure Security Benchmark IM-6 Identity Management Use strong authentication controls Shared **Security Principle:** Enforce strong authentication controls (strong passwordless authentication or multi-factor authentication) with your centralized identity and authentication management system for all access to resources. Authentication based on password credentials alone is considered legacy, as it is insecure and does not stand up to popular attack methods. When deploying strong authentication, configure administrators and privileged users first, to ensure the highest level of the strong authentication method, quickly followed by rolling out the appropriate strong authentication policy to all users. Note: If legacy password-based authentication is required for legacy applications and scenarios, ensure password security best practices, such as complexity requirements, are followed. **Azure Guidance:** Azure AD supports strong authentication controls through passwordless methods and multi-factor authentication (MFA). - Passwordless authentication: Use passwordless authentication as your default authentication method. There are three options available in passwordless authentication: Windows Hello for Business, Microsoft Authenticator app phone sign-in, and FIDO2 keys. In addition, customers can use on-premises authentication methods such as smart cards. - Multi-factor authentication: Azure MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. Enable Azure MFA and follow Microsoft Defender for Cloud identity and access management recommendations for your MFA setup. If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy, and hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. For third-party applications and services that may have default IDs and passwords, you should disable or change them during initial service setup. **Implementation and additional context:** How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted Introduction to passwordless authentication options for Azure Active Directory: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Azure AD default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad Block legacy authentication: https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication n/a link count: 007
Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a), Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4), Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52), Authentication to Linux machines should require SSH keys (630c64f9-8b6b-4c64-b511-6544ceff6fd6), MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed), MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 IR-2 Azure_Security_Benchmark_v3.0_IR-2 Azure Security Benchmark IR-2 Incident Response Preparation - setup incident notification Shared **Security Principle:** Ensure the security alerts and incident notifications from the cloud service provider's platform and your environments can be received by the correct contact in your incident response organization. **Azure Guidance:** Set up security incident contact information in Microsoft Defender for Cloud. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notifications in different Azure services based on your incident response needs. **Implementation and additional context:** How to set the Microsoft Defender for Cloud security contact: https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details n/a link count: 003
Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899), Email notification to subscription owner for high severity alerts should be enabled (0b15565f-aa9e-48ba-8619-45960f2c314d), Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 IR-3 Azure_Security_Benchmark_v3.0_IR-3 Azure Security Benchmark IR-3 Incident Response Detection and analysis - create incidents based on high-quality alerts Shared **Security Principle:** Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. **Azure Guidance:** Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion. **Implementation and additional context:** How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export How to stream alerts into Azure Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center n/a link count: 014
Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for open-source relational databases should be enabled (0a9fbe0d-c5c4-4da8-87d8-f4fd77338835), Azure Defender for Resource Manager should be enabled (c3d20c29-b36d-48fe-808b-99a87530ad99), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa), Microsoft Defender CSPM should be enabled (1f90fc71-a595-4066-8974-d4d0802e8ef0), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers (938c4981-c2c9-4168-9cd6-972b8675f906)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 IR-4 Azure_Security_Benchmark_v3.0_IR-4 Azure Security Benchmark IR-4 Incident Response Detection and analysis - investigate an incident Shared **Security Principle:** Ensure the security operations team can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference. **Azure Guidance:** The data sources for investigation are the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include: - Network data: Use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information. - Snapshots of running systems: a) Azure virtual machine's snapshot capability, to create a snapshot of the running system's disk. b) The operating system's native memory dump capability, to create a snapshot of the running system's memory. c) The snapshot feature of the Azure services or your software's own capability, to create snapshots of the running systems. Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes. **Implementation and additional context:** Snapshot a Windows machine's disk: https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk Snapshot a Linux machine's disk: https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk Microsoft Azure Support diagnostic information and memory dump collection: https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/ Investigate incidents with Azure Sentinel: https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases n/a link count: 001
Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 IR-5 Azure_Security_Benchmark_v3.0_IR-5 Azure Security Benchmark IR-5 Incident Response Detection and analysis - prioritize incidents Shared **Security Principle:** Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization’s incident response plan. **Azure Guidance:** Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred. **Implementation and additional context:** Security alerts in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-alerts-overview Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags n/a link count: 014
Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for open-source relational databases should be enabled (0a9fbe0d-c5c4-4da8-87d8-f4fd77338835), Azure Defender for Resource Manager should be enabled (c3d20c29-b36d-48fe-808b-99a87530ad99), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa), Microsoft Defender CSPM should be enabled (1f90fc71-a595-4066-8974-d4d0802e8ef0), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers (938c4981-c2c9-4168-9cd6-972b8675f906)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 LT-1 Azure_Security_Benchmark_v3.0_LT-1 Azure Security Benchmark LT-1 Logging and Threat Detection Enable threat detection capabilities Shared **Security Principle:** To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. **Azure Guidance:** Use the threat detection capability of Azure Defender services in Microsoft Defender for Cloud for the respective Azure services. For threat detection not included in Azure Defender services, refer to the Azure Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Extract the alerts to your Azure Monitor or Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Defender for IoT to inventory assets and detect threats and vulnerabilities. For services that do not have a native threat detection capability, consider collecting the data plane logs and analyzing them for threats through Azure Sentinel. **Implementation and additional context:** Introduction to Azure Defender: https://docs.microsoft.com/azure/security-center/azure-defender Microsoft Defender for Cloud security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom Cyber threat intelligence with Azure Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence n/a link count: 017
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed (8dfab9c4-fe7b-49ad-85e4-1e9be085358f), Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for open-source relational databases should be enabled (0a9fbe0d-c5c4-4da8-87d8-f4fd77338835), Azure Defender for Resource Manager should be enabled (c3d20c29-b36d-48fe-808b-99a87530ad99), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa), Azure Kubernetes Service clusters should have Defender profile enabled (a1840de2-8088-4ea8-b153-b4c723e9cb01), Microsoft Defender CSPM should be enabled (1f90fc71-a595-4066-8974-d4d0802e8ef0), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers (938c4981-c2c9-4168-9cd6-972b8675f906), Windows Defender Exploit Guard should be enabled on your machines (bed48b13-6647-468e-aa2f-1af1d3f4dd40)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 LT-2 Azure_Security_Benchmark_v3.0_LT-2 Azure Security Benchmark LT-2 Logging and Threat Detection Enable threat detection for identity and access management Shared **Security Principle:** Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as an excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted on. **Azure Guidance:** Azure AD provides the following logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases: - Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities. - Audit logs: Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies. - Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. - Users flagged for risk: A risky user is an indicator for a user account that might have been compromised. Azure AD also provides an Identity Protection module to detect and remediate risks related to user accounts and sign-in behaviors. Example risks include leaked credentials, sign-in from anonymous or malware-linked IP addresses, and password spray. The policies in Azure AD Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts. In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources. Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. **Implementation and additional context:** Audit activity reports in Azure AD: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection Threat protection in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/threat-protection n/a link count: 017
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed (8dfab9c4-fe7b-49ad-85e4-1e9be085358f), Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for open-source relational databases should be enabled (0a9fbe0d-c5c4-4da8-87d8-f4fd77338835), Azure Defender for Resource Manager should be enabled (c3d20c29-b36d-48fe-808b-99a87530ad99), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa), Azure Kubernetes Service clusters should have Defender profile enabled (a1840de2-8088-4ea8-b153-b4c723e9cb01), Microsoft Defender CSPM should be enabled (1f90fc71-a595-4066-8974-d4d0802e8ef0), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers (938c4981-c2c9-4168-9cd6-972b8675f906), Windows Defender Exploit Guard should be enabled on your machines (bed48b13-6647-468e-aa2f-1af1d3f4dd40)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 LT-3 Azure_Security_Benchmark_v3.0_LT-3 Azure Security Benchmark LT-3 Logging and Threat Detection Enable logging for security investigation Shared **Security Principle:** Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes. **Azure Guidance:** Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside your VMs, and other log types. Be mindful of the different types of logs for security, audit, and other operational purposes at the management/control plane and data plane tiers. There are three types of logs available on the Azure platform: - Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type. - Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription. - Azure Active Directory logs: Logs of the history of sign-in activity and audit trail of changes made in the Azure Active Directory for a particular tenant. You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collection on Azure resources. **Implementation and additional context:** Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview Understand Microsoft Defender for Cloud data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets Operating system and application logs inside your compute resources: https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest n/a link count: 013
App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Resource logs in Azure Data Lake Store should be enabled (057ef27e-665e-4328-8ea3-04b3122bd9fb), Resource logs in Azure Stream Analytics should be enabled (f9be5368-9bf5-4b84-9e0a-7850da98bb46), Resource logs in Batch accounts should be enabled (428256e6-1fac-4f48-a757-df34c2b3336d), Resource logs in Data Lake Analytics should be enabled (c95c74d9-38fe-4f0d-af86-0c7d626a315c), Resource logs in Event Hub should be enabled (83a214f7-d01a-484b-91a9-ed54470c9a6a), Resource logs in IoT Hub should be enabled (383856f8-de7f-44a2-81fc-e5135b5c2aa4), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21), Resource logs in Logic Apps should be enabled (34f95f76-5386-4de7-b824-0d8478470c9d), Resource logs in Search services should be enabled (b4330a05-a843-4bc8-bf9a-cacce50c67f4), Resource logs in Service Bus should be enabled (f8d36e2f-389b-4ee4-898d-21aeb69a0f45), Resource logs in Virtual Machine Scale Sets should be enabled (7c1b1214-f927-48bf-8882-84f0af6588b1)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 LT-4 Azure_Security_Benchmark_v3.0_LT-4 Azure Security Benchmark LT-4 Logging and Threat Detection Enable network logging for security investigation Shared **Security Principle:** Enable logging for your network services to support network-related incident investigations, threat hunting, and security alert generation. The network logs may include logs from network services such as IP filtering, network and application firewalls, DNS, flow monitoring and so on. **Azure Guidance:** Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis to support incident investigations and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights. Collect DNS query logs to assist in correlating other network data. **Implementation and additional context:** How to enable network security group flow logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal Azure Firewall logs and metrics: https://docs.microsoft.com/azure/firewall/logs-and-metrics Azure networking monitoring solutions in Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics Gather insights about your DNS infrastructure with the DNS Analytics solution: https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics n/a link count: 002
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines (04c4380f-3fae-46e8-96c9-30193528f602), [Preview]: Network traffic data collection agent should be installed on Windows virtual machines (2f2ee1de-44aa-4762-b6bd-0893fc3f306d)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 LT-5 Azure_Security_Benchmark_v3.0_LT-5 Azure Security Benchmark LT-5 Logging and Threat Detection Centralize security log management and analysis Shared **Security Principle:** Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements. **Azure Guidance:** Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. Use Azure Monitor to query and perform analytics and create alert rules using the logs aggregated from Azure services, endpoint devices, network resources, and other security systems. In addition, enable and onboard data to Azure Sentinel, which provides security information and event management (SIEM) and security orchestration, automation and response (SOAR) capability. **Implementation and additional context:** How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard n/a link count: 007
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines (842c54e8-c2f9-4d79-ae8d-38d8b8019373), [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines (d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e), Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17), Linux machines should have Log Analytics agent installed on Azure Arc (1e7fed80-8321-4605-b42c-65fc300f23a3), Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (a4fe33eb-e377-4efb-ab31-0784311bc499), Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring (a3a6ea0c-e018-4933-9ef0-5aaa1501449b), Windows machines should have Log Analytics agent installed on Azure Arc (4078e558-bda6-41fb-9b3c-361e8875200d)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 LT-6 Azure_Security_Benchmark_v3.0_LT-6 Azure Security Benchmark LT-6 Logging and Threat Detection Configure log storage retention Shared **Security Principle:** Plan your log retention strategy according to your compliance, regulation, and business requirements. Configure the log retention policy at the individual logging services to ensure the logs are archived appropriately. **Azure Guidance:** Logs such as Azure Activity Log events are retained for 90 days and then deleted. You should create a diagnostic setting and route the log entries to another location (such as an Azure Monitor Log Analytics workspace, Event Hubs, or Azure Storage) based on your needs. This strategy also applies to the other resource logs and to resources managed by yourself, such as logs in the operating systems and applications inside the VMs. The log retention options are as follows: - Use an Azure Monitor Log Analytics workspace for a log retention period of up to 1 year or per your response team's requirements. - Use Azure Storage, Data Explorer or Data Lake for long-term and archival storage of greater than 1 year and to meet your security compliance requirements. - Use Azure Event Hubs to forward logs outside of Azure. Note: Azure Sentinel uses a Log Analytics workspace as its backend for log storage. You should consider a long-term storage strategy if you plan to retain SIEM logs for a longer time. **Implementation and additional context:** Change the data retention period in Log Analytics: https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period How to configure retention policy for Azure Storage account logs: https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging Microsoft Defender for Cloud alerts and recommendations export: https://docs.microsoft.com/azure/security-center/continuous-export n/a link count: 001
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher (89099bee-89e0-4b26-a5f4-165451757743)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 NS-1 Azure_Security_Benchmark_v3.0_NS-1 Azure Security Benchmark NS-1 Network Security Establish network segmentation boundaries Shared **Security Principle:** Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks. Examples of high-risk workloads include: - An application storing or processing highly sensitive data. - An external network-facing application accessible by the public or by users outside of your organization. - An application using insecure architecture or containing vulnerabilities that cannot be easily remediated. To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach that restricts the ports, protocols, and source and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic. **Azure Guidance:** Create a virtual network (VNet) as the fundamental segmentation approach in your Azure network, so that resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside the VNet for smaller sub-networks. Use network security groups (NSGs) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. **Implementation and additional context:** Azure Virtual Network concepts and best practices: https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices Add, change, or delete a virtual network subnet: https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic Understand and use application security groups: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups n/a link count: 005
Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6), All network ports should be restricted on network security groups associated to your virtual machine (9daedab3-fb2d-461e-b861-71790eead4f6), Internet-facing virtual machines should be protected with network security groups (f6de0be7-9a8a-4b8a-b349-43cf02d22f7c), Non-internet-facing virtual machines should be protected with network security groups (bb91dfba-c30d-4263-9add-9c2384e659a6), Subnets should be associated with a Network Security Group (e71308d3-144b-4262-b144-efdc3cc90517)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 NS-10 Azure_Security_Benchmark_v3.0_NS-10 Azure Security Benchmark NS-10 Network Security Ensure Domain Name System (DNS) security Shared **Security Principle:** Ensure that the Domain Name System (DNS) security configuration protects against known risks: - Use trusted authoritative and recursive DNS services across your cloud environment to ensure that clients (such as operating systems and applications) receive the correct resolution result. - Separate public and private DNS resolution so the DNS resolution process for the private network can be isolated from the public network. - Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplification attacks, DNS poisoning and spoofing, and so on. **Azure Guidance:** Use Azure recursive DNS or a trusted external DNS server in your workload's recursive DNS setup, such as in a VM's operating system or in the application. Use Azure Private DNS for private DNS zone setup where the DNS resolution process does not leave the virtual network. Use custom DNS to restrict DNS resolution so that only trusted resolution is allowed for your clients. Use Azure Defender for DNS for advanced protection against the following security threats to your workload or your DNS service: - Data exfiltration from your Azure resources using DNS tunneling - Malware communicating with a command-and-control server - Communication with malicious domains, such as phishing and crypto mining domains - DNS attacks in communication with malicious DNS resolvers You can also use Azure Defender for App Service to detect dangling DNS records if you decommission an App Service website without removing its custom domain from your DNS registrar. **Implementation and additional context:** Azure DNS overview: https://docs.microsoft.com/azure/dns/dns-overview Secure Domain Name System (DNS) Deployment Guide: https://csrc.nist.gov/publications/detail/sp/800-81/2/final Azure Private DNS: https://docs.microsoft.com/azure/dns/private-dns-overview Azure Defender for DNS: https://docs.microsoft.com/azure/security-center/defender-for-dns-introduction Prevent dangling DNS entries and avoid subdomain takeover: https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover n/a link count: 001
Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 NS-2 Azure_Security_Benchmark_v3.0_NS-2 Azure Security Benchmark NS-2 Network Security Secure cloud services with network controls Shared **Security Principle:** Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public networks when possible. **Azure Guidance:** Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible. For certain services, you also have the option to deploy VNet integration for the service, where you can restrict access to the VNet to establish a private access point for the service. **Implementation and additional context:** Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview n/a link count: 029
[Preview]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147), [Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751), API Management services should use a virtual network (ef619a2c-cc4d-4d03-b2ba-8c94a834d85b), App Configuration should use private link (ca610c1d-041c-4332-9d88-7ed3094967c7), Authorized IP ranges should be defined on Kubernetes Services (0e246bcf-5f6f-4f87-bc6f-775d4712c7ea), Azure Cache for Redis should use private link (7803067c-7d34-46e3-8c79-0ca68fc4036d), Azure Cosmos DB accounts should have firewall rules (862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb), Azure Event Grid domains should use private link (9830b652-8523-49cc-b1b3-e17dce1127ca), Azure Event Grid topics should use private link (4b90e17e-8448-49db-875e-bd83fb6f804f), Azure Key Vault should have firewall enabled (55615ac9-af46-4a59-874e-391cc3dfb490), Azure Machine Learning workspaces should use private link (40cec1dd-a100-4920-b15b-3024fe8901ab), Azure SignalR Service should use private link (2393d2cf-a342-44cd-a2e2-fe0188fd1234), Azure Spring Cloud should use network injection (af35e2a4-ef96-44e7-a9ae-853dd97032c4), Cognitive Services accounts should disable public network access (0725b4dd-7e76-479c-a735-68e7ee23d5ca), Cognitive Services accounts should restrict network access (037eea7a-bd0a-46c5-9a66-03aea78705d3), Container registries should not allow unrestricted network access (d0793b48-0edc-4296-a390-4c75d1bdfd71), Container registries should use private link (e8eef0a8-67cf-4eb4-9386-14b0e78733d4), Private endpoint connections on Azure SQL Database should be enabled (7698e800-9299-47a6-b3b6-5a0fee576eed), Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990), Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49), Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b), Public network access on Azure SQL Database should be disabled (1b8ca024-1d5c-4dec-8995-b1a932b41780), Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077), Public network access should be disabled for MySQL servers (d9844e8a-1437-4aeb-a32c-0c992f056095), Public network access should be disabled for PostgreSQL servers (b52376f7-9612-48a1-81cd-1ffe4b61032c), Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c), Storage accounts should restrict network access using virtual network rules (2a1a9cdf-e04d-429a-8416-3bfb72a1b26f), Storage accounts should use private link (6edd7eda-6dd8-40f7-810d-67160c639cd9), VM Image Builder templates should use private link (2154edb9-244f-4741-9970-660785bccdaa)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 NS-3 Azure_Security_Benchmark_v3.0_NS-3 Azure Security Benchmark NS-3 Network Security Deploy firewall at the edge of enterprise network Shared **Security Principle:** Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic to go through a network appliance for security control purposes. At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos). **Azure Guidance:** Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDRs) to ensure the traffic goes through the desired route. For example, you have the option to use a UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance. **Implementation and additional context:** How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal Virtual network traffic routing: https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview n/a link count: 004
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c), IP Forwarding on your virtual machine should be disabled (bd352bd5-2853-4985-bf0d-73806b4a5744), Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c), Management ports should be closed on your virtual machines (22730e10-96f6-4aac-ad84-9383d35b5917)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 NS-5 Azure_Security_Benchmark_v3.0_NS-5 Azure Security Benchmark NS-5 Network Security Deploy DDoS protection Shared **Security Principle:** Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks. **Azure Guidance:** Enable the DDoS Protection Standard plan on your VNet to protect resources that are exposed to public networks. **Implementation and additional context:** Manage Azure DDoS Protection Standard using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection n/a link count: 001
Azure DDoS Protection Standard should be enabled (a7aca53f-2ed4-4466-a25e-0b45ade68efd)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 NS-6 Azure_Security_Benchmark_v3.0_NS-6 Azure Security Benchmark NS-6 Network Security Deploy web application firewall Shared **Security Principle:** Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks. **Azure Guidance:** Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network. Set your WAF to "detection" or "prevention" mode, depending on your needs and threat landscape. Choose a built-in ruleset, such as the OWASP Top 10 vulnerabilities, and tune it to your application. **Implementation and additional context:** How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview n/a link count: 002
Azure Web Application Firewall should be enabled for Azure Front Door entry-points (055aa869-bc98-4af8-bafc-23f1ab6ffe2c), Web Application Firewall (WAF) should be enabled for Application Gateway (564feb30-bf6a-4854-b4bb-0d2d2d1e6c66)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 NS-7 Azure_Security_Benchmark_v3.0_NS-7 Azure Security Benchmark NS-7 Network Security Simplify network security configuration Shared **Security Principle:** When managing a complex network environment, use tools to simplify, centralize and enhance network security management. **Azure Guidance:** Use the following features to simplify the implementation and management of NSG and Azure Firewall rules: - Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols and source IPs based on threat intelligence and traffic analysis results. - Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the implementation of firewall rules and network security groups, you can also use the Azure Firewall Manager ARM (Azure Resource Manager) template. **Implementation and additional context:** Adaptive Network Hardening in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening Azure Firewall Manager: https://docs.microsoft.com/azure/firewall-manager/overview Create an Azure Firewall and a firewall policy - ARM template: https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy n/a link count: 001
Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 NS-8 Azure_Security_Benchmark_v3.0_NS-8 Azure Security Benchmark NS-8 Network Security Detect and disable insecure services and protocols Shared **Security Principle:** Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols is not possible. **Azure Guidance:** Use Azure Sentinel's built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, unsigned LDAP binds, and weak ciphers in Kerberos. Disable insecure services and protocols that do not meet the appropriate security standard. Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through a network security group, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface. **Implementation and additional context:** Azure Sentinel insecure protocols workbook: https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks n/a link count: 002
App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b), Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 PA-1 Azure_Security_Benchmark_v3.0_PA-1 Azure Security Benchmark PA-1 Privileged Access Separate and limit highly privileged/administrative users Shared **Security Principle:** Ensure you are identifying all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane. **Azure Guidance:** Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment: - Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities. - Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. Outside of Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level: - Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. - Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. - User Access Administrator: Lets you manage user access to Azure resources. Note: You may have other critical roles that need to be governed if you use custom roles at the Azure AD level or resource level with certain privileged permissions assigned. Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets. **Implementation and additional context:** Administrator role permissions in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles Use Azure Privileged Identity Management security alerts: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts Securing privileged access for hybrid and cloud deployments in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure n/a link count: 006
A maximum of 3 owners should be designated for your subscription (4f11b553-d42e-4e3a-89be-32ca364cad4c), Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046), There should be more than one owner assigned to your subscription (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 PA-2 Azure_Security_Benchmark_v3.0_PA-2 Azure Security Benchmark PA-2 Privileged Access Avoid standing access for accounts and permissions Shared **Security Principle:** Instead of creating standing privileges, use a just-in-time (JIT) mechanism to assign privileged access to the different resource tiers. **Azure Guidance:** Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT is a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization. Restrict inbound traffic to your sensitive virtual machine (VM) management ports with Microsoft Defender for Cloud's just-in-time (JIT) VM access feature. This ensures that privileged access to the VM is granted only when users need it. **Implementation and additional context:** Azure PIM just-in-time access deployment: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan n/a link count: 001
Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 PA-4 Azure_Security_Benchmark_v3.0_PA-4 Azure Security Benchmark PA-4 Privileged Access Review and reconcile user access regularly Shared **Security Principle:** Conduct regular reviews of privileged account entitlements. Ensure the access granted to the accounts is valid for administration of the control plane, management plane, and workloads. **Azure Guidance:** Review all privileged accounts and their access entitlements in Azure, including the Azure tenant, Azure services, VM/IaaS, CI/CD processes, and enterprise management and security tools. Use Azure AD access reviews to review Azure AD roles and Azure resource access roles, group memberships, and access to enterprise applications. Azure AD reporting can also provide logs to help discover stale accounts, that is, accounts not used for a certain amount of time. In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created for a specific role, and to identify administrator accounts that are stale or improperly configured. **Implementation and additional context:** Create an access review of Azure resource roles in Privileged Identity Management (PIM): https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview n/a link count: 010
Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5), Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be), Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60), External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4), Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046), Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52), Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 PA-7 Azure_Security_Benchmark_v3.0_PA-7 Azure Security Benchmark PA-7 Privileged Access Follow just enough administration (least privilege) principle Shared **Security Principle:** Follow the just enough administration (least privilege) principle to manage permissions at a fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments. **Azure Guidance:** Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what is required by the roles. Limited privileges complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define a time-bound assignment condition on a role assignment, so that a user can activate or use the role only within the start and end dates. Note: Use Azure built-in roles to allocate permissions and only create custom roles when required. **Implementation and additional context:** What is Azure role-based access control (Azure RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview How to configure RBAC in Azure: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview Azure AD Privileged Identity Management - Time-bound assignment: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do n/a link count: 002
Audit usage of custom RBAC roles (a451c1ef-c6ca-483d-87ed-f49761e3ffb5), Role-Based Access Control (RBAC) should be used on Kubernetes Services (ac4a19c2-fa67-49b4-8ae5-0b2e78c49457)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 PV-2 Azure_Security_Benchmark_v3.0_PV-2 Azure Security Benchmark PV-2 Posture and Vulnerability Management Audit and enforce secure configurations Shared **Security Principle:** Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration. **Azure Guidance:** Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when a configuration deviation is detected on the resources. Use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement. **Implementation and additional context:** Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Get compliance data of Azure resources: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data n/a link count: 024
[Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed (6b2122c1-8120-4ff5-801b-17625a355590), [Preview]: Kubernetes clusters should gate deployment of vulnerable images (13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759), App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609), App Service apps should have remote debugging turned off (cb510bfd-1cba-4d9f-a230-cb0976f4bb71), App Service apps should not have CORS configured to allow every resource to access your apps (5744710e-cc2f-4ee8-8809-3b11e89f4bc9), Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters (0a15ec92-a229-4763-bb14-0ea34a568f8d), Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c), Function apps should have remote debugging turned off (0e60b895-3786-45da-8377-9c6b4b6ac5f9), Function apps should not have CORS configured to allow every resource to access your apps (0820b7b9-23aa-4725-a1ce-ae4558f718e5), Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits (e345eecc-fa47-480f-9e88-67dcc122b164), Kubernetes cluster containers should not share host process ID or host IPC namespace (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8), Kubernetes cluster containers should only use allowed AppArmor profiles (511f5417-5d12-434d-ab2e-816901e72a5e), Kubernetes cluster containers should only use allowed capabilities (c26596ff-4d70-4e6a-9a30-c2506bd2f80c), Kubernetes cluster containers should only use allowed images (febd0533-8e55-448f-b837-bd0e06f16469), Kubernetes cluster containers should run with a read only root file system (df49d893-a74c-421d-bc95-c663042e5b80), Kubernetes cluster pod hostPath volumes should only use allowed host paths (098fc59e-46c7-4d99-9b16-64990e543d75), Kubernetes cluster pods and containers should only run with approved user and group IDs (f06ddb64-5fa3-4b77-b166-acb36f7f6042), Kubernetes cluster pods should only use approved host network and port range (82985f06-dc18-4a48-bc1c-b9f4f0098cfe), Kubernetes cluster services should listen only on allowed ports (233a2a17-77ca-4fb1-9b6b-69223d272a44), Kubernetes cluster should not allow privileged containers (95edb821-ddaf-4404-9732-666045e056b4), Kubernetes clusters should disable automounting API credentials (423dd1ba-798e-40e4-9c4d-b6902674b423), Kubernetes clusters should not allow container privilege escalation (1c6e92c9-99f0-4e55-9cf2-0c234dc48f99), Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities (d2e7ea85-6b44-4317-a0be-1b951587f626), Kubernetes clusters should not use the default namespace (9f061a12-e40d-4183-a00e-171812443373)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
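The PV-2 guidance above tells you to enforce a baseline with the Azure Policy deny effect but shows no definition. The following custom policy definition is an added example written for this page; it is not one of the built-in policies listed in the table and not Microsoft's code. It denies creation or update of a storage account whose minimumTlsVersion is missing or is anything other than TLS1_2, which is the same condition the built-in "Storage accounts should have the specified minimum TLS version" policy audits. The alias Microsoft.Storage/storageAccounts/minimumTlsVersion is a real Azure Policy alias; the displayName and the effect parameter are choices made here, and the assumption that TLS1_2 is the only acceptable value is stated in a comment-equivalent metadata field because JSON has no comments.

```json
{
  "properties": {
    "displayName": "Deny storage accounts with a minimum TLS version below 1.2",
    "description": "Added example for ASB PV-2: blocks PUT/PATCH of storage accounts that do not pin minimumTlsVersion to TLS1_2. Assumption: TLS1_2 is the only accepted value; widen the comparison if a newer version is approved.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Assign with Audit first to measure drift, then switch to Deny to enforce the baseline."
        },
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "exists": "false"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "notEquals": "TLS1_2"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Two caveats a practitioner should keep in mind. First, the deny effect only intercepts create and update requests; a storage account that already violates the rule is reported as non-compliant but is not changed, so for drift on existing resources you still need a deployIfNotExists or modify policy with a managed identity, or a remediation task. Second, the `exists: false` branch is deliberate: a request that omits the property would otherwise be decided by the API's default rather than by the policy, and the point of a baseline is that the decision is explicit. Roll it out as Audit, read the compliance state with the "Get compliance data" link above, and only then change the assignment parameter to Deny.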
Azure_Security_Benchmark_v3.0 PV-4 Azure_Security_Benchmark_v3.0_PV-4 Azure Security Benchmark PV-4 Posture and Vulnerability Management Audit and enforce secure configurations for compute resources Shared **Security Principle:** Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources. **Azure Guidance:** Use Microsoft Defender for Cloud and the Azure Policy guest configuration agent to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft. **Implementation and additional context:** How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal Container security in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/container-security n/a link count: 010
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines (672fe5a1-2fcd-42d7-b85d-902b6e28c6ff), [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets (a21f8c92-9e22-4f09-b759-50500d1d2dda), [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines (1cb4d9c2-f88f-4069-bee0-dba239a57b09), [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets (f655e522-adff-494d-95c2-52d4f6d56a42), [Preview]: Secure Boot should be enabled on supported Windows virtual machines (97566dd7-78ae-4997-8b36-1c7bfe0d8121), [Preview]: vTPM should be enabled on supported virtual machines (1c30f9cd-b84c-49cc-aa2c-9288447cc3b3), Guest Configuration extension should be installed on your machines (ae89ebca-1c92-4898-ac2c-9f63decb045c), Linux machines should meet requirements for the Azure compute security baseline (fc9b3da7-8347-4380-8e70-0a0361d8dedd), Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity (d26f7642-7545-4e18-9b75-8c9bbdee3a9a), Windows machines should meet requirements of the Azure compute security baseline (72650e9f-97bc-4b2a-ab5f-9781a9fcecbc)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 PV-5 Azure_Security_Benchmark_v3.0_PV-5 Azure Security Benchmark PV-5 Posture and Vulnerability Management Perform vulnerability assessments Shared **Security Principle:** Perform vulnerability assessments for your cloud resources at all tiers on a fixed schedule or on demand. Track and compare the scan results to verify that the vulnerabilities are remediated. The assessment should include all types of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on. Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow privileged access security best practices to secure any administrative accounts used for the scanning. **Azure Guidance:** Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machine scans. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications). Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Note: Azure Defender services (including Defender for server, container registry, App Service, SQL, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the results from the Microsoft Defender for Cloud vulnerability scanning tool. Note: Ensure you set up email notifications in Microsoft Defender for Cloud. **Implementation and additional context:** How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Integrated vulnerability scanner for virtual machines: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment SQL vulnerability assessment: https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment Exporting Microsoft Defender for Cloud vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results n/a link count: 003
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
Azure_Security_Benchmark_v3.0 PV-6 Azure_Security_Benchmark_v3.0_PV-6 Azure Security Benchmark PV-6 Posture and Vulnerability Management Rapidly and automatically remediate vulnerabilities Shared **Security Principle:** Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. **Azure Guidance:** Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager. Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime. **Implementation and additional context:** How to configure Update Management for virtual machines in Azure: https://docs.microsoft.com/azure/automation/update-management/overview Manage updates and patches for your Azure VMs: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm n/a link count: 016
[Preview]: Machines should be configured to periodically check for missing system updates (bd876905-5b84-4f73-ab2d-2e7a7c4568d9), [Preview]: System updates should be installed on your machines (powered by Update Center) (f85bf3e0-d513-442e-89c3-1784ad63382b), App Service apps that use Java should use the latest 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed), App Service apps that use PHP should use the latest 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3), App Service apps that use Python should use the latest 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73), Container registry images should have vulnerability findings resolved (5f0f936f-2f01-4bf5-b6be-d423792fa562), Function apps that use Java should use the latest 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc), Function apps that use Python should use the latest 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73), Running container images should have vulnerability findings resolved (0fc39691-5a3f-4e3e-94ee-2e6447309ad9), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), SQL servers on machines should have vulnerability findings resolved (6ba6d016-e7c3-4842-b8f2-4992ebc0d72d), System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60), Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
Azure Security Benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8)
CCCS AC-17(1) CCCS_AC-17(1) CCCS AC-17(1) Access Control Remote Access | Automated Monitoring / Control n/a The information system monitors and controls remote access methods. link count: 007
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), App Service apps should have remote debugging turned off (cb510bfd-1cba-4d9f-a230-cb0976f4bb71), Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023), Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da), Function apps should have remote debugging turned off (0e60b895-3786-45da-8377-9c6b4b6ac5f9), Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS AC-2 CCCS_AC-2 CCCS AC-2 Access Control Account Management n/a (A) The organization identifies and selects which types of information system accounts support organizational missions/business functions. (B) The organization assigns account managers for information system accounts. (C) The organization establishes conditions for group and role membership. (D) The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account. (E) The organization requires approvals by responsible managers for requests to create information system accounts. (F) The organization creates, enables, modifies, disables, and removes information system accounts in accordance with information system account management procedures. (G) The organization monitors the use of information system accounts. (H) The organization notifies account managers: (a) When accounts are no longer required; (b) When users are terminated or transferred; and (c) When individual information system usage or need-to-know changes. (I) The organization authorizes access to the information system based on: (a) A valid access authorization; (b) Intended system usage; and (c) Other attributes as required by the organization or associated missions/business functions. (J) The organization reviews accounts for compliance with account management requirements at least annually. (K) The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. link count: 005
Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474), Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60), External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS AC-2(7) CCCS_AC-2(7) CCCS AC-2(7) Access Control Account Management | Role-Based Schemes n/a (a) The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) The organization monitors privileged role assignments; and (c) The organization disables (or revokes) privileged user assignments within 24 hours or sooner when privileged role assignments are no longer appropriate. link count: 002
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9), Service Fabric clusters should only use Azure Active Directory for client authentication (b54ed75b-3e1a-44ac-a333-05ba39b99ff0)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS AC-4 CCCS_AC-4 CCCS AC-4 Access Control Information Flow Enforcement n/a (A) The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on deny all, approve by exception information flow policies. link count: 001
App Service apps should not have CORS configured to allow every resource to access your apps (5744710e-cc2f-4ee8-8809-3b11e89f4bc9)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS AC-5 CCCS_AC-5 CCCS AC-5 Access Control Separation of Duties n/a (A) The organization: (a) Separates organization-defined duties of individuals, including at least separation of operational, development, security monitoring, and management functions; (b) Documents separation of duties of individuals; and (c) Defines information system access authorizations to support separation of duties. link count: 007
A maximum of 3 owners should be designated for your subscription (4f11b553-d42e-4e3a-89be-32ca364cad4c), Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Windows machines missing any of specified members in the Administrators group (30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7), Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), There should be more than one owner assigned to your subscription (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS AC-6 CCCS_AC-6 CCCS AC-6 Access Control Least Privilege n/a (A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. link count: 007
A maximum of 3 owners should be designated for your subscription (4f11b553-d42e-4e3a-89be-32ca364cad4c), Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Windows machines missing any of specified members in the Administrators group (30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7), Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6), There should be more than one owner assigned to your subscription (09024ccc-0c5f-475e-9457-b7c0d9ed487b)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS AU-12 CCCS_AU-12 CCCS AU-12 Audit and Accountability Audit Generation n/a (A) The information system provides audit record generation capability for the auditable events defined in AU-2 a. of all information system and network components where audit capability is deployed/available. (B) The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. (C) The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. link count: 007
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images (32133ab0-ee4b-4b44-98d6-042180979d50), Audit diagnostic setting for selected resource types (7f89b1eb-583c-429a-8828-af049802c1d9), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images (5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138), Virtual machines should be connected to a specified workspace (f47b5582-33ec-4c5c-87c0-b010a6b2e917)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS AU-3 CCCS_AU-3 CCCS AU-3 Audit and Accountability Content of Audit Records n/a (A) The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. link count: 003
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images (32133ab0-ee4b-4b44-98d6-042180979d50), Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images (5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138), Virtual machines should be connected to a specified workspace (f47b5582-33ec-4c5c-87c0-b010a6b2e917)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS AU-5 CCCS_AU-5 CCCS AU-5 Audit and Accountability Response to Audit Processing Failures n/a (A) The information system alerts organization-defined personnel or roles in the event of an audit processing failure; and (B) The information system overwrites the oldest audit records. link count: 004
Audit diagnostic setting for selected resource types (7f89b1eb-583c-429a-8828-af049802c1d9), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS CM-11 CCCS_CM-11 CCCS CM-11 Configuration Management User-Installed Software n/a (A) The organization establishes organization-defined policies governing the installation of software by users. (B) The organization enforces software installation policies through organization-defined methods. (C) The organization monitors policy compliance continuously via 7(5). link count: 001
Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS CM-7(5) CCCS_CM-7(5) CCCS CM-7(5) Configuration Management Least Functionality | Authorized Software / Whitelisting n/a (a) The organization identifies authorized software programs in the baseline configuration and information system component inventory; (b) The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) The organization reviews and updates the list of authorized software programs at least annually or when there is a change. link count: 001
Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS CP-7 CCCS_CP-7 CCCS CP-7 Contingency Planning Alternative Processing Site n/a (A) The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. (B) The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. (C) The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. link count: 001
Audit virtual machines without disaster recovery configured (0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS IA-2(1) CCCS_IA-2(1) CCCS IA-2(1) Identification and Authentication Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts n/a The information system implements multifactor authentication for network access to privileged accounts. link count: 002
MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS IA-5 CCCS_IA-5 CCCS IA-5 Identification and Authentication Authenticator Management n/a (A) The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. (B) The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. (C) The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. (D) The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators. (E) The organization manages information system authenticators by changing the default content of authenticators prior to information system installation. (F) The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. (G) The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031. (H) The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification. (I) The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. (J) The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. link count: 005
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Linux machines that do not have the passwd file permissions set to 0644 (e6955644-301c-44b5-a4c4-528577de6861), Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99), Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS IA-5(1) CCCS_IA-5(1) CCCS IA-5(1) Identification and Authentication Authenticator Management | Password-Based Authentication n/a (a) The information system, for password-based authentication, enforces minimum password complexity of case sensitive, minimum of eight characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters; (b) The information system, for password-based authentication, enforces that at least one of the characters is changed when new passwords are created; (c) The information system, for password-based authentication, stores and transmits only cryptographically-protected passwords; (d) The information system, for password-based authentication, enforces password minimum and maximum lifetime restrictions of one-day minimum, sixty-day maximum; (e) The information system, for password-based authentication, prohibits password reuse for 24 generations; and (f) The information system, for password-based authentication, allows the use of a temporary password for system logons with an immediate change to a permanent password. link count: 008
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e), Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6), Audit Windows machines that allow re-use of the previous 24 passwords (5b054a0d-39e2-4d53-bea3-9734cad2c69b), Audit Windows machines that do not have a maximum password age of 70 days (4ceb8dc2-559c-478b-a15b-733fbf1e3738), Audit Windows machines that do not have a minimum password age of 1 day (237b38db-ca4d-4259-9e47-7882441ca2c0), Audit Windows machines that do not have the password complexity setting enabled (bf16e0bb-31e1-4646-8202-60a235cc7e74), Audit Windows machines that do not restrict the minimum password length to 14 characters (a2d0e922-65d0-40c4-8f87-ea6da2d307a2), Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS RA-5 CCCS_RA-5 CCCS RA-5 Risk Assessment Vulnerability Scanning n/a (A) The organization scans for vulnerabilities in the information system and hosted applications monthly for operating systems/infrastructure, web applications, and database management systems and when new vulnerabilities potentially affecting the system/applications are identified and reported. (B) The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: (a) Enumerating platforms, software flaws, and improper configurations; (b) Formatting checklists and test procedures; and (c) Measuring vulnerability impact. (C) The organization analyzes vulnerability scan reports and results from security control assessments. (D) The organization remediates legitimate vulnerabilities within 30 days for high-risk vulnerabilities and 90 days for moderate-risk vulnerabilities from the date of discovery in accordance with an organizational assessment of risk. (E) The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). link count: 006
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SC-28 CCCS_SC-28 CCCS SC-28 System and Communications Protection Protection of Information at Rest n/a (A) The information system protects the confidentiality and integrity of all information not cleared for public release and all data with a higher than low integrity requirement. link count: 004
Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SC-5 CCCS_SC-5 CCCS SC-5 System and Communications Protection Denial of Service Protection n/a (A) The information system protects against or limits the effects of the following denial of service attempts that attack bandwidth, transactional capacity and storage by employing geo-replication, IP address blocking, and network-based DDoS protections. link count: 001
Azure DDoS Protection Standard should be enabled (a7aca53f-2ed4-4466-a25e-0b45ade68efd)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SC-7 CCCS_SC-7 CCCS SC-7 System and Communications Protection Boundary Protection n/a (A) The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. (B) The information system implements sub-networks for publicly accessible system components that are physically or logically separated from internal organizational networks. (C) The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. link count: 003
Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6), All network ports should be restricted on network security groups associated to your virtual machine (9daedab3-fb2d-461e-b861-71790eead4f6), Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SC-7(3) CCCS_SC-7(3) CCCS SC-7(3) System and Communications Protection Boundary Protection | Access Points n/a The organization limits the number of external network connections to the information system. link count: 001
Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SC-7(4) CCCS_SC-7(4) CCCS SC-7(4) System and Communications Protection Boundary Protection | External Telecommunications Services n/a (a) The organization implements a managed interface for each external telecommunication service; (b) The organization establishes a traffic flow policy for each managed interface; (c) The organization protects the confidentiality and integrity of the information being transmitted across each interface; (d) The organization documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and (e) The organization reviews exceptions to the traffic flow policy at least annually and removes exceptions that are no longer supported by an explicit mission/business need. link count: 001
Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SC-8(1) CCCS_SC-8(1) CCCS SC-8(1) System and Communications Protection Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by physical security safeguards applied in accordance with, or uses an adequate risk-based approach aligned with, the practices specified in TBS and RCMP physical security standards and any related provisions of the Industrial Security Program. The cryptography must be compliant with the requirements of control SC-13. link count: 005
App Service apps should only be accessible over HTTPS (a4af4a39-4135-47fb-b175-47fbdf85311d), Function apps should only be accessible over HTTPS (6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab), Only secure connections to your Azure Cache for Redis should be enabled (22bee202-a82f-4305-9a2a-6d7f44d4dedb), Secure transfer to storage accounts should be enabled (404c3081-a854-4457-ae30-26a93ef643f9), Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SI-2 CCCS_SI-2 CCCS SI-2 System and Information Integrity Flaw Remediation n/a (A) The organization identifies, reports, and corrects information system flaws. (B) The organization tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation. (C) The organization installs security-relevant software and firmware updates within 30 days of the release of the updates. (D) The organization incorporates flaw remediation into the organizational configuration management process. link count: 005
SQL databases should have vulnerability findings resolved (feedbf84-6b99-488c-acc2-71c829aa5ffc), System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15), Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SI-3 CCCS_SI-3 CCCS SI-3 System and Information Integrity Malicious Code Protection n/a (A) The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. (B) The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. (C) The organization configures malicious code protection mechanisms to: (a) Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and (b) Block and quarantine malicious code; send alert to the key role as defined in the system and information integrity policy in response to malicious code detection. (D) The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. link count: 002
Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SI-3(1) CCCS_SI-3(1) CCCS SI-3(1) System and Information Integrity Malicious Code Protection | Central Management n/a The organization centrally manages malicious code protection mechanisms. link count: 002
Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CCCS SI-4 CCCS_SI-4 CCCS SI-4 System and Information Integrity Information System Monitoring n/a (A) The organization monitors the information system to detect: (a) Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and (b) Unauthorized local, network, and remote connections; (B) The organization identifies unauthorized use of the information system through organization-defined techniques and methods. (C) The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. (D) The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. (E) The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. (F) The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. (G) The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. link count: 005
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images (32133ab0-ee4b-4b44-98d6-042180979d50), Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images (5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138), Virtual machines should be connected to a specified workspace (f47b5582-33ec-4c5c-87c0-b010a6b2e917)
Canada Federal PBMM (4c4a5f27-de81-430b-b4e5-9cbd50595a87)
CIS_Azure_1.1.0 1.1 CIS_Azure_1.1.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like - Service Co-Administrators - Subscription Owners - Contributors link count: 003
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.10 CIS_Azure_1.1.0_1.10 CIS Microsoft Azure Foundations Benchmark recommendation 1.10 1 Identity and Access Management Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to provide consent for the apps before use. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.11 CIS_Azure_1.1.0_1.11 CIS Microsoft Azure Foundations Benchmark recommendation 1.11 1 Identity and Access Management Ensure that 'Users can register applications' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to register third-party applications. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.12 CIS_Azure_1.1.0_1.12 CIS Microsoft Azure Foundations Benchmark recommendation 1.12 1 Identity and Access Management Ensure that 'Guest user permissions are limited' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Limit guest user permissions. link count: 008
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.13 CIS_Azure_1.1.0_1.13 CIS Microsoft Azure Foundations Benchmark recommendation 1.13 1 Identity and Access Management Ensure that 'Members can invite' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict invitations to administrators only. link count: 008
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.14 CIS_Azure_1.1.0_1.14 CIS Microsoft Azure Foundations Benchmark recommendation 1.14 1 Identity and Access Management Ensure that 'Guests can invite' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict guest invitations. link count: 008
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.15 CIS_Azure_1.1.0_1.15 CIS Microsoft Azure Foundations Benchmark recommendation 1.15 1 Identity and Access Management Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Restrict access to the Azure AD administration portal to administrators only. link count: 007
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.16 CIS_Azure_1.1.0_1.16 CIS Microsoft Azure Foundations Benchmark recommendation 1.16 1 Identity and Access Management Ensure that 'Self-service group management enabled' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict group creation to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.17 CIS_Azure_1.1.0_1.17 CIS Microsoft Azure Foundations Benchmark recommendation 1.17 1 Identity and Access Management Ensure that 'Users can create security groups' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict security group creation to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.18 CIS_Azure_1.1.0_1.18 CIS Microsoft Azure Foundations Benchmark recommendation 1.18 1 Identity and Access Management Ensure that 'Users who can manage security groups' is set to 'None' Shared The customer is responsible for implementing this recommendation. Restrict security group management to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.19 CIS_Azure_1.1.0_1.19 CIS Microsoft Azure Foundations Benchmark recommendation 1.19 1 Identity and Access Management Ensure that 'Users can create Office 365 groups' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict Office 365 group creation to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.2 CIS_Azure_1.1.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all non-privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link count: 002
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.20 CIS_Azure_1.1.0_1.20 CIS Microsoft Azure Foundations Benchmark recommendation 1.20 1 Identity and Access Management Ensure that 'Users who can manage Office 365 groups' is set to 'None' Shared The customer is responsible for implementing this recommendation. Restrict Office 365 group management to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.22 CIS_Azure_1.1.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link count: 008
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), Authorize remote access (dad8a2e9-6f27-4fc2-8933-7e99fe700c9c), Document mobility training (83dfb2b8-678b-20a0-4c44-5c75ada023e6), Document remote access guidelines (3d492600-27ba-62cc-a1c3-66eb919f6a0d), Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198), Implement controls to secure alternate work sites (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e), Provide privacy training (518eafdd-08e5-37a9-795b-15a8d798056d), Satisfy token quality requirements (056a723b-4946-9d2a-5243-3aa27c4d31a1)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.23 CIS_Azure_1.1.0_1.23 CIS Microsoft Azure Foundations Benchmark recommendation 1.23 1 Identity and Access Management Ensure that no custom subscription owner roles are created Shared The customer is responsible for implementing this recommendation. Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. link count: 006
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.3 CIS_Azure_1.1.0_1.3 CIS Microsoft Azure Foundations Benchmark recommendation 1.3 1 Identity and Access Management Ensure that there are no guest users Shared The customer is responsible for implementing this recommendation. Do not add guest users if not needed. link count: 008
Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60), External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4), Reassign or remove user privileges as needed (7805a343-275c-41be-9d62-7215b96212d8), Review account provisioning logs (a830fe9e-08c9-a4fb-420c-6f6bf1702395), Review user accounts (79f081c7-1634-01a1-708e-376197999289), Review user privileges (f96d2186-79df-262d-3f76-f371e3b71798)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.4 CIS_Azure_1.1.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link count: 003
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198), Satisfy token quality requirements (056a723b-4946-9d2a-5243-3aa27c4d31a1)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.6 CIS_Azure_1.1.0_1.6 CIS Microsoft Azure Foundations Benchmark recommendation 1.6 1 Identity and Access Management Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' Shared The customer is responsible for implementing this recommendation. Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0. link count: 004
Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.7 CIS_Azure_1.1.0_1.7 CIS Microsoft Azure Foundations Benchmark recommendation 1.7 1 Identity and Access Management Ensure that 'Notify users on password resets?' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Ensure that users are notified on their primary and secondary emails on password resets. link count: 005
Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Implement training for protecting authenticators (e4b00788-7e1c-33ec-0418-d048508e095b), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.8 CIS_Azure_1.1.0_1.8 CIS Microsoft Azure Foundations Benchmark recommendation 1.8 1 Identity and Access Management Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Ensure that all administrators are notified if any other administrator resets their password. link count: 010
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Implement training for protecting authenticators (e4b00788-7e1c-33ec-0418-d048508e095b), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Monitor privileged role assignment (ed87d27a-9abf-7c71-714c-61d881889da4), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84), Restrict access to privileged accounts (873895e8-0e3a-6492-42e9-22cd030e9fcd), Revoke privileged roles as appropriate (32f22cfa-770b-057c-965b-450898425519), Use privileged identity management (e714b481-8fac-64a2-14a9-6f079b2501a4)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 1.9 CIS_Azure_1.1.0_1.9 CIS Microsoft Azure Foundations Benchmark recommendation 1.9 1 Identity and Access Management Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to provide consent for the apps before use. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.1 CIS_Azure_1.1.0_2.1 CIS Microsoft Azure Foundations Benchmark recommendation 2.1 2 Security Center Ensure that standard pricing tier is selected Shared The customer is responsible for implementing this recommendation. The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 015
Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.10 CIS_Azure_1.1.0_2.10 CIS Microsoft Azure Foundations Benchmark recommendation 2.10 2 Security Center Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable vulnerability assessment recommendations for virtual machines. link count: 001
A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.11 CIS_Azure_1.1.0_2.11 CIS Microsoft Azure Foundations Benchmark recommendation 2.11 2 Security Center Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable storage encryption recommendations. link count: 004
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.12 CIS_Azure_1.1.0_2.12 CIS Microsoft Azure Foundations Benchmark recommendation 2.12 2 Security Center Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable JIT Network Access for virtual machines. link count: 002
Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Management ports of virtual machines should be protected with just-in-time network access control (b0f33259-77d7-4c9e-aac6-3aabcfae693c)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.13 CIS_Azure_1.1.0_2.13 CIS Microsoft Azure Foundations Benchmark recommendation 2.13 2 Security Center Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable adaptive application controls. link count: 001
Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.14 CIS_Azure_1.1.0_2.14 CIS Microsoft Azure Foundations Benchmark recommendation 2.14 2 Security Center Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable SQL auditing recommendations. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.15 CIS_Azure_1.1.0_2.15 CIS Microsoft Azure Foundations Benchmark recommendation 2.15 2 Security Center Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable SQL encryption recommendations. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.16 CIS_Azure_1.1.0_2.16 CIS Microsoft Azure Foundations Benchmark recommendation 2.16 2 Security Center Ensure that 'Security contact emails' is set Shared The customer is responsible for implementing this recommendation. Provide a security contact email address. link count: 001
Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.18 CIS_Azure_1.1.0_2.18 CIS Microsoft Azure Foundations Benchmark recommendation 2.18 2 Security Center Ensure that 'Send email notification for high severity alerts' is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable emailing security alerts to the security contact. link count: 001
Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.19 CIS_Azure_1.1.0_2.19 CIS Microsoft Azure Foundations Benchmark recommendation 2.19 2 Security Center Ensure that 'Send email also to subscription owners' is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable security alert emails to subscription owners. link count: 001
Email notification to subscription owner for high severity alerts should be enabled (0b15565f-aa9e-48ba-8619-45960f2c314d)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.2 CIS_Azure_1.1.0_2.2 CIS Microsoft Azure Foundations Benchmark recommendation 2.2 2 Security Center Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable automatic provisioning of the monitoring agent to collect security data. link count: 003
Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17), Document security operations (2c6bee3a-2180-2430-440d-db3c7a849870), Turn on sensors for endpoint security solution (5fc24b95-53f7-0ed1-2330-701b539b97fe)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.3 CIS_Azure_1.1.0_2.3 CIS Microsoft Azure Foundations Benchmark recommendation 2.3 2 Security Center Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable system updates recommendations for virtual machines. link count: 002
Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.4 CIS_Azure_1.1.0_2.4 CIS Microsoft Azure Foundations Benchmark recommendation 2.4 2 Security Center Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Monitor OS vulnerability recommendations for virtual machines. link count: 003
Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b), Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.5 CIS_Azure_1.1.0_2.5 CIS Microsoft Azure Foundations Benchmark recommendation 2.5 2 Security Center Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Endpoint protection recommendations for virtual machines. link count: 008
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.6 CIS_Azure_1.1.0_2.6 CIS Microsoft Azure Foundations Benchmark recommendation 2.6 2 Security Center Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Disk encryption recommendations for virtual machines. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.7 CIS_Azure_1.1.0_2.7 CIS Microsoft Azure Foundations Benchmark recommendation 2.7 2 Security Center Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Network security group recommendations for virtual machines. link count: 003
Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6), Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.8 CIS_Azure_1.1.0_2.8 CIS Microsoft Azure Foundations Benchmark recommendation 2.8 2 Security Center Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Web application firewall recommendations for virtual machines. link count: 002
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 2.9 CIS_Azure_1.1.0_2.9 CIS Microsoft Azure Foundations Benchmark recommendation 2.9 2 Security Center Ensure ASC Default policy setting "Enable Next Generation Firewall (NGFW) Monitoring" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable next generation firewall recommendations for virtual machines. link count: 004
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0), Internet-facing virtual machines should be protected with network security groups (f6de0be7-9a8a-4b8a-b349-43cf02d22f7c), Subnets should be associated with a Network Security Group (e71308d3-144b-4262-b144-efdc3cc90517)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 3.1 CIS_Azure_1.1.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link count: 004
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93), Secure transfer to storage accounts should be enabled (404c3081-a854-4457-ae30-26a93ef643f9)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 3.2 CIS_Azure_1.1.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure that storage account access keys are periodically regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link count: 007
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 3.3 CIS_Azure_1.1.0_3.3 CIS Microsoft Azure Foundations Benchmark recommendation 3.3 3 Storage Accounts Ensure Storage logging is enabled for Queue service for read, write, and delete requests Shared The customer is responsible for implementing this recommendation. The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 3.4 CIS_Azure_1.1.0_3.4 CIS Microsoft Azure Foundations Benchmark recommendation 3.4 3 Storage Accounts Ensure that shared access signature tokens expire within an hour Shared The customer is responsible for implementing this recommendation. Expire shared access signature tokens within an hour. link count: 003
Disable authenticators upon termination (d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10), Revoke privileged roles as appropriate (32f22cfa-770b-057c-965b-450898425519), Terminate user session automatically (4502e506-5f35-0df4-684f-b326e3cc7093)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 3.5 CIS_Azure_1.1.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that shared access signature tokens are allowed only over https Shared The customer is responsible for implementing this recommendation. Shared access signature tokens should be allowed only over HTTPS protocol. link count: 003
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 3.6 CIS_Azure_1.1.0_3.6 CIS Microsoft Azure Foundations Benchmark recommendation 3.6 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers. link count: 007
[Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751), Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 3.7 CIS_Azure_1.1.0_3.7 CIS Microsoft Azure Foundations Benchmark recommendation 3.7 3 Storage Accounts Ensure default network access rule for Storage Accounts is set to deny Shared The customer is responsible for implementing this recommendation. Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. link count: 001
Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 3.8 CIS_Azure_1.1.0_3.8 CIS Microsoft Azure Foundations Benchmark recommendation 3.8 3 Storage Accounts Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Shared The customer is responsible for implementing this recommendation. Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription). link count: 006
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0), Establish firewall and router configuration standards (398fdbd8-56fd-274d-35c6-fa2d3b2755a1), Establish network segmentation for card holder data environment (f476f3b0-4152-526e-a209-44e5f8c968d7), Identify and manage downstream information exchanges (c7fddb0e-3f44-8635-2b35-dc6b8e740b7c), Storage accounts should allow access from trusted Microsoft services (c9d007d0-c057-4772-b18c-01e546713bcd)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.1 CIS_Azure_1.1.0_4.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.1 4 Database Services Ensure that 'Auditing' is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable auditing on SQL Servers. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.10 CIS_Azure_1.1.0_4.10 CIS Microsoft Azure Foundations Benchmark recommendation 4.10 4 Database Services Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) Shared The customer is responsible for implementing this recommendation. TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or the criticality of the data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK). link count: 006
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2), SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.11 CIS_Azure_1.1.0_4.11 CIS Microsoft Azure Foundations Benchmark recommendation 4.11 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MYSQL' Servers. link count: 004
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.12 CIS_Azure_1.1.0_4.12 CIS Microsoft Azure Foundations Benchmark recommendation 4.12 4 Database Services Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_checkpoints' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Log checkpoints should be enabled for PostgreSQL database servers (eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.13 CIS_Azure_1.1.0_4.13 CIS Microsoft Azure Foundations Benchmark recommendation 4.13 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link count: 004
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.14 CIS_Azure_1.1.0_4.14 CIS Microsoft Azure Foundations Benchmark recommendation 4.14 4 Database Services Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_connections' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Log connections should be enabled for PostgreSQL database servers (eb6f77b9-bd53-4e35-a23d-7f65d5f0e442), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.15 CIS_Azure_1.1.0_4.15 CIS Microsoft Azure Foundations Benchmark recommendation 4.15 4 Database Services Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_disconnections' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Disconnections should be logged for PostgreSQL database servers. (eb6f77b9-bd53-4e35-a23d-7f65d5f0e446), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.16 CIS_Azure_1.1.0_4.16 CIS Microsoft Azure Foundations Benchmark recommendation 4.16 4 Database Services Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_duration' on 'PostgreSQL Servers'. link count: 004
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.17 CIS_Azure_1.1.0_4.17 CIS Microsoft Azure Foundations Benchmark recommendation 4.17 4 Database Services Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'connection_throttling' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Connection throttling should be enabled for PostgreSQL database servers (5345bb39-67dc-4960-a1bf-427e16b9a0bd), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.18 CIS_Azure_1.1.0_4.18 CIS Microsoft Azure Foundations Benchmark recommendation 4.18 4 Database Services Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_retention_days' on 'PostgreSQL Servers'. link count: 004
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.19 CIS_Azure_1.1.0_4.19 CIS Microsoft Azure Foundations Benchmark recommendation 4.19 4 Database Services Ensure that Azure Active Directory Admin is configured Shared The customer is responsible for implementing this recommendation. Use Azure Active Directory Authentication for authentication with SQL Database. link count: 004
Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.2 CIS_Azure_1.1.0_4.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.2 4 Database Services Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly Shared The customer is responsible for implementing this recommendation. Configure the 'AuditActionGroups' property to appropriate groups to capture all the critical activities on the SQL Server and all the SQL databases hosted on the SQL server. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34), SQL Auditing settings should have Action-Groups configured to capture critical activities (7ff426e2-515f-405a-91c8-4f2333442eb5)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.3 CIS_Azure_1.1.0_4.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.3 4 Database Services Ensure that 'Auditing' Retention is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. SQL Server Audit Retention should be configured to be greater than 90 days. link count: 005
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1), SQL servers with auditing to storage account destination should be configured with 90 days retention or higher (89099bee-89e0-4b26-a5f4-165451757743)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.4 CIS_Azure_1.1.0_4.4 CIS Microsoft Azure Foundations Benchmark recommendation 4.4 4 Database Services Ensure that 'Advanced Data Security' on a SQL server is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable "Advanced Data Security" on critical SQL Servers. link count: 003
Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.5 CIS_Azure_1.1.0_4.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.5 4 Database Services Ensure that 'Threat Detection types' is set to 'All' Shared The customer is responsible for implementing this recommendation. Enable all types of threat detection on SQL servers. link count: 001
Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.6 CIS_Azure_1.1.0_4.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.6 4 Database Services Ensure that 'Send alerts to' is set Shared The customer is responsible for implementing this recommendation. Provide the email address where alerts will be sent when anomalous activities are detected on SQL servers. link count: 003
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.7 CIS_Azure_1.1.0_4.7 CIS Microsoft Azure Foundations Benchmark recommendation 4.7 4 Database Services Ensure that 'Email service and co-administrators' is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable service and co-administrators to receive security alerts from the SQL server. link count: 003
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.8 CIS_Azure_1.1.0_4.8 CIS Microsoft Azure Foundations Benchmark recommendation 4.8 4 Database Services Ensure that Azure Active Directory Admin is configured Shared The customer is responsible for implementing this recommendation. Use Azure Active Directory Authentication for authentication with SQL Database. link count: 005
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9), Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 4.9 CIS_Azure_1.1.0_4.9 CIS Microsoft Azure Foundations Benchmark recommendation 4.9 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.1.1 CIS_Azure_1.1.0_5.1.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 5 Logging and Monitoring Ensure that a Log Profile exists Shared The customer is responsible for implementing this recommendation. Enable log profile for exporting activity logs. link count: 005
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Azure subscriptions should have a log profile for Activity Log (7796937f-307b-4598-941c-67d3a05ebfe7), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.1.2 CIS_Azure_1.1.0_5.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 5 Logging and Monitoring Ensure that Activity Log Retention is set 365 days or greater Shared The customer is responsible for implementing this recommendation. Ensure activity log retention is set for 365 days or greater. link count: 004
Activity log should be retained for at least one year (b02aacc0-b073-424e-8298-42b22829ee0a), Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.1.3 CIS_Azure_1.1.0_5.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 5 Logging and Monitoring Ensure audit profile captures all the activities Shared The customer is responsible for implementing this recommendation. The log profile should be configured to export all activities from the control/management plane. link count: 005
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' (1a4e592a-6a6e-44a5-9814-e36264ca96e7), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.1.4 CIS_Azure_1.1.0_5.1.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 5 Logging and Monitoring Ensure the log profile captures activity logs for all regions including global Shared The customer is responsible for implementing this recommendation. Configure the log profile to export activities from all Azure supported regions/locations including global. link count: 005
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Azure Monitor should collect activity logs from all regions (41388f1c-2db0-4c25-95b2-35d7f5ccbfa9), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.1.5 CIS_Azure_1.1.0_5.1.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 5 Logging and Monitoring Ensure the storage container storing the activity logs is not publicly accessible Shared The customer is responsible for implementing this recommendation. The storage account container containing the activity log export should not be publicly accessible. link count: 003
[Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751), Enable dual or joint authorization (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6), Protect audit information (0e696f5a-451f-5c15-5532-044136538491)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.1.6 CIS_Azure_1.1.0_5.1.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 5 Logging and Monitoring Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) Shared The customer is responsible for implementing this recommendation. The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). link count: 004
Enable dual or joint authorization (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6), Maintain integrity of audit system (c0559109-6a27-a217-6821-5a6d44f92897), Protect audit information (0e696f5a-451f-5c15-5532-044136538491), Storage account containing the container with activity logs must be encrypted with BYOK (fbb99e8e-e444-4da0-9ff1-75c92f5a85b2)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.1.7 CIS_Azure_1.1.0_5.1.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7 5 Logging and Monitoring Ensure that logging for Azure KeyVault is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. link count: 006
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Resource logs in Azure Key Vault Managed HSM should be enabled (a2a5b911-5617-447e-a49e-59dbe0e0434b), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.1 CIS_Azure_1.1.0_5.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create Policy Assignment event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Policy operations (c5447c04-a4d7-4ba8-a263-c9ee321a6858), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.2 CIS_Azure_1.1.0_5.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.3 CIS_Azure_1.1.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.4 CIS_Azure_1.1.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.5 CIS_Azure_1.1.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.6 CIS_Azure_1.1.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Security Solution event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Security operations (3b980d31-7904-4bb7-8575-5665739a8052), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.7 CIS_Azure_1.1.0_5.2.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Security Solution event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Security operations (3b980d31-7904-4bb7-8575-5665739a8052), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.8 CIS_Azure_1.1.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 5.2.9 CIS_Azure_1.1.0_5.2.9 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 5 Logging and Monitoring Ensure that Activity Log Alert exists for Update Security Policy Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Update Security Policy event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Security operations (3b980d31-7904-4bb7-8575-5665739a8052), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 6.3 CIS_Azure_1.1.0_6.3 CIS Microsoft Azure Foundations Benchmark recommendation 6.3 6 Networking Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Shared The customer is responsible for implementing this recommendation. Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). link count: 002
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 6.4 CIS_Azure_1.1.0_6.4 CIS Microsoft Azure Foundations Benchmark recommendation 6.4 6 Networking Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days. link count: 003
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 6.5 CIS_Azure_1.1.0_6.5 CIS Microsoft Azure Foundations Benchmark recommendation 6.5 6 Networking Ensure that Network Watcher is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable Network Watcher for Azure subscriptions. link count: 002
Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6), Verify security functions (ece8bb17-4080-5127-915f-dc7267ee8549)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 7.1 CIS_Azure_1.1.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure that 'OS disk' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) are encrypted, where possible. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 7.2 CIS_Azure_1.1.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'Data disks' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that data disks (non-boot volumes) are encrypted, where possible. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 7.3 CIS_Azure_1.1.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted. link count: 004
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 7.4 CIS_Azure_1.1.0_7.4 CIS Microsoft Azure Foundations Benchmark recommendation 7.4 7 Virtual Machines Ensure that only approved extensions are installed Shared The customer is responsible for implementing this recommendation. Only install organization-approved extensions on VMs. link count: 001
Only approved VM extensions should be installed (c0e996f8-39cf-4af9-9f45-83fbde810432)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 7.5 CIS_Azure_1.1.0_7.5 CIS Microsoft Azure Foundations Benchmark recommendation 7.5 7 Virtual Machines Ensure that the latest OS Patches for all Virtual Machines are applied Shared The customer is responsible for implementing this recommendation. Ensure that the latest OS patches for all virtual machines are applied. link count: 002
Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 7.6 CIS_Azure_1.1.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link count: 011
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Document security operations (2c6bee3a-2180-2430-440d-db3c7a849870), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Turn on sensors for endpoint security solution (5fc24b95-53f7-0ed1-2330-701b539b97fe), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65), Verify software, firmware and information integrity (db28735f-518f-870e-15b4-49623cbe3aa0)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 8.1 CIS_Azure_1.1.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the expiration date is set on all keys Shared The customer is responsible for implementing this recommendation. Ensure that all keys in Azure Key Vault have an expiration time set. link count: 008
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 8.2 CIS_Azure_1.1.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the expiration date is set on all Secrets Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in the Azure Key Vault have an expiration time set. link count: 008
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 8.3 CIS_Azure_1.1.0_8.3 CIS Microsoft Azure Foundations Benchmark recommendation 8.3 8 Other Security Considerations Ensure that Resource Locks are set for mission critical Azure resources Shared The customer is responsible for implementing this recommendation. Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These are very useful when there is an important resource in a subscription that users should not be able to delete or change, and can help prevent accidental and malicious changes or deletion. link count: 001
Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 8.4 CIS_Azure_1.1.0_8.4 CIS Microsoft Azure Foundations Benchmark recommendation 8.4 8 Other Security Considerations Ensure the key vault is recoverable Shared The customer is responsible for implementing this recommendation. The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. link count: 003
Azure Key Vault Managed HSM should have purge protection enabled (c39ba22d-4428-4149-b981-70acb31fc383), Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53), Maintain availability of information (3ad7f0bc-3d03-0585-4d24-529779bb02c2)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 8.5 CIS_Azure_1.1.0_8.5 CIS Microsoft Azure Foundations Benchmark recommendation 8.5 8 Other Security Considerations Enable role-based access control (RBAC) within Azure Kubernetes Services Shared The customer is responsible for implementing this recommendation. Ensure that RBAC is enabled on all Azure Kubernetes Services instances. link count: 007
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838), Role-Based Access Control (RBAC) should be used on Kubernetes Services (ac4a19c2-fa67-49b4-8ae5-0b2e78c49457)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.1 CIS_Azure_1.1.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set on Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link count: 005
App Service apps should have authentication enabled (95bccee9-a7f8-4bec-9ee9-62c3473701fc), Authenticate to cryptographic module (6f1de470-79f3-1572-866e-db0771352fc8), Enforce user uniqueness (e336d5f4-4d8f-0059-759c-ae10f63d1747), Function apps should have authentication enabled (c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8), Support personal verification credentials issued by legal authorities (1d39b5d9-0392-8954-8359-575ce1957d1a)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.10 CIS_Azure_1.1.0_9.10 CIS Microsoft Azure Foundations Benchmark recommendation 9.10 9 AppService Ensure that 'HTTP Version' is the latest, if used to run the web app Shared The customer is responsible for implementing this recommendation. Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionality of the newer version. link count: 003
App Service apps should use latest 'HTTP Version' (8c122334-9d20-4eb8-89ea-ac9a705b74ae), Function apps should use latest 'HTTP Version' (e2c1c086-2d84-4019-bff3-c44ccd95113c), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.2 CIS_Azure_1.1.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link count: 004
App Service apps should only be accessible over HTTPS (a4af4a39-4135-47fb-b175-47fbdf85311d), Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.3 CIS_Azure_1.1.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure web app is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS. link count: 005
App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b), Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.4 CIS_Azure_1.1.0_9.4 CIS Microsoft Azure Foundations Benchmark recommendation 9.4 9 AppService Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Shared The customer is responsible for implementing this recommendation. Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. link count: 003
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609), Authenticate to cryptographic module (6f1de470-79f3-1572-866e-db0771352fc8), Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.5 CIS_Azure_1.1.0_9.5 CIS Microsoft Azure Foundations Benchmark recommendation 9.5 9 AppService Ensure that Register with Azure Active Directory is enabled on App Service Shared The customer is responsible for implementing this recommendation. Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registered with Azure Active Directory, the app connects to other Azure services securely without the need for usernames and passwords. link count: 006
App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332), Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.6 CIS_Azure_1.1.0_9.6 CIS Microsoft Azure Foundations Benchmark recommendation 9.6 9 AppService Ensure that '.Net Framework' version is the latest, if used as a part of the web app Shared The customer is responsible for implementing this recommendation. Periodically, newer versions are released for .Net Framework software either due to security flaws or to include additional functionality. Using the latest .Net Framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. link count: 001
Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.7 CIS_Azure_1.1.0_9.7 CIS Microsoft Azure Foundations Benchmark recommendation 9.7 9 AppService Ensure that 'PHP version' is the latest, if used to run the web app Shared The customer is responsible for implementing this recommendation. Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. link count: 002
App Service apps that use PHP should use the latest 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.8 CIS_Azure_1.1.0_9.8 CIS Microsoft Azure Foundations Benchmark recommendation 9.8 9 AppService Ensure that 'Python version' is the latest, if used to run the web app Shared The customer is responsible for implementing this recommendation. Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. link count: 003
App Service apps that use Python should use the latest 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73), Function apps that use Python should use the latest 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.1.0 9.9 CIS_Azure_1.1.0_9.9 CIS Microsoft Azure Foundations Benchmark recommendation 9.9 9 AppService Ensure that 'Java version' is the latest, if used to run the web app Shared The customer is responsible for implementing this recommendation. Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. link count: 003
App Service apps that use Java should use the latest 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed), Function apps that use Java should use the latest 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d)
CIS_Azure_1.3.0 1.1 CIS_Azure_1.3.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all user credentials that have write access to Azure resources. These include roles such as Service Co-Administrators, Subscription Owners, and Contributors. link count: 003
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.10 CIS_Azure_1.3.0_1.10 CIS Microsoft Azure Foundations Benchmark recommendation 1.10 1 Identity and Access Management Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to provide consent for the apps before use. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.11 CIS_Azure_1.3.0_1.11 CIS Microsoft Azure Foundations Benchmark recommendation 1.11 1 Identity and Access Management Ensure that 'Users can register applications' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to register third-party applications. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.12 CIS_Azure_1.3.0_1.12 CIS Microsoft Azure Foundations Benchmark recommendation 1.12 1 Identity and Access Management Ensure that 'Guest user permissions are limited' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Limit guest user permissions. link count: 008
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.13 CIS_Azure_1.3.0_1.13 CIS Microsoft Azure Foundations Benchmark recommendation 1.13 1 Identity and Access Management Ensure that 'Members can invite' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict invitations to administrators only. link count: 008
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.14 CIS_Azure_1.3.0_1.14 CIS Microsoft Azure Foundations Benchmark recommendation 1.14 1 Identity and Access Management Ensure that 'Guests can invite' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict guests from being able to invite other guests to collaborate with your organization. link count: 008
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.15 CIS_Azure_1.3.0_1.15 CIS Microsoft Azure Foundations Benchmark recommendation 1.15 1 Identity and Access Management Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Restrict access to the Azure AD administration portal to administrators only. link count: 006
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.16 CIS_Azure_1.3.0_1.16 CIS Microsoft Azure Foundations Benchmark recommendation 1.16 1 Identity and Access Management Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict group creation to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.17 CIS_Azure_1.3.0_1.17 CIS Microsoft Azure Foundations Benchmark recommendation 1.17 1 Identity and Access Management Ensure that 'Users can create security groups in Azure Portals' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict security group creation to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.18 CIS_Azure_1.3.0_1.18 CIS Microsoft Azure Foundations Benchmark recommendation 1.18 1 Identity and Access Management Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict security group management to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.19 CIS_Azure_1.3.0_1.19 CIS Microsoft Azure Foundations Benchmark recommendation 1.19 1 Identity and Access Management Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict Microsoft 365 group creation to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.2 CIS_Azure_1.3.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that multi-factor authentication is enabled for all non-privileged users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link count: 002
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.20 CIS_Azure_1.3.0_1.20 CIS Microsoft Azure Foundations Benchmark recommendation 1.20 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to Active Directory should require multi-factor authentication. link count: 008
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), Authorize remote access (dad8a2e9-6f27-4fc2-8933-7e99fe700c9c), Document mobility training (83dfb2b8-678b-20a0-4c44-5c75ada023e6), Document remote access guidelines (3d492600-27ba-62cc-a1c3-66eb919f6a0d), Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198), Implement controls to secure alternate work sites (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e), Provide privacy training (518eafdd-08e5-37a9-795b-15a8d798056d), Satisfy token quality requirements (056a723b-4946-9d2a-5243-3aa27c4d31a1)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.21 CIS_Azure_1.3.0_1.21 CIS Microsoft Azure Foundations Benchmark recommendation 1.21 1 Identity and Access Management Ensure that no custom subscription owner roles are created Shared The customer is responsible for implementing this recommendation. Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. link count: 006
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.22 CIS_Azure_1.3.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. link count: 009
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), Authenticate to cryptographic module (6f1de470-79f3-1572-866e-db0771352fc8), Authorize remote access (dad8a2e9-6f27-4fc2-8933-7e99fe700c9c), Document mobility training (83dfb2b8-678b-20a0-4c44-5c75ada023e6), Document remote access guidelines (3d492600-27ba-62cc-a1c3-66eb919f6a0d), Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198), Implement controls to secure alternate work sites (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e), Provide privacy training (518eafdd-08e5-37a9-795b-15a8d798056d), Satisfy token quality requirements (056a723b-4946-9d2a-5243-3aa27c4d31a1)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.23 CIS_Azure_1.3.0_1.23 CIS Microsoft Azure Foundations Benchmark recommendation 1.23 1 Identity and Access Management Ensure Custom Role is assigned for Administering Resource Locks Shared The customer is responsible for implementing this recommendation. Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.3 CIS_Azure_1.3.0_1.3 CIS Microsoft Azure Foundations Benchmark recommendation 1.3 1 Identity and Access Management Ensure guest users are reviewed on a monthly basis Shared The customer is responsible for implementing this recommendation. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. link count: 008
Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60), External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4), Reassign or remove user privileges as needed (7805a343-275c-41be-9d62-7215b96212d8), Review account provisioning logs (a830fe9e-08c9-a4fb-420c-6f6bf1702395), Review user accounts (79f081c7-1634-01a1-708e-376197999289), Review user privileges (f96d2186-79df-262d-3f76-f371e3b71798)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.4 CIS_Azure_1.3.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link count: 003
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198), Satisfy token quality requirements (056a723b-4946-9d2a-5243-3aa27c4d31a1)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.6 CIS_Azure_1.3.0_1.6 CIS Microsoft Azure Foundations Benchmark recommendation 1.6 1 Identity and Access Management Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" Shared The customer is responsible for implementing this recommendation. Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0. link count: 004
Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.7 CIS_Azure_1.3.0_1.7 CIS Microsoft Azure Foundations Benchmark recommendation 1.7 1 Identity and Access Management Ensure that 'Notify users on password resets?' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Ensure that users are notified on their primary and secondary emails on password resets. link count: 005
Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Implement training for protecting authenticators (e4b00788-7e1c-33ec-0418-d048508e095b), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.8 CIS_Azure_1.3.0_1.8 CIS Microsoft Azure Foundations Benchmark recommendation 1.8 1 Identity and Access Management Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Ensure that all administrators are notified if any other administrator resets their password. link count: 010
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Implement training for protecting authenticators (e4b00788-7e1c-33ec-0418-d048508e095b), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Monitor privileged role assignment (ed87d27a-9abf-7c71-714c-61d881889da4), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84), Restrict access to privileged accounts (873895e8-0e3a-6492-42e9-22cd030e9fcd), Revoke privileged roles as appropriate (32f22cfa-770b-057c-965b-450898425519), Use privileged identity management (e714b481-8fac-64a2-14a9-6f079b2501a4)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 1.9 CIS_Azure_1.3.0_1.9 CIS Microsoft Azure Foundations Benchmark recommendation 1.9 1 Identity and Access Management Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to provide consent for the apps before use. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.1 CIS_Azure_1.3.0_2.1 CIS Microsoft Azure Foundations Benchmark recommendation 2.1 2 Security Center Ensure that Azure Defender is set to On for Servers Shared The customer is responsible for implementing this recommendation. Turning on Azure Defender enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 009
Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.10 CIS_Azure_1.3.0_2.10 CIS Microsoft Azure Foundations Benchmark recommendation 2.10 2 Security Center Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected Shared The customer is responsible for implementing this recommendation. This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center. link count: 008
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.11 CIS_Azure_1.3.0_2.11 CIS Microsoft Azure Foundations Benchmark recommendation 2.11 2 Security Center Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable automatic provisioning of the monitoring agent to collect security data. link count: 003
Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17), Document security operations (2c6bee3a-2180-2430-440d-db3c7a849870), Turn on sensors for endpoint security solution (5fc24b95-53f7-0ed1-2330-701b539b97fe)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.12 CIS_Azure_1.3.0_2.12 CIS Microsoft Azure Foundations Benchmark recommendation 2.12 2 Security Center Ensure any of the ASC Default policy setting is not set to "Disabled" Shared The customer is responsible for implementing this recommendation. None of the settings offered by the ASC Default policy should have its effect set to "Disabled". link count: 006
Configure actions for noncompliant devices (b53aa659-513e-032c-52e6-1ce0ba46582f), Develop and maintain baseline configurations (2f20840e-7925-221c-725d-757442753e7c), Enforce security configuration settings (058e9719-1ff9-3653-4230-23f76b6492e0), Establish a configuration control board (7380631c-5bf5-0e3a-4509-0873becd8a63), Establish and document a configuration management plan (526ed90e-890f-69e7-0386-ba5c0f1f784f), Implement an automated configuration management tool (33832848-42ab-63f3-1a55-c0ad309d44cd)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.13 CIS_Azure_1.3.0_2.13 CIS Microsoft Azure Foundations Benchmark recommendation 2.13 2 Security Center Ensure 'Additional email addresses' is configured with a security contact email Shared The customer is responsible for implementing this recommendation. Security Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. link count: 001
Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.14 CIS_Azure_1.3.0_2.14 CIS Microsoft Azure Foundations Benchmark recommendation 2.14 2 Security Center Ensure that 'Notify about alerts with the following severity' is set to 'High' Shared The customer is responsible for implementing this recommendation. Enables emailing security alerts to the subscription owner or other designated security contact. link count: 001
Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.2 CIS_Azure_1.3.0_2.2 CIS Microsoft Azure Foundations Benchmark recommendation 2.2 2 Security Center Ensure that Azure Defender is set to On for App Service Shared The customer is responsible for implementing this recommendation. Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 009
Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.3 CIS_Azure_1.3.0_2.3 CIS Microsoft Azure Foundations Benchmark recommendation 2.3 2 Security Center Ensure that Azure Defender is set to On for Azure SQL database servers Shared The customer is responsible for implementing this recommendation. Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 009
Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.4 CIS_Azure_1.3.0_2.4 CIS Microsoft Azure Foundations Benchmark recommendation 2.4 2 Security Center Ensure that Azure Defender is set to On for SQL servers on machines Shared The customer is responsible for implementing this recommendation. Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 009
Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.5 CIS_Azure_1.3.0_2.5 CIS Microsoft Azure Foundations Benchmark recommendation 2.5 2 Security Center Ensure that Azure Defender is set to On for Storage Shared The customer is responsible for implementing this recommendation. Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 009
Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.6 CIS_Azure_1.3.0_2.6 CIS Microsoft Azure Foundations Benchmark recommendation 2.6 2 Security Center Ensure that Azure Defender is set to On for Kubernetes Shared The customer is responsible for implementing this recommendation. Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 009
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.7 CIS_Azure_1.3.0_2.7 CIS Microsoft Azure Foundations Benchmark recommendation 2.7 2 Security Center Ensure that Azure Defender is set to On for Container Registries Shared The customer is responsible for implementing this recommendation. Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 009
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.8 CIS_Azure_1.3.0_2.8 CIS Microsoft Azure Foundations Benchmark recommendation 2.8 2 Security Center Ensure that Azure Defender is set to On for Key Vault Shared The customer is responsible for implementing this recommendation. Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. link count: 009
Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 2.9 CIS_Azure_1.3.0_2.9 CIS Microsoft Azure Foundations Benchmark recommendation 2.9 2 Security Center Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected Shared The customer is responsible for implementing this recommendation. This setting enables Windows Defender ATP (WDATP) integration with Security Center. link count: 008
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.1 CIS_Azure_1.3.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link count: 004
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93), Secure transfer to storage accounts should be enabled (404c3081-a854-4457-ae30-26a93ef643f9)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.10 CIS_Azure_1.3.0_3.10 CIS Microsoft Azure Foundations Benchmark recommendation 3.10 3 Storage Accounts Ensure Storage logging is enabled for Blob service for read, write, and delete requests Shared The customer is responsible for implementing this recommendation. The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.11 CIS_Azure_1.3.0_3.11 CIS Microsoft Azure Foundations Benchmark recommendation 3.11 3 Storage Accounts Ensure Storage logging is enabled for Table service for read, write, and delete requests Shared The customer is responsible for implementing this recommendation. The Storage Table service stores structured NoSQL data in the cloud, providing a key/attribute store with a schemaless design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.2 CIS_Azure_1.3.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure that storage account access keys are periodically regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link count: 007
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.3 CIS_Azure_1.3.0_3.3 CIS Microsoft Azure Foundations Benchmark recommendation 3.3 3 Storage Accounts Ensure Storage logging is enabled for Queue service for read, write, and delete requests Shared The customer is responsible for implementing this recommendation. The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64 KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.4 CIS_Azure_1.3.0_3.4 CIS Microsoft Azure Foundations Benchmark recommendation 3.4 3 Storage Accounts Ensure that shared access signature tokens expire within an hour Shared The customer is responsible for implementing this recommendation. Expire shared access signature tokens within an hour. link count: 003
Disable authenticators upon termination (d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10), Revoke privileged roles as appropriate (32f22cfa-770b-057c-965b-450898425519), Terminate user session automatically (4502e506-5f35-0df4-684f-b326e3cc7093)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.5 CIS_Azure_1.3.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers and disallow blob public access on storage account. link count: 007
[Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751), Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.6 CIS_Azure_1.3.0_3.6 CIS Microsoft Azure Foundations Benchmark recommendation 3.6 3 Storage Accounts Ensure default network access rule for Storage Accounts is set to deny Shared The customer is responsible for implementing this recommendation. Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. link count: 002
Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c), Storage accounts should restrict network access using virtual network rules (2a1a9cdf-e04d-429a-8416-3bfb72a1b26f)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.7 CIS_Azure_1.3.0_3.7 CIS Microsoft Azure Foundations Benchmark recommendation 3.7 3 Storage Accounts Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Shared The customer is responsible for implementing this recommendation. Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. link count: 006
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0), Establish firewall and router configuration standards (398fdbd8-56fd-274d-35c6-fa2d3b2755a1), Establish network segmentation for card holder data environment (f476f3b0-4152-526e-a209-44e5f8c968d7), Identify and manage downstream information exchanges (c7fddb0e-3f44-8635-2b35-dc6b8e740b7c), Storage accounts should allow access from trusted Microsoft services (c9d007d0-c057-4772-b18c-01e546713bcd)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 3.9 CIS_Azure_1.3.0_3.9 CIS Microsoft Azure Foundations Benchmark recommendation 3.9 3 Storage Accounts Ensure storage for critical data are encrypted with Customer Managed Key Shared The customer is responsible for implementing this recommendation. Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft-managed keys. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Storage accounts should use customer-managed key for encryption (6fac406b-40ca-413b-bf8e-0bf964659c25)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.1.1 CIS_Azure_1.3.0_4.1.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1 4 Database Services Ensure that 'Auditing' is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable auditing on SQL Servers. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.1.2 CIS_Azure_1.3.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.1.3 CIS_Azure_1.3.0_4.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 4 Database Services Ensure that 'Auditing' Retention is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. SQL Server Audit Retention should be configured to be greater than 90 days. link count: 005
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1), SQL servers with auditing to storage account destination should be configured with 90 days retention or higher (89099bee-89e0-4b26-a5f4-165451757743)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.2.1 CIS_Azure_1.3.0_4.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1 4 Database Services Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable "Azure Defender for SQL" on critical SQL Servers. link count: 003
Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.2.2 CIS_Azure_1.3.0_4.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 4 Database Services Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Shared The customer is responsible for implementing this recommendation. Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases. link count: 004
Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.2.3 CIS_Azure_1.3.0_4.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 4 Database Services Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server Shared The customer is responsible for implementing this recommendation. Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases. link count: 002
Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.2.4 CIS_Azure_1.3.0_4.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 4 Database Services Ensure that VA setting Send scan reports to is configured for a SQL server Shared The customer is responsible for implementing this recommendation. Configure 'Send scan reports to' with the email IDs of the relevant data owners/stakeholders for critical SQL servers. link count: 003
Correlate Vulnerability scan information (e3905a3c-97e7-0b4f-15fb-465c0927536f), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.2.5 CIS_Azure_1.3.0_4.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 4 Database Services Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server Shared The customer is responsible for implementing this recommendation. Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'. link count: 003
Correlate Vulnerability scan information (e3905a3c-97e7-0b4f-15fb-465c0927536f), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.3.1 CIS_Azure_1.3.0_4.3.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link count: 004
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.3.2 CIS_Azure_1.3.0_4.3.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MySQL' Servers. link count: 004
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.3.3 CIS_Azure_1.3.0_4.3.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3 4 Database Services Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_checkpoints' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Log checkpoints should be enabled for PostgreSQL database servers (eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.3.4 CIS_Azure_1.3.0_4.3.4 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4 4 Database Services Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_connections' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Log connections should be enabled for PostgreSQL database servers (eb6f77b9-bd53-4e35-a23d-7f65d5f0e442), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.3.5 CIS_Azure_1.3.0_4.3.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5 4 Database Services Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_disconnections' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Disconnections should be logged for PostgreSQL database servers. (eb6f77b9-bd53-4e35-a23d-7f65d5f0e446), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.3.6 CIS_Azure_1.3.0_4.3.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 4 Database Services Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'connection_throttling' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Connection throttling should be enabled for PostgreSQL database servers (5345bb39-67dc-4960-a1bf-427e16b9a0bd), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.3.7 CIS_Azure_1.3.0_4.3.7 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 4 Database Services Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_retention_days' on 'PostgreSQL Servers'. link count: 004
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.3.8 CIS_Azure_1.3.0_4.3.8 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 4 Database Services Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Shared The customer is responsible for implementing this recommendation. Disable access from Azure services to the PostgreSQL Database Server. link count: 005
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0), Establish firewall and router configuration standards (398fdbd8-56fd-274d-35c6-fa2d3b2755a1), Establish network segmentation for card holder data environment (f476f3b0-4152-526e-a209-44e5f8c968d7), Identify and manage downstream information exchanges (c7fddb0e-3f44-8635-2b35-dc6b8e740b7c)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.4 CIS_Azure_1.3.0_4.4 CIS Microsoft Azure Foundations Benchmark recommendation 4.4 4 Database Services Ensure that Azure Active Directory Admin is configured Shared The customer is responsible for implementing this recommendation. Use Azure Active Directory Authentication for authentication with SQL Database. link count: 005
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9), Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 4.5 CIS_Azure_1.3.0_4.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.5 4 Database Services Ensure SQL server's TDE protector is encrypted with Customer-managed key Shared The customer is responsible for implementing this recommendation. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security through an HSM-backed external service, and promotes separation of duties. With TDE, data is encrypted at rest with a symmetric key (the database encryption key, DEK) stored in the database or data warehouse distribution. Previously, the DEK could only be protected by a certificate managed by the Azure SQL service. With Customer-managed key support for TDE, the DEK can instead be protected with an asymmetric key stored in Key Vault. Key Vault is a highly available and scalable cloud-based key store that offers central key management, uses FIPS 140-2 Level 2 validated hardware security modules (HSMs), and separates the management of keys from the management of data, for additional security. Based on business needs or the criticality of the data/databases hosted on a SQL server, it is recommended that the TDE protector be encrypted by a key managed by the data owner (Customer-managed key). link count: 006
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2), SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.1.1 CIS_Azure_1.3.0_5.1.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 5 Logging and Monitoring Ensure that a 'Diagnostics Setting' exists Shared The customer is responsible for implementing this recommendation. Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription, and should be configured for all appropriate resources in your environment. link count: 001
Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.1.2 CIS_Azure_1.3.0_5.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 5 Logging and Monitoring Ensure Diagnostic Setting captures appropriate categories Shared The customer is responsible for implementing this recommendation. The diagnostic setting should be configured to log the appropriate activities from the control/management plane. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.1.3 CIS_Azure_1.3.0_5.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 5 Logging and Monitoring Ensure the storage container storing the activity logs is not publicly accessible Shared The customer is responsible for implementing this recommendation. The storage account container containing the activity log export should not be publicly accessible. link count: 003
[Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751), Enable dual or joint authorization (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6), Protect audit information (0e696f5a-451f-5c15-5532-044136538491)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.1.4 CIS_Azure_1.3.0_5.1.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 5 Logging and Monitoring Ensure the storage account containing the container with activity logs is encrypted with BYOK (Bring Your Own Key) Shared The customer is responsible for implementing this recommendation. The storage account with the activity log export container should be configured to use BYOK (Bring Your Own Key). link count: 004
Enable dual or joint authorization (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6), Maintain integrity of audit system (c0559109-6a27-a217-6821-5a6d44f92897), Protect audit information (0e696f5a-451f-5c15-5532-044136538491), Storage account containing the container with activity logs must be encrypted with BYOK (fbb99e8e-e444-4da0-9ff1-75c92f5a85b2)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.1.5 CIS_Azure_1.3.0_5.1.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 5 Logging and Monitoring Ensure that logging for Azure KeyVault is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.1 CIS_Azure_1.3.0_5.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create Policy Assignment event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Policy operations (c5447c04-a4d7-4ba8-a263-c9ee321a6858), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.2 CIS_Azure_1.3.0_5.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Policy Assignment event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Policy operations (c5447c04-a4d7-4ba8-a263-c9ee321a6858), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.3 CIS_Azure_1.3.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.4 CIS_Azure_1.3.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.5 CIS_Azure_1.3.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.6 CIS_Azure_1.3.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.7 CIS_Azure_1.3.0_5.2.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Security Solution event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Security operations (3b980d31-7904-4bb7-8575-5665739a8052), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.8 CIS_Azure_1.3.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Security Solution event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Security operations (3b980d31-7904-4bb7-8575-5665739a8052), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 5.2.9 CIS_Azure_1.3.0_5.2.9 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
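Recommendations 5.2.1 through 5.2.9 above all ask for the same thing: an enabled Activity Log alert, scoped to the subscription, on one specific control-plane operation. The following check is an added example, not code from the benchmark or from Azure Policy. It takes alert rules in the shape `az monitor activity-log alert list -o json` returns (`name`, `enabled`, `scopes`, `condition.allOf[{field, equals}]`) and reports which recommendations have no matching rule. The operation names are the ones the benchmark's audit procedures name; the category per operation (Administrative for the Policy and Administrative rows, Security for the two Security Solution rows) follows the built-in Azure Policy definitions linked in those rows and is an assumption of this check, as is the requirement that the rule's scope be the whole subscription. The subscription ID and the alert rules are constructed.

```python
"""Coverage check for the CIS Azure 1.3.0 5.2.x Activity Log alert recommendations.

Input: alert rules in the shape of `az monitor activity-log alert list -o json`.
SUBSCRIPTION_ID and SAMPLE_ALERTS are constructed for this example.
"""
from __future__ import annotations

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder

# (category, operationName) each recommendation requires an alert for.
# Category assumption: Administrative for Policy/Administrative rows, Security for
# Security Solution rows, following the linked Azure Policy built-ins.
REQUIRED_ALERTS = {
    "5.2.1": ("Administrative", "Microsoft.Authorization/policyAssignments/write"),
    "5.2.2": ("Administrative", "Microsoft.Authorization/policyAssignments/delete"),
    "5.2.3": ("Administrative", "Microsoft.Network/networkSecurityGroups/write"),
    "5.2.4": ("Administrative", "Microsoft.Network/networkSecurityGroups/delete"),
    "5.2.5": ("Administrative", "Microsoft.Network/networkSecurityGroups/securityRules/write"),
    "5.2.6": ("Administrative", "Microsoft.Network/networkSecurityGroups/securityRules/delete"),
    "5.2.7": ("Security", "Microsoft.Security/securitySolutions/write"),
    "5.2.8": ("Security", "Microsoft.Security/securitySolutions/delete"),
    "5.2.9 (create/update)": ("Administrative", "Microsoft.Sql/servers/firewallRules/write"),
    "5.2.9 (delete)": ("Administrative", "Microsoft.Sql/servers/firewallRules/delete"),
}


def _flatten_conditions(alert: dict) -> dict[str, str]:
    """Reduce condition.allOf into a lower-cased {field: value} map."""
    flat: dict[str, str] = {}
    for clause in alert.get("condition", {}).get("allOf", []):
        if "field" in clause and "equals" in clause:
            flat[clause["field"].lower()] = str(clause["equals"]).lower()
    return flat


def alert_covers(alert: dict, subscription_id: str, category: str, operation: str) -> bool:
    """True if the rule is enabled, scoped to the whole subscription and matches the event."""
    if not alert.get("enabled", False):
        return False
    wanted_scope = f"/subscriptions/{subscription_id}".lower()
    if wanted_scope not in {s.lower() for s in alert.get("scopes", [])}:
        return False  # a resource-group-scoped rule misses events elsewhere in the subscription
    cond = _flatten_conditions(alert)
    return (cond.get("category") == category.lower()
            and cond.get("operationname") == operation.lower())


def missing_alerts(alerts: list[dict], subscription_id: str) -> dict[str, str]:
    """Map each uncovered recommendation to the operationName it still needs."""
    return {
        rec: op
        for rec, (cat, op) in REQUIRED_ALERTS.items()
        if not any(alert_covers(a, subscription_id, cat, op) for a in alerts)
    }


def _alert(name, operation, category="Administrative", enabled=True, scope=None):
    """Build a constructed alert rule in the CLI's output shape."""
    return {
        "name": name,
        "enabled": enabled,
        "scopes": [scope or f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": {"allOf": [
            {"field": "category", "equals": category},
            {"field": "operationName", "equals": operation},
        ]},
    }


SAMPLE_ALERTS = [  # constructed: three pass, one is disabled, one is scoped too narrowly
    _alert("policy-assignment-write", "Microsoft.Authorization/policyAssignments/write"),
    _alert("policy-assignment-delete", "Microsoft.Authorization/policyAssignments/delete", enabled=False),
    _alert("nsg-write-rg-only", "Microsoft.Network/networkSecurityGroups/write",
           scope=f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-prod"),
    _alert("nsg-rule-write", "Microsoft.Network/networkSecurityGroups/securityRules/write"),
    _alert("security-solution-write", "Microsoft.Security/securitySolutions/write", category="Security"),
]

if __name__ == "__main__":
    for rec, op in sorted(missing_alerts(SAMPLE_ALERTS, SUBSCRIPTION_ID).items()):
        print(f"missing {rec}: {op}")
```

Against the constructed rules only 5.2.1, 5.2.5 and 5.2.7 are covered: the disabled rule and the rule scoped to a single resource group are reported as gaps, which is the failure mode a portal-only review tends to miss.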
CIS_Azure_1.3.0 5.3 CIS_Azure_1.3.0_5.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.3 5 Logging and Monitoring Ensure that Diagnostic Logs are enabled for all services which support it Shared The customer is responsible for implementing this recommendation. Diagnostic Logs capture activity on the data access plane, while the Activity Log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations performed within the resource itself, for example getting a secret from a Key Vault. Currently, 32 Azure resource types support Diagnostic Logging (see the benchmark's references section for the complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps and Cosmos DB. The content of these logs varies by resource type: for example, Windows event system logs are a category of diagnostic logs for VMs, and blob, table and queue logs are categories of diagnostic logs for storage accounts. A number of back-end services were found not to be configured to log and store Diagnostic Logs for certain activities, or not for a sufficient length of time. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs long enough. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended. Note: the CIS Benchmark covers some specific Diagnostic Logs separately: 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests; 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'. link count: 021
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510), Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Resource logs in Azure Data Lake Store should be enabled (057ef27e-665e-4328-8ea3-04b3122bd9fb), Resource logs in Azure Stream Analytics should be enabled (f9be5368-9bf5-4b84-9e0a-7850da98bb46), Resource logs in Batch accounts should be enabled (428256e6-1fac-4f48-a757-df34c2b3336d), Resource logs in Data Lake Analytics should be enabled (c95c74d9-38fe-4f0d-af86-0c7d626a315c), Resource logs in Event Hub should be enabled (83a214f7-d01a-484b-91a9-ed54470c9a6a), Resource logs in IoT Hub should be enabled (383856f8-de7f-44a2-81fc-e5135b5c2aa4), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21), Resource logs in Logic Apps should be enabled (34f95f76-5386-4de7-b824-0d8478470c9d), Resource logs in Search services should be enabled (b4330a05-a843-4bc8-bf9a-cacce50c67f4), Resource logs in Service Bus should be enabled (f8d36e2f-389b-4ee4-898d-21aeb69a0f45), Resource logs in Virtual Machine Scale Sets should be enabled (7c1b1214-f927-48bf-8882-84f0af6588b1), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 6.3 CIS_Azure_1.3.0_6.3 CIS Microsoft Azure Foundations Benchmark recommendation 6.3 6 Networking Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Shared The customer is responsible for implementing this recommendation. Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). link count: 002
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 6.4 CIS_Azure_1.3.0_6.4 CIS Microsoft Azure Foundations Benchmark recommendation 6.4 6 Networking Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. Network Security Group Flow Logs should be enabled, with the retention period set to 90 days or more. link count: 003
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 6.5 CIS_Azure_1.3.0_6.5 CIS Microsoft Azure Foundations Benchmark recommendation 6.5 6 Networking Ensure that Network Watcher is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable Network Watcher for Azure subscriptions. link count: 002
Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6), Verify security functions (ece8bb17-4080-5127-915f-dc7267ee8549)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 7.1 CIS_Azure_1.3.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure Virtual Machines are utilizing Managed Disks Shared The customer is responsible for implementing this recommendation. Migrate blob-based VHDs to Managed Disks on Virtual Machines to benefit from the default features of this configuration: 1) disk encryption by default; 2) resilience, as Microsoft manages the disk storage and moves it if the underlying hardware becomes faulty; 3) lower cost compared with storage accounts. link count: 004
Audit VMs that do not use managed disks (06a78e20-9358-41c9-923c-fb736d382a4d), Control physical access (55a7f9a0-6397-7589-05ef-5ed59a8149e7), Manage the input, output, processing, and storage of data (e603da3a-8af7-4f8a-94cb-1bcc0e0333d2), Review label activity and analytics (e23444b9-9662-40f3-289e-6d25c02b48fa)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 7.2 CIS_Azure_1.3.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'OS and Data' disks are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 7.3 CIS_Azure_1.3.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). link count: 004
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 7.4 CIS_Azure_1.3.0_7.4 CIS Microsoft Azure Foundations Benchmark recommendation 7.4 7 Virtual Machines Ensure that only approved extensions are installed Shared The customer is responsible for implementing this recommendation. Only install organization-approved extensions on VMs. link count: 001
Only approved VM extensions should be installed (c0e996f8-39cf-4af9-9f45-83fbde810432)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 7.5 CIS_Azure_1.3.0_7.5 CIS Microsoft Azure Foundations Benchmark recommendation 7.5 7 Virtual Machines Ensure that the latest OS Patches for all Virtual Machines are applied Shared The customer is responsible for implementing this recommendation. Ensure that the latest OS patches for all virtual machines are applied. link count: 002
Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 7.6 CIS_Azure_1.3.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link count: 011
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Document security operations (2c6bee3a-2180-2430-440d-db3c7a849870), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Turn on sensors for endpoint security solution (5fc24b95-53f7-0ed1-2330-701b539b97fe), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65), Verify software, firmware and information integrity (db28735f-518f-870e-15b4-49623cbe3aa0)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 7.7 CIS_Azure_1.3.0_7.7 CIS Microsoft Azure Foundations Benchmark recommendation 7.7 7 Virtual Machines Ensure that VHDs are encrypted Shared The customer is responsible for implementing this recommendation. VHDs (Virtual Hard Disks) are the older style of disk: the VHD is stored as a blob in a storage account and leased to the Virtual Machine. Azure Defender (Security Center) recommends that OS disks be encrypted. Storage accounts can be encrypted as a whole with platform-managed keys (PMK) or customer-managed keys (CMK), and this should be turned on and verified for storage accounts containing VHDs. link count: 004
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 8.1 CIS_Azure_1.3.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the expiration date is set on all keys Shared The customer is responsible for implementing this recommendation. Ensure that all keys in Azure Key Vault have an expiration time set. link count: 008
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 8.2 CIS_Azure_1.3.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the expiration date is set on all Secrets Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in the Azure Key Vault have an expiration time set. link count: 008
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
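Recommendations 8.1 and 8.2 above require an expiration date on every Key Vault key and secret. The following audit is an added example, not code from the benchmark or from Azure. It takes objects in the shape returned by `az keyvault key list` and `az keyvault secret list` (an `attributes` map with `enabled`, `created` and `expires`; keys carry `kid`, secrets carry `id`, so both are accepted) and, beyond the benchmark's "no expiry set" check, also flags objects that are already expired but still enabled and objects whose created-to-expiry window exceeds a local maximum lifetime. That maximum is a stricter local policy, not part of the benchmark. The vault name, object names, timestamps and the fixed `NOW` are constructed.

```python
"""Expiry audit for Key Vault keys and secrets (CIS Azure 1.3.0 8.1 and 8.2).

Input: objects in the shape of `az keyvault key list` / `az keyvault secret list`.
SAMPLE_OBJECTS and NOW are constructed for this example.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 1, 27, tzinfo=timezone.utc)  # fixed so results are reproducible


def _parse_ts(value: str | None) -> datetime | None:
    """Parse the ISO-8601 timestamps the CLI emits; tolerate a trailing 'Z'."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_expiry(objects: list[dict], now: datetime = NOW,
                 max_lifetime_days: int = 365) -> list[tuple[str, str]]:
    """Return (object id, finding) for every enabled object that fails a check.

    Checks: no expiry (the benchmark requirement), expiry already passed while the
    object is still enabled, and a created-to-expiry window longer than
    max_lifetime_days (a local rotation policy stricter than the benchmark).
    """
    findings: list[tuple[str, str]] = []
    for obj in objects:
        attrs = obj.get("attributes", {})
        if not attrs.get("enabled", True):
            continue  # disabled objects cannot be used; out of scope here
        ident = obj.get("kid") or obj.get("id")
        expires = _parse_ts(attrs.get("expires"))
        created = _parse_ts(attrs.get("created"))
        if expires is None:
            findings.append((ident, "no expiration date set"))
        elif expires <= now:
            findings.append((ident, "expired but still enabled"))
        elif created is not None and expires - created > timedelta(days=max_lifetime_days):
            findings.append((ident, f"lifetime exceeds {max_lifetime_days} days"))
    return findings


SAMPLE_OBJECTS = [  # constructed; vault and object names are placeholders
    {"kid": "https://kv-example.vault.azure.net/keys/tde-protector/1",
     "attributes": {"enabled": True, "created": "2022-01-01T00:00:00+00:00", "expires": None}},
    {"id": "https://kv-example.vault.azure.net/secrets/db-conn/1",
     "attributes": {"enabled": True, "created": "2022-11-01T00:00:00+00:00",
                    "expires": "2023-05-01T00:00:00+00:00"}},
    {"id": "https://kv-example.vault.azure.net/secrets/legacy-api/1",
     "attributes": {"enabled": True, "created": "2021-01-01T00:00:00Z",
                    "expires": "2022-12-31T00:00:00Z"}},
    {"kid": "https://kv-example.vault.azure.net/keys/long-lived/1",
     "attributes": {"enabled": True, "created": "2022-06-01T00:00:00+00:00",
                    "expires": "2025-06-01T00:00:00+00:00"}},
    {"id": "https://kv-example.vault.azure.net/secrets/retired/1",
     "attributes": {"enabled": False, "created": "2020-01-01T00:00:00+00:00", "expires": None}},
]

if __name__ == "__main__":
    for ident, finding in audit_expiry(SAMPLE_OBJECTS):
        print(f"{finding}: {ident}")
```

Run against a real vault by feeding it the JSON from the two `list` commands; the disabled object is skipped deliberately, because a disabled secret with no expiry is a hygiene issue rather than a usable credential.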
CIS_Azure_1.3.0 8.3 CIS_Azure_1.3.0_8.3 CIS Microsoft Azure Foundations Benchmark recommendation 8.3 8 Other Security Considerations Ensure that Resource Locks are set for mission critical Azure resources Shared The customer is responsible for implementing this recommendation. Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion. link count: 001
Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 8.4 CIS_Azure_1.3.0_8.4 CIS Microsoft Azure Foundations Benchmark recommendation 8.4 8 Other Security Considerations Ensure the key vault is recoverable Shared The customer is responsible for implementing this recommendation. The key vault contains keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of the security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended that the key vault be made recoverable by enabling the "Soft Delete" and "Do Not Purge" (purge protection) functions. This prevents loss of encrypted data in storage accounts, SQL databases and/or dependent services that rely on key vault objects (keys, secrets, certificates), as may happen through accidental deletion by a user or through disruptive activity by a malicious user. link count: 002
Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53), Maintain availability of information (3ad7f0bc-3d03-0585-4d24-529779bb02c2)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 8.5 CIS_Azure_1.3.0_8.5 CIS Microsoft Azure Foundations Benchmark recommendation 8.5 8 Other Security Considerations Enable role-based access control (RBAC) within Azure Kubernetes Services Shared The customer is responsible for implementing this recommendation. Ensure that RBAC is enabled on all Azure Kubernetes Services instances. link count: 007
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838), Role-Based Access Control (RBAC) should be used on Kubernetes Services (ac4a19c2-fa67-49b4-8ae5-0b2e78c49457)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.1 CIS_Azure_1.3.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set on Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link count: 005
App Service apps should have authentication enabled (95bccee9-a7f8-4bec-9ee9-62c3473701fc), Authenticate to cryptographic module (6f1de470-79f3-1572-866e-db0771352fc8), Enforce user uniqueness (e336d5f4-4d8f-0059-759c-ae10f63d1747), Function apps should have authentication enabled (c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8), Support personal verification credentials issued by legal authorities (1d39b5d9-0392-8954-8359-575ce1957d1a)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.10 CIS_Azure_1.3.0_9.10 CIS Microsoft Azure Foundations Benchmark recommendation 9.10 9 AppService Ensure FTP deployments are disabled Shared The customer is responsible for implementing this recommendation. By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. link count: 005
App Service apps should require FTPS only (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b), Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Function apps should require FTPS only (399b2637-a50f-4f95-96f8-3a145476eb15), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.11 CIS_Azure_1.3.0_9.11 CIS Microsoft Azure Foundations Benchmark recommendation 9.11 9 AppService Ensure Azure Keyvaults are used to store secrets Shared The customer is responsible for implementing this recommendation. Encryption keys, certificate thumbprints and managed identity credentials can be coded into the App Service; this renders them visible as part of the configuration. To maintain the security of these keys it is better to store them in an Azure Key Vault and reference them from the Key Vault. link count: 009
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Ensure cryptographic mechanisms are under configuration management (b8dad106-6444-5f55-307e-1e1cc9723e39), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Maintain availability of information (3ad7f0bc-3d03-0585-4d24-529779bb02c2), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.2 CIS_Azure_1.3.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link count: 004
App Service apps should only be accessible over HTTPS (a4af4a39-4135-47fb-b175-47fbdf85311d), Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.3 CIS_Azure_1.3.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure web app is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. Encryption should be set to the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS. link count: 005
App Service apps should use the latest TLS version (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b), Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Function apps should use the latest TLS version (f9d614c5-c173-4d56-95a7-b4437057d193), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.4 CIS_Azure_1.3.0_9.4 CIS Microsoft Azure Foundations Benchmark recommendation 9.4 9 AppService Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Shared The customer is responsible for implementing this recommendation. Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. link count: 003
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609), Authenticate to cryptographic module (6f1de470-79f3-1572-866e-db0771352fc8), Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.5 CIS_Azure_1.3.0_9.5 CIS Microsoft Azure Foundations Benchmark recommendation 9.5 9 AppService Ensure that Register with Azure Active Directory is enabled on App Service Shared The customer is responsible for implementing this recommendation. Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the App Service, the app will connect to other Azure services securely without the need for usernames and passwords. link count: 006
App Service apps should use managed identity (2b9ad585-36bc-4615-b300-fd4435808332), Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Function apps should use managed identity (0da106f2-4ca3-48e8-bc85-c638fe6aea8f), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.6 CIS_Azure_1.3.0_9.6 CIS Microsoft Azure Foundations Benchmark recommendation 9.6 9 AppService Ensure that 'PHP version' is the latest, if used to run the web app Shared The customer is responsible for implementing this recommendation. Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. link count: 002
App Service apps that use PHP should use the latest 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.7 CIS_Azure_1.3.0_9.7 CIS Microsoft Azure Foundations Benchmark recommendation 9.7 9 AppService Ensure that 'Python version' is the latest, if used to run the web app Shared The customer is responsible for implementing this recommendation. Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. link count: 003
App Service apps that use Python should use the latest 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73), Function apps that use Python should use the latest 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.8 CIS_Azure_1.3.0_9.8 CIS Microsoft Azure Foundations Benchmark recommendation 9.8 9 AppService Ensure that 'Java version' is the latest, if used to run the web app Shared The customer is responsible for implementing this recommendation. Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. link count: 003
App Service apps that use Java should use the latest 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed), Function apps that use Java should use the latest 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.3.0 9.9 CIS_Azure_1.3.0_9.9 CIS Microsoft Azure Foundations Benchmark recommendation 9.9 9 AppService Ensure that 'HTTP Version' is the latest, if used to run the web app Shared The customer is responsible for implementing this recommendation. Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. link count: 003
App Service apps should use latest 'HTTP Version' (8c122334-9d20-4eb8-89ea-ac9a705b74ae), Function apps should use latest 'HTTP Version' (e2c1c086-2d84-4019-bff3-c44ccd95113c), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c)
CIS_Azure_1.4.0 1.1 CIS_Azure_1.4.0_1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1 1 Identity and Access Management Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom-created objects or built-in roles such as Service Co-Administrators, Subscription Owners and Contributors. link count: 003
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3), MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.10 CIS_Azure_1.4.0_1.10 CIS Microsoft Azure Foundations Benchmark recommendation 1.10 1 Identity and Access Management Ensure that 'Users can add gallery apps to My Apps' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to provide consent for the apps before use. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.11 CIS_Azure_1.4.0_1.11 CIS Microsoft Azure Foundations Benchmark recommendation 1.11 1 Identity and Access Management Ensure that 'Users can register applications' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to register third-party applications. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.12 CIS_Azure_1.4.0_1.12 CIS Microsoft Azure Foundations Benchmark recommendation 1.12 1 Identity and Access Management Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' Shared The customer is responsible for implementing this recommendation. Limit guest user permissions. link count: 008
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.13 CIS_Azure_1.4.0_1.13 CIS Microsoft Azure Foundations Benchmark recommendation 1.13 1 Identity and Access Management Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" Shared The customer is responsible for implementing this recommendation. Restrict invitations to users with specific admin roles only. link count: 008
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.14 CIS_Azure_1.4.0_1.14 CIS Microsoft Azure Foundations Benchmark recommendation 1.14 1 Identity and Access Management Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" Shared The customer is responsible for implementing this recommendation. Restrict access to the Azure AD administration portal to administrators only. link count: 006
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.15 CIS_Azure_1.4.0_1.15 CIS Microsoft Azure Foundations Benchmark recommendation 1.15 1 Identity and Access Management Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' Shared The customer is responsible for implementing this recommendation. Restricts group creation to administrators with permissions only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.16 CIS_Azure_1.4.0_1.16 CIS Microsoft Azure Foundations Benchmark recommendation 1.16 1 Identity and Access Management Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict security group creation to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.17 CIS_Azure_1.4.0_1.17 CIS Microsoft Azure Foundations Benchmark recommendation 1.17 1 Identity and Access Management Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict security group management to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.18 CIS_Azure_1.4.0_1.18 CIS Microsoft Azure Foundations Benchmark recommendation 1.18 1 Identity and Access Management Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' Shared The customer is responsible for implementing this recommendation. Restrict Microsoft 365 group creation to administrators only. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.19 CIS_Azure_1.4.0_1.19 CIS Microsoft Azure Foundations Benchmark recommendation 1.19 1 Identity and Access Management Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining or registering devices to the active directory should require Multi-factor authentication. link count: 008
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), Authorize remote access (dad8a2e9-6f27-4fc2-8933-7e99fe700c9c), Document mobility training (83dfb2b8-678b-20a0-4c44-5c75ada023e6), Document remote access guidelines (3d492600-27ba-62cc-a1c3-66eb919f6a0d), Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198), Implement controls to secure alternate work sites (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e), Provide privacy training (518eafdd-08e5-37a9-795b-15a8d798056d), Satisfy token quality requirements (056a723b-4946-9d2a-5243-3aa27c4d31a1)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.2 CIS_Azure_1.4.0_1.2 CIS Microsoft Azure Foundations Benchmark recommendation 1.2 1 Identity and Access Management Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users Shared The customer is responsible for implementing this recommendation. Enable multi-factor authentication for all non-privileged users. link count: 002
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.20 CIS_Azure_1.4.0_1.20 CIS Microsoft Azure Foundations Benchmark recommendation 1.20 1 Identity and Access Management Ensure That No Custom Subscription Owner Roles Are Created Shared The customer is responsible for implementing this recommendation. Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. link count: 006
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e), Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.21 CIS_Azure_1.4.0_1.21 CIS Microsoft Azure Foundations Benchmark recommendation 1.21 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. link count: 009
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), Authenticate to cryptographic module (6f1de470-79f3-1572-866e-db0771352fc8), Authorize remote access (dad8a2e9-6f27-4fc2-8933-7e99fe700c9c), Document mobility training (83dfb2b8-678b-20a0-4c44-5c75ada023e6), Document remote access guidelines (3d492600-27ba-62cc-a1c3-66eb919f6a0d), Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198), Implement controls to secure alternate work sites (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e), Provide privacy training (518eafdd-08e5-37a9-795b-15a8d798056d), Satisfy token quality requirements (056a723b-4946-9d2a-5243-3aa27c4d31a1)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.22 CIS_Azure_1.4.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure a Custom Role is Assigned Permissions for Administering Resource Locks Shared The customer is responsible for implementing this recommendation. Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration. link count: 004
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.3 CIS_Azure_1.4.0_1.3 CIS Microsoft Azure Foundations Benchmark recommendation 1.3 1 Identity and Access Management Ensure guest users are reviewed on a monthly basis Shared The customer is responsible for implementing this recommendation. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. link count: 008
Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9), External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60), External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4), Reassign or remove user privileges as needed (7805a343-275c-41be-9d62-7215b96212d8), Review account provisioning logs (a830fe9e-08c9-a4fb-420c-6f6bf1702395), Review user accounts (79f081c7-1634-01a1-708e-376197999289), Review user privileges (f96d2186-79df-262d-3f76-f371e3b71798)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.4 CIS_Azure_1.4.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link count: 003
Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a), Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198), Satisfy token quality requirements (056a723b-4946-9d2a-5243-3aa27c4d31a1)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.6 CIS_Azure_1.4.0_1.6 CIS Microsoft Azure Foundations Benchmark recommendation 1.6 1 Identity and Access Management Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' Shared The customer is responsible for implementing this recommendation. Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0. link count: 004
Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.7 CIS_Azure_1.4.0_1.7 CIS Microsoft Azure Foundations Benchmark recommendation 1.7 1 Identity and Access Management Ensure that 'Notify users on password resets?' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Ensure that users are notified on their primary and secondary emails on password resets. link count: 005
Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Implement training for protecting authenticators (e4b00788-7e1c-33ec-0418-d048508e095b), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.8 CIS_Azure_1.4.0_1.8 CIS Microsoft Azure Foundations Benchmark recommendation 1.8 1 Identity and Access Management Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Ensure that all administrators are notified if any other administrator resets their password. link count: 010
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Implement training for protecting authenticators (e4b00788-7e1c-33ec-0418-d048508e095b), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Monitor privileged role assignment (ed87d27a-9abf-7c71-714c-61d881889da4), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84), Restrict access to privileged accounts (873895e8-0e3a-6492-42e9-22cd030e9fcd), Revoke privileged roles as appropriate (32f22cfa-770b-057c-965b-450898425519), Use privileged identity management (e714b481-8fac-64a2-14a9-6f079b2501a4)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 1.9 CIS_Azure_1.4.0_1.9 CIS Microsoft Azure Foundations Benchmark recommendation 1.9 1 Identity and Access Management Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' Shared The customer is responsible for implementing this recommendation. Require administrators to provide consent for the apps before use. link count: 003
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.1 CIS_Azure_1.4.0_2.1 CIS Microsoft Azure Foundations Benchmark recommendation 2.1 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for Servers is set to 'On' Shared The customer is responsible for implementing this recommendation. Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. link count: 009
Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.10 CIS_Azure_1.4.0_2.10 CIS Microsoft Azure Foundations Benchmark recommendation 2.10 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected Shared The customer is responsible for implementing this recommendation. This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud. link count: 008
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.11 CIS_Azure_1.4.0_2.11 CIS Microsoft Azure Foundations Benchmark recommendation 2.11 2 Microsoft Defender for Cloud Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' Shared The customer is responsible for implementing this recommendation. Enable automatic provisioning of the monitoring agent to collect security data. link count: 003
Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17), Document security operations (2c6bee3a-2180-2430-440d-db3c7a849870), Turn on sensors for endpoint security solution (5fc24b95-53f7-0ed1-2330-701b539b97fe)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.12 CIS_Azure_1.4.0_2.12 CIS Microsoft Azure Foundations Benchmark recommendation 2.12 2 Microsoft Defender for Cloud Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' Shared The customer is responsible for implementing this recommendation. None of the settings offered by ASC Default policy should be set to effect "Disabled". link count: 006
Configure actions for noncompliant devices (b53aa659-513e-032c-52e6-1ce0ba46582f), Develop and maintain baseline configurations (2f20840e-7925-221c-725d-757442753e7c), Enforce security configuration settings (058e9719-1ff9-3653-4230-23f76b6492e0), Establish a configuration control board (7380631c-5bf5-0e3a-4509-0873becd8a63), Establish and document a configuration management plan (526ed90e-890f-69e7-0386-ba5c0f1f784f), Implement an automated configuration management tool (33832848-42ab-63f3-1a55-c0ad309d44cd)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.13 CIS_Azure_1.4.0_2.13 CIS Microsoft Azure Foundations Benchmark recommendation 2.13 2 Microsoft Defender for Cloud Ensure 'Additional email addresses' is Configured with a Security Contact Email Shared The customer is responsible for implementing this recommendation. Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. link count: 001
Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.14 CIS_Azure_1.4.0_2.14 CIS Microsoft Azure Foundations Benchmark recommendation 2.14 2 Microsoft Defender for Cloud Ensure That 'Notify about alerts with the following severity' is Set to 'High' Shared The customer is responsible for implementing this recommendation. Enables emailing security alerts to the subscription owner or other designated security contact. link count: 001
Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.2 CIS_Azure_1.4.0_2.2 CIS Microsoft Azure Foundations Benchmark recommendation 2.2 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for App Service is set to 'On' Shared The customer is responsible for implementing this recommendation. Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. link count: 009
Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.3 CIS_Azure_1.4.0_2.3 CIS Microsoft Azure Foundations Benchmark recommendation 2.3 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' Shared The customer is responsible for implementing this recommendation. Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. link count: 009
Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.4 CIS_Azure_1.4.0_2.4 CIS Microsoft Azure Foundations Benchmark recommendation 2.4 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for SQL servers on machines is set to 'On' Shared The customer is responsible for implementing this recommendation. Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. link count: 009
Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.5 CIS_Azure_1.4.0_2.5 CIS Microsoft Azure Foundations Benchmark recommendation 2.5 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for Storage is set to 'On' Shared The customer is responsible for implementing this recommendation. Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. link count: 009
Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.6 CIS_Azure_1.4.0_2.6 CIS Microsoft Azure Foundations Benchmark recommendation 2.6 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for Kubernetes is set to 'On' Shared The customer is responsible for implementing this recommendation. Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. link count: 009
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.7 CIS_Azure_1.4.0_2.7 CIS Microsoft Azure Foundations Benchmark recommendation 2.7 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for Container Registries is set to 'On' Shared The customer is responsible for implementing this recommendation. Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. link count: 009
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Microsoft Defender for Containers should be enabled (1c988dd6-ade4-430f-a608-2a3e5b0a6d38), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.8 CIS_Azure_1.4.0_2.8 CIS Microsoft Azure Foundations Benchmark recommendation 2.8 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for Key Vault is set to 'On' Shared The customer is responsible for implementing this recommendation. Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. link count: 009
Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047), Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 2.9 CIS_Azure_1.4.0_2.9 CIS Microsoft Azure Foundations Benchmark recommendation 2.9 2 Microsoft Defender for Cloud Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected Shared The customer is responsible for implementing this recommendation. This setting enables Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud. link count: 008
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Detect network services that have not been authorized or approved (86ecd378-a3a0-5d5b-207c-05e6aaca43fc), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.1 CIS_Azure_1.4.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link count: 004
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93), Secure transfer to storage accounts should be enabled (404c3081-a854-4457-ae30-26a93ef643f9)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.10 CIS_Azure_1.4.0_3.10 CIS Microsoft Azure Foundations Benchmark recommendation 3.10 3 Storage Accounts Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests Shared The customer is responsible for implementing this recommendation. The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.11 CIS_Azure_1.4.0_3.11 CIS Microsoft Azure Foundations Benchmark recommendation 3.11 3 Storage Accounts Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests Shared The customer is responsible for implementing this recommendation. The Storage Table service stores structured NoSQL data in the cloud, providing a key/attribute store with a schemaless design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.12 CIS_Azure_1.4.0_3.12 CIS Microsoft Azure Foundations Benchmark recommendation 3.12 3 Storage Accounts Ensure the "Minimum TLS version" is set to "Version 1.2" Shared The customer is responsible for implementing this recommendation. Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. link count: 003
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.2 CIS_Azure_1.4.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Storage Accounts Ensure That Storage Account Access Keys are Periodically Regenerated Shared The customer is responsible for implementing this recommendation. Regenerate storage account access keys periodically. link count: 007
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.3 CIS_Azure_1.4.0_3.3 CIS Microsoft Azure Foundations Benchmark recommendation 3.3 3 Storage Accounts Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests Shared The customer is responsible for implementing this recommendation. The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.4 CIS_Azure_1.4.0_3.4 CIS Microsoft Azure Foundations Benchmark recommendation 3.4 3 Storage Accounts Ensure that Shared Access Signature Tokens Expire Within an Hour Shared The customer is responsible for implementing this recommendation. Expire shared access signature tokens within an hour. link count: 003
Disable authenticators upon termination (d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10), Revoke privileged roles as appropriate (32f22cfa-770b-057c-965b-450898425519), Terminate user session automatically (4502e506-5f35-0df4-684f-b326e3cc7093)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.5 CIS_Azure_1.4.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that 'Public access level' is set to Private for blob containers Shared The customer is responsible for implementing this recommendation. Disable anonymous access to blob containers and disallow blob public access on storage account. link count: 007
[Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751), Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.6 CIS_Azure_1.4.0_3.6 CIS Microsoft Azure Foundations Benchmark recommendation 3.6 3 Storage Accounts Ensure Default Network Access Rule for Storage Accounts is Set to Deny Shared The customer is responsible for implementing this recommendation. Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. link count: 002
Storage accounts should restrict network access (34c877ad-507e-4c82-993e-3452a6e0ad3c), Storage accounts should restrict network access using virtual network rules (2a1a9cdf-e04d-429a-8416-3bfb72a1b26f)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.7 CIS_Azure_1.4.0_3.7 CIS Microsoft Azure Foundations Benchmark recommendation 3.7 3 Storage Accounts Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access Shared The customer is responsible for implementing this recommendation. Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. link count: 006
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0), Establish firewall and router configuration standards (398fdbd8-56fd-274d-35c6-fa2d3b2755a1), Establish network segmentation for card holder data environment (f476f3b0-4152-526e-a209-44e5f8c968d7), Identify and manage downstream information exchanges (c7fddb0e-3f44-8635-2b35-dc6b8e740b7c), Storage accounts should allow access from trusted Microsoft services (c9d007d0-c057-4772-b18c-01e546713bcd)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 3.9 CIS_Azure_1.4.0_3.9 CIS Microsoft Azure Foundations Benchmark recommendation 3.9 3 Storage Accounts Ensure Storage for Critical Data are Encrypted with Customer Managed Keys Shared The customer is responsible for implementing this recommendation. Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed Keys. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Storage accounts should use customer-managed key for encryption (6fac406b-40ca-413b-bf8e-0bf964659c25)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.1.1 CIS_Azure_1.4.0_4.1.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1 4 Database Services Ensure that 'Auditing' is set to 'On' Shared The customer is responsible for implementing this recommendation. Enable auditing on SQL Servers. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Auditing on SQL server should be enabled (a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.1.2 CIS_Azure_1.4.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Transparent Data Encryption on SQL databases should be enabled (17k78e20-9358-41c9-923c-fb736d382a12)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.1.3 CIS_Azure_1.4.0_4.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 4 Database Services Ensure that 'Auditing' Retention is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. SQL Server Audit Retention should be configured to be greater than 90 days. link count: 005
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1), SQL servers with auditing to storage account destination should be configured with 90 days retention or higher (89099bee-89e0-4b26-a5f4-165451757743)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.2.1 CIS_Azure_1.4.0_4.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1 4 Database Services Ensure that Advanced Threat Protection (ATP) on a SQL Server is Set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable "Azure Defender for SQL" on critical SQL Servers. link count: 003
Azure Defender for SQL should be enabled for unprotected Azure SQL servers (abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9), Azure Defender for SQL should be enabled for unprotected SQL Managed Instances (abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.2.2 CIS_Azure_1.4.0_4.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2 4 Database Services Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Shared The customer is responsible for implementing this recommendation. Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases. link count: 004
Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b), Vulnerability assessment should be enabled on SQL Managed Instance (1b7aa243-30e4-4c9e-bca8-d0d3022b634a), Vulnerability assessment should be enabled on your SQL servers (ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.2.3 CIS_Azure_1.4.0_4.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3 4 Database Services Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server Shared The customer is responsible for implementing this recommendation. Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases. link count: 002
Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.2.4 CIS_Azure_1.4.0_4.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4 4 Database Services Ensure that VA setting 'Send scan reports to' is configured for a SQL server Shared The customer is responsible for implementing this recommendation. Configure 'Send scan reports to' with the email addresses of the concerned data owners/stakeholders for critical SQL servers. link count: 003
Correlate Vulnerability scan information (e3905a3c-97e7-0b4f-15fb-465c0927536f), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.2.5 CIS_Azure_1.4.0_4.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5 4 Database Services Ensure that Vulnerability Assessment Setting 'Also send email notifications to admins and subscription owners' is Set for Each SQL Server Shared The customer is responsible for implementing this recommendation. Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'. link count: 003
Correlate Vulnerability scan information (e3905a3c-97e7-0b4f-15fb-465c0927536f), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.3.1 CIS_Azure_1.4.0_4.3.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link count: 004
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.3.2 CIS_Azure_1.4.0_4.3.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 4 Database Services Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_checkpoints' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Log checkpoints should be enabled for PostgreSQL database servers (eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.3.3 CIS_Azure_1.4.0_4.3.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3 4 Database Services Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_connections' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Log connections should be enabled for PostgreSQL database servers (eb6f77b9-bd53-4e35-a23d-7f65d5f0e442), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.3.4 CIS_Azure_1.4.0_4.3.4 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4 4 Database Services Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_disconnections' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Disconnections should be logged for PostgreSQL database servers. (eb6f77b9-bd53-4e35-a23d-7f65d5f0e446), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.3.5 CIS_Azure_1.4.0_4.3.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5 4 Database Services Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'connection_throttling' on 'PostgreSQL Servers'. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Connection throttling should be enabled for PostgreSQL database servers (5345bb39-67dc-4960-a1bf-427e16b9a0bd), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.3.6 CIS_Azure_1.4.0_4.3.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6 4 Database Services Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'log_retention_days' on 'PostgreSQL Servers'. link count: 004
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.3.7 CIS_Azure_1.4.0_4.3.7 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 4 Database Services Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Shared The customer is responsible for implementing this recommendation. Disable access from Azure services to the PostgreSQL Database Server. link count: 005
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0), Establish firewall and router configuration standards (398fdbd8-56fd-274d-35c6-fa2d3b2755a1), Establish network segmentation for card holder data environment (f476f3b0-4152-526e-a209-44e5f8c968d7), Identify and manage downstream information exchanges (c7fddb0e-3f44-8635-2b35-dc6b8e740b7c)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.3.8 CIS_Azure_1.4.0_4.3.8 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 4 Database Services Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable encryption at rest for PostgreSQL Databases. link count: 004
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.4.1 CIS_Azure_1.4.0_4.4.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MYSQL' Servers. link count: 003
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.4.2 CIS_Azure_1.4.0_4.4.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 4 Database Services Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server Shared The customer is responsible for implementing this recommendation. Ensure 'TLS version' on 'MySQL flexible' servers is set to the default value. link count: 003
Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.5 CIS_Azure_1.4.0_4.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.5 4 Database Services Ensure that Azure Active Directory Admin is configured Shared The customer is responsible for implementing this recommendation. Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place. link count: 005
An Azure Active Directory administrator should be provisioned for SQL servers (1f314764-cb73-4fc9-b863-8eca98ac36e9), Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1), Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821), Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f), Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 4.6 CIS_Azure_1.4.0_4.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.6 4 Database Services Ensure SQL server's TDE protector is encrypted with Customer-managed key Shared The customer is responsible for implementing this recommendation. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or the criticality of the data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). link count: 006
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2), SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.1.1 CIS_Azure_1.4.0_5.1.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 5 Logging and Monitoring Ensure that a 'Diagnostics Setting' exists Shared The customer is responsible for implementing this recommendation. Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources in your environment. link count: 001
Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.1.2 CIS_Azure_1.4.0_5.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 5 Logging and Monitoring Ensure Diagnostic Setting captures appropriate categories Shared The customer is responsible for implementing this recommendation. The diagnostic setting should be configured to log the appropriate activities from the control/management plane. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.1.3 CIS_Azure_1.4.0_5.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 5 Logging and Monitoring Ensure the storage container storing the activity logs is not publicly accessible Shared The customer is responsible for implementing this recommendation. The storage account container containing the activity log export should not be publicly accessible. link count: 003
[Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751), Enable dual or joint authorization (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6), Protect audit information (0e696f5a-451f-5c15-5532-044136538491)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.1.4 CIS_Azure_1.4.0_5.1.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 5 Logging and Monitoring Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) Shared The customer is responsible for implementing this recommendation. The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). link count: 004
Enable dual or joint authorization (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6), Maintain integrity of audit system (c0559109-6a27-a217-6821-5a6d44f92897), Protect audit information (0e696f5a-451f-5c15-5532-044136538491), Storage account containing the container with activity logs must be encrypted with BYOK (fbb99e8e-e444-4da0-9ff1-75c92f5a85b2)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.1.5 CIS_Azure_1.4.0_5.1.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 5 Logging and Monitoring Ensure that logging for Azure KeyVault is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. link count: 005
Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.1 CIS_Azure_1.4.0_5.2.1 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create Policy Assignment event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Policy operations (c5447c04-a4d7-4ba8-a263-c9ee321a6858), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.2 CIS_Azure_1.4.0_5.2.2 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Policy Assignment Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Policy Assignment event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Policy operations (c5447c04-a4d7-4ba8-a263-c9ee321a6858), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.3 CIS_Azure_1.4.0_5.2.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.4 CIS_Azure_1.4.0_5.2.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.5 CIS_Azure_1.4.0_5.2.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Network Security Group Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Network Security Group Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.6 CIS_Azure_1.4.0_5.2.6 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 5 Logging and Monitoring Ensure that activity log alert exists for the Delete Network Security Group Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Network Security Group Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.7 CIS_Azure_1.4.0_5.2.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update Security Solution event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Security operations (3b980d31-7904-4bb7-8575-5665739a8052), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.8 CIS_Azure_1.4.0_5.2.8 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 5 Logging and Monitoring Ensure that Activity Log Alert exists for Delete Security Solution Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Delete Security Solution event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Security operations (3b980d31-7904-4bb7-8575-5665739a8052), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.2.9 CIS_Azure_1.4.0_5.2.9 CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 5 Logging and Monitoring Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule Shared The customer is responsible for implementing this recommendation. Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. link count: 004
Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb), An activity log alert should exist for specific Administrative operations (b954148f-4c11-4c38-8221-be76711e194a), Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e), Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 5.3 CIS_Azure_1.4.0_5.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.3 5 Logging and Monitoring Ensure that Diagnostic Logs Are Enabled for All Services that Support it. Shared The customer is responsible for implementing this recommendation. Diagnostic Logs capture activity on the data access plane, while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault. Currently, 32 Azure resources support Diagnostic Logging (see the references section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps and CosmosDB. The content of these logs varies by resource type. For example, Windows event system logs are a category of diagnostic logs for VMs, and blob, table, and queue logs are categories of diagnostic logs for storage accounts. A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length of time. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended. Note: The CIS Benchmark covers some specific Diagnostic Logs separately: 3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests; 6.4 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'. link count: 021
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510), Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98), Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b), Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f), Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4), Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2), Resource logs in Azure Data Lake Store should be enabled (057ef27e-665e-4328-8ea3-04b3122bd9fb), Resource logs in Azure Stream Analytics should be enabled (f9be5368-9bf5-4b84-9e0a-7850da98bb46), Resource logs in Batch accounts should be enabled (428256e6-1fac-4f48-a757-df34c2b3336d), Resource logs in Data Lake Analytics should be enabled (c95c74d9-38fe-4f0d-af86-0c7d626a315c), Resource logs in Event Hub should be enabled (83a214f7-d01a-484b-91a9-ed54470c9a6a), Resource logs in IoT Hub should be enabled (383856f8-de7f-44a2-81fc-e5135b5c2aa4), Resource logs in Key Vault should be enabled (cf820ca0-f99e-4f3e-84fb-66e913812d21), Resource logs in Logic Apps should be enabled (34f95f76-5386-4de7-b824-0d8478470c9d), Resource logs in Search services should be enabled (b4330a05-a843-4bc8-bf9a-cacce50c67f4), Resource logs in Service Bus should be enabled (f8d36e2f-389b-4ee4-898d-21aeb69a0f45), Resource logs in Virtual Machine Scale Sets should be enabled (7c1b1214-f927-48bf-8882-84f0af6588b1), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1), Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 6.3 CIS_Azure_1.4.0_6.3 CIS Microsoft Azure Foundations Benchmark recommendation 6.3 6 Networking Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Shared The customer is responsible for implementing this recommendation. Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). link count: 002
Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6), Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 6.4 CIS_Azure_1.4.0_6.4 CIS Microsoft Azure Foundations Benchmark recommendation 6.4 6 Networking Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. Network Security Group Flow Logs should be enabled, with the retention period set to greater than or equal to 90 days. link count: 003
Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1), Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc), Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 6.5 CIS_Azure_1.4.0_6.5 CIS Microsoft Azure Foundations Benchmark recommendation 6.5 6 Networking Ensure that Network Watcher is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable Network Watcher for Azure subscriptions. link count: 002
Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6), Verify security functions (ece8bb17-4080-5127-915f-dc7267ee8549)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 7.1 CIS_Azure_1.4.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure Virtual Machines are utilizing Managed Disks Shared The customer is responsible for implementing this recommendation. Migrate BLOB-based VHDs to Managed Disks on Virtual Machines to take advantage of the default features of this configuration. The features include: 1) default disk encryption; 2) resilience, as Microsoft will manage the disk storage and move it if the underlying hardware becomes faulty; 3) reduced cost compared with storage accounts. link count: 004
Audit VMs that do not use managed disks (06a78e20-9358-41c9-923c-fb736d382a4d), Control physical access (55a7f9a0-6397-7589-05ef-5ed59a8149e7), Manage the input, output, processing, and storage of data (e603da3a-8af7-4f8a-94cb-1bcc0e0333d2), Review label activity and analytics (e23444b9-9662-40f3-289e-6d25c02b48fa)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 7.2 CIS_Azure_1.4.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed Keys can be used with either ADE or Server Side Encryption (SSE). link count: 005
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423), Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 7.3 CIS_Azure_1.4.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). link count: 004
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 7.4 CIS_Azure_1.4.0_7.4 CIS Microsoft Azure Foundations Benchmark recommendation 7.4 7 Virtual Machines Ensure that Only Approved Extensions Are Installed Shared The customer is responsible for implementing this recommendation. For added security only install organization-approved extensions on VMs. link count: 001
Only approved VM extensions should be installed (c0e996f8-39cf-4af9-9f45-83fbde810432)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 7.5 CIS_Azure_1.4.0_7.5 CIS Microsoft Azure Foundations Benchmark recommendation 7.5 7 Virtual Machines Ensure that the latest OS Patches for all Virtual Machines are applied Shared The customer is responsible for implementing this recommendation. Ensure that the latest OS patches for all virtual machines are applied. link count: 002
Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b), System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 7.6 CIS_Azure_1.4.0_7.6 CIS Microsoft Azure Foundations Benchmark recommendation 7.6 7 Virtual Machines Ensure that the endpoint protection for all Virtual Machines is installed Shared The customer is responsible for implementing this recommendation. Install endpoint protection for all virtual machines. link count: 011
Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517), Document security operations (2c6bee3a-2180-2430-440d-db3c7a849870), Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7), Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9), Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06), Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f), Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce), Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd), Turn on sensors for endpoint security solution (5fc24b95-53f7-0ed1-2330-701b539b97fe), Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65), Verify software, firmware and information integrity (db28735f-518f-870e-15b4-49623cbe3aa0)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 7.7 CIS_Azure_1.4.0_7.7 CIS Microsoft Azure Foundations Benchmark recommendation 7.7 7 Virtual Machines Ensure that VHD's are Encrypted Shared The customer is responsible for implementing this recommendation. VHDs (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to virtual machines, with the blob VHD then leased to the VM. By default, storage accounts are not encrypted, and Azure Defender (Security Center) would then recommend that the OS disks be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK, and this should be turned on for storage accounts containing VHDs. link count: 004
Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea), Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232), Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344), Protect special information (a315c657-4a00-8eba-15ac-44692ad24423)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 8.1 CIS_Azure_1.4.0_8.1 CIS Microsoft Azure Foundations Benchmark recommendation 8.1 8 Other Security Considerations Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link count: 008
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 8.2 CIS_Azure_1.4.0_8.2 CIS Microsoft Azure Foundations Benchmark recommendation 8.2 8 Other Security Considerations Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. Shared The customer is responsible for implementing this recommendation. Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link count: 008
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 8.3 CIS_Azure_1.4.0_8.3 CIS Microsoft Azure Foundations Benchmark recommendation 8.3 8 Other Security Considerations Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link count: 008
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 8.4 CIS_Azure_1.4.0_8.4 CIS Microsoft Azure Foundations Benchmark recommendation 8.4 8 Other Security Considerations Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults Shared The customer is responsible for implementing this recommendation. Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. link count: 008
Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7), Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42), Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c), Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a), Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13), Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37), Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4), Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 8.5 CIS_Azure_1.4.0_8.5 CIS Microsoft Azure Foundations Benchmark recommendation 8.5 8 Other Security Considerations Ensure that Resource Locks are set for Mission Critical Azure Resources Shared The customer is responsible for implementing this recommendation. Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion. link count: 001
Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 8.6 CIS_Azure_1.4.0_8.6 CIS Microsoft Azure Foundations Benchmark recommendation 8.6 8 Other Security Considerations Ensure the key vault is recoverable Shared The customer is responsible for implementing this recommendation. The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data including storage accounts, SQL databases, and/or dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. link count: 002
Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53), Maintain availability of information (3ad7f0bc-3d03-0585-4d24-529779bb02c2)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 8.7 CIS_Azure_1.4.0_8.7 CIS Microsoft Azure Foundations Benchmark recommendation 8.7 8 Other Security Considerations Enable role-based access control (RBAC) within Azure Kubernetes Services Shared The customer is responsible for implementing this recommendation. Ensure that RBAC is enabled on all Azure Kubernetes Services instances. link count: 007
Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841), Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7), Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb), Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823), Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734), Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838), Role-Based Access Control (RBAC) should be used on Kubernetes Services (ac4a19c2-fa67-49b4-8ae5-0b2e78c49457)
CIS Microsoft Azure Foundations Benchmark v1.4.0 (c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5)
CIS_Azure_1.4.0 9.1 CIS_Azure_1.4.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set up for apps in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link count: 005
App Service apps should have authentication enabled (95bccee9-a7f8-4bec-9ee9-62c3473701fc), Authenticate to cryptographic module (6f1de470-79f3-1572-866e-db0771352fc8), Enforce user uniqueness (e336d5f4-4d8f-0059-759c-ae10f63d1747),