@@ -49,7 +49,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
|---|---|---|---|---|
| AWS | 304 | 61 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 6 -> `prowler aws --list-categories` |
| GCP | 75 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
-| Azure | 126 | 16 -> `prowler azure --list-services` | CIS soon | 2 -> `prowler azure --list-categories` |
+| Azure | 126 | 16 -> `prowler azure --list-services` | 2 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
| Kubernetes | Work In Progress | - | CIS soon | - |
# 📖 Documentation
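Review bot: the Azure compliance count is now a hand-maintained number that has to agree with the two frameworks added in docs/tutorials/compliance.md and the JSON files under prowler/compliance/azure; verify it against the real `prowler azure --list-compliance` output before merging, since the hunk header shows this table already encodes counts (services, categories) that drift silently when checks are added. The Kubernetes row still reads `CIS soon` in the same column, which is fine while nothing has shipped, but once a Kubernetes framework lands it should switch to the same `N -> command` form used by the other rows.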
diff --git a/docs/tutorials/compliance.md b/docs/tutorials/compliance.md
index c82fec0bd0..015826323a 100644
--- a/docs/tutorials/compliance.md
+++ b/docs/tutorials/compliance.md
@@ -17,6 +17,8 @@ Currently, the available frameworks are:
- `cis_1.5_aws`
- `cis_2.0_aws`
- `cis_2.0_gcp`
+- `cis_2.0_azure`
+- `cis_2.1_azure`
- `cis_3.0_aws`
- `cisa_aws`
- `ens_rd2022_aws`
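Review bot: the two new entries sit in the correct sorted position between `cis_2.0_gcp` and `cis_3.0_aws`, so the list itself is fine. Because this is the first time the tutorial lists Azure frameworks, check that the usage examples further down the file include an Azure invocation (for example `prowler azure --compliance cis_2.1_azure`) and not only AWS ones, so readers see that the same `--compliance` flag applies per provider.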
diff --git a/prowler/compliance/azure/cis_2.0_azure.json b/prowler/compliance/azure/cis_2.0_azure.json
new file mode 100644
index 0000000000..1fb1af8b66
--- /dev/null
+++ b/prowler/compliance/azure/cis_2.0_azure.json
@@ -0,0 +1,3244 @@
+{
+ "Framework": "CIS",
+ "Version": "2.0",
+ "Provider": "AZURE",
+ "Description": "The CIS Azure Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Azure with an emphasis on foundational, testable, and architecture agnostic settings.",
+ "Requirements": [
+ {
+ "Id": "1.1.1",
+ "Description": "Ensure Security Defaults is enabled on Azure Active Directory",
+ "Checks": [
+ "entra_security_defaults_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.1 Security Defaults",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security",
+ "RationaleStatement": "Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, doing the following: • Requiring all users and admins to register for MFA. • Challenging users with MFA - when necessary, based on factors such as location, device, role, and task. • Disabling authentication from legacy authentication clients, which can't do MFA.",
+ "ImpactStatement": "This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Azure Active Directory may impact other Microsoft services such as Microsoft 365.",
+ "RemediationProcedure": "From Azure Portal To enable security defaults in your directory: 1. From Azure Home select the Portal Menu. 2. Browse to Azure Active Directory > Properties 3. Select Manage security defaults 4. Set the Enable security defaults toggle to Yes 5. Select Save",
+ "AuditProcedure": "From Azure Portal To ensure security defaults is enabled in your directory: 1. From Azure Home select the Portal Menu. 2. Browse to Azure Active Directory > Properties. 3. Select Manage security defaults. 4. Verify the Enable security defaults toggle is Yes.",
+ "AdditionalInformation": "This recommendation differs from the Microsoft 365 Benchmark. This is because the potential impact associated with disabling Security Defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling Security Defaults implement appropriate security settings to replace the settings configured by Security Defaults.",
+ "DefaultValue": "If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults"
+ }
+ ]
+ },
+ {
+ "Id": "1.1.2",
+ "Description": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users",
+ "Checks": [
+ "entra_privileged_user_has_mfa"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.1 Security Defaults",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as; • Service Co-Administrators • Subscription Owners • Contributors",
+ "RationaleStatement": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.",
+ "ImpactStatement": "Users would require two forms of authentication before any access is granted. Additional administrative time will be required for managing dual forms of authentication when enabling multi-factor authentication.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory blade 3. Select Users 4. Take note of all users with the role Service Co-Administrators, Owners or Contributors 5. Click on the Per-User MFA button in the top row menu 6. Check the box next to each noted user 7. Click Enable under quick steps in the right-hand panel 8. Click enable multi-factor auth 9. Click close",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select the Azure Active Directory blade 3. Select Users 4. Take note of all users with the role Service Co-Administrators, Owners or Contributors 5. Click on the Per-User MFA button in the top row menu 6. Ensure that MULTI-FACTOR AUTH STATUS is Enabled for all noted users From REST API For Every Subscription, For Every Tenant Step 1: Identify Users with Administrative Access 1. List All Users Using Microsoft Graph API: GET https://graph.microsoft.com/v1.0/users Capture id and corresponding userPrincipalName ('$uid', '$userPrincipalName') 2. List all Role Definitions Using Azure management API: https://management.azure.com/subscriptions/:subscriptionId/providers/Microsof t.Authorization/roleDefinitions?api-version=2017-05-01 Capture Role Definition IDs/Name ('$name') and role names ('$properties/roleName') where 'properties/roleName' contains (Owner or *contributor or admin ) 3. List All Role Assignments (Mappings $A.uid to $B.name) Using Azure Management API: GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsof t.Authorization/roleassignments?api-version=2017-10-01-preview Find all administrative roles ($B.name) in 'Properties/roleDefinitionId' mapped with user ids ($A.id) in 'Properties/principalId' where 'Properties/principalType' == 'User' 4. Now Match ($CProperties/principalId) with $A.uid and get $A.userPrincipalName save this as D.userPrincipalName Step 2: Run MSOL PowerShell command: Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName If the output contains any of the $D.userPrincipalName, then this recommendation is non-compliant.",
+ "AdditionalInformation": "Please note that at the time of writing, there is no API, Azure CLI or Powershell mechanism available to programmatically conduct security assessment or remediation for this recommendation. The only option is MSOL.",
+ "DefaultValue": "By default, multi-factor authentication is disabled for all users.",
+ "References": "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication:https://stackoverflow.com/questions/41156206/azure-active-directory-premium-mfa-attributes-via-graph-api:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access"
+ }
+ ]
+ },
+ {
+ "Id": "1.1.3",
+ "Description": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users",
+ "Checks": [
+ "entra_non_privileged_user_has_mfa"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.1 Security Defaults",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Enable multi-factor authentication for all non-privileged users.",
+ "RationaleStatement": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.",
+ "ImpactStatement": "Users would require two forms of authentication before any access is granted. Also, this requires an overhead for managing dual forms of authentication.",
+ "RemediationProcedure": "Follow Microsoft Azure documentation and enable multi-factor authentication in your environment. https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable- azure-mfa Enabling and configuring MFA is a multi-step process. Here are some additional resources on the process within Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto- conditional-access-policy-admin-mfa https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa- getstarted#enable-multi-factor-authentication-with-conditional-access https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa- mfasettings",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select the Azure Active Directory blade 3. Then Users 4. Select All Users 5. Click on Per-User MFA button on the top bar 6. Ensure that for all users MULTI-FACTOR AUTH STATUS is Enabled From REST API For Every Subscription, For Every Tenant Step 1: Identify Users with non-administrative Access 1. List All Users Using Microsoft Graph API: GET https://graph.microsoft.com/v1.0/users Capture id and corresponding userPrincipalName ($uid, $userPrincipalName) 2. List all Role Definitions Using Azure management API: https://management.azure.com/subscriptions//providers/Microso ft.Authorization/roleDefinitions?api-version=2017-05-01 Capture Role Definition IDs/Name ($name) and role names ($properties/roleName) where 'properties/roleName' does NOT contain (Owner or *contributor or admin ) 3. List All Role Assignments (Mappings $A.uid to $B.name) Using Azure Management API: GET https://management.azure.com/subscriptions//providers/Microso ft.Authorization/roleassignments?api-version=2017-10-01-preview Find all non-administrative roles ($B.name) in 'Properties/roleDefinationId' mapped with user ids ($A.id) in 'Properties/principalId' where 'Properties/principalType' == 'User' D> Now Match ($CProperties/principalId) with $A.uid and get $A.userPrincipalName save this as D.userPrincipleName Step 2: Run MSOL PowerShell command: Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName If the output contains any of the $D.userPrincipleName, then this recommendation is non-compliant.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, multi-factor authentication is disabled for all users.",
+ "References": "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access"
+ }
+ ]
+ },
+ {
+ "Id": "1.1.4",
+ "Description": "Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.1 Security Defaults",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Do not allow users to remember multi-factor authentication on devices.",
+ "RationaleStatement": "Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.",
+ "ImpactStatement": "For every login attempt, the user will be required to perform multi-factor authentication.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Click the Per-user MFA button on the top bar 5. Click on service settings 6. Uncheck the box next to Allow users to remember multi-factor authentication on devices they trust",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Click the Per-user MFA button on the top bar 5. Click on service settings 6. Ensure that Allow users to remember multi-factor authentication on devices they trust is not enabled",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Allow users to remember multi-factor authentication on devices they trust is disabled.",
+ "References": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#remember-multi-factor-authentication-for-devices-that-users-trust:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-6-use-strong-authentication-controls"
+ }
+ ]
+ },
+ {
+ "Id": "1.2.1",
+ "Description": "Ensure Trusted Locations Are Defined",
+ "Checks": [
+ "entra_trusted_named_locations_exists"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Azure Active Directory Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.",
+ "RationaleStatement": "Defining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. Users authenticating from trusted IP addresses and/or ranges may have less access restrictions or access requirements when compared to users that try to authenticate to Azure Active Directory from untrusted locations or untrusted source IP addresses/ranges.",
+ "ImpactStatement": "When configuring Named locations, the organization can create locations using Geographical location data or by defining source IP addresses or ranges. Configuring Named locations using a Country location does not provide the organization the ability to mark those locations as trusted, and any Conditional Access policy relying on those Countries location setting will not be able to use the All trusted locations setting within the Conditional Access policy. They instead will have to rely on the Select locations setting. This may add additional resource requirements when configuring, and will require thorough organizational testing. In general, Conditional Access policies may completely prevent users from authenticating to Azure Active Directory, and thorough testing is recommended. To avoid complete lockout, a 'Break Glass' account with full Global Administrator rights is recommended in the event all other administrators are locked out of authenticating to Azure Active Directory. This 'Break Glass' account should be excluded from Conditional Access Policies and should be configured with the longest pass phrase feasible. This account should only be used in the event of an emergency and complete administrator lockout.",
+ "RemediationProcedure": "From Azure Portal 1. Navigate to the Azure AD Conditional Access Blade 2. Click on the Named locations blade 3. Within the Named locations blade, click on IP ranges location 4. Enter a name for this location setting in the Name text box 5. Click on the + sign 6. Add an IP Address Range in CIDR notation inside the text box that appears 7. Click on the Add button 8. Repeat steps 5 through 7 for each IP Range that needs to be added 9. If the information entered are trusted ranges, select the Mark as trusted location check box 10. Once finished, click on Create From PowerShell Create a new trusted IP-based Named location policy [System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.IpRange]]$ipR anges = @() $ipRanges.Add('') $ipRanges.Add('') $ipRanges.Add('') New-AzureADMSNamedLocationPolicy -OdataType '#microsoft.graph.ipNamedLocation' -DisplayName ' -IsTrusted $true -IpRanges $ipRanges Set an existing IP-based Named location policy to trusted Set-AzureADMSNamedLocationPolicy -PolicyId '' -OdataType '#microsoft.graph.ipNamedLocation' -IsTrusted $true",
+ "AuditProcedure": "From Azure Portal 1. In the Azure Portal, navigate to Azure AD Conditional Access 2. Click on Security 3. Click on Named Locations Ensure there are IP ranges location settings configured and marked as Trusted From PowerShell Get-AzureADMSNamedLocationPolicy In the output from the above command, for each Named location group, make sure at least one entry contains the IsTrusted parameter with a value of True. Otherwise, if there is no output as a result of the above command or all of the entries contain the IsTrusted parameter with an empty value, a NULL value, or a value of False, the results are out of compliance with this check.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no locations are configured under the Named locations blade within the Azure AD Conditional Access blade.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
+ }
+ ]
+ },
+ {
+ "Id": "1.2.2",
+ "Description": "Ensure that an exclusionary Geographic Access Policy is considered",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "CAUTION: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues. Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.",
+ "RationaleStatement": "Conditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.",
+ "ImpactStatement": "Azure AD Premium is required. Limiting access geographically will deny access to users that are traveling or working remotely in a different part of the world. A point-to-site or site to site tunnel such as a VPN is recommended to address exceptions to geographic access policies.",
+ "RemediationProcedure": "From Azure Portal Part 1 of 2 - Create the policy and enable it in Report-only mode. 1. From Azure Home open the portal menu in the top left, and select Azure Active Directory. 2. Scroll down in the menu on the left, and select Security. 3. Select on the left side Conditional Access. 4. Click the + New policy button, then: 5. Provide a name for the policy. 6. Under Assignments, select Users or workload identities then: o Under Include, select All users o Under Exclude, check Users and groups and only select emergency access accounts and service accounts (NOTE: Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA) 7. Under Assignments, select Cloud apps or actions then: o Under Include, select All cloud apps o Leave Exclude blank unless you have a well defined exception 8. Under Conditions, select Locations then: o Select Include, then add entries for locations for those that should be blocked o Select Exclude, then add entries for those that should be allowed (IMPORTANT: Ensure that all Trusted Locations are in the Exclude list.) 9. Under Access Controls, select Grant and Confirm that Block Access is selected. 10. Set Enable policy to Report-only. 11. Click Create. NOTE: The policy is not yet 'live,' since Report-only is being used to audit the effect of the policy. Part 2 of 2 - Confirm that the policy is not blocking access that should be granted, then toggle to On. 1. With your policy now in report-only mode, return to the Azure Active Directory blade and click on Sign-in logs. 2. 
Review the recent sign-in events - click an event then review the event details (specifically the Report-only tab) to ensure: o The sign-in event you're reviewing occurred after turning on the policy in report-only mode o The policy name from step 5 above is listed in the Policy Name column o The Result column for the new policy shows that the policy was Not applied (indicating the location origin was not blocked) 3. If the above conditions are present, navigate back to the policy name in Conditional Access and open it. 4. Toggle the policy from Report-only to On. 5. Click Save. From PowerShell First, set up the conditions objects values before updating an existing conditional access policy or before creating a new one. You may need to use additional PowerShell cmdlets to retrieve specific IDs such as the Get-AzureADMSNamedLocationPolicy which outputs the Location IDs for use with conditional access policies. $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition $conditions.Applications.IncludeApplications = <'All' | 'Office365' | 'app ID' | @('app ID 1', 'app ID 2', etc...> $conditions.Applications.ExcludeApplications = <'Office365' | 'app ID' | @('app ID 1', 'app ID 2', etc...)> $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition $conditions.Users.IncludeUsers = <'All' | 'None' | 'GuestsOrExternalUsers' | 'Specific User ID' | @('User ID 1', 'User ID 2', etc.)> $conditions.Users.ExcludeUsers = <'GuestsOrExternalUsers' | 'Specific User ID' | @('User ID 1', 'User ID 2', etc.)> $conditions.Users.IncludeGroups = <'group ID' | 'All' | @('Group ID 1', 'Group ID 2', etc...)> $conditions.Users.ExcludeGroups = <'group ID' | @('Group ID 1', 'Group ID 2', etc...)> $conditions.Users.IncludeRoles = <'Role ID' | 'All' | @('Role ID 1', 'Role ID 2', etc...)> 
$conditions.Users.ExcludeRoles = <'Role ID' | @('Role ID 1', 'Role ID 2', etc...)> $conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition $conditions.Locations.IncludeLocations = <'Location ID' | @('Location ID 1', 'Location ID 2', etc...) > $conditions.Locations.ExcludeLocations = <'AllTrusted' | 'Location ID' | @('Location ID 1', 'Location ID 2', etc...)> $controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls $controls._Operator = 'OR' $controls.BuiltInControls = 'block' Next, update the existing conditional access policy with the condition set options configured with the previous commands. Set-AzureADMSConditionalAccessPolicy -PolicyId -Conditions $conditions -GrantControls $controls To create a new conditional access policy that complies with this best practice, run the following commands after creating the condition set above New-AzureADMSConditionalAccessPolicy -Name 'Policy Name' -State -Conditions $conditions -GrantControls $controls",
+ "AuditProcedure": "1. From Azure Home open the Portal menu in the top left, and select Azure Active Directory. 2. Scroll down in the menu on the left, and select Security. 3. Select on the left side Conditional Access. 4. Select the policy you wish to audit, then: o Under Assignments, Review the Users and Groups for the personnel the policy will apply to o Under Assignments, Review the Cloud apps or actions for the systems the policy will apply to o Under Conditions, Review the Include locations for those that should be blocked o Under Conditions, Review the Exclude locations for those that should be allowed (Note: locations set up in the previous recommendation for Trusted Location should be in the Exclude list.) o Under Access Controls > Grant - Confirm that Block Access is selected. From Azure CLI As of this writing there are no subcommands for Conditional Access Policies within the Azure CLI From PowerShell $conditionalAccessPolicies = Get-AzureADMSConditionalAccessPolicy foreach($policy in $conditionalAccessPolicies) {$policy | Select-Object @{N='Policy ID'; E={$policy.id}}, @{N='Included Locations'; E={$policy.Conditions.Locations.IncludeLocations}}, @{N='Excluded Locations'; E={$policy.Conditions.Locations.ExcludeLocations}}, @{N='BuiltIn GrantControls'; E={$policy.GrantControls.BuiltInControls}}} Make sure there is at least 1 row in the output of the above PowerShell command that contains Block under the BuiltIn GrantControls column and location IDs under the Included Locations and Excluded Locations columns. If not, a policy containing these options has not been created and is considered a finding.",
+ "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. Further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.",
+ "DefaultValue": "This policy does not exist by default.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-report-only:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
+ }
+ ]
+ },
+ {
+ "Id": "1.2.3",
+ "Description": "Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.",
+ "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the use of Administrative accounts to authenticated personnel.",
+ "ImpactStatement": "There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, MFA may require additional overhead to maintain. There is also a potential scenario in which the multi-factor authentication method can be lost, and administrative users are no longer able to log in. For this scenario, there should be an emergency access account. Please see References for creating this.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in top left, and select Azure Active Directory. 2. Select Security. 3. Select Conditional Access. 4. Click + New policy. 5. Enter a name for the policy. 6. Select Users or workload identities. 7. Check Users and groups. 8. Select administrative groups this policy should apply to and click Select. 9. Under Exclude, check Users and groups. 10. Select users this policy not should apply to and click Select. 11. Select Cloud apps or actions. 12. Select All cloud apps. 13. Select Grant. 14. Under Grant access, check Require multifactor authentication and click Select. 15. Set Enable policy to Report-only. 16. Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left, and select Azure Active Directory. 2. Select Security. 3. Select Conditional Access. 4. Select the policy you wish to audit. 5. View under Users and Groups the corresponding users and groups to whom the policy is applied. Be certain the emergency access account is not in the list. 6. View under Exclude to determine which Users and groups to whom the policy is not applied.",
+ "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. Further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.",
+ "DefaultValue": "By default, MFA is not enabled for any administrative accounts.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa:https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
+ }
+ ]
+ },
+ {
+ "Id": "1.2.4",
+ "Description": "Ensure that A Multi-factor Authentication Policy Exists for All Users",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.",
+ "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.",
+ "ImpactStatement": "There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, this may require additional overhead to maintain if users lose access to their MFA.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home open Portal menu in the top left, and select Azure Active Directory. 2. Select Security. 3. Select Conditional Access. 4. Click + New policy. 5. Enter a name for the policy. 6. Select Users or workload identities. 7. Under Include, select All users. 8. Under Exclude, check Users and groups. 9. Select users this policy should not apply to and click Select. 10. Select Cloud apps or actions. 11. Select All cloud apps. 12. Select Grant. 13. Under Grant access, check Require multifactor authentication and click Select. 14. Set Enable policy to Report-only. 15. Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left, and select Azure Active Directory. 2. Scroll down in the menu on the left, and select Security. 3. Select on the left side Conditional Access. 4. Select the policy you wish to audit. 5. View under Users and Groups the corresponding users and groups to whom the policy is applied. 6. View under Exclude to determine which users and groups to whom the policy is not applied.",
+ "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. Further testing can also be done via the insights and reporting resource the in References which monitors Azure sign ins.",
+ "DefaultValue": "MFA is not enabled by default.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
+ }
+ ]
+ },
+ {
+ "Id": "1.2.5",
+ "Description": "Ensure Multi-factor Authentication is Required for Risky Sign-ins",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.",
+ "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.",
+ "ImpactStatement": "There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, they may require additional overhead to maintain if users lose access to their MFA.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu in the top left, and select Azure Active Directory. 2. Select Security 3. Select Conditional Access. 4. Click + New policy. 5. Enter a name for the policy. 6. Select Users or workload identities. 7. Under Include, select All users. 8. Under Exclude, check Users and groups. 9. Select users this policy should not apply to and click Select. 10. Select Cloud apps or actions. 11. Select All cloud apps. 12. Select Conditions. 13. Select Sign-in risk. 14. Update the Configure toggle to Yes. 15. Check the sign-in risk level this policy should apply to, e.g. High and Medium. 16. Select Done. 17. Select Grant. 18. Under Grant access, check Require multifactor authentication and click Select. 19. Set Enable policy to Report-only. 20. Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu and select Security. 2. Select on the left side Conditional Access. 3. Select the policy you wish to audit. 4. View under Users and Groups the corresponding users and groups to whom the policy is applied. 5. View under Exclude to determine which users and groups to whom the policy is not applied.",
+ "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. Further testing can also be done via the insights and reporting resource the in References which monitors Azure sign ins.",
+ "DefaultValue": "MFA is not enabled by default.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions"
+ }
+ ]
+ },
+ {
+ "Id": "1.2.6",
+ "Description": "Ensure Multi-factor Authentication is Required for Azure Management",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.",
+ "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the use of Administrative actions and to prevent intruders from changing settings.",
+ "ImpactStatement": "There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, they may require additional overhead to maintain if users lose access to their MFA.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu and select Azure Active Directory. 2. Select Security. 3. Select Conditional Access. 4. Click + New policy. 5. Enter a name for the policy. 6. Select Users or workload identities. 7. Under Include, select All users. 8. Under Exclude, check Users and groups. 9. Select users this policy should not apply to and click Select. 10. Select Cloud apps or actions. 11. Select Select apps. 12. Check the box next to Microsoft Azure Management and click Select. 13. Select Grant. 14. Under Grant access, check Require multifactor authentication and click Select. 15. Set Enable policy to Report-only. 16. Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu and select Azure Active Directory. 2. Scroll down in the menu on the left, and select Security. 3. Select on the left side Conditional Access. 4. Select the policy you wish to audit. 5. View under Users and Groups the corresponding users and groups to whom the policy is applied. 6. View under Exclude to determine which Users and groups to whom the policy is not applied.",
+ "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with administrators changing settings until they use an MFA device linked to their accounts. An emergency access account is recommended for this eventuality if all administrators are locked out. Please see the documentation in the references for further information. Similarly further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.",
+ "DefaultValue": "MFA is not enabled by default for administrative actions.",
+ "References": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups"
+ }
+ ]
+ },
+ {
+ "Id": "1.3",
+ "Description": "Ensure that 'Users can create Azure AD Tenants' is set to 'No'",
+ "Checks": [
+ "entra_policy_ensure_default_user_cannot_create_tenants"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Require administrators or appropriately delegated users to create new tenants.",
+ "RationaleStatement": "It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.",
+ "ImpactStatement": "Enforcing this setting will ensure that only authorized users are able to create new tenants.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. Set Users can create Azure AD Tenants to No",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. Ensure that Users can create Azure AD Tenants is set to No Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security assessment for this recommendation.",
+ "AdditionalInformation": "",
+ "DefaultValue": "",
+ "References": "https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions:https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator"
+ }
+ ]
+ },
+ {
+ "Id": "1.4",
+ "Description": "Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.",
+ "RationaleStatement": "Guest users in the Azure AD are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants. Guest users should be reviewed on a regular basis, at least annually. Guest users should not be granted administrative roles where possible. Guest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely, leading to a potential vulnerability. Guest users should be reviewed on a monthly basis to ensure that inactive and unneeded accounts are removed.",
+ "ImpactStatement": "Until you have a business need to provide guest access to any user, avoid creating guest users. If guest accounts are being used, they should be removed when no longer required.",
+ "RemediationProcedure": "From Azure Portal 1. From the Azure Portal home page click the portal menu in the top left. 2. Select Azure Active Directory 3. Select Users in the left column under the Manage heading. 4. Next to the search box select the filter option. 5. Search for and select User Type 6. In the third drop down Value select Guest. 7. Review the guest users in your Active Directory. 8. For those you wish to delete, select the checkbox on the left then the Delete option in the top row. From Azure CLI With the information from the audit procedure, to remove a Guest user run the following command with their User Principal Value. Remove-AzureADUser -ObjectId ''",
+ "AuditProcedure": "From Azure Portal 1. From the Azure Portal home page click the portal menu in the top left. 2. Select Azure Active Directory 3. Select Users in the left column under the Manage heading. 4. Next to the search box select the filter option. 5. Search for and select User Type 6. In the third drop down Value select Guest. 7. Review the guest users in your Active Directory. From Azure CLI Run the following command: az ad user list -Filter 'UserType eq 'Guest'' From PowerShell Run the following command: Get-AzureADUser -Filter 'UserType eq 'Guest'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default no guest users are created",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-3-review-and-reconcile-user-access-regularly:https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews:https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing"
+ }
+ ]
+ },
+ {
+ "Id": "1.5",
+ "Description": "Ensure Guest Users Are Reviewed on a Regular Basis",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.",
+ "RationaleStatement": "Guest users in the Azure AD are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants. Guest users are typically added outside your employee on-boarding/off- boarding process and could potentially be overlooked indefinitely, leading to a potential vulnerability. To prevent this, guest users should be reviewed on a regular basis. During this audit, guest users should also be determined to not have administrative privileges.",
+ "ImpactStatement": "Before removing guest users, determine their use and scope. Like removing any user, there may be unforeseen consequences to systems if it is deleted.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Click on Add filter 5. Select User type 6. Select Guest from the Value dropdown 7. Click Apply 8. Delete all Guest users that are no longer required or are inactive From Azure CLI Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems. az ad user update --id --account-enabled {false} After determining that there are no dependent systems delete the user. Remove-AzureADUser -ObjectId From Azure PowerShell Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems. Set-AzureADUser -ObjectId '' -AccountEnabled false After determining that there are no dependent systems delete the user. PS C:\\>Remove-AzureADUser -ObjectId ",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Click on Add filter 5. Select User type 6. Select Guest from the Value dropdown 7. Click Apply 8. Audit the listed guest users From Azure CLI az ad user list --query '[?userType=='Guest']' Ensure all users listed are still required and not inactive. From Azure PowerShell Get-AzureADUser |Where-Object {$_.UserType -like 'Guest'} |Select-Object DisplayName, UserPrincipalName, UserType -Unique",
+ "AdditionalInformation": "It is good practice to use a dynamic security group to manage guest users.To create the dynamic security group:1. Navigate to the 'Active Directory' blade in the Azure Portal2. Select the 'Groups' item3. Create new4. Type of 'dynamic'5. Use the following dynamic selection rule. '(user.userType -eq 'Guest')'6. Once the group has been created, select access reviews option and create anew access review with a period of monthly and send to relevant administratorsfor review.",
+ "DefaultValue": "By default no guest users are created.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-3-review-and-reconcile-user-access-regularly:https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing:https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-restore"
+ }
+ ]
+ },
+ {
+ "Id": "1.6",
+ "Description": "Ensure That 'Number of methods required to reset' is set to '2'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Ensures that two alternate forms of identification are provided before allowing a password reset.",
+ "RationaleStatement": "A Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.",
+ "ImpactStatement": "There may be administrative overhead, as users who lose access to their secondary authentication methods will need an administrator with permissions to remove it. There will also need to be organization-wide security policies and training to teach administrators to verify the identity of the requesting user so that social engineering can not render this setting useless.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select Password reset 5. Then Authentication methods 6. Set the Number of methods required to reset to 2",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select Password reset 5. Then Authentication methods 6. Ensure that Number of methods required to reset is set to 2",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, the Number of methods required to reset is set to 2.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access:https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-faq#password-reset-registration:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods"
+ }
+ ]
+ },
+ {
+ "Id": "1.7",
+ "Description": "Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.",
+ "RationaleStatement": "Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.",
+ "ImpactStatement": "Increasing needed password complexity might increase overhead on administration of user accounts. Licensing requirement for Global Banned Password List and Custom Banned Password list requires Azure AD Premium P1 or P2. On-premises Active Directory Domain Services users that are not synchronized to Azure AD also benefit from Azure AD Password Protection based on existing licensing for synchronized users.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Security. 4. Under Manage, select Authentication Methods. 5. Select Password Protection. 6. Set the Enforce custom list option to Yes. 7. Double click the custom banned password list to add a string.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active directory. 3. Select 'Security'. 4. Under Manage, select Authentication Methods. 5. Select Password Protection. 6. Ensure Enforce custom list is set to Yes. 7. Scroll through the list to view the enforced passwords.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default the custom bad password list is not 'Enabled'. Organizational-specific terms can be added to the custom banned password list, such as the following examples: • Brand names • Product names • Locations, such as company headquarters • Company-specific internal terms • Abbreviations that have specific company meaning • Months and weekdays with your company's local languages The default Azure bad password policy is already applied to your resources which applies the following basic requirements: Characters allowed: • Uppercase characters (A - Z) • Lowercase characters (a - z) • Numbers (0 - 9) • Symbols: • @ # $ % ^ & * - _ ! + = [ ] { } | \\ : ' , . ? / ` ~ ' ( ) < > • blank space Characters not allowed: • Unicode characters • Password length Passwords require • A minimum of eight characters • A maximum of 256 characters Password complexity: Passwords require three out of four of the following categories: • Uppercase characters • Lowercase characters • Numbers • Symbols Note: Password complexity check isn't required for Education tenants. Password not recently used: • When a user changes or resets their password, the new password can't be the same as the current or recently used passwords. • Password isn't banned by Azure AD Password Protection. • The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-combined-policy:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad:https://docs.microsoft.com/en-us/powershell/module/Azuread/:https://www.microsoft.com/en-us/research/publication/password-guidance/:https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-6-use-strong-authentication-controls"
+ }
+ ]
+ },
+ {
+ "Id": "1.8",
+ "Description": "Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.",
+ "RationaleStatement": "This setting is necessary if you have setup 'Require users to register when signing in option'. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.",
+ "ImpactStatement": "Users will be prompted for their multifactor authentication at the duration set here.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select Password reset 5. Then Registration 6. Set the Number of days before users are asked to re-confirm their authentication information to your organization-defined frequency.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select Password reset 5. Then Registration 6. Ensure that Number of days before users are asked to re-confirm their authentication information is not set to 0",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, the Number of days before users are asked to re-confirm their authentication information is set to '180 days'.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#registration:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods"
+ }
+ ]
+ },
+ {
+ "Id": "1.9",
+ "Description": "Ensure that 'Notify users on password resets?' is set to 'Yes'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Ensure that users are notified on their primary and secondary emails on password resets.",
+ "RationaleStatement": "User notification on password reset is a proactive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.",
+ "ImpactStatement": "Users will receive emails alerting them to password changes to both their primary and secondary emails.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select Password reset 5. Under Manage, select Notifications 6. Set Notify users on password resets? to Yes",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Go to Password reset 5. Under Manage, select Notifications 6. Ensure that Notify users on password resets? is set to Yes",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Notify users on password resets? is set to 'Yes'.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations:https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ }
+ ]
+ },
+ {
+ "Id": "1.10",
+ "Description": "Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Ensure that all Global Administrators are notified if any other administrator resets their password.",
+ "RationaleStatement": "Global Administrator accounts are sensitive. Any password reset activity notification, when sent to all Global Administrators, ensures that all Global administrators can passively confirm if such a reset is a common pattern within their group. For example, if all Global Administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.",
+ "ImpactStatement": "All Global Administrators will receive a notification from Azure every time a password is reset. This is useful for auditing procedures to confirm that there are no out of the ordinary password resets for Global Administrators. There is additional overhead, however, in the time required for Global Administrators to audit the notifications. This setting is only useful if all Global Administrators pay attention to the notifications, and audit each one.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select Password reset 5. Under Manage, select Notifications 6. Set Notify all admins when other admins reset their password? to Yes",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select Password reset 5. Under Manage, select Notifications 6. Ensure that notify all admins when other admins reset their password? is set to Yes",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Notify all admins when other admins reset their password? is set to 'No'.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations"
+ }
+ ]
+ },
+ {
+ "Id": "1.11",
+ "Description": "Ensure `User consent for applications` is set to `Do not allow user consent`",
+ "Checks": [
+ "entra_policy_restricts_user_consent_for_apps"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Require administrators to provide consent for applications before use.",
+ "RationaleStatement": "If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.",
+ "ImpactStatement": "Enforcing this setting may create additional requests that administrators need to review.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Enterprise Applications 4. Select Consent and permissions 5. Select User consent settings 6. Set User consent for applications to Do not allow user consent 7. Click save",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Enterprise Applications 4. Select Consent and permissions 5. Select User consent settings 6. Ensure User consent for applications is set to Do not allow user consent From PowerShell Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled Command should return UsersPermissionToUserConsentToAppEnabled with the value of False",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Users consent for applications is set to Allow user consent for apps.",
+ "References": "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ }
+ ]
+ },
+ {
+ "Id": "1.12",
+ "Description": "Ensure ‘User consent for applications’ Is Set To ‘Allow for Verified Publishers’ ",
+ "Checks": [
+ "entra_policy_user_consent_for_verified_apps"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Allow users to provide consent for selected permissions when a request is coming from a verified publisher.",
+ "RationaleStatement": "If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.",
+ "ImpactStatement": "Enforcing this setting may create additional requests that administrators need to review.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Enterprise Applications 4. Select Consent and permissions 5. Select User consent settings 6. Under User consent for applications, select Allow user consent for apps from verified publishers, for selected permissions 7. Select Save From PowerShell Connect-MsolService Set-MsolCompanyInformation --UsersPermissionToUserConsentToAppEnabled $False",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Enterprise Applications 4. Select Consent and permissions 5. Select User consent settings 6. Under User consent for applications, ensure Allow user consent for apps from verified publishers, for selected permissions is selected From PowerShell Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled Command should return UsersPermissionToUserConsentToAppEnabled with the value of False",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, User consent for applications is set to Allow user consent for apps.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0:https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolcompanyinformation?view=azureadps-1.0"
+ }
+ ]
+ },
+ {
+ "Id": "1.13",
+ "Description": "Ensure that 'Users can add gallery apps to My Apps' is set to 'No'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Require administrators to provide consent for the apps before use.",
+ "RationaleStatement": "Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.",
+ "ImpactStatement": "Can cause additional requests to administrators that need to be fulfilled quite often.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select User settings 5. Then Manage how end users launch and view their applications 6. Set Users can add gallery apps to My Apps to No",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select User settings 5. Then Manage how end users launch and view their applications, and ensure that Users can add gallery apps to My Apps is set to No",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Users can add gallery apps to My Apps is set to No.",
+ "References": "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/:https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
+ }
+ ]
+ },
+ {
+ "Id": "1.14",
+ "Description": "Ensure That 'Users Can Register Applications' Is Set to 'No'",
+ "Checks": [
+ "entra_policy_ensure_default_user_cannot_create_apps"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Require administrators or appropriately delegated users to register third-party applications.",
+ "RationaleStatement": "It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.",
+ "ImpactStatement": "Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator. If permissions are delegated, a user may approve a malevolent third party application, potentially giving it access to your data.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. Set Users can register applications to No From PowerShell Connect-MsolService Set-MsolCompanyInformation -UsersPermissionToCreateLOBAppsEnabled $False",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. Ensure that Users can register applications is set to No From PowerShell Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToCreateLOBAppsEnabled Command should return UsersPermissionToCreateLOBAppsEnabled with the value of False",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Users can register applications is set to 'Yes'.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/:https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolcompanyinformation?view=azureadps-1.0:https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0"
+ }
+ ]
+ },
+ {
+ "Id": "1.15",
+ "Description": "Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' ",
+ "Checks": [
+ "entra_policy_guest_users_access_restrictions"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Limit guest user permissions.",
+ "RationaleStatement": "Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction. 1. Guest users have the same access as members (most inclusive), 2. Guest users have limited access to properties and memberships of directory objects (default value), 3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive). The recommended option is the 3rd, most restrictive: 'Guest user access is restricted to their own directory object'.",
+ "ImpactStatement": "This may create additional requests for permissions to access resources that administrators will need to approve.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then External Identities 4. Select External collaboration settings 5. Under Guest user access, change Guest user access restrictions to be Guest user access is restricted to properties and memberships of their own directory objects From PowerShell 1. From a PowerShell session enter Set-AzureADMSAuthorizationPolicy - GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' 2. Check that the setting was applied by entering Get- AzureADMSAuthorizationPolicy 3. Make certain that the GuestUserRoleId is equal to the earlier entered value of 2af84b1e-32c8-42b7-82bc-daa82404023b.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then External Identities 4. Select External collaboration settings 5. Under Guest user access, ensure that Guest user access restrictions is set to Guest user access is restricted to properties and memberships of their own directory objects From PowerShell 1. Enter the following Get-AzureADMSAuthorizationPolicy Which will give a result like: Id : authorizationPolicy OdataType : Description : Used to manage authorization related settings across the company. DisplayName : Authorization Policy EnabledPreviewFeatures : {} GuestUserRoleId : 10dae51f-b6af-4016-8d66- 8c2a99b929b3 PermissionGrantPolicyIdsAssignedToDefaultUserRole : {user-default-legacy} If the GuestUserRoleID property does not equal 2af84b1e-32c8-42b7-82bc- daa82404023b then it is not set to most restrictive.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Guest user access restrictions is set to Guest user access is restricted to properties and memberships of their own directory objects",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions"
+ }
+ ]
+ },
+ {
+ "Id": "1.16",
+ "Description": "Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'",
+ "Checks": [
+ "entra_policy_guest_invite_only_for_admin_roles"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Restrict invitations to users with specific administrative roles only.",
+ "RationaleStatement": "Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain 'Need to Know' permissions and prevents inadvertent access to data. By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.",
+ "ImpactStatement": "With the option of Only users assigned to specific admin roles can invite guest users selected, users with specific admin roles will be in charge of sending invitations to the external users, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then External Identities 4. Select External collaboration settings 5. Under Guest invite settings, for Guest invite restrictions, ensure that Only users assigned to specific admin roles can invite guest users is selected",
+ "AuditProcedure": "Audit: From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then External Identities 4. External collaboration settings 5. Under Guest invite settings, for Guest invite restrictions, ensure that that Only users assigned to specific admin roles can invite guest users is selected Note: This setting has 4 levels of restriction, which include: • Anyone in the organization can invite guest users including guests and non- admins (most inclusive), • Member users and users assigned to specific admin roles can invite guest users including guests with member permissions, • Only users assigned to specific admin roles can invite guest users, • No one in the organization can invite guest users including admins (most restrictive).",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins",
+ "References": " https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management"
+ }
+ ]
+ },
+ {
+ "Id": "1.17",
+ "Description": "Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Restrict access to the Azure AD administration portal to administrators only. NOTE: This only affects access to the Azure AD administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Azure AD.",
+ "RationaleStatement": "The Azure AD administrative portal has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure.",
+ "ImpactStatement": "All administrative tasks will need to be done by Administrators, causing additional overhead in management of users and resources.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select User settings 5. Set Restrict access to Azure AD administration portal to Yes",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select User settings 5. Ensure that Restrict access to Azure AD administration portal is set to Yes",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Restrict access to Azure AD administration portal is set to No",
+ "References": " https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
+ }
+ ]
+ },
+ {
+ "Id": "1.18",
+ "Description": "Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Restricts group creation to administrators with permissions only.",
+ "RationaleStatement": "Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.",
+ "ImpactStatement": "Setting to Yes could create administrative overhead by customers seeking certain group memberships that will have to be manually managed by administrators with appropriate permissions.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Groups 4. Select General under Settings 5. Ensure that Restrict user ability to access groups features in the Access Panel is set to Yes",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Groups 4. Select General under Settings 5. Ensure that Restrict user ability to access groups features in the Access Panel is set to Yes",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Restrict user ability to access groups features in the Access Pane is set to No",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ }
+ ]
+ },
+ {
+ "Id": "1.19",
+ "Description": "Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'",
+ "Checks": [
+ "entra_policy_default_users_cannot_create_security_groups"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Restrict security group creation to administrators only.",
+ "RationaleStatement": "When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.",
+ "ImpactStatement": "Enabling this setting could create a number of requests that would need to be managed by an administrator.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Groups 4. Select General under Settings 5. Set Users can create security groups in Azure portals, API or PowerShell to No",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Groups 4. Select General under Settings 5. Ensure that Users can create security groups in Azure portals, API or PowerShell is set to No",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Users can create security groups in Azure portals, API or PowerShell is set to Yes",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
+ }
+ ]
+ },
+ {
+ "Id": "1.20",
+ "Description": "Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Restrict security group management to administrators only.",
+ "RationaleStatement": "Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.",
+ "ImpactStatement": "Group Membership for user accounts will need to be handled by Admins and cause administrative overhead.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Groups 4. Select General in settings 5. Set Owners can manage group membership requests in the Access Panel to No",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Groups 4. Select General in settings 5. Ensure that Owners can manage group membership requests in the Access Panel is set to No",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Owners can manage group membership requests in the Access Panel is set to No.",
+ "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-8-choose-approval-process-for-microsoft-support:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ }
+ ]
+ },
+ {
+ "Id": "1.21",
+ "Description": "Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'",
+ "Checks": [
+ "entra_users_cannot_create_microsoft_365_groups"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Restrict Microsoft 365 group creation to administrators only.",
+ "RationaleStatement": "Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.",
+ "ImpactStatement": "Enabling this setting could create a number of requests that would need to be managed by an administrator.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Groups 4. Select General in settings 5. Set Users can create Microsoft 365 groups in Azure portals, API or PowerShell to No",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Groups 4. Select General in setting 5. Ensure that Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to No",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to Yes.",
+ "References": "https://whitepages.unlimitedviz.com/2017/01/disable-office-365-groups-2/:https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems"
+ }
+ ]
+ },
+ {
+ "Id": "1.22",
+ "Description": "Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Joining or registering devices to the active directory should require Multi-factor authentication.",
+ "RationaleStatement": "Multi-factor authentication is recommended when adding devices to Azure AD. When set to Yes, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. Note: Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain.",
+ "ImpactStatement": "A slight impact of additional overhead, as Administrators will now have to approve every access to the domain.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Devices 4. Select Device settings 5. Set Require Multi-Factor Authentication to register or join devices with Azure AD to Yes",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Devices 4. Select Device settings 5. Ensure that Require Multi-Factor Authentication to register or join devices with Azure AD is set to Yes",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Require Multi-Factor Authentication to register or join devices with Azure AD is set to No.",
+ "References": "https://blogs.technet.microsoft.com/janketil/2016/02/29/azure-mfa-for-enrollment-in-intune-and-azure-ad-device-registration-explained/:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access"
+ }
+ ]
+ },
+ {
+ "Id": "1.23",
+ "Description": "Ensure That No Custom Subscription Administrator Roles Exist",
+ "Checks": [
+ "iam_subscription_roles_owner_custom_not_created"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.",
+ "RationaleStatement": "Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.",
+ "ImpactStatement": "Subscriptions will need to be handled by Administrators with permissions.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Subscriptions. 3. Select Access control (IAM). 4. Select Roles. 5. Click Type and select CustomRole from the drop down menu. 6. Check the box next to each role which grants subscription administrator privileges. 7. Select Remove. 8. Select Yes. From Azure CLI List custom roles: az role definition list --custom-role-only True Check for entries with assignableScope of / or the subscription, and an action of * . To remove a violating role: az role definition delete --name Note that any role assignments must be removed before a custom role can be deleted. Ensure impact is assessed before deleting a custom role granting subscription administrator privileges.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Subscriptions. 3. Select Access control (IAM). 4. Select Roles. 5. Click Type and select CustomRole from the drop down menu. 6. Select View next to a role. 7. Select JSON. 8. Check for assignableScopes set to / or the subscription, and actions set to *. 9. Repeat steps 6-8 for each custom role. From Azure CLI List custom roles: az role definition list --custom-role-only True Check for entries with assignableScope of / or the subscription, and an action of * From PowerShell Connect-AzAccount Get-AzRoleDefinition |Where-Object {($_.IsCustom -eq $true) -and ($_.Actions.contains('*'))} Check the output for AssignableScopes value set to '/' or the subscription",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no custom owner roles are created.",
+ "References": "https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle"
+ }
+ ]
+ },
+ {
+ "Id": "1.24",
+ "Description": "Ensure a Custom Role is Assigned Permissions for Administering Resource Locks",
+ "Checks": [
+ "iam_subscription_roles_owner_custom_not_created"
+ ],
+ "Attributes": [
+ {
+ "Section": "1.2 Conditional Access",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.",
+ "RationaleStatement": "Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.",
+ "ImpactStatement": "By adding this role, specific permissions may be granted for managing just resource locks rather than needing to provide the wide Owner or User Access Administrator role, reducing the risk of the user being able to do unintentional damage.",
+ "RemediationProcedure": "From Azure Portal 1. In the Azure portal, open a subscription or resource group where you want the custom role to be assigned. 2. Select Access control (IAM). 3. Click Add. 4. Select Add custom role. 5. In the Custom Role Name field enter Resource Lock Administrator. 6. In the Description field enter Can Administer Resource Locks. 7. For Baseline permissions select Start from scratch 8. Select next. 9. In the Permissions tab select Add permissions. 10. In the Search for a permission box, type in Microsoft.Authorization/locks to search for permissions. 11. Select the check box next to the permission Microsoft.Authorization/locks. 12. Select Add. 13. Select Review + create. 14. Select Create. 15. Assign the newly created role to the appropriate user. From PowerShell: Below is a power shell definition for a resource lock administrator role created at an Azure Management group level Import-Module Az.Accounts Connect-AzAccount $role = Get-AzRoleDefinition 'User Access Administrator' $role.Id = $null $role.Name = 'Resource Lock Administrator' $role.Description = 'Can Administer Resource Locks' $role.Actions.Clear() $role.Actions.Add('Microsoft.Authorization/locks/*') $role.AssignableScopes.Clear() * Scope at the Management group level Management group $role.AssignableScopes.Add('/providers/Microsoft.Management/managementGroups/ MG-Name') New-AzRoleDefinition -Role $role Get-AzureRmRoleDefinition 'Resource Lock Administrator'",
+ "AuditProcedure": "From Azure Portal 1. In the Azure portal, open a subscription or resource group where you want to view assigned roles. 2. Select Access control (IAM) 3. Select Roles 4. Search for the custom role named Ex. from remediation Resource Lock Administrator 5. Ensure that the role is assigned to the appropriate users.",
+ "AdditionalInformation": "",
+ "DefaultValue": "",
+ "References": "https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles:https://docs.microsoft.com/en-us/azure/role-based-access-control/check-access:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.1",
+ "Description": "Ensure That Microsoft Defender for Servers Is Set to 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_server_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "RationaleStatement": "Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Turning on Microsoft Defender for Servers in Microsoft Defender for Cloud incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Set Server Status to On 6. Select Save From Azure CLI Run the following command: az security pricing create -n VirtualMachines --tier 'standard' From PowerShell Run the following command: Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Ensure Servers Status is set to On. From Azure CLI Run the following command: az security pricing show -n VirtualMachines --query pricingTier If the tenant is licensed and enabled, the output should indicate Standard From PowerShell Run the following command: Get-AzSecurityPricing -Name 'VirtualMachines' |Select-Object Name,PricingTier If the tenant is licensed and enabled, the -PricingTier parameter will indicate Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender plan is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.2",
+ "Description": "Ensure That Microsoft Defender for App Services Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_server_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "RationaleStatement": "Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Turning on Microsoft Defender for App Service incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Set App Service Status to On 6. Select Save From Azure CLI Run the following command: az security pricing create -n Appservices --tier 'standard' From PowerShell Run the following command: Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Ensure Status is On for App Service From Azure CLI Run the following command: az security pricing show -n AppServices Ensure -PricingTier is set to Standard From PowerShell Run the following command: Get-AzSecurityPricing -Name 'AppServices' |Select-Object Name,PricingTier Ensure the -PricingTier is set to Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender plan is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.3",
+ "Description": "Ensure That Microsoft Defender for Databases Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_databases_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.",
+ "RationaleStatement": "Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. Threat detection is provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Running Defender on Infrastructure as a service (IaaS) may incur increased costs associated with running the service and the instance it is on. Similarly, you will need qualified personnel to maintain the operating system and software updates. If it is not maintained, security patches will not be applied and it may be open to vulnerabilities.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Set Databases Status to On 6. Select Save Review the chosen pricing tier. For the Azure Databases resource review the different plan information and choose one that fits the needs of your organization. From Azure CLI Run the following commands: az security pricing create -n 'SqlServers' --tier 'Standard' az security pricing create -n 'SqlServerVirtualMachines' --tier 'Standard' az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'Standard' az security pricing create -n 'CosmosDbs' --tier 'Standard' From Azure PowerShell Run the following commands: Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard' Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard' Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard' Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Ensure Databases Status is set to On 6. Review the chosen pricing tier From Azure CLI Ensure the output of the below commands is Standard az security pricing show -n 'SqlServers' az security pricing show -n 'SqlServerVirtualMachines' az security pricing show -n 'OpenSourceRelationalDatabases' az security pricing show -n 'CosmosDbs' If the output of any of the above commands shows pricingTier with a value of Free, the setting is out of compliance. From PowerShell Connect-AzAccount Get-AzSecurityPricing |select-object Name,PricingTier |where-object {$_.Name -match 'Sql' -or $_.Name -match 'Cosmos' -or $_.Name -match 'OpenSource'} Ensure the output shows Standard for each database type under the PricingTier column. Any that show Free are considered out of compliance.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender plan is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql:https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-usage:https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.4",
+ "Description": "Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_azure_sql_databases_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, andbehavior analytics in the Microsoft Defender for Cloud.",
+ "RationaleStatement": "Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Turning on Microsoft Defender for Azure SQL Databases incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Set the radio button next to Azure SQL Databases to On. 7. Select Continue. 8. Select Save. From Azure CLI Run the following command: az security pricing create -n SqlServers --tier 'standard' From PowerShell Run the following command: Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Ensure the radio button next to Azure SQL Databases is set to On. From Azure CLI Run the following command: az security pricing show -n SqlServers Ensure -PricingTier is set to Standard From PowerShell Run the following command: Get-AzSecurityPricing -Name 'SqlServers' | Select-Object Name,PricingTier Ensure the -PricingTier is set to Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender plan is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.5",
+ "Description": "Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_sql_servers_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "RationaleStatement": "Enabling Microsoft Defender for SQL servers on machines allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Turning on Microsoft Defender for SQL servers on machines incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Set the radio button next to SQL servers on machines to On. 7. Select Continue. 8. Select Save. From Azure CLI Run the following command: az security pricing create -n SqlServerVirtualMachines --tier 'standard' From PowerShell Run the following command: Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Ensure the radio button next to SQL servers on machines is set to On. From Azure CLI Run the following command: az security pricing show -n SqlServerVirtualMachines Ensure the 'PricingTier' is set to 'Standard' From PowerShell Run the following command: Get-AzSecurityPricing -Name 'SqlServerVirtualMachines' | Select-Object Name,PricingTier",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender plan is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/defender-for-sql-usage:https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-monitor-for-unauthorized-transfer-of-sensitive-data:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.6",
+ "Description": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_os_relational_databases_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "RationaleStatement": "Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Turning on Microsoft Defender for Open-source relational databases incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Set the radio button next to Open-source relational databases to On. 7. Select Continue. 8. Select Save. From Azure CLI Run the following command: az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'standard' From PowerShell Use the below command to enable Standard pricing tier for Open-source relational databases set-azsecuritypricing -name 'OpenSourceRelationalDatabases' -pricingtier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Ensure the radio button next to Open-source relational databases is set to On. From Azure CLI Run the following command: az security pricing show -n OpenSourceRelationalDatabases --query pricingTier From PowerShell Get-AzSecurityPricing | Where-Object {$_.Name -eq 'OpenSourceRelationalDatabases'} | Select-Object Name, PricingTier Ensure output for Name PricingTier is OpenSourceRelationalDatabases Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender plan is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.7",
+ "Description": "Ensure That Microsoft Defender for Storage Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_storage_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "RationaleStatement": "Enabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Turning on Microsoft Defender for Storage incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Set Status to On for Storage. 6. Select Save. From Azure CLI Ensure the output of the below command is Standard az security pricing create -n StorageAccounts --tier 'standard' From PowerShell Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Ensure Status is set to On for Storage. From Azure CLI Ensure the output of the below command is Standard az security pricing show -n StorageAccounts From PowerShell Get-AzSecurityPricing -Name 'StorageAccounts' | Select-Object Name,PricingTier Ensure output for Name PricingTier is StorageAccounts Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender plan is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.8",
+ "Description": "Ensure That Microsoft Defender for Containers Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_containers_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "RationaleStatement": "Enabling Microsoft Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Turning on Microsoft Defender for Containers incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings. 3. Click on the subscription name. 4. Select Defender plans. 5. Set Status to On for Containers. 6. Click Save. From Azure CLI (Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers') Use the below command to enable Standard pricing tier for Containers. az security pricing create -n 'Containers' --tier 'standard' From PowerShell (Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers') Use the below command to enable Standard pricing tier for Containers. Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings. 3. Click on the subscription name. 4. Select Defender plans. 5. Ensure On is set under Status for Containers. From Azure CLI Ensure the output of the commands below indicates Standard pricing. For legacy Defender for Container Registries instances: az security pricing show --name 'ContainerRegistry' --query pricingTier For new Defender for Containers instances: az security pricing show --name 'Containers' --query pricingTier From PowerShell Ensure the output of the commands below indicates Standard pricing. For legacy Defender for Container Registries instances: Get-AzSecurityPricing -Name 'ContainerRegistry' | Select-Object Name,PricingTier For new Defender for Containers instances: Get-AzSecurityPricing -Name 'Containers' | Select-Object Name,PricingTier",
+ "AdditionalInformation": "Deprecation of previous product plans 'Container registries' and 'Kubernetes' plans for Microsoft Defender are being deprecated and replaced with 'Containers' or Microsoft Defender for Containers.",
+ "DefaultValue": "By default, Microsoft Defender for Containers is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.9",
+ "Description": "Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_cosmosdb_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.",
+ "RationaleStatement": "In scanning Azure Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.",
+ "ImpactStatement": "Enabling Microsoft Defender for Azure Cosmos DB requires enabling Microsoft Defender for your subscription. Both will incur additional charges.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. On the Database row click on Select types >. 6. Set the radio button next to Azure Cosmos DB to On. 7. Click Continue. 8. Click Save. From Azure CLI Run the following command: az security pricing create -n 'CosmosDbs' --tier 'standard' From PowerShell Use the below command to enable Standard pricing tier for Azure Cosmos DB Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. On the Database row click on Select types > 6. Ensure the radio button next to Azure Cosmos DB is set to On. From Azure CLI Ensure the output of the below command is Standard az security pricing show -n CosmosDbs --query pricingTier From PowerShell Get-AzSecurityPricing -Name 'CosmosDbs' | Select-Object Name,PricingTier Ensure output of -PricingTier is Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender for Azure Cosmos DB is not enabled.",
+ "References": "https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cosmos-db-security-baseline:https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.10",
+ "Description": "Ensure That Microsoft Defender for Key Vault Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_keyvault_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
+ "RationaleStatement": "Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
+ "ImpactStatement": "Turning on Microsoft Defender for Key Vault incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. Select On under Status for Key Vault. 6. Select Save. From Azure CLI Enable Standard pricing tier for Key Vault: az security pricing create -n 'KeyVaults' --tier 'Standard' From PowerShell Enable Standard pricing tier for Key Vault: Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. Ensure Status is set to On for Key Vault. From Azure CLI Ensure the output of the below command is Standard az security pricing show -n 'KeyVaults' --query 'PricingTier' From PowerShell Get-AzSecurityPricing -Name 'KeyVaults' | Select-Object Name,PricingTier Ensure output for PricingTier is Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender plan is off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.11",
+ "Description": "Ensure That Microsoft Defender for DNS Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_dns_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Microsoft Defender for DNS scans all network traffic exiting from within a subscription.",
+ "RationaleStatement": "DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.",
+ "ImpactStatement": "Enabling Microsoft Defender for DNS requires enabling Microsoft Defender for your subscription. Both will incur additional charges, with Defender for DNS being a smallamount per million queries.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Select On under Status for DNS. 6. Select Save. From Powershell Enable Standard pricing tier for DNS: az security pricing create -n 'DNS' --tier 'Standard' From PowerShell Enable Standard pricing tier for DNS: Set-AzSecurityPricing -Name 'DNS' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. Ensure Status is set to On for DNS. From Azure CLI Ensure the output of the below command is Standard az security pricing show -n 'DNS' --query 'PrincingTier' From PowerShell Get-AzSecurityPricing --Name 'DNS' | Select-Object Name,PricingTier Ensure output of PricingTier is Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender for DNS is not enabled.",
+ "References": "https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/dns-security-baseline:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-dns-alerts:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-10-ensure-domain-name-system-dns-security:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.12",
+ "Description": "Ensure That Microsoft Defender for Resource Manager Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_defender_for_arm_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.",
+ "RationaleStatement": "Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.",
+ "ImpactStatement": "Enabling Microsoft Defender for Resource Manager requires enabling Microsoft Defender for your subscription. Both will incur additional charges.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Select On under Status for Resource Manager. 6. Select `Save. From Azure CLI Use the below command to enable Standard pricing tier for Defender for Resource Manager az security pricing create -n 'Arm' --tier 'Standard' From PowerShell Use the below command to enable Standard pricing tier for Defender for Resource Manager Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'",
+ "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. Ensure Status is set to On for Resource Manager. From Azure CLI Ensure the output of the below command is Standard az security pricing show -n 'Arm' --query 'PricingTier' From Azure PowerShell Get-AzSecurityPricing -Name 'Arm' | Select-Object Name,PricingTier Ensure the output of PricingTier is Standard",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender for Resource Manager is not enabled.",
+ "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-resource-manager-introduction:https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.13",
+ "Description": "Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'",
+ "Checks": [
+ "defender_ensure_system_updates_are_applied"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Ensure that the latest OS patches for all virtual machines are applied.",
+ "RationaleStatement": "Windows and Linux virtual machines should be kept updated to: • Address a specific bug or flaw • Improve an OS or application's general stability • Fix a security vulnerability The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.",
+ "ImpactStatement": "Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour.",
+ "RemediationProcedure": "Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then the Recommendations blade 4. Ensure that there are no recommendations for Apply system updates Alternatively, you can employ your own patch assessment and management tool to periodically assess, report and install the required security patches for your OS.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, patches are not automatically deployed.",
+ "References": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities:https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.14",
+ "Description": "Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'",
+ "Checks": [
+ "policy_ensure_asc_enforcement_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "None of the settings offered by ASC Default policy should be set to effect Disabled.",
+ "RationaleStatement": "A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Select Environment Settings 4. Click on a subscription 5. Select Security Policy in the left column. 6. Click on ASC Default under Default initiative 7. Ensure Policy Enforcement is Enabled 8. Click on the Parameters tab and uncheck Only show parameters that need input or review 9. For any parameters set to Disabled or empty, update to a valid value for the organization 10. Click Save",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select subscription 5. Then on Security Policy in the left column. 6. Click on ASC Default under Default initiative 7. Scroll down to Policy Enforcement and ensure it is set to Enabled 8. Click on the Parameters tab and uncheck Only show parameters that need input or review 9. Review the Parameters to ensure none of the items are set to Disabled. The View effective Policy button can be used to see all effects of policies even if they have not been modified. From Azure CLI Ensure the properties.enforcementMode in the output of the below command is set to Default. If properties.enforcementMode is set to DoNotEnforce, the default policies are disabled and therefore out of compliance. az account get-access-token --query '{,}' --out tsv | xargs - L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Microso ft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2021-06- 01' Note policies that have not been modified will not be listed in this output From PowerShell Get-AzPolicyAssignment | Where-Object {$_.Name -eq 'SecurityCenterBuiltIn'} | Select-Object -ExpandProperty Properties If the EnforcementMode value equals Default the ASC Default Policies are enabled. Because several of the policies are in the Disabled state by default, check to see if the Parameters attribute in the output of the above command contains policies with the value of Disabled or if it's empty altogether. If so, these settings are out of compliance. If none of the values in the Parameters attribute show Disabled, these settings are in compliance. If the EnforcementMode parameter equals DoNotEnforce the ASC Default Policies are all disabled and thus out of compliance.",
+ "AdditionalInformation": "",
+ "DefaultValue": "",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-policies:https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/get:https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/create:https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-7-define-and-implement-logging-threat-detection-and-incident-response-strategy"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.15",
+ "Description": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'",
+ "Checks": [
+ "defender_auto_provisioning_log_analytics_agent_vms_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Enable automatic provisioning of the monitoring agent to collect security data.",
+ "RationaleStatement": "When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Select Environment Settings 4. Select a subscription 5. Click on Settings & Monitoring 6. Ensure that Log Analytics agent for Azure VMs is set to On Repeat the above for any additional subscriptions. From Azure CLI Use the below command to set Automatic provisioning of monitoring agent to On. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft .Security/autoProvisioningSettings/default?api-version=2017-08-01-preview - d@'input.json'' Where input.json contains the Request body json data as mentioned below. { 'id': '/subscriptions//providers/Microsoft.Security/autoProvi sioningSettings/default', 'name': 'default', 'type': 'Microsoft.Security/autoProvisioningSettings', 'properties': { 'autoProvision': 'On' } }",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Click on Settings & Monitoring 6. Ensure that Log Analytics agent/Azure Monitor agent is set to On Repeat the above for any additional subscriptions. From Azure CLI Ensure the output of the below command is On az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Microso ft.Security/autoProvisioningSettings?api-version=2017-08-01-preview' | jq '.|.value[] | select(.name=='default')'|jq '.properties.autoProvision' Using PowerShell Connect-AzAccount Get-AzSecurityAutoProvisioningSetting Ensure output for Id Name AutoProvision is /subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default default On",
+ "AdditionalInformation": "• Excluding any of the entries in input.json may disable the specific setting by default • Microsoft has recently changed APIs to get and Update Automatic Provisioning Setting. This recommendation is updated accordingly.",
+ "DefaultValue": "By default, Automatic provisioning of monitoring agent is set to On.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security:https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.16",
+ "Description": "Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'",
+ "Checks": [
+ "defender_auto_provisioning_vulnerabilty_assessments_machines_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.",
+ "RationaleStatement": "Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.",
+ "ImpactStatement": "Additional licensing is required and configuration of Azure Arc introduces complexity beyond this recommendation.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Click on Settings & Monitoring 6. Ensure that Vulnerability assessment for machines is set to On Repeat the above for any additional subscriptions.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Click on Settings & Monitoring 6. Ensure that Vulnerability assessment for machines is set to On Repeat the above for any additional subscriptions.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Automatic provisioning of monitoring agent is set to Off.",
+ "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-va:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-5-perform-vulnerability-assessments"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.17",
+ "Description": "Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Enable automatic provisioning of the Microsoft Defender for Containers components.",
+ "RationaleStatement": "As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.",
+ "ImpactStatement": "Microsoft Defender for Containers will require additional licensing.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Then Auto Provisioning in the left column. 6. Set Microsoft Defender for Containers components to On",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Then Auto Provisioning in the left column. 6. Ensure that Microsoft Defender for Containers components is set to On Repeat the above for any additional subscriptions.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Microsoft Defender for Containers is disabled. If Defender for Containers is enabled from the Microsoft Defender for Cloud portal, auto provisioning will be enabled.",
+ "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-containers:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.18",
+ "Description": "Ensure That 'All users with the following roles' is set to 'Owner'",
+ "Checks": [
+ "defender_ensure_notify_emails_to_owners"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Enable security alert emails to subscription owners.",
+ "RationaleStatement": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. In the drop down of the All users with the following roles field select Owner 7. Click Save From Azure CLI Use the below command to set Send email also to subscription owners to On. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts/default1?api-version=2017-08-01-preview -d@'input.json'' Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses: { 'id': '/subscriptions//providers/Microsoft.Security/securityC ontacts/default1', 'name': 'default1', 'type': 'Microsoft.Security/securityContacts', 'properties': { 'email': '', 'alertNotifications': 'On', 'alertsToAdmins': 'On', 'notificationsByRole': 'Owner' } }",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Ensure that All users with the following roles is set to Owner From Azure CLI Ensure the output of below command is set to true. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}'' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts?api-version=2020-01-01-preview' | jq '.|.value[] | select(.name=='default')'|jq '.properties.notificationsByRole'",
+ "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default.",
+ "DefaultValue": "By default, Owner is selected",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.19",
+ "Description": "Ensure 'Additional email addresses' is Configured with a Security Contact Email",
+ "Checks": [
+ "defender_additional_email_configured_with_a_security_contact"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.",
+ "RationaleStatement": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field 7. Click Save From Azure CLI Use the below command to set Security contact emails to On. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts/default?api-version=2020-01-01-preview -d@'input.json'' Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses: { 'id': '/subscriptions//providers/Microsoft.Security/securityC ontacts/default', 'name': 'default', 'type': 'Microsoft.Security/securityContacts', 'properties': { 'email': '', 'alertNotifications': 'On', 'alertsToAdmins': 'On' } }",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Ensure that a valid security contact email address is listed in the Additional email addresses field From Azure CLI Ensure the output of the below command is set not empty and is set with appropriate email ids. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=='default')'|jq '.properties.emails'",
+ "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default.",
+ "DefaultValue": "By default, there are no additional email addresses entered.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.20",
+ "Description": "Ensure 'Additional email addresses' is Configured with a Security Contact Email",
+ "Checks": [
+ "defender_ensure_notify_alerts_severity_is_high"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Enables emailing security alerts to the subscription owner or other designated security contact.",
+ "RationaleStatement": "Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher): and select High from the drop down menu 7. Click Save From Azure CLI Use the below command to set Send email notification for high severity alerts to On. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/ securityContacts/default1?api-version=2017-08-01-preview -d@'input.json'' Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses: { 'id': '/subscriptions//providers/Microsoft.Security/securityC ontacts/default1', 'name': 'default1', 'type': 'Microsoft.Security/securityContacts', 'properties': { 'email': '', 'alertNotifications': 'On', 'alertsToAdmins': 'On' } }",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Ensure that the Notify about alerts with the following severity (or higher): setting is checked and set to High From Azure CLI Ensure the output of below command is set to true, enter your Subscription ID at the $0 between /subscriptions/<$0>/providers. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=='default')'|jq '.properties.alertNotifications'",
+ "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default. This recommendation has been updated to reflect recent changes to Microsoft REST APIs for getting and updating security contact information.",
+ "DefaultValue": "By default, Notify about alerts with the following severity (or higher): is set to High.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.21",
+ "Description": "Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected",
+ "Checks": [
+ "defender_ensure_mcas_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.",
+ "RationaleStatement": "EMicrosoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license. Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.",
+ "ImpactStatement": "Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud. 3. Select Environment Settings blade. 4. Select the subscription. 5. Select Integrations. 6. Check Allow Microsoft Defender for Cloud Apps to access my data. 7. Select Save. From Azure CLI Use the below command to enable Standard pricing tier for Storage Accounts az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Micros oft.Security/settings/MCAS?api-version=2021-06-01 -d@'input.json'' Where input.json contains the Request body json data as mentioned below. { 'id': '/subscriptions//providers/Microsoft.Security/settings/ MCAS', 'kind': 'DataExportSetting', 'type': 'Microsoft.Security/settings', 'properties': { 'enabled': true } }",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Select Environment Settings blade 4. Click on the subscription name 5. Select the Integrations blade 6. Ensure setting Allow Microsoft Defender for Cloud Apps to access my data is selected. From Azure CLI Ensure the output of the below command is True az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Micros oft.Security/settings?api-version=2021-06-01' | jq '.|.value[] | select(.name=='MCAS')'|jq '.properties.enabled' From PowerShell Run the following series of commands to audit this configuration Get-AzAccount Set-AzContext -Subscription Get-AzSecuritySetting | Select-Object name,enabled |where-object {$_.name -eq 'MCAS'} PowerShell Output - Non-Compliant Name Enabled ---- ------- MCAS False PowerShell Output - Compliant Name Enabled ---- ------- MCAS True",
+ "AdditionalInformation": "NOTE: 'Microsoft Defender for Cloud Apps' ('MDCA') is formerly known as 'Microsoft Cloud App Security' ('MCAS'). There are a number of places (e.g. Azure CLI) where the 'MCAS' acronym is still used within Azure.",
+ "DefaultValue": "With Cloud App Security license, these alerts are enabled by default.",
+ "References": "https://docs.microsoft.com/en-in/azure/security-center/security-center-alerts-service-layer#azure-management-layer-azure-resource-manager-preview:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-9-secure-user-access-to--existing-applications"
+ }
+ ]
+ },
+ {
+ "Id": "2.1.22",
+ "Description": "Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected",
+ "Checks": [
+ "defender_ensure_wdatp_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.1 Microsoft Defender for Cloud",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.",
+ "RationaleStatement": "Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.",
+ "ImpactStatement": "Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.",
+ "RemediationProcedure": "From Azure Console 1. From Azure Home select the Portal Menu. 2. Go to Microsoft Defender for Cloud. 3. Select Environment Settings blade. 4. Select the subscription. 5. Select Integrations. 6. Check Allow Microsoft Defender for Endpoint to access my data. 7. Select Save. From Azure CLI Use the below command to enable Standard pricing tier for Storage Accounts az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Microso ft.Security/settings/WDATP?api-version=2021-06-01 -d@'input.json'' Where input.json contains the Request body json data as mentioned below. { 'id': '/subscriptions//providers/Microsoft.Security/settings/ WDATP', 'kind': 'DataExportSettings', 'type': 'Microsoft.Security/settings', 'properties': { 'enabled': true } }",
+ "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Select Environment Settings blade 4. Click on the subscription name 5. Select the Integrations blade 6. Ensure setting Allow Microsoft Defender for Endpoint to access my data is selected. From Azure CLI Ensure the output of the below command is True az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Microso ft.Security/settings?api-version=2021-06-01' | jq '.|.value[] | select(.name=='WDATP')'|jq '.properties.enabled' From PowerShell Run the following commands to login and audit this check Connect-AzAccount Set-AzContext -Subscription Get-AzSecuritySetting | Select-Object name,enabled |where-object {$_.name -eq 'WDATP'} PowerShell Output - Non-Compliant Name Enabled ---- ------- WDATP False PowerShell Output - Compliant Name Enabled ---- ------- WDATP True",
+ "AdditionalInformation": "IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned. NOTE: 'Microsoft Defender for Endpoint (MDE)' was formerly known as 'Windows Defender Advanced Threat Protection (WDATP).' There are a number of places (e.g. Azure CLI) where the 'WDATP' acronym is still used within Azure.",
+ "DefaultValue": "",
+ "References": "https://docs.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-1-use-endpoint-detection-and-response-edr:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-2-use-modern-anti-malware-software"
+ }
+ ]
+ },
+ {
+ "Id": "2.2.1",
+ "Description": "Ensure That Microsoft Defender for IoT Hub Is Set To 'On'",
+ "Checks": [
+ "defender_ensure_iot_hub_defender_is_on"
+ ],
+ "Attributes": [
+ {
+ "Section": "2.2 Microsoft Defender for IoT",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.",
+ "RationaleStatement": "IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.",
+ "ImpactStatement": "Enabling Microsoft Defender for IoT will incur additional charges dependent on the level of usage.",
+ "RemediationProcedure": "From Azure Portal 1. Go to IoT Hub. 2. Select a IoT Hub to validate. 3. Select Overview in Defender for IoT. 4. Click on Secure your IoT solution, and complete the onboarding.",
+ "AuditProcedure": "From Azure Portal 1. Go to IoT Hub. 2. Select a IoT Hub to validate. 3. Select Overview in Defender for IoT. 4. The Threat prevention and Threat detection screen will appear, if Defender for IoT is Enabled.",
+ "AdditionalInformation": "There are additional configurations for Microsoft Defender for IoT that allow for types of deployments called hybrid or local. Both run on your physical infrastructure. These are complicated setups and are primarily outside of the scope of a purely Azure benchmark. Please see the references to consider these options for your organization.",
+ "DefaultValue": "By default, Microsoft Defender for IoT is not enabled.",
+ "References": "https://azure.microsoft.com/en-us/services/iot-defender/#overview:https://docs.microsoft.com/en-us/azure/defender-for-iot/:https://azure.microsoft.com/en-us/pricing/details/iot-defender/:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/defender-for-iot-security-baseline:https://docs.microsoft.com/en-us/cli/azure/iot?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities:https://learn.microsoft.com/en-us/azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub"
+ }
+ ]
+ },
+ {
+ "Id": "3.1",
+ "Description": "Ensure that 'Secure transfer required' is set to 'Enabled'",
+ "Checks": [
+ "storage_secure_transfer_required_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Enable data encryption in transit.",
+ "RationaleStatement": "The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to Configuration 3. Set Secure transfer required to Enabled From Azure CLI Use the below command to enable Secure transfer required for a Storage Account az storage account update --name --resource-group --https-only true",
+ "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to Configuration 3. Ensure that Secure transfer required is set to Enabled From Azure CLI Use the below command to ensure the Secure transfer required is enabled for all the Storage Accounts by ensuring the output contains true for each of the Storage Accounts. az storage account list --query '[*].[name,enableHttpsTrafficOnly]'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Secure transfer required is set to Disabled.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit:https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list:https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit"
+ }
+ ]
+ },
+ {
+ "Id": "3.2",
+ "Description": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'",
+ "Checks": [
+ "storage_infrastructure_encryption_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.",
+ "RationaleStatement": "Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. Similarly, data is encrypted even before network transmission and in all backups. In this scenario, the additional layer of encryption continues to protect your data. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.",
+ "ImpactStatement": "The read and write speeds to the storage will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This performance impact should be considered in an analysis for justifying use of the feature in your environment. Customer-managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the storage.",
+ "RemediationProcedure": "From Azure Portal 1. During Storage Account creation, in the Encryption tab, check the box next to Enable infrastructure encryption. From Azure CLI Replace the information within <> with appropriate values: az storage account create --name --resource-group --location --sku Standard_RAGRS --kind StorageV2 --require-infrastructure-encryption From PowerShell Replace the information within <> with appropriate values: New-AzStorageAccount -ResourceGroupName ` -AccountName ` -Location ` -SkuName 'Standard_RAGRS' ` -Kind StorageV2 ` -RequireInfrastructureEncryption Enabling Infrastructure Encryption after Storage Account Creation If infrastructure encryption was not enabled on blob storage creation, there is no official way to enable it. Please see the additional information section.",
+ "AuditProcedure": "From Azure Portal 1. From Azure Portal select the portal menu in the top left. 2. Select Storage Accounts. 3. Click on each storage account within each resource group you wish to audit. 4. In the overview, under Security, ensure Infrastructure encryption is set to Enabled. From Azure CLI az storage blob show --account-name --container-name --name --query 'properties.serverEncrypted' From PowerShell $account = Get-AzStorageAccount -ResourceGroupName ` -Name $blob = Get-AzStorageBlob -Context $account.Context ` -Container ` -Blob $blob.ICloudBlob.Properties.IsServerEncrypted",
+ "AdditionalInformation": "Additional Information: The default service side encryption for Azure Storage is enabled on every block blob, append blob, or page blob that was written to Azure Storage after October 20, 2017. Hardware encryption, however, cannot be enabled on a blob storage after its creation. There are ways to copy all data from a blob storage into another or download and reupload into another blob storage. This could result in data loss and is not recommended.",
+ "DefaultValue": "By default, Infrastructure Encryption is disabled in blob creation.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-encryption-status:https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption:https://docs.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default"
+ }
+ ]
+ },
+ {
+ "Id": "3.3",
+ "Description": "Ensure that 'Enable key rotation reminders' is enabled for each Storage Account",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The 'Rotation Reminder' is an automatic reminder feature for a manual procedure.",
+ "RationaleStatement": "Reminders such as those generated by this recommendation will help maintain a regular and healthy cadence for activities which improve the overall efficacy of a security program. Cryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.' For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting.",
+ "ImpactStatement": "This recommendation only creates a periodic reminder to regenerate access keys. Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients that use the access key to access the storage account must be updated to use the new key.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each Storage Account that is not compliant, go to Access keys 3. Click Set rotation reminder 4. Check Enable key rotation reminders 5. In the Send reminders field select Custom, then set the Remind me every field to 90 and the period drop down to Days. 6. Click Save",
+ "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each Storage Account, go to Access keys 3. Click Set rotation reminder If the checkbox for Enable key rotation reminders is already checked, that Storage Account is compliant. Review the Remind me every field for a desirable periodic setting that fits your security program's needs.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Key rotation reminders is not configured.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-manage-application-identities-securely-and-automatically:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-8-restrict-the-exposure-of-credential-and-secrets:https://www.pcidssguide.com/pci-dss-key-rotation-requirements/:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf"
+ }
+ ]
+ },
+ {
+ "Id": "3.4",
+ "Description": "Ensure that Storage Account Access Keys are Periodically Regenerated",
+ "Checks": [
+ "storage_key_rotation_90_days"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "For increased security, regenerate storage account access keys periodically.",
+ "RationaleStatement": "When a storage account is created, Azure generates two 512-bit storage access keys which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result from the compromise of these keys. Cryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.' For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting.",
+ "ImpactStatement": "Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients who use the access key to access the storage account must be updated to use the new key.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each Storage Account with outdated keys, go to Access keys 3. Click Rotate key next to the outdated key, then click Yes to the prompt confirming that you want to regenerate the access key. After Azure regenerates the Access Key, you can confirm that Access keys reflects a Last rotated date of (0 days ago).",
+ "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each Storage Account, go to Access keys 3. Review the date in the Last rotated field for each key. If the Last rotated field indicates value greater than 90 day [or greater than your organization's period of validity], the key should be rotated. From Azure CLI 1. Get a list of storage accounts az storage account list --subscription Make a note of id, name and resourceGroup. 2. For every storage account make sure that key is regenerated in past 90 days. az monitor activity-log list --namespace Microsoft.Storage --offset 90d -- query '[?contains(authorization.action, 'regenerateKey')]' --resource-id The output should contain 'authorization'/'scope': AND 'authorization'/'action': 'Microsoft.Storage/storageAccounts/regeneratekey/action' AND 'status'/'localizedValue': 'Succeeded' 'status'/'Value': 'Succeeded'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, access keys are not regenerated periodically.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-manage-application-identities-securely-and-automatically:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://www.pcidssguide.com/pci-dss-key-rotation-requirements/:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf"
+ }
+ ]
+ },
+ {
+ "Id": "3.5",
+ "Description": "Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.",
+ "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.",
+ "ImpactStatement": "Enabling this setting can have a high impact on the cost of the log analytics service and data storage used by logging more data per each request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings (classic) blade from Monitoring (classic) section. 4. Set the Status to On, if set to Off. 5. Select Queue properties. 6. Select Read, Write and Delete options under the Logging section to enable Storage Logging for Queue service.From Azure CLI Use the below command to enable the Storage Logging for Queue service. az storage logging update --account-name --account-key --services q --log rwd --retention 90",
+ "AuditProcedure": "From Azure Portal: 1. Go to Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings (classic) blade from Monitoring (classic) section. 4. Ensure the Status is set to On, if set to Off. 5. Select Queue properties. 6. Ensure Read Write Delete options are selected under the Logging section. From Azure CLI Ensure the below command's output contains properties delete, read and write set to true. az storage logging show --services q --account-name ",
+ "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every queue due to their nature and intent. This recommendation may be applicable to storage account queue services where the security is paramount.",
+ "DefaultValue": "By default storage account queue services are not logged.",
+ "References": "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources:https://docs.microsoft.com/en-us/azure/storage/queues/monitor-queue-storage?tabs=azure-portal"
+ }
+ ]
+ },
+ {
+ "Id": "3.6",
+ "Description": "Ensure that Shared Access Signature Tokens Expire Within an Hour",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Expire shared access signature tokens within an hour.",
+ "RationaleStatement": "A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "When generating shared access signature tokens, use start and end time such that it falls within an hour. From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to Shared access signature 3. Set Start and expiry date/time within an hour",
+ "AuditProcedure": "Currently, SAS token expiration times cannot be audited. Until Microsoft makes token expiration time a setting rather than a token creation parameter, this recommendation would require a manual verification.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, expiration for shared access signature is set to 8 hours.",
+ "References": " https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature:https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview"
+ }
+ ]
+ },
+ {
+ "Id": "3.7",
+ "Description": "Ensure that 'Public access level' is disabled for storage accounts with blob containers",
+ "Checks": [
+ "storage_blob_public_access_level_is_disabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.",
+ "RationaleStatement": "The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read- only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on any container in the storage account, it's recommended to set allowBlobPublicAccess false at the account level, which forbids any container to accept anonymous access in the future.",
+ "ImpactStatement": "Access will have to be managed using shared access signatures or via Azure AD RBAC.",
+ "RemediationProcedure": "From Azure Portal First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then, 1. Go to Storage Accounts 2. For each storage account, go to Networking in Security + networking 3. Set Public Network Access to Disabled if no anonymous access is needed on the storage account From Azure CLI Set 'Public Network Access' to Disabled on the storage account az storage account update --name --resource-group --public-network-access Disabled From PowerShell For each Storage Account, run the following to set the PublicNetworkAccess setting to Disabled Set-AzStorageAccount -ResourceGroupName -Name -PublicNetworkAccess Disabled",
+ "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to the Networking setting under Security + networking 3. Ensure the Public Network Access setting is set to Disabled. From Azure CLI Ensure publicNetworkAccess is Disabled az storage account show --name --resource-group --query '{publicNetworkAccess:publicNetworkAccess}' From PowerShell For each Storage Account, ensure PublicNetworkAccess is Disabled Get-AzStorageAccount -Name -ResourceGroupName |select PublicNetworkAccess",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Public Network Access is set to Enabled from all networks for the Storage Account.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-manage-application-identities-securely-and-automatically:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://www.pcidssguide.com/pci-dss-key-rotation-requirements/:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf"
+ }
+ ]
+ },
+ {
+ "Id": "3.8",
+ "Description": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny",
+ "Checks": [
+ "storage_default_network_access_rule_is_denied"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.",
+ "RationaleStatement": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.",
+ "ImpactStatement": "All allowed networks will need to be whitelisted on each specific network, creating administrative overhead. This may result in loss of network connectivity, so do not turn on for critical resources during business hours.",
+ "RemediationProcedure": "From Azure Console 1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade 3. Click the Firewalls and virtual networks heading. 4. Ensure that you have elected to allow access from Selected networks 5. Add rules to allow traffic from specific network. 6. Click Save to apply your changes. From Azure CLI Use the below command to update default-action to Deny. az storage account update --name --resource-group --default-action Deny",
+ "AuditProcedure": "From Azure Console 1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade. 3. Click the Firewalls and virtual networks heading. 4. Ensure that Allow access from All networks is not selected. From Azure CLI Ensure defaultAction is not set to Allow. az storage account list --query '[*].networkRuleSet' From PowerShell Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccountNetworkRuleset -ResourceGroupName -Name |Select-Object DefaultAction PowerShell Result - Non-Compliant DefaultAction : Allow PowerShell Result - Compliant DefaultAction : Deny",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Storage Accounts will accept connections from clients on any network.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls"
+ }
+ ]
+ },
+ {
+ "Id": "3.9",
+ "Description": "Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access ",
+ "Checks": [
+ "storage_ensure_azure_services_are_trusted_to_access_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).",
+ "RationaleStatement": "Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. We can re-enable this functionality by enabling 'Trusted Azure Services' through networking exceptions.",
+ "ImpactStatement": "This creates authentication credentials for services that need access to storage resources so that services will no longer need to communicate via network request.There may be a temporary loss of communication as you set each Storage Account. Itis recommended to not do this on mission-critical resources during business hours.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade 3. Click on the Firewalls and virtual networks heading. 4. Ensure that Enabled from selected virtual networks and IP addresses is selected. 5. Under the 'Exceptions' label, enable check box for Allow Azure services on the trusted services list to access this storage account. 6. Click Save to apply your changes. From Azure CLI Use the below command to update Azure services. az storage account update --name --resource-group --bypass AzureServices",
+ "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade 3. Click on the Firewalls and virtual networks heading. 4. Ensure that Enabled from selected virtual networks and IP addresses is selected. 5. Ensure that Allow Azure services on the trusted services list to access this storage account is checked in Exceptions. From Azure CLI Ensure bypass contains AzureServices az storage account list --query '[*].networkRuleSet' From PowerShell Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccountNetworkRuleset -ResourceGroupName -Name |Select-Object Bypass If the resultant output from the above command shows 'NULL', that storage account configuration is out of compliance with this check. If the result of the above command shows 'AzureServices', that storage account configuration is in compliance with this check.",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Storage Accounts will accept connections from clients on any network.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls"
+ }
+ ]
+ },
+ {
+ "Id": "3.10",
+ "Description": "Ensure Private Endpoints are used to access Storage Accounts",
+ "Checks": [
+ "storage_ensure_private_endpoints_in_storage_accounts"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.",
+ "RationaleStatement": "Securing traffic between services through encryption protects the data from easy interception and reading.",
+ "ImpactStatement": "There is no cost in deploying VNets between Azure resources. If improperly implemented, it may result in loss of critical network traffic.",
+ "RemediationProcedure": "From Azure Portal 1. Open the Storage Accounts blade 2. For each listed Storage Account, perform the following: 3. Under the Security + networking heading, click on Networking 4. Click on the Private Endpoint Connections tab at the top of the networking window 5. Click the +Private endpoint button 6. In the 1 - Basics tab/step: o Enter a name that will be easily recognizable as associated with the Storage Account (Note: The 'Network Interface Name' will be automatically completed, but you can customize it if needed.) o Ensure that the Region matches the region of the Storage Account o Click Next 7. In the 2 - Resource tab/step: o Select the target sub-resource based on what type of storage resource is being made available o Click Next 8. In the 3 - Virtual Network tab/step: o Select the Virtual network that your Storage Account will be connecting to o Select the Subnet that your Storage Account will be connecting to o (Optional) Select other network settings as appropriate for your environment o Click Next 9. In the 4 - DNS tab/step: o (Optional) Select other DNS settings as appropriate for your environment o Click Next 10. In the 5 - Tags tab/step: o (Optional) Set any tags that are relevant to your organization o Click Next 11. In the 6 - Review + create tab/step: o A validation attempt will be made and after a few moments it should indicate Validation Passed - if it does not pass, double-check your settings before beginning more in depth troubleshooting. o If validation has passed, click Create then wait for a few minutes for the scripted deployment to complete. Repeat the above procedure for each Private Endpoint required within every Storage Account. 
From PowerShell $storageAccount = Get-AzStorageAccount -ResourceGroupName '' -Name '' $privateEndpointConnection = @{ Name = 'connectionName' PrivateLinkServiceId = $storageAccount.Id GroupID = 'blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_se condary|web|web_secondary|dfs|dfs_secondary' } $privateLinkServiceConnection = New-AzPrivateLinkServiceConnection @privateEndpointConnection $virtualNetDetails = Get-AzVirtualNetwork -ResourceGroupName '' -Name '' $privateEndpoint = @{ ResourceGroupName = '' Name = '' Location = '' Subnet = $virtualNetDetails.Subnets[0] PrivateLinkServiceConnection = $privateLinkServiceConnection } New-AzPrivateEndpoint @privateEndpoint From Azure CLI az network private-endpoint create --resource-group --name --vnet-name -- subnet --private-connection-resource-id -- connection-name --group-id ",
+ "AuditProcedure": "From Azure Portal 1. Open the Storage Accounts blade. 2. For each listed Storage Account, perform the following check: 3. Under the Security + networking heading, click on Networking. 4. Click on the Private Endpoint Connections tab at the top of the networking window. 5. Ensure that for each VNet that the Storage Account must be accessed from, a unique Private Endpoint is deployed and the Connection State for each Private Endpoint is Approved Repeat the procedure for each Storage Account. From PowerShell $storageAccount = Get-AzStorageAccount -ResourceGroup '' - Name '' Get-AzPrivateEndpoint -ResourceGroup ''|Where-Object {$_.PrivateLinkServiceConnectionsText -match $storageAccount.id} If the results of the second command returns information, the Storage Account is using a Private Endpoint and complies with this Benchmark, otherwise if the results of the second command are empty, the Storage Account generates a finding. From Azure CLI az storage account show --name '' --query 'privateEndpointConnections[0].id' If the above command returns data, the Storage Account complies with this Benchmark, otherwise if the results are empty, the Storage Account generates a finding.",
+ "AdditionalInformation": "A NAT gateway is the recommended solution for outbound internet access.",
+ "DefaultValue": "By default, Private Endpoints are not created for Storage Accounts.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints:https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-cli?tabs=dynamic-ip:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell?tabs=dynamic-ip:https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls"
+ }
+ ]
+ },
+ {
+ "Id": "3.11",
+ "Description": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage",
+ "Checks": [
+ "storage_ensure_soft_delete_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.",
+ "RationaleStatement": "Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the 'Retention policies,' ranging from 7 days to 365 days.",
+ "ImpactStatement": "Additional storage costs may be incurred as snapshots are retained.",
+ "RemediationProcedure": "From Azure Portal 1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath. 2. Select Storage. 3. Select Storage Accounts. 4. For each Storage Account, navigate to Data protection in the left scroll column. 5. Check soft delete for both blobs and containers. Set the retention period to a sufficient length for your organization. From Azure CLI Update blob storage retention days in below command az storage blob service-properties delete-policy update --days-retained --account-name --account-key --enable true Update container retention with the below command az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days --account-name --resource-group --account-key ",
+ "AuditProcedure": "From Azure Portal: 1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath. 2. Select Storage. 3. Select Storage Accounts. 4. For each Storage Account, navigate to Data protection in the left scroll column. 5. Ensure that soft delete is checked for both blobs and containers. Also check if the retention period is a sufficient length for your organization. From Azure CLI Blob Storage Ensure that the output of the below command contains enabled status as true and days is not empty or null az storage blob service-properties delete-policy show --account-name --account-key Azure Containers Make certain that the --enable-container-delete-retention is 'true'. az storage account blob-service-properties show --account-name --account-key --resource-group ",
+ "AdditionalInformation": "",
+ "DefaultValue": "When a new storage account is created, soft delete for containers and blob storage is by default disabled.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete:https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-overview:https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-enable?tabs=azure-portal"
+ }
+ ]
+ },
+ {
+ "Id": "3.12",
+ "Description": "Ensure Storage for Critical Data are Encrypted with Customer Managed Keys",
+ "Checks": [
+ "storage_ensure_encryption_with_customer_managed_keys"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.",
+ "RationaleStatement": "By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.",
+ "ImpactStatement": "If the key expires by setting the 'activation date' and 'expiration date', the user must rotate the key manually. Using Customer Managed Keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed.",
+ "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to Encryption 3. Set Customer Managed Keys 4. Select the Encryption key and enter the appropriate setting value 5. Click Save",
+ "AuditProcedure": "From Azure Console: 1. Go to Storage Accounts 2. For each storage account, go to Encryption 3. Ensure that Encryption type is set to Customer Managed Keys From PowerShell Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccount |Select-Object -ExpandProperty Encryption PowerShell Results - Non-Compliant KeySource : Microsoft.Storage PowerShell Results - Compliant KeySource : Microsoft.Keyvault",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Encryption type is set to Microsoft Managed Keys.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption:https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest:https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required"
+ }
+ ]
+ },
+ {
+ "Id": "3.13",
+ "Description": "Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.",
+ "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best- effort basis. Storage Analytics logging is not enabled by default for your storage account.",
+ "ImpactStatement": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.",
+ "RemediationProcedure": "Remediation: From Azure Portal 1. From the default portal page select Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings under the Monitoring section in the left column. 4. Select the 'blob' tab indented below the storage account. 5. Click '+ Add diagnostic setting'. 6. Select StorageRead, StorageWrite and StorageDelete options under the Logging section to enable Storage Logging for Blob service. 7. Select a destination for your logs to be sent to. From Azure CLI Use the below command to enable the Storage Logging for Blob service. az storage logging update --account-name --account-key --services b --log rwd --retention 90",
+ "AuditProcedure": "From Azure Portal 1. From the default portal page select Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings under the Monitoring section in the left column. 4. Select the 'blob' tab indented below the storage account. Then select the diagnostic setting listed. 5. Ensure StorageRead, StorageWrite, and StorageDelete options are selected under the Logging section and that they are sent to the correct destination. From Azure CLI Ensure the below command's output contains properties delete, read and write set to true. az storage logging show --services b --account-name ",
+ "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every blob due to their nature and intent. This recommendation may be applicable to storage account blob service where the security is paramount.",
+ "DefaultValue": "By default, storage account blob service logging is disabled for read, write, and delete operations.",
+ "References": " https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "3.14",
+ "Description": "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.",
+ "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best- effort basis. Storage Analytics logging is not enabled by default for your storage account",
+ "ImpactStatement": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost",
+ "RemediationProcedure": "From Azure Portal 1. From the default portal page select Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings under the Monitoring section in the left column. 4. Select the 'table' tab indented below the storage account. 5. Click '+ Add diagnostic setting'. 6. Select StorageRead, StorageWrite and StorageDelete options under the Logging section to enable Storage Logging for Table service. 7. Select a destination for your logs to be sent to. From Azure CLI Use the below command to enable the Storage Logging for Table service. az storage logging update --account-name --account-key --services t --log rwd --retention 90",
+ "AuditProcedure": "From Azure Portal 1. From the default portal page select Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings under the Monitoring section in the left column. 4. Select the 'table' tab indented below the storage account. Then select the diagnostic setting listed. 5. Ensure StorageRead, StorageWrite, and StorageDelete options are selected under the Logging section and that they are sent to the correct destination. From Azure CLI Ensure the below command's output contains properties delete, read and write set to true. az storage logging show --services t --account-name ",
+ "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every table due to their nature and intent. This recommendation may be applicable to storage account table service where the security is paramount.",
+ "DefaultValue": "By default, storage account table service logging is disabled for read, write, an delete operations",
+ "References": "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources"
+ }
+ ]
+ },
+ {
+ "Id": "3.15",
+ "Description": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'",
+ "Checks": [
+ "storage_ensure_minimum_tls_version_12"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "In some cases, Azure Storage sets the minimum TLS versio n to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLSversion can be configured to be later protocols such as TLS 1.2.",
+ "RationaleStatement": "TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.",
+ "ImpactStatement": "When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.",
+ "RemediationProcedure": "From Azure Console 1. Login to Azure Portal using https://portal.azure.com 2. Go to Storage Accounts 3. Click on each Storage Account 4. Under Setting section, Click on Configuration 5. Set the minimum TLS version to be Version 1.2 From Azure CLI az storage account update --name --resource-group --min-tls-version TLS1_2 From Azure PowerShell To set the minimum TLS version, run the following command: Set-AzStorageAccount -AccountName ` -ResourceGroupName ` -MinimumTlsVersion TLS1_2",
+ "AuditProcedure": "From Azure Console 1. Login to Azure Portal using https://portal.azure.com 2. Go to Storage Accounts 3. Click on each Storage Account 4. Under Setting section, Click on Configuration 5. Ensure that the minimum TLS version is set to be Version 1.2 From Azure CLI Get a list of all storage accounts and their resource groups az storage account list | jq '.[] | {name, resourceGroup}' Then query the minimumTLSVersion field az storage account show --name --resource-group --query minimumTlsVersion --output tsv From Azure PowerShell To get the minimum TLS version, run the following command: (Get-AzStorageAccount -Name -ResourceGroupName ).MinimumTlsVersion",
+ "AdditionalInformation": "",
+ "DefaultValue": "If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2. If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit"
+ }
+ ]
+ },
+ {
+ "Id": "4.1.1",
+ "Description": "Ensure that 'Auditing' is set to 'On'",
+ "Checks": [
+ "sqlserver_auditing_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "4.1 SQL Server - Auditing",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Enable auditing on SQL Servers.",
+ "RationaleStatement": "The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.",
+ "ImpactStatement": "When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.",
+ "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. Select the SQL server instance 3. Under Security, click Auditing 4. Click the toggle next to Enable Azure SQL Auditing 5. Select an Audit log destination 6. Click Save From PowerShell Get the list of all SQL Servers Get-AzSqlServer For each Server, enable auditing and set the retention for at least 90 days. Log Analytics Example Set-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays -LogAnalyticsTargetState Enabled - WorkspaceResourceId '/subscriptions//resourceGroups/insights- integration/providers/Microsoft.OperationalInsights/workspaces/ Event Hub Example Set-AzSqlServerAudit -ResourceGroupName '' -ServerName '' -EventHubTargetState Enabled -EventHubName '' -EventHubAuthorizationRuleResourceId '' Blob Storage Example* Set-AzSqlServerAudit -ResourceGroupName '' -ServerName '' -BlobStorageTargetState Enabled -StorageAccountResourceId '/subscriptions//resourceGroups//providers/M icrosoft.Stora ge/storageAccounts/'",
+ "AuditProcedure": "From Azure Portal 1. Go to SQL servers 2. For each server instance 3. Click on Auditing 4. Ensure that Enable Azure SQL Auditing is set to On From PowerShell Get the list of all SQL Servers Get-AzSqlServer For each Server Get-AzSqlServerAudit -ResourceGroupName -ServerName Ensure that BlobStorageTargetState, EventHubTargetState, or LogAnalyticsTargetState is set to Enabled.",
+ "AdditionalInformation": "• A server policy applies to all existing and newly created databases on the server.• If server blob auditing is enabled, it always applies to the database. Thedatabase will be audited, regardless of the database auditing settings. Auditingtype table is already deprecated leaving only type blob available.• Enabling blob auditing on the database, in addition to enabling it on the server,does not override or change any of the settings of the server blob auditing. Bothaudits will exist side by side. In other words, the database is audited twice inparallel; once by the server policy and once by the database policy.",
+ "DefaultValue": "By default, Enable Azure SQL Auditing is set to Off.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "4.1.2",
+ "Description": "Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)",
+ "Checks": [
+ "sqlserver_unrestricted_inbound_access"
+ ],
+ "Attributes": [
+ {
+ "Section": "4.1 SQL Server - Auditing",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).",
+ "RationaleStatement": "Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters. By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services. Additionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.",
+ "ImpactStatement": "Disabling Allow Azure services and resources to access this server will break all connections to SQL server and Hosted Databases unless custom IP specific rules areadded in Firewall Policy.",
+ "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. For each SQL server 3. Click on Networking 4. Uncheck the checkbox for Allow Azure services and resources to access this server 5. Set firewall rules to limit access to only authorized connections From Azure CLI Disable default firewall rule Allow access to Azure services: az sql server firewall-rule delete --resource-group --server --name 'AllowAllWindowsAzureIps' Remove a custom firewall rule: az sql server firewall-rule delete --resource-group --server --name Create a firewall rule: az sql server firewall-rule create --resource-group --server --name --start-ip-address '' --end-ip-address '' Update a firewall rule: az sql server firewall-rule update --resource-group --server --name --start-ip-address '' --end-ip-address '' From PowerShell Disable Default Firewall Rule Allow access to Azure services : Remove-AzSqlServerFirewallRule -FirewallRuleName 'AllowAllWindowsAzureIps' - ResourceGroupName -ServerName Remove a custom Firewall rule: Remove-AzSqlServerFirewallRule -FirewallRuleName '' - ResourceGroupName -ServerName Set the appropriate firewall rules: Set-AzSqlServerFirewallRule -ResourceGroupName - ServerName -FirewallRuleName '' - StartIpAddress '' -EndIpAddress ''",
+ "AuditProcedure": "From Azure Portal 1. Go to SQL servers 2. For each SQL server 3. Click on Networking 4. Ensure that Allow Azure services and resources to access this server is Unchecked 5. Ensure that no firewall rule exists with • Start IP of 0.0.0.0 • or other combinations which allows access to wider public IP ranges From Azure CLI List all SQL servers az sql server list For each SQL server run the following command az sql server firewall-rule list --resource-group -- server Ensure the output does not contain any firewall allow rules with a source of 0.0.0.0, or any rules named AllowAllWindowsAzureIps From PowerShell Get the list of all SQL Servers Get-AzSqlServer For each Server Get-AzSqlServerFirewallRule -ResourceGroupName - ServerName Ensure that StartIpAddress is not set to 0.0.0.0, /0 or other combinations which allows access to wider public IP ranges including Windows Azure IP ranges. Also ensure that FirewallRuleName doesn't contain AllowAllWindowsAzureIps which is the rule created when the Allow Azure services and resources to access this server setting is enabled for that SQL Server.",
+ "AdditionalInformation": "Firewall rules configured on individual SQL Database using Transact-sql overrides the rules set on SQL server. Azure does not provide any Powershell, API, CLI, Portal option to check database level firewall rules, and so far Transact-SQL is the only way to check for the same. For comprehensive control over egress traffic on SQL Databases, Firewall rules should be checked using SQL client.",
+ "DefaultValue": "By default, Allow access to Azure Services is set to NO.",
+ "References": "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls"
+ }
+ ]
+ },
+ {
+ "Id": "4.1.3",
+ "Description": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key",
+ "Checks": [
+ "sqlserver_tde_encrypted_with_cmk"
+ ],
+ "Attributes": [
+ {
+ "Section": "4.1 SQL Server - Auditing",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security. Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).",
+ "RationaleStatement": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.",
+ "ImpactStatement": "Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you, and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible. When deploying Customer Managed Keys, it is prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault. As far as toolsets go, check with your cryptographic key provider, as they may well provide one as an add-on to their service",
+ "RemediationProcedure": "From Azure Console 1. Go to SQL servers For the desired server instance 2. Click On Transparent data encryption 3. Set Transparent data encryption to Customer-managed key 4. Browse through your key vaults to Select an existing key or create a new key in the Azure Key Vault. 5. Check Make selected key the default TDE protector From Azure CLI Use the below command to encrypt SQL server's TDE protector with a Customer- managed key az sql server tde-key set --resource-group --server --server-key-type {AzureKeyVault} --kid From PowerShell Use the below command to encrypt SQL server's TDE protector with a Customer- managed Key Vault key Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId -ServerName -ResourceGroupName Select Y when prompted",
+ "AuditProcedure": "From Azure Portal 1. Go to SQL servers For the desired server instance 2. Click On Transparent data encryption 3. Ensure that Customer-managed key is selected 4. Ensure Make selected key the default TDE protector is checked From Azure CLI az account get-access-token --query '{subscripton:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/resourceGroups/{resourceGroupNa me}/providers/Microsoft.Sql/servers/{serverName}/encryptionProtector?api- version=2015-05-01-preview' Ensure the output of the command contains properties kind set to azurekeyvault serverKeyType set to AzureKeyVault uri is not null From PowerShell Get-AzSqlServerTransparentDataEncryptionProtector -ServerName - ResourceGroupName Ensure the output of the command contains properties Type set to AzureKeyVault ServerKeyVaultKeyName set to KeyVaultName_KeyName_KeyIdentifierVersion KeyId set to KeyIdentifier",
+ "AdditionalInformation": "• This configuration is audited or can be done only on SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. • Ensuring TDE is protected by a Customer-managed key on SQL Server does not ensure the encryption of SQL Databases. Transparent Data Encryption : Data Encryption (ON/OFF) setting on individual SQL Database decides whether database is encrypted or not.",
+ "DefaultValue": "By Default, Microsoft managed TDE protector is enabled for a SQL server.",
+ "References": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql:https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/:https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required:https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts:https://docs.microsoft.com/en-us/cli/azure/sql/server/tde-key?view=azure-cli-latest:https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0:https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0"
+ }
+ ]
+ },
+ {
+ "Id": "4.1.4",
+ "Description": "Ensure that Azure Active Directory Admin is Configured for SQL Servers",
+ "Checks": [
+ "sqlserver_azuread_administrator_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "4.1 SQL Server - Auditing",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.",
+ "RationaleStatement": "Azure Active Directory authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management. • It provides an alternative to SQL Server authentication. • Helps stop the proliferation of user identities across database servers. • Allows password rotation in a single place. • Customers can manage database permissions using external (AAD) groups. • It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. • Azure AD authentication uses contained database users to authenticate identities at the database level. • Azure AD supports token-based authentication for applications connecting to SQL Database. • Azure AD authentication supports ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. • Azure AD supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options — phone call, text message, smart cards with pin, or mobile app notification.",
+ "ImpactStatement": "This will create administrative overhead with user account and permission management. For further security on these administrative accounts, you may want toconsider higher tiers of AAD which support features like Multi Factor Authentication, thatwill cost more.",
+ "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. For each SQL server, click on Active Directory admin 3. Click on Set admin 4. Select an admin 5. Click Save From Azure CLI az ad user show --id For each Server, set AD Admin az sql server ad-admin create --resource-group --server --display-name --object-id
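Review bot: the `ImpactStatement` on requirement `4.1.1` ("Ensure that 'Auditing' is set to 'On'") is a copy of the storage-account TLS control's impact text ("When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail."), which has nothing to do with SQL Server auditing; it should describe the impact of enabling server-level auditing (an audit log destination must be provisioned and the retained audit data incurs storage cost). Two smaller points in the same block: the angle-bracket placeholders from the benchmark PDF were stripped when the text was converted, so CLI and PowerShell snippets in the remediation and audit fields now read `az storage account update --name --resource-group --min-tls-version TLS1_2`, `Set-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays`, `az sql server ad-admin create --resource-group --server --display-name --object-id` and so on with no indication of which arguments the user must fill in, and PDF line-break artifacts survived into several strings ("versio n", "TLSversion", "- WorkspaceResourceId", "M icrosoft.Stora ge", "areadded", "Thedatabase", "Auditingtype"). Also note that requirement `4.1.2` is internally inconsistent: the `RationaleStatement` says a SQL server is created by default with a 0.0.0.0-0.0.0.0 rule allowing all Azure services, while the `DefaultValue` says "Allow access to Azure Services is set to NO"; pick the behaviour the check `sqlserver_unrestricted_inbound_access` actually assumes and align both fields with it. Since the `AuditProcedure`/`RemediationProcedure` strings are what users will see in the compliance report, restoring the placeholders (for example as `<storage-account>`, `<resource-group>`) and fixing the broken words before merging would be worthwhile.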