diff --git a/README.md b/README.md
index 7f068743a3..96fa6b79b6 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@

Learn more at prowler.com

- +

Prowler community on Slack
@@ -49,7 +49,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 |---|---|---|---|---|
 | AWS | 304 | 61 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 6 -> `prowler aws --list-categories` |
 | GCP | 75 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
-| Azure | 126 | 16 -> `prowler azure --list-services` | CIS soon | 2 -> `prowler azure --list-categories` |
+| Azure | 126 | 16 -> `prowler azure --list-services` | 2 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
 | Kubernetes | Work In Progress | - | CIS soon | - |
 # 📖 Documentation
diff --git a/docs/tutorials/compliance.md b/docs/tutorials/compliance.md
index c82fec0bd0..015826323a 100644
--- a/docs/tutorials/compliance.md
+++ b/docs/tutorials/compliance.md
@@ -17,6 +17,8 @@ Currently, the available frameworks are:
 - `cis_1.5_aws`
 - `cis_2.0_aws`
 - `cis_2.0_gcp`
+- `cis_2.0_azure`
+- `cis_2.1_azure`
 - `cis_3.0_aws`
 - `cisa_aws`
 - `ens_rd2022_aws`
diff --git a/prowler/compliance/azure/cis_2.0_azure.json b/prowler/compliance/azure/cis_2.0_azure.json
new file mode 100644
index 0000000000..1fb1af8b66
--- /dev/null
+++ b/prowler/compliance/azure/cis_2.0_azure.json
@@ -0,0 +1,3244 @@ +{ + "Framework": "CIS", + "Version": "2.0", + "Provider": "AZURE", + "Description": "The CIS Azure Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Azure with an emphasis on foundational, testable, and architecture agnostic settings.", + "Requirements": [ + { + "Id": "1.1.1", + "Description": "Ensure Security Defaults is enabled on Azure Active Directory", + "Checks": [ + "entra_security_defaults_enabled" + ], + "Attributes": [ + { + "Section": "1.1 Security Defaults", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security", + "RationaleStatement": "Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, doing the following: • Requiring all users and admins to register for MFA. • Challenging users with MFA - when necessary, based on factors such as location, device, role, and task. • Disabling authentication from legacy authentication clients, which can't do MFA.", + "ImpactStatement": "This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Azure Active Directory may impact other Microsoft services such as Microsoft 365.", + "RemediationProcedure": "From Azure Portal To enable security defaults in your directory: 1. From Azure Home select the Portal Menu. 2. Browse to Azure Active Directory > Properties 3. Select Manage security defaults 4. 
Set the Enable security defaults toggle to Yes 5. Select Save", + "AuditProcedure": "From Azure Portal To ensure security defaults is enabled in your directory: 1. From Azure Home select the Portal Menu. 2. Browse to Azure Active Directory > Properties. 3. Select Manage security defaults. 4. Verify the Enable security defaults toggle is Yes.", + "AdditionalInformation": "This recommendation differs from the Microsoft 365 Benchmark. This is because the potential impact associated with disabling Security Defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling Security Defaults implement appropriate security settings to replace the settings configured by Security Defaults.", + "DefaultValue": "If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults" + } + ] + }, + { + "Id": "1.1.2", + "Description": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users", + "Checks": [ + "entra_privileged_user_has_mfa" + ], + "Attributes": [ + { + "Section": "1.1 Security Defaults", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as; • Service Co-Administrators • Subscription Owners • Contributors", + "RationaleStatement": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. 
With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", + "ImpactStatement": "Users would require two forms of authentication before any access is granted. Additional administrative time will be required for managing dual forms of authentication when enabling multi-factor authentication.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory blade 3. Select Users 4. Take note of all users with the role Service Co-Administrators, Owners or Contributors 5. Click on the Per-User MFA button in the top row menu 6. Check the box next to each noted user 7. Click Enable under quick steps in the right-hand panel 8. Click enable multi-factor auth 9. Click close", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select the Azure Active Directory blade 3. Select Users 4. Take note of all users with the role Service Co-Administrators, Owners or Contributors 5. Click on the Per-User MFA button in the top row menu 6. Ensure that MULTI-FACTOR AUTH STATUS is Enabled for all noted users From REST API For Every Subscription, For Every Tenant Step 1: Identify Users with Administrative Access 1. List All Users Using Microsoft Graph API: GET https://graph.microsoft.com/v1.0/users Capture id and corresponding userPrincipalName ('$uid', '$userPrincipalName') 2. List all Role Definitions Using Azure management API: https://management.azure.com/subscriptions/:subscriptionId/providers/Microsof t.Authorization/roleDefinitions?api-version=2017-05-01 Capture Role Definition IDs/Name ('$name') and role names ('$properties/roleName') where 'properties/roleName' contains (Owner or *contributor or admin ) 3. 
List All Role Assignments (Mappings $A.uid to $B.name) Using Azure Management API: GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsof t.Authorization/roleassignments?api-version=2017-10-01-preview Find all administrative roles ($B.name) in 'Properties/roleDefinitionId' mapped with user ids ($A.id) in 'Properties/principalId' where 'Properties/principalType' == 'User' 4. Now Match ($CProperties/principalId) with $A.uid and get $A.userPrincipalName save this as D.userPrincipalName Step 2: Run MSOL PowerShell command: Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName If the output contains any of the $D.userPrincipalName, then this recommendation is non-compliant.", + "AdditionalInformation": "Please note that at the time of writing, there is no API, Azure CLI or Powershell mechanism available to programmatically conduct security assessment or remediation for this recommendation. The only option is MSOL.", + "DefaultValue": "By default, multi-factor authentication is disabled for all users.", + "References": "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication:https://stackoverflow.com/questions/41156206/azure-active-directory-premium-mfa-attributes-via-graph-api:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access" + } + ] + }, + { + "Id": "1.1.3", + "Description": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users", + "Checks": [ + "entra_non_privileged_user_has_mfa" + ], + "Attributes": [ + { + "Section": "1.1 Security Defaults", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable multi-factor authentication for all non-privileged users.", + "RationaleStatement": "Multi-factor authentication requires an individual to present a minimum of two 
separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", + "ImpactStatement": "Users would require two forms of authentication before any access is granted. Also, this requires an overhead for managing dual forms of authentication.", + "RemediationProcedure": "Follow Microsoft Azure documentation and enable multi-factor authentication in your environment. https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable- azure-mfa Enabling and configuring MFA is a multi-step process. Here are some additional resources on the process within Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto- conditional-access-policy-admin-mfa https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa- getstarted#enable-multi-factor-authentication-with-conditional-access https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa- mfasettings", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select the Azure Active Directory blade 3. Then Users 4. Select All Users 5. Click on Per-User MFA button on the top bar 6. Ensure that for all users MULTI-FACTOR AUTH STATUS is Enabled From REST API For Every Subscription, For Every Tenant Step 1: Identify Users with non-administrative Access 1. List All Users Using Microsoft Graph API: GET https://graph.microsoft.com/v1.0/users Capture id and corresponding userPrincipalName ($uid, $userPrincipalName) 2. 
List all Role Definitions Using Azure management API: https://management.azure.com/subscriptions//providers/Microso ft.Authorization/roleDefinitions?api-version=2017-05-01 Capture Role Definition IDs/Name ($name) and role names ($properties/roleName) where 'properties/roleName' does NOT contain (Owner or *contributor or admin ) 3. List All Role Assignments (Mappings $A.uid to $B.name) Using Azure Management API: GET https://management.azure.com/subscriptions//providers/Microso ft.Authorization/roleassignments?api-version=2017-10-01-preview Find all non-administrative roles ($B.name) in 'Properties/roleDefinationId' mapped with user ids ($A.id) in 'Properties/principalId' where 'Properties/principalType' == 'User' D> Now Match ($CProperties/principalId) with $A.uid and get $A.userPrincipalName save this as D.userPrincipleName Step 2: Run MSOL PowerShell command: Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName If the output contains any of the $D.userPrincipleName, then this recommendation is non-compliant.", + "AdditionalInformation": "", + "DefaultValue": "By default, multi-factor authentication is disabled for all users.", + "References": "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access" + } + ] + }, + { + "Id": "1.1.4", + "Description": "Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled", + "Checks": [], + "Attributes": [ + { + "Section": "1.1 Security Defaults", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Do not allow users to remember multi-factor authentication on devices.", + "RationaleStatement": 
"Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.", + "ImpactStatement": "For every login attempt, the user will be required to perform multi-factor authentication.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Click the Per-user MFA button on the top bar 5. Click on service settings 6. Uncheck the box next to Allow users to remember multi-factor authentication on devices they trust", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Click the Per-user MFA button on the top bar 5. Click on service settings 6. 
Ensure that Allow users to remember multi-factor authentication on devices they trust is not enabled", + "AdditionalInformation": "", + "DefaultValue": "By default, Allow users to remember multi-factor authentication on devices they trust is disabled.", + "References": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#remember-multi-factor-authentication-for-devices-that-users-trust:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-6-use-strong-authentication-controls" + } + ] + }, + { + "Id": "1.2.1", + "Description": "Ensure Trusted Locations Are Defined", + "Checks": [ + "entra_trusted_named_locations_exists" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Azure Active Directory Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.", + "RationaleStatement": "Defining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. 
Users authenticating from trusted IP addresses and/or ranges may have less access restrictions or access requirements when compared to users that try to authenticate to Azure Active Directory from untrusted locations or untrusted source IP addresses/ranges.", + "ImpactStatement": "When configuring Named locations, the organization can create locations using Geographical location data or by defining source IP addresses or ranges. Configuring Named locations using a Country location does not provide the organization the ability to mark those locations as trusted, and any Conditional Access policy relying on those Countries location setting will not be able to use the All trusted locations setting within the Conditional Access policy. They instead will have to rely on the Select locations setting. This may add additional resource requirements when configuring, and will require thorough organizational testing. In general, Conditional Access policies may completely prevent users from authenticating to Azure Active Directory, and thorough testing is recommended. To avoid complete lockout, a 'Break Glass' account with full Global Administrator rights is recommended in the event all other administrators are locked out of authenticating to Azure Active Directory. This 'Break Glass' account should be excluded from Conditional Access Policies and should be configured with the longest pass phrase feasible. This account should only be used in the event of an emergency and complete administrator lockout.", + "RemediationProcedure": "From Azure Portal 1. Navigate to the Azure AD Conditional Access Blade 2. Click on the Named locations blade 3. Within the Named locations blade, click on IP ranges location 4. Enter a name for this location setting in the Name text box 5. Click on the + sign 6. Add an IP Address Range in CIDR notation inside the text box that appears 7. Click on the Add button 8. Repeat steps 5 through 7 for each IP Range that needs to be added 9. 
If the information entered are trusted ranges, select the Mark as trusted location check box 10. Once finished, click on Create From PowerShell Create a new trusted IP-based Named location policy [System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.IpRange]]$ipR anges = @() $ipRanges.Add('') $ipRanges.Add('') $ipRanges.Add('') New-AzureADMSNamedLocationPolicy -OdataType '#microsoft.graph.ipNamedLocation' -DisplayName ' -IsTrusted $true -IpRanges $ipRanges Set an existing IP-based Named location policy to trusted Set-AzureADMSNamedLocationPolicy -PolicyId '' -OdataType '#microsoft.graph.ipNamedLocation' -IsTrusted $true", + "AuditProcedure": "From Azure Portal 1. In the Azure Portal, navigate to Azure AD Conditional Access 2. Click on Security 3. Click on Named Locations Ensure there are IP ranges location settings configured and marked as Trusted From PowerShell Get-AzureADMSNamedLocationPolicy In the output from the above command, for each Named location group, make sure at least one entry contains the IsTrusted parameter with a value of True. 
Otherwise, if there is no output as a result of the above command or all of the entries contain the IsTrusted parameter with an empty value, a NULL value, or a value of False, the results are out of compliance with this check.", + "AdditionalInformation": "", + "DefaultValue": "By default, no locations are configured under the Named locations blade within the Azure AD Conditional Access blade.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.2", + "Description": "Ensure that an exclusionary Geographic Access Policy is considered", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "CAUTION: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues. Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.", + "RationaleStatement": "Conditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.", + "ImpactStatement": "Azure AD Premium is required. Limiting access geographically will deny access to users that are traveling or working remotely in a different part of the world. 
A point-to-site or site to site tunnel such as a VPN is recommended to address exceptions to geographic access policies.", + "RemediationProcedure": "From Azure Portal Part 1 of 2 - Create the policy and enable it in Report-only mode. 1. From Azure Home open the portal menu in the top left, and select Azure Active Directory. 2. Scroll down in the menu on the left, and select Security. 3. Select on the left side Conditional Access. 4. Click the + New policy button, then: 5. Provide a name for the policy. 6. Under Assignments, select Users or workload identities then: o Under Include, select All users o Under Exclude, check Users and groups and only select emergency access accounts and service accounts (NOTE: Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA) 7. Under Assignments, select Cloud apps or actions then: o Under Include, select All cloud apps o Leave Exclude blank unless you have a well defined exception 8. Under Conditions, select Locations then: o Select Include, then add entries for locations for those that should be blocked o Select Exclude, then add entries for those that should be allowed (IMPORTANT: Ensure that all Trusted Locations are in the Exclude list.) 9. Under Access Controls, select Grant and Confirm that Block Access is selected. 10. Set Enable policy to Report-only. 11. Click Create. NOTE: The policy is not yet 'live,' since Report-only is being used to audit the effect of the policy. Part 2 of 2 - Confirm that the policy is not blocking access that should be granted, then toggle to On. 1. With your policy now in report-only mode, return to the Azure Active Directory blade and click on Sign-in logs. 2. 
Review the recent sign-in events - click an event then review the event details (specifically the Report-only tab) to ensure: o The sign-in event you're reviewing occurred after turning on the policy in report-only mode o The policy name from step 5 above is listed in the Policy Name column o The Result column for the new policy shows that the policy was Not applied (indicating the location origin was not blocked) 3. If the above conditions are present, navigate back to the policy name in Conditional Access and open it. 4. Toggle the policy from Report-only to On. 5. Click Save. From PowerShell First, set up the conditions objects values before updating an existing conditional access policy or before creating a new one. You may need to use additional PowerShell cmdlets to retrieve specific IDs such as the Get-AzureADMSNamedLocationPolicy which outputs the Location IDs for use with conditional access policies. $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition $conditions.Applications.IncludeApplications = <'All' | 'Office365' | 'app ID' | @('app ID 1', 'app ID 2', etc...> $conditions.Applications.ExcludeApplications = <'Office365' | 'app ID' | @('app ID 1', 'app ID 2', etc...)> $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition $conditions.Users.IncludeUsers = <'All' | 'None' | 'GuestsOrExternalUsers' | 'Specific User ID' | @('User ID 1', 'User ID 2', etc.)> $conditions.Users.ExcludeUsers = <'GuestsOrExternalUsers' | 'Specific User ID' | @('User ID 1', 'User ID 2', etc.)> $conditions.Users.IncludeGroups = <'group ID' | 'All' | @('Group ID 1', 'Group ID 2', etc...)> $conditions.Users.ExcludeGroups = <'group ID' | @('Group ID 1', 'Group ID 2', etc...)> $conditions.Users.IncludeRoles = <'Role ID' | 'All' | @('Role ID 1', 'Role ID 2', etc...)> 
$conditions.Users.ExcludeRoles = <'Role ID' | @('Role ID 1', 'Role ID 2', etc...)> $conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition $conditions.Locations.IncludeLocations = <'Location ID' | @('Location ID 1', 'Location ID 2', etc...) > $conditions.Locations.ExcludeLocations = <'AllTrusted' | 'Location ID' | @('Location ID 1', 'Location ID 2', etc...)> $controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls $controls._Operator = 'OR' $controls.BuiltInControls = 'block' Next, update the existing conditional access policy with the condition set options configured with the previous commands. Set-AzureADMSConditionalAccessPolicy -PolicyId -Conditions $conditions -GrantControls $controls To create a new conditional access policy that complies with this best practice, run the following commands after creating the condition set above New-AzureADMSConditionalAccessPolicy -Name 'Policy Name' -State -Conditions $conditions -GrantControls $controls", + "AuditProcedure": "1. From Azure Home open the Portal menu in the top left, and select Azure Active Directory. 2. Scroll down in the menu on the left, and select Security. 3. Select on the left side Conditional Access. 4. Select the policy you wish to audit, then: o Under Assignments, Review the Users and Groups for the personnel the policy will apply to o Under Assignments, Review the Cloud apps or actions for the systems the policy will apply to o Under Conditions, Review the Include locations for those that should be blocked o Under Conditions, Review the Exclude locations for those that should be allowed (Note: locations set up in the previous recommendation for Trusted Location should be in the Exclude list.) o Under Access Controls > Grant - Confirm that Block Access is selected. 
From Azure CLI As of this writing there are no subcommands for Conditional Access Policies within the Azure CLI From PowerShell $conditionalAccessPolicies = Get-AzureADMSConditionalAccessPolicy foreach($policy in $conditionalAccessPolicies) {$policy | Select-Object @{N='Policy ID'; E={$policy.id}}, @{N='Included Locations'; E={$policy.Conditions.Locations.IncludeLocations}}, @{N='Excluded Locations'; E={$policy.Conditions.Locations.ExcludeLocations}}, @{N='BuiltIn GrantControls'; E={$policy.GrantControls.BuiltInControls}}} Make sure there is at least 1 row in the output of the above PowerShell command that contains Block under the BuiltIn GrantControls column and location IDs under the Included Locations and Excluded Locations columns. If not, a policy containing these options has not been created and is considered a finding.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. 
Further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.", + "DefaultValue": "This policy does not exist by default.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-report-only:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.3", + "Description": "Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.", + "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the use of Administrative accounts to authenticated personnel.", + "ImpactStatement": "There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, MFA may require additional overhead to maintain. There is also a potential scenario in which the multi-factor authentication method can be lost, and administrative users are no longer able to log in. For this scenario, there should be an emergency access account. Please see References for creating this.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in top left, and select Azure Active Directory. 2. Select Security. 3. Select Conditional Access. 4. Click + New policy. 5. Enter a name for the policy. 6. Select Users or workload identities. 7. Check Users and groups. 8. Select administrative groups this policy should apply to and click Select. 9. Under Exclude, check Users and groups. 10. 
Select users this policy not should apply to and click Select. 11. Select Cloud apps or actions. 12. Select All cloud apps. 13. Select Grant. 14. Under Grant access, check Require multifactor authentication and click Select. 15. Set Enable policy to Report-only. 16. Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.", + "AuditProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left, and select Azure Active Directory. 2. Select Security. 3. Select Conditional Access. 4. Select the policy you wish to audit. 5. View under Users and Groups the corresponding users and groups to whom the policy is applied. Be certain the emergency access account is not in the list. 6. View under Exclude to determine which Users and groups to whom the policy is not applied.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. 
Further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.", + "DefaultValue": "By default, MFA is not enabled for any administrative accounts.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa:https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.4", + "Description": "Ensure that A Multi-factor Authentication Policy Exists for All Users", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.", + "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.", + "ImpactStatement": "There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, this may require additional overhead to maintain if users lose access to their MFA.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home open Portal menu in the top left, and select Azure Active Directory. 2. Select Security. 3. Select Conditional Access. 4. Click + New policy. 5. Enter a name for the policy. 6. Select Users or workload identities. 7. 
Under Include, select All users. 8. Under Exclude, check Users and groups. 9. Select users this policy should not apply to and click Select. 10. Select Cloud apps or actions. 11. Select All cloud apps. 12. Select Grant. 13. Under Grant access, check Require multifactor authentication and click Select. 14. Set Enable policy to Report-only. 15. Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.", + "AuditProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left, and select Azure Active Directory. 2. Scroll down in the menu on the left, and select Security. 3. Select on the left side Conditional Access. 4. Select the policy you wish to audit. 5. View under Users and Groups the corresponding users and groups to whom the policy is applied. 6. View under Exclude to determine which users and groups to whom the policy is not applied.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. 
Further testing can also be done via the insights and reporting resource the in References which monitors Azure sign ins.", + "DefaultValue": "MFA is not enabled by default.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.5", + "Description": "Ensure Multi-factor Authentication is Required for Risky Sign-ins", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.", + "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.", + "ImpactStatement": "There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, they may require additional overhead to maintain if users lose access to their MFA.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu in the top left, and select Azure Active Directory. 2. Select Security 3. Select Conditional Access. 4. Click + New policy. 5. Enter a name for the policy. 6. Select Users or workload identities. 7. Under Include, select All users. 8. Under Exclude, check Users and groups. 9. Select users this policy should not apply to and click Select. 10. Select Cloud apps or actions. 11. Select All cloud apps. 12. Select Conditions. 13. 
Select Sign-in risk. 14. Update the Configure toggle to Yes. 15. Check the sign-in risk level this policy should apply to, e.g. High and Medium. 16. Select Done. 17. Select Grant. 18. Under Grant access, check Require multifactor authentication and click Select. 19. Set Enable policy to Report-only. 20. Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu and select Security. 2. Select on the left side Conditional Access. 3. Select the policy you wish to audit. 4. View under Users and Groups the corresponding users and groups to whom the policy is applied. 5. View under Exclude to determine which users and groups to whom the policy is not applied.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. 
Further testing can also be done via the insights and reporting resource the in References which monitors Azure sign ins.", + "DefaultValue": "MFA is not enabled by default.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.6", + "Description": "Ensure Multi-factor Authentication is Required for Azure Management", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.", + "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the use of Administrative actions and to prevent intruders from changing settings.", + "ImpactStatement": "There is an increased cost, as Conditional Access policies require Azure AD Premium. Similarly, they may require additional overhead to maintain if users lose access to their MFA.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu and select Azure Active Directory. 2. Select Security. 3. Select Conditional Access. 4. Click + New policy. 5. Enter a name for the policy. 6. Select Users or workload identities. 7. Under Include, select All users. 8. Under Exclude, check Users and groups. 9. Select users this policy should not apply to and click Select. 10. Select Cloud apps or actions. 11. Select Select apps. 12. Check the box next to Microsoft Azure Management and click Select. 
13. Select Grant. 14. Under Grant access, check Require multifactor authentication and click Select. 15. Set Enable policy to Report-only. 16. Click Create. After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu and select Azure Active Directory. 2. Scroll down in the menu on the left, and select Security. 3. Select on the left side Conditional Access. 4. Select the policy you wish to audit. 5. View under Users and Groups the corresponding users and groups to whom the policy is applied. 6. View under Exclude to determine which Users and groups to whom the policy is not applied.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with administrators changing settings until they use an MFA device linked to their accounts. An emergency access account is recommended for this eventuality if all administrators are locked out. Please see the documentation in the references for further information. 
Similarly further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.", + "DefaultValue": "MFA is not enabled by default for administrative actions.", + "References": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups" + } + ] + }, + { + "Id": "1.3", + "Description": "Ensure that 'Users can create Azure AD Tenants' is set to 'No'", + "Checks": [ + "entra_policy_ensure_default_user_cannot_create_tenants" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Require administrators or appropriately delegated users to create new tenants.", + "RationaleStatement": "It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.", + "ImpactStatement": "Enforcing this setting will ensure that only authorized users are able to create new tenants.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. Set Users can create Azure AD Tenants to No", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. 
Ensure that Users can create Azure AD Tenants is set to No Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security assessment for this recommendation.", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions:https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator" + } + ] + }, + { + "Id": "1.4", + "Description": "Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user.", + "RationaleStatement": "Guest users in the Azure AD are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants. Guest users should be reviewed on a regular basis, at least annually. Guest users should not be granted administrative roles where possible. 
Guest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely, leading to a potential vulnerability. Guest users should be reviewed on a monthly basis to ensure that inactive and unneeded accounts are removed.", + "ImpactStatement": "Until you have a business need to provide guest access to any user, avoid creating guest users. If guest accounts are being used, they should be removed when no longer required.", + "RemediationProcedure": "From Azure Portal 1. From the Azure Portal home page click the portal menu in the top left. 2. Select Azure Active Directory 3. Select Users in the left column under the Manage heading. 4. Next to the search box select the filter option. 5. Search for and select User Type 6. In the third drop down Value select Guest. 7. Review the guest users in your Active Directory. 8. For those you wish to delete, select the checkbox on the left then the Delete option in the top row. From Azure CLI With the information from the audit procedure, to remove a Guest user run the following command with their User Principal Value. Remove-AzureADUser -ObjectId ''", + "AuditProcedure": "From Azure Portal 1. From the Azure Portal home page click the portal menu in the top left. 2. Select Azure Active Directory 3. Select Users in the left column under the Manage heading. 4. Next to the search box select the filter option. 5. Search for and select User Type 6. In the third drop down Value select Guest. 7. Review the guest users in your Active Directory. 
From Azure CLI Run the following command: az ad user list -Filter 'UserType eq 'Guest'' From PowerShell Run the following command: Get-AzureADUser -Filter 'UserType eq 'Guest'", + "AdditionalInformation": "", + "DefaultValue": "By default no guest users are created", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-3-review-and-reconcile-user-access-regularly:https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews:https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing" + } + ] + }, + { + "Id": "1.5", + "Description": "Ensure Guest Users Are Reviewed on a Regular Basis", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. 
Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.", + "RationaleStatement": "Guest users in the Azure AD are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants. Guest users are typically added outside your employee on-boarding/off- boarding process and could potentially be overlooked indefinitely, leading to a potential vulnerability. To prevent this, guest users should be reviewed on a regular basis. During this audit, guest users should also be determined to not have administrative privileges.", + "ImpactStatement": "Before removing guest users, determine their use and scope. Like removing any user, there may be unforeseen consequences to systems if it is deleted.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Click on Add filter 5. Select User type 6. Select Guest from the Value dropdown 7. Click Apply 8. Delete all Guest users that are no longer required or are inactive From Azure CLI Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems. az ad user update --id --account-enabled {false} After determining that there are no dependent systems delete the user. Remove-AzureADUser -ObjectId From Azure PowerShell Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems. Set-AzureADUser -ObjectId '' -AccountEnabled false After determining that there are no dependent systems delete the user. PS C:\\>Remove-AzureADUser -ObjectId ", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Click on Add filter 5. Select User type 6. Select Guest from the Value dropdown 7. 
Click Apply 8. Audit the listed guest users From Azure CLI az ad user list --query '[?userType=='Guest']' Ensure all users listed are still required and not inactive. From Azure PowerShell Get-AzureADUser |Where-Object {$_.UserType -like 'Guest'} |Select-Object DisplayName, UserPrincipalName, UserType -Unique", + "AdditionalInformation": "It is good practice to use a dynamic security group to manage guest users.To create the dynamic security group:1. Navigate to the 'Active Directory' blade in the Azure Portal2. Select the 'Groups' item3. Create new4. Type of 'dynamic'5. Use the following dynamic selection rule. '(user.userType -eq 'Guest')'6. Once the group has been created, select access reviews option and create anew access review with a period of monthly and send to relevant administratorsfor review.", + "DefaultValue": "By default no guest users are created.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-3-review-and-reconcile-user-access-regularly:https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing:https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-restore" + } + ] + }, + { + "Id": "1.6", + "Description": "Ensure That 'Number of methods required to reset' is set to '2'", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensures that two alternate forms of identification are provided before allowing a password reset.", + "RationaleStatement": "A Self-service Password Reset (SSPR) through Azure Multi-factor 
Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.", + "ImpactStatement": "There may be administrative overhead, as users who lose access to their secondary authentication methods will need an administrator with permissions to remove it. There will also need to be organization-wide security policies and training to teach administrators to verify the identity of the requesting user so that social engineering can not render this setting useless.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select Password reset 5. Then Authentication methods 6. Set the Number of methods required to reset to 2", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select Password reset 5. Then Authentication methods 6. 
Ensure that Number of methods required to reset is set to 2", + "AdditionalInformation": "", + "DefaultValue": "By default, the Number of methods required to reset is set to 2.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access:https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-faq#password-reset-registration:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods" + } + ] + }, + { + "Id": "1.7", + "Description": "Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.", + "RationaleStatement": "Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. 
Removing easy-to-guess passwords increases the security of access to your Azure resources.", + "ImpactStatement": "Increasing needed password complexity might increase overhead on administration of user accounts. Licensing requirement for Global Banned Password List and Custom Banned Password list requires Azure AD Premium P1 or P2. On-premises Active Directory Domain Services users that are not synchronized to Azure AD also benefit from Azure AD Password Protection based on existing licensing for synchronized users.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Security. 4. Under Manage, select Authentication Methods. 5. Select Password Protection. 6. Set the Enforce custom list option to Yes. 7. Double click the custom banned password list to add a string.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active directory. 3. Select 'Security'. 4. Under Manage, select Authentication Methods. 5. Select Password Protection. 6. Ensure Enforce custom list is set to Yes. 7. Scroll through the list to view the enforced passwords.", + "AdditionalInformation": "", + "DefaultValue": "By default the custom bad password list is not 'Enabled'. Organizational-specific terms can be added to the custom banned password list, such as the following examples: • Brand names • Product names • Locations, such as company headquarters • Company-specific internal terms • Abbreviations that have specific company meaning • Months and weekdays with your company's local languages The default Azure bad password policy is already applied to your resources which applies the following basic requirements: Characters allowed: • Uppercase characters (A - Z) • Lowercase characters (a - z) • Numbers (0 - 9) • Symbols: • @ # $ % ^ & * - _ ! + = [ ] { } | \\ : ' , . ? 
/ ` ~ ' ( ) < > • blank space Characters not allowed: • Unicode characters • Password length Passwords require • A minimum of eight characters • A maximum of 256 characters Password complexity: Passwords require three out of four of the following categories: • Uppercase characters • Lowercase characters • Numbers • Symbols Note: Password complexity check isn't required for Education tenants. Password not recently used: • When a user changes or resets their password, the new password can't be the same as the current or recently used passwords. • Password isn't banned by Azure AD Password Protection. • The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-combined-policy:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad:https://docs.microsoft.com/en-us/powershell/module/Azuread/:https://www.microsoft.com/en-us/research/publication/password-guidance/:https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-6-use-strong-authentication-controls" + } + ] + }, + { + "Id": "1.8", + "Description": "Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.", + "RationaleStatement": "This setting is necessary if you have setup 'Require users to register when signing in option'. 
If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.", + "ImpactStatement": "Users will be prompted for their multifactor authentication at the duration set here.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select Password reset 5. Then Registration 6. Set the Number of days before users are asked to re-confirm their authentication information to your organization-defined frequency.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select Password reset 5. Then Registration 6. Ensure that Number of days before users are asked to re-confirm their authentication information is not set to 0", + "AdditionalInformation": "", + "DefaultValue": "By default, the Number of days before users are asked to re-confirm their authentication information is set to '180 days'.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#registration:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods" + } + ] + }, + { + "Id": "1.9", + "Description": "Ensure that 'Notify users on password resets?' 
is set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensure that users are notified on their primary and secondary emails on password resets.", + "RationaleStatement": "User notification on password reset is a proactive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.", + "ImpactStatement": "Users will receive emails alerting them to password changes to both their primary and secondary emails.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select Password reset 5. Under Manage, select Notifications 6. Set Notify users on password resets? to Yes", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Go to Password reset 5. Under Manage, select Notifications 6. Ensure that Notify users on password resets? is set to Yes", + "AdditionalInformation": "", + "DefaultValue": "By default, Notify users on password resets? is set to 'Yes'.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations:https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "1.10", + "Description": "Ensure That 'Notify all admins when other admins reset their password?' 
is set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensure that all Global Administrators are notified if any other administrator resets their password.", + "RationaleStatement": "Global Administrator accounts are sensitive. Any password reset activity notification, when sent to all Global Administrators, ensures that all Global administrators can passively confirm if such a reset is a common pattern within their group. For example, if all Global Administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.", + "ImpactStatement": "All Global Administrators will receive a notification from Azure every time a password is reset. This is useful for auditing procedures to confirm that there are no out of the ordinary password resets for Global Administrators. There is additional overhead, however, in the time required for Global Administrators to audit the notifications. This setting is only useful if all Global Administrators pay attention to the notifications, and audit each one.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select Password reset 5. Under Manage, select Notifications 6. Set Notify all admins when other admins reset their password? to Yes", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select Password reset 5. Under Manage, select Notifications 6. Ensure that notify all admins when other admins reset their password? is set to Yes", + "AdditionalInformation": "", + "DefaultValue": "By default, Notify all admins when other admins reset their password? 
is set to 'No'.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations" + } + ] + }, + { + "Id": "1.11", + "Description": "Ensure `User consent for applications` is set to `Do not allow user consent`", + "Checks": [ + "entra_policy_restricts_user_consent_for_apps" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Require administrators to provide consent for applications before use.", + "RationaleStatement": "If Azure Active Directory is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.", + "ImpactStatement": "Enforcing this setting may create additional requests that administrators need to review.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Enterprise Applications 4. Select Consent and permissions 5. Select User consent settings 6. Set User consent for applications to Do not allow user consent 7. Click save", + "AuditProcedure": "From Azure Portal 1. 
From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Enterprise Applications 4. Select Consent and permissions 5. Select User consent settings 6. Ensure User consent for applications is set to Do not allow user consent From PowerShell Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled Command should return UsersPermissionToUserConsentToAppEnabled with the value of False", + "AdditionalInformation": "", + "DefaultValue": "By default, Users consent for applications is set to Allow user consent for apps.", + "References": "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "1.12", + "Description": "Ensure ‘User consent for applications’ Is Set To ‘Allow for Verified Publishers’ ", + "Checks": [ + "entra_policy_user_consent_for_verified_apps" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Allow users to provide consent for selected permissions when a request is coming from a verified publisher.", + "RationaleStatement": "If Azure Active Directory is running as an identity provider for 
third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.", + "ImpactStatement": "Enforcing this setting may create additional requests that administrators need to review.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Enterprise Applications 4. Select Consent and permissions 5. Select User consent settings 6. Under User consent for applications, select Allow user consent for apps from verified publishers, for selected permissions 7. Select Save From PowerShell Connect-MsolService Set-MsolCompanyInformation --UsersPermissionToUserConsentToAppEnabled $False", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Enterprise Applications 4. Select Consent and permissions 5. Select User consent settings 6. Under User consent for applications, ensure Allow user consent for apps from verified publishers, for selected permissions is selected From PowerShell Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled Command should return UsersPermissionToUserConsentToAppEnabled with the value of False", + "AdditionalInformation": "", + "DefaultValue": "By default, User consent for applications is set to Allow user consent for apps.", + "References": 
"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0:https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolcompanyinformation?view=azureadps-1.0" + } + ] + }, + { + "Id": "1.13", + "Description": "Ensure that 'Users can add gallery apps to My Apps' is set to 'No'", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Require administrators to provide consent for the apps before use.", + "RationaleStatement": "Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.", + "ImpactStatement": "Can cause additional requests to administrators that need to be fulfilled quite often.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select User settings 5. 
Then Manage how end users launch and view their applications 6. Set Users can add gallery apps to My Apps to No", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select User settings 5. Then Manage how end users launch and view their applications, and ensure that Users can add gallery apps to My Apps is set to No", + "AdditionalInformation": "", + "DefaultValue": "By default, Users can add gallery apps to My Apps is set to No.", + "References": "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/:https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems" + } + ] + }, + { + "Id": "1.14", + "Description": "Ensure That 'Users Can Register Applications' Is Set to 'No'", + "Checks": [ + "entra_policy_ensure_default_user_cannot_create_apps" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Require administrators or appropriately delegated users to register third-party applications.", + "RationaleStatement": "It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. 
Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.", + "ImpactStatement": "Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator. If permissions are delegated, a user may approve a malevolent third party application, potentially giving it access to your data.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. Set Users can register applications to No From PowerShell Connect-MsolService Set-MsolCompanyInformation -UsersPermissionToCreateLOBAppsEnabled $False", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Users 4. Select User settings 5. Ensure that Users can register applications is set to No From PowerShell Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToCreateLOBAppsEnabled Command should return UsersPermissionToCreateLOBAppsEnabled with the value of False", + "AdditionalInformation": "", + "DefaultValue": "By default, Users can register applications is set to 'Yes'.", + "References": 
"https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/:https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolcompanyinformation?view=azureadps-1.0:https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0" + } + ] + }, + { + "Id": "1.15", + "Description": "Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' ", + "Checks": [ + "entra_policy_guest_users_access_restrictions" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Limit guest user permissions.", + "RationaleStatement": "Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction. 1. 
Guest users have the same access as members (most inclusive), 2. Guest users have limited access to properties and memberships of directory objects (default value), 3. Guest user access is restricted to properties and memberships of their own directory objects (most restrictive). The recommended option is the 3rd, most restrictive: 'Guest user access is restricted to their own directory object'.", + "ImpactStatement": "This may create additional requests for permissions to access resources that administrators will need to approve.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then External Identities 4. Select External collaboration settings 5. Under Guest user access, change Guest user access restrictions to be Guest user access is restricted to properties and memberships of their own directory objects From PowerShell 1. From a PowerShell session enter Set-AzureADMSAuthorizationPolicy - GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' 2. Check that the setting was applied by entering Get- AzureADMSAuthorizationPolicy 3. Make certain that the GuestUserRoleId is equal to the earlier entered value of 2af84b1e-32c8-42b7-82bc-daa82404023b.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then External Identities 4. Select External collaboration settings 5. Under Guest user access, ensure that Guest user access restrictions is set to Guest user access is restricted to properties and memberships of their own directory objects From PowerShell 1. Enter the following Get-AzureADMSAuthorizationPolicy Which will give a result like: Id : authorizationPolicy OdataType : Description : Used to manage authorization related settings across the company. 
DisplayName : Authorization Policy EnabledPreviewFeatures : {} GuestUserRoleId : 10dae51f-b6af-4016-8d66- 8c2a99b929b3 PermissionGrantPolicyIdsAssignedToDefaultUserRole : {user-default-legacy} If the GuestUserRoleID property does not equal 2af84b1e-32c8-42b7-82bc- daa82404023b then it is not set to most restrictive.", + "AdditionalInformation": "", + "DefaultValue": "By default, Guest user access restrictions is set to Guest user access is restricted to properties and memberships of their own directory objects", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions" + } + ] + }, + { + "Id": "1.16", + "Description": "Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'", + "Checks": [ + "entra_policy_guest_invite_only_for_admin_roles" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict invitations to users with specific administrative roles only.", + "RationaleStatement": "Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain 'Need to Know' permissions and prevents inadvertent access to data. 
By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.", + "ImpactStatement": "With the option of Only users assigned to specific admin roles can invite guest users selected, users with specific admin roles will be in charge of sending invitations to the external users, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then External Identities 4. Select External collaboration settings 5. Under Guest invite settings, for Guest invite restrictions, ensure that Only users assigned to specific admin roles can invite guest users is selected", + "AuditProcedure": "Audit: From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then External Identities 4. External collaboration settings 5. 
Under Guest invite settings, for Guest invite restrictions, ensure that that Only users assigned to specific admin roles can invite guest users is selected Note: This setting has 4 levels of restriction, which include: • Anyone in the organization can invite guest users including guests and non- admins (most inclusive), • Member users and users assigned to specific admin roles can invite guest users including guests with member permissions, • Only users assigned to specific admin roles can invite guest users, • No one in the organization can invite guest users including admins (most restrictive).", + "AdditionalInformation": "", + "DefaultValue": "By default, Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins", + "References": " https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management" + } + ] + }, + { + "Id": "1.17", + "Description": "Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Restrict access to the Azure AD administration portal to administrators only. NOTE: This only affects access to the Azure AD administrator's web portal. 
This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Azure AD.", + "RationaleStatement": "The Azure AD administrative portal has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Azure AD data in the administration portal to avoid exposure.", + "ImpactStatement": "All administrative tasks will need to be done by Administrators, causing additional overhead in management of users and resources.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select User settings 5. Set Restrict access to Azure AD administration portal to Yes", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Users 4. Select User settings 5. Ensure that Restrict access to Azure AD administration portal is set to Yes", + "AdditionalInformation": "", + "DefaultValue": "By default, Restrict access to Azure AD administration portal is set to No", + "References": " https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems" + } + ] + }, + { + "Id": "1.18", + "Description": "Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'", + 
"Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restricts group creation to administrators with permissions only.", + "RationaleStatement": "Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.", + "ImpactStatement": "Setting to Yes could create administrative overhead by customers seeking certain group memberships that will have to be manually managed by administrators with appropriate permissions.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Groups 4. Select General under Settings 5. Ensure that Restrict user ability to access groups features in the Access Panel is set to Yes", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Groups 4. Select General under Settings 5. 
Ensure that Restrict user ability to access groups features in the Access Panel is set to Yes", + "AdditionalInformation": "", + "DefaultValue": "By default, Restrict user ability to access groups features in the Access Pane is set to No", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "1.19", + "Description": "Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'", + "Checks": [ + "entra_policy_default_users_cannot_create_security_groups" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict security group creation to administrators only.", + "RationaleStatement": "When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. 
Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.", + "ImpactStatement": "Enabling this setting could create a number of requests that would need to be managed by an administrator.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Groups 4. Select General under Settings 5. Set Users can create security groups in Azure portals, API or PowerShell to No", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Groups 4. Select General under Settings 5. Ensure that Users can create security groups in Azure portals, API or PowerShell is set to No", + "AdditionalInformation": "", + "DefaultValue": "By default, Users can create security groups in Azure portals, API or PowerShell is set to Yes", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems" + } + ] + }, + { + "Id": "1.20", + "Description": "Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'", + 
"Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict security group management to administrators only.", + "RationaleStatement": "Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.", + "ImpactStatement": "Group Membership for user accounts will need to be handled by Admins and cause administrative overhead.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Groups 4. Select General in settings 5. Set Owners can manage group membership requests in the Access Panel to No", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Groups 4. Select General in settings 5. 
Ensure that Owners can manage group membership requests in the Access Panel is set to No", + "AdditionalInformation": "", + "DefaultValue": "By default, Owners can manage group membership requests in the Access Panel is set to No.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-8-choose-approval-process-for-microsoft-support:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "1.21", + "Description": "Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'", + "Checks": [ + "entra_users_cannot_create_microsoft_365_groups" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict Microsoft 365 group creation to administrators only.", + "RationaleStatement": "Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. 
Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.", + "ImpactStatement": "Enabling this setting could create a number of requests that would need to be managed by an administrator.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Groups 4. Select General in settings 5. Set Users can create Microsoft 365 groups in Azure portals, API or PowerShell to No", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Then Groups 4. Select General in setting 5. Ensure that Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to No", + "AdditionalInformation": "", + "DefaultValue": "By default, Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to Yes.", + "References": "https://whitepages.unlimitedviz.com/2017/01/disable-office-365-groups-2/:https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems" + } + ] + }, + { + "Id": "1.22", + "Description": "Ensure that 'Require Multi-Factor Authentication to register 
or join devices with Azure AD' is set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Joining or registering devices to the active directory should require Multi-factor authentication.", + "RationaleStatement": "Multi-factor authentication is recommended when adding devices to Azure AD. When set to Yes, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. Note: Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain.", + "ImpactStatement": "A slight impact of additional overhead, as Administrators will now have to approve every access to the domain.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Devices 4. Select Device settings 5. Set Require Multi-Factor Authentication to register or join devices with Azure AD to Yes", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Azure Active Directory 3. Select Devices 4. Select Device settings 5. 
Ensure that Require Multi-Factor Authentication to register or join devices with Azure AD is set to Yes", + "AdditionalInformation": "", + "DefaultValue": "By default, Require Multi-Factor Authentication to register or join devices with Azure AD is set to No.", + "References": "https://blogs.technet.microsoft.com/janketil/2016/02/29/azure-mfa-for-enrollment-in-intune-and-azure-ad-device-registration-explained/:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access" + } + ] + }, + { + "Id": "1.23", + "Description": "Ensure That No Custom Subscription Administrator Roles Exist", + "Checks": [ + "iam_subscription_roles_owner_custom_not_created" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.", + "RationaleStatement": "Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.", + "ImpactStatement": "Subscriptions will need to be handled by Administrators with permissions.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Subscriptions. 3. Select Access control (IAM). 4. Select Roles. 5. Click Type and select CustomRole from the drop down menu. 6. Check the box next to each role which grants subscription administrator privileges. 7. Select Remove. 8. Select Yes. 
From Azure CLI List custom roles: az role definition list --custom-role-only True Check for entries with assignableScope of / or the subscription, and an action of * . To remove a violating role: az role definition delete --name Note that any role assignments must be removed before a custom role can be deleted. Ensure impact is assessed before deleting a custom role granting subscription administrator privileges.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Subscriptions. 3. Select Access control (IAM). 4. Select Roles. 5. Click Type and select CustomRole from the drop down menu. 6. Select View next to a role. 7. Select JSON. 8. Check for assignableScopes set to / or the subscription, and actions set to *. 9. Repeat steps 6-8 for each custom role. From Azure CLI List custom roles: az role definition list --custom-role-only True Check for entries with assignableScope of / or the subscription, and an action of * From PowerShell Connect-AzAccount Get-AzRoleDefinition |Where-Object {($_.IsCustom -eq $true) -and ($_.Actions.contains('*'))} Check the output for AssignableScopes value set to '/' or the subscription", + "AdditionalInformation": "", + "DefaultValue": "By default, no custom owner roles are created.", + "References": 
"https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle" + } + ] + }, + { + "Id": "1.24", + "Description": "Ensure a Custom Role is Assigned Permissions for Administering Resource Locks", + "Checks": [ + "iam_subscription_roles_owner_custom_not_created" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.", + "RationaleStatement": "Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock 
administrator role to prevent inadvertent unlocking of resources.", + "ImpactStatement": "By adding this role, specific permissions may be granted for managing just resource locks rather than needing to provide the wide Owner or User Access Administrator role, reducing the risk of the user being able to do unintentional damage.", + "RemediationProcedure": "From Azure Portal 1. In the Azure portal, open a subscription or resource group where you want the custom role to be assigned. 2. Select Access control (IAM). 3. Click Add. 4. Select Add custom role. 5. In the Custom Role Name field enter Resource Lock Administrator. 6. In the Description field enter Can Administer Resource Locks. 7. For Baseline permissions select Start from scratch 8. Select next. 9. In the Permissions tab select Add permissions. 10. In the Search for a permission box, type in Microsoft.Authorization/locks to search for permissions. 11. Select the check box next to the permission Microsoft.Authorization/locks. 12. Select Add. 13. Select Review + create. 14. Select Create. 15. Assign the newly created role to the appropriate user. From PowerShell: Below is a power shell definition for a resource lock administrator role created at an Azure Management group level Import-Module Az.Accounts Connect-AzAccount $role = Get-AzRoleDefinition 'User Access Administrator' $role.Id = $null $role.Name = 'Resource Lock Administrator' $role.Description = 'Can Administer Resource Locks' $role.Actions.Clear() $role.Actions.Add('Microsoft.Authorization/locks/*') $role.AssignableScopes.Clear() * Scope at the Management group level Management group $role.AssignableScopes.Add('/providers/Microsoft.Management/managementGroups/ MG-Name') New-AzRoleDefinition -Role $role Get-AzureRmRoleDefinition 'Resource Lock Administrator'", + "AuditProcedure": "From Azure Portal 1. In the Azure portal, open a subscription or resource group where you want to view assigned roles. 2. Select Access control (IAM) 3. Select Roles 4. 
Search for the custom role named Ex. from remediation Resource Lock Administrator 5. Ensure that the role is assigned to the appropriate users.", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles:https://docs.microsoft.com/en-us/azure/role-based-access-control/check-access:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "2.1.1", + "Description": "Ensure That Microsoft Defender for Servers Is Set to 'On'", + "Checks": [ + "defender_ensure_defender_for_server_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning 
on Microsoft Defender for Servers in Microsoft Defender for Cloud incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Set Server Status to On 6. Select Save From Azure CLI Run the following command: az security pricing create -n VirtualMachines --tier 'standard' From PowerShell Run the following command: Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Ensure Servers Status is set to On. From Azure CLI Run the following command: az security pricing show -n VirtualMachines --query pricingTier If the tenant is licensed and enabled, the output should indicate Standard From PowerShell Run the following command: Get-AzSecurityPricing -Name 'VirtualMachines' |Select-Object Name,PricingTier If the tenant is licensed and enabled, the -PricingTier parameter will indicate Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-1-use-endpoint-detection-and-response-edr" + } + ] + }, + { + "Id": "2.1.2", + "Description": "Ensure That Microsoft Defender for App Services Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_server_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", 
+ "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for App Service incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Set App Service Status to On 6. Select Save From Azure CLI Run the following command: az security pricing create -n Appservices --tier 'standard' From PowerShell Run the following command: Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. 
Ensure Status is On for App Service From Azure CLI Run the following command: az security pricing show -n AppServices Ensure -PricingTier is set to Standard From PowerShell Run the following command: Get-AzSecurityPricing -Name 'AppServices' |Select-Object Name,PricingTier Ensure the -PricingTier is set to Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.3", + "Description": "Ensure That Microsoft Defender for Databases Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_databases_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.", + "RationaleStatement": "Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. 
Threat detection is provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Running Defender on Infrastructure as a service (IaaS) may incur increased costs associated with running the service and the instance it is on. Similarly, you will need qualified personnel to maintain the operating system and software updates. If it is not maintained, security patches will not be applied and it may be open to vulnerabilities.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Set Databases Status to On 6. Select Save Review the chosen pricing tier. For the Azure Databases resource review the different plan information and choose one that fits the needs of your organization. From Azure CLI Run the following commands: az security pricing create -n 'SqlServers' --tier 'Standard' az security pricing create -n 'SqlServerVirtualMachines' --tier 'Standard' az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'Standard' az security pricing create -n 'CosmosDbs' --tier 'Standard' From Azure PowerShell Run the following commands: Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard' Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard' Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard' Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings 3. Click on the subscription name 4. Select Defender plans 5. Ensure Databases Status is set to On 6. 
Review the chosen pricing tier From Azure CLI Ensure the output of the below commands is Standard az security pricing show -n 'SqlServers' az security pricing show -n 'SqlServerVirtualMachines' az security pricing show -n 'OpenSourceRelationalDatabases' az security pricing show -n 'CosmosDbs' If the output of any of the above commands shows pricingTier with a value of Free, the setting is out of compliance. From PowerShell Connect-AzAccount Get-AzSecurityPricing |select-object Name,PricingTier |where-object {$_.Name -match 'Sql' -or $_.Name -match 'Cosmos' -or $_.Name -match 'OpenSource'} Ensure the output shows Standard for each database type under the PricingTier column. Any that show Free are considered out of compliance.", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql:https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-usage:https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.4", + "Description": "Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_azure_sql_databases_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, andbehavior analytics in the Microsoft Defender 
for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Azure SQL Databases incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Set the radio button next to Azure SQL Databases to On. 7. Select Continue. 8. Select Save. From Azure CLI Run the following command: az security pricing create -n SqlServers --tier 'standard' From PowerShell Run the following command: Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Ensure the radio button next to Azure SQL Databases is set to On. 
From Azure CLI Run the following command: az security pricing show -n SqlServers Ensure -PricingTier is set to Standard From PowerShell Run the following command: Get-AzSecurityPricing -Name 'SqlServers' | Select-Object Name,PricingTier Ensure the -PricingTier is set to Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.5", + "Description": "Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_sql_servers_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for SQL servers on machines allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for SQL servers on machines incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. 
Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Set the radio button next to SQL servers on machines to On. 7. Select Continue. 8. Select Save. From Azure CLI Run the following command: az security pricing create -n SqlServerVirtualMachines --tier 'standard' From PowerShell Run the following command: Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Ensure the radio button next to SQL servers on machines is set to On. From Azure CLI Run the following command: az security pricing show -n SqlServerVirtualMachines Ensure the 'PricingTier' is set to 'Standard' From PowerShell Run the following command: Get-AzSecurityPricing -Name 'SqlServerVirtualMachines' | Select-Object Name,PricingTier", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/defender-for-sql-usage:https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-monitor-for-unauthorized-transfer-of-sensitive-data:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.6", + "Description": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'", + "Checks": [ + 
"defender_ensure_defender_for_os_relational_databases_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Open-source relational databases incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Set the radio button next to Open-source relational databases to On. 7. Select Continue. 8. Select Save. From Azure CLI Run the following command: az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'standard' From PowerShell Use the below command to enable Standard pricing tier for Open-source relational databases set-azsecuritypricing -name 'OpenSourceRelationalDatabases' -pricingtier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Click Select types > in the row for Databases. 6. Ensure the radio button next to Open-source relational databases is set to On. 
From Azure CLI Run the following command: az security pricing show -n OpenSourceRelationalDatabases --query pricingTier From PowerShell Get-AzSecurityPricing | Where-Object {$_.Name -eq 'OpenSourceRelationalDatabases'} | Select-Object Name, PricingTier Ensure output for Name PricingTier is OpenSourceRelationalDatabases Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.7", + "Description": "Ensure That Microsoft Defender for Storage Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_storage_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Storage incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 
5. Set Status to On for Storage. 6. Select Save. From Azure CLI Ensure the output of the below command is Standard az security pricing create -n StorageAccounts --tier 'standard' From PowerShell Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Ensure Status is set to On for Storage. From Azure CLI Ensure the output of the below command is Standard az security pricing show -n StorageAccounts From PowerShell Get-AzSecurityPricing -Name 'StorageAccounts' | Select-Object Name,PricingTier Ensure output for Name PricingTier is StorageAccounts Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.8", + "Description": "Ensure That Microsoft Defender for Containers Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_containers_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Container Registries allows for 
greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Containers incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings. 3. Click on the subscription name. 4. Select Defender plans. 5. Set Status to On for Containers. 6. Click Save. From Azure CLI (Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers') Use the below command to enable Standard pricing tier for Containers. az security pricing create -n 'Containers' --tier 'standard' From PowerShell (Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers') Use the below command to enable Standard pricing tier for Containers. Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings. 3. Click on the subscription name. 4. Select Defender plans. 5. Ensure On is set under Status for Containers. From Azure CLI Ensure the output of the commands below indicates Standard pricing. For legacy Defender for Container Registries instances: az security pricing show --name 'ContainerRegistry' --query pricingTier For new Defender for Containers instances: az security pricing show --name 'Containers' --query pricingTier From PowerShell Ensure the output of the commands below indicates Standard pricing. 
For legacy Defender for Container Registries instances: Get-AzSecurityPricing -Name 'ContainerRegistry' | Select-Object Name,PricingTier For new Defender for Containers instances: Get-AzSecurityPricing -Name 'Containers' | Select-Object Name,PricingTier", + "AdditionalInformation": "Deprecation of previous product plans 'Container registries' and 'Kubernetes' plans for Microsoft Defender are being deprecated and replaced with 'Containers' or Microsoft Defender for Containers.", + "DefaultValue": "By default, Microsoft Defender for Containers is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks" + } + ] + }, + { + "Id": "2.1.9", + "Description": "Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_cosmosdb_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.", + "RationaleStatement": "In scanning Azure Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. 
These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.", + "ImpactStatement": "Enabling Microsoft Defender for Azure Cosmos DB requires enabling Microsoft Defender for your subscription. Both will incur additional charges.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. On the Database row click on Select types >. 6. Set the radio button next to Azure Cosmos DB to On. 7. Click Continue. 8. Click Save. From Azure CLI Run the following command: az security pricing create -n 'CosmosDbs' --tier 'standard' From PowerShell Use the below command to enable Standard pricing tier for Azure Cosmos DB Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. On the Database row click on Select types > 6. Ensure the radio button next to Azure Cosmos DB is set to On. 
From Azure CLI Ensure the output of the below command is Standard az security pricing show -n CosmosDbs --query pricingTier From PowerShell Get-AzSecurityPricing -Name 'CosmosDbs' | Select-Object Name,PricingTier Ensure output of -PricingTier is Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for Azure Cosmos DB is not enabled.", + "References": "https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cosmos-db-security-baseline:https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.10", + "Description": "Ensure That Microsoft Defender for Key Vault Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_keyvault_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Key Vault incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. 
Select On under Status for Key Vault. 6. Select Save. From Azure CLI Enable Standard pricing tier for Key Vault: az security pricing create -n 'KeyVaults' --tier 'Standard' From PowerShell Enable Standard pricing tier for Key Vault: Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. Ensure Status is set to On for Key Vault. From Azure CLI Ensure the output of the below command is Standard az security pricing show -n 'KeyVaults' --query 'PricingTier' From PowerShell Get-AzSecurityPricing -Name 'KeyVaults' | Select-Object Name,PricingTier Ensure output for PricingTier is Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.11", + "Description": "Ensure That Microsoft Defender for DNS Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_dns_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Microsoft Defender for DNS scans all network traffic exiting from within a subscription.", + "RationaleStatement": "DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. 
These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.", + "ImpactStatement": "Enabling Microsoft Defender for DNS requires enabling Microsoft Defender for your subscription. Both will incur additional charges, with Defender for DNS being a smallamount per million queries.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Select On under Status for DNS. 6. Select Save. From Powershell Enable Standard pricing tier for DNS: az security pricing create -n 'DNS' --tier 'Standard' From PowerShell Enable Standard pricing tier for DNS: Set-AzSecurityPricing -Name 'DNS' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. Ensure Status is set to On for DNS. 
From Azure CLI Ensure the output of the below command is Standard az security pricing show -n 'DNS' --query 'PrincingTier' From PowerShell Get-AzSecurityPricing --Name 'DNS' | Select-Object Name,PricingTier Ensure output of PricingTier is Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for DNS is not enabled.", + "References": "https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/dns-security-baseline:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-dns-alerts:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-10-ensure-domain-name-system-dns-security:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.12", + "Description": "Ensure That Microsoft Defender for Resource Manager Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_arm_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.", + "RationaleStatement": "Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.", + "ImpactStatement": "Enabling Microsoft Defender for Resource Manager requires enabling Microsoft Defender for your subscription. Both will incur additional charges.", + "RemediationProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud. 2. 
Select Environment Settings blade. 3. Click on the subscription name. 4. Select the Defender plans blade. 5. Select On under Status for Resource Manager. 6. Select `Save. From Azure CLI Use the below command to enable Standard pricing tier for Defender for Resource Manager az security pricing create -n 'Arm' --tier 'Standard' From PowerShell Use the below command to enable Standard pricing tier for Defender for Resource Manager Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'", + "AuditProcedure": "From Azure Portal 1. Go to Microsoft Defender for Cloud 2. Select Environment Settings blade 3. Click on the subscription name 4. Select the Defender plans blade 5. Ensure Status is set to On for Resource Manager. From Azure CLI Ensure the output of the below command is Standard az security pricing show -n 'Arm' --query 'PricingTier' From Azure PowerShell Get-AzSecurityPricing -Name 'Arm' | Select-Object Name,PricingTier Ensure the output of PricingTier is Standard", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for Resource Manager is not enabled.", + "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-resource-manager-introduction:https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.13", + "Description": "Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'", + "Checks": [ + "defender_ensure_system_updates_are_applied" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensure that the latest OS patches for all 
virtual machines are applied.", + "RationaleStatement": "Windows and Linux virtual machines should be kept updated to: • Address a specific bug or flaw • Improve an OS or application's general stability • Fix a security vulnerability The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.", + "ImpactStatement": "Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour.", + "RemediationProcedure": "Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then the Recommendations blade 4. 
Ensure that there are no recommendations for Apply system updates Alternatively, you can employ your own patch assessment and management tool to periodically assess, report and install the required security patches for your OS.", + "AdditionalInformation": "", + "DefaultValue": "By default, patches are not automatically deployed.", + "References": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities:https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm" + } + ] + }, + { + "Id": "2.1.14", + "Description": "Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'", + "Checks": [ + "policy_ensure_asc_enforcement_enabled" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "None of the settings offered by ASC Default policy should be set to effect Disabled.", + "RationaleStatement": "A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Select Environment Settings 4. Click on a subscription 5. Select Security Policy in the left column. 6. Click on ASC Default under Default initiative 7. 
Ensure Policy Enforcement is Enabled 8. Click on the Parameters tab and uncheck Only show parameters that need input or review 9. For any parameters set to Disabled or empty, update to a valid value for the organization 10. Click Save", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select subscription 5. Then on Security Policy in the left column. 6. Click on ASC Default under Default initiative 7. Scroll down to Policy Enforcement and ensure it is set to Enabled 8. Click on the Parameters tab and uncheck Only show parameters that need input or review 9. Review the Parameters to ensure none of the items are set to Disabled. The View effective Policy button can be used to see all effects of policies even if they have not been modified. From Azure CLI Ensure the properties.enforcementMode in the output of the below command is set to Default. If properties.enforcementMode is set to DoNotEnforce, the default policies are disabled and therefore out of compliance. az account get-access-token --query '{,}' --out tsv | xargs - L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Microso ft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2021-06- 01' Note policies that have not been modified will not be listed in this output From PowerShell Get-AzPolicyAssignment | Where-Object {$_.Name -eq 'SecurityCenterBuiltIn'} | Select-Object -ExpandProperty Properties If the EnforcementMode value equals Default the ASC Default Policies are enabled. Because several of the policies are in the Disabled state by default, check to see if the Parameters attribute in the output of the above command contains policies with the value of Disabled or if it's empty altogether. If so, these settings are out of compliance. 
If none of the values in the Parameters attribute show Disabled, these settings are in compliance. If the EnforcementMode parameter equals DoNotEnforce the ASC Default Policies are all disabled and thus out of compliance.", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-policies:https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/get:https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/create:https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-7-define-and-implement-logging-threat-detection-and-incident-response-strategy" + } + ] + }, + { + "Id": "2.1.15", + "Description": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'", + "Checks": [ + "defender_auto_provisioning_log_analytics_agent_vms_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Enable automatic provisioning of the monitoring agent to collect security data.", + "RationaleStatement": "When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. 
Select Microsoft Defender for Cloud 3. Select Environment Settings 4. Select a subscription 5. Click on Settings & Monitoring 6. Ensure that Log Analytics agent for Azure VMs is set to On Repeat the above for any additional subscriptions. From Azure CLI Use the below command to set Automatic provisioning of monitoring agent to On. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft .Security/autoProvisioningSettings/default?api-version=2017-08-01-preview - d@'input.json'' Where input.json contains the Request body json data as mentioned below. { 'id': '/subscriptions//providers/Microsoft.Security/autoProvi sioningSettings/default', 'name': 'default', 'type': 'Microsoft.Security/autoProvisioningSettings', 'properties': { 'autoProvision': 'On' } }", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Click on Settings & Monitoring 6. Ensure that Log Analytics agent/Azure Monitor agent is set to On Repeat the above for any additional subscriptions. 
From Azure CLI Ensure the output of the below command is On az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Microso ft.Security/autoProvisioningSettings?api-version=2017-08-01-preview' | jq '.|.value[] | select(.name=='default')'|jq '.properties.autoProvision' Using PowerShell Connect-AzAccount Get-AzSecurityAutoProvisioningSetting Ensure output for Id Name AutoProvision is /subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default default On", + "AdditionalInformation": "• Excluding any of the entries in input.json may disable the specific setting by default • Microsoft has recently changed APIs to get and Update Automatic Provisioning Setting. This recommendation is updated accordingly.", + "DefaultValue": "By default, Automatic provisioning of monitoring agent is set to On.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security:https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification" + } + ] + }, + { + "Id": "2.1.16", + "Description": 
"Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'", + "Checks": [ + "defender_auto_provisioning_vulnerabilty_assessments_machines_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.", + "RationaleStatement": "Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.", + "ImpactStatement": "Additional licensing is required and configuration of Azure Arc introduces complexity beyond this recommendation.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Click on Settings & Monitoring 6. Ensure that Vulnerability assessment for machines is set to On Repeat the above for any additional subscriptions.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Click on Settings & Monitoring 6. 
Ensure that Vulnerability assessment for machines is set to On Repeat the above for any additional subscriptions.", + "AdditionalInformation": "", + "DefaultValue": "By default, Automatic provisioning of monitoring agent is set to Off.", + "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-va:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-5-perform-vulnerability-assessments" + } + ] + }, + { + "Id": "2.1.17", + "Description": "Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'", + "Checks": [], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable automatic provisioning of the Microsoft Defender for Containers components.", + "RationaleStatement": "As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.", + "ImpactStatement": "Microsoft Defender for Containers will require additional licensing.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Then Auto Provisioning in the left column. 6. Set Microsoft Defender for Containers components to On", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Select a subscription 5. Then Auto Provisioning in the left column. 6. 
Ensure that Microsoft Defender for Containers components is set to On Repeat the above for any additional subscriptions.", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for Containers is disabled. If Defender for Containers is enabled from the Microsoft Defender for Cloud portal, auto provisioning will be enabled.", + "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-containers:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification" + } + ] + }, + { + "Id": "2.1.18", + "Description": "Ensure That 'All users with the following roles' is set to 'Owner'", + "Checks": [ + "defender_ensure_notify_emails_to_owners" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enable security alert emails to subscription owners.", + "RationaleStatement": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. 
In the drop down of the All users with the following roles field select Owner 7. Click Save From Azure CLI Use the below command to set Send email also to subscription owners to On. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts/default1?api-version=2017-08-01-preview -d@'input.json'' Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses: { 'id': '/subscriptions//providers/Microsoft.Security/securityC ontacts/default1', 'name': 'default1', 'type': 'Microsoft.Security/securityContacts', 'properties': { 'email': '', 'alertNotifications': 'On', 'alertsToAdmins': 'On', 'notificationsByRole': 'Owner' } }", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Then Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Ensure that All users with the following roles is set to Owner From Azure CLI Ensure the output of below command is set to true. 
az account get-access-token --query '{subscription:subscription,accessToken:accessToken}'' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts?api-version=2020-01-01-preview' | jq '.|.value[] | select(.name=='default')'|jq '.properties.notificationsByRole'", + "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default.", + "DefaultValue": "By default, Owner is selected", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification" + } + ] + }, + { + "Id": "2.1.19", + "Description": "Ensure 'Additional email addresses' is Configured with a Security Contact Email", + "Checks": [ + "defender_additional_email_configured_with_a_security_contact" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.", + "RationaleStatement": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field 7. Click Save From Azure CLI Use the below command to set Security contact emails to On. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts/default?api-version=2020-01-01-preview -d@'input.json'' Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses: { 'id': '/subscriptions//providers/Microsoft.Security/securityC ontacts/default', 'name': 'default', 'type': 'Microsoft.Security/securityContacts', 'properties': { 'email': '', 'alertNotifications': 'On', 'alertsToAdmins': 'On' } }", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Ensure that a valid security contact email address is listed in the Additional email addresses field From Azure CLI Ensure the output of the below command is set not empty and is set with appropriate email ids. 
az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=='default')'|jq '.properties.emails'", + "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default.", + "DefaultValue": "By default, there are no additional email addresses entered.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification" + } + ] + }, + { + "Id": "2.1.20", + "Description": "Ensure 'Additional email addresses' is Configured with a Security Contact Email", + "Checks": [ + "defender_ensure_notify_alerts_severity_is_high" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enables emailing security alerts to the subscription owner or other designated security contact.", + "RationaleStatement": "Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. 
Under Notification types, check the check box next to Notify about alerts with the following severity (or higher): and select High from the drop down menu 7. Click Save From Azure CLI Use the below command to set Send email notification for high severity alerts to On. az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/ securityContacts/default1?api-version=2017-08-01-preview -d@'input.json'' Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses: { 'id': '/subscriptions//providers/Microsoft.Security/securityC ontacts/default1', 'name': 'default1', 'type': 'Microsoft.Security/securityContacts', 'properties': { 'email': '', 'alertNotifications': 'On', 'alertsToAdmins': 'On' } }", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Ensure that the Notify about alerts with the following severity (or higher): setting is checked and set to High From Azure CLI Ensure the output of below command is set to true, enter your Subscription ID at the $0 between /subscriptions/<$0>/providers. 
az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=='default')'|jq '.properties.alertNotifications'", + "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default. This recommendation has been updated to reflect recent changes to Microsoft REST APIs for getting and updating security contact information.", + "DefaultValue": "By default, Notify about alerts with the following severity (or higher): is set to High.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification" + } + ] + }, + { + "Id": "2.1.21", + "Description": "Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected", + "Checks": [ + "defender_ensure_mcas_is_enabled" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.", + "RationaleStatement": "EMicrosoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. 
By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license. Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.", + "ImpactStatement": "Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud. 3. Select Environment Settings blade. 4. Select the subscription. 5. Select Integrations. 6. Check Allow Microsoft Defender for Cloud Apps to access my data. 7. Select Save. From Azure CLI Use the below command to enable Standard pricing tier for Storage Accounts az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Micros oft.Security/settings/MCAS?api-version=2021-06-01 -d@'input.json'' Where input.json contains the Request body json data as mentioned below. { 'id': '/subscriptions//providers/Microsoft.Security/settings/ MCAS', 'kind': 'DataExportSetting', 'type': 'Microsoft.Security/settings', 'properties': { 'enabled': true } }", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Select Environment Settings blade 4. Click on the subscription name 5. Select the Integrations blade 6. Ensure setting Allow Microsoft Defender for Cloud Apps to access my data is selected. 
From Azure CLI Ensure the output of the below command is True az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Micros oft.Security/settings?api-version=2021-06-01' | jq '.|.value[] | select(.name=='MCAS')'|jq '.properties.enabled' From PowerShell Run the following series of commands to audit this configuration Get-AzAccount Set-AzContext -Subscription Get-AzSecuritySetting | Select-Object name,enabled |where-object {$_.name -eq 'MCAS'} PowerShell Output - Non-Compliant Name Enabled ---- ------- MCAS False PowerShell Output - Compliant Name Enabled ---- ------- MCAS True", + "AdditionalInformation": "NOTE: 'Microsoft Defender for Cloud Apps' ('MDCA') is formerly known as 'Microsoft Cloud App Security' ('MCAS'). There are a number of places (e.g. Azure CLI) where the 'MCAS' acronym is still used within Azure.", + "DefaultValue": "With Cloud App Security license, these alerts are enabled by default.", + "References": "https://docs.microsoft.com/en-in/azure/security-center/security-center-alerts-service-layer#azure-management-layer-azure-resource-manager-preview:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-9-secure-user-access-to--existing-applications" + } + ] + }, + { + "Id": "2.1.22", + "Description": "Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected", + "Checks": [ + "defender_ensure_wdatp_is_enabled" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "This integration setting enables Microsoft Defender for Endpoint 
(formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.", + "RationaleStatement": "Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.", + "ImpactStatement": "Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.", + "RemediationProcedure": "From Azure Console 1. From Azure Home select the Portal Menu. 2. Go to Microsoft Defender for Cloud. 3. Select Environment Settings blade. 4. Select the subscription. 5. Select Integrations. 6. Check Allow Microsoft Defender for Endpoint to access my data. 7. Select Save. 
From Azure CLI Use the below command to enable Standard pricing tier for Storage Accounts az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Microso ft.Security/settings/WDATP?api-version=2021-06-01 -d@'input.json'' Where input.json contains the Request body json data as mentioned below. { 'id': '/subscriptions//providers/Microsoft.Security/settings/ WDATP', 'kind': 'DataExportSettings', 'type': 'Microsoft.Security/settings', 'properties': { 'enabled': true } }", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Select Environment Settings blade 4. Click on the subscription name 5. Select the Integrations blade 6. Ensure setting Allow Microsoft Defender for Endpoint to access my data is selected. From Azure CLI Ensure the output of the below command is True az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions//providers/Microso ft.Security/settings?api-version=2021-06-01' | jq '.|.value[] | select(.name=='WDATP')'|jq '.properties.enabled' From PowerShell Run the following commands to login and audit this check Connect-AzAccount Set-AzContext -Subscription Get-AzSecuritySetting | Select-Object name,enabled |where-object {$_.name -eq 'WDATP'} PowerShell Output - Non-Compliant Name Enabled ---- ------- WDATP False PowerShell Output - Compliant Name Enabled ---- ------- WDATP True", + "AdditionalInformation": "IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. 
For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 2. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned. NOTE: 'Microsoft Defender for Endpoint (MDE)' was formerly known as 'Windows Defender Advanced Threat Protection (WDATP).' There are a number of places (e.g. Azure CLI) where the 'WDATP' acronym is still used within Azure.", + "DefaultValue": "", + "References": "https://docs.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-1-use-endpoint-detection-and-response-edr:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-2-use-modern-anti-malware-software" + } + ] + }, + { + "Id": "2.2.1", + "Description": "Ensure That Microsoft Defender for IoT Hub Is Set To 'On'", + "Checks": [ + "defender_ensure_iot_hub_defender_is_on" + ], + "Attributes": [ + { + "Section": "2.2 Microsoft Defender for IoT", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.", + "RationaleStatement": "IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.", + "ImpactStatement": "Enabling Microsoft Defender for IoT will incur additional charges dependent on the level of usage.", + "RemediationProcedure": "From Azure Portal 1. 
Go to IoT Hub. 2. Select a IoT Hub to validate. 3. Select Overview in Defender for IoT. 4. Click on Secure your IoT solution, and complete the onboarding.", + "AuditProcedure": "From Azure Portal 1. Go to IoT Hub. 2. Select a IoT Hub to validate. 3. Select Overview in Defender for IoT. 4. The Threat prevention and Threat detection screen will appear, if Defender for IoT is Enabled.", + "AdditionalInformation": "There are additional configurations for Microsoft Defender for IoT that allow for types of deployments called hybrid or local. Both run on your physical infrastructure. These are complicated setups and are primarily outside of the scope of a purely Azure benchmark. Please see the references to consider these options for your organization.", + "DefaultValue": "By default, Microsoft Defender for IoT is not enabled.", + "References": "https://azure.microsoft.com/en-us/services/iot-defender/#overview:https://docs.microsoft.com/en-us/azure/defender-for-iot/:https://azure.microsoft.com/en-us/pricing/details/iot-defender/:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/defender-for-iot-security-baseline:https://docs.microsoft.com/en-us/cli/azure/iot?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities:https://learn.microsoft.com/en-us/azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub" + } + ] + }, + { + "Id": "3.1", + "Description": "Ensure that 'Secure transfer required' is set to 'Enabled'", + "Checks": [ + "storage_secure_transfer_required_is_enabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable data encryption in transit.", + "RationaleStatement": "The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. 
For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to Configuration 3. Set Secure transfer required to Enabled From Azure CLI Use the below command to enable Secure transfer required for a Storage Account az storage account update --name --resource-group --https-only true", + "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to Configuration 3. Ensure that Secure transfer required is set to Enabled From Azure CLI Use the below command to ensure the Secure transfer required is enabled for all the Storage Accounts by ensuring the output contains true for each of the Storage Accounts. 
az storage account list --query '[*].[name,enableHttpsTrafficOnly]'", + "AdditionalInformation": "", + "DefaultValue": "By default, Secure transfer required is set to Disabled.", + "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit:https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list:https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit" + } + ] + }, + { + "Id": "3.2", + "Description": "Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'", + "Checks": [ + "storage_infrastructure_encryption_is_enabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.", + "RationaleStatement": "Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. Similarly, data is encrypted even before network transmission and in all backups. In this scenario, the additional layer of encryption continues to protect your data. 
For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.", + "ImpactStatement": "The read and write speeds to the storage will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This performance impact should be considered in an analysis for justifying use of the feature in your environment. Customer-managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the storage.", + "RemediationProcedure": "From Azure Portal 1. During Storage Account creation, in the Encryption tab, check the box next to Enable infrastructure encryption. From Azure CLI Replace the information within <> with appropriate values: az storage account create --name --resource-group --location --sku Standard_RAGRS --kind StorageV2 --require-infrastructure-encryption From PowerShell Replace the information within <> with appropriate values: New-AzStorageAccount -ResourceGroupName ` -AccountName ` -Location ` -SkuName 'Standard_RAGRS' ` -Kind StorageV2 ` -RequireInfrastructureEncryption Enabling Infrastructure Encryption after Storage Account Creation If infrastructure encryption was not enabled on blob storage creation, there is no official way to enable it. Please see the additional information section.", + "AuditProcedure": "From Azure Portal 1. From Azure Portal select the portal menu in the top left. 2. Select Storage Accounts. 3. Click on each storage account within each resource group you wish to audit. 4. In the overview, under Security, ensure Infrastructure encryption is set to Enabled. 
From Azure CLI az storage blob show --account-name --container-name --name --query 'properties.serverEncrypted' From PowerShell $account = Get-AzStorageAccount -ResourceGroupName ` -Name $blob = Get-AzStorageBlob -Context $account.Context ` -Container ` -Blob $blob.ICloudBlob.Properties.IsServerEncrypted", + "AdditionalInformation": "Additional Information: The default service side encryption for Azure Storage is enabled on every block blob, append blob, or page blob that was written to Azure Storage after October 20, 2017. Hardware encryption, however, cannot be enabled on a blob storage after its creation. There are ways to copy all data from a blob storage into another or download and reupload into another blob storage. This could result in data loss and is not recommended.", + "DefaultValue": "By default, Infrastructure Encryption is disabled in blob creation.", + "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-encryption-status:https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption:https://docs.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default" + } + ] + }, + { + "Id": "3.3", + "Description": "Ensure that 'Enable key rotation reminders' is enabled for each Storage Account", + "Checks": [], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. 
The 'Rotation Reminder' is an automatic reminder feature for a manual procedure.", + "RationaleStatement": "Reminders such as those generated by this recommendation will help maintain a regular and healthy cadence for activities which improve the overall efficacy of a security program. Cryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.' For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting.", + "ImpactStatement": "This recommendation only creates a periodic reminder to regenerate access keys. Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients that use the access key to access the storage account must be updated to use the new key.", + "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each Storage Account that is not compliant, go to Access keys 3. Click Set rotation reminder 4. Check Enable key rotation reminders 5. In the Send reminders field select Custom, then set the Remind me every field to 90 and the period drop down to Days. 6. Click Save", + "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each Storage Account, go to Access keys 3. Click Set rotation reminder If the checkbox for Enable key rotation reminders is already checked, that Storage Account is compliant. 
Review the Remind me every field for a desirable periodic setting that fits your security program's needs.", + "AdditionalInformation": "", + "DefaultValue": "By default, Key rotation reminders is not configured.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-manage-application-identities-securely-and-automatically:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-8-restrict-the-exposure-of-credential-and-secrets:https://www.pcidssguide.com/pci-dss-key-rotation-requirements/:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" + } + ] + }, + { + "Id": "3.4", + "Description": "Ensure that Storage Account Access Keys are Periodically Regenerated", + "Checks": [ + "storage_key_rotation_90_days" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "For increased security, regenerate storage account access keys periodically.", + "RationaleStatement": "When a storage account is created, Azure generates two 512-bit storage access keys which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result from the compromise of these keys. 
Cryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.' For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting.", + "ImpactStatement": "Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients who use the access key to access the storage account must be updated to use the new key.", + "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each Storage Account with outdated keys, go to Access keys 3. Click Rotate key next to the outdated key, then click Yes to the prompt confirming that you want to regenerate the access key. After Azure regenerates the Access Key, you can confirm that Access keys reflects a Last rotated date of (0 days ago).", + "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each Storage Account, go to Access keys 3. Review the date in the Last rotated field for each key. If the Last rotated field indicates value greater than 90 day [or greater than your organization's period of validity], the key should be rotated. From Azure CLI 1. Get a list of storage accounts az storage account list --subscription Make a note of id, name and resourceGroup. 2. For every storage account make sure that key is regenerated in past 90 days. 
az monitor activity-log list --namespace Microsoft.Storage --offset 90d -- query '[?contains(authorization.action, 'regenerateKey')]' --resource-id The output should contain 'authorization'/'scope': AND 'authorization'/'action': 'Microsoft.Storage/storageAccounts/regeneratekey/action' AND 'status'/'localizedValue': 'Succeeded' 'status'/'Value': 'Succeeded'", + "AdditionalInformation": "", + "DefaultValue": "By default, access keys are not regenerated periodically.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-manage-application-identities-securely-and-automatically:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://www.pcidssguide.com/pci-dss-key-rotation-requirements/:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" + } + ] + }, + { + "Id": "3.5", + "Description": "Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests", + "Checks": [], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. 
Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.", + "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.", + "ImpactStatement": "Enabling this setting can have a high impact on the cost of the log analytics service and data storage used by logging more data per each request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.", + "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings (classic) blade from Monitoring (classic) section. 4. Set the Status to On, if set to Off. 5. Select Queue properties. 6. Select Read, Write and Delete options under the Logging section to enable Storage Logging for Queue service.From Azure CLI Use the below command to enable the Storage Logging for Queue service. az storage logging update --account-name --account-key --services q --log rwd --retention 90", + "AuditProcedure": "From Azure Portal: 1. Go to Storage Accounts. 2. Select the specific Storage Account. 3. 
Click the Diagnostics settings (classic) blade from Monitoring (classic) section. 4. Ensure the Status is set to On, if set to Off. 5. Select Queue properties. 6. Ensure Read Write Delete options are selected under the Logging section. From Azure CLI Ensure the below command's output contains properties delete, read and write set to true. az storage logging show --services q --account-name ", + "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every queue due to their nature and intent. This recommendation may be applicable to storage account queue services where the security is paramount.", + "DefaultValue": "By default storage account queue services are not logged.", + "References": "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources:https://docs.microsoft.com/en-us/azure/storage/queues/monitor-queue-storage?tabs=azure-portal" + } + ] + }, + { + "Id": "3.6", + "Description": "Ensure that Shared Access Signature Tokens Expire Within an Hour", + "Checks": [], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Expire shared access signature tokens within an hour.", + "RationaleStatement": "A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. 
This time should be set as low as possible and preferably no longer than an hour.", + "ImpactStatement": "", + "RemediationProcedure": "When generating shared access signature tokens, use start and end time such that it falls within an hour. From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to Shared access signature 3. Set Start and expiry date/time within an hour", + "AuditProcedure": "Currently, SAS token expiration times cannot be audited. Until Microsoft makes token expiration time a setting rather than a token creation parameter, this recommendation would require a manual verification.", + "AdditionalInformation": "", + "DefaultValue": "By default, expiration for shared access signature is set to 8 hours.", + "References": " https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature:https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview" + } + ] + }, + { + "Id": "3.7", + "Description": "Ensure that 'Public access level' is disabled for storage accounts with blob containers", + "Checks": [ + "storage_blob_public_access_level_is_disabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.", + "RationaleStatement": "The default configuration for a storage account permits a user with appropriate permissions to configure public (anonymous) access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read- only access to these resources without sharing the account key, and without requiring a shared access signature. 
It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on any container in the storage account, it's recommended to set allowBlobPublicAccess false at the account level, which forbids any container to accept anonymous access in the future.", + "ImpactStatement": "Access will have to be managed using shared access signatures or via Azure AD RBAC.", + "RemediationProcedure": "From Azure Portal First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then, 1. Go to Storage Accounts 2. For each storage account, go to Networking in Security + networking 3. Set Public Network Access to Disabled if no anonymous access is needed on the storage account From Azure CLI Set 'Public Network Access' to Disabled on the storage account az storage account update --name --resource-group --public-network-access Disabled From PowerShell For each Storage Account, run the following to set the PublicNetworkAccess setting to Disabled Set-AzStorageAccount -ResourceGroupName -Name -PublicNetworkAccess Disabled", + "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to the Networking setting under Security + networking 3. Ensure the Public Network Access setting is set to Disabled. 
From Azure CLI Ensure publicNetworkAccess is Disabled az storage account show --name --resource-group --query '{publicNetworkAccess:publicNetworkAccess}' From PowerShell For each Storage Account, ensure PublicNetworkAccess is Disabled Get-AzStorageAccount -Name -ResourceGroupName |select PublicNetworkAccess", + "AdditionalInformation": "", + "DefaultValue": "By default, Public Network Access is set to Enabled from all networks for the Storage Account.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-manage-application-identities-securely-and-automatically:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy:https://www.pcidssguide.com/pci-dss-key-rotation-requirements/:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" + } + ] + }, + { + "Id": "3.8", + "Description": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny", + "Checks": [ + "storage_default_network_access_rule_is_denied" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. 
To limit access to selected networks, the default action must be changed.", + "RationaleStatement": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.", + "ImpactStatement": "All allowed networks will need to be whitelisted on each specific network, creating administrative overhead. This may result in loss of network connectivity, so do not turn on for critical resources during business hours.", + "RemediationProcedure": "From Azure Console 1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade 3. Click the Firewalls and virtual networks heading. 4. Ensure that you have elected to allow access from Selected networks 5. Add rules to allow traffic from specific network. 6. Click Save to apply your changes. From Azure CLI Use the below command to update default-action to Deny. az storage account update --name --resource-group --default-action Deny", + "AuditProcedure": "From Azure Console 1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade. 3. Click the Firewalls and virtual networks heading. 4. Ensure that Allow access from All networks is not selected. From Azure CLI Ensure defaultAction is not set to Allow. 
az storage account list --query '[*].networkRuleSet' From PowerShell Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccountNetworkRuleset -ResourceGroupName -Name |Select-Object DefaultAction PowerShell Result - Non-Compliant DefaultAction : Allow PowerShell Result - Compliant DefaultAction : Deny", + "AdditionalInformation": "", + "DefaultValue": "By default, Storage Accounts will accept connections from clients on any network.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls" + } + ] + }, + { + "Id": "3.9", + "Description": "Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access ", + "Checks": [ + "storage_ensure_azure_services_are_trusted_to_access_is_enabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. 
If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).", + "RationaleStatement": "Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. We can re-enable this functionality by enabling 'Trusted Azure Services' through networking exceptions.", + "ImpactStatement": "This creates authentication credentials for services that need access to storage resources so that services will no longer need to communicate via network request.There may be a temporary loss of communication as you set each Storage Account. Itis recommended to not do this on mission-critical resources during business hours.", + "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade 3. Click on the Firewalls and virtual networks heading. 4. Ensure that Enabled from selected virtual networks and IP addresses is selected. 5. Under the 'Exceptions' label, enable check box for Allow Azure services on the trusted services list to access this storage account. 6. Click Save to apply your changes. From Azure CLI Use the below command to update Azure services. az storage account update --name --resource-group --bypass AzureServices", + "AuditProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, Click on the Networking blade 3. Click on the Firewalls and virtual networks heading. 4. Ensure that Enabled from selected virtual networks and IP addresses is selected. 5. Ensure that Allow Azure services on the trusted services list to access this storage account is checked in Exceptions. 
From Azure CLI Ensure bypass contains AzureServices az storage account list --query '[*].networkRuleSet' From PowerShell Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccountNetworkRuleset -ResourceGroupName -Name |Select-Object Bypass If the resultant output from the above command shows 'NULL', that storage account configuration is out of compliance with this check. If the result of the above command shows 'AzureServices', that storage account configuration is in compliance with this check.", + "AdditionalInformation": "", + "DefaultValue": "By default, Storage Accounts will accept connections from clients on any network.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls" + } + ] + }, + { + "Id": "3.10", + "Description": "Ensure Private Endpoints are used to access Storage Accounts", + "Checks": [ + "storage_ensure_private_endpoints_in_storage_accounts" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. 
This creates further security through segmenting network traffic and preventing outside sources from accessing it.", + "RationaleStatement": "Securing traffic between services through encryption protects the data from easy interception and reading.", + "ImpactStatement": "There is no cost in deploying VNets between Azure resources. If improperly implemented, it may result in loss of critical network traffic.", + "RemediationProcedure": "From Azure Portal 1. Open the Storage Accounts blade 2. For each listed Storage Account, perform the following: 3. Under the Security + networking heading, click on Networking 4. Click on the Private Endpoint Connections tab at the top of the networking window 5. Click the +Private endpoint button 6. In the 1 - Basics tab/step: o Enter a name that will be easily recognizable as associated with the Storage Account (Note: The 'Network Interface Name' will be automatically completed, but you can customize it if needed.) o Ensure that the Region matches the region of the Storage Account o Click Next 7. In the 2 - Resource tab/step: o Select the target sub-resource based on what type of storage resource is being made available o Click Next 8. In the 3 - Virtual Network tab/step: o Select the Virtual network that your Storage Account will be connecting to o Select the Subnet that your Storage Account will be connecting to o (Optional) Select other network settings as appropriate for your environment o Click Next 9. In the 4 - DNS tab/step: o (Optional) Select other DNS settings as appropriate for your environment o Click Next 10. In the 5 - Tags tab/step: o (Optional) Set any tags that are relevant to your organization o Click Next 11. In the 6 - Review + create tab/step: o A validation attempt will be made and after a few moments it should indicate Validation Passed - if it does not pass, double-check your settings before beginning more in depth troubleshooting. 
o If validation has passed, click Create then wait for a few minutes for the scripted deployment to complete. Repeat the above procedure for each Private Endpoint required within every Storage Account. From PowerShell $storageAccount = Get-AzStorageAccount -ResourceGroupName '' -Name '' $privateEndpointConnection = @{ Name = 'connectionName' PrivateLinkServiceId = $storageAccount.Id GroupID = 'blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_se condary|web|web_secondary|dfs|dfs_secondary' } $privateLinkServiceConnection = New-AzPrivateLinkServiceConnection @privateEndpointConnection $virtualNetDetails = Get-AzVirtualNetwork -ResourceGroupName '' -Name '' $privateEndpoint = @{ ResourceGroupName = '' Name = '' Location = '' Subnet = $virtualNetDetails.Subnets[0] PrivateLinkServiceConnection = $privateLinkServiceConnection } New-AzPrivateEndpoint @privateEndpoint From Azure CLI az network private-endpoint create --resource-group --name --vnet-name -- subnet --private-connection-resource-id -- connection-name --group-id ", + "AuditProcedure": "From Azure Portal 1. Open the Storage Accounts blade. 2. For each listed Storage Account, perform the following check: 3. Under the Security + networking heading, click on Networking. 4. Click on the Private Endpoint Connections tab at the top of the networking window. 5. Ensure that for each VNet that the Storage Account must be accessed from, a unique Private Endpoint is deployed and the Connection State for each Private Endpoint is Approved Repeat the procedure for each Storage Account. 
From PowerShell $storageAccount = Get-AzStorageAccount -ResourceGroup '' - Name '' Get-AzPrivateEndpoint -ResourceGroup ''|Where-Object {$_.PrivateLinkServiceConnectionsText -match $storageAccount.id} If the results of the second command returns information, the Storage Account is using a Private Endpoint and complies with this Benchmark, otherwise if the results of the second command are empty, the Storage Account generates a finding. From Azure CLI az storage account show --name '' --query 'privateEndpointConnections[0].id' If the above command returns data, the Storage Account complies with this Benchmark, otherwise if the results are empty, the Storage Account generates a finding.", + "AdditionalInformation": "A NAT gateway is the recommended solution for outbound internet access.", + "DefaultValue": "By default, Private Endpoints are not created for Storage Accounts.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints:https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-cli?tabs=dynamic-ip:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell?tabs=dynamic-ip:https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls" + } + ] + }, + { + "Id": "3.11", + "Description": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage", + "Checks": [ + "storage_ensure_soft_delete_is_enabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. 
Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.", + "RationaleStatement": "Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the 'Retention policies,' ranging from 7 days to 365 days.", + "ImpactStatement": "Additional storage costs may be incurred as snapshots are retained.", + "RemediationProcedure": "From Azure Portal 1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath. 2. Select Storage. 3. Select Storage Accounts. 4. For each Storage Account, navigate to Data protection in the left scroll column. 5. Check soft delete for both blobs and containers. Set the retention period to a sufficient length for your organization. From Azure CLI Update blob storage retention days in below command az storage blob service-properties delete-policy update --days-retained --account-name --account-key --enable true Update container retention with the below command az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days --account-name --resource-group --account-key ", + "AuditProcedure": "From Azure Portal: 1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath. 2. 
Select Storage. 3. Select Storage Accounts. 4. For each Storage Account, navigate to Data protection in the left scroll column. 5. Ensure that soft delete is checked for both blobs and containers. Also check if the retention period is a sufficient length for your organization. From Azure CLI Blob Storage Ensure that the output of the below command contains enabled status as true and days is not empty or null az storage blob service-properties delete-policy show --account-name --account-key Azure Containers Make certain that the --enable-container-delete-retention is 'true'. az storage account blob-service-properties show --account-name --account-key --resource-group ", + "AdditionalInformation": "", + "DefaultValue": "When a new storage account is created, soft delete for containers and blob storage is by default disabled.", + "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete:https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-overview:https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-enable?tabs=azure-portal" + } + ] + }, + { + "Id": "3.12", + "Description": "Ensure Storage for Critical Data are Encrypted with Customer Managed Keys", + "Checks": [ + "storage_ensure_encryption_with_customer_managed_keys" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.", + "RationaleStatement": "By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. 
That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.", + "ImpactStatement": "If the key expires by setting the 'activation date' and 'expiration date', the user must rotate the key manually. Using Customer Managed Keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed.", + "RemediationProcedure": "From Azure Portal 1. Go to Storage Accounts 2. For each storage account, go to Encryption 3. Set Customer Managed Keys 4. Select the Encryption key and enter the appropriate setting value 5. Click Save", + "AuditProcedure": "From Azure Console: 1. Go to Storage Accounts 2. For each storage account, go to Encryption 3. Ensure that Encryption type is set to Customer Managed Keys From PowerShell Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccount |Select-Object -ExpandProperty Encryption PowerShell Results - Non-Compliant KeySource : Microsoft.Storage PowerShell Results - Compliant KeySource : Microsoft.Keyvault", + "AdditionalInformation": "", + "DefaultValue": "By default, Encryption type is set to Microsoft Managed Keys.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption:https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest:https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required" + } + ] + }, + { + "Id": "3.13", + "Description": "Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests", + "Checks": [], + "Attributes": [ + { + 
"Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.", + "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best- effort basis. Storage Analytics logging is not enabled by default for your storage account.", + "ImpactStatement": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.", + "RemediationProcedure": "Remediation: From Azure Portal 1. From the default portal page select Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings under the Monitoring section in the left column. 4. Select the 'blob' tab indented below the storage account. 5. Click '+ Add diagnostic setting'. 6. Select StorageRead, StorageWrite and StorageDelete options under the Logging section to enable Storage Logging for Blob service. 7. Select a destination for your logs to be sent to. From Azure CLI Use the below command to enable the Storage Logging for Blob service. 
az storage logging update --account-name --account-key --services b --log rwd --retention 90", + "AuditProcedure": "From Azure Portal 1. From the default portal page select Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings under the Monitoring section in the left column. 4. Select the 'blob' tab indented below the storage account. Then select the diagnostic setting listed. 5. Ensure StorageRead, StorageWrite, and StorageDelete options are selected under the Logging section and that they are sent to the correct destination. From Azure CLI Ensure the below command's output contains properties delete, read and write set to true. az storage logging show --services b --account-name ", + "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every blob due to their nature and intent. This recommendation may be applicable to storage account blob service where the security is paramount.", + "DefaultValue": "By default, storage account blob service logging is disabled for read, write, and delete operations.", + "References": " https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "3.14", + "Description": "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests", + "Checks": [], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. 
Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.", + "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best- effort basis. Storage Analytics logging is not enabled by default for your storage account", + "ImpactStatement": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost", + "RemediationProcedure": "From Azure Portal 1. From the default portal page select Storage Accounts. 2. Select the specific Storage Account. 3. Click the Diagnostics settings under the Monitoring section in the left column. 4. Select the 'table' tab indented below the storage account. 5. Click '+ Add diagnostic setting'. 6. Select StorageRead, StorageWrite and StorageDelete options under the Logging section to enable Storage Logging for Table service. 7. Select a destination for your logs to be sent to. From Azure CLI Use the below command to enable the Storage Logging for Table service. az storage logging update --account-name --account-key --services t --log rwd --retention 90", + "AuditProcedure": "From Azure Portal 1. From the default portal page select Storage Accounts. 2. 
Select the specific Storage Account. 3. Click the Diagnostics settings under the Monitoring section in the left column. 4. Select the 'table' tab indented below the storage account. Then select the diagnostic setting listed. 5. Ensure StorageRead, StorageWrite, and StorageDelete options are selected under the Logging section and that they are sent to the correct destination. From Azure CLI Ensure the below command's output contains properties delete, read and write set to true. az storage logging show --services t --account-name ", + "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every table due to their nature and intent. This recommendation may be applicable to storage account table service where the security is paramount.", + "DefaultValue": "By default, storage account table service logging is disabled for read, write, an delete operations", + "References": "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources" + } + ] + }, + { + "Id": "3.15", + "Description": "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'", + "Checks": [ + "storage_ensure_minimum_tls_version_12" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "In some cases, Azure Storage sets the minimum TLS versio n to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLSversion can be configured to be later protocols such as TLS 1.2.", + "RationaleStatement": "TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. 
Continued use of this legacy protocol affects the security of data in transit.", + "ImpactStatement": "When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.", + "RemediationProcedure": "From Azure Console 1. Login to Azure Portal using https://portal.azure.com 2. Go to Storage Accounts 3. Click on each Storage Account 4. Under Setting section, Click on Configuration 5. Set the minimum TLS version to be Version 1.2 From Azure CLI az storage account update --name --resource-group --min-tls-version TLS1_2 From Azure PowerShell To set the minimum TLS version, run the following command: Set-AzStorageAccount -AccountName ` -ResourceGroupName ` -MinimumTlsVersion TLS1_2", + "AuditProcedure": "From Azure Console 1. Login to Azure Portal using https://portal.azure.com 2. Go to Storage Accounts 3. Click on each Storage Account 4. Under Setting section, Click on Configuration 5. Ensure that the minimum TLS version is set to be Version 1.2 From Azure CLI Get a list of all storage accounts and their resource groups az storage account list | jq '.[] | {name, resourceGroup}' Then query the minimumTLSVersion field az storage account show --name --resource-group --query minimumTlsVersion --output tsv From Azure PowerShell To get the minimum TLS version, run the following command: (Get-AzStorageAccount -Name -ResourceGroupName ).MinimumTlsVersion", + "AdditionalInformation": "", + "DefaultValue": "If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2. 
If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit" + } + ] + }, + { + "Id": "4.1.1", + "Description": "Ensure that 'Auditing' is set to 'On'", + "Checks": [ + "sqlserver_auditing_enabled" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable auditing on SQL Servers.", + "RationaleStatement": "The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.", + "ImpactStatement": "When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. Select the SQL server instance 3. Under Security, click Auditing 4. Click the toggle next to Enable Azure SQL Auditing 5. Select an Audit log destination 6. Click Save From PowerShell Get the list of all SQL Servers Get-AzSqlServer For each Server, enable auditing and set the retention for at least 90 days. 
Log Analytics Example Set-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays -LogAnalyticsTargetState Enabled - WorkspaceResourceId '/subscriptions//resourceGroups/insights- integration/providers/Microsoft.OperationalInsights/workspaces/ Event Hub Example Set-AzSqlServerAudit -ResourceGroupName '' -ServerName '' -EventHubTargetState Enabled -EventHubName '' -EventHubAuthorizationRuleResourceId '' Blob Storage Example* Set-AzSqlServerAudit -ResourceGroupName '' -ServerName '' -BlobStorageTargetState Enabled -StorageAccountResourceId '/subscriptions//resourceGroups//providers/M icrosoft.Stora ge/storageAccounts/'", + "AuditProcedure": "From Azure Portal 1. Go to SQL servers 2. For each server instance 3. Click on Auditing 4. Ensure that Enable Azure SQL Auditing is set to On From PowerShell Get the list of all SQL Servers Get-AzSqlServer For each Server Get-AzSqlServerAudit -ResourceGroupName -ServerName Ensure that BlobStorageTargetState, EventHubTargetState, or LogAnalyticsTargetState is set to Enabled.", + "AdditionalInformation": "• A server policy applies to all existing and newly created databases on the server.• If server blob auditing is enabled, it always applies to the database. Thedatabase will be audited, regardless of the database auditing settings. Auditingtype table is already deprecated leaving only type blob available.• Enabling blob auditing on the database, in addition to enabling it on the server,does not override or change any of the settings of the server blob auditing. Bothaudits will exist side by side. 
In other words, the database is audited twice inparallel; once by the server policy and once by the database policy.", + "DefaultValue": "By default, Enable Azure SQL Auditing is set to Off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "4.1.2", + "Description": "Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)", + "Checks": [ + "sqlserver_unrestricted_inbound_access" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).", + "RationaleStatement": "Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters. By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services. Additionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet. 
In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.", + "ImpactStatement": "Disabling Allow Azure services and resources to access this server will break all connections to SQL server and Hosted Databases unless custom IP specific rules areadded in Firewall Policy.", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. For each SQL server 3. Click on Networking 4. Uncheck the checkbox for Allow Azure services and resources to access this server 5. Set firewall rules to limit access to only authorized connections From Azure CLI Disable default firewall rule Allow access to Azure services: az sql server firewall-rule delete --resource-group --server --name 'AllowAllWindowsAzureIps' Remove a custom firewall rule: az sql server firewall-rule delete --resource-group --server --name Create a firewall rule: az sql server firewall-rule create --resource-group --server --name --start-ip-address '' --end-ip-address '' Update a firewall rule: az sql server firewall-rule update --resource-group --server --name --start-ip-address '' --end-ip-address '' From PowerShell Disable Default Firewall Rule Allow access to Azure services : Remove-AzSqlServerFirewallRule -FirewallRuleName 'AllowAllWindowsAzureIps' - ResourceGroupName -ServerName Remove a custom Firewall rule: Remove-AzSqlServerFirewallRule -FirewallRuleName '' - ResourceGroupName -ServerName Set the appropriate firewall rules: Set-AzSqlServerFirewallRule -ResourceGroupName - ServerName -FirewallRuleName '' - StartIpAddress '' -EndIpAddress ''", + "AuditProcedure": "From Azure Portal 1. Go to SQL servers 2. For each SQL server 3. Click on Networking 4. Ensure that Allow Azure services and resources to access this server is Unchecked 5. 
Ensure that no firewall rule exists with • Start IP of 0.0.0.0 • or other combinations which allows access to wider public IP ranges From Azure CLI List all SQL servers az sql server list For each SQL server run the following command az sql server firewall-rule list --resource-group -- server Ensure the output does not contain any firewall allow rules with a source of 0.0.0.0, or any rules named AllowAllWindowsAzureIps From PowerShell Get the list of all SQL Servers Get-AzSqlServer For each Server Get-AzSqlServerFirewallRule -ResourceGroupName - ServerName Ensure that StartIpAddress is not set to 0.0.0.0, /0 or other combinations which allows access to wider public IP ranges including Windows Azure IP ranges. Also ensure that FirewallRuleName doesn't contain AllowAllWindowsAzureIps which is the rule created when the Allow Azure services and resources to access this server setting is enabled for that SQL Server.", + "AdditionalInformation": "Firewall rules configured on individual SQL Database using Transact-sql overrides the rules set on SQL server. Azure does not provide any Powershell, API, CLI, Portal option to check database level firewall rules, and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, Firewall rules should be checked using SQL client.", + "DefaultValue": "By default, Allow access to Azure Services is set to NO.", + "References": "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls" + } + ] + }, + { + "Id": "4.1.3", + "Description": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key", + "Checks": [ + "sqlserver_tde_encrypted_with_cmk" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. 
Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security. Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).", + "RationaleStatement": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.", + "ImpactStatement": "Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you, and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible. When deploying Customer Managed Keys, it is prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault. As far as toolsets go, check with your cryptographic key provider, as they may well provide one as an add-on to their service", + "RemediationProcedure": "From Azure Console 1. Go to SQL servers For the desired server instance 2. 
Click On Transparent data encryption 3. Set Transparent data encryption to Customer-managed key 4. Browse through your key vaults to Select an existing key or create a new key in the Azure Key Vault. 5. Check Make selected key the default TDE protector From Azure CLI Use the below command to encrypt SQL server's TDE protector with a Customer- managed key az sql server tde-key set --resource-group --server --server-key-type {AzureKeyVault} --kid From PowerShell Use the below command to encrypt SQL server's TDE protector with a Customer- managed Key Vault key Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId -ServerName -ResourceGroupName Select Y when prompted", + "AuditProcedure": "From Azure Portal 1. Go to SQL servers For the desired server instance 2. Click On Transparent data encryption 3. Ensure that Customer-managed key is selected 4. Ensure Make selected key the default TDE protector is checked From Azure CLI az account get-access-token --query '{subscripton:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X GET -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/resourceGroups/{resourceGroupNa me}/providers/Microsoft.Sql/servers/{serverName}/encryptionProtector?api- version=2015-05-01-preview' Ensure the output of the command contains properties kind set to azurekeyvault serverKeyType set to AzureKeyVault uri is not null From PowerShell Get-AzSqlServerTransparentDataEncryptionProtector -ServerName - ResourceGroupName Ensure the output of the command contains properties Type set to AzureKeyVault ServerKeyVaultKeyName set to KeyVaultName_KeyName_KeyIdentifierVersion KeyId set to KeyIdentifier", + "AdditionalInformation": "• This configuration is audited or can be done only on SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. 
• Ensuring TDE is protected by a Customer-managed key on SQL Server does not ensure the encryption of SQL Databases. Transparent Data Encryption : Data Encryption (ON/OFF) setting on individual SQL Database decides whether database is encrypted or not.", + "DefaultValue": "By Default, Microsoft managed TDE protector is enabled for a SQL server.", + "References": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql:https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/:https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required:https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts:https://docs.microsoft.com/en-us/cli/azure/sql/server/tde-key?view=azure-cli-latest:https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0:https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0" + } + ] + }, + { + "Id": "4.1.4", + "Description": "Ensure that Azure Active Directory Admin is Configured for SQL Servers", + "Checks": [ + "sqlserver_azuread_administrator_enabled" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.", + "RationaleStatement": "Azure Active Directory authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). 
With Azure AD authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management. • It provides an alternative to SQL Server authentication. • Helps stop the proliferation of user identities across database servers. • Allows password rotation in a single place. • Customers can manage database permissions using external (AAD) groups. • It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. • Azure AD authentication uses contained database users to authenticate identities at the database level. • Azure AD supports token-based authentication for applications connecting to SQL Database. • Azure AD authentication supports ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. • Azure AD supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options — phone call, text message, smart cards with pin, or mobile app notification.", + "ImpactStatement": "This will create administrative overhead with user account and permission management. For further security on these administrative accounts, you may want toconsider higher tiers of AAD which support features like Multi Factor Authentication, thatwill cost more.", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. For each SQL server, click on Active Directory admin 3. Click on Set admin 4. Select an admin 5. 
Click Save From Azure CLI az ad user show --id For each Server, set AD Admin az sql server ad-admin create --resource-group --server --display-name --object-id From PowerShell For each Server, set AD Admin Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName ''", + "AuditProcedure": "From Azure Portal 1. Go to SQL servers 2. For each SQL server, click on Active Directory admin under the Settings section 3. Ensure that a value has been set for Admin Name under the Azure Active Directory admin section From Azure CLI To list SQL Server Admins on a specific server: az sql server ad-admin list --resource-group --server From PowerShell Print a list of all SQL Servers to find which one you want to audit Get-AzSqlServer Audit a list of Administrators on a Specific Server Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName Ensure Output shows DisplayName set to AD account.", + "AdditionalInformation": "NOTE - Assigning an Administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. 
The How-to Guides should be used to determine what roles should be assigned and what groups should be created to manage permissions and access to resources.", + "DefaultValue": "Azure Active Directory Authentication for SQL Database/Server is not enabled by default", + "References": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-1-use-centralized-identity-and-authentication-system:https://docs.microsoft.com/en-us/cli/azure/sql/server/ad-admin?view=azure-cli-latest#az_sql_server_ad_admin_list" + } + ] + }, + { + "Id": "4.1.5", + "Description": "Ensure that 'Data encryption' is set to 'On' on a SQL Database", + "Checks": [ + "sqlserver_tde_encryption_enabled" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable Transparent Data Encryption on every SQL server.", + "RationaleStatement": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Go to SQL databases 2. For each DB instance 3. Click on Transparent data encryption 4. Set Data encryption to On From Azure CLI Use the below command to enable Transparent data encryption for SQL DB instance. az sql db tde set --resource-group --server -- database --status Enabled From PowerShell Use the below command to enable Transparent data encryption for SQL DB instance. 
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName -ServerName -DatabaseName -State 'Enabled' Note: • TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. • Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.", + "AuditProcedure": "From Azure Portal 1. Go to SQL databases 2. For each DB instance 3. Click on Transparent data encryption 4. Ensure that Data encryption is set to On From Azure CLI Ensure the output of the below command is Enabled az sql db tde show --resource-group --server - -database --query status From PowerShell Get a list of SQL Servers. Get-AzSqlServer For each server, list the databases. Get-AzSqlDatabase -ServerName -ResourceGroupName For each database not listed as a Master database, check for Transparent Data Encryption. Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName -ServerName -DatabaseName Make sure DataEncryption is Enabled for each database except the Master database.", + "AdditionalInformation": "• Transparent Data Encryption (TDE) can be enabled or disabled on individual SQLDatabase level and not on the SQL Server level.• TDE cannot be used to encrypt the logical master database in SQL Database.The master database contains objects that are needed to perform the TDEoperations on the user databases.", + "DefaultValue": "By default, Data encryption is set to On.", + "References": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default:https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption?view=azps-9.2.0" + } + ] + }, + { + "Id": "4.1.6", + "Description": "Ensure that 
'Auditing' Retention is 'greater than 90 days'", + "Checks": [ + "sqlserver_auditing_retention_90_days" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "SQL Server Audit Retention should be configured to be greater than 90 days.", + "RationaleStatement": "Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. For each server instance 3. Click on Auditing 4. If storage is selected, expand Advanced properties 5. Set the Retention (days) setting greater than 90 days or 0 for unlimited retention. 6. Select Save From PowerShell For each Server, set retention policy to more than 90 days Log Analytics Example Set-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays -LogAnalyticsTargetState Enabled - WorkspaceResourceId '/subscriptions//resourceGroups/insights- integration/providers/Microsoft.OperationalInsights/workspaces/ Event Hub Example Set-AzSqlServerAudit -ResourceGroupName '' -ServerName '' -EventHubTargetState Enabled -EventHubName '' -EventHubAuthorizationRuleResourceId '' Blob Storage Example* Set-AzSqlServerAudit -ResourceGroupName '' -ServerName '' -BlobStorageTargetState Enabled -StorageAccountResourceId '/subscriptions//resourceGroups//providers/M icrosoft.Stora ge/storageAccounts/'", + "AuditProcedure": "From Azure Portal 1. Go to SQL servers 2. For each server instance 3. Click on Auditing 4. If storage is selected, expand Advanced properties 5. Ensure Retention (days) setting is greater than 90 days or 0 for unlimited retention. 
From PowerShell Get the list of all SQL Servers Get-AzSqlServer For each Server Get-AzSqlServerAudit -ResourceGroupName -ServerName Ensure that RetentionInDays is set to more than 90 Note: If the SQL server is set with LogAnalyticsTargetState setting set to Enabled, run the following additional command. Get-AzOperationalInsightsWorkspace | Where-Object {$_.ResourceId -eq } Ensure that RetentionInDays is set to more than 90", + "AdditionalInformation": "", + "DefaultValue": "By default, SQL Server audit storage is disabled.", + "References": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-6-configure-log-storage-retention" + } + ] + }, + { + "Id": "4.2.1", + "Description": "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers", + "Checks": [ + "sqlserver_microsoft_defender_enabled" + ], + "Attributes": [ + { + "Section": "4.2 SQL Server - Microsoft Defender for SQL", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enable 'Microsoft Defender for SQL' on critical SQL Servers.", + "RationaleStatement": "Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. 
It provides a single go-to location for enabling and managing these capabilities.", + "ImpactStatement": "Microsoft Defender for SQL is a paid feature and will incur additional cost for each SQL server.", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers For each production SQL server instance: 2. Click Microsoft Defender for Cloud 3. Click Enable Microsoft Defender for SQL From PowerShell Enable Advanced Data Security for a SQL Server: Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True Note: • Enabling 'Microsoft Defender for SQL' from the Azure portal enables Threat Detection • Using Powershell command Set-AzSqlServerThreatDetectionPolicy enables Microsoft Defender for SQL for a SQL server", + "AuditProcedure": "From Azure Portal 1. Go to SQL servers For each production SQL server instance: 2. Click Microsoft Defender for Cloud 3. Ensure that Enablement Status is Enabled From PowerShell Get the list of all SQL Servers Get-AzSqlServer For each Server Get-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName -ServerName Ensure that ThreatDetectionState is set to Enabled.", + "AdditionalInformation": "• The feature 'Microsoft Defender for SQL' can be enabled only on SQL server and the same settings will be inherently applied to the SQL databases hosted on the SQL server.", + "DefaultValue": "By default, Microsoft Defender for SQL is set to Off.", + "References": "https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverthreatdetectionpolicy?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data" + } + ] + }, + { + "Id": "4.2.2", + "Description": "Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage 
Account", + "Checks": [ + "sqlserver_vulnerability_assessment_enabled" + ], + "Attributes": [ + { + "Section": "4.2 SQL Server - Microsoft Defender for SQL", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.", + "RationaleStatement": "Enabling Microsoft Defender for SQL server does not enables Vulnerability Assessment capability for individual SQL databases unless storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.", + "ImpactStatement": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. Select a server instance 3. Click on Security Center 4. Select Configure next to Enabled at subscription-level 5. In Section Vulnerability Assessment Settings, Click Select Storage account 6. Choose Storage Account (Existing or Create New). Click Ok 7. Click Save From PowerShell If not already, Enable Microsoft Defender for a SQL: Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName ''` -ServerName ''` -StorageAccountName ' -ServerName Ensure that value for parameter StorageAccountName is not empty (blank). 
Sample Output: ResourceGroupName : ResourceGroup01 ServerName : Server01 StorageAccountName : mystorage ScanResultsContainerName : vulnerability-assessment RecurringScansInterval : None EmailSubscriptionAdmins : False NotificationEmail : {}", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for SQL is not enabled for a SQL server. EnablingMicrosoft Defender for SQL does not enable VA scanning by setting Storage Accountautomatically.", + "References": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment:https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver:https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0:https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" + } + ] + }, + { + "Id": "4.2.3", + "Description": "Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server", + "Checks": [ + "sqlserver_va_periodic_recurring_scans_enabled" + ], + "Attributes": [ + { + "Section": "4.2 SQL Server - Microsoft Defender for SQL", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.", + "RationaleStatement": "VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. 
Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.", + "ImpactStatement": "Enabling the Azure Defender for SQL feature will incur additional costs for each SQL server.", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. For each server instance 3. Click on Security Center 4. In Section Vulnerability Assessment Settings, set Storage Account if not already 5. Toggle 'Periodic recurring scans' to ON. 6. Click Save From PowerShell If not already, Enable Advanced Data Security for a SQL Server: Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with 'Periodic recurring scans' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName ''` -ServerName ''` -StorageAccountName ' -ServerName Ensure that value for parameter RecurringScansInterval is not set to None.", + "AdditionalInformation": "", + "DefaultValue": "Enabling Microsoft Defender for SQL enables 'Periodic recurring scans' by default but does not configure the Storage account.", + "References": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment:https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver:https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0:https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" + } + ] + }, + { + "Id": "4.2.4", + "Description": "Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server", + "Checks": [ + "sqlserver_va_scan_reports_configured" + ], + "Attributes": [ + { + "Section": "4.2 SQL Server - Microsoft 
Defender for SQL", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers", + "RationaleStatement": "Vulnerability Assessment (VA) scan reports and alerts will be sent to email addresses configured at 'Send scan reports to'. This may help in reducing time required foridentifying risks and taking corrective measures.", + "ImpactStatement": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. Select a server instance 3. Select Microsoft Defender for Cloud 4. Select Configure next to Enablement status 5. Set Microsoft Defender for SQL to On 6. Under Vulnerability Assessment Settings, select a Storage Account 7. Set Periodic recurring scans to On 8. Under Send scan reports to, provide email addresses for data owners and stakeholders 9. Click Save From PowerShell If not already, Enable Advanced Data Security for a SQL Server: Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set 'Send scan reports to' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName ''` -ServerName ''` -StorageAccountName ' -ServerName Ensure that value for parameter NotificationEmail is not blank/empty {}.", + "AdditionalInformation": "", + "DefaultValue": "By default, 'Send reports to' is blank.", + "References": 
"https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment:https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver:https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0:https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" + } + ] + }, + { + "Id": "4.2.5", + "Description": "Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server", + "Checks": [ + "sqlserver_va_emails_notifications_admins_enabled" + ], + "Attributes": [ + { + "Section": "4.2 SQL Server - Microsoft Defender for SQL", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.", + "RationaleStatement": "VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.", + "ImpactStatement": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.", + "RemediationProcedure": "From Azure Portal 1. Go to SQL servers 2. Select a server instance 3. Click on Security Center 4. Select Configure next to Enabled at subscription-level 5. In Section Vulnerability Assessment Settings, configure Storage Accounts if not already 6. Check/enable 'Also send email notifications to admins and subscription owners' 7. 
Click Save From PowerShell If not already, Enable Advanced Data Security for a SQL Server: Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set 'Also send email notifications to admins and subscription owners' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName ''` -ServerName ''` -StorageAccountName ' -ServerName Ensure that value for parameter EmailSubscriptionAdmin is set to true.", + "AdditionalInformation": "", + "DefaultValue": "By default, 'Also send email notifications to admins and subscription owners' is enabled.", + "References": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment:https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver:https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0:https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments" + } + ] + }, + { + "Id": "4.3.1", + "Description": "Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_enforce_ssl_enabled" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable SSL connection on PostgreSQL Servers.", + "RationaleStatement": "SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.", + "ImpactStatement": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to Azure Database for PostgreSQL server 3. For each database, click on Connection security 4. In SSL settings, click on ENABLED to enforce SSL connections 5. Click Save From Azure CLI Use the below command to enforce ssl connection for PostgreSQL Database. az postgres server update --resource-group --name --ssl-enforcement Enabled From PowerShell Update-AzPostgreSqlServer -ResourceGroupName -ServerName -SslEnforcement Enabled", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to Azure Database for PostgreSQL server 3. For each database, click on Connection security 4. In SSL settings, ensure Enforce SSL connection is set to ENABLED. From Azure CLI Ensure the output of the below command returns Enabled. az postgres server show --resource-group myresourcegroup --name --query sslEnforcement From PowerShell Ensure the output of the below command returns Enabled. 
Get-AzPostgreSqlServer -ResourceGroupName -ServerName | Select-Object SslEnforcement", + "AdditionalInformation": "", + "DefaultValue": "By default, secure connectivity is enforced, but some application frameworks may not enable it during deployment.", + "References": "https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlserver?view=azps-9.2.0#example-2-get-postgresql-server-by-resource-group-and-server-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlserver?view=azps-9.2.0#example-1-update-postgresql-server-by-resource-group-and-server-name" + } + ] + }, + { + "Id": "4.3.2", + "Description": "Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_log_checkpoints_on" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable log_checkpoints on PostgreSQL Servers.", + "RationaleStatement": "Enabling log_checkpoints helps the PostgreSQ L Database to Log each checkpoint in turn generates query and error logs. However, access to transaction logs is notsupported. Query and error logs can be used to identify, troubleshoot, and repairconfiguration errors and sub-optimal performance.", + "ImpactStatement": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Server parameters. 4. Search for log_checkpoints. 5. Click ON and save. 
From Azure CLI Use the below command to update log_checkpoints configuration. az postgres server configuration set --resource-group -- server-name --name log_checkpoints --value on From PowerShell Update-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name log_checkpoints -Value on", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Server parameters. 4. Search for log_checkpoints. 5. Ensure that value is set to ON. From Azure CLI Ensure value is set to ON az postgres server configuration show --resource-group - -server-name --name log_checkpoints From PowerShell Ensure value is set to ON Get-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name log_checkpoints", + "AdditionalInformation": "", + "DefaultValue": "By default log_checkpoints is enabled (set to on).", + "References": "https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server:https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources:https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#configure-logging:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.3", + "Description": "Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_log_connections_on" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server", + "Profile": "Level 
1", + "AssessmentStatus": "Automated", + "Description": "Enable log_connections on PostgreSQL Servers.", + "RationaleStatement": "Enabling log_connections helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", + "ImpactStatement": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Server parameters. 4. Search for log_connections. 5. Click ON and save. From Azure CLI Use the below command to update log_connections configuration. az postgres server configuration set --resource-group -- server-name --name log_connections --value on From PowerShell Use the below command to update log_connections configuration. Update-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name log_connections -Value on", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Server parameters. 4. Search for log_connections. 5. Ensure that value is set to ON. 
From Azure CLI Ensure log_connections value is set to ON az postgres server configuration show --resource-group -- server-name --name log_connections From PowerShell Ensure log_connections value is set to ON Get-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name log_connections", + "AdditionalInformation": "", + "DefaultValue": "By default log_connections is enabled (set to on).", + "References": "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver:https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.4", + "Description": "Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_log_disconnections_on" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable log_disconnections on PostgreSQL Servers.", + "RationaleStatement": "Enabling log_disconnections helps PostgreSQL Database to Logs end of a session, including duration, which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "ImpactStatement": "Enabling this setting will enable a log of all disconnections. If this is enabled for a high traffic server, the log may grow exponentially.", + "RemediationProcedure": "From Azure Portal 1. 
From Azure Home select the Portal Menu 2. Go to Azure Database for PostgreSQL servers 3. For each database, click on Server parameters 4. Search for log_disconnections. 5. Click ON and save. From Azure CLI Use the below command to update log_disconnections configuration. az postgres server configuration set --resource-group -- server-name --name log_disconnections --value on From PowerShell Use the below command to update log_disconnections configuration. Update-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name log_disconnections -Value on", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Go to Azure Database for PostgreSQL servers 3. For each database, click on Server parameters 4. Search for log_disconnections. 5. Ensure that value is set to ON. From Azure CLI Ensure log_disconnections value is set to ON az postgres server configuration show --resource-group -- server-name --name log_disconnections From PowerShell Ensure log_disconnections value is set to ON Get-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name log_disconnections", + "AdditionalInformation": "", + "DefaultValue": "By default log_disconnections is disabled (set to off).", + "References": "https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server:https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.5", + "Description": "Ensure server parameter 
'connection_throttling' is set to 'ON' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_connection_throttling_on" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable connection_throttling on PostgreSQL Servers.", + "RationaleStatement": "Enabling connection_throttling helps the PostgreSQL Database to Set the verbosity of logged messages. This in turn generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Server parameters. 4. Search for connection_throttling. 5. Click ON and save. From Azure CLI Use the below command to update connection_throttling configuration. az postgres server configuration set --resource-group -- server-name --name connection_throttling --value on From PowerShell Use the below command to update connection_throttling configuration. Update-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name connection_throttling -Value on", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Server parameters. 4. Search for connection_throttling. 5. Ensure that value is set to ON. 
From Azure CLI Ensure connection_throttling value is set to ON az postgres server configuration show --resource-group -- server-name --name connection_throttling From PowerShell Ensure connection_throttling value is set to ON Get-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name connection_throttling", + "AdditionalInformation": "", + "DefaultValue": "By default, connection_throttling is enabled (set to on).", + "References": "https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server:https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.6", + "Description": "Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_log_retention_days_greater_3" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value.", + "RationaleStatement": "Configuring log_retention_days determines the duration in days that Azure Database for PostgreSQL retains log files. Query and error logs can be used to identify,troubleshoot, and repair configuration errors and sub-optimal performance.", + "ImpactStatement": "Configuring this setting will result in logs being retained for the specified number of days. 
If this is configured on a high traffic server, the log may grow quickly to occupy alarge amount of disk space. In this case you may want to set this to a lower number.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Server parameters. 4. Search for log_retention_days. 5. Input a value between 4 and 7 (inclusive) and click Save. From Azure CLI Use the below command to update log_retention_days configuration. az postgres server configuration set --resource-group -- server-name --name log_retention_days --value <4-7> From Powershell Use the below command to update log_retention_days configuration. Update-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name log_retention_days -Value <4-7>", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Server parameters. 4. Search for log_retention_days. 5. Ensure that the value is between 4 and 7 (inclusive). From Azure CLI Ensure log_retention_days value is greater than 3. az postgres server configuration show --resource-group -- server-name --name log_retention_days From Powershell Ensure log_retention_days value is greater than 3. 
Get-AzPostgreSqlConfiguration -ResourceGroupName - ServerName -Name log_retention_days", + "AdditionalInformation": "", + "DefaultValue": "By default log_retention_days is set to 3.", + "References": "https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-6-configure-log-storage-retention:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.7", + "Description": "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled", + "Checks": [ + "postgresql_flexible_server_allow_access_services_disabled" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Disable access from Azure services to PostgreSQL Database Server.", + "RationaleStatement": "If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.", + "ImpactStatement": "Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy alarge amount of disk space. 
In this case you may want to set this to a lower number.", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Connection security. 4. Under Firewall rules, set Allow access to Azure services to No. 5. Click Save. From Azure CLI Use the below command to delete the AllowAllWindowsAzureIps rule for PostgreSQL Database. az postgres server firewall-rule delete --name AllowAllWindowsAzureIps -- resource-group --server-name ", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com. 2. Go to Azure Database for PostgreSQL servers. 3. For each database, click on Connection security. 4. Under Firewall rules, ensure Allow access to Azure services is set to No. From Azure CLI Ensure the output of the below command does not include a rule with the name AllowAllWindowsAzureIps or 'startIpAddress': '0.0.0.0' & 'endIpAddress': '0.0.0.0', az postgres server firewall-rule list --resource-group - -server ", + "AdditionalInformation": "", + "DefaultValue": "The Azure Postgres firewall is set to block all access by default.", + "References": "https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules:https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-6-deploy-web-application-firewall" + } + ] + }, + { + "Id": "4.3.8", + "Description": "Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'", + "Checks": [], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Azure Database for PostgreSQL servers should be created 
with 'infrastructure double encryption' enabled.", + "RationaleStatement": "If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. Encryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.", + "ImpactStatement": "The read and write speeds to the database will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This cost is justified for information security. Customer managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the database.", + "RemediationProcedure": "It is not possible to enable 'infrastructure double encryption' on an existing Azure Database for PostgreSQL server. The remediation steps detail the creation of a new Azure Database for PostgreSQL server with 'infrastructure double encryption' enabled. From Azure Portal 1. Go through the normal process of database creation. 2. On step 2 titled 'Additional settings' ensure that 'Infrastructure double encryption enabled' is 'checked'. 3. Acknowledge that you understand this will impact database performance. 4. Finish database creation as normal. 
From Azure CLI az postgres server create --resource-group --name --location --admin-user --admin- password --sku-name GP_Gen4_2 --version 11 -- infrastructure-encryption Enabled", + "AuditProcedure": "From Azure Portal 1. From Azure Home, click on more services. 2. Click on Databases. 3. Click on Azure Database for PostgreSQL servers. 4. Select the database by clicking on its name. 5. Under Security, click Data encryption. 6. Ensure that 'Infrastructure encryption enabled' is displayed and is 'checked'. From Azure CLI 1. Enter the command az postgres server configuration show --name --resource-group --query 'properties.infrastructureEncryption' -o tsv 2. Verify that Infrastructure encryption is enabled.", + "AdditionalInformation": "Flexible PostgreSQL Database Servers are still in preview. A recommendation will be created for Flexible Servers once the service is out of preview.", + "DefaultValue": "By Default, Double Encryption is disabled.", + "References": "https://docs.microsoft.com/en-us/azure/postgresql/howto-double-encryption:https://docs.microsoft.com/en-us/azure/postgresql/concepts-infrastructure-double-encryption:https://docs.microsoft.com/en-us/azure/postgresql/concepts-data-encryption-postgresql:https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification:https://docs.microsoft.com/en-us/azure/postgresql/howto-double-encryption:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default" + } + ] + }, + { + "Id": "4.4.1", + "Description": "Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server", + "Checks": [ + "postgresql_flexible_server_allow_access_services_disabled" + ], + "Attributes": [ + { + "Section": "4.4 MySQL Database", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable SSL connection on MYSQL Servers.", + "RationaleStatement": "SSL connectivity helps to provide a new layer of security 
by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to Azure Database for MySQL servers 3. For each database, click on Connection security 4. In SSL settings, click on ENABLED to Enforce SSL connections From Azure CLI Use the below command to set MYSQL Databases to Enforce SSL connection. az mysql server update --resource-group --name --ssl-enforcement Enabled", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to Azure Database for MySQL servers 3. For each database, click on Connection security 4. In SSL settings, ensure Enforce SSL connection is set to ENABLED. From Azure CLI Ensure the output of the below command returns ENABLED. 
az mysql server show --resource-group --name --query sslEnforcement", + "AdditionalInformation": "", + "DefaultValue": "Azure Database for MySQL when provisioned through the Azure portal or CLI will require SSL connections by default.", + "References": "https://docs.microsoft.com/en-us/azure/mysql/single-server/concepts-ssl-connection-security:https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-ssl:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit" + } + ] + }, + { + "Id": "4.4.2", + "Description": "Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server", + "Checks": [ + "mysql_flexible_server_minimum_tls_version_12" + ], + "Attributes": [ + { + "Section": "4.4 MySQL Database", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure TLS version on MySQL flexible servers is set to the default value.", + "RationaleStatement": "TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to Azure Database for MySQL flexible servers 3. For each database, click on Server parameters under Settings 4. In the search box, type in tls_version 5. Click on the VALUE dropdown, and ensure only TLSV1.2 is selected for tls_version From Azure CLI Use the below command to set MYSQL flexible databases to used version 1.2 for the tls_version parameter. az mysql flexible-server parameter set --name tls_version --resource- group --server-name --value TLSV1.2", + "AuditProcedure": "From Azure Portal 1. 
Login to Azure Portal using https://portal.azure.com 2. Go to Azure Database for MySQL flexible servers 3. For each database, click on Server parameters under Settings 4. In the search box, type in tls_version 5. Ensure tls_version is set to TLSV1.2 From Azure CLI Ensure the output of the below command contains the key value pair 'values': 'TLSV1.2'. az mysql flexible-server parameter show --name tls_version --resource- group --server-name ", + "AdditionalInformation": "", + "DefaultValue": "By default, TLS is set to v1.2 for MySQL Flexible servers.", + "References": "https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security:https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default" + } + ] + }, + { + "Id": "4.4.3", + "Description": "Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server", + "Checks": [ + "mysql_flexible_server_audit_log_enabled" + ], + "Attributes": [ + { + "Section": "4.4 MySQL Database", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable audit_log_enabled on MySQL Servers.", + "RationaleStatement": "Enabling audit_log_enabled helps MySQL Database to log items such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", + "ImpactStatement": "There are further costs incurred for storage of logs. For high traffic databases these logs will be significant. Determine your organization's needs before enabling.", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com. 2. Select Azure Database for MySQL Servers. 3. Select a database. 4. Under Settings, select Server parameters. 5. Update audit_log_enabled parameter to ON 6. Under Monitoring, select Diagnostic settings. 
7. Select + Add diagnostic setting. 8. Provide a diagnostic setting name. 9. Under Categories, select MySQL Audit Logs. 10. Specify destination details. 11. Click Save. It may take up to 10 minutes for the logs to appear in the configured destination.", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Select Azure Database for MySQL Servers 3. For each database, under the Settings section in the sidebar, select Server parameters 4. Ensure the audit_log_enabled parameter is set to ON", + "AdditionalInformation": "There is also a CLI version: https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-audit-logs-cliThere are numerous settings and event types and it might be helpful to discuss which ofthese may be appropriate to have a separate check item for.", + "DefaultValue": "audit_log_enabled is set to OFF by default", + "References": "https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-audit-logs-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "4.4.4", + "Description": "Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server", + "Checks": [ + "mysql_flexible_server_audit_log_connection_activated" + ], + "Attributes": [ + { + "Section": "4.4 MySQL Database", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Set audit_log_enabled to include CONNECTION on MySQL Servers.", + "RationaleStatement": "Enabling CONNECTION helps MySQL Database to log items such as successful and failed connection attempts to the server. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", + "ImpactStatement": "There are further costs incurred for storage of logs. For high traffic databases these logs will be significant. 
Determine your organization's needs before enabling.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Azure Database for MySQL servers. 3. Select a database. 4. Under Settings, select Server parameters. 5. Update audit_log_enabled parameter to ON. 6. Update audit_log_events parameter to have at least CONNECTION checked. 7. Click Save. 8. Under Monitoring, select Diagnostic settings. 9. Select + Add diagnostic setting. 10. Provide a diagnostic setting name. 11. Under Categories, select MySQL Audit Logs. 12. Specify destination details. 13. Click Save. It may take up to 10 minutes for the logs to appear in the configured destination.", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu. 2. Select Azure Database for MySQL servers. 3. Select a database. 4. Under Settings, select Server parameters. 5. Ensure audit_log_enabled parameter is set to ON. 6. Ensure audit_log_events parameter has CONNECTION checked.", + "AdditionalInformation": "There is also a CLI version: https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-audit-logs-cli", + "DefaultValue": "By default audit_log_events is disabled.", + "References": "https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-audit-logs-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "4.5.1", + "Description": "Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server", + "Checks": [ + "cosmosdb_account_firewall_use_selected_networks" + ], + "Attributes": [ + { + "Section": "4.5 Cosmos DB", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.", + "RationaleStatement": "Selecting certain networks for your Cosmos DB to 
communicate restricts the number of networks including the internet that can interact with what is stored within the database.", + "ImpactStatement": "Failure to whitelist the correct networks will result in a connection loss.", + "RemediationProcedure": "From Azure Portal 1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select a Cosmos DB account to audit. 4. Select Networking. 5. Under Public network access, select Selected networks. 6. Under Virtual networks, select + Add existing virtual network or + Add a new virtual network. 7. For existing networks, select subscription, virtual network, subnet and click Add. For new networks, provide a name, update the default values if required, and click Create. 8. Click Save.", + "AuditProcedure": "From Azure Portal 1. Open the portal menu. 2. Select the Azure Cosmos DB blade 3. Select a Cosmos DB to audit. 4. Select Networking. 5. Under Public network access, ensure Selected networks is selected. 6. Under Virtual networks, ensure appropriate virtual networks are configured. 
From Azure CLI az cosmosdb database list az cosmosdb show isVirtualNetworkFilterEnabled should be set to true", + "AdditionalInformation": "", + "DefaultValue": "By default, Cosmos DBs are set to have access all networks.", + "References": "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints:https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint:https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show:https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list:https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls" + } + ] + }, + { + "Id": "4.5.2", + "Description": "Ensure That Private Endpoints Are Used Where Possible", + "Checks": [ + "cosmosdb_account_use_private_endpoints" + ], + "Attributes": [ + { + "Section": "4.5 Cosmos DB", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Private endpoints limit network traffic to approved sources.", + "RationaleStatement": "For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.", + "ImpactStatement": "Only whitelisted services will have access to communicate with the Cosmos DB.", + "RemediationProcedure": "1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select the Azure Cosmos DB account. 4. Select Networking. 5. Select Private access. 6. Click + Private Endpoint. 7. Provide a Name. 8. Click Next. 9. From the Resource type drop down, select Microsoft.AzureCosmosDB/databaseAccounts. 10. From the Resource drop down, select the Cosmos DB account. 11. Click Next. 12. 
Provide appropriate Virtual Network details. 13. Click Next. 14. Provide appropriate DNS details. 15. Click Next. 16. Optionally provide Tags. 17. Click Next : Review + create. 18. Click Create.", + "AuditProcedure": "From Azure Portal 1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select the Azure Cosmos DB account. 4. Select Networking. 5. Ensure Public network access is set to Selected networks. 6. Ensure the listed networks are set appropriately. 7. Select Private access. 8. Ensure a private endpoint exists and Connection state is Approved.", + "AdditionalInformation": "", + "DefaultValue": "By default Cosmos DB does not have private endpoints enabled and its traffic is public to the network.", + "References": "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints:https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal:https://docs.microsoft.com/en-us/cli/azure/cosmosdb/private-endpoint-connection?view=azure-cli-latest:https://docs.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls" + } + ] + }, + { + "Id": "4.5.3", + "Description": "Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible.", + "Checks": [ + "cosmosdb_account_use_aad_and_rbac" + ], + "Attributes": [ + { + "Section": "4.5 Cosmos DB", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. 
Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.", + "RationaleStatement": "AAD client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. AAD does not require this.", + "ImpactStatement": "Only whitelisted services will have access to communicate with the Cosmos DB.", + "RemediationProcedure": "Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens. Create an Azure Active Directory (AAD) identity for each of these resources: For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities. For non-Azure resources, create an AAD identity. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step. 
You can use the az resource update powershell command: $cosmosdbname = 'cosmos-db-account-name' $resourcegroup = 'resource-group-name' $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest- include-preview", + "AuditProcedure": "$cosmosdbname = 'cosmos-db-account-name' $resourcegroup = 'resource-group-name' $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json In the resulting output, disableLocalAuth should be true", + "AdditionalInformation": "", + "DefaultValue": "The default is to use tokens/keys for client authentication.", + "References": " https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control" + } + ] + }, + { + "Id": "5.1.1", + "Description": "Ensure that a 'Diagnostic Setting' exists", + "Checks": [ + "monitor_diagnostic_settings_exists" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Enable Diagnostic settings for exporting activity logs. Diagnos tic settings are available for each individual resource within a subscription. Settings should be configured for allappropriate resources for your environment.", + "RationaleStatement": "A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal To enable Diagnostic Settings on a Subscription: 1. Go to Monitor 2. Click on Activity Log 3. Click on Export Activity Logs 4. Click + Add diagnostic setting 5. Enter a Diagnostic setting name 6. Select Categories for the diagnostic settings 7. 
Select the appropriate Destination details (this may be Log Analytics/Storage Account/Event Hub or Partner solution) 8. Click Save To enable Diagnostic Settings on a specific resource: 1. Go to Monitor 2. Click Diagnostic settings 3. Click on the resource that has a diagnostics status of disabled 4. Select Add Diagnostic Setting 5. Enter a Diagnostic setting name 6. Select the appropriate log, metric, and destination. (This may be Log Analytics/Storage account or Event Hub) 7. Click save Repeat these step for all resources as needed. From Azure CLI To configure Diagnostic Settings on a Subscription: az monitor diagnostic-settings subscription create --subscription --name --location <[- -event-hub --event-hub-auth-rule ] [-- storage-account ] [--workspace ] --logs '' (e.g. [{category:Security,enabled:true},{category:Administrative,enabled:true},{cat egory:Alert,enabled:true},{category:Policy,enabled:true}]) To configure Diagnostic Settings on a specific resource: az monitor diagnostic-settings create --subscription -- resource --name <[--event-hub --event-hub-rule ] [--storage-account ] [--workspace ] --logs --metrics From PowerShell To configure Diagnostic Settings on a subscription: $logCategories = @(); $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Administrative -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Security -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category ServiceHealth -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Alert -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Recommendation -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Policy -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Autoscale -Enabled $true $logCategories += 
New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category ResourceHealth -Enabled $true New-AzSubscriptionDiagnosticSetting -SubscriptionId -Name <[-EventHubAuthorizationRule -EventHubName ] [-StorageAccountId ] [-WorkSpaceId ] [-MarketplacePartner ID ]> -Log $logCategories To configure Diagnostic Settings on a specific resource: $logCategories = @() $logCategories += New-AzDiagnosticSettingLogSettingsObject -Category -Enabled $true Repeat command and variable assignment for each Log category specific to the resource where this Diagnostic Setting will get configured. $metricCategories = @() $metricCategories += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true [-Category ] [- RetentionPolicyDay ] [-RetentionPolicyEnabled $true] Repeat command and variable assignment for each Metric category or use the 'AllMetrics' category. New-AzDiagnosticSetting -ResourceId -Name -Log $logCategories -Metric $metricCategories [- EventHubAuthorizationRuleId -EventHubName ] [-StorageAccountId ] [-WorkspaceId ] [-MarketplacePartnerId ]>", + "AuditProcedure": "From Azure Portal To identify Diagnostic Settings on a subscription: 1. Go to Monitor 2. Click Activity Log 3. Click Export Activity Logs 4. Select a Subscription 5. Ensure a Diagnostic settings exists for the selected Subscription To identify Diagnostic Settings on specific resources: 1. Go to Monitor 2. Click Diagnostic settings 3. Ensure that Diagnostics status is enabled on all appropriate resources. 
From Azure CLI To identify Diagnostic Settings on a subscription: az monitor diagnostic-settings subscription list --subscription To identify Diagnostic Settings on a resource az monitor diagnostic-settings list --resource From PowerShell To identify Diagnostic Settings on a Subscription: Get-AzDiagnosticSetting -SubscriptionId To identify Diagnostic Settings on a specific resource: Get-AzDiagnosticSetting -ResourceId ", + "AdditionalInformation": "", + "DefaultValue": "By default, diagnostic setting is not set.", + "References": " https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile:https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.1.2", + "Description": "Ensure Diagnostic Setting captures appropriate categories", + "Checks": [ + "monitor_diagnostic_setting_with_appropriate_categories" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Prerequisite: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.", + "RationaleStatement": "A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Go to Azure Monitor 2. Click Activity log 3. 
Click on Export Activity Logs 4. Select the Subscription from the drop down menu 5. Click on Add diagnostic setting 6. Enter a name for your new Diagnostic Setting 7. Check the following categories: Administrative, Alert, Policy, and Security 8. Choose the destination details according to your organization's needs. From Az CLI az monitor diagnostic-settings subscription create --subscription --name --location <[- -event-hub --event-hub-auth-rule ] [-- storage-account ] [--workspace ] --logs '[{category:Security,enabled:true},{category:Administrative,enabled:true},{ca tegory:Alert,enabled:true},{category:Policy,enabled:true}]' From PowerShell $logCategories = @(); $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Administrative -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Security -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Alert -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Policy -Enabled $true New-AzSubscriptionDiagnosticSetting -SubscriptionId -Name <[-EventHubAuthorizationRule -EventHubName ] [-StorageAccountId ] [-WorkSpaceId ] [-MarketplacePartner ID ]> -Log $logCategories", + "AuditProcedure": "From Azure Portal 1. Go to Azure Monitor 2. Click Activity log 3. Click on Export Activity Logs 4. Select the appropriate Subscription 5. If there is no Diagnostic Settings listed, generate a finding. 6. Otherwise, click on Edit Settings 7. 
Ensure that the following categories are checked: Administrative, Alert, Policy, and SecurityFrom Azure CLI Ensure the categories 'Administrative', 'Alert', 'Policy', and 'Security' set to: 'enabled: true' az monitor diagnostic-settings subscription list --subscription From Powershell Ensure the categories Administrative, Alert, Policy, and Security are set to Enabled:True Get-AzSubscriptionDiagnosticSetting -Subscription ", + "AdditionalInformation": "", + "DefaultValue": "When the diagnostic setting is created using Azure Portal, by default no categories are selected.", + "References": " https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings:https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest:https://learn.microsoft.com/en-us/powershell/module/az.monitor/new-azsubscriptiondiagnosticsetting?view=azps-9.2.0" + } + ] + }, + { + "Id": "5.1.3", + "Description": "Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible", + "Checks": [ + "monitor_storage_account_with_activity_logs_is_private" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "The storage account container containing the activity log export should not be publicly accessible.", + "RationaleStatement": "Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.", + "ImpactStatement": "Configuring container Access policy to private will remove access from the container for everyone except owners of the storage account. 
Access policy needs to be setexplicitly in order to allow access to other desired users.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Search for Storage Accounts to access Storage account blade 3. Click on the storage account name 4. Click on Configuration under settings 5. Select Enabled under 'Allow Blob public access' From Azure CLI az storage container set-permission --name insights-activity-logs --account- name --sas-token --public-access off From PowerShell Create a new storage account context for the storage account holding the insight- activity-logs container making sure to use a valid Shared Access Signature (SAS) token. $context = New-AzStorageContext -StorageAccountName - SasToken '' Change the insights-activity-logs container public access to off Set-AzStorageContainerAcl -Context $context -Name 'insights-activity-logs' - Permission Off -PassThru", + "AuditProcedure": "From Azure Portal 1. From Azure Home select the Portal Menu 2. Select Diagnostic Settings in the left column. 3. In section Storage Account, note the name of the Storage account 4. Close Diagnostic settings. Close the Monitor - Activity Log blade. 5. In left menu, Click Storage Accounts 6. For each storage account, go to the Configuration setting 7. Check if Blob public access is Disabled. From Azure CLI 1. Get storage account id configured with Diagnostic Settings: az monitor diagnostic-settings subscription list --subscription $subscription.Id --query 'value[*].storageAccountId' 2. Ensure the container storing activity logs (insights-activity-logs) is not publicly accessible: az storage container list --account-name --query '[?name=='insights-activity-logs']' If this command returns output and no errors, the storage account is publicly accessible. 3. Otherwise, list Storage Account Keys for the storage account. az storage account keys list --resource-group --account-name 4. 
Use a key to determine if the Container is also publicly accessible (in the event the storage account is) az storage container list --account-name --query '[?name=='insights-activity-logs']' --sas-token '' Ensure publicAccess is set to null in the output of the command in step 4. From PowerShell Create a new storage account context with either a Storage-level SAS token with at least read/list permissions for Blob > Service, Container, Object. $context = New-AzStorageContext -StorageAccountName - SasToken '' Use the newly created storage account context to determine if the insights-activity- logs container is publicly accessible. Get-AzStorageContainer -Context $context -name 'insights-activity-logs' Ensure PublicAccess is empty or set to null, 0, or off.", + "AdditionalInformation": "", + "DefaultValue": "By default, public access is set to null (allowing only private access) for a container with activity log export.", + "References": " https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls" + } + ] + }, + { + "Id": "5.1.4", + "Description": "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key", + "Checks": [ + "monitor_storage_account_with_activity_logs_cmk_encrypted" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).", + "RationaleStatement": "Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.", + "ImpactStatement": 
"NOTE: You must have your key vault setup to utilize this. All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.", + "RemediationProcedure": "From Azure Portal 1. Navigate to the Storage accounts blade. 2. Click on the storage account. 3. Under Security + networking, click Encryption. 4. Next to Encryption type, select Customer-managed keys. 5. Complete the steps to configure a customer-managed key for encryption of the storage account. From Azure CLI az storage account update --name --resource- group --encryption-key- source=Microsoft.Keyvault --encryption-key-vault -- encryption-key-name --encryption-key-version From PowerShell Set-AzStorageAccount -ResourceGroupName -Name -KeyvaultEncryption -KeyVaultUri -KeyName ", + "AuditProcedure": "From Azure Portal 1. Go to Activity log 2. Select Export 3. Select Subscription 4. In section Storage Account, note the name of the Storage account 5. Close the Export Audit Logs blade. Close the Monitor - Activity Log blade. 6. In right column, Click service Storage Accounts to access Storage account blade 7. Click on the storage account name noted in step 4. This will open blade specific to that storage account 8. Under Security + networking, click Encryption. 9. Ensure Customer-managed keys is selected and Key URI is set.From Azure CLI1. Get storage account id configured with log profile:az monitor diagnostic-settings subscription list --subscription --query 'value[*].storageAccountId'2. 
Ensure the storage account is encrypted with CMK:az storage account list --query '[?name=='']'In command output ensure keySource is set to Microsoft.Keyvault andkeyVaultProperties is not set to nullFrom PowerShellGet-AzStorageAccount -ResourceGroupName -Name |select-object -ExpandProperty encryption|format-listEnsure the value of KeyVaultProperties is not null or empty, and ensure KeySource isnot set to Microsoft.Storage.", + "AdditionalInformation": "", + "DefaultValue": "By default, for a storage account keySource is set to Microsoft.Storage allowing encryption with vendor Managed key and not a Customer Managed Key.", + "References": " https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest:https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli#managing-legacy-log-profiles" + } + ] + }, + { + "Id": "5.1.5", + "Description": "Ensure that logging for Azure Key Vault is 'Enabled'", + "Checks": [ + "keyvault_logging_enabled" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.", + "RationaleStatement": "Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Go to Key vaults 2. Select a Key vault 3. Select Diagnostic settings 4. 
Click on Edit setting against an existing diagnostic setting, or Add diagnostic setting 5. If creating a new diagnostic setting, provide a name 6. Check Archive to a storage account 7. Under Categories, check Audit Logs 8. Set an appropriate value for Retention (days) 9. Click Save From Azure CLI To update an existing Diagnostic Settings az monitor diagnostic-settings update --name '' -- resource --set retentionPolicy.days=90 To create a new Diagnostic Settings az monitor diagnostic-settings create --name -- resource --logs '[{category:AuditEvents,enabled:true,retention- policy:{enabled:true,days:180}}]' --metrics '[{category:AllMetrics,enabled:true,retention- policy:{enabled:true,days:180}}]' <[--event-hub --event-hub- rule | --storage-account |-- workspace | --marketplace-partner-id ]> From PowerShell Create the Log settings object $logSettings = @() $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true - RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AuditEvent Create the Metric settings object $metricSettings = @() $metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics Create the Diagnostic Settings for each Key Vault New-AzDiagnosticSetting -Name '' -ResourceId -Log $logSettings -Metric $metricSettings [- StorageAccountId | -EventHubName - EventHubAuthorizationRuleId | -WorkSpaceId | -MarketPlacePartnerId ]", + "AuditProcedure": "From Azure Portal 1. Go to Key vaults 2. For each Key vault 3. Go to Diagnostic settings 4. Click on Edit Settings 5. Ensure that Archive to a storage account is Enabled 6. Ensure that AuditEvent is checked, and the retention days is set to 180 days or as appropriate From Azure CLI List all key vaults az keyvault list For each keyvault id az monitor diagnostic-settings list --resource Ensure that storageAccountId is set as appropriate. Also, ensure that category and days are set. 
One of the sample outputs is as below. 'logs': [ { 'category': 'AuditEvent', 'enabled': true, 'retentionPolicy': { 'days': 180, 'enabled': true } } ] From PowerShell List the key vault(s) in the subscription Get-AzKeyVault For each key vault, run the following: Get-AzDiagnosticSetting -ResourceId Ensure that StorageAccountId, ServiceBusRuleId, MarketplacePartnerId, or WorkspaceId is set as appropriate. Also, ensure that enabled is set to true, and that category and days are set under the Log heading.", + "AdditionalInformation": "", + "DefaultValue": "By default, Diagnostic AuditEvent logging is not enabled for Key Vault instances.", + "References": "https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.1.6", + "Description": "Ensure that Network Security Group Flow logs are captured and sent to Log Analytics", + "Checks": [ + "network_flow_log_captured_sent" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Ensure that network flow logs are captured and fed into a central log analytics workspace.", + "RationaleStatement": "Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting thegeneration of visual flow diagrams to aid with analyzing for lateral movement, etc.", + "ImpactStatement": "The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. 
This will increase the amount of data stored and used by Azure Monitor.", + "RemediationProcedure": "From Azure Portal 1. Navigate to Network Watcher. 2. Select NSG flow logs. 3. Select + Create. 4. Select the desired Subscription. 5. Select + Select NSG. 6. Select a network security group. 7. Click Confirm selection. 8. Select or create a new Storage Account. 9. Input the retention in days to retain the log. 10. Click Next. 11. Under Configuration, select Version 2. 12. If rich analytics are required, select Enable Traffic Analytics, a processing interval, and a Log Analytics Workspace. 13. Select Next. 14. Optionally add Tags. 15. Select Review + create. 16. Select Create. Warning The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.", + "AuditProcedure": "From Azure Portal 1. Navigate to Network Watcher. 2. Select NSG flow logs 3. 
For each log you wish to audit select it from this view.", + "AdditionalInformation": "", + "DefaultValue": "By default Network Security Group logs are not sent to Log Analytics.", + "References": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.1.7", + "Description": "Ensure that logging for Azure AppService 'HTTP logs' is enabled", + "Checks": [ + "app_http_logs_enabled" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.", + "RationaleStatement": "Capturing web requests can be important supporting information for security analysts performing monitoring and incident response activities. Once logging, these logs can be ingested into SIEM or other central aggregation point for the organization.", + "ImpactStatement": "Log consumption and processing will incur additional cost.", + "RemediationProcedure": "From Azure Portal 1. Go to App Services For each App Service: 2. Go to Diagnostic Settings 3. Click Add Diagnostic Setting 4. Check the checkbox next to 'HTTP logs' 5. Configure a destination based on your specific logging consumption capability (for example Stream to an event hub and then consuming with SIEM integration for Event Hub logging).", + "AuditProcedure": "From Azure Portal 1. Go to App Services For each App Service: 2. Go to Diagnostic Settings 3. Ensure that 'HTTP logs' is configured to log to a destination aligned to your environments approach to log consumption (event hub, storage account, etc. 
dependent on what is consuming the logs such as SIEM or other log aggregation utility).", + "AdditionalInformation": "", + "DefaultValue": "Not configured.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.2.1", + "Description": "Ensure that Activity Log Alert exists for Create Policy Assignment", + "Checks": [ + "monitor_alert_create_policy_assignment" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Create Policy Assignment event.", + "RationaleStatement": "Monitoring for create policy assignment events gives insight into changes done in 'Azure policy - assignments' and can reduce the time it takes to detect unsolicited changes.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Policy assignment (policyAssignments). 7. Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Create policy assignment (Microsoft.Authorization/policyAssignments). 12. Select the Actions tab. 13. To use an existing action group, click elect action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. 
From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write and level= --scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the conditions object. $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Authorization/policyAssignments/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Get the Action Group information and store it in a variable, then create a new Action object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope variable. $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Authorization/policyAssignments/write New-AzActivityLogAlert -Name '' -ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true", + "AuditProcedure": "From Azure Portal 1. Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Authorization/policyAssignments/write 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Create policy assignment (policyAssignments) 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. 
Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Authorization/policyAssignments/write in the output. If it's missing, generate a finding. From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Authorization/policyAssignments/write'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf If the output is empty, an alert rule for Create Policy Assignments is not configured.", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": " https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://docs.microsoft.com/en-in/rest/api/policy/policy-assignments:https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log" + } + ] + }, + { + "Id": "5.2.2", + "Description": "Ensure that Activity Log Alert exists for Delete Policy Assignment", + "Checks": [ + "monitor_alert_delete_policy_assignment" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Delete Policy Assignment event.", + "RationaleStatement": "Monitoring for delete policy assignment events gives insight into changes done in 'azure policy - 
assignments' and can reduce the time it takes to detect unsolicited changes.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Policy assignment (policyAssignments). 7. Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Delete policy assignment (Microsoft.Authorization/policyAssignments). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete and level= --scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the conditions object $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Authorization/policyAssignments/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Action object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope variable. 
$scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Authorization/policyAssignments/delete. New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true", + "AuditProcedure": "From Azure Portal 1. Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Authorization/policyAssignments/delete 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete policy assignment (policyAssignments)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. 
From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Authorization/policyAssignments/delete in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Authorization/policyAssignments/delete'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": " https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://azure.microsoft.com/en-us/services/blueprints/" + } + ] + }, + { + "Id": "5.2.3", + "Description": "Ensure that Activity Log Alert exists for Create or Update Network Security Group", + "Checks": [ + "monitor_alert_create_update_nsg" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an Activity Log Alert for the Create or Update Network Security Group event.", + "RationaleStatement": "Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Network security groups. 7. Under Filter by location, select All. 8. 
From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Create or Update Network Security Group (Microsoft.Network/networkSecurityGroups). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write and level=verbose --scope '/subscriptions/' --name '' --subscription --action-group --location global From PowerShell Create the Conditions object. $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Network/networkSecurityGroups/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Actions object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope object $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Network/networkSecurityGroups/write New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true", + "AuditProcedure": "From Azure Portal 1. Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. 
Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Network/networkSecurityGroups/write 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Create or Update Network Security Group (networkSecurityGroups)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Network/networkSecurityGroups/write in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Network/networkSecurityGroups/write'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.2.4", + "Description": "Ensure that Activity Log Alert exists for Delete Network Security Group", + "Checks": [ + "monitor_alert_delete_nsg" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using 
Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Delete Network Security Group event.", + "RationaleStatement": "Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Network security groups. 7. Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Delete Network Security Group (Microsoft.Network/networkSecurityGroups). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/delete and level=--scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the Conditions object. 
$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Network/networkSecurityGroups/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Actions object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope object $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Network/networkSecurityGroups/delete New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true", + "AuditProcedure": "From Azure Portal 1. Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Network/networkSecurityGroups/delete 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete Network Security Group (networkSecurityGroups)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. 
From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Network/networkSecurityGroups/delete in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Network/networkSecurityGroups/delete'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.2.5", + "Description": "Ensure that Activity Log Alert exists for Create or Update Security Solution", + "Checks": [ + "monitor_alert_create_update_security_solution" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Create or Update Security Solution event.", + "RationaleStatement": "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Security Solutions (securitySolutions). 7. 
Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Create or Update Security Solutions (Microsoft.Security/securitySolutions). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/write and level=--scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the Conditions object. $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Security/securitySolutions/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Actions object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope object $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Security/securitySolutions/write New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true", + "AuditProcedure": "From Azure Portal 1. Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. 
Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Security/securitySolutions/write 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Security', Signal name='Create or Update Security Solutions (securitySolutions)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Security/securitySolutions/write in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Security/securitySolutions/write'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.2.6", + "Description": "Ensure that Activity Log Alert exists for Delete Security Solution", + "Checks": [ + "monitor_alert_delete_security_solution" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log 
Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Delete Security Solution event.", + "RationaleStatement": "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Console 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Security Solutions (securitySolutions). 7. Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Delete Security Solutions (Microsoft.Security/securitySolutions). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/delete and level=--scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the Conditions object. 
$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Security/securitySolutions/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Actions object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope object $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Security/securitySolutions/delete New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true", + "AuditProcedure": "From Azure Console 1. Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Security/securitySolutions/delete 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Security', Signal name='Delete Security Solutions (securitySolutions)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. 
From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Security/securitySolutions/delete in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Security/securitySolutions/delete'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": " https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.2.7", + "Description": "Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule", + "Checks": [ + "monitor_alert_create_update_sqlserver_fr" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Create or Update SQL Server Firewall Rule event.", + "RationaleStatement": "Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "ImpactStatement": "There will be a substantial increase in log size if there are a large number of administrative actions on a server.", + "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. 
Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Server Firewall Rule (servers/firewallRules). 7. Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write and level=--scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the Conditions object. $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Sql/servers/firewallRules/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Actions object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope object $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Sql/servers/firewallRules/write New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true",
+ "AuditProcedure": "From Azure Portal 1. 
Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Sql/servers/firewallRules/write 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Create/Update server firewall rule (servers/firewallRules)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Sql/servers/firewallRules/write in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Sql/servers/firewallRules/write'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created or active.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.2.8",
+ "Description": "Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule",
+ "Checks": [
+ 
"monitor_alert_delete_sqlserver_fr"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.2 Monitoring using Activity Log Alerts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Create an activity log alert for the 'Delete SQL Server Firewall Rule.'",
+ "RationaleStatement": "Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity.",
+ "ImpactStatement": "There will be a substantial increase in log size if there are a large number of administrative actions on a server.",
+ "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Server Firewall Rule (servers/firewallRules). 7. Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Delete server firewall rule (Microsoft.Sql/servers/firewallRules). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/delete and level=--scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the Conditions object. 
$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Sql/servers/firewallRules/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Actions object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope object $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Sql/servers/firewallRules/delete New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true",
+ "AuditProcedure": "From Azure Portal 1. Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Sql/servers/firewallRules/delete 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete server firewall rule (servers/firewallRules)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. 
From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Sql/servers/firewallRules/delete in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Sql/servers/firewallRules/delete'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created or active.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.2.9",
+ "Description": "Ensure that Activity Log Alert exists for Create or Update Public IP Address rule",
+ "Checks": [
+ "monitor_alert_create_update_public_ip_address_rule"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.2 Monitoring using Activity Log Alerts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Create an activity log alert for the Create or Update Public IP Addresses rule.",
+ "RationaleStatement": "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
+ "ImpactStatement": "There will be a substantial increase in log size if there are a large number of administrative actions on a server.",
+ "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. 
Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Public IP addresses. 7. Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Create or Update Public Ip Address (Microsoft.Network/publicIPAddresses). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/write and level=--scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the Conditions object. $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Network/publicIPAddresses/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Actions object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope object $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Network/publicIPAddresses/write New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true",
+ "AuditProcedure": "From Azure Portal 1. 
Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Network/publicIPAddresses/write 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Create or Update Public Ip Address (publicIPAddresses)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Network/publicIPAddresses/write in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Network/publicIPAddresses/write'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created or active.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.2.10",
+ "Description": "Ensure that Activity Log Alert exists for Delete Public IP Address rule",
+ "Checks": [
+ 
"monitor_alert_delete_public_ip_address_rule"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.2 Monitoring using Activity Log Alerts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Create an activity log alert for the Delete Public IP Address rule.",
+ "RationaleStatement": "Monitoring for Delete Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
+ "ImpactStatement": "There will be a substantial increase in log size if there are a large number of administrative actions on a server.",
+ "RemediationProcedure": "From Azure Portal 1. Navigate to the Monitor blade. 2. Select Alerts. 3. Select Create. 4. Select Alert rule. 5. Under Filter by subscription, choose a subscription. 6. Under Filter by resource type, select Public IP addresses. 7. Under Filter by location, select All. 8. From the results, select the subscription. 9. Select Done. 10. Select the Condition tab. 11. Under Signal name, click Delete Public Ip Address (Microsoft.Network/publicIPAddresses). 12. Select the Actions tab. 13. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection. 14. Select the Details tab. 15. Select a Resource group, provide an Alert rule name and an optional Alert rule description. 16. Click Review + create. 17. Click Create. From Azure CLI az monitor activity-log alert create --resource-group '' --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/delete and level=--scope '/subscriptions/' --name '' -- subscription --action-group --location global From PowerShell Create the Conditions object. 
$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Microsoft.Network/publicIPAddresses/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject - Equal Verbose -Field level Retrieve the Action Group information and store in a variable, then create the Actions object. $actionGroup = Get-AzActionGroup -ResourceGroupName - Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id Create the Scope object $scope = '/subscriptions/' Create the Activity Log Alert Rule for Microsoft.Network/publicIPAddresses/delete New-AzActivityLogAlert -Name '' - ResourceGroupName '' -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true",
+ "AuditProcedure": "From Azure Portal 1. Navigate to the Monitor blade 2. Click on Alerts 3. In the Alerts window, click on Alert rules 4. Hover mouse over the values in the Condition column to find an alert where Operation name=Microsoft.Network/publicIPAddresses/delete 5. Click on the Alert Name associated with the previous step 6. Click on the Condition name of Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete Public Ip Address (Microsoft.Network/publicIPAddresses)' 7. In the Configure signal logic window, ensure the following is configured: o Event level: All selected o Status: All selected o Event initiated by: * (All services and users) 8. Click Done 9. Back in the < Alert Name > window, review Actions to ensure that an Action group is assigned to notify the appropriate personnel in your organization. 
From Azure CLI az monitor activity-log alert list --subscription --query '[].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions}' Look for Microsoft.Network/publicIPAddresses/delete in the output From PowerShell Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match 'Microsoft.Network/publicIPAddresses/delete'}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created or active.",
+ "References": " https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.4",
+ "Description": "Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "5.3 Configuring Application Insights",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type. 
A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.",
+ "RationaleStatement": "A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled.",
+ "ImpactStatement": "Costs for monitoring varies with Log Volume. Not every resource needs to have logging enabled. It is important to determine the security classification of the data being processed by the given resource and adjust the logging based on which events need to be tracked. This is typically determined by governance and compliance requirements.",
+ "RemediationProcedure": "Azure Subscriptions should log every access and operation for all resources. Logs should be sent to Storage and a Log Analytics Workspace or equivalent third-party system. Logs should be kept in readily-accessible storage for a minimum of one year, and then moved to inexpensive cold storage for a duration of time as necessary. If retention policies are set but storing logs in a Storage Account is disabled (for example, if only Event Hubs or Log Analytics options are selected), the retention policies have no effect. Enable all monitoring at first, and then be more aggressive moving data to cold storage if the volume of data becomes a cost concern. 
From Azure Portal The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are: 1. Go to the resource 2. Click on Diagnostic settings 3. In the blade that appears, click 'Add diagnostic setting' 4. Configure the diagnostic settings 5. Click on Save From Azure CLI For each resource, run the following making sure to use a resource appropriate JSON encoded category for the --logs option. az monitor diagnostic-settings create --name -- resource --logs '[{category:,enabled:true,rentention-policy:{enabled:true,days:180}}]' --metrics '[{category:AllMetrics,enabled:true,retention- policy:{enabled:true,days:180}}]' <[--event-hub --event-hub- rule | --storage-account |-- workspace | --marketplace-partner-id ]> From PowerShell Create the log settings object $logSettings = @() $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true - RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true - RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category Create the metric settings object $metricSettings = @() $metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics Create the diagnostic setting for a specific resource New-AzDiagnosticSetting -Name '' -ResourceId -Log $logSettings -Metric $metricSettings",
+ "AuditProcedure": "From Azure Portal The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are: 1. Go to the resource 2. Click on Diagnostic settings 3. In the blade that appears, click 'Add diagnostic setting' 4. Configure the diagnostic settings 5. 
Click on Save From Azure CLI List all resources for a subscription az resource list --subscription For each resource run the following az monitor diagnostic-settings list --resource An empty result means a diagnostic settings is not configured for that resource. An error message means a diagnostic settings is not supported for that resource. From PowerShell Get a list of resources in a subscription context and store in a variable $resources = Get-AzResource Loop through each resource to determine if a diagnostic setting is configured or not. foreach ($resource in $resources) {$diagnosticSetting = Get- AzDiagnosticSetting -ResourceId $resource.id -ErrorAction 'SilentlyContinue'; if ([string]::IsNullOrEmpty($diagnosticSetting)) {$message = 'Diagnostic Settings not configured for resource: ' + $resource.Name;Write-Output $message}else{$diagnosticSetting}} A result of Diagnostic Settings not configured for resource: means a diagnostic settings is not configured for that resource. Otherwise, the output of the above command will show configured Diagnostic Settings for a resource.",
+ "AdditionalInformation": "Note: The CIS Benchmark covers some specific Diagnostic Logs separately. 
Section 3 - Storage Accounts: Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests Section 6 - Network: Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' For an up-to-date list of Azure resources which support Azure Monitor, refer to the 'Supported Log Categories' reference.",
+ "DefaultValue": "By default, Azure Monitor Resource Logs are 'Disabled' for all resources",
+ "References": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis:https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/monitor-azure-resource:Supported Log Categories: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-categories:Logs and Audit - Fundamentals: https://docs.microsoft.com/en-us/azure/security/fundamentals/log-audit:Collecting Logs: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs:Key Vault Logging: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging:Monitor Diagnostic Settings: https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest:Overview of Diagnostic Logs: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-logs-overview:Supported Services for Diagnostic Logs: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-logs-schema:Diagnostic Logs for CDNs: https://docs.microsoft.com/en-us/azure/cdn/cdn-azure-diagnostic-logs"
+ }
+ ]
+ },
+ {
+ "Id": "5.5",
+ "Description": "Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "5.3 Configuring Application Insights",
+ 
"Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.",
+ "RationaleStatement": "Typically, production workloads need to be monitored and should have an SLA with Microsoft, using Basic SKUs for any deployed product will mean that that these capabilities do not exist. The following resource types should use standard SKUs as a minimum. • Public IP Addresses • Network Load Balancers • REDIS Cache • SQL PaaS Databases • VPN Gateways",
+ "ImpactStatement": "The impact of enforcing Standard SKU's is twofold 1. There will be a cost increase 2. The monitoring and service level agreements will be available and will support the production service. All resources should be either tagged or in separate Management Groups/Subscriptions",
+ "RemediationProcedure": "Each artifact has its own process for upgrading from basic to standard SKU's and this should be followed if required.",
+ "AuditProcedure": "This needs to be audited by Azure Policy (one for each resource type) and denied for each artifact that is production. From Azure Portal 1. Open Azure Resource Graph Explorer 2. Click New query 3. Paste the following into the query window: Resources | where sku contains 'Basic' or sku contains 'consumption' | order by type 4. Click Run query then evaluate the results in the results window. 
From Azure CLI az graph query -q 'Resources | sku contains 'Basic' or sku contains 'consumption' | order by type' From PowerShell Get-AzResource | ?{ $_.Sku -EQ 'Basic'}",
+ "AdditionalInformation": "",
+ "DefaultValue": "Policy should enforce standard SKUs for the following artifacts:• Public IP Addresses• Network Load Balancers• REDIS Cache• SQL PaaS Databases• VPN Gateways",
+ "References": ""
+ }
+ ]
+ },
+ {
+ "Id": "5.3.1",
+ "Description": "Ensure Application Insights are Configured",
+ "Checks": [
+ "appinsights_ensure_is_configured"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.3 Configuring Application Insights",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.",
+ "RationaleStatement": "Configuring Application Insights provides additional data not found elsewhere within Azure as part of a much larger logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). 
Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.",
+ "ImpactStatement": "Because Application Insights relies on a Log Analytics Workspace, an organization will incur additional expenses when using this service.",
+ "RemediationProcedure": "Remediation Procedures From Azure Portal 1. Navigate to Application Insights 2. Under the Basics tab within the PROJECT DETAILS section, select the Subscription 3. Select the Resource group 4. Within the INSTANCE DETAILS, enter a Name 5. Select a Region 6. Next to Resource Mode, select Workspace-based 7. Within the WORKSPACE DETAILS, select the Subscription for the log analytics workspace 8. Select the appropriate Log Analytics Workspace 9. Click Next:Tags > 10. Enter the appropriate Tags as Name, Value pairs. 11. Click Next:Review+Create 12. Click Create From Azure CLI az monitor app-insights component create --app --resource-group --location --kind 'web' --retention-time --workspace -- subscription From PowerShell New-AzApplicationInsights -Kind 'web' -ResourceGroupName -Name -location -RetentionInDays -SubscriptionID -WorkspaceResourceId ",
+ "AuditProcedure": "From Azure Portal 1. Navigate to Application Insights 2. Ensure an Application Insights service is configured and exists. From Azure CLI Note: The application-insights extension to Azure CLI is currently in Preview Add the application-insights extension. az extension add --name application-insights az monitor app-insights component show --query '[].{ID:appId, Name:name, Tenant:tenantId, Location:location, Provisioning_State:provisioningState}' Ensure the above command produces output, otherwise Application Insights has not been configured. 
From PowerShell Get-AzApplicationInsights|select location,name,appid,provisioningState,tenantid",
+ "AdditionalInformation": "",
+ "DefaultValue": "",
+ "References": ""
+ }
+ ]
+ },
+ {
+ "Id": "6.1",
+ "Description": "Ensure that RDP access from the Internet is evaluated and restricted",
+ "Checks": [
+ "network_rdp_internet_access_restricted"
+ ],
+ "Attributes": [
+ {
+ "Section": "6 Networking",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.",
+ "RationaleStatement": "The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "Where RDP is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN",
+ "AuditProcedure": "From Azure Portal 1. For each VM, open the Networking blade 2. 
Verify that the INBOUND PORT RULES does not have a rule for RDP such as o port = 3389, o protocol = TCP, o Source = Any OR Internet From Azure CLI List Network security groups with corresponding non-default Security rules: az network nsg list --query [*].[name,securityRules] Ensure that none of the NSGs have security rule as below 'access' : 'Allow' 'destinationPortRange' : '3389' or '*' or '[port range containing 3389]' 'direction' : 'Inbound' 'protocol' : 'TCP' 'sourceAddressPrefix' : '*' or '0.0.0.0' or '/0' or '/0' or 'internet' or 'any'", + "AdditionalInformation": "", + "DefaultValue": "By default, RDP access from internet is not enabled.", + "References": "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries:Express Route: https://docs.microsoft.com/en-us/azure/expressroute/:Site-to-SiteVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal:Point-to-SiteVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal" + } + ] + }, + { + "Id": "6.2", + "Description": "Ensure that SSH access from the Internet is evaluated and restricted", + "Checks": [ + "network_ssh_internet_access_restricted" + ], + "Attributes": [ + { + "Section": "6 Networking", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Network security groups should be periodically evaluated for port misconfigurations. 
Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.", + "RationaleStatement": "The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "ImpactStatement": "", + "RemediationProcedure": "Where SSH is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN", + "AuditProcedure": "From Azure Portal 1. Open the Networking blade for the specific Virtual machine in Azure portal 2. 
Verify that the INBOUND PORT RULES does not have a rule for SSH such as o port = 22, o protocol = TCP, o Source = Any OR Internet From Azure CLI List Network security groups with corresponding non-default Security rules: az network nsg list --query [*].[name,securityRules] Ensure that none of the NSGs have security rule as below 'access' : 'Allow' 'destinationPortRange' : '22' or '*' or '[port range containing 22]' 'direction' : 'Inbound' 'protocol' : 'TCP' 'sourceAddressPrefix' : '*' or '0.0.0.0' or '/0' or '/0' or 'internet' or 'any'", + "AdditionalInformation": "", + "DefaultValue": "By default, SSH access from internet is not enabled.", + "References": "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries:Express Route: https://docs.microsoft.com/en-us/azure/expressroute/:Site-to-SiteVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal:Point-to-SiteVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal" + } + ] + }, + { + "Id": "6.3", + "Description": "Ensure that UDP access from the Internet is evaluated and restricted", + "Checks": [ + "network_udp_internet_access_restricted" + ], + "Attributes": [ + { + "Section": "6 Networking", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Network security groups should be periodically evaluated for port misconfigurations. 
Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.", + "RationaleStatement": "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification sources for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "ImpactStatement": "", + "RemediationProcedure": "Where UDP is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN", + "AuditProcedure": "From Azure Portal 1. Open the Networking blade for the specific Virtual machine in Azure portal 2. 
Verify that the INBOUND PORT RULES does not have a rule for UDP such as • protocol = UDP, • Source = Any OR Internet From Azure CLI List Network security groups with corresponding non-default Security rules: az network nsg list --query [*].[name,securityRules] Ensure that none of the NSGs have security rule as below 'access' : 'Allow' 'destinationPortRange' : '*' or '[port range containing 53, 123, 161, 389, 1900, or other vulnerable UDP-based services]' 'direction' : 'Inbound' 'protocol' : 'UDP' 'sourceAddressPrefix' : '*' or '0.0.0.0' or '/0' or '/0' or 'internet' or 'any'", + "AdditionalInformation": "", + "DefaultValue": "By default, UDP access from internet is not enabled.", + "References": "https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks:https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries:ExpressRoute: https://docs.microsoft.com/en-us/azure/expressroute/:Site-to-siteVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal:Point-to-siteVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal" + } + ] + }, + { + "Id": "6.4", + "Description": "Ensure that HTTP(S) access from the Internet is evaluated and restricted", + "Checks": [ + "network_http_internet_access_restricted" + ], + "Attributes": [ + { + "Section": "6 Networking", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Network security groups should be periodically evaluated for port misconfigurations. 
Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.", + "RationaleStatement": "TThe potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.", + "ImpactStatement": "", + "RemediationProcedure": "Where HTTP(S) is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN", + "AuditProcedure": "From Azure Portal 1. For each VM, open the Networking blade 2. Verify that the INBOUND PORT RULES does not have a rule for HTTP such as o port = 80, o protocol = TCP, o Source = Any OR Internet From Azure CLI List Network security groups with corresponding non-default Security rules: az network nsg list --query [*].[name,securityRules] Ensure that none of the NSGs have security rule as below 'access' : 'Allow' 'destinationPortRange' : '80' or '*' or '[port range containing 80]' 'direction' : 'Inbound' 'protocol' : 'TCP' 'sourceAddressPrefix' : '*' or '0.0.0.0' or '/0' or '/0' or 'internet' or 'any'", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "Express Route: 
https://docs.microsoft.com/en-us/azure/expressroute/:Site-to-SiteVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal:Point-to-SiteVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries" + } + ] + }, + { + "Id": "6.5", + "Description": "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'", + "Checks": [ + "network_flow_log_more_than_90_days" + ], + "Attributes": [ + { + "Section": "6 Networking", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.", + "RationaleStatement": "Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.", + "ImpactStatement": "This will keep IP traffic logs for longer than 90 days. As a level 2, first determine your need to retain data, then apply your selection here. As this is data stored for longer, your monthly storage costs will increase depending on your data use.", + "RemediationProcedure": "From Azure Portal 1. Go to Network Watcher 2. Select NSG flow logs blade in the Logs section 3. Select each Network Security Group from the list 4. Ensure Status is set to On 5. Ensure Retention (days) setting greater than 90 days 6. Select your storage account in the Storage account field 7. Select Save From Azure CLI Enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days. az network watcher flow-log configure --nsg --enabled true --resource-group --retention 91 -- storage-account ", + "AuditProcedure": "From Azure Portal 1. Go to Network Watcher 2. 
Select NSG flow logs blade in the Logs section 3. Select each Network Security Group from the list 4. Ensure Status is set to On 5. Ensure Retention (days) setting greater than 90 days From Azure CLI az network watcher flow-log show --resource-group --nsg --query 'retentionPolicy' Ensure that enabled is set to true and days is set to greater then or equal to 90.", + "AdditionalInformation": "", + "DefaultValue": "By default, Network Security Group Flow Logs are disabled.", + "References": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview:https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-6-configure-log-storage-retention" + } + ] + }, + { + "Id": "6.6", + "Description": "Ensure that Network Watcher is 'Enabled'", + "Checks": [ + "network_watcher_enabled" + ], + "Attributes": [ + { + "Section": "6 Networking", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enable Network Watcher for Azure subscriptions.", + "RationaleStatement": "Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.", + "ImpactStatement": "There are additional costs per transaction to run and store network data. For high-volume networks these charges will add up quickly.", + "RemediationProcedure": "Opting out of Network Watcher automatic enablement is a permanent change. Once you opt-out you cannot opt-in without contacting support.", + "AuditProcedure": "From Azure Portal 1. Go to Network Watcher 2. Ensure that the STATUS is set to Enabled From Azure CLI az network watcher list This will list all regions where provisioningState is Succeeded. Then run az account list-locations This will list all regions that exist in the subscription. 
Compare this list to the previous one to ensure that for all regions, provisioningState is set to Succeeded. From PowerShell Get a list of Network Watchers Get-AzNetworkWatcher Make sure each watcher is set with the ProvisioningState setting set to Succeeded and all Locations are set with a watcher.", + "AdditionalInformation": "", + "DefaultValue": "Network Watcher is automatically enabled. When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region. There is no impact to your resources or associated charge for automatically enabling Network Watcher.", + "References": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview:https://docs.azure.cn/zh-cn/cli/network/watcher?view=azure-cli-latest#az_network_watcher_list:https://docs.azure.cn/zh-cn/cli/network/watcher?view=azure-cli-latest#az_network_watcher_configure:https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-create:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-3-enable-logging-for-azure-network-activities:https://azure.microsoft.com/en-ca/pricing/details/network-watcher/" + } + ] + }, + { + "Id": "6.7", + "Description": "Ensure that Public IP addresses are Evaluated on a Periodic Basis", + "Checks": [], + "Attributes": [ + { + "Section": "6 Networking", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.", + "RationaleStatement": "Public IP Addresses allocated to the tenant should be periodically reviewed for necessity. 
Public IP Addresses that are not intentionally assigned and controlled present a publicly facing vector for threat actors and significant risk to the tenant.", + "ImpactStatement": "", + "RemediationProcedure": "Remediation will vary significantly depending on your organization's security requirements for the resources attached to each individual Public IP address", + "AuditProcedure": "From Azure Portal 1. Open the All Resources blade 2. Click on Add Filter 3. In the Add Filter window, select the following: Filter: Type Operator: Equals Value: Public IP address 4. Click the Apply button 5. For each Public IP address in the list, use Overview (or Properties) to review the 'Associated to:' field and determine if the associated resource is still relevant to your tenant environment. If the associated resource is relevant, ensure that additional controls exist to mitigate risk (e.g. Firewalls, VPNs, Traffic Filtering, Virtual Gateway Appliances, Web Application Firewalls, etc.) on all subsequently attached resources. From Azure CLI List all Public IP addresses: az network public-ip list For each Public IP address in the output, review the 'name' property and determine if the associated resource is still relevant to your tenant environment. If the associated resource is relevant, ensure that additional controls exist to mitigate risk (e.g. Firewalls, VPNs, Traffic Filtering, Virtual Gateway Appliances, Web Application Firewalls, etc.) 
on all subsequently attached resources", + "AdditionalInformation": "", + "DefaultValue": "During Virtual Machine and Application creation, a setting may create and attach a public IP.", + "References": "https://docs.microsoft.com/en-us/cli/azure/network/public-ip?view=azure-cli-latest:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security" + } + ] + }, + { + "Id": "7.1", + "Description": "Ensure an Azure Bastion Host Exists", + "Checks": [ + "network_bastion_host_exists" + ], + "Attributes": [ + { + "Section": "7 Virtual Machines", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.", + "RationaleStatement": "The Azure Bastion service allows organizations a more secure means of accessing Azure Virtual Machines over the Internet without assigning public IP addresses to those Virtual Machines. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser, thus preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines. Additional benefits of the Bastion service includes Multi-Factor Authentication, Conditional Access Policies, and any other hardening measures configured within Azure Active Directory using a central point of access.", + "ImpactStatement": "The Azure Bastion service incurs additional costs and requires a specific virtual network configuration. 
The Standard tier offers additional configuration options compared to the Basic tier and may incur additional costs for those added features.", + "RemediationProcedure": "From Azure Portal* 1. Click on Bastions 2. Select the Subscription 3. Select the Resource group 4. Type a Name for the new Bastion host 5. Select a Region 6. Choose Standard next to Tier 7. Use the slider to set the Instance count 8. Select the Virtual network or Create new 9. Select the Subnet named AzureBastionSubnet. Create a Subnet named AzureBastionSubnet using a /26 CIDR range if it doesn't already exist. 10. Selct the appropriate Public IP address option. 11. If Create new is selected for the Public IP address option, provide a Public IP address name. 12. If Use existing is selected for Public IP address option, select an IP address from Choose public IP address 13. Click Next: Tags > 14. Configure the appropriate Tags 15. Click Next: Advanced > 16. Select the appropriate Advanced options 17. Click Next: Review + create > 18. Click Create From Azure CLI az network bastion create --location --name --public-ip-address --resource-group --vnet-name --scale-units --sku Standard [--disable-copy- paste true|false] [--enable-ip-connect true|false] [--enable-tunneling true|false] From PowerShell Create the appropriate Virtual network settings and Public IP Address settings. $subnetName = 'AzureBastionSubnet' $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $virtualNet = New-AzVirtualNetwork -Name - ResourceGroupName -Location -AddressPrefix -Subnet $subnet $publicip = New-AzPublicIpAddress -ResourceGroupName - Name -Location -AllocationMethod Dynamic -Sku Standard Page 403 Create the Azure Bastion service using the information within the created variables from above. New-AzBastion -ResourceGroupName -Name - PublicIpAddress $publicip -VirtualNetwork $virtualNet -Sku 'Standard' - ScaleUnit ", + "AuditProcedure": "From Azure Portal 1. Click on Bastions 2. 
Ensure there is at least one Bastion host listed under the Name column From Azure CLI Note: The Azure CLI network bastion module is in Preview as of this writing az network bastion list --subscription Ensure the output of the above command is not empty. From PowerShell Retrieve the Bastion host(s) information for a specific Resource Group Get-AzBastion -ResourceGroupName Ensure the output of the above command is not empty.", + "AdditionalInformation": "", + "DefaultValue": "By default, the Azure Bastion service is not configured.", + "References": "https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku:https://learn.microsoft.com/en-us/powershell/module/az.network/get-azbastion?view=azps-9.2.0:https://learn.microsoft.com/en-us/cli/azure/network/bastion?view=azure-cli-latest" + } + ] + }, + { + "Id": "7.2", + "Description": "Ensure Virtual Machines are utilizing Managed Disks", + "Checks": [ + "vm_ensure_using_managed_disks" + ], + "Attributes": [ + { + "Section": "7 Virtual Machines", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include: 1. Default Disk Encryption 2. Resilience, as Microsoft will managed the disk storage and move around if underlying hardware goes faulty 3. Reduction of costs over storage accounts", + "RationaleStatement": "Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required. Managed disks are by design more resilient that storage accounts. For ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective.", + "ImpactStatement": "There are additional costs for managed disks based off of disk space allocated. 
When converting to managed disks, VMs will be powered off and back on.", + "RemediationProcedure": "From Azure Portal 1. Using the search feature, go to Virtual Machines 2. Select the virtual machine you would like to convert 3. Select Disks in the menu for the VM 4. At the top select Migrate to managed disks 5. You may follow the prompts to convert the disk and finish by selecting Migrate to start the process NOTE VMs will be stopped and restarted after migration is complete. From PowerShell Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName", + "AuditProcedure": "From Azure Portal 1. Using the search feature, go to Virtual Machines 2. Click the Manage view dropdown, then select Edit columns 3. Add Uses managed disks to the selected columns 4. Select Save 5. Ensure all virtual machines listed are using managed disks Page 406 From PowerShell Get-AzVM | ForEach-Object {'Name: ' + $_.Name;'ManagedDisk Id: ' + $_.StorageProfile.OsDisk.ManagedDisk.Id;''} Example output: Name: vm1 ManagedDisk Id: /disk1/id Name: vm2 ManagedDisk Id: /disk2/id If the 'ManagedDisk Id' field is empty the os disk for that vm is not managed.", + "AdditionalInformation": "", + "DefaultValue": "Managed disks or are an option upon the creation of VMs.", + "References": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default:https://docs.microsoft.com/en-us/azure/virtual-machines/faq-for-disks:https://azure.microsoft.com/en-us/pricing/details/managed-disks/" + } + ] + }, + { + "Id": "7.3", + "Description": "Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)", + "Checks": [ + "vm_ensure_attached_disks_encrypted_with_cmk" + ], + "Attributes": [ + { + "Section": "7 
Virtual Machines", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE orServer Side Encryption (SSE).", + "RationaleStatement": "Encrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security.", + "ImpactStatement": "Using CMK/BYOK will entail additional management of keys. NOTE: You must have your key vault set up to utilize this.", + "RemediationProcedure": "From Azure Portal Note: Disks must be detached from VMs to have encryption changed. 1. Go to Virtual machines 2. For each virtual machine, go to Settings 3. Click on Disks 4. Click the ellipsis (...), then click Detach to detach the disk from the VM 5. Now search for Disks and locate the unattached disk 6. Click the disk then select Encryption 7. Change your encryption type, then select your encryption set 8. Click Save 9. 
Go back to the VM and re-attach the disk From PowerShell $KVRGname = 'MyKeyVaultResourceGroup'; $VMRGName = 'MyVirtualMachineResourceGroup'; $vmName = 'MySecureVM'; $KeyVaultName = 'MySecureVault'; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl - DiskEncryptionKeyVaultId $KeyVaultResourceId; NOTE: During encryption it is likely that a reboot will be required. It may take up to 15 minutes to complete the process. NOTE 2: This may differ for Linux machines as you may need to set the -skipVmBackup parameter", + "AuditProcedure": "From Azure Portal 1. Go to Virtual machines 2. For each virtual machine, go to Settings 3. Click on Disks 4. Ensure that the OS disk and Data disks have encryption set to CMK. From PowerShell $ResourceGroupName='yourResourceGroupName' $DiskName='yourDiskName' $disk=Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName $disk.Encryption.Type", + "AdditionalInformation": "", + "DefaultValue": "By default, Azure disks are encrypted using SSE with PMK.", + "References": 
"https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss:https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json:https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart:https://docs.microsoft.com/en-us/rest/api/compute/disks/delete:https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell:https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption" + } + ] + }, + { + "Id": "7.4", + "Description": "Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)", + "Checks": [ + "vm_ensure_unattached_disks_encrypted_with_cmk" + ], + "Attributes": [ + { + "Section": "7 Virtual Machines", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).", + "RationaleStatement": "Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. 
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks, which may lead to sensitive information disclosure and tampering.", + "ImpactStatement": "NOTE: You must have your key vault set up to utilize this. Encryption is available only on Standard tier VMs. This might cost you more. Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys.", + "RemediationProcedure": "If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at: -https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az- disk-delete If data stored in the disk is important, To encrypt the disk refer azure documentation at: -https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable- customer-managed-keys-portal -https://docs.microsoft.com/en- us/rest/api/compute/disks/update#encryptionsettings", + "AuditProcedure": "From Azure Portal 1. Go to Disks 2. Click on Add Filter 3. In the filter field select Disk state 4. In the Value field select Unattached 5. Click Apply 6. for each disk listed ensure that Encryption type in the encryption blade is `Encryption at-rest with a customer-managed key' Page 412 From Azure CLI Ensure command below does not return any output. az disk list --query '[? 
diskstate == `Unattached`].{encryptionSettings: encryptionSettings, name: name}' -o json Sample Output: [ { 'encryptionSettings': null, 'name': '' }, { 'encryptionSettings': null, 'name': '' } ]", + "AdditionalInformation": "", + "DefaultValue": "By default, managed disks are encrypted with a Platform-managed key.", + "References": "https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss:https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json:https://docs.microsoft.com/en-us/rest/api/compute/disks/delete:https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete:https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings:https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest" + } + ] + }, + { + "Id": "7.5", + "Description": "Ensure that Only Approved Extensions Are Installed", + "Checks": [], + "Attributes": [ + { + "Section": "7 Virtual Machines", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For added security, only install organization-approved extensions on VMs.", + "RationaleStatement": "Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.", + "ImpactStatement": "Functionality by unsupported extensions will be disabled.", + "RemediationProcedure": "From Azure Portal 1. Go to Virtual machines 2. 
For each virtual machine, go to Settings 3. Click on Extensions + applications 4. If there are unapproved extensions, uninstall them. From Azure CLI From the audit command identify the unapproved extensions, and use the below CLI command to remove an unapproved extension attached to VM. az vm extension delete --resource-group --vm-name --name From PowerShell For each VM and each insecure extension from the Audit Procedure run the following command. Remove-AzVMExtension -ResourceGroupName -Name -VMName ", + "AuditProcedure": "From Azure Portal 1. Go to Virtual machines. 2. For each virtual machine, click on the server name to select it go to 3. In the new column menu, under Settings Click on Extensions + applications. 4. Ensure that all the listed extensions are approved by your organization for use. From Azure CLI Use the below command to list the extensions attached to a VM, and ensure the listed extensions are approved for use. az vm extension list --vm-name --resource-group -- query [*].name From PowerShell Get a list of VMs. Get-AzVM For each VM run the following command. 
Get-AzVMExtension -ResourceGroupName -VMName Review each Name, ExtensionType, and ProvisioningState to make sure no unauthorized extensions are installed on any virtual machines.", + "AdditionalInformation": "", + "DefaultValue": "By default, no extensions are added to the virtual machines.", + "References": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features:https://docs.microsoft.com/en-us/powershell/module/az.compute/?view=azps-7.5.0#vm-extensions:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-2-use-only-approved-services:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-5-use-only-approved-applications-in-virtual-machine" + } + ] + }, + { + "Id": "7.6", + "Description": "Ensure that Endpoint Protection for all Virtual Machines is installed", + "Checks": [ + "defender_assessments_vm_endpoint_protection_installed" + ], + "Attributes": [ + { + "Section": "7 Virtual Machines", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Install endpoint protection for all virtual machines.", + "RationaleStatement": "Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems.", + "ImpactStatement": "Endpoint protection will incur an additional cost to you.", + "RemediationProcedure": "Follow Microsoft Azure documentation to install endpoint protection from the security center. Alternatively, you can employ your own endpoint protection tool for your OS.", + "AuditProcedure": "From Azure Portal 1. Go to Security Center 2. Click the Recommendations blade 3. 
Ensure that there are no recommendations for Endpoint Protection not installed on Azure VMs From Azure CLI az vm show -g MyResourceGroup -n MyVm -d It should list below or any other endpoint extensions as one of the installed extensions. EndpointSecurity || TrendMicroDSA* || Antimalware || EndpointProtection || SCWPAgent || PortalProtectExtension* || FileSecurity* Alternatively, you can employ your own endpoint protection tool for your OS.", + "AdditionalInformation": "", + "DefaultValue": "By default Endpoint Protection is disabled.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection:https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware:https://docs.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest#az_vm_extension_list:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security#es-1-use-endpoint-detection-and-response-edr" + } + ] + }, + { + "Id": "7.7", + "Description": "[Legacy] Ensure that VHDs are Encrypted", + "Checks": [], + "Attributes": [ + { + "Section": "7 Virtual Machines", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations. VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs", + "RationaleStatement": "While it is recommended to use Managed Disks which are encrypted by default, 'legacy' VHDs may exist for a variety of reasons and may need to remain in VHD format. 
VHDs are not encrypted by default, so this recommendation intends to address the security of these disks. In these niche cases, VHDs should be encrypted using the procedures in this recommendation to encrypt and protect the data content. If a virtual machine is using a VHD and can be converted to a managed disk, instructions for this procedure can be found in the resources section of this recommendation under the title 'Convert VHD to Managed Disk.'", + "ImpactStatement": "Depending on how the encryption is implemented will change the size of the impact. If provider-managed keys(PMK) are utilized, the impact is relatively low, but processes need to be put in place to regularly rotate the keys. If Customer-managed keys(CMK) are utilized, a key management process needs to be implemented to store and manage key rotation, thus the impact is medium to high depending on user maturity with key management.", + "RemediationProcedure": "From Azure Portal 1. Navigate to the storage account that you wish to encrypt 2. Select encryption 3. Select the encryption type that you wish to use If you wish to use a Microsoft-managed key (the default), you can save at this point and encryption will be applied to the account. If you select Customer-managed keys, it will ask for the location of the key (The default is an Azure Key Vault) and the key name. Once these are captured, save the configuration and the account will be encrypted using the provided key. 
From Azure CLI: Create the Key Vault az keyvault create --name --resource-group --location --enabled-for-disk-encryption Encrypt the disk and store the key in Key Vault az vm encryption enable -g --name --disk-encryption- keyvault myKV From PowerShell This process uses a Key Vault to store the keys Create the Key Vault New-AzKeyvault -name -ResourceGroupName -Location -EnabledForDiskEncryption Encrypt the disk and store the key in Key Vault $KeyVault = Get-AzKeyVault -VaultName -ResourceGroupName Set-AzVMDiskEncryptionExtension -ResourceGroupName -VMName -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri - DiskEncryptionKeyVaultId $KeyVault.ResourceId", + "AuditProcedure": "From Azure CLI For each virtual machine identify if the VM is using a legacy VHD by reviewing the VHD parameter in the output of the following command. The VHD parameter will contain the Storage Account name used for the VHD. az vm show --name --resource-group Next, identify if the storage account from the VHD parameter is encrypted by reviewing the encryption --> services --> blob --> enabled within the output of the following command and make sure its value is True. az storage account show --name --resource-group From PowerShell: Determine whether the VM is using a VHD for the OS Disk and any Data disks. $virtualMachine = Get-AzVM --Name --ResourceGroup |Select-Object -ExpandProperty StorageProfile $virtualMachine.OsDisk $virtualMachine.DataDisks Next, use the value from VHD to see if the storage blob holding the VHD is encrypted. 
$storageAccount = Get-AzStorageAccount -Name -ResourceGroupName $storageAccount.Encryption.Services.Blob", + "AdditionalInformation": "", + "DefaultValue": "The default value for encryption is 'NO Encryption'", + "References": "CLI: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-cli-quickstart:Powershell: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-powershell-quickstart:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest:Convert VHD to Managed Disk: https://docs.microsoft.com/en-us/previous-versions/azure/virtual-machines/scripts/virtual-machines-powershell-sample-create-managed-disk-from-vhd" + } + ] + }, + { + "Id": "8.1", + "Description": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults", + "Checks": [ + "keyvault_rbac_key_expiration_set" + ], + "Attributes": [ + { + "Section": "8 Key Vault", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "RationaleStatement": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.", + "ImpactStatement": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.", + "RemediationProcedure": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. 
In the main pane, ensure that an appropriate Expiration date is set for any keys that are Enabled. From Azure CLI: Update the Expiration date for the key using the below command: az keyvault key set-attributes --name --vault-name -- expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all keys in a Key Vault using Microsoft API, the 'List' Key permission is required. To update the expiration date for the keys: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Crypto Officer to the appropriate user. From PowerShell: Set-AzKeyVaultKeyAttribute -VaultName -Name -Expires ", + "AuditProcedure": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. In the main pane, ensure that an appropriate Expiration date is set for any keys that are Enabled. From Azure CLI: Get a list of all the key vaults in your Azure environment by running the following command: az keyvault list Then for each key vault listed ensure that the output of the below command contains Key ID (kid), enabled status as true and Expiration date (expires) is not empty or null: az keyvault key list --vault-name --query '[*].{'kid':kid,'enabled':attributes.enabled,'expires':attributes.expires}' From PowerShell: Retrieve a list of Azure Key vaults: Get-AzKeyVault For each Key vault run the following command to determine which vaults are configured to use RBAC. Get-AzKeyVault -VaultName For each Key vault with the EnableRbacAuthorizatoin setting set to True, run the following command. 
Get-AzKeyVaultKey -VaultName Make sure the Expires setting is configured with a value as appropriate wherever the Enabled setting is set to True.", + "AdditionalInformation": "", + "DefaultValue": "By default, keys do not expire.", + "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis:https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0" + } + ] + }, + { + "Id": "8.2", + "Description": "Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.", + "Checks": [ + "keyvault_key_expiration_set_in_non_rbac" + ], + "Attributes": [ + { + "Section": "8 Key Vault", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "RationaleStatement": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.", + "ImpactStatement": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.", + "RemediationProcedure": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. In the main pane, ensure that the status of the key is Enabled. 4. For each enabled key, ensure that an appropriate Expiration date is set. 
From Azure CLI: Update the Expiration date for the key using the below command: az keyvault key set-attributes --name --vault-name -- expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all keys in a Key Vault using Microsoft API, the 'List' Key permission is required. To update the expiration date for the keys: 1. Go to Key vault, click on Access policies. 2. Click on Create and add an access policy with the Update permission (in the Key Permissions - Key Management Operations section). From PowerShell Set-AzKeyVaultKeyAttribute -VaultName -Name -Expires ", + "AuditProcedure": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. In the main pane, ensure that the status of the key is Enabled. 4. For each enabled key, ensure that an appropriate Expiration date is set. From Azure CLI: Get a list of all the key vaults in your Azure environment by running the following command: az keyvault list For each key vault, ensure that the output of the below command contains Key ID (kid), enabled status as true and Expiration date (expires) is not empty or null: az keyvault key list --vault-name --query '[*].{'kid':kid,'enabled':attributes.enabled,'expires':attributes.expires}' From PowerShell: Retrieve a list of Azure Key vaults: Get-AzKeyVault For each Key vault, run the following command to determine which vaults are configured to not use RBAC: Get-AzKeyVault -VaultName For each Key vault with the EnableRbacAuthorizatoin setting set to False or empty, run the following command. 
Get-AzKeyVaultKey -VaultName Make sure the Expires setting is configured with a value as appropriate wherever the Enabled setting is set to True.", + "AdditionalInformation": "", + "DefaultValue": "By default, keys do not expire.", + "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis:https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0" + } + ] + }, + { + "Id": "8.3", + "Description": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults", + "Checks": [ + "keyvault_rbac_secret_expiration_set" + ], + "Attributes": [ + { + "Section": "8 Key Vault", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "RationaleStatement": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.", + "ImpactStatement": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.", + "RemediationProcedure": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Secrets. 3. In the main pane, ensure that the status of the secret is Enabled. 4. 
For each enabled secret, ensure that an appropriate Expiration date is set. From Azure CLI: Update the Expiration date for the secret using the below command: az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the List Key permission is required. To update the expiration date for the secrets: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Secrets Officer to the appropriate user. From PowerShell: Set-AzKeyVaultSecretAttribute -VaultName -Name - Expires ", + "AuditProcedure": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Secrets. 3. In the main pane, ensure that the status of the secret is Enabled. 4. For each enabled secret, ensure that an appropriate Expiration date is set. From Azure CLI: Ensure that the output of the below command contains ID (id), enabled status as true and Expiration date (expires) is not empty or null: az keyvault secret list --vault-name --query '[*].{'kid':kid,'enabled':attributes.enabled,'expires':attributes.expires}' From PowerShell: Retrieve a list of Key vaults: Get-AzKeyVault For each Key vault, run the following command to determine which vaults are configured to use RBAC: Get-AzKeyVault -VaultName For each Key vault with the EnableRbacAuthorizatoin setting set to True, run the following command: Get-AzKeyVaultSecret -VaultName Make sure the Expires setting is configured with a value as appropriate wherever the Enabled setting is set to True.", + "AdditionalInformation": "", + "DefaultValue": "By default, secrets do not expire.", + "References": 
"https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis:https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0" + } + ] + }, + { + "Id": "8.4", + "Description": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults", + "Checks": [ + "keyvault_non_rbac_secret_expiration_set" + ], + "Attributes": [ + { + "Section": "8 Key Vault", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "RationaleStatement": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.", + "ImpactStatement": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.", + "RemediationProcedure": "From Azure Portal: 1. 
Go to Key vaults. 2. For each Key vault, click on Secrets. 3. In the main pane, ensure that the status of the secret is Enabled. 4. Set an appropriate Expiration date on all secrets. From Azure CLI: Update the Expiration date for the secret using the below command: az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the List Key permission is required. To update the expiration date for the secrets: 1. Go to Key vault, click on Access policies. 2. Click on Create and add an access policy with the Update permission (in the Secret Permissions - Secret Management Operations section). From PowerShell: For each Key vault with the EnableRbacAuthorization setting set to False or empty, run the following command. Set-AzKeyVaultSecret -VaultName -Name -Expires ", + "AuditProcedure": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Secrets. 3. In the main pane, ensure that the status of the secret is Enabled. 4. Set an appropriate Expiration date on all secrets. From Azure CLI: Get a list of all the key vaults in your Azure environment by running the following command: az keyvault list For each key vault, ensure that the output of the below command contains ID (id), enabled status as true and Expiration date (expires) is not empty or null: az keyvault secret list --vault-name --query '[*].{'kid':kid,'enabled':attributes.enabled,'expires':attributes.expires}' From PowerShell: Retrieve a list of Key vaults: Get-AzKeyVault For each Key vault run the following command to determine which vaults are configured to use RBAC: Get-AzKeyVault -VaultName For each Key Vault with the EnableRbacAuthorization setting set to False or empty, run the following command. 
Get-AzKeyVaultSecret -VaultName Make sure the Expires setting is configured with a value as appropriate wherever the Enabled setting is set to True.", + "AdditionalInformation": "", + "DefaultValue": "By default, secrets do not expire.", + "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis:https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultsecret?view=azps-7.4.0" + } + ] + }, + { + "Id": "8.5", + "Description": "Ensure the Key Vault is Recoverable", + "Checks": [ + "keyvault_recoverable" + ], + "Attributes": [ + { + "Section": "8 Key Vault", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the 'Do Not Purge' and 'Soft Delete' functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.", + "RationaleStatement": "There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. 
Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 Key Vault properties that play a role in permanent unavailability of a Key Vault: 1. enableSoftDelete: Setting this parameter to 'true' for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, key vault and its objects will subsequently be purged. 2. enablePurgeProtection: enableSoftDelete only ensures that Key Vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are scenarios in which the Key Vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to 'true' ensures that the Key Vault and its objects cannot be purged. Enabling both the parameters on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.", + "ImpactStatement": "Once purge-protection and soft-delete are enabled for a Key Vault, the action is irreversible.", + "RemediationProcedure": "To enable 'Do Not Purge' and 'Soft Delete' for a Key Vault: From Azure Portal 1. Go to Key Vaults 2. For each Key Vault 3. Click Properties 4. Ensure the status of soft-delete reads Soft delete has been enabled on this key vault. 5. At the bottom of the page, click 'Enable Purge Protection' Note, once enabled you cannot disable it. 
From Azure CLI az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx- xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault /vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true From PowerShell Update-AzKeyVault -VaultName --query '[*].{'kid':kid,'enabled':attributes.enabled,'expires':attributes.expires}' From PowerShell: Retrieve a list of Key vaults: Get-AzKeyVault For each Key vault run the following command to determine which vaults are configured to use RBAC: Get-AzKeyVault -VaultName For each Key Vault with the EnableRbacAuthorization setting set to False or empty, run the following command. Get-AzKeyVaultSecret -VaultName Make sure the Expires setting is configured with a value as appropriate wherever the Enabled setting is set to True.", + "AdditionalInformation": "When a key is used for SQL server TDE or Encrypting Storage Account, both the features 'Do Not Purge' and 'Soft Delete' are enabled for the corresponding Key Vault by default by Azure Backend. WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. 
All role assignments will need to be recreated after recovery.", + "DefaultValue": "When a new Key Vault is created, both the parameters enableSoftDelete and enablePurgeProtection are set to null, disabling both the features.", + "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli:https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-8-define-and-implement-backup-and-recovery-strategy:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository" + } + ] + }, + { + "Id": "8.6", + "Description": "Enable Role Based Access Control for Azure Key Vault", + "Checks": [ + "keyvault_rbac_enabled" + ], + "Attributes": [ + { + "Section": "8 Key Vault", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services.", + "RationaleStatement": "The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.", + "ImpactStatement": "Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. 
For the least amount of downtime, map your current groups and users to their corresponding permission needs.", + "RemediationProcedure": "From Azure Portal Key Vaults can be configured to use Azure role-based access control on creation. For existing Key Vaults: 1. From Azure Home open the Portal Menu in the top left corner 2. Select Key Vaults 3. Select a Key Vault to audit 4. Select Access configuration 5. Set the Permission model radio button to Azure role-based access control, taking note of the warning message 6. Click Save 7. Select Access Control (IAM) 8. Select the Role Assignments tab 9. Reapply permissions as needed to groups or users", + "AuditProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left corner 2. Select Key Vaults 3. Select a Key Vault to audit 4. Select Access configuration 5. Ensure the Permission Model radio button is set to Azure role-based access control", + "AdditionalInformation": "", + "DefaultValue": "The default value for Access control in Key Vaults is Vault Policy.", + "References": "https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-stepshttps://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current:https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository" + } + ] + }, + { + "Id": "8.7", + "Description": "Ensure that Private Endpoints are Used for Azure Key Vault", + "Checks": [ + "keyvault_private_endpoints" + ], + "Attributes": [ + { + "Section": "8 Key Vault", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.", + "RationaleStatement": "Private endpoints will keep network requests to Azure Key 
Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.", + "ImpactStatement": "Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint per petabyte or more of networking traffic.", + "RemediationProcedure": "Please see the additional information about the requirements needed before starting this remediation procedure. From Azure Portal 1. From Azure Home open the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Select Networking in the left column. 5. Select Private endpoint connections from the top row. 6. Select + Create. 7. Select the subscription the Key Vault is within, and other desired configuration. 8. Select Next. 9. For resource type select Microsoft.KeyVault/vaults. 10. Select the Key Vault to associate the Private Endpoint with. 11. Select Next. 12. In the Virtual Networking field, select the network to assign the Endpoint. 13. Select other configuration options as desired, including an existing or new application security group. 14. Select Next. 15. Select the private DNS the Private Endpoints will use. 16. Select Next. 17. Optionally add Tags. 18. Select Next : Review + Create. 19. Review the information and select Create. Follow the Audit Procedure to determine if it has successfully applied. 20. Repeat steps 3-19 for each Key Vault. From Azure CLI 1. 
To create an endpoint, run the following command: az network private-endpoint create --resource-group --subnet --name -- private-connection-resource-id '/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/' --group-ids vault --connection-name -- location --manual-request 2. To manually approve the endpoint request, run the following command: az keyvault private-endpoint-connection approve --resource-group --vault-name –name 4. Determine the Private Endpoint's IP address to connect the Key Vault to the Private DNS you have previously created: 5. Look for the property networkInterfaces then id; the value must be placed in the variable within step 7. az network private-endpoint show -g -n 6. Look for the property networkInterfaces then id; the value must be placed on in step 7. az network nic show --ids 7. Create a Private DNS record within the DNS Zone you created for the Private Endpoint: az network private-dns record-set a add-record -g -z 'privatelink.vaultcore.azure.net' -n -a 8. nslookup the private endpoint to determine if the DNS record is correct: nslookup .vault.azure.net nslookup .privatelink.vaultcore.azure.n", + "AuditProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Select Networking in the left column. 5. Select Private endpoint connections from the top row. 6. View if there is an endpoint attached. From Azure CLI Run the following command within a subscription for each Key Vault you wish to audit. az keyvault private-endpoint-connection show -g --vault-name From Powershell Run the following command within a subscription for each Key Vault you wish to audit. 
Get-AzPrivateEndpointConnection -PrivateLinkResourceId '/subscriptions//resourceGroups//providers /Microsoft.KeyVault/vaults//'", + "AdditionalInformation": "This recommendation assumes that you have created a Resource Group containing a Virtual Network that the services are already associated with and configured private DNS. A Bastion on the virtual network is also required, and the service to which you are connecting must already have a Private Endpoint. For information concerning the installation of these services, please see the attached documentation. Microsoft's own documentation lists the requirements as: A Key Vault. An Azure virtual network. A subnet in the virtual network. Owner or contributor permissions for both the Key Vault and the virtual network.", + "DefaultValue": "By default, Private Endpoints are not enabled for any services within Azure.", + "References": " https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview:https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints:https://azure.microsoft.com/en-us/pricing/details/private-link/:https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal:https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal:https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal:https://docs.microsoft.com/en-us/azure/bastion/bastion-overview:https://docs.microsoft.com/azure/dns/private-dns-getstarted-cli#create-an-additional-dns-record:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository" + } + ] + }, + { + "Id": "8.8", + "Description": "Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services", + "Checks": [ + "keyvault_key_rotation_enabled" + ], + "Attributes": [ + { + "Section": "8 Key Vault", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + 
"Description": "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.", + "RationaleStatement": "Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.", + "ImpactStatement": "There are an additional costs per operation in running the needed applications.", + "RemediationProcedure": "Note: Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P(Y,M,D). The leading P is required with it denoting period. The (Y,M,D) are for the duration of Year, Month,and Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D). From Azure Portal 1. From Azure Portal select the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Under Objects select Keys. 5. Select a key to audit. 6. In the top row select Rotation policy. 7. Select an Expiry time. 8. Set Enable auto rotation to Enabled. 9. Set an appropriate Rotation option and Rotation time. 10. Optionally set the Notification time. 11. Select Save. 12. Repeat steps 3-11 for each Key Vault and Key. From Azure CLI Run the following command for each key to update its policy to be auto-rotated: az keyvault key rotation-policy update -n --vault-name --value Note: It is easiest to supply the policy flags in a .json file. 
An example json file would be: { 'lifetimeActions': [ { 'trigger': { 'timeAfterCreate': '', 'timeBeforeExpiry' : null }, 'action': { 'type': 'Rotate' } }, { 'trigger': { 'timeBeforeExpiry' : '' }, 'action': { 'type': 'Notify' } } ], 'attributes': { 'expiryTime': '' } } From PowerShell Run the following command for each key to update its policy: Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json Note: It is easiest to supply the policy flags in a .json file. An example json file would be: <# rotation_policy.json { 'lifetimeActions': [ { 'trigger': { 'timeAfterCreate': 'PM', 'timeBeforeExpiry': null }, 'action': { 'type': 'Rotate' } }, { 'trigger': { 'timeBeforeExpiry': 'PD' }, 'action': { 'type': 'Notify' } } ], 'attributes': { 'expiryTime': 'PY' } } #>", + "AuditProcedure": "From Azure Portal 1. From Azure Portal select the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Under Objects select Keys. 5. Select a key to audit. 6. In the top row select Rotation policy. 7. Ensure Enable auto rotation is set to Enabled. 8. Repeat steps 3-7 for each Key Vault and Key. From Azure CLI Run the following command: az keyvault key rotation-policy show --vaultname --name From PowerShell Run the following command: Get-AzKeyVaultKeyRotationPolicy -VaultName -Name ", + "AdditionalInformation": "Automatic Key Rotation is in public preview, so any configuration will not change upon full release. **Note: ** Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P(Y,M,D). The leading P is required with it denoting period. The (Y,M,D) are for the duration of Year, Month, Day respectively. 
A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).", + "DefaultValue": "By default, Automatic Key Rotation is not enabled.", + "References": "https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation:https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#update-the-key-version:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell#set-up-an-azure-key-vault-and-diskencryptionset-optionally-with-automatic-key-rotation:https://azure.microsoft.com/en-us/updates/public-preview-automatic-key-rotation-of-customermanaged-keys-for-encrypting-azure-managed-disks/:https://docs.microsoft.com/en-us/cli/azure/keyvault/key/rotation-policy?view=azure-cli-latest#az-keyvault-key-rotation-policy-update:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyrotationpolicy?view=azps-8.1.0:https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/timespan:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process" + } + ] + }, + { + "Id": "9.1", + "Description": "Ensure App Service Authentication is set up for apps in Azure App Service", + "Checks": [ + "app_ensure_auth_is_set_up" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. 
To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.", + "RationaleStatement": "By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.", + "ImpactStatement": "This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable. Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication.", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, click on Authentication 5. If no identity providers are set up, then click Add identity provider 6. Choose other parameters as per your requirements and click on Add From Azure CLI To set App Service Authentication for an existing app, run the following command: az webapp auth update --resource-group --name --enabled true Note In order to access App Service authentication settings for Web app using Microsoft API requires Website contributor permission at subscription level. A custom role can be created in place of Website contributor to provide more specific permission and maintain the principle of least privileged access.", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on Authentication 5. 
Ensure that App Service authentication set to Enabled (Will only appear once an Identity provider is set up/selected) From Azure CLI To check App Service Authentication status for an existing app, run the following command, az webapp auth show --resource-group --name --query enabled The output should return true if App Service authentication is set to On.", + "AdditionalInformation": "You're not required to use App Service for authentication and authorization. Many web frameworks are bundled with security features, and you can use them if you like. If you need more flexibility than App Service provides, you can also write your own utilities. Secure authentication and authorization require deep understanding of security, including federation, encryption, JSON web tokens (JWT) management, grant types, and so on.", + "DefaultValue": "By default, App Service Authentication is disabled when a new app is created using the command-line tool or Azure Portal console.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview:https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "9.2", + "Description": "Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service", + "Checks": [ + "app_ensure_http_is_redirected_to_https" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. 
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.", + "RationaleStatement": "Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits.", + "ImpactStatement": "When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app.", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on TLS/SSL settings 5. Under the Bindings pane, set HTTPS Only to On under Protocol Settings section From Azure CLI To set HTTPS-only traffic value for an existing app, run the following command: az webapp update --resource-group --name -- set httpsOnly=true From PowerShell Set-AzWebApp -ResourceGroupName -Name - HttpsOnly $true", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, click on TLS/SSL settings 5. Under the Bindings pane, ensure that HTTPS Only set to On under Protocol Settings From Azure CLI To check HTTPS-only traffic value for an existing app, run the following command, az webapp show --resource-group --name -- query httpsOnly The output should return true if HTTPS-only traffic value is set to On. From PowerShell List all the web apps configured within the subscription. 
Get-AzWebApp | Select-Object ResourceGroup, Name, HttpsOnly For each web app review the HttpsOnly setting and make sure it is set to True.", + "AdditionalInformation": "", + "DefaultValue": "By default, HTTPS-only feature will be disabled when a new app is created using the command-line tool or Azure Portal console.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit:https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0" + } + ] + }, + { + "Id": "9.3", + "Description": "Ensure Web App is using the latest version of TLS encryption", + "Checks": [ + "app_minimum_tls_version_12" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.", + "RationaleStatement": "App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on SSL settings 5. 
Under the Bindings pane, set Minimum TLS Version to 1.2 under Protocol Settings section From Azure CLI To set TLS Version for an existing app, run the following command: az webapp config set --resource-group --name --min-tls-version 1.2 From PowerShell Set-AzWebApp -ResourceGroupName -Name - MinTlsVersion 1.2", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on TLS/SSL settings 5. Under the Bindings pane, ensure that Minimum TLS Version set to 1.2 under Protocol Settings From Azure CLI To check TLS Version for an existing app, run the following command, az webapp config show --resource-group --name --query minTlsVersion The output should return 1.2 if TLS Version is set to 1.2 (Which is currently the latest version). From PowerShell List all web apps. Get-AzWebApp For each web app run the following command. Get-AzWebApp -ResourceGroupName -Name |Select-Object -ExpandProperty SiteConfig Make sure the minTlsVersion is set to at least 1.2.", + "AdditionalInformation": "", + "DefaultValue": "By default, TLS Version feature will be set to 1.2 when a new app is created using the command-line tool or Azure Portal console.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-8-detect-and-disable-insecure-services-and--protocols:https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0" + } + ] + }, + { + "Id": "9.4", + "Description": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'", + "Checks": [ + "app_client_certificates_on" + ], + "Attributes": [ + { + "Section": "9 
AppService", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.", + "RationaleStatement": "The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app.", + "ImpactStatement": "Utilizing and maintaining client certificates will require additional work to obtain and manage replacement and key rotation.", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under the Settings section, Click on Configuration, then General settings 5. Set the option Client certificate mode located under Incoming client certificates to Require From Azure CLI To set Incoming client certificates value for an existing app, run the following command: az webapp update --resource-group --name -- set clientCertEnabled=true", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under the Settings section, Click on Configuration, then General settings 5. Ensure that the option Client certificate mode located under Incoming client certificates is set to Require From Azure CLI To check Incoming client certificates value for an existing app, run the following command, az webapp show --resource-group --name -- query clientCertEnabled The output should return true if Incoming client certificates value is set to On. From PowerShell List all web apps. Get-AzWebApp For each web app run the following command. 
Get-AzWebApp -ResourceGroup -Name Make sure the ClientCertEnabled is set to True.", + "AdditionalInformation": "", + "DefaultValue": "By default, incoming client certificates will be disabled when a new app is created using the command-line tool or Azure Portal console.", + "References": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-authenticate-server-and-services" + } + ] + }, + { + "Id": "9.5", + "Description": "Ensure that Register with Azure Active Directory is enabled on App Service", + "Checks": [ + "app_register_with_identity" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.", + "RationaleStatement": "App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.", + "ImpactStatement": "", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on Identity 5. Under the System assigned pane, set Status to On From Azure CLI To set Register with Azure Active Directory feature for an existing app, run the following command: az webapp identity assign --resource-group --name From PowerShell To register with Azure Active Directory feature for an existing app, run the following command: Set-AzWebApp -AssignIdentity $True -ResourceGroupName - Name ", + "AuditProcedure": "From Azure Portal 1. 
From Azure Portal open the Portal Menu in the top left 2. Go to App Services 3. Click on each App 4. Under the Setting section, Click on Identity 5. Under the System assigned pane, ensure that Status set to On From Azure CLI To check Register with Azure Active Directory feature status for an existing app, run the following command, az webapp identity show --resource-group --name --query principalId The output should return unique Principal ID. If no output for the above command then Register with Azure Active Directory is not set. From PowerShell List the web apps. Get-AzWebApp For each web app run the following command. Get-AzWebapp -ResourceGroupName -Name Make sure the Identity setting contains a unique Principal ID", + "AdditionalInformation": "", + "DefaultValue": "By default, Managed service identity via Azure AD is disabled.", + "References": "https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-1-use-centralized-identity-and-authentication-system" + } + ] + }, + { + "Id": "9.6", + "Description": "Ensure That 'PHP version' is the Latest, If Used to Run the Web App", + "Checks": [ + "app_ensure_php_version_is_latest" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", + "RationaleStatement": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. 
With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.", + "ImpactStatement": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane, ensure that for a Stack of PHP the Major Version and Minor Version reflect the latest stable and supported release. NOTE: No action is required If PHP version is set to Off or is set with an empty value as PHP is not used by your web app. From Azure CLI List the available PHP runtimes: az webapp list-runtimes To set latest PHP version for an existing app, run the following command: az webapp config set --resource-group --name [--linux-fx-version ][--php-version ] From PowerShell To set latest PHP version for an existing app, run the following command: Set-AzWebApp -ResourceGroupName -Name - phpVersion NOTE: Currently there is no way to update an existing web app Linux FX Version setting using PowerShell, nor is there a way to create a new web app using PowerShell that configures the PHP runtime in the Linux FX Version setting.", + "AuditProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane, ensure that for a Stack of PHP the Major Version and Minor Version reflect the latest stable and supported release. 
** The latest stable version can be confirmed by going to php.net. Navigate to the downloads, and then find the most recent version that is marked by Current Stable PHP [version_number]. ** NOTE: No action is required If PHP version is set to Off as PHP is not used by your web app. From Azure CLI To check PHP version for an existing app, run the following command, az webapp config show --resource-group --name --query '{LinuxFxVersion:linuxFxVersion,PHP_Version:phpVersion}' From PowerShell $application = Get-AzWebApp -ResourceGroupName -Name $application.SiteConfig | select-object LinuxFXVersion, phpVersion The output should return the latest available version of PHP. Any other version of PHP would be considered a finding. NOTE: No action is required, If the output is empty as PHP is not used by your web app.", + "AdditionalInformation": "", + "DefaultValue": "The version of PHP is whatever was selected upon App creation.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources:https://www.php.net/downloads" + } + ] + }, + { + "Id": "9.7", + "Description": "Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App", + "Checks": [ + "app_ensure_python_version_is_latest" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", + "RationaleStatement": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected. Using the latest full version will keep your stack secure to vulnerabilities and exploits.", + "ImpactStatement": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.", + "RemediationProcedure": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane and ensure that the Major Version and the Minor Version is set to the latest stable version available (Python 3.11, at the time of writing) NOTE: No action is required if Python version is set to Off, as Python is not used by your web app. From Azure CLI To see the list of supported runtimes: az webapp list-runtimes To set latest Python version for an existing app, run the following command: az webapp config set --resource-group --name [--windows-fx-version 'PYTHON|3.11'] [--linux-fx-version 'PYTHON|3.11'] From PowerShell As of this writing, there is no way to update an existing application's SiteConfig or set the a new application's SiteConfig settings during creation via PowerShell.", + "AuditProcedure": "From Azure Console 1. 
From Azure Home open the Portal Menu in the top left 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane and ensure that for a Stack of Python, with Major Version of Python 3, that the Minor Version is set to the latest stable version available (Python 3.11, at the time of writing) NOTE: No action is required if Python version is set to Off, as Python is not used by your web app. From Azure CLI To check Python version for an existing app, run the following command az webapp config show --resource-group --name --query '{LinuxFxVersion:linuxFxVersion,WindowsFxVersion:windowsFxVersion,PythonVersi on:pythonVersion}' The output should return the latest stable version of Python. NOTE: No action is required if the output is empty, as Python is not used by your web app. From PowerShell $app = Get-AzWebApp -Name -ResourceGroup $app.SiteConfig |Select-Object LinuxFXVersion, WindowsFxVersion, PythonVersion Ensure the output of the above command shows the latest version of Python. NOTE: No action is required if the output is empty, as Python is not used by your web app.", + "AdditionalInformation": "** The latest stable version can be confirmed by going to python.org. Navigate to the downloads, and then find the most recent version that is marked by security in the maintenance column. 
**", + "DefaultValue": "The version of Python is whatever was selected upon App creation.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources:https://www.python.org/downloads/" + } + ] + }, + { + "Id": "9.8", + "Description": "Ensure that 'Java version' is the latest, if used to run the Web App", + "Checks": [ + "app_ensure_java_version_is_latest" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.", + "RationaleStatement": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.", + "ImpactStatement": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.", + "RemediationProcedure": "From Azure Portal 1. 
Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect the latest stable and supported release, and that the Java web server version is set to the auto-update option. NOTE: No action is required if Java version is set to Off, as Java is not used by your web app. From Azure CLI To see the list of supported runtimes: az webapp list-runtimes To set latest Java version for an existing app, run the following command: az webapp config set --resource-group --name [--java-version --java-container --java- container-version [--windows-fx-version ] [--linux-fx-version ] If creating a new web application to use a currently supported version of Java, run the following commands. To create an app service plan: az appservice plan create --resource-group --name --location [--is-linux --number-of-workers --sku ] [--hyper-v --sku ] Get the app service plan ID: az appservice plan list --query '[].{Name:name, ID:id, SKU:sku, Location:location}' To create a new Java web application using the retrieved app service ID: az webapp create --resource-group --plan --name [--linux-fx-version ] [-- windows-fx-version ] From PowerShell As of this writing, there is no way to update an existing application's SiteConfig or set a new application's SiteConfig settings during creation via PowerShell.", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect the latest stable and supported release, and that the Java web server version is set to the auto-update option. 
NOTE: No action is required if Java version is set to Off, as Java is not used by your web app. From Azure CLI To check Java version for an existing app, run the following command, az webapp config show --resource-group --name --query '{LinuxFxVersion:linuxFxVersion, WindowsFxVersion:windowsFxVersion, JavaVersion:javaVersion, JavaContainerVersion:javaContainerVersion, JavaContainer:javaContainer}' The output should return the latest available version of Java (if java is being used for the web application being audited). From PowerShell For each application, store the application information within an object, and then interrogate the SiteConfig information for that application object. $app = Get-AzWebApp -Name -ResourceGroup $app.SiteConfig |Select-Object LinuxFXVersion, WindowsFxVersion, JavaVersion, JavaContainerVersion, JavaContainer Ensure the Java version used within the application is a currently supported version (if java is being used for the web application being audited).", + "AdditionalInformation": "", + "DefaultValue": "The default setting is whichever setting was chosen in the creation of the webapp.", + "References": " https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources:https://www.oracle.com/java/technologies/downloads/#java11" + } + ] + }, + { + "Id": "9.9", + "Description": "Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App", + "Checks": [ + "app_ensure_using_http20" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Periodically, newer versions are released for HTTP either due 
to security flaws or to include additional functionality. Using the latest HTTP version for web apps to takeadvantage of security fixes, if any, and/or new functionalities of the newer version.", + "RationaleStatement": "Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected. HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.", + "ImpactStatement": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.", + "RemediationProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on Configuration 5. Set HTTP version to 2.0 under General settings NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non- encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate. 
From Azure CLI To set HTTP 2.0 version for an existing app, run the following command: az webapp config set --resource-group --name --http20-enabled true From PowerShell To enable HTTP 2.0 version support, run the following command: Set-AzWebApp -ResourceGroupName -Name - Http20Enabled $true", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on Configuration 5. Ensure that HTTP Version set to 2.0 version under General settings NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non- encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate. From Azure CLI To check HTTP 2.0 version status for an existing app, run the following command, az webapp config show --resource-group --name --query http20Enabled The output should return true if HTTPS 2.0 traffic value is set to On. From PowerShell For each application, run the following command: Get-AzWebApp -ResourceGroupName -Name |Select-Object -ExpandProperty SiteConfig If the value of the Http20Enabled setting is true, the application is compliant. 
Otherwise if the value of the Http20Enabled setting is false, the application is non-compliant.", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources" + } + ] + }, + { + "Id": "9.10", + "Description": "Ensure FTP deployments are Disabled", + "Checks": [ + "app_ftp_deployment_disabled" + ], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.", + "RationaleStatement": "Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.", + "ImpactStatement": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.", + "RemediationProcedure": "From Azure Portal 1. Go to the Azure Portal 2. Select App Services 3. Click on an app 4. Select Settings and then Configuration 5. 
Under General Settings, for the Platform Settings, the FTP state should be set to Disabled or FTPS Only From Azure CLI For each out of compliance application, run the following choosing either 'disabled' or 'FtpsOnly' as appropriate: az webapp config set --resource-group --name --ftps-state [disabled|FtpsOnly] From PowerShell For each out of compliance application, run the following: Set-AzWebApp -ResourceGroupName -Name - FtpsState ", + "AuditProcedure": "From Azure Portal 1. Go to the Azure Portal 2. Select App Services 3. Click on an app 4. Select Settings and then Configuration 5. Under General Settings, for the Platform Settings, the FTP state should not be set to All allowed From Azure CLI List webapps to obtain the ids. az webapp list List the publish profiles to obtain the username, password and ftp server url. az webapp deployment list-publishing-profiles --ids { 'publishUrl': , 'userName': , 'userPWD': , } From PowerShell List all Web Apps: Get-AzWebApp For each app: Get-AzWebApp -ResourceGroupName -Name | Select-Object -ExpandProperty SiteConfig In the output, look for the value of FtpsState. If its value is AllAllowed the setting is out of compliance. 
Any other value is considered in compliance with this check.", + "AdditionalInformation": "", + "DefaultValue": "By default, FTP based deployment is All allowed", + "References": "[Azure Web Service Deploy via FTP](https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp):[Azure Web Service Deployment](https://docs.microsoft.com/en-us/azure/app-service/overview-security):https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities" + } + ] + }, + { + "Id": "9.11", + "Description": "Ensure Azure Key Vaults are Used to Store Secrets", + "Checks": [], + "Attributes": [ + { + "Section": "9 AppService", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.", + "RationaleStatement": "The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application.", + "ImpactStatement": "Integrating references to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration to be made during the writing of an application, or refactoring of an already written one. 
There are also additional costs that are charged per 10000 requests to the Key Vault.", + "RemediationProcedure": "Remediation has 2 steps 1. Setup the Key Vault 2. Setup the App Service to use the Key Vault Step 1: Set up the Key Vault From Azure CLI az keyvault create --name '' --resource-group '' -- location myLocation From Powershell New-AzKeyvault -name -ResourceGroupName -Location Step 2: Set up the App Service to use the Key Vault Sample JSON Template for App Service Configuration: Page 488 { //... 'resources': [ { 'type': 'Microsoft.Storage/storageAccounts', 'name': '[variables('storageAccountName')]', //... }, { 'type': 'Microsoft.Insights/components', 'name': '[variables('appInsightsName')]', //... }, { 'type': 'Microsoft.Web/sites', 'name': '[variables('functionAppName')]', 'identity': { 'type': 'SystemAssigned' }, //... 'resources': [ { 'type': 'config', 'name': 'appsettings', //... 'dependsOn': [ '[resourceId('Microsoft.Web/sites', variables('functionAppName'))]', '[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]', '[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionStringName'))]', '[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('appInsightsKeyName'))]' ], 'properties': { 'AzureWebJobsStorage': '[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersio n, ')')]', 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING': '[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersio n, ')')]', 'APPINSIGHTS_INSTRUMENTATIONKEY': '[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appInsightsKeyResourceId')).secretUriWithVersion, ')')]', 'WEBSITE_ENABLE_SYNC_UPDATE_SITE': 'true' //... } }, { 'type': 'sourcecontrols', 'name': 'web', //... 
'dependsOn': [ '[resourceId('Microsoft.Web/sites', variables('functionAppName'))]', '[resourceId('Microsoft.Web/sites/config', variables('functionAppName'), 'appsettings')]' ], } ] }, { 'type': 'Microsoft.KeyVault/vaults', 'name': '[variables('keyVaultName')]', //... 'dependsOn': [ '[resourceId('Microsoft.Web/sites', variables('functionAppName'))]' ], 'properties': { //... 'accessPolicies': [ { 'tenantId': '[reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31- PREVIEW').tenantId]', 'objectId': '[reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31- PREVIEW').principalId]', 'permissions': { 'secrets': [ 'get' ] } } ] }, 'resources': [ { 'type': 'secrets', 'name': '[variables('storageConnectionStringName')]', //... 'dependsOn': [ '[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]', '[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]' ], 'properties': { 'value': '[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)]' } }, { 'type': 'secrets', 'name': '[variables('appInsightsKeyName')]', //... 'dependsOn': [ '[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]', '[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]' ], 'properties': { 'value': '[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]' } } ] } ] }", + "AuditProcedure": "From Azure Portal 1. Login to Azure Portal 2. In the expandable menu on the left go to Key Vaults 3. View the Key Vaults listed. 
From Azure CLI To list key vaults within a subscription run the following command: Get-AzKeyVault To list the secrets within these key vaults run the following command: Get-AzKeyVaultSecret [-VaultName] From Powershell To list key vaults within a subscription run the following command: Get-AzKeyVault To list all secrets in a key vault run the following command: Get-AzKeyVaultSecret -VaultName ' --lock-type -- resource-group --resource-name --resource- type From Powershell Get-AzResourceLock -ResourceName -ResourceType -ResourceGroupName -Locktype ", + "AuditProcedure": "From Azure Portal 1. Navigate to the specific Azure Resource or Resource Group 2. Click on Locks 3. Ensure the lock is defined with name and description, with type Read-only or Delete as appropriate. From Azure CLI Review the list of all locks set currently: az lock list --resource-group --resource-name --namespace --resource-type --parent '' From Powershell Run the following command to list all resources. Get-AzResource For each resource, run the following command to check for Resource Locks. Get-AzResourceLock -ResourceName -ResourceType -ResourceGroupName Review the output of the Properties setting. Compliant settings will have the CanNotDelete or ReadOnly value.", + "AdditionalInformation": "", + "DefaultValue": "By default, no locks are set.", + "References": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks:https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-4-limit-access-to-asset-management" + } + ] + } + ] +} diff --git a/prowler/compliance/azure/cis_2.1_azure.json b/prowler/compliance/azure/cis_2.1_azure.json new file mode 100644 index 0000000000..bdd41c8730 --- /dev/null 
+++ b/prowler/compliance/azure/cis_2.1_azure.json 
@@ -0,0 +1,3278 @@ +{ + "Framework": "CIS", + "Version": "2.1", + "Provider": "AZURE", + "Description": "The CIS Azure Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Azure with an emphasis on foundational, testable, and architecture agnostic settings.", + "Requirements": [ + { + "Id": "1.3", + "Description": "Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'", + "Checks": [ + "entra_policy_ensure_default_user_cannot_create_tenants" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Require administrators or appropriately delegated users to create new tenants.", + "RationaleStatement": "It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that only authorized users are able to do so.", + "ImpactStatement": "Enforcing this setting will ensure that only authorized users are able to create new tenants.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Select `User settings` 1. Set `Restrict non-admin users from creating tenants ` to `Yes` **From PowerShell** ``` Import-Module Microsoft.Graph.Identity.SignIns Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' Select-MgProfile -Name beta $params = @{ DefaultUserRolePermissions = @{ AllowedToCreateTenants = $false } } Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId -BodyParameter $params ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Select `User settings` 1. 
Ensure that `Restrict non-admin users from creating tenants` is set to `Yes` **From PowerShell** ``` Import-Module Microsoft.Graph.Identity.SignIns Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-List ``` Review the DefaultUserRolePermissions section of the output. Ensure that `AllowedToCreateTenants` is not `True`.", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions:https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator:https://blog.admindroid.com/disable-users-creating-new-azure-ad-tenants-in-microsoft-365/" + } + ] + }, + { + "Id": "1.4", + "Description": "Ensure Guest Users Are Reviewed on a Regular Basis", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Microsoft Entra ID is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. 
Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed.", + "RationaleStatement": "Guest users in the Microsoft Entra ID are generally required for collaboration purposes in Office 365, and may also be required for Azure functions in enterprises with multiple Azure tenants. Guest users are typically added outside your employee on-boarding/off-boarding process and could potentially be overlooked indefinitely, leading to a potential vulnerability. To prevent this, guest users should be reviewed on a regular basis. During this audit, guest users should also be determined to not have administrative privileges.", + "ImpactStatement": "Before removing guest users, determine their use and scope. Like removing any user, there may be unforeseen consequences to systems if it is deleted.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Click on `Add filter` 1. Select `User type` 1. Select `Guest` from the Value dropdown 1. Click `Apply` 1. Delete all `Guest` users that are no longer required or are inactive **From Azure CLI** Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems. ``` az ad user update --id --account-enabled {false} ``` After determining that there are no dependent systems delete the user. ``` Remove-AzureADUser -ObjectId ``` **From Azure PowerShell** Before deleting the user, set it to inactive using the ID from the Audit Procedure to determine if there are any dependent systems. ``` Set-AzureADUser -ObjectId -AccountEnabled false ``` After determining that there are no dependent systems delete the user. ``` PS C:\\>Remove-AzureADUser -ObjectId ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Click on `Add filter` 1. 
Select `User type` 1. Select `Guest` from the Value dropdown 1. Click `Apply` 1. Audit the listed guest users **From Azure CLI** ``` az ad user list --query [?userType=='Guest'] ``` Ensure all users listed are still required and not inactive. **From Azure PowerShell** ``` Get-AzureADUser |Where-Object {$_.UserType -like Guest} |Select-Object DisplayName, UserPrincipalName, UserType -Unique ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [e9ac8f8e-ce22-4355-8f04-99b911d6be52](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) **- Name:** 'Guest accounts with read permissions on Azure resources should be removed' - **Policy ID:** [94e1c2ac-cbbe-4cac-a2b5-389c812dee87](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) **- Name:** 'Guest accounts with write permissions on Azure resources should be removed' - **Policy ID:** [339353f6-2387-4a45-abe4-7f529d121046](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) **- Name:** 'Guest accounts with owner permissions on Azure resources should be removed'", + "AdditionalInformation": "It is good practice to use a dynamic security group to manage guest users. To create the dynamic security group: 1. Navigate to the 'Microsoft Entra ID' blade in the Azure Portal 2. Select the 'Groups' item 3. Create new 4. Type of 'dynamic' 5. 
Use the following dynamic selection rule. (user.userType -eq Guest) 6. Once the group has been created, select access reviews option and create a new access review with a period of monthly and send to relevant administrators for review.", + "DefaultValue": "By default no guest users are created.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/b2b/user-properties:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-4-review-and-reconcile-user-access-regularly:https://www.microsoft.com/en-us/security/business/identity-access-management/azure-ad-pricing:https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-restore" + } + ] + }, + { + "Id": "1.5", + "Description": "Ensure That 'Number of methods required to reset' is set to '2'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensures that two alternate forms of identification are provided before allowing a password reset.", + "RationaleStatement": "A Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.", + "ImpactStatement": "There may be administrative overhead, as users who lose access to their secondary authentication methods will need an administrator with permissions to remove it. 
There will also need to be organization-wide security policies and training to teach administrators to verify the identity of the requesting user so that social engineering can not render this setting useless.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Users` 1. Select `Password reset` 1. Then `Authentication methods` 1. Set the `Number of methods required to reset` to `2`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Users` 1. Select `Password reset` 1. Then `Authentication methods` 1. Ensure that `Number of methods required to reset` is set to `2`", + "AdditionalInformation": "", + "DefaultValue": "By default, the `Number of methods required to reset` is set to 2.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-6-use-strong-authentication-controls:https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-faq#password-reset-registration:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods" + } + ] + }, + { + "Id": "1.6", + "Description": "Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. 
This is not applied to user accounts that are synced from an on-premise Active Directory unless Microsoft Entra ID Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.", + "RationaleStatement": "Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.", + "ImpactStatement": "Increasing needed password complexity might increase overhead on administration of user accounts. Licensing requirement for Global Banned Password List and Custom Banned Password list requires Microsoft Entra ID P1 or P2. On-premises Active Directory Domain Services users that are not synchronized to Microsoft Entra ID also benefit from Microsoft Entra ID Password Protection based on existing licensing for synchronized users.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Security`. 1. Under `Manage`, select `Authentication Methods`. 1. Select `Password Protection`. 1. Set the `Enforce custom list` option to `Yes`. 1. Double click the custom banned password list to add a string.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID`. 1. Select 'Security'. 1. Under `Manage`, select `Authentication Methods`. 1. Select `Password Protection`. 1. Ensure `Enforce custom list` is set to `Yes`. 1. Scroll through the list to view the enforced passwords.", + "AdditionalInformation": "", + "DefaultValue": "By default the custom bad password list is not 'Enabled'. 
Organizational-specific terms can be added to the custom banned password list, such as the following examples: - Brand names - Product names - Locations, such as company headquarters - Company-specific internal terms - Abbreviations that have specific company meaning - Months and weekdays with your company's local languages The default Azure bad password policy is already applied to your resources which applies the following basic requirements: **Characters allowed:** - Uppercase characters (A - Z) - Lowercase characters (a - z) - Numbers (0 - 9) - Symbols: - @ # $ % ^ & * - _ ! + = [ ] { } | \\ : ' , . ? / ` ~ ( ) ; < > - blank space **Characters not allowed:** - Unicode characters - Password length Passwords require - A minimum of eight characters - A maximum of 256 characters **Password complexity:** Passwords require three out of four of the following categories: - Uppercase characters - Lowercase characters - Numbers - Symbols Note: Password complexity check isn't required for Education tenants. **Password not recently used:** - When a user changes or resets their password, the new password can't be the same as the current or recently used passwords. - Password isn't banned by Entra ID Password Protection. 
- The password can't be on the global list of banned passwords for Azure AD Password Protection, or on the customizable list of banned passwords specific to your organization.", + "References": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad-combined-policy:https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad:https://docs.microsoft.com/en-us/powershell/module/Azuread/:https://www.microsoft.com/en-us/research/publication/password-guidance/:https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-6-use-strong-authentication-controls" + } + ] + }, + { + "Id": "1.7", + "Description": "Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.", + "RationaleStatement": "This setting is necessary if you have setup 'Require users to register when signing in option'. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.", + "ImpactStatement": "Users will be prompted for their multifactor authentication at the duration set here.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Users` 1. Select `Password reset` 1. Then `Registration` 1. 
Set the `Number of days before users are asked to re-confirm their authentication information` to your organization-defined frequency.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Users` 1. Select `Password reset` 1. Then `Registration` 1. Ensure that `Number of days before users are asked to re-confirm their authentication information` is not set to `0`", + "AdditionalInformation": "", + "DefaultValue": "By default, the `Number of days before users are asked to re-confirm their authentication information` is set to 180 days.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#registration:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods" + } + ] + }, + { + "Id": "1.8", + "Description": "Ensure that 'Notify users on password resets?' is set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensure that users are notified on their primary and secondary emails on password resets.", + "RationaleStatement": "User notification on password reset is a proactive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.", + "ImpactStatement": "Users will receive emails alerting them to password changes to both their primary and secondary emails.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Select `Password reset` 1. Under Manage, select `Notifications` 1. 
Set `Notify users on password resets?` to `Yes`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Go to `Password reset` 1. Under Manage, select `Notifications` 1. Ensure that `Notify users on password resets?` is set to `Yes`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Notify users on password resets?` is set to Yes.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations:https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "1.9", + "Description": "Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Ensure that all Global Administrators are notified if any other administrator resets their password.", + "RationaleStatement": "Global Administrator accounts are sensitive. Any password reset activity notification, when sent to all Global Administrators, ensures that all Global administrators can passively confirm if such a reset is a common pattern within their group. For example, if all Global Administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.", + "ImpactStatement": "All Global Administrators will receive a notification from Azure every time a password is reset. 
This is useful for auditing procedures to confirm that there are no out of the ordinary password resets for Global Administrators. There is additional overhead, however, in the time required for Global Administrators to audit the notifications. This setting is only useful if all Global Administrators pay attention to the notifications, and audit each one.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Select `Password reset` 1. Under Manage, select `Notifications` 1. Set `Notify all admins when other admins reset their password?` to `Yes`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Select `Password reset` 1. Under Manage, select `Notifications` 1. Ensure that `notify all admins when other admins reset their password?` is set to `Yes`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Notify all admins when other admins reset their password?` is set to No.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications:https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations" + } + ] + }, + { + "Id": "1.10", + "Description": "Ensure `User consent for applications` is set to `Do not allow user consent`", + "Checks": [ + "entra_policy_restricts_user_consent_for_apps" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + 
"Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Require administrators to provide consent for applications before use.", + "RationaleStatement": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.", + "ImpactStatement": "Enforcing this setting may create additional requests that administrators need to review.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Enterprise Applications` 1. Select `Consent and permissions` 1. Select `User consent settings` 1. Set `User consent for applications` to `Do not allow user consent` 1. Click save", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Enterprise Applications` 1. Select `Consent and permissions` 1. Select `User consent settings` 1. 
Ensure `User consent for applications` is set to `Do not allow user consent` **From PowerShell** ``` Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled ``` Command should return `UsersPermissionToUserConsentToAppEnabled` with the value of `False`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Users consent for applications` is set to `Allow user consent for apps`.", + "References": "https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "1.11", + "Description": "Ensure ‘User consent for applications’ Is Set To ‘Allow for Verified Publishers’", + "Checks": [ + "entra_policy_user_consent_for_verified_apps" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Allow users to provide consent for selected permissions when a request is coming from a verified publisher.", + "RationaleStatement": "If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. 
Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.", + "ImpactStatement": "Enforcing this setting may create additional requests that administrators need to review.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Enterprise Applications` 1. Select `Consent and permissions` 1. Select `User consent settings` 1. Under `User consent for applications`, select `Allow user consent for apps from verified publishers, for selected permissions` 1. Select `Save` **From PowerShell** ``` Connect-MsolService Set-MsolCompanyInformation --UsersPermissionToUserConsentToAppEnabled $False ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Enterprise Applications` 1. Select `Consent and permissions` 1. Select `User consent settings` 1. Under `User consent for applications`, ensure `Allow user consent for apps from verified publishers, for selected permissions` is selected **From PowerShell** ``` Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToUserConsentToAppEnabled ``` Command should return `UsersPermissionToUserConsentToAppEnabled` with the value of `False`", + "AdditionalInformation": "", + "DefaultValue": "By default, `User consent for applications` is set to `Allow user consent for apps`.", + "References": 
"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0:https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolcompanyinformation?view=azureadps-1.0" + } + ] + }, + { + "Id": "1.12", + "Description": "Ensure that 'Users can add gallery apps to My Apps' is set to 'No'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Require administrators to provide consent for the apps before use.", + "RationaleStatement": "Unless Microsoft Entra ID is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.", + "ImpactStatement": "Can cause additional requests to administrators that need to be fulfilled quite often.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Enterprise applications` 1. Select `User settings` 1. Set `Users can add gallery apps to My Apps` to `No`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. 
Then `Enterprise applications` 1. Select `User settings` 1. Ensure that `Users can add gallery apps to My Apps` is set to `No`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Users can add gallery apps to My Apps` is set to `No`.", + "References": "https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/:https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users" + } + ] + }, + { + "Id": "1.13", + "Description": "Ensure That ‘Users Can Register Applications’ Is Set to ‘No’", + "Checks": [ + "entra_policy_ensure_default_user_cannot_create_apps" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Require administrators or appropriately delegated users to register third-party applications.", + "RationaleStatement": "It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Microsoft Entra ID data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.", + "ImpactStatement": "Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator. 
If permissions are delegated, a user may approve a malevolent third party application, potentially giving it access to your data.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Select `User settings` 1. Set `Users can register applications` to `No` **From PowerShell** ``` Connect-MsolService Set-MsolCompanyInformation -UsersPermissionToCreateLOBAppsEnabled $False ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Select `User settings` 1. Ensure that `Users can register applications` is set to `No` **From PowerShell** ``` Connect-MsolService Get-MsolCompanyInformation | Select-Object UsersPermissionToCreateLOBAppsEnabled ``` Command should return `UsersPermissionToCreateLOBAppsEnabled` with the value of `False`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Users can register applications` is set to Yes.", + "References": 
"https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications:https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/:https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx:https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolcompanyinformation?view=azureadps-1.0:https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0" + } + ] + }, + { + "Id": "1.14", + "Description": "Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'", + "Checks": [ + "entra_policy_guest_users_access_restrictions" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Limit guest user permissions.", + "RationaleStatement": "Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction. 1. Guest users have the same access as members (most inclusive), 2. Guest users have limited access to properties and memberships of directory objects (default value), 3. 
Guest user access is restricted to properties and memberships of their own directory objects (most restrictive). The recommended option is the 3rd, most restrictive: Guest user access is restricted to their own directory object.", + "ImpactStatement": "This may create additional requests for permissions to access resources that administrators will need to approve. According to https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions#services-currently-not-supported Service without current support might have compatibility issues with the new guest restriction setting. - Forms - Project - Yammer - Planner in SharePoint", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `External Identities` 1. Select `External collaboration settings` 1. Under `Guest user access`, change `Guest user access restrictions` to be `Guest user access is restricted to properties and memberships of their own directory objects` **From PowerShell** 1. From a PowerShell session enter ``Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'`` 1. Check that the setting was applied by entering ``Get-AzureADMSAuthorizationPolicy`` 1. Make certain that the GuestUserRoleId is equal to the earlier entered value of 2af84b1e-32c8-42b7-82bc-daa82404023b.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `External Identities` 1. Select `External collaboration settings` 1. Under `Guest user access`, ensure that `Guest user access restrictions ` is set to `Guest user access is restricted to properties and memberships of their own directory objects` **From PowerShell** 1. 
Enter the following ``Get-AzureADMSAuthorizationPolicy`` Which will give a result like: ``` Id : authorizationPolicy OdataType : Description : Used to manage authorization related settings across the company. DisplayName : Authorization Policy EnabledPreviewFeatures : {} GuestUserRoleId : 10dae51f-b6af-4016-8d66-8c2a99b929b3 PermissionGrantPolicyIdsAssignedToDefaultUserRole : {user-default-legacy} ``` If the GuestUserRoleID property does not equal `2af84b1e-32c8-42b7-82bc-daa82404023b` then it is not set to most restrictive.", + "AdditionalInformation": "", + "DefaultValue": "By default, `Guest user access restrictions` is set to `Guest users have limited access to properties and memberships of directory objects`.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions" + } + ] + }, + { + "Id": "1.15", + "Description": "Ensure that 'Guest invite restrictions' is set to Only users assigned to specific admin roles can invite guest users", + "Checks": [ + "entra_policy_guest_invite_only_for_admin_roles" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict invitations to users with specific administrative roles only.", + "RationaleStatement": "Restricting invitations to users with specific administrator roles ensures that only authorized 
accounts have access to cloud resources. This helps to maintain Need to Know permissions and prevents inadvertent access to data. By default the setting `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.", + "ImpactStatement": "With the option of `Only users assigned to specific admin roles can invite guest users` selected, users with specific admin roles will be in charge of sending invitations to the external users, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `External Identities` 1. Select `External collaboration settings` 1. Under `Guest invite settings`, for `Guest invite restrictions`, ensure that `Only users assigned to specific admin roles can invite guest users` is selected", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `External Identities` 1. `External collaboration settings` 1. 
Under `Guest invite settings`, for `Guest invite restrictions`, ensure that that `Only users assigned to specific admin roles can invite guest users` is selected Note: This setting has 4 levels of restriction, which include: - Anyone in the organization can invite guest users including guests and non-admins (most inclusive), - Member users and users assigned to specific admin roles can invite guest users including guests with member permissions, - Only users assigned to specific admin roles can invite guest users, - No one in the organization can invite guest users including admins (most restrictive).", + "AdditionalInformation": "", + "DefaultValue": "By default, `Guest invite restrictions` is set to `Anyone in the organization can invite guest users including guests and non-admins`", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements" + } + ] + }, + { + "Id": "1.16", + "Description": "Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Restrict access to the Microsoft Entra ID administration center to administrators only. **NOTE**: This only affects access to the Entra ID administrator's web portal. 
This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Microsoft Entra ID.", + "RationaleStatement": "The Microsoft Entra ID administrative center has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Microsoft Entra ID data in the administration center to avoid exposure.", + "ImpactStatement": "All administrative tasks will need to be done by Administrators, causing additional overhead in management of users and resources.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Users` 1. Select `User settings` 1. Set `Restrict access to Microsoft Entra admin center` to `Yes`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Users` 1. Select `User settings` 1. Ensure that `Restrict access to Microsoft Entra admin center` is set to `Yes`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Restrict access to Microsoft Entra admin center` is set to `No`", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users" + } + ] + }, + { + "Id": "1.17", + "Description": "Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + 
"Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict access to group web interface in the Access Panel portal.", + "RationaleStatement": "Self-service group management enables users to create and manage security groups or Office 365 groups in Microsoft Entra ID. Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled. Any user can access the Access Panel, where they can reset their passwords, view their information, etc. By default, users are also allowed to access the Group feature, which shows groups, members, related resources (SharePoint URL, Group email address, Yammer URL, and Teams URL). By setting this feature to 'Yes', users will no longer have access to the web interface, but still have access to the data using the API. This is useful to prevent non-technical users from enumerating groups-related information, but technical users will still be able to access this information using APIs.", + "ImpactStatement": "Setting to `Yes` could create administrative overhead by customers seeking certain group memberships that will have to be manually managed by administrators with appropriate permissions.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Groups` 1. Select `General` under `Settings` 1. Ensure that `Restrict user ability to access groups features in My Groups` is set to `Yes`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Groups` 1. Select `General` under `Settings` 1. 
Ensure that `Restrict user ability to access groups features in My Groups` is set to `Yes`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Restrict user ability to access groups features in the Access Pane` is set to `No`", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "1.18", + "Description": "Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'", + "Checks": [ + "entra_policy_default_users_cannot_create_security_groups" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict security group creation to administrators only.", + "RationaleStatement": "When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.", + "ImpactStatement": "Enabling this setting could create a number of requests that would need to be managed by an administrator.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Groups` 1. 
Select `General` under `Settings` 1. Set `Users can create security groups in Azure portals, API or PowerShell` to `No`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Groups` 1. Select `General` under `Settings` 1. Ensure that `Users can create security groups in Azure portals, API or PowerShell` is set to `No`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Users can create security groups in Azure portals, API or PowerShell` is set to `Yes`", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements" + } + ] + }, + { + "Id": "1.19", + "Description": "Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict security group management to administrators only.", + "RationaleStatement": "Restricting security group management to administrators only prohibits users from making changes to security groups. 
This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.", + "ImpactStatement": "Group Membership for user accounts will need to be handled by Admins and cause administrative overhead.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Groups` 1. Select `General` in settings 1. Set `Owners can manage group membership requests in the Access Panel` to `No`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Groups` 1. Select `General` in settings 4. Ensure that `Owners can manage group membership requests in the Access Panel` is set to `No`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Owners can manage group membership requests in the Access Panel` is set to `No`.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-8-determine-access-process-for-cloud-provider-support:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "1.20", + "Description": "Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'", + 
"Checks": [ + "entra_users_cannot_create_microsoft_365_groups" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Restrict Microsoft 365 group creation to administrators only.", + "RationaleStatement": "Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.", + "ImpactStatement": "Enabling this setting could create a number of requests that would need to be managed by an administrator.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Groups` 1. Select `General` in settings 1. Set `Users can create Microsoft 365 groups in Azure portals, API or PowerShell` to `No`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Then `Groups` 1. Select `General` in setting 1. 
Ensure that `Users can create Microsoft 365 groups in Azure portals, API or PowerShell` is set to `No`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Users can create Microsoft 365 groups in Azure portals, API or PowerShell` is set to `Yes`.", + "References": "https://whitepages.unlimitedviz.com/2017/01/disable-office-365-groups-2/:https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements" + } + ] + }, + { + "Id": "1.21", + "Description": "Ensure that 'Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID' is set to 'Yes'", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Joining or registering devices to Microsoft Entra ID should require Multi-factor authentication.", + "RationaleStatement": "Multi-factor authentication is recommended when adding devices to Microsoft Entra ID. When set to `Yes`, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. 
_Note:_ Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain.", + "ImpactStatement": "A slight impact of additional overhead, as Administrators will now have to approve every access to the domain.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Devices` 1. Select `Device settings` 1. Set `Require Multi-Factor Authentication to register or join devices with Microsoft Entra` to `Yes`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Devices` 1. Select `Device settings` 1. Ensure that `Require Multi-Factor Authentication to register or join devices with Microsoft Entra` is set to `Yes`", + "AdditionalInformation": "", + "DefaultValue": "By default, `Require Multi-Factor Authentication to register or join devices with Microsoft Entra` is set to `No`.", + "References": "https://blogs.technet.microsoft.com/janketil/2016/02/29/azure-mfa-for-enrollment-in-intune-and-azure-ad-device-registration-explained/:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-6-use-strong-authentication-controls" + } + ] + }, + { + "Id": "1.22", + "Description": "Ensure That No Custom Subscription Administrator Roles Exist", + "Checks": [ + "iam_subscription_roles_owner_custom_not_created" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.", + "RationaleStatement": "Classic subscription admin roles offer basic access 
management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.", + "ImpactStatement": "Subscriptions will need to be handled by Administrators with permissions.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 1. Select `Subscriptions`. 1. Select `Access control (IAM)`. 1. Select `Roles`. 1. Click `Type` and select `CustomRole` from the drop down menu. 1. Check the box next to each role which grants subscription administrator privileges. 1. Select `Remove`. 1. Select `Yes`. **From Azure CLI** List custom roles: ``` az role definition list --custom-role-only True ``` Check for entries with `assignableScope` of the `subscription`, and an action of `*`. To remove a violating role: ``` az role definition delete --name ``` Note that any role assignments must be removed before a custom role can be deleted. Ensure impact is assessed before deleting a custom role granting subscription administrator privileges.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 1. Select `Subscriptions`. 1. Select `Access control (IAM)`. 1. Select `Roles`. 1. Click `Type` and select `CustomRole` from the drop down menu. 1. Select `View` next to a role. 1. Select `JSON`. 1. Check for `assignableScopes` set to the subscription, and `actions` set to `*`. 1. Repeat steps 6-8 for each custom role. **From Azure CLI** List custom roles: ``` az role definition list --custom-role-only True ``` Check for entries with `assignableScope` of the `subscription`, and an action of `*` **From PowerShell** ``` Connect-AzAccount Get-AzRoleDefinition |Where-Object {($_.IsCustom -eq $true) -and ($_.Actions.contains('*'))} ``` Check the output for `AssignableScopes` value set to the subscription. 
**From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [a451c1ef-c6ca-483d-87ed-f49761e3ffb5](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) **- Name:** 'Audit usage of custom RBAC roles'", + "AdditionalInformation": "", + "DefaultValue": "By default, no custom owner roles are created.", + "References": "https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle" + } + ] + }, + { + "Id": "1.23", + "Description": "Ensure a Custom Role is Assigned Permissions for Administering Resource Locks", + "Checks": [ + "iam_custom_role_has_permissions_to_administer_resource_locks" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Resource locking is a powerful protection mechanism that can prevent inadvertent 
modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.", + "RationaleStatement": "Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.", + "ImpactStatement": "By adding this role, specific permissions may be granted for managing just resource locks rather than needing to provide the wide Owner or User Access Administrator role, reducing the risk of the user being able to do unintentional damage.", + "RemediationProcedure": "**From Azure Portal** 1. In the Azure portal, open a subscription or resource group where you want the custom role to be assigned. 2. `Select Access control (IAM)`. 3. Click `Add`. 4. Select `Add custom role`. 5. In the `Custom Role Name` field enter `Resource Lock Administrator`. 6. In the Description field enter `Can Administer Resource Locks`. 7. For Baseline permissions select `Start from scratch` 8. Select `next`. 9. In the Permissions tab select `Add permissions`. 10. In the Search for a permission box, type in `Microsoft.Authorization/locks` to search for permissions. 11. Select the check box next to the permission `Microsoft.Authorization/locks`. 12. Select `Add`. 13. Select `Review + create`. 14. Select `Create`. 15. Assign the newly created role to the appropriate user. 
**From PowerShell:** Below is a power shell definition for a resource lock administrator role created at an Azure Management group level ``` Import-Module Az.Accounts Connect-AzAccount $role = Get-AzRoleDefinition User Access Administrator $role.Id = $null $role.Name = Resource Lock Administrator $role.Description = Can Administer Resource Locks $role.Actions.Clear() $role.Actions.Add(Microsoft.Authorization/locks/*) $role.AssignableScopes.Clear() * Scope at the Management group level Management group $role.AssignableScopes.Add(/providers/Microsoft.Management/managementGroups/MG-Name) New-AzRoleDefinition -Role $role Get-AzureRmRoleDefinition Resource Lock Administrator ```", + "AuditProcedure": "**From Azure Portal** 1. In the Azure portal, open a subscription or resource group where you want to view assigned roles. 2. Select `Access control (IAM)` 3. Select `Roles` 4. Search for the custom role named Ex. from remediation `Resource Lock Administrator` 5. Ensure that the role is assigned to the appropriate users.", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles:https://docs.microsoft.com/en-us/azure/role-based-access-control/check-access:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy" + 
} + ] + }, + { + "Id": "1.24", + "Description": "Ensure That `Subscription leaving Microsoft Entra ID directory` and `Subscription entering Microsoft Entra ID directory` Is Set To ‘Permit No One’", + "Checks": [], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Microsoft Entra ID.", + "RationaleStatement": "Permissions to move subscriptions in and out of Microsoft Entra ID directory must only be given to appropriate administrative personnel. A subscription that is moved into an Microsoft Entra ID directory may be within a folder to which other users have elevated permissions. This prevents loss of data or unapproved changes of the objects within by potential bad actors.", + "ImpactStatement": "Subscriptions will need to have these settings turned off to be moved.", + "RemediationProcedure": "**From Azure Portal** 1. From the Azure Portal Home select the portal menu 1. Select `Subscriptions` 1. In the `Advanced options` drop-down menu, select `Manage Policies` 1. Under `Subscription leaving Microsoft Entra ID directory` and `Subscription entering Microsoft Entra ID directory` select `Permit no one`", + "AuditProcedure": "**From Azure Portal** 1. From the Azure Portal Home select the portal menu 1. Select `Subscriptions` 1. In the `Advanced options` drop-down menu, select `Manage Policies` 1. 
Ensure `Subscription leaving Microsoft Entra ID directory` and `Subscription entering Microsoft Entra ID directory` are set to `Permit no one`", + "AdditionalInformation": "", + "DefaultValue": "By default `Subscription leaving Microsoft Entra ID directory` and `Subscription entering Microsoft Entra ID directory` are set to `Allow everyone (default)`", + "References": "https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-2-protect-identity-and-authentication-systems" + } + ] + }, + { + "Id": "1.25", + "Description": "Ensure fewer than 5 users have global administrator assignment", + "Checks": [ + "entra_global_admin_in_less_than_five_users" + ], + "Attributes": [ + { + "Section": "1.Identity and Access Management", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "This recommendation aims to maintain a balance between security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy, while limiting the number to four reduces the risk of excessive privileged access.", + "RationaleStatement": "The Global Administrator role has extensive privileges across all services in Microsoft Entra ID. The Global Administrator role should never be used in regular daily activities; administrators should have a regular user account for daily activities, and a separate account for administrative responsibilities. Limiting the number of Global Administrators helps mitigate the risk of unauthorized access, reduces the potential impact of human error, and aligns with the principle of least privilege to reduce the attack surface of an Azure tenant. 
Conversely, having at least two Global Administrators ensures that administrative functions can be performed without interruption in case of unavailability of a single admin.", + "ImpactStatement": "Implementing this recommendation may require changes in administrative workflows or the redistribution of roles and responsibilities. Adequate training and awareness should be provided to all Global Administrators.", + "RemediationProcedure": "If more 4 users are assigned: 1. Remove Global Administrator role for users which do not or no longer require the role. 2. Assign Global Administrator role via PIM which can be activated when required. 3. Assign more granular roles to users to conduct their duties. If only one user is assigned: 1. Provide the Global Administrator role to a trusted user or create a break glass admin account.", + "AuditProcedure": "1. From Azure Home select the Portal Menu 2. Select `Microsoft Entra ID` 3. Select `Roles and Administrators` 4. Select `Global Administrator` 5. Ensure less than 5 users are actively assigned the role. 6. 
Ensure that at least 2 users are actively assigned the role.", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5:https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide#security-guidelines-for-assigning-roles:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users" + } + ] + }, + { + "Id": "1.1.1", + "Description": "Ensure Security Defaults is enabled on Microsoft Entra ID", + "Checks": [ + "entra_security_defaults_enabled" + ], + "Attributes": [ + { + "Section": "1.1 Security Defaults Security Defaults", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Security defaults in Microsoft Entra ID make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.", + "RationaleStatement": "Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, doing the following: - Requiring all users and admins to register for MFA. - Challenging users with MFA - when necessary, based on factors such as location, device, role, and task. 
- Disabling authentication from legacy authentication clients, which can’t do MFA.", + "ImpactStatement": "This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Microsoft Entra ID may impact other Microsoft services such as Microsoft 365.", + "RemediationProcedure": "**From Azure Portal** To enable security defaults in your directory: 1. From Azure Home select the Portal Menu. 1. Browse to `Microsoft Entra ID` > `Properties` 1. Select `Manage security defaults` 1. Set the `Enable security defaults` to `Enabled` 1. Select `Save`", + "AuditProcedure": "**From Azure Portal** To ensure security defaults is enabled in your directory: 1. From Azure Home select the Portal Menu. 2. Browse to `Microsoft Entra ID` > `Properties`. 3. Select `Manage security defaults`. 4. Verify the `Enable security defaults` toggle is `Enabled`.", + "AdditionalInformation": "This recommendation differs from the [Microsoft 365 Benchmark](https://workbench.cisecurity.org/benchmarks/5741). This is because the potential impact associated with disabling Security Defaults is dependent upon the security settings implemented in the environment. 
It is recommended that organizations disabling Security Defaults implement appropriate security settings to replace the settings configured by Security Defaults.", + "DefaultValue": "If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults:https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-2-protect-identity-and-authentication-systems" + } + ] + }, + { + "Id": "1.1.2", + "Description": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users", + "Checks": [ + "entra_privileged_user_has_mfa" + ], + "Attributes": [ + { + "Section": "1.1 Security Defaults Security Defaults", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. These include custom created objects or built-in roles such as; - Service Co-Administrators - Subscription Owners - Contributors", + "RationaleStatement": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", + "ImpactStatement": "Users would require two forms of authentication before any access is granted. 
Additional administrative time will be required for managing dual forms of authentication when enabling multi-factor authentication.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` blade 1. Select `Users` 1. Take note of all users with the role `Service Co-Administrators`, `Owners` or `Contributors` 1. Click on the `Per-User MFA button` in the top row menu 1. Check the box next to each noted user 1. Click `Enable` under quick steps in the right-hand panel 1. Click `enable multi-factor auth` 1. Click `close` **Other Options within Azure Portal** Follow Microsoft Azure documentation and enable multi-factor authentication in your environment. [https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa](https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa) Enabling and configuring MFA with conditional access policy is a multi-step process. Here are some additional resources on the process within Entra ID to enable multi-factor authentication for users within your subscriptions with conditional access policy. [https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa) [https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access) [https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings)", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. 
Select the `Microsoft Entra ID` blade 1. Select `Users` 1. Take note of all users with the role `Service Co-Administrators`, `Owners` or `Contributors` 1. Click on the `Per-User MFA` button in the top row menu 1. Ensure that `MULTI-FACTOR AUTH STATUS` is `Enabled` for all noted users **From REST API** For Every Subscription, For Every Tenant **Step 1:** Identify Users with Administrative Access 1. List All Users Using Microsoft Graph API: ``` GET https://graph.microsoft.com/v1.0/users ``` Capture `id` and corresponding `userPrincipalName` ('$uid', '$userPrincipalName') 2. List all Role Definitions Using Azure management API: ``` https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleDefinitions?api-version=2017-05-01 ``` Capture Role Definition IDs/Name ('$name') and role names ('$properties/roleName') where properties/roleName contains (`Owner` or `*contributor` or `admin` ) 3. List All Role Assignments (Mappings `$A.uid` to `$B.name`) Using Azure Management API: ``` GET https://management.azure.com/subscriptions/:subscriptionId/providers/Microsoft.Authorization/roleassignments?api-version=2017-10-01-preview ``` Find all administrative roles (`$B.name`) in `Properties/roleDefinitionId` mapped with user ids (`$A.id`) in `Properties/principalId` where `Properties/principalType == User` 4. Now Match (`$CProperties/principalId`) with `$A.uid` and get `$A.userPrincipalName` save this as `D.userPrincipalName` **Step 2:** Run MSOL PowerShell command: ``` Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName ``` If the output contains any of the `$D.userPrincipalName`, then this recommendation is non-compliant. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [e3e008c3-56b9-4133-8fd7-d3347377402a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) **- Name:** 'Accounts with owner permissions on Azure resources should be MFA enabled' - **Policy ID:** [931e118d-50a1-4457-a5e4-78550e086c52](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) **- Name:** 'Accounts with write permissions on Azure resources should be MFA enabled'", + "AdditionalInformation": "*Please note that at the time of writing, there is no API, Azure CLI or Powershell mechanism available to programmatically conduct security assessment or remediation for this recommendation. 
The only option is MSOL.*", + "DefaultValue": "By default, multi-factor authentication is disabled for all users.", + "References": "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication:https://stackoverflow.com/questions/41156206/azure-active-directory-premium-mfa-attributes-via-graph-api:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-4-authenticate-server-and-services" + } + ] + }, + { + "Id": "1.1.3", + "Description": "Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users", + "Checks": [ + "entra_non_privileged_user_has_mfa" + ], + "Attributes": [ + { + "Section": "1.1 Security Defaults", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable multi-factor authentication for all non-privileged users.", + "RationaleStatement": "Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.", + "ImpactStatement": "Users would require two forms of authentication before any access is granted. Also, this requires an overhead for managing dual forms of authentication.", + "RemediationProcedure": "Follow Microsoft Azure documentation and enable multi-factor authentication in your environment. [https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa](https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa) Enabling and configuring MFA is a multi-step process. 
Here are some additional resources on the process within Microsoft Entra ID: [https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa](https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa) [https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted#enable-multi-factor-authentication-with-conditional-access) [https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings)", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 2. Select the `Microsoft Entra ID` blade 3. Select `Users` 4. Take note of all users with the role `Service Co-Administrators`, `Owners` or `Contributors` 5. Click on the `Per-User MFA button` in the top row menu 6. Check the box next to each noted user 7. Click `Enable` under quick steps in the right-hand panel 8. Click `enable multi-factor auth` 9. Click `close` **From REST API** For Every Subscription, For Every Tenant **Step 1:** Identify Users with non-administrative Access 1. List All Users Using Microsoft Graph API: ``` GET https://graph.microsoft.com/v1.0/users ``` Capture `id` and corresponding `userPrincipalName` (`$uid`, `$userPrincipalName`) 2. List all Role Definitions Using Azure management API: ``` https://management.azure.com/subscriptions//providers/Microsoft.Authorization/roleDefinitions?api-version=2017-05-01 ``` Capture Role Definition IDs/Name (`$name`) and role names (`$properties/roleName`) where `properties/roleName` does NOT contain (`Owner` or `*contributor` or `admin` ) 3. 
List All Role Assignments (Mappings `$A.uid` to `$B.name`) Using Azure Management API: ``` GET https://management.azure.com/subscriptions//providers/Microsoft.Authorization/roleassignments?api-version=2017-10-01-preview ``` Find all non-administrative roles (`$B.name`) in `Properties/roleDefinationId` mapped with user ids (`$A.id`) in `Properties/principalId` where `Properties/principalType == User` D> Now Match (`$CProperties/principalId`) with `$A.uid` and get `$A.userPrincipalName` save this as `D.userPrincipleName` **Step 2:** Run MSOL PowerShell command: ``` Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName ``` If the output contains any of the `$D.userPrincipleName`, then this recommendation is non-compliant. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) **- Name:** 'Accounts with read permissions on Azure resources should be MFA enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, multi-factor authentication is disabled for all users.", + "References": "https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication:https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-4-authenticate-server-and-services" + } + ] + }, + { + "Id": "1.1.4", + "Description": "Ensure that 'Allow users to remember multi-factor authentication on devices 
they trust' is Disabled", + "Checks": [], + "Attributes": [ + { + "Section": "1.1 Security Defaults", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Do not allow users to remember multi-factor authentication on devices.", + "RationaleStatement": "Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.", + "ImpactStatement": "For every login attempt, the user will be required to perform multi-factor authentication.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Click the `Per-user MFA` button on the top bar 1. Click on `service settings` 1. Uncheck the box next to `Allow users to remember multi-factor authentication on devices they trust`", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Entra ID` 1. Select `Users` 1. Click the `Per-user MFA` button on the top bar 1. Click on `service settings` 1. 
Ensure that `Allow users to remember multi-factor authentication on devices they trust` is not enabled", + "AdditionalInformation": "", + "DefaultValue": "By default, `Allow users to remember multi-factor authentication on devices they trust` is disabled.", + "References": "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#remember-multi-factor-authentication-for-devices-that-users-trust:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-6-use-strong-authentication-controls" + } + ] + }, + { + "Id": "1.2.1", + "Description": "Ensure Trusted Locations Are Defined", + "Checks": [ + "entra_trusted_named_locations_exists" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Microsoft Entra ID Conditional Access allows an organization to configure `Named locations` and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.", + "RationaleStatement": "Defining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. 
Users authenticating from trusted IP addresses and/or ranges may have less access restrictions or access requirements when compared to users that try to authenticate to Microsoft Entra ID from untrusted locations or untrusted source IP addresses/ranges.", + "ImpactStatement": "When configuring `Named locations`, the organization can create locations using Geographical location data or by defining source IP addresses or ranges. Configuring `Named locations` using a Country location does not provide the organization the ability to mark those locations as trusted, and any Conditional Access policy relying on those `Countries location` setting will not be able to use the `All trusted locations` setting within the Conditional Access policy. They instead will have to rely on the `Select locations` setting. This may add additional resource requirements when configuring, and will require thorough organizational testing. In general, Conditional Access policies may completely prevent users from authenticating to Microsoft Entra ID, and thorough testing is recommended. To avoid complete lockout, a 'Break Glass' account with full Global Administrator rights is recommended in the event all other administrators are locked out of authenticating to Microsoft Entra ID. This 'Break Glass' account should be excluded from Conditional Access Policies and should be configured with the longest pass phrase feasible. This account should only be used in the event of an emergency and complete administrator lockout.", + "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Microsoft Entra ID Conditional Access` Blade 1. Click on the `Named locations` blade 1. Within the `Named locations` blade, click on `IP ranges location` 1. Enter a name for this location setting in the `Name` text box 1. Click on the `+` sign 1. Add an IP Address Range in CIDR notation inside the text box that appears 1. Click on the `Add` button 1. 
Repeat steps 5 through 7 for each IP Range that needs to be added 1. If the information entered are trusted ranges, select the `Mark as trusted location` check box 1. Once finished, click on `Create` **From PowerShell** Create a new trusted IP-based Named location policy ``` [System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.IpRange]]$ipRanges = @() $ipRanges.Add() $ipRanges.Add() $ipRanges.Add() New-AzureADMSNamedLocationPolicy -OdataType #microsoft.graph.ipNamedLocation -DisplayName -IsTrusted $true -IpRanges $ipRanges ``` Set an existing IP-based Named location policy to trusted ``` Set-AzureADMSNamedLocationPolicy -PolicyId -OdataType #microsoft.graph.ipNamedLocation -IsTrusted $true ```", + "AuditProcedure": "**From Azure Portal** 1. In the Azure Portal, navigate to `Microsoft Entra ID Conditional Access` 1. Click on `Manage` 1. Click on `Named Locations` Ensure there are `IP ranges location` settings configured and marked as `Trusted` **From PowerShell** ``` Get-AzureADMSNamedLocationPolicy ``` In the output from the above command, for each Named location group, make sure at least one entry contains the `IsTrusted` parameter with a value of `True`. 
Otherwise, if there is no output as a result of the above command or all of the entries contain the `IsTrusted` parameter with an empty value, a `NULL` value, or a value of `False`, the results are out of compliance with this check.", + "AdditionalInformation": "", + "DefaultValue": "By default, no locations are configured under the `Named locations` blade within the Microsoft Entra ID Conditional Access blade.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.2", + "Description": "Ensure that an exclusionary Geographic Access Policy is considered", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "**CAUTION**: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues. Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.", + "RationaleStatement": "Conditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.", + "ImpactStatement": "Microsoft Entra ID P1 or P2 is required. Limiting access geographically will deny access to users that are traveling or working remotely in a different part of the world. 
A point-to-site or site to site tunnel such as a VPN is recommended to address exceptions to geographic access policies.", + "RemediationProcedure": "**From Azure Portal** Part 1 of 2 - Create the policy and enable it in `Report-only` mode. 1. From Azure Home open the portal menu in the top left, and select `Microsoft Entra ID`. 1. Scroll down in the menu on the left, and select `Security`. 1. Select on the left side `Conditional Access`. 1. Click the `+ New policy` button, then: 1. Provide a name for the policy. 1. Under `Assignments`, select `Users or workload identities` then: - Under `Include`, select `All users` - Under `Exclude`, check Users and groups and only select emergency access accounts and service accounts (**NOTE**: Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA) 1. Under `Assignments`, select `Cloud apps or actions` then: - Under `Include`, select `All cloud apps` - Leave `Exclude` blank unless you have a well defined exception 1. Under `Conditions`, select `Locations` then: - Select `Include`, then add entries for locations for those that should be **blocked** - Select `Exclude`, then add entries for those that should be allowed (**IMPORTANT**: Ensure that all Trusted Locations are in the `Exclude` list.) 1. Under `Access Controls`, select `Grant` and Confirm that `Block Access` is selected. 1. Set `Enable policy` to `Report-only`. 1. Click `Create`. **NOTE:** The policy is not yet 'live,' since `Report-only` is being used to audit the effect of the policy. Part 2 of 2 - Confirm that the policy is not blocking access that should be granted, then toggle to `On`. 1. With your policy now in report-only mode, return to the Microsoft Entra blade and click on `Sign-in logs`. 1. 
Review the recent sign-in events - click an event then review the event details (specifically the `Report-only` tab) to ensure: - The sign-in event you're reviewing occurred **after** turning on the policy in report-only mode - The policy name from step 5 above is listed in the `Policy Name` column - The `Result` column for the new policy shows that the policy was `Not applied` (indicating the location origin was not blocked) 1. If the above conditions are present, navigate back to the policy name in Conditional Access and open it. 1. Toggle the policy from `Report-only` to `On`. 1. Click `Save`. **From PowerShell** First, set up the conditions objects values before updating an existing conditional access policy or before creating a new one. You may need to use additional PowerShell cmdlets to retrieve specific IDs such as the `Get-AzureADMSNamedLocationPolicy` which outputs the `Location IDs` for use with conditional access policies. ``` $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition $conditions.Applications.IncludeApplications = $conditions.Applications.ExcludeApplications = $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition $conditions.Users.IncludeUsers = $conditions.Users.ExcludeUsers = $conditions.Users.IncludeGroups = $conditions.Users.ExcludeGroups = $conditions.Users.IncludeRoles = $conditions.Users.ExcludeRoles = $conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition $conditions.Locations.IncludeLocations = $conditions.Locations.ExcludeLocations = $controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls $controls._Operator = OR $controls.BuiltInControls = block ``` Next, update the existing conditional access policy with the condition set options configured 
with the previous commands. ``` Set-AzureADMSConditionalAccessPolicy -PolicyId -Conditions $conditions -GrantControls $controls ``` To create a new conditional access policy that complies with this best practice, run the following commands after creating the condition set above ``` New-AzureADMSConditionalAccessPolicy -Name Policy Name -State -Conditions $conditions -GrantControls $controls ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home open the Portal menu in the top left, and select `Microsoft Entra ID`. 1. Scroll down in the menu on the left, and select `Security`. 1. Select on the left side `Conditional Access`. 1. Select the policy you wish to audit, then: - Under `Assignments`, Review the `Users and Groups` for the personnel the policy will apply to - Under `Assignments`, Review the `Cloud apps or actions` for the systems the policy will apply to - Under `Conditions`, Review the `Include` locations for those that should be **blocked** - Under `Conditions`, Review the `Exclude` locations for those that should be allowed (Note: locations set up in the previous recommendation for Trusted Location should be in the `Exclude` list.) - Under `Access Controls` > `Grant` - Confirm that `Block Access` is selected. 
**From Azure CLI** ``` As of this writing there are no subcommands for Conditional Access Policies within the Azure CLI ``` **From PowerShell** ``` $conditionalAccessPolicies = Get-AzureADMSConditionalAccessPolicy foreach($policy in $conditionalAccessPolicies) {$policy | Select-Object @{N='Policy ID'; E={$policy.id}}, @{N=Included Locations; E={$policy.Conditions.Locations.IncludeLocations}}, @{N=Excluded Locations; E={$policy.Conditions.Locations.ExcludeLocations}}, @{N=BuiltIn GrantControls; E={$policy.GrantControls.BuiltInControls}}} ``` Make sure there is at least 1 row in the output of the above PowerShell command that contains `Block` under the `BuiltIn GrantControls` column and location IDs under the `Included Locations` and `Excluded Locations` columns. If not, a policy containing these options has not been created and is considered a finding.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. 
Further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.", + "DefaultValue": "This policy does not exist by default.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-report-only:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.3", + "Description": "Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.", + "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the use of Administrative accounts to authenticated personnel.", + "ImpactStatement": "There is an increased cost, as Conditional Access policies require Microsoft Entra ID P1. Similarly, MFA may require additional overhead to maintain. There is also a potential scenario in which the multi-factor authentication method can be lost, and administrative users are no longer able to log in. For this scenario, there should be an emergency access account. Please see References for creating this.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home open the Portal Menu in top left, and select Microsoft Entra ID. 1. Select `Security`. 1. Select `Conditional Access`. 1. Click `+ New policy`. 1. Enter a name for the policy. 1. Select `Users or workload identities`. 1. Check `Users and groups`. 1. Select administrative groups this policy should apply to and click `Select`. 1. Under `Exclude`, check `Users and groups`. 1. 
Select users this policy not should apply to and click `Select`. 1. Select `Cloud apps or actions`. 1. Select `All cloud apps`. 1. Select `Grant`. 1. Under Grant access, check `Require multifactor authentication` and click `Select`. 1. Set `Enable policy` to `Report-only`. 1. Click `Create`. After testing the policy in report-only mode, update the `Enable policy` setting from `Report-only` to `On`.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home open the Portal Menu in the top left, and select `Microsoft Entra ID`. 1. Select `Security`. 1. Select `Conditional Access`. 1. Select the policy you wish to audit. 1. View under `Users and Groups` the corresponding users and groups to whom the policy is applied. Be certain the emergency access account is not in the list. 1. View under `Exclude` to determine which Users and groups to whom the policy is not applied.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. 
Further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.", + "DefaultValue": "By default, MFA is not enabled for any administrative accounts.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa:https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.4", + "Description": "Ensure that A Multi-factor Authentication Policy Exists for All Users", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.", + "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.", + "ImpactStatement": "There is an increased cost, as Conditional Access policies require Microsoft Entra ID P1 or P2. Similarly, this may require additional overhead to maintain if users lose access to their MFA.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home open Portal menu in the top left, and select `Microsoft Entra ID`. 1. Select `Security`. 1. Select `Conditional Access`. 1. Click `+ New policy`. 1. Enter a name for the policy. 1. Select `Users or workload identities`. 1. 
Under `Include`, select `All users`. 1. Under `Exclude`, check `Users and groups`. 1. Select users this policy should not apply to and click `Select`. 1. Select `Cloud apps or actions`. 1. Select `All cloud apps`. 1. Select `Grant`. 1. Under `Grant access`, check `Require multifactor authentication` and click `Select`. 1. Set `Enable policy` to `Report-only`. 1. Click `Create`. After testing the policy in report-only mode, update the `Enable policy` setting from `Report-only` to `On`.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home open the Portal Menu in the top left, and select `Microsoft Entra ID`. 2. Scroll down in the menu on the left, and select `Security`. 3. Select on the left side `Conditional Access`. 4. Select the policy you wish to audit. 5. View under `Users and Groups` the corresponding users and groups to whom the policy is applied. 6. View under `Exclude` to determine which users and groups to whom the policy is not applied.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. 
Further testing can also be done via the insights and reporting resource the in References which monitors Azure sign ins.", + "DefaultValue": "MFA is not enabled by default.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.5", + "Description": "Ensure Multi-factor Authentication is Required for Risky Sign-ins", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.", + "RationaleStatement": "Enabling multi-factor authentication is a recommended setting to limit the potential of accounts being compromised and limiting access to authenticated personnel.", + "ImpactStatement": "There is an increased cost, as Conditional Access policies require Microsoft Entra ID P1 or P2. Similarly, they may require additional overhead to maintain if users lose access to their MFA.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu in the top left, and select `Microsoft Entra ID`. 1. Select `Security` 1. Select `Conditional Access`. 1. Click `+ New policy`. 1. Enter a name for the policy. 1. Select `Users or workload identities`. 1. Under `Include`, select `All users`. 1. Under `Exclude`, check `Users and groups`. 1. Select users this policy should not apply to and click `Select`. 1. Select `Cloud apps or actions`. 1. Select `All cloud apps`. 1. 
Select `Conditions`. 1. Select `Sign-in risk`. 1. Update the `Configure` toggle to `Yes`. 1. Check the sign-in risk level this policy should apply to, e.g. `High` and `Medium`. 1. Select `Done`. 1. Click the blue text under `Grant access` and check `Require multifactor authentication` then click the `Select` button. 1. Click the blue text under `Session` then check `Sign-in frequency` and select `Every time` and click the `Select` button. 1. Set `Enable policy` to `Report-only`. 1. Click `Create`. After testing the policy in report-only mode, update the `Enable policy` setting from `Report-only` to `On`.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu in the top left, and select `Microsoft Entra ID`. 1. Select `Security`. 1. Select on the left side `Conditional Access`. 1. Select the policy you wish to audit. 1. View under `Users and Groups` the corresponding users and groups to whom the policy is applied. 1. View under `Exclude` to determine which users and groups to whom the policy is not applied.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. 
Further testing can also be done via the insights and reporting resource the in References which monitors Azure sign ins.", + "DefaultValue": "MFA is not enabled by default.", + "References": "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions" + } + ] + }, + { + "Id": "1.2.6", + "Description": "Ensure Multifactor Authentication is Required for Windows Azure Service Management API", + "Checks": [ + "entra_conditional_access_policy_require_mfa_for_management_api" + ], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure Powershell, Azure CLI, Azure Resource Manager API, etc.) are required to use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API.", + "RationaleStatement": "Administrative access to the Windows Azure Service Management API should be secured with a higher level of scrutiny to authenticating mechanisms. Enabling multifactor authentication is recommended to reduce the potential for abuse of Administrative actions, and to prevent intruders or compromised admin credentials from changing administrative settings. **IMPORTANT**: While this recommendation allows exceptions to specific Users or Groups, they should be very carefully tracked and reviewed for necessity on a regular interval through an Access Review process. 
It is important that this rule be built to include All Users to ensure that all users not specifically excepted will be required to use MFA to access the Azure Service Management API.", + "ImpactStatement": "Conditional Access policies require Microsoft Entra ID P1 or P2 licenses. Similarly, they may require additional overhead to maintain if users lose access to their MFA. Any users or groups which are granted an exception to this policy should be carefully tracked, be granted only minimal necessary privileges, and conditional access exceptions should be regularly reviewed or investigated.", + "RemediationProcedure": "**From Azure Portal** 1. From the Azure Admin Portal dashboard, open `Microsoft Entra ID`. 1. Click `Security` in the Entra ID blade. 1. Click `Conditional Access` in the Security blade. 1. Click `Policies` in the Conditional Access blade. 1. Click `+ New policy`. 1. Enter a name for the policy. 1. Click the blue text under `Users`. 1. Under `Include`, select `All users`. 1. Under `Exclude`, check `Users and groups`. 1. Select users or groups to be exempted from this policy (e.g. break-glass emergency accounts, and non-interactive service accounts) then click the `Select` button. 1. Click the blue text under `Target Resources`. 1. Under `Include`, click the `Select apps` radio button. 1. Click the blue text under `Select`. 1. Check the box next to `Windows Azure Service Management APIs` then click the `Select` button. 1. Click the blue text under `Grant`. 1. Under `Grant access` check the box for `Require multifactor authentication` then click the `Select` button. 1. Before creating, set `Enable policy` to `Report-only`. 1. Click `Create`. After testing the policy in report-only mode, update the `Enable policy` setting from `Report-only` to `On`.", + "AuditProcedure": "**From Azure Portal** 1. From the Azure Admin Portal dashboard, open `Microsoft Entra ID`. 1. In the menu on the left of the Entra ID blade, click `Security`. 1. 
In the menu on the left of the Security blade, click `Conditional Access`. 1. In the menu on the left of the Conditional Access blade, click `Policies`. 1. Click on the name of the policy you wish to audit. 1. Click the blue text under `Users`. 1. Under the `Include` section of Users, review `Users and Groups` to ensure that `All Users` is selected. 1. Under the `Exclude` section of Users, review the `Users and Groups` that are excluded from the policy (NOTE: this should be limited to break-glass emergency access accounts, non-interactive service accounts, and other carefully considered exceptions). 1. On the left side, click the blue text under `Target Resources`. 1. Select what this policy applies to should have `Cloud apps` selected. 1. Under the `Include` section of Target Resources, the `Select apps` radio button should be selected. 1. Click the blue text under `Select`. 1. From the select prompt that appears, the checkbox for `Windows Azure Service Management API` should be checked.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with administrators changing settings until they use an MFA device linked to their accounts. An emergency access account is recommended for this eventuality if all administrators are locked out. Please see the documentation in the references for further information. 
Similarly further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.", + "DefaultValue": "MFA is not enabled by default for administrative actions.", + "References": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups:https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-azure-management:https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#windows-azure-service-management-api" + } + ] + }, + { + "Id": "1.2.7", + "Description": "Ensure Multifactor Authentication is Required to access Microsoft Admin Portals", + "Checks": [], + "Attributes": [ + { + "Section": "1.2 Conditional Access", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "This recommendation ensures that users accessing Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multifactor authentication (MFA) credentials when logging into an Admin Portal.", + "RationaleStatement": "Administrative Portals for Microsoft Azure should be secured with a higher level of scrutiny to authenticating mechanisms. Enabling multifactor authentication is recommended to reduce the potential for abuse of Administrative actions, and to prevent intruders or compromised admin credentials from changing administrative settings. **IMPORTANT**: While this recommendation allows exceptions to specific Users or Groups, they should be very carefully tracked and reviewed for necessity on a regular interval through an Access Review process. 
It is important that this rule be built to include All Users to ensure that all users not specifically excepted will be required to use MFA to access Admin Portals.", + "ImpactStatement": "Conditional Access policies require Microsoft Entra ID P1 or P2 licenses. Similarly, they may require additional overhead to maintain if users lose access to their MFA. Any users or groups which are granted an exception to this policy should be carefully tracked, be granted only minimal necessary privileges, and conditional access exceptions should be reviewed or investigated.", + "RemediationProcedure": "**From Azure Portal** 1. From the Azure Admin Portal dashboard, open `Microsoft Entra ID`. 1. Click `Security` in the Entra ID blade. 1. Click `Conditional Access` in the Security blade. 1. Click `Policies` in the Conditional Access blade. 1. Click `+ New policy`. 1. Enter a name for the policy. 1. Click the blue text under `Users`. 1. Under `Include`, select `All users`. 1. Under `Exclude`, check `Users and groups`. 1. Select users or groups to be exempted from this policy (e.g. break-glass emergency accounts, and non-interactive service accounts) then click the `Select` button. 1. Click the blue text under `Target Resources`. 1. Under `Include`, click the `Select apps` radio button. 1. Click the blue text under `Select`. 1. Check the box next to `Microsoft Admin Portals` then click the `Select` button. 1. Click the blue text under `Grant`. 1. Under `Grant access` check the box for `Require multifactor authentication` then click the `Select` button. 1. Before creating, set `Enable policy` to `Report-only`. 1. Click `Create`. After testing the policy in report-only mode, update the `Enable policy` setting from `Report-only` to `On`.", + "AuditProcedure": "**From Azure Portal** 1. From the Azure Admin Portal dashboard, open `Microsoft Entra ID`. 1. In the menu on the left of the Entra ID blade, click `Security`. 1. 
In the menu on the left of the Security blade, click `Conditional Access`. 1. In the menu on the left of the Conditional Access blade, click `Policies`. 1. Click on the name of the policy you wish to audit. 1. Click the blue text under `Users`. 1. Under the `Include` section of Users, review `Users and Groups` to ensure that `All Users` is selected. 1. Under the `Exclude` section of Users, review the `Users and Groups` that are excluded from the policy (NOTE: this should be limited to break-glass emergency access accounts, non-interactive service accounts, and other carefully considered exceptions). 1. On the left side, click the blue text under `Target Resources`. 1. Select what this policy applies to should have `Cloud apps` selected. 1. Under the `Include` section of Target Resources, the `Select apps` radio button should be selected. 1. Click the blue text under `Select`. 1. From the select prompt that appears, the checkbox for `Microsoft Admin Portals` should be checked.", + "AdditionalInformation": "These policies should be tested by using the What If tool in the References. Setting these can and will create issues with administrators changing settings until they use an MFA device linked to their accounts. An emergency access account is recommended for this eventuality if all administrators are locked out. Please see the documentation in the references for further information. 
Similarly further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.", + "DefaultValue": "MFA is not enabled by default for administrative actions.", + "References": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions:https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups:https://learn.microsoft.com/en-us/entra/identity/conditional-access/how-to-policy-mfa-admin-portals" + } + ] + }, + { + "Id": "2.1.1", + "Description": "Ensure That Microsoft Defender for Servers Is Set to 'On'", + "Checks": [ + "defender_ensure_defender_for_server_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Servers in Microsoft Defender for Cloud incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. Select `Environment Settings` 3. Click on the subscription name 4. Select `Defender plans` 5. Set `Server` Status to `On` 6. Select `Save` **From Azure CLI** Run the following command: ``` az security pricing create -n VirtualMachines --tier 'standard' ``` **From PowerShell** Run the following command: ``` Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. 
Select `Environment Settings` 3. Click on the subscription name 4. Select `Defender plans` 5. Ensure `Servers` Status is set to `On`. **From Azure CLI** Run the following command: ``` az security pricing show -n VirtualMachines --query pricingTier ``` If the tenant is licensed and enabled, the output should indicate `Standard` **From PowerShell** Run the following command: ``` Get-AzSecurityPricing -Name 'VirtualMachines' |Select-Object Name,PricingTier ``` If the tenant is licensed and enabled, the `-PricingTier` parameter will indicate `Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [4da35fc9-c9e7-4960-aec9-797fe7d9051d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) **- Name:** 'Azure Defender for servers should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-endpoint-security#es-1-use-endpoint-detection-and-response-edr" + } + ] + }, + { + "Id": "2.1.2", + "Description": "Ensure That Microsoft Defender for App Services Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_app_services_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + 
"Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for App Service incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. Select `Environment Settings` 3. Click on the subscription name 4. Select `Defender plans` 5. Set `App Service` Status to `On` 6. Select `Save` **From Azure CLI** Run the following command: ``` az security pricing create -n Appservices --tier 'standard' ``` **From PowerShell** Run the following command: ``` Set-AzSecurityPricing -Name AppServices -PricingTier Standard ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. Select `Environment Settings` 3. Click on the subscription name 4. Select `Defender plans` 5. Ensure Status is `On` for `App Service` **From Azure CLI** Run the following command: ``` az security pricing show -n AppServices ``` Ensure `-PricingTier` is set to `Standard` **From PowerShell** Run the following command: ``` Get-AzSecurityPricing -Name 'AppServices' |Select-Object Name,PricingTier ``` Ensure the `-PricingTier` is set to `Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [2913021d-f2fd-4f3d-b958-22354e2bdbcb](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) **- Name:** 'Azure Defender for App Service should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.3", + "Description": "Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_azure_sql_databases_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Managed Instance Azure SQL databases, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.", + "ImpactStatement": "Turning on Microsoft 
Defender for Azure SQL Databases incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Click `Select types >` in the row for `Databases`. 6. Set the radio button next to `Azure SQL Databases` to `On`. 7. Select `Continue`. 8. Select `Save`. **From Azure CLI** Run the following command: ``` az security pricing create -n SqlServers --tier 'standard' ``` **From PowerShell** Run the following command: ``` Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard' ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Click `Select types >` in the row for `Databases`. 6. Ensure the radio button next to `Azure SQL Databases` is set to `On`. **From Azure CLI** Run the following command: ``` az security pricing show -n SqlServers ``` Ensure `-PricingTier` is set to `Standard` **From PowerShell** Run the following command: ``` Get-AzSecurityPricing -Name 'SqlServers' | Select-Object Name,PricingTier ``` Ensure the `-PricingTier` is set to `Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [7fe3b40f-802b-4cdd-8bd4-fd799c948cc2](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) **- Name:** 'Azure Defender for Azure SQL Database servers should be enabled' - **Policy ID:** [abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) **- Name:** 'Azure Defender for SQL should be enabled for unprotected SQL Managed Instances'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.4", + "Description": "Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_sql_servers_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat 
intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for SQL servers on machines allows for greater defense-in-depth, functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.", + "ImpactStatement": "Turning on Microsoft Defender for SQL servers on machines incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Click `Select types >` in the row for `Databases`. 6. Set the radio button next to `SQL servers on machines` to `On`. 7. Select `Continue`. 8. Select `Save`. **From Azure CLI** Run the following command: ``` az security pricing create -n SqlServerVirtualMachines --tier 'standard' ``` **From PowerShell** Run the following command: ``` Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard' ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Click `Select types >` in the row for `Databases`. 6. Ensure the radio button next to `SQL servers on machines` is set to `On`. 
**From Azure CLI** Ensure Defender for SQL is licensed with the following command: ``` az security pricing show -n SqlServerVirtualMachines ``` Ensure the 'PricingTier' is set to 'Standard' **From PowerShell** Run the following command: ``` Get-AzSecurityPricing -Name 'SqlServerVirtualMachines' | Select-Object Name,PricingTier ``` Ensure the 'PricingTier' is set to 'Standard' **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [6581d072-105e-4418-827f-bd446d56421b](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) **- Name:** 'Azure Defender for SQL servers on machines should be enabled' - **Policy ID:** [abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) **- Name:** 'Azure Defender for SQL should be enabled for unprotected Azure SQL servers'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": 
"https://docs.microsoft.com/en-us/azure/security-center/defender-for-sql-usage:https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.5", + "Description": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_os_relational_databases_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Open-source relational databases incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Click `Select types >` in the row for `Databases`. 6. Set the radio button next to `Open-source relational databases` to `On`. 7. Select `Continue`. 8. Select `Save`. 
**From Azure CLI** Run the following command: ``` az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'standard' ``` **From PowerShell** Use the below command to enable Standard pricing tier for Open-source relational databases ``` set-azsecuritypricing -name OpenSourceRelationalDatabases -pricingtier Standard ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 1. Select `Environment Settings` blade. 1. Click on the subscription name. 1. Select the `Defender plans` blade. 1. Click `Select types >` in the row for `Databases`. 1. Ensure the radio button next to `Open-source relational databases` is set to `On`. **From Azure CLI** Run the following command: ``` az security pricing show -n OpenSourceRelationalDatabases --query pricingTier ``` **From PowerShell** ``` Get-AzSecurityPricing | Where-Object {$_.Name -eq 'OpenSourceRelationalDatabases'} | Select-Object Name, PricingTier ``` Ensure output for `Name PricingTier` is `OpenSourceRelationalDatabases Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [0a9fbe0d-c5c4-4da8-87d8-f4fd77338835](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a9fbe0d-c5c4-4da8-87d8-f4fd77338835) **- Name:** 'Azure Defender for open-source relational databases should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.6", + "Description": "Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_cosmosdb_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources.", + "RationaleStatement": "In scanning Azure Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. 
These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.", + "ImpactStatement": "Enabling Microsoft Defender for Azure Cosmos DB requires enabling Microsoft Defender for your subscription. Both will incur additional charges.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. On the `Database` row click on `Select types >`. 6. Set the radio button next to `Azure Cosmos DB` to `On`. 7. Click `Continue`. 8. Click `Save`. **From Azure CLI** Run the following command: ``` az security pricing create -n 'CosmosDbs' --tier 'standard' ``` **From PowerShell** Use the below command to enable Standard pricing tier for Azure Cosmos DB ``` Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. Select `Environment Settings` blade 3. Click on the subscription name 4. Select the `Defender plans` blade 5. On the `Database` row click on `Select types >` 6. Ensure the radio button next to `Azure Cosmos DB` is set to `On`. **From Azure CLI** Ensure the output of the below command is Standard ``` az security pricing show -n CosmosDbs --query pricingTier ``` **From PowerShell** ``` Get-AzSecurityPricing -Name 'CosmosDbs' | Select-Object Name,PricingTier ``` Ensure output of `-PricingTier` is `Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [adbe85b5-83e6-4350-ab58-bf3a4f736e5e](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fadbe85b5-83e6-4350-ab58-bf3a4f736e5e) **- Name:** 'Microsoft Defender for Azure Cosmos DB should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for Azure Cosmos DB is not enabled.", + "References": "https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cosmos-db-security-baseline:https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.7", + "Description": "Ensure That Microsoft Defender for Storage Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_storage_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Storage incurs an additional cost per resource.", + "RemediationProcedure": "**From 
Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Set `Status` to `On` for `Storage`. 6. Select `Save`. **From Azure CLI** Ensure the output of the below command is Standard ``` az security pricing create -n StorageAccounts --tier 'standard' ``` **From PowerShell** ``` Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Ensure `Status` is set to `On` for `Storage`. **From Azure CLI** Ensure the output of the below command is Standard ``` az security pricing show -n StorageAccounts ``` **From PowerShell** ``` Get-AzSecurityPricing -Name 'StorageAccounts' | Select-Object Name,PricingTier ``` Ensure output for `Name PricingTier` is `StorageAccounts Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [308fbb08-4ab8-4e67-9b29-592e93fb94fa](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) **- Name:** 'Microsoft Defender for Storage (Classic) should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.8", + "Description": "Ensure That Microsoft Defender for Containers Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_containers_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. 
The following services will be enabled for container instances: - Defender agent in Azure - Azure Policy for Kubernetes - Agentless discovery for Kubernetes - Agentless container vulnerability assessment", + "RationaleStatement": "Enabling Microsoft Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Containers incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings`. 3. Click on the subscription name. 4. Select `Defender plans`. 5. Set `Status` to `On` for `Containers`. 6. Click `Save`. **From Azure CLI** (Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers') Use the below command to enable Standard pricing tier for Containers. ``` az security pricing create -n 'Containers' --tier 'standard' ``` **From PowerShell** (Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers') Use the below command to enable Standard pricing tier for Containers. ``` Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard' ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings`. 3. Click on the subscription name. 4. Select `Defender plans`. 5. Ensure `On` is set under `Status` for `Containers`. **From Azure CLI** Ensure the output of the commands below indicates `Standard` pricing. For legacy Defender for Container Registries instances: ``` az security pricing show --name ContainerRegistry --query pricingTier ``` For new Defender for Containers instances: ``` az security pricing show --name Containers --query pricingTier ``` **From PowerShell** Ensure the output of the commands below indicates `Standard` pricing. 
For legacy Defender for Container Registries instances: ``` Get-AzSecurityPricing -Name 'ContainerRegistry' | Select-Object Name,PricingTier ``` For new Defender for Containers instances: ``` Get-AzSecurityPricing -Name 'Containers' | Select-Object Name,PricingTier ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [1c988dd6-ade4-430f-a608-2a3e5b0a6d38](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) **- Name:** 'Microsoft Defender for Containers should be enabled'", + "AdditionalInformation": "**Deprecation of previous product plans** 'Container registries' and 'Kubernetes' plans for Microsoft Defender are being deprecated and replaced with 'Containers' or Microsoft Defender for Containers.", + "DefaultValue": "By default, Microsoft Defender for Containers is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks" + } + ] + }, + { + "Id": "2.1.9", + "Description": "Ensure That Microsoft Defender for Key Vault Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_keyvault_is_on" + ], + "Attributes": [ + 
{ + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.", + "RationaleStatement": "Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).", + "ImpactStatement": "Turning on Microsoft Defender for Key Vault incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. Select `Environment Settings` blade 3. Click on the subscription name 4. Select the `Defender plans` blade 5. Select `On` under `Status` for `Key Vault`. 6. Select `Save`. **From Azure CLI** Enable Standard pricing tier for Key Vault: ``` az security pricing create -n 'KeyVaults' --tier 'Standard' ``` **From PowerShell** Enable Standard pricing tier for Key Vault: ``` Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard' ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. Select `Environment Settings` blade 3. Click on the subscription name 4. Select the `Defender plans` blade 5. Ensure `Status` is set to `On` for `Key Vault`. **From Azure CLI** Ensure the output of the below command is Standard ``` az security pricing show -n 'KeyVaults' --query 'PricingTier' ``` **From PowerShell** ``` Get-AzSecurityPricing -Name 'KeyVaults' | Select-Object Name,PricingTier ``` Ensure output for `PricingTier` is `Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [0e6763cc-5078-4e64-889d-ff4d9a839047](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) **- Name:** 'Azure Defender for Key Vault should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender plan is off.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update:https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.10", + "Description": "[LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_dns_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "[**NOTE:** As of August 1, customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.] Microsoft Defender for DNS scans all network traffic exiting from within a subscription.", + "RationaleStatement": "DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. 
These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.", + "ImpactStatement": "Enabling Microsoft Defender for DNS requires enabling Microsoft Defender for your subscription. Both will incur additional charges, with Defender for DNS being a small amount per million queries.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Select `On` under `Status` for `DNS`. 6. Select `Save`. **From Powershell** Enable Standard pricing tier for DNS: ``` az security pricing create -n 'DNS' --tier 'Standard' ``` **From PowerShell** Enable Standard pricing tier for DNS: ``` Set-AzSecurityPricing -Name 'DNS' -PricingTier 'Standard' ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. Select `Environment Settings` blade 3. Click on the subscription name 4. Select the `Defender plans` blade 5. Ensure `Status` is set to `On` for `DNS`. **From Azure CLI** Ensure the output of the below command is Standard ``` az security pricing show -n 'DNS' --query 'PricingTier' ``` **From PowerShell** ``` Get-AzSecurityPricing --Name 'DNS' | Select-Object Name,PricingTier ``` Ensure output of `PricingTier` is `Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [bdc59948-5574-49b3-bb91-76b7c986428d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbdc59948-5574-49b3-bb91-76b7c986428d) **- Name:** 'Azure Defender for DNS should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for DNS is not enabled.", + "References": "https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/dns-security-baseline:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-dns-alerts:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-10-ensure-domain-name-system-dns-security:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.11", + "Description": "Ensure That Microsoft Defender for Resource Manager Is Set To 'On'", + "Checks": [ + "defender_ensure_defender_for_arm_is_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.", + "RationaleStatement": "Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.", + "ImpactStatement": "Enabling Microsoft Defender for Resource Manager requires enabling 
Microsoft Defender for your subscription. Both will incur additional charges.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud`. 2. Select `Environment Settings` blade. 3. Click on the subscription name. 4. Select the `Defender plans` blade. 5. Select `On` under `Status` for `Resource Manager`. 6. Select `Save. **From Azure CLI** Use the below command to enable Standard pricing tier for Defender for Resource Manager ``` az security pricing create -n 'Arm' --tier 'Standard' ``` **From PowerShell** Use the below command to enable Standard pricing tier for Defender for Resource Manager ``` Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard' ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Microsoft Defender for Cloud` 2. Select `Environment Settings` blade 3. Click on the subscription name 4. Select the `Defender plans` blade 5. Ensure `Status` is set to `On` for `Resource Manager`. **From Azure CLI** Ensure the output of the below command is Standard ``` az security pricing show -n 'Arm' --query 'PricingTier' ``` **From Azure PowerShell** ``` Get-AzSecurityPricing -Name 'Arm' | Select-Object Name,PricingTier ``` Ensure the output of `PricingTier` is `Standard` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [c3d20c29-b36d-48fe-808b-99a87530ad99](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) **- Name:** 'Azure Defender for Resource Manager should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for Resource Manager is not enabled.", + "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security:https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-resource-manager-introduction:https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities" + } + ] + }, + { + "Id": "2.1.12", + "Description": "Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'", + "Checks": [ + "defender_ensure_system_updates_are_applied" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure that the latest OS patches for all virtual machines are applied.", + "RationaleStatement": "Windows and Linux virtual machines should be kept updated to: - Address a specific bug or flaw - Improve an OS or application’s general stability - Fix a security vulnerability Microsoft Defender for Cloud retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. 
If a VM is missing a system update, the security center will recommend system updates be applied.", + "ImpactStatement": "Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour.", + "RemediationProcedure": "Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Then the `Recommendations` blade 1. Ensure that there are no recommendations for `Apply system updates` Alternatively, you can employ your own patch assessment and management tool to periodically assess, report and install the required security patches for your OS. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [bd876905-5b84-4f73-ab2d-2e7a7c4568d9](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) **- Name:** '[Preview]: Machines should be configured to periodically check for missing system updates'", + "AdditionalInformation": "", + "DefaultValue": "By default, patches are not automatically deployed.", + "References": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities:https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/:https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm" + } + ] + }, + { + "Id": "2.1.13", + "Description": "Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'", + "Checks": [ + "policy_ensure_asc_enforcement_enabled" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "The Microsoft Cloud Security Benchmark (or MCSB) is an Azure Policy Initiative containing many security policies to evaluate resource configuration against best practice recommendations. If a policy in the MCSB is set with effect type `Disabled`, it is not evaluated and may prevent administrators from being informed of valuable security recommendations.", + "RationaleStatement": "A security policy defines the desired configuration of resources in your environment and helps ensure compliance with company or regulatory security requirements. The MCSB Policy Initiative a set of security recommendations based on best practices and is associated with every subscription by default. 
When a policy Effect is set to `Audit`, policies in the MCSB ensure that Defender for Cloud evaluates relevant resources for supported recommendations. To ensure that policies within the MCSB are not being missed when the Policy Initiative is evaluated, none of the policies should have an Effect of `Disabled`.", + "ImpactStatement": "Policies within the MCSB default to an effect of `Audit` and will evaluate - but not enforce - policy recommendations. Ensuring these policies are set to `Audit` simply ensures that the evaluation occurs to allow administrators to understand where an improvement may be possible. Administrators will need to determine if the recommendations are relevant and desirable for their environment, then manually take action to resolve the status if desired.", + "RemediationProcedure": "**From Azure Portal** Part A - List all disabled policies 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Then `Environment Settings` 1. Select the appropriate Subscription 1. Click on `Security Policy` in the left column. 1. Click on `Microsoft Cloud Security Benchmark` 1. Click `Add Filter` and select `Effect` 1. Check the `Disabled` box to search for all disabled policies 1. Click `Apply` Part B - Remediate Policy Effect For each policy that remains in the list: 1. Click the blue ellipses `...` to the right of the policy name 1. Click `Manage effect and parameters` 1. Under Policy Effect, select the `Audit` radio button 1. Click `Save` 1. Click `Refresh` Repeat Part B - Remediate Policy Effect until no more policies are listed.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Then `Environment Settings` 1. Select the appropriate Subscription 1. Click on `Security Policy` in the left column. 1. Click on `Microsoft Cloud Security Benchmark` 1. Click `Add Filter` and select `Effect` 1. 
Check the `Disabled` box to search for all disabled policies 1. Click `Apply` If no Policies are shown, no Policies are in `Disabled` status and no remediation is necessary. If any Policies remain in the list, the policy `Effect` should be changed to `Audit`.", + "AdditionalInformation": "", + "DefaultValue": "By default, the MCSB policy initiative is associated to all subscriptions and **most** policies will have an effect of `Audit`. Some policies will have a default effect of `Disabled`.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-policies:https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/get:https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/create:https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-7-define-and-implement-logging-threat-detection-and-incident-response-strategy" + } + ] + }, + { + "Id": "2.1.14", + "Description": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'", + "Checks": [ + "defender_auto_provisioning_log_analytics_agent_vms_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable automatic provisioning of the monitoring agent to collect security data.", + "RationaleStatement": "When `Log Analytics agent for Azure VMs` is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. 
The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Select `Environment Settings` 1. Select a subscription 1. Click on `Settings & Monitoring` 1. Ensure that `Log Analytics agent for Azure VMs` is set to `On` Repeat the above for any additional subscriptions. **From Azure CLI** Use the below command to set `Automatic provisioning of monitoring agent` to `On`. ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X PUT -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@input.json' ``` Where `input.json` contains the Request body json data as mentioned below. ``` { id: /subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default, name: default, type: Microsoft.Security/autoProvisioningSettings, properties: { autoProvision: On } } ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Then `Environment Settings` 1. Select a subscription 1. Click on `Settings & Monitoring` 1. Ensure that `Log Analytics agent/Azure Monitor agent` is set to `On` Repeat the above for any additional subscriptions. 
**From Azure CLI** Ensure the output of the below command is `On` ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X GET -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions//providers/Microsoft.Security/autoProvisioningSettings?api-version=2017-08-01-preview' | jq '.|.value[] | select(.name==default)'|jq '.properties.autoProvision' ``` **Using PowerShell** ``` Connect-AzAccount Get-AzSecurityAutoProvisioningSetting | Select-Object Name, AutoProvision ``` Ensure output for `Id Name AutoProvision` is `/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default default On` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [475aae12-b88a-4572-8b36-9b712b2b3a17](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) **- Name:** 'Auto provisioning of the Log Analytics agent should be enabled on your subscription'", + "AdditionalInformation": "- Excluding any of the entries in `input.json` may disable the specific setting by default - Microsoft has recently changed APIs to get and Update Automatic Provisioning Setting. 
This recommendation is updated accordingly.", + "DefaultValue": "By default, `Automatic provisioning of monitoring agent` is set to `On`.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security:https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification" + } + ] + }, + { + "Id": "2.1.15", + "Description": "Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'", + "Checks": [ + "defender_auto_provisioning_vulnerabilty_assessments_machines_on" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.", + "RationaleStatement": "Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.", + "ImpactStatement": "Additional licensing is required and configuration of Azure Arc introduces complexity beyond this recommendation.", + "RemediationProcedure": "**From Azure Portal** 1. 
From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Then `Environment Settings` 1. Select a subscription 1. Click on `Settings & Monitoring` 1. Ensure that `Vulnerability assessment for machines` is set to `On` Repeat the above for any additional subscriptions.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Then `Environment Settings` 1. Select a subscription 1. Click on `Settings & Monitoring` 1. Ensure that `Vulnerability assessment for machines` is set to `On` Repeat the above for any additional subscriptions.", + "AdditionalInformation": "While this feature is generally available as of publication, it is not yet available for Azure Government tenants.", + "DefaultValue": "By default, `Automatic provisioning of monitoring agent` is set to `Off`.", + "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-va:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-5-perform-vulnerability-assessments" + } + ] + }, + { + "Id": "2.1.16", + "Description": "Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'", + "Checks": [], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enable automatic provisioning of the Microsoft Defender for Containers components.", + "RationaleStatement": "As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and 
vulnerabilities.", + "ImpactStatement": "Microsoft Defender for Containers will require additional licensing.", + "RemediationProcedure": "**From Azure Portal** 1. From the Azure Portal `Home` page, select `Microsoft Defender for Cloud` 1. Under `Management`, select `Environment Settings` 1. Select a subscription 1. Set `Containers` to `On`", + "AuditProcedure": "**From Azure Portal** 1. From the Azure Portal `Home` page, select `Microsoft Defender for Cloud` 1. Under `Management` select `Environment Settings` 1. Select a subscription 1. Ensure that `Containers` is set to `On` Repeat the above for any additional subscriptions. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [1c988dd6-ade4-430f-a608-2a3e5b0a6d38](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) **- Name:** 'Microsoft Defender for Containers should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, Microsoft Defender for Containers is disabled. 
If Defender for Containers is enabled from the Microsoft Defender for Cloud portal, auto provisioning will be enabled.", + "References": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction:https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-containers:https://msdn.microsoft.com/en-us/library/mt704062.aspx:https://msdn.microsoft.com/en-us/library/mt704063.aspx:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification" + } + ] + }, + { + "Id": "2.1.17", + "Description": "Ensure That 'All users with the following roles' is set to 'Owner'", + "Checks": [ + "defender_ensure_notify_emails_to_owners" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable security alert emails to subscription owners.", + "RationaleStatement": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Click on `Environment Settings` 1. Click on the appropriate Management Group, Subscription, or Workspace 1. Click on `Email notifications` 1. In the drop down of the `All users with the following roles` field select `Owner` 1. Click `Save` **From Azure CLI** Use the below command to set `Send email also to subscription owners` to `On`. 
``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X PUT -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@input.json' ``` Where `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses: ``` { id: /subscriptions//providers/Microsoft.Security/securityContacts/default1, name: default1, type: Microsoft.Security/securityContacts, properties: { email: , alertNotifications: On, alertsToAdmins: On, notificationsByRole: Owner } } ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Then `Environment Settings` 1. Click on the appropriate Management Group, Subscription, or Workspace 1. Click on `Email notifications` 1. Ensure that `All users with the following roles` is set to `Owner` **From Azure CLI** Ensure the command below returns state of `On` and that `Owner` appears in roles. 
``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X GET -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview'| jq '.[] | select(.name==default).properties.notificationsByRole' ```", + "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default.", + "DefaultValue": "By default, `Owner` is selected", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification" + } + ] + }, + { + "Id": "2.1.18", + "Description": "Ensure 'Additional email addresses' is Configured with a Security Contact Email", + "Checks": [ + "defender_additional_email_configured_with_a_security_contact" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.", + "RationaleStatement": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Click on `Environment Settings` 1. Click on the appropriate Management Group, Subscription, or Workspace 1. Click on `Email notifications` 1. Enter a valid security contact email address (or multiple addresses separated by commas) in the `Additional email addresses` field 1. Click `Save` **From Azure CLI** Use the below command to set `Security contact emails` to `On`. ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X PUT -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview -d@input.json' ``` Where `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses: ``` { id: /subscriptions//providers/Microsoft.Security/securityContacts/default, name: default, type: Microsoft.Security/securityContacts, properties: { email: , alertNotifications: On, alertsToAdmins: On } } ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 1. Select `Microsoft Defender for Cloud` 1. Click on `Environment Settings` 1. Click on the appropriate Management Group, Subscription, or Workspace 1. Click on `Email notifications` 1. Ensure that a valid security contact email address is listed in the `Additional email addresses` field **From Azure CLI** Ensure the output of the below command is set not empty and is set with appropriate email ids. 
``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X GET -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name==default)'|jq '.properties.emails' ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) **- Name:** 'Subscriptions should have a contact email address for security issues'", + "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default.", + "DefaultValue": "By default, there are no additional email addresses entered.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification" + } + ] + }, + { + "Id": "2.1.19", + "Description": "Ensure That 'Notify about alerts with the following severity' is Set to 'High'", + "Checks": [ + "defender_ensure_notify_alerts_severity_is_high" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enables 
emailing security alerts to the subscription owner or other designated security contact.", + "RationaleStatement": "Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Click on `Environment Settings` 1. Click on the appropriate Management Group, Subscription, or Workspace 1. Click on `Email notifications` 1. Under `Notification types`, check the check box next to `Notify about alerts with the following severity (or higher):` and select `High` from the drop down menu 1. Click `Save` **From Azure CLI** Use the below command to set `Send email notification for high severity alerts` to `On`. ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X PUT -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@input.json' ``` Where `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses: ``` { id: /subscriptions//providers/Microsoft.Security/securityContacts/default1, name: default1, type: Microsoft.Security/securityContacts, properties: { email: , alertNotifications: On, alertsToAdmins: On } } ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Click on `Environment Settings` 1. Click on the appropriate Management Group, Subscription, or Workspace 1. Click on `Email notifications` 1. 
Ensure that the `Notify about alerts with the following severity (or higher):` setting is checked and set to `High` **From Azure CLI** Ensure the output of below command is set to `true`, enter your Subscription ID at the $0 between /subscriptions/<$0>/providers. ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X GET -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name==default)'|jq '.properties.alertNotifications' ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [6e2593d9-add6-4083-9c9b-4b7d2188c899](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6e2593d9-add6-4083-9c9b-4b7d2188c899) **- Name:** 'Email notification for high severity alerts should be enabled'", + "AdditionalInformation": "Excluding any entries in the input.json properties block disables the specific setting by default. 
This recommendation has been updated to reflect recent changes to Microsoft REST APIs for getting and updating security contact information.", + "DefaultValue": "By default, `Notify about alerts with the following severity (or higher):` is set to `High`.", + "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details:https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification" + } + ] + }, + { + "Id": "2.1.20", + "Description": "Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected", + "Checks": [ + "defender_ensure_mcas_is_enabled" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.", + "RationaleStatement": "Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license. Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.", + "ImpactStatement": "Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. 
Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 1. Select `Microsoft Defender for Cloud`. 1. Select `Environment Settings` blade. 1. Select the subscription. 1. Select `Integrations`. 1. Check `Allow Microsoft Defender for Cloud Apps to access my data`. 1. Select `Save`. **From Azure CLI** Use the below command to enable Standard pricing tier for Storage Accounts ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X PUT -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions//providers/Microsoft.Security/settings/MCAS?api-version=2021-06-01 -d@input.json' ``` Where input.json contains the Request body json data as mentioned below. ``` { id: /subscriptions//providers/Microsoft.Security/settings/MCAS, kind: DataExportSetting, type: Microsoft.Security/settings, properties: { enabled: true } } ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Select `Environment Settings` blade 1. Click on the subscription name 1. Select the `Integrations` blade 1. Ensure setting `Allow Microsoft Defender for Cloud Apps to access my data` is selected. 
**From Azure CLI** Ensure the output of the below command is `True` ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X GET -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions//providers/Microsoft.Security/settings?api-version=2021-06-01' | jq '.|.value[] | select(.name==MCAS)'|jq '.properties.enabled' ``` **From PowerShell** Run the following series of commands to audit this configuration ``` Get-AzAccount Set-AzContext -Subscription Get-AzSecuritySetting | Select-Object name,enabled |where-object {$_.name -eq MCAS} ``` **PowerShell Output - Non-Compliant** ``` Name Enabled ---- ------- MCAS False ``` **PowerShell Output - Compliant** ``` Name Enabled ---- ------- MCAS True ```", + "AdditionalInformation": "NOTE: Microsoft Defender for Cloud Apps (MDCA) is formerly known as Microsoft Cloud App Security (MCAS). There are a number of places (e.g. Azure CLI) where the MCAS acronym is still used within Azure.", + "DefaultValue": "With Cloud App Security license, these alerts are enabled by default.", + "References": "https://docs.microsoft.com/en-in/azure/security-center/security-center-alerts-service-layer#azure-management-layer-azure-resource-manager-preview:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-9-secure-user-access-to--existing-applications" + } + ] + }, + { + "Id": "2.1.21", + "Description": "Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected", + "Checks": [ + "defender_ensure_wdatp_is_enabled" + ], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "This integration setting enables Microsoft Defender 
for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. **IMPORTANT:** When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 1. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.", + "RationaleStatement": "Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.", + "ImpactStatement": "Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.", + "RemediationProcedure": "**From Azure Console** 1. From Azure Home select the Portal Menu. 1. Go to `Microsoft Defender for Cloud`. 1. Select `Environment Settings` blade. 1. Select the subscription. 1. Select `Integrations`. 1. Check `Allow Microsoft Defender for Endpoint to access my data`. 1. Select `Save`. 
**From Azure CLI** Use the below command to enable Standard pricing tier for Storage Accounts ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X PUT -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions//providers/Microsoft.Security/settings/WDATP?api-version=2021-06-01 -d@input.json' ``` Where input.json contains the Request body json data as mentioned below. ``` { id: /subscriptions//providers/Microsoft.Security/settings/WDATP, kind: DataExportSettings, type: Microsoft.Security/settings, properties: { enabled: true } } ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Select `Microsoft Defender for Cloud` 1. Select `Environment Settings` blade 1. Click on the subscription name 1. Select the `Integrations` blade 1. Ensure setting `Allow Microsoft Defender for Endpoint to access my data` is selected. **From Azure CLI** Ensure the output of the below command is `True` ``` az account get-access-token --query {subscription:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X GET -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions//providers/Microsoft.Security/settings?api-version=2021-06-01' | jq '.|.value[] | select(.name==WDATP)'|jq '.properties.enabled' ``` **From PowerShell** Run the following commands to login and audit this check ``` Connect-AzAccount Set-AzContext -Subscription Get-AzSecuritySetting | Select-Object name,enabled |where-object {$_.name -eq WDATP} ``` **PowerShell Output - Non-Compliant** ``` Name Enabled ---- ------- WDATP False ``` **PowerShell Output - Compliant** ``` Name Enabled ---- ------- WDATP True ```", + "AdditionalInformation": "**IMPORTANT:** When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable. 1. 
For server 2019 & above if defender is installed (default for these server SKU's) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal. 1. If the new unified agent is required for server SKU's of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned. NOTE: Microsoft Defender for Endpoint (MDE) was formerly known as Windows Defender Advanced Threat Protection (WDATP). There are a number of places (e.g. Azure CLI) where the WDATP acronym is still used within Azure.", + "DefaultValue": "", + "References": "https://docs.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list:https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/update:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-endpoint-security#es-1-use-endpoint-detection-and-response-edr:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-endpoint-security#es-2-use-modern-anti-malware-software" + } + ] + }, + { + "Id": "2.1.22", + "Description": "Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled", + "Checks": [], + "Attributes": [ + { + "Section": "2.1 Microsoft Defender for Cloud", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "An organization's attack surface is the collection of assets with a public network identifier or URI that an external threat actor can see or access from outside your cloud. It is the set of points on the boundary of a system, a system element, system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, system component, or environment. The larger the attack surface, the harder it is to protect. 
This tool can be configured to scan your organization's online infrastructure such as specified domains, hosts, CIDR blocks, and SSL certificates, and store them in an Inventory. Inventory items can be added, reviewed, approved, and removed, and may contain enrichments (insights) and additional information collected from the tool's different scan engines and open-source intelligence sources. A Defender EASM workspace will generate an Inventory of publicly exposed assets by crawling and scanning the internet using _Seeds_ you provide when setting up the tool. Seeds can be FQDNs, IP CIDR blocks, and WHOIS records. Defender EASM will generate Insights within 24-48 hours after Seeds are provided, and these insights include vulnerability data (CVEs), ports and protocols, and weak or expired SSL certificates that could be used by an attacker for reconnaisance or exploitation. Results are classified High/Medium/Low and some of them include proposed mitigations.", + "RationaleStatement": "This tool can monitor the externally exposed resources of an organization, provide valuable insights, and export these findings in a variety of formats (including CSV) for use in vulnerability management operations and red/purple team exercises.", + "ImpactStatement": "Microsoft Defender EASM workspaces are currently available as Azure Resources with a 30-day free trial period but can quickly accrue significant charges. The costs are calculated daily as (Number of billable inventory items) x (item cost per day; approximately: $0.017). Estimated cost is not provided within the tool, and users are strongly advised to contact their Microsoft sales representative for pricing and set a calendar reminder for the end of the trial period. For an EASM workspace having an Inventory of 5k-10k billable items (IP addresses, hostnames, SSL certificates, etc) a typical cost might be approximiately $85-170 per day or $2500-5000 USD/month at the time of publication. 
If the workspace is deleted by the last day of a free trial period, no charges are billed.", + "RemediationProcedure": "To begin remediation, a Microsoft Defender EASM workspace must be created. The resources and inventory items added to this workspace will depend on your environment.", + "AuditProcedure": "To view Defender EASM workspaces created for your Subscriptions, search for EASM in the Azure Portal using the search box.", + "AdditionalInformation": "Microsoft added its Defender for External Attack Surface management (EASM) offering to Azure following its 2022 acquisition of EASM SaaS tool company RiskIQ.", + "DefaultValue": "Microsoft Defender EASM is an optional, paid Azure Resource that must be created and configured inside a Subscription and Resource Group.", + "References": "https://learn.microsoft.com/en-us/azure/external-attack-surface-management/:https://learn.microsoft.com/en-us/azure/external-attack-surface-management/deploying-the-defender-easm-azure-resource?source=recommendations:https://www.microsoft.com/en-us/security/blog/2022/08/02/microsoft-announces-new-solutions-for-threat-intelligence-and-attack-surface-management/" + } + ] + }, + { + "Id": "2.2.1", + "Description": "Ensure That Microsoft Defender for IoT Hub Is Set To 'On'", + "Checks": [ + "defender_ensure_iot_hub_defender_is_on" + ], + "Attributes": [ + { + "Section": "2.2 Microsoft Defender for IoT", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.", + "RationaleStatement": "IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.", + "ImpactStatement": "Enabling Microsoft Defender for IoT will incur additional charges dependent on the level of usage.", + "RemediationProcedure": "**From Azure Portal** 1. 
Go to `IoT Hub`. 2. Select a `IoT Hub` to validate. 3. Select `Overview` in `Defender for IoT`. 4. Click on `Secure your IoT solution`, and complete the onboarding.", + "AuditProcedure": "**From Azure Portal** 1. Go to `IoT Hub`. 2. Select a `IoT Hub` to validate. 3. Select `Overview` in `Defender for IoT`. 4. The Threat prevention and Threat detection screen will appear, if `Defender for IoT` is Enabled.", + "AdditionalInformation": "There are additional configurations for Microsoft Defender for IoT that allow for types of deployments called hybrid or local. Both run on your physical infrastructure. These are complicated setups and are primarily outside of the scope of a purely Azure benchmark. Please see the references to consider these options for your organization.", + "DefaultValue": "By default, Microsoft Defender for IoT is not enabled.", + "References": "https://azure.microsoft.com/en-us/services/iot-defender/#overview:https://docs.microsoft.com/en-us/azure/defender-for-iot/:https://azure.microsoft.com/en-us/pricing/details/iot-defender/:https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/defender-for-iot-security-baseline:https://docs.microsoft.com/en-us/cli/azure/iot?view=azure-cli-latest:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities:https://learn.microsoft.com/en-us/azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub" + } + ] + }, + { + "Id": "3.1", + "Description": "Ensure that 'Secure transfer required' is set to 'Enabled'", + "Checks": [ + "storage_secure_transfer_required_is_enabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable data encryption in transit.", + "RationaleStatement": "The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. 
For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each storage account, go to `Configuration` 3. Set `Secure transfer required` to `Enabled` **From Azure CLI** Use the below command to enable `Secure transfer required` for a `Storage Account` ``` az storage account update --name --resource-group --https-only true ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each storage account, go to `Configuration` 3. Ensure that `Secure transfer required` is set to `Enabled` **From Azure CLI** Use the below command to ensure the `Secure transfer required` is enabled for all the `Storage Accounts` by ensuring the output contains `true` for each of the `Storage Accounts`. ``` az storage account list --query [*].[name,enableHttpsTrafficOnly] ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [404c3081-a854-4457-ae30-26a93ef643f9](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) **- Name:** 'Secure transfer to storage accounts should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "By default, `Secure transfer required` is set to `Disabled`.", + "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit:https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list:https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit" + } + ] + }, + { + "Id": "3.2", + "Description": "Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’", + "Checks": [ + "storage_infrastructure_encryption_is_enabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.", + "RationaleStatement": "Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. 
Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. Similarly, data is encrypted even before network transmission and in all backups. In this scenario, the additional layer of encryption continues to protect your data. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.", + "ImpactStatement": "The read and write speeds to the storage will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This performance impact should be considered in an analysis for justifying use of the feature in your environment. Customer-managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the storage.", + "RemediationProcedure": "**From Azure Portal** 1. During Storage Account creation, in the `Encryption` tab, check the box next to `Enable infrastructure encryption`. **From Azure CLI** Replace the information within <> with appropriate values: ``` az storage account create \\ --name \\ --resource-group \\ --location \\ --sku Standard_RAGRS \\ --kind StorageV2 \\ --require-infrastructure-encryption ``` **From PowerShell** Replace the information within <> with appropriate values: ``` New-AzStorageAccount -ResourceGroupName ` -AccountName ` -Location ` -SkuName Standard_RAGRS ` -Kind StorageV2 ` -RequireInfrastructureEncryption ``` **Enabling Infrastructure Encryption after Storage Account Creation** If infrastructure encryption was not enabled on blob storage creation, there is no ***official*** way to enable it. Please see the additional information section.", + "AuditProcedure": "**From Azure Portal** 1. 
From Azure Portal select the portal menu in the top left. 2. Select `Storage Accounts`. 3. Click on each storage account within each resource group you wish to audit. 4. In the overview, under Security, ensure `Infrastructure encryption` is set to `Enabled`. **From Azure CLI** ``` az storage blob show \\ --account-name \\ --container-name \\ --name \\ --query properties.serverEncrypted ``` **From PowerShell** ``` $account = Get-AzStorageAccount -ResourceGroupName ` -Name $blob = Get-AzStorageBlob -Context $account.Context ` -Container ` -Blob $blob.ICloudBlob.Properties.IsServerEncrypted ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [4733ea7b-a883-42fe-8cac-97454c2a9e4a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4733ea7b-a883-42fe-8cac-97454c2a9e4a) **- Name:** 'Storage accounts should have infrastructure encryption'", + "AdditionalInformation": "The default service side encryption for Azure Storage is enabled on every block blob, append blob, or page blob that was written to Azure Storage after October 20, 2017. Hardware encryption, however, cannot be enabled on a blob storage after its creation. There are ways to copy all data from a blob storage into another or download and reupload into another blob storage. 
This could result in data loss and is not recommended.", + "DefaultValue": "By default, Infrastructure Encryption is disabled in blob creation.", + "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-encryption-status:https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption:https://docs.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default" + } + ] + }, + { + "Id": "3.3", + "Description": "Ensure that 'Enable key rotation reminders' is enabled for each Storage Account", + "Checks": [], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The Rotation Reminder is an automatic reminder feature for a manual procedure.", + "RationaleStatement": "Reminders such as those generated by this recommendation will help maintain a regular and healthy cadence for activities which improve the overall efficacy of a security program. Cryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.' For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. 
Your organization's security requirements should dictate the appropriate setting.", + "ImpactStatement": "This recommendation only creates a periodic reminder to regenerate access keys. Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients that use the access key to access the storage account must be updated to use the new key.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 1. For each Storage Account that is not compliant, go to `Access keys` 1. Click `Set rotation reminder` 1. Check `Enable key rotation reminders` 1. In the `Send reminders` field select `Custom`, then set the `Remind me every` field to `90` and the period drop down to `Days.` 1. Click `Save` **From Powershell** ``` $rgName = $accountName = $account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName if ($account.KeyCreationTime.Key1 -eq $null -or $account.KeyCreationTime.Key2 -eq $null){ Write-output (You must regenerate both keys at least once before setting expiration policy) } else { $account = Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName -KeyExpirationPeriodInDay 90 } $account.KeyPolicy.KeyExpirationPeriodInDays ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each Storage Account, go to `Access keys` 3. Click `Set rotation reminder` If the checkbox for `Enable key rotation reminders` is already checked, that Storage Account is compliant. Review the `Remind me every` field for a desirable periodic setting that fits your security program's needs. 
**From Powershell** ``` $rgName = $accountName = $account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName Write-Output $accountName -> Write-Output Expiration Reminder set to: $($account.KeyPolicy.KeyExpirationPeriodInDays) Days Write-Output Key1 Last Rotated: $($account.KeyCreationTime.Key1.ToShortDateString()) Write-Output Key2 Last Rotated: $($account.KeyCreationTime.Key2.ToShortDateString()) ``` If any of the creation dates is empty, then remediation is required, due to the need of at least one rotation of the keys. If the reminder is set, the period in days will be returned. 90 days is the recommendation.", + "AdditionalInformation": "", + "DefaultValue": "By default, Key rotation reminders is not configured.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-3-manage-application-identities-securely-and-automatically:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-8-restrict-the-exposure-of-credentials-and-secrets:https://www.pcidssguide.com/pci-dss-key-rotation-requirements/:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" + } + ] + }, + { + "Id": "3.4", + "Description": "Ensure that Storage Account Access Keys are Periodically Regenerated", + "Checks": [ + "storage_key_rotation_90_days" + ], + "Attributes": [ + { + "Section": "3. 
Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "For increased security, regenerate storage account access keys periodically.", + "RationaleStatement": "When a storage account is created, Azure generates two 512-bit storage access keys which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result from the compromise of these keys. Cryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated 'regularly,' and advises that keys for static data stores be rotated every 'few months.' For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting.", + "ImpactStatement": "Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients who use the access key to access the storage account must be updated to use the new key.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each Storage Account with outdated keys, go to `Access keys` 3. Click `Rotate key` next to the outdated key, then click `Yes` to the prompt confirming that you want to regenerate the access key. After Azure regenerates the Access Key, you can confirm that `Access keys` reflects a `Last rotated` date of `(0 days ago)`.", + "AuditProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each Storage Account, go to `Access keys` 3. Review the date in the `Last rotated` field for **each** key. 
If the `Last rotated` field indicates value greater than 90 day [or greater than your organization's period of validity], the key should be rotated. **From Azure CLI** 1. Get a list of storage accounts ``` az storage account list --subscription ``` Make a note of `id`, `name` and `resourceGroup`. 2. For every storage account make sure that key is regenerated in past 90 days. ``` az monitor activity-log list --namespace Microsoft.Storage --offset 90d --query [?contains(authorization.action, 'regenerateKey')] --resource-id ``` The output should contain ``` authorization/scope: AND authorization/action: Microsoft.Storage/storageAccounts/regeneratekey/action AND status/localizedValue: Succeeded status/Value: Succeeded ```", + "AdditionalInformation": "", + "DefaultValue": "By default, access keys are not regenerated periodically.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-2-protect-identity-and-authentication-systems:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy:https://www.pcidssguide.com/pci-dss-key-rotation-requirements/:https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" + } + ] + }, + { + "Id": "3.5", + "Description": "Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests", + "Checks": [], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account. 
A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.", + "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.", + "ImpactStatement": "Enabling this setting can have a high impact on the cost of the log analytics service and data storage used by logging more data per each request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Storage Accounts`. 1. Select the specific Storage Account. 1. Click the `Diagnostics settings` under the `Monitoring` section in the left column. 1. Select the `queue` tab indented below the storage account. 1. Click `+ Add diagnostic setting`. 1. Select `StorageRead`, `StorageWrite` and `StorageDelete` options under the `Logs` section to enable Storage Logging for Queue service. 1. Select a destination for your logs to be sent to. **From Azure CLI** Use the below command to enable the Storage Logging for Queue service. 
``` az storage logging update --account-name --account-key --services q --log rwd --retention 90 ```", + "AuditProcedure": "**From Azure Portal:** 1. Go to `Storage Accounts`. 1. Select the specific Storage Account. 1. Click the `Diagnostics settings` under the `Monitoring` section in the left column. 1. Select the `queue` tab indented below the storage account. Then select the diagnostic setting listed. 1. Ensure `StorageRead`, `StorageWrite`, and `StorageDelete` options are selected under the `Logs` section and that they are sent to the correct destination. **From Azure CLI** Ensure the below command's output contains properties `delete`, `read` and `write` set to `true`. ``` az storage logging show --services q --account-name ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [7bd000e3-37c7-4928-9f31-86c4b77c5c45](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7bd000e3-37c7-4928-9f31-86c4b77c5c45) **- Name:** 'Configure diagnostic settings for Queue Services to Log Analytics workspace'", + "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every queue due to their nature and intent. 
This recommendation may be applicable to storage account queue services where the security is paramount.", + "DefaultValue": "By default storage account queue services are not logged.", + "References": "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation:https://docs.microsoft.com/en-us/azure/storage/queues/monitor-queue-storage?tabs=azure-portal" + } + ] + }, + { + "Id": "3.6", + "Description": "Ensure that Shared Access Signature Tokens Expire Within an Hour", + "Checks": [], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Expire shared access signature tokens within an hour.", + "RationaleStatement": "A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour.", + "ImpactStatement": "", + "RemediationProcedure": "When generating shared access signature tokens, use start and end time such that it falls within an hour. **From Azure Portal** 1. Go to Storage Accounts 2. For each storage account, go to Shared access signature 3. Set Start and expiry date/time within an hour", + "AuditProcedure": "Currently, SAS token expiration times cannot be audited. 
Until Microsoft makes token expiration time a setting rather than a token creation parameter, this recommendation would require a manual verification.", + "AdditionalInformation": "", + "DefaultValue": "By default, expiration for shared access signature is set to 8 hours.", + "References": "https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature:https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview" + } + ] + }, + { + "Id": "3.7", + "Description": "Ensure that 'Public Network Access' is `Disabled' for storage accounts", + "Checks": [ + "storage_blob_public_access_level_is_disabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.", + "RationaleStatement": "The default network configuration for a storage account permits a user with appropriate permissions to configure public network access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide public network access to storage accounts until, and unless, it is strongly desired. 
A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers.", + "ImpactStatement": "Access will have to be managed using shared access signatures or via Azure AD RBAC.", + "RemediationProcedure": "**From Azure Portal** First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then, 1. Go to `Storage Accounts` 2. For each storage account, under the `Security + networking` section, click `Networking` 3. Set `Public Network Access` to `Disabled`. **From Azure CLI** Set 'Public Network Access' to `Disabled` on the storage account ``` az storage account update --name --resource-group --public-network-access Disabled ``` **From PowerShell** For each Storage Account, run the following to set the `PublicNetworkAccess` setting to `Disabled` ``` Set-AzStorageAccount -ResourceGroupName -Name -PublicNetworkAccess Disabled ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each storage account, under the `Security + networking` section, click `Networking` 3. Ensure the `Public Network Access` setting is set to `Disabled`. **From Azure CLI** Ensure `publicNetworkAccess` is `Disabled` ``` az storage account show --name --resource-group --query {publicNetworkAccess:publicNetworkAccess} ``` **From PowerShell** For each Storage Account, ensure `PublicNetworkAccess` is `Disabled` ``` Get-AzStorageAccount -Name -ResourceGroupName |select PublicNetworkAccess ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b2982f36-99f2-4db5-8eff-283140c09693](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%b2982f36-99f2-4db5-8eff-283140c09693) **- Name:** 'Storage accounts should disable public network access'", + "AdditionalInformation": "For classic storage accounts (to be retired on August 31, 2024), each container in the account must be configured to block anonymous access. Either configure all containers or to configure at the storage account level, migrate to the Azure Resource Manager deployment model.", + "DefaultValue": "By default, `Public Network Access` is set to `Enabled from all networks` for the Storage Account.", + "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls:https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access:https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal" + } + ] + }, + { + "Id": "3.8", + "Description": "Ensure Default Network Access Rule for Storage Accounts is Set to Deny", + "Checks": [ + "storage_default_network_access_rule_is_denied" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. 
To limit access to selected networks, the default action must be changed.", + "RationaleStatement": "Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.", + "ImpactStatement": "All allowed networks will need to be whitelisted on each specific network, creating administrative overhead. This may result in loss of network connectivity, so do not turn on for critical resources during business hours.", + "RemediationProcedure": "**From Azure Console** 1. Go to `Storage Accounts` 2. For each storage account, Click on the `Networking` blade 4. Click the `Firewalls and virtual network`s heading. 5. Ensure that you have elected to `allow access from Selected networks` 6. Add rules to allow traffic from specific network. 7. Click Save to apply your changes. **From Azure CLI** Use the below command to update `default-action` to `Deny`. ``` az storage account update --name --resource-group --default-action Deny ```", + "AuditProcedure": "**From Azure Console** 1. Go to Storage Accounts 2. For each storage account, Click on the `Networking` blade. 4. Click the `Firewalls and virtual networks` heading. 3. Ensure that Allow access from `All networks` is not selected. **From Azure CLI** Ensure `defaultAction` is not set to ` Allow`. 
``` az storage account list --query '[*].networkRuleSet' ``` **From PowerShell** ``` Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccountNetworkRuleset -ResourceGroupName -Name |Select-Object DefaultAction ``` **PowerShell Result - Non-Compliant** ``` DefaultAction : Allow ``` **PowerShell Result - Compliant** ``` DefaultAction : Deny ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [34c877ad-507e-4c82-993e-3452a6e0ad3c](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) **- Name:** 'Storage accounts should restrict network access' - **Policy ID:** [2a1a9cdf-e04d-429a-8416-3bfb72a1b26f](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) **- Name:** 'Storage accounts should restrict network access using virtual network rules'", + "AdditionalInformation": "", + "DefaultValue": "By default, Storage Accounts will accept connections from clients on any network.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls" + } + ] + }, + { + "Id": "3.9", + "Description": "Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage 
Account Access", + "Checks": [ + "storage_ensure_azure_services_are_trusted_to_access_is_enabled" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).", + "RationaleStatement": "Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. We can re-enable this functionality by enabling `Trusted Azure Services` through networking exceptions.", + "ImpactStatement": "This creates authentication credentials for services that need access to storage resources so that services will no longer need to communicate via network request. There may be a temporary loss of communication as you set each Storage Account. It is recommended to not do this on mission-critical resources during business hours.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each storage account, Click on the `Networking` blade 3. Click on the `Firewalls and virtual networks` heading. 4. Ensure that `Enabled from selected virtual networks and IP addresses` is selected. 5. Under the 'Exceptions' label, enable check box for `Allow Azure services on the trusted services list to access this storage account`. 6. Click Save to apply your changes. 
**From Azure CLI** Use the below command to update `Azure services`. ``` az storage account update --name --resource-group --bypass AzureServices ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each storage account, Click on the `Networking` blade 3. Click on the `Firewalls and virtual networks` heading. 4. Ensure that `Enabled from selected virtual networks and IP addresses` is selected. 5. Ensure that `Allow Azure services on the trusted services list to access this storage account` is checked in `Exceptions`. **From Azure CLI** Ensure `bypass` contains `AzureServices` ``` az storage account list --query '[*].networkRuleSet' ``` **From PowerShell** ``` Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccountNetworkRuleset -ResourceGroupName -Name |Select-Object Bypass ``` If the resultant output from the above command shows 'NULL', that storage account configuration is out of compliance with this check. If the result of the above command shows 'AzureServices', that storage account configuration is in compliance with this check. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [c9d007d0-c057-4772-b18c-01e546713bcd](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc9d007d0-c057-4772-b18c-01e546713bcd) **- Name:** 'Storage accounts should allow access from trusted Microsoft services'", + "AdditionalInformation": "", + "DefaultValue": "By default, Storage Accounts will accept connections from clients on any network.", + "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls" + } + ] + }, + { + "Id": "3.10", + "Description": "Ensure Private Endpoints are used to access Storage Accounts", + "Checks": [ + "storage_ensure_private_endpoints_in_storage_accounts" + ], + "Attributes": [ + { + "Section": "3. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. 
This creates further security through segmenting network traffic and preventing outside sources from accessing it.", + "RationaleStatement": "Securing traffic between services through encryption protects the data from easy interception and reading.", + "ImpactStatement": "There is no cost in deploying VNets between Azure resources. If improperly implemented, it may result in loss of critical network traffic.", + "RemediationProcedure": "**From Azure Portal** 1. Open the `Storage Accounts` blade 1. For each listed Storage Account, perform the following: 1. Under the `Security + networking` heading, click on `Networking` 1. Click on the `Private Endpoint Connections` tab at the top of the networking window 1. Click the `+Private endpoint` button 1. In the `1 - Basics` tab/step: - `Enter a name` that will be easily recognizable as associated with the Storage Account (*Note*: The Network Interface Name will be automatically completed, but you can customize it if needed.) - Ensure that the `Region` matches the region of the Storage Account - Click `Next` 1. In the `2 - Resource` tab/step: - Select the `target sub-resource` based on what type of storage resource is being made available - Click `Next` 1. In the `3 - Virtual Network` tab/step: - Select the `Virtual network` that your Storage Account will be connecting to - Select the `Subnet` that your Storage Account will be connecting to - (Optional) Select other network settings as appropriate for your environment - Click `Next` 1. In the `4 - DNS` tab/step: - (Optional) Select other DNS settings as appropriate for your environment - Click `Next` 1. In the `5 - Tags` tab/step: - (Optional) Set any tags that are relevant to your organization - Click `Next` 1. In the `6 - Review + create` tab/step: - A validation attempt will be made and after a few moments it should indicate `Validation Passed` - if it does not pass, double-check your settings before beginning more in depth troubleshooting. 
- If validation has passed, click `Create` then wait for a few minutes for the scripted deployment to complete. Repeat the above procedure for each Private Endpoint required within every Storage Account. **From PowerShell** ``` $storageAccount = Get-AzStorageAccount -ResourceGroupName '' -Name '' $privateEndpointConnection = @{ Name = 'connectionName' PrivateLinkServiceId = $storageAccount.Id GroupID = blob|blob_secondary|file|file_secondary|table|table_secondary|queue|queue_secondary|web|web_secondary|dfs|dfs_secondary } $privateLinkServiceConnection = New-AzPrivateLinkServiceConnection @privateEndpointConnection $virtualNetDetails = Get-AzVirtualNetwork -ResourceGroupName '' -Name '' $privateEndpoint = @{ ResourceGroupName = '' Name = '' Location = '' Subnet = $virtualNetDetails.Subnets[0] PrivateLinkServiceConnection = $privateLinkServiceConnection } New-AzPrivateEndpoint @privateEndpoint ``` **From Azure CLI** ``` az network private-endpoint create --resource-group --name --vnet-name --subnet --private-connection-resource-id --connection-name --group-id ```", + "AuditProcedure": "**From Azure Portal** 1. Open the `Storage Accounts` blade. 1. For each listed Storage Account, perform the following check: 1. Under the `Security + networking` heading, click on `Networking`. 1. Click on the `Private Endpoint Connections` tab at the top of the networking window. 1. Ensure that for each VNet that the Storage Account must be accessed from, a unique Private Endpoint is deployed and the Connection State for each Private Endpoint is `Approved` Repeat the procedure for each Storage Account. 
**From PowerShell** ``` $storageAccount = Get-AzStorageAccount -ResourceGroup '' -Name '' Get-AzPrivateEndpoint -ResourceGroup ''|Where-Object {$_.PrivateLinkServiceConnectionsText -match $storageAccount.id} ``` If the results of the second command returns information, the Storage Account is using a Private Endpoint and complies with this Benchmark, otherwise if the results of the second command are empty, the Storage Account generates a finding. **From Azure CLI** ``` az storage account show --name '' --query privateEndpointConnections[0].id ``` If the above command returns data, the Storage Account complies with this Benchmark, otherwise if the results are empty, the Storage Account generates a finding. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [6edd7eda-6dd8-40f7-810d-67160c639cd9](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) **- Name:** 'Storage accounts should use private link'", + "AdditionalInformation": "A NAT gateway is the recommended solution for outbound internet access.", + "DefaultValue": "By default, Private Endpoints are not created for Storage Accounts.", + "References": 
"https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints:https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-cli?tabs=dynamic-ip:https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell?tabs=dynamic-ip:https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls"
+ }
+ ]
+ },
+ {
+ "Id": "3.11",
+ "Description": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage",
+ "Checks": [
+ "storage_ensure_soft_delete_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the **soft delete** configuration. This is to save and recover data when blobs or blob snapshots are deleted.",
+ "RationaleStatement": "Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. 
Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the Retention policies, ranging from 7 days to 365 days.",
+ "ImpactStatement": "Additional storage costs may be incurred as snapshots are retained.",
+ "RemediationProcedure": "**From Azure Portal** 1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath. 2. Select Storage. 3. Select Storage Accounts. 4. For each Storage Account, navigate to Data protection in the left scroll column. 5. Check soft delete for both blobs and containers. Set the retention period to a sufficient length for your organization. **From Azure CLI** Update blob storage retention days in below command ``` az storage blob service-properties delete-policy update --days-retained --account-name --account-key --enable true ``` Update container retention with the below command ``` az storage account blob-service-properties update --enable-container-delete-retention true --container-delete-retention-days --account-name --resource-group --account-key ```",
+ "AuditProcedure": "**From Azure Portal:** 1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath. 2. Select Storage. 3. Select Storage Accounts. 4. For each Storage Account, navigate to Data protection in the left scroll column. 5. Ensure that soft delete is checked for both blobs and containers. Also check if the retention period is a sufficient length for your organization. **From Azure CLI** Blob Storage: Ensure that the output of the below command contains enabled status as true and days is not empty or null ``` az storage blob service-properties delete-policy show --account-name --account-key ``` Azure Containers: Make certain that the --enable-container-delete-retention is 'true'. 
``` az storage account blob-service-properties show --account-name --account-key --resource-group ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [ea39f60f-9f00-473c-8604-be5eac4bb088](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea39f60f-9f00-473c-8604-be5eac4bb088) **- Name:** 'Configure blob soft delete on a storage account'",
+ "AdditionalInformation": "",
+ "DefaultValue": "When a new storage account is created, soft delete for containers and blob storage is by default **disabled**.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete:https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-overview:https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-enable?tabs=azure-portal"
+ }
+ ]
+ },
+ {
+ "Id": "3.12",
+ "Description": "Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)",
+ "Checks": [
+ "storage_ensure_encryption_with_customer_managed_keys"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed keys.",
+ "RationaleStatement": "By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. 
That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.",
+ "ImpactStatement": "If the key expires by setting the 'activation date' and 'expiration date', the user must rotate the key manually. Using Customer Managed Keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed.",
+ "RemediationProcedure": "**From Azure Portal** 1. Go to `Storage Accounts` 2. For each storage account, go to `Encryption` 3. Set Customer Managed Keys 4. Select the Encryption key and enter the appropriate setting value 5. Click `Save`",
+ "AuditProcedure": "**From Azure Console:** 1. Go to `Storage Accounts` 2. For each storage account, go to `Encryption` 3. Ensure that Encryption type is set to Customer Managed Keys **From PowerShell** ``` Connect-AzAccount Set-AzContext -Subscription Get-AzStorageAccount |Select-Object -ExpandProperty Encryption ``` **PowerShell Results - Non-Compliant** ``` ... KeySource : Microsoft.Storage ... ``` **PowerShell Results - Compliant** ``` ... KeySource : Microsoft.Keyvault ... ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [6fac406b-40ca-413b-bf8e-0bf964659c25](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) **- Name:** 'Storage accounts should use customer-managed key for encryption'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Encryption type is set to Microsoft Managed Keys.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption:https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest:https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required"
+ }
+ ]
+ },
+ {
+ "Id": "3.13",
+ "Description": "Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. 
Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.",
+ "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.",
+ "ImpactStatement": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.",
+ "RemediationProcedure": "**From Azure Portal** 1. From the default portal page select `Storage Accounts`. 2. Select the specific Storage Account. 3. Click the `Diagnostics settings` under the `Monitoring` section in the left column. 4. Select the 'blob' tab indented below the storage account. 5. Click '+ Add diagnostic setting'. 6. Select `StorageRead`, `StorageWrite` and `StorageDelete` options under the `Logging` section to enable Storage Logging for Blob service. 7. Select a destination for your logs to be sent to. **From Azure CLI** Use the below command to enable the Storage Logging for Blob service. ``` az storage logging update --account-name --account-key --services b --log rwd --retention 90 ```",
+ "AuditProcedure": "**From Azure Portal** 1. From the default portal page select `Storage Accounts`. 2. Select the specific Storage Account. 3. Click the `Diagnostics settings` under the `Monitoring` section in the left column. 4. Select the 'blob' tab indented below the storage account. Then select the diagnostic setting listed. 5. 
Ensure `StorageRead`, `StorageWrite`, and `StorageDelete` options are selected under the `Logging section` and that they are sent to the correct destination. **From Azure CLI** Ensure the below command's output contains properties delete, read and write set to true. ``` az storage logging show --services b --account-name ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb) **- Name:** 'Configure diagnostic settings for Blob Services to Log Analytics workspace'",
+ "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every blob due to their nature and intent. This recommendation may be applicable to storage account blob service where the security is paramount.",
+ "DefaultValue": "By default, storage account blob service logging is disabled for read, write, and delete operations.",
+ "References": "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "3.14",
+ "Description": "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. 
Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.",
+ "RationaleStatement": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.",
+ "ImpactStatement": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.",
+ "RemediationProcedure": "**From Azure Portal** 1. From the default portal page select `Storage Accounts`. 2. Select the specific Storage Account. 3. Click the `Diagnostics settings` under the `Monitoring` section in the left column. 4. Select the 'table' tab indented below the storage account. 5. Click '+ Add diagnostic setting'. 6. Select `StorageRead`, `StorageWrite` and `StorageDelete` options under the `Logging` section to enable Storage Logging for Table service. 7. Select a destination for your logs to be sent to. 
**From Azure CLI** Use the below command to enable the Storage Logging for Table service. ``` az storage logging update --account-name --account-key --services t --log rwd --retention 90 ```",
+ "AuditProcedure": "**From Azure Portal** 1. From the default portal page select `Storage Accounts`. 2. Select the specific Storage Account. 3. Click the `Diagnostics settings` under the `Monitoring` section in the left column. 4. Select the 'table' tab indented below the storage account. Then select the diagnostic setting listed. 5. Ensure `StorageRead`, `StorageWrite`, and `StorageDelete` options are selected under the `Logging section` and that they are sent to the correct destination. **From Azure CLI** Ensure the below command's output contains properties delete, read and write set to true. ``` az storage logging show --services t --account-name ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [2fb86bf3-d221-43d1-96d1-2434af34eaa0](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2fb86bf3-d221-43d1-96d1-2434af34eaa0) **- Name:** 'Configure diagnostic settings for Table Services to Log Analytics workspace'",
+ "AdditionalInformation": "We cannot practically generalize detailed audit log requirements for every table due to their nature and intent. 
This recommendation may be applicable to storage account table service where the security is paramount.",
+ "DefaultValue": "By default, storage account table service logging is disabled for read, write, an delete operations",
+ "References": "https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging:https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "3.15",
+ "Description": "Ensure the Minimum TLS version for storage accounts is set to Version 1.2",
+ "Checks": [
+ "storage_ensure_minimum_tls_version_12"
+ ],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.",
+ "RationaleStatement": "TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.",
+ "ImpactStatement": "When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.",
+ "RemediationProcedure": "**From Azure Console** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `Storage Accounts` 3. Click on each Storage Account 4. Under `Setting` section, Click on `Configuration` 5. 
Set the `minimum TLS version` to be Version 1.2 **From Azure CLI** ``` az storage account update \\ --name \\ --resource-group \\ --min-tls-version TLS1_2 ``` **From Azure PowerShell** To set the minimum TLS version, run the following command: ``` Set-AzStorageAccount -AccountName ` -ResourceGroupName ` -MinimumTlsVersion TLS1_2 ```",
+ "AuditProcedure": "**From Azure Console** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `Storage Accounts` 3. Click on each Storage Account 4. Under `Setting` section, Click on `Configuration` 5. Ensure that the `minimum TLS version` is set to be Version 1.2 **From Azure CLI** Get a list of all storage accounts and their resource groups ``` az storage account list | jq '.[] | {name, resourceGroup}' ``` Then query the minimumTLSVersion field ``` az storage account show \\ --name \\ --resource-group \\ --query minimumTlsVersion \\ --output tsv ``` **From Azure PowerShell** To get the minimum TLS version, run the following command: ``` (Get-AzStorageAccount -Name -ResourceGroupName ).MinimumTlsVersion ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [fe83a0eb-a853-422d-aac2-1bffd182c5d0](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffe83a0eb-a853-422d-aac2-1bffd182c5d0) **- Name:** 'Storage accounts should have the specified minimum TLS version'",
+ "AdditionalInformation": "",
+ "DefaultValue": "If a storage account is created through the portal, the MinimumTlsVersion property for that storage account will be set to TLS 1.2. 
If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set, and defaults to TLS 1.0.",
+ "References": "https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit"
+ }
+ ]
+ },
+ {
+ "Id": "3.16",
+ "Description": "Ensure 'Cross Tenant Replication' is not enabled",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks. Disabling Cross Tenant Replication ensures that data is not inadvertently replicated across different tenant boundaries without explicit authorization.",
+ "RationaleStatement": "Disabling Cross Tenant Replication minimizes the risk of unauthorized data access and ensures that data governance policies are strictly adhered to. This control is especially critical for organizations with stringent data security and privacy requirements, as it prevents the accidental sharing of sensitive information.",
+ "ImpactStatement": "Disabling Cross Tenant Replication may affect data availability and sharing across different Azure tenants. Ensure that this change aligns with your organizational data sharing and availability requirements.",
+ "RemediationProcedure": "**From Azure Portal** 1. Navigate to Storage Accounts 1. For each storage account, on the left blade under Data Management, click on Object replication 1. Click on Advanced settings and untick Allow cross-tenant replication 1. 
Click on OK **From Azure CLI** Replace the information within <> with appropriate values: ``` az storage account update --name --resource-group --allow-cross-tenant-replication false ```",
+ "AuditProcedure": "**From Azure Portal** Login to the Azure Portal using [https://portal.azure.com](https://portal.azure.com) 1. Navigate to Storage Accounts 2. For each storage account, on the left blade under Data Management, click on Object replication 3. Select `Advanced settings` 3. Make sure Allow cross-tenant replication is not checked **From Azure CLI** ``` az storage account list --query [*].[name,allowCrossTenantReplication] ``` The value of `false` should be returned for each storage account listed. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [92a89a79-6c52-4a7e-a03f-61306fc49312](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%92a89a79-6c52-4a7e-a03f-61306fc49312) **- Name:** 'Storage accounts should prevent cross tenant object replication'",
+ "AdditionalInformation": "",
+ "DefaultValue": "For new storage accounts created after Dec 15, 2023 cross tenant replication is not enabled.",
+ "References": "https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal"
+ }
+ ]
+ },
+ {
+ "Id": "3.17",
+ "Description": "Ensure that `Allow Blob Anonymous Access` is set to `Disabled`",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "3. 
Storage Accounts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "The Azure Storage setting ‘Allow Blob Anonymous Access’ (aka allowBlobPublicAccess) controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.",
+ "RationaleStatement": "If Allow Blob Anonymous Access is enabled, blobs can be accessed by adding the blob name to the URL to see the contents. An attacker can enumerate a blob using methods, such as brute force, and access them. Exfiltration of data by brute force enumeration of items from a storage account may occur if this setting is set to 'Enabled'.",
+ "ImpactStatement": "Additional consideration may be required for exceptional circumstances where elements of a storage account require public accessibility. In these circumstances, it is highly recommended that all data stored in the public facing storage account be reviewed for sensitive or potentially compromising data, and that sensitive or compromising data is never stored in these storage accounts.",
+ "RemediationProcedure": "**From Azure Portal:** 1. Open the Storage Accounts blade 1. Click on a Storage Account 1. In the storage account menu pane, under the Settings section, click `Configuration`. 1. Under Allow Blob Anonymous Access, select `Disabled`. Repeat these steps for each Storage Account. **From Powershell:** For every storage account in scope, run the following: ``` $storageAccount = Get-AzStorageAccount -ResourceGroupName -Name $storageAccount.AllowBlobPublicAccess = $false Set-AzStorageAccount -InputObject $storageAccount ```",
+ "AuditProcedure": "**From Azure Portal:** 1. Open the Storage Accounts blade 1. Click on a Storage Account 1. 
In the storage account menu pane, under the Settings section, click `Configuration`. 1. Under `Allow Blob Anonymous Access` ensure that the selected setting is `Disabled`. Repeat these steps for each Storage Account. **From Azure CLI:** For every storage account in scope: ``` az storage account show --Name --query allowBlobPublicAccess ``` Ensure that every storage account in scope returns `false` for the allowBlobPublicAccess setting. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [13502221-8df0-4414-9937-de9c5c4e396b](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%13502221-8df0-4414-9937-de9c5c4e396b) **- Name:** 'Configure your Storage account public access to be disallowed'",
+ "AdditionalInformation": "Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.",
+ "DefaultValue": "Disabled",
+ "References": "https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?tabs=portal:https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?source=recommendations&tabs=portal:Classic Storage Accounts: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent-classic?tabs=portal"
+ }
+ ]
+ },
+ {
+ "Id": "4.1.1",
+ "Description": "Ensure that 'Auditing' is set to 'On'",
+ "Checks": [
+ "sqlserver_auditing_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "4.1 SQL Server - Auditing",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Enable auditing on SQL Servers.",
+ "RationaleStatement": "The Azure platform allows a SQL server to be created as a service. 
Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "**From Azure Portal** 1. Go to `SQL servers` 2. Select the SQL server instance 3. Under `Security`, click `Auditing` 4. Click the toggle next to `Enable Azure SQL Auditing` 5. Select an Audit log destination 6. Click `Save` **From PowerShell** Get the list of all SQL Servers ``` Get-AzSqlServer ``` For each Server, enable auditing and set the retention for at least 90 days. **Log Analytics Example** ``` Set-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays -LogAnalyticsTargetState Enabled -WorkspaceResourceId /subscriptions//resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/ ``` **Event Hub Example** ``` Set-AzSqlServerAudit -ResourceGroupName -ServerName -EventHubTargetState Enabled -EventHubName -EventHubAuthorizationRuleResourceId ``` **Blob Storage Example*** ``` Set-AzSqlServerAudit -ResourceGroupName -ServerName -BlobStorageTargetState Enabled -StorageAccountResourceId /subscriptions//resourceGroups//providers/Microsoft.Stora ge/storageAccounts/ ```",
+ "AuditProcedure": "**From Azure Portal** 1. Go to `SQL servers` 2. For each server instance 3. Click on `Auditing` 4. 
Ensure that `Enable Azure SQL Auditing` is set to `On` **From PowerShell** Get the list of all SQL Servers ``` Get-AzSqlServer ``` For each Server ``` Get-AzSqlServerAudit -ResourceGroupName -ServerName ``` Ensure that `BlobStorageTargetState`, `EventHubTargetState`, or `LogAnalyticsTargetState` is set to `Enabled`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) **- Name:** 'Auditing on SQL server should be enabled'",
+ "AdditionalInformation": "- A server policy applies to all existing and newly created databases on the server. - If server blob auditing is enabled, it always applies to the database. The database will be audited, regardless of the database auditing settings. Auditing type table is already deprecated leaving only type blob available. - Enabling blob auditing on the database, in addition to enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits will exist side by side. 
In other words, the database is audited twice in parallel; once by the server policy and once by the database policy.",
+ "DefaultValue": "By default, `Enable Azure SQL Auditing` is set to `Off`.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "4.1.2",
+ "Description": "Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)",
+ "Checks": [
+ "sqlserver_unrestricted_inbound_access"
+ ],
+ "Attributes": [
+ {
+ "Section": "4.1 SQL Server - Auditing",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).",
+ "RationaleStatement": "Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters. By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services. Additionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet. 
In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.",
+ "ImpactStatement": "Disabling `Allow Azure services and resources to access this server` will break all connections to SQL server and Hosted Databases unless custom IP specific rules are added in Firewall Policy.",
+ "RemediationProcedure": "**From Azure Portal** 1. Go to `SQL servers` 2. For each SQL server 3. Click on `Networking` 4. `Uncheck` the checkbox for `Allow Azure services and resources to access this server` 5. Set firewall rules to limit access to only authorized connections **From Azure CLI** Disable default firewall rule `Allow access to Azure services`: ``` az sql server firewall-rule delete --resource-group --server --name AllowAllWindowsAzureIps ``` Remove a custom firewall rule: ``` az sql server firewall-rule delete --resource-group --server --name ``` Create a firewall rule: ``` az sql server firewall-rule create --resource-group --server --name --start-ip-address --end-ip-address ``` Update a firewall rule: ``` az sql server firewall-rule update --resource-group --server --name --start-ip-address --end-ip-address ``` **From PowerShell** Disable Default Firewall Rule `Allow access to Azure services` : ``` Remove-AzSqlServerFirewallRule -FirewallRuleName AllowAllWindowsAzureIps -ResourceGroupName -ServerName ``` Remove a custom Firewall rule: ``` Remove-AzSqlServerFirewallRule -FirewallRuleName -ResourceGroupName -ServerName ``` Set the appropriate firewall rules: ``` Set-AzSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName -StartIpAddress -EndIpAddress ```",
+ "AuditProcedure": "**From Azure Portal** 1. Go to `SQL servers` 2. For each SQL server 3. Click on `Networking` 4. Ensure that `Allow Azure services and resources to access this server` is `Unchecked` 5. 
Ensure that no firewall rule exists with - Start IP of `0.0.0.0` - or other combinations which allows access to wider public IP ranges **From Azure CLI** List all SQL servers ``` az sql server list ``` For each SQL server run the following command ``` az sql server firewall-rule list --resource-group --server ``` Ensure the output does not contain any firewall `allow` rules with a source of `0.0.0.0`, or any rules named `AllowAllWindowsAzureIps` **From PowerShell** Get the list of all SQL Servers ``` Get-AzSqlServer ``` For each Server ``` Get-AzSqlServerFirewallRule -ResourceGroupName -ServerName ``` Ensure that `StartIpAddress` is not set to `0.0.0.0`, `/0` or other combinations which allows access to wider public IP ranges including Windows Azure IP ranges. Also ensure that `FirewallRuleName` doesn't contain `AllowAllWindowsAzureIps` which is the rule created when the `Allow Azure services and resources to access this server` setting is enabled for that SQL Server. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [1b8ca024-1d5c-4dec-8995-b1a932b41780](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b8ca024-1d5c-4dec-8995-b1a932b41780) **- Name:** 'Public network access on Azure SQL Database should be disabled'",
+ "AdditionalInformation": "Firewall rules configured on individual SQL Database using Transact-sql overrides the rules set on SQL server. Azure does not provide any Powershell, API, CLI, Portal option to check database level firewall rules, and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, Firewall rules should be checked using SQL client.",
+ "DefaultValue": "By default, `Allow access to Azure Services` is set to `NO`.",
+ "References": "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls"
+ }
+ ]
+ },
+ {
+ "Id": "4.1.3",
+ "Description": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key",
+ "Checks": [
+ "sqlserver_tde_encrypted_with_cmk"
+ ],
+ "Attributes": [
+ {
+ "Section": "4.1 SQL Server - Auditing",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. 
Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security. Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).",
+ "RationaleStatement": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure’s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.",
+ "ImpactStatement": "Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you, and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible. When deploying Customer Managed Keys, it is prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault. As far as toolsets go, check with your cryptographic key provider, as they may well provide one as an add-on to their service.",
+ "RemediationProcedure": "**From Azure Console** 1. 
Go to `SQL servers` For the desired server instance 2. Click On `Transparent data encryption` 3. Set `Transparent data encryption` to `Customer-managed key` 4. Browse through your `key vaults` to Select an existing key or create a new key in the Azure Key Vault. 5. Check `Make selected key the default TDE protector` **From Azure CLI** Use the below command to encrypt SQL server's TDE protector with a Customer-managed key ``` az sql server tde-key set --resource-group --server --server-key-type {AzureKeyVault} --kid ``` **From PowerShell** Use the below command to encrypt SQL server's TDE protector with a Customer-managed Key Vault key ``` Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId -ServerName -ResourceGroupName ``` Select `Y` when prompted", + "AuditProcedure": "**From Azure Portal** 1. Go to `SQL servers` For the desired server instance 2. Click On `Transparent data encryption` 3. Ensure that `Customer-managed key` is selected 4. Ensure `Make selected key the default TDE protector` is checked **From Azure CLI** ``` az account get-access-token --query {subscripton:subscription,accessToken:accessToken} --out tsv | xargs -L1 bash -c 'curl -X GET -H Authorization: Bearer $1 -H Content-Type: application/json https://management.azure.com/subscriptions/$0/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/encryptionProtector?api-version=2015-05-01-preview' ``` Ensure the output of the command contains properties `kind` set to `azurekeyvault` `serverKeyType` set to `AzureKeyVault` `uri` is not null **From PowerShell** ``` Get-AzSqlServerTransparentDataEncryptionProtector -ServerName -ResourceGroupName ``` Ensure the output of the command contains properties `Type` set to `AzureKeyVault` `ServerKeyVaultKeyName` set to `KeyVaultName_KeyName_KeyIdentifierVersion` `KeyId` set to `KeyIdentifier` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the 
associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [0a370ff3-6cab-4e85-8995-295fd854c5b8](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a370ff3-6cab-4e85-8995-295fd854c5b8) **- Name:** 'SQL servers should use customer-managed keys to encrypt data at rest' - **Policy ID:** [ac01ad65-10e5-46df-bdd9-6b0cad13e1d2](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac01ad65-10e5-46df-bdd9-6b0cad13e1d2) **- Name:** 'SQL managed instances should use customer-managed keys to encrypt data at rest'", + "AdditionalInformation": "- This configuration is audited or can be done only on SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. - Ensuring TDE is protected by a Customer-managed key on SQL Server does not ensure the encryption of SQL Databases. 
`Transparent Data Encryption : Data Encryption (ON/OFF)` setting on individual SQL Database decides whether database is encrypted or not.", + "DefaultValue": "By Default, Microsoft managed TDE protector is enabled for a SQL server.", + "References": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql:https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/:https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required:https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts:https://docs.microsoft.com/en-us/cli/azure/sql/server/tde-key?view=azure-cli-latest:https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0:https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0" + } + ] + }, + { + "Id": "4.1.4", + "Description": "Ensure that Microsoft Entra authentication is Configured for SQL Servers", + "Checks": [ + "sqlserver_azuread_administrator_enabled" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.", + "RationaleStatement": "Microsoft Entra authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in the Microsoft Entra ID directory. With Entra ID authentication, identities of database users and other Microsoft services can be managed in one central location. 
Central ID management provides a single place to manage database users and simplifies permission management. - It provides an alternative to SQL Server authentication. - Helps stop the proliferation of user identities across database servers. - Allows password rotation in a single place. - Customers can manage database permissions using external (Entra ID) groups. - It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra. - Entra ID authentication uses contained database users to authenticate identities at the database level. - Entra ID supports token-based authentication for applications connecting to SQL Database. - Entra ID authentication supports ADFS (domain federation) or native user/password authentication for a local Active Directory without domain synchronization. - Entra ID supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options — phone call, text message, smart cards with pin, or mobile app notification.", + "ImpactStatement": "This will create administrative overhead with user account and permission management. For further security on these administrative accounts, you may want to consider licensing which supports features like Multi Factor Authentication.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `SQL servers` 2. For each SQL server, click on `Microsoft Entra admin` 3. Click on `Set admin` 4. Select an admin 5. 
Click `Save` **From Azure CLI** ``` az ad user show --id ``` For each Server, set AD Admin ``` az sql server ad-admin create --resource-group --server --display-name --object-id ``` **From PowerShell** For each Server, set Entra ID Admin ``` Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `SQL servers` 2. For each SQL server, click on `Microsoft Entra admin` under the Settings section 3. Ensure that a value has been set for `Admin Name` under the `Microsoft Entra admin` section **From Azure CLI** To list SQL Server Admins on a specific server: ``` az sql server ad-admin list --resource-group --server ``` **From PowerShell** Print a list of all SQL Servers to find which one you want to audit ``` Get-AzSqlServer ``` Audit a list of Administrators on a Specific Server ``` Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName ``` Ensure Output shows `DisplayName` set to `AD account`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [1f314764-cb73-4fc9-b863-8eca98ac36e9](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) **- Name:** 'An Azure Active Directory administrator should be provisioned for SQL servers'", + "AdditionalInformation": "**NOTE** - Assigning an Administrator in Entra ID is just the first step. When using Entra ID for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. 
The How-to Guides should be used to determine what roles should be assigned and what groups should be created to manage permissions and access to resources.", + "DefaultValue": "Entra ID Authentication for SQL Database/Server is not enabled by default", + "References": "https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-1-use-centralized-identity-and-authentication-system:https://docs.microsoft.com/en-us/cli/azure/sql/server/ad-admin?view=azure-cli-latest#az_sql_server_ad_admin_list" + } + ] + }, + { + "Id": "4.1.5", + "Description": "Ensure that 'Data encryption' is set to 'On' on a SQL Database", + "Checks": [ + "sqlserver_tde_encryption_enabled" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable Transparent Data Encryption on every SQL server.", + "RationaleStatement": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Go to `SQL databases` 2. For each DB instance 3. Click on `Transparent data encryption` 4. Set `Data encryption` to `On` **From Azure CLI** Use the below command to enable `Transparent data encryption` for SQL DB instance. ``` az sql db tde set --resource-group --server --database --status Enabled ``` **From PowerShell** Use the below command to enable `Transparent data encryption` for SQL DB instance. 
``` Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName -ServerName -DatabaseName -State 'Enabled' ``` **Note:** - TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. - Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.", + "AuditProcedure": "**From Azure Portal** 1. Go to `SQL databases` 2. For each DB instance 3. Click on `Transparent data encryption` 4. Ensure that `Data encryption` is set to `On` **From Azure CLI** Ensure the output of the below command is `Enabled` ``` az sql db tde show --resource-group --server --database --query status ``` **From PowerShell** Get a list of SQL Servers. ``` Get-AzSqlServer ``` For each server, list the databases. ``` Get-AzSqlDatabase -ServerName -ResourceGroupName ``` For each database not listed as a `Master` database, check for Transparent Data Encryption. ``` Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName -ServerName -DatabaseName ``` Make sure `DataEncryption` is `Enabled` for each database except the `Master` database. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [17k78e20-9358-41c9-923c-fb736d382a12](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) **- Name:** 'Transparent Data Encryption on SQL databases should be enabled'", + "AdditionalInformation": "- Transparent Data Encryption (TDE) can be enabled or disabled on individual `SQL Database` level and not on the `SQL Server` level. 
- TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.", + "DefaultValue": "By default, `Data encryption` is set to `On`.", + "References": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default:https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption?view=azps-9.2.0" + } + ] + }, + { + "Id": "4.1.6", + "Description": "Ensure that 'Auditing' Retention is 'greater than 90 days'", + "Checks": [ + "sqlserver_auditing_retention_90_days" + ], + "Attributes": [ + { + "Section": "4.1 SQL Server - Auditing", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "SQL Server Audit Retention should be configured to be greater than 90 days.", + "RationaleStatement": "Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Go to `SQL servers` 2. For each server instance 3. Click on `Auditing` 4. If storage is selected, expand `Advanced properties` 5. Set the `Retention (days)` setting greater than `90` days or `0` for unlimited retention. 6. 
Select `Save` **From PowerShell** For each Server, set retention policy to more than 90 days Log Analytics Example ``` Set-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays -LogAnalyticsTargetState Enabled -WorkspaceResourceId /subscriptions//resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/ ``` Event Hub Example ``` Set-AzSqlServerAudit -ResourceGroupName -ServerName -EventHubTargetState Enabled -EventHubName -EventHubAuthorizationRuleResourceId ``` Blob Storage Example ``` Set-AzSqlServerAudit -ResourceGroupName -ServerName -BlobStorageTargetState Enabled -StorageAccountResourceId /subscriptions//resourceGroups//providers/Microsoft.Stora ge/storageAccounts/ ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `SQL servers` 2. For each server instance 3. Click on `Auditing` 4. If storage is selected, expand `Advanced properties` 5. Ensure `Retention (days)` setting is greater than `90` days or `0` for unlimited retention. **From PowerShell** Get the list of all SQL Servers ``` Get-AzSqlServer ``` For each Server ``` Get-AzSqlServerAudit -ResourceGroupName -ServerName ``` Ensure that `RetentionInDays` is set to `more than 90` **Note:** If the SQL server is set with `LogAnalyticsTargetState` setting set to `Enabled`, run the following additional command. ``` Get-AzOperationalInsightsWorkspace | Where-Object {$_.ResourceId -eq } ``` Ensure that `RetentionInDays` is set to `more than 90` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [89099bee-89e0-4b26-a5f4-165451757743](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F89099bee-89e0-4b26-a5f4-165451757743) **- Name:** 'SQL servers with auditing to storage account destination should be configured with 90 days retention or higher'", + "AdditionalInformation": "", + "DefaultValue": "By default, SQL Server audit storage is `disabled`.", + "References": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-6-configure-log-storage-retention" + } + ] + }, + { + "Id": "4.3.1", + "Description": "Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_enforce_ssl_enabled" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable `SSL connection` on `PostgreSQL` Servers.", + "RationaleStatement": "`SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against man in the middle attacks by encrypting the data stream between the server and application.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to Azure Database for `PostgreSQL server` 3. For each database, click on `Connection security` 4. 
In `SSL` settings, click on `ENABLED` to enforce SSL connections 5. Click `Save` **From Azure CLI** Use the below command to `enforce ssl connection` for `PostgreSQL` Database. ``` az postgres server update --resource-group --name --ssl-enforcement Enabled ``` **From PowerShell** ``` Update-AzPostgreSqlServer -ResourceGroupName -ServerName -SslEnforcement Enabled ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `Azure Database for PostgreSQL server` 3. For each database, click on `Connection security` 4. In `SSL` settings, ensure `Enforce SSL connection` is set to `ENABLED`. **From Azure CLI** Ensure the output of the below command returns `Enabled`. ``` az postgres server show --resource-group myresourcegroup --name --query sslEnforcement ``` **From PowerShell** Ensure the output of the below command returns `Enabled`. ``` Get-AzPostgreSqlServer -ResourceGroupName -ServerName | Select-Object SslEnforcement ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [d158790f-bfb0-486c-8631-2dc6b4e8e6af](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) **- Name:** 'Enforce SSL connection should be enabled for PostgreSQL database servers'", + "AdditionalInformation": "", + "DefaultValue": "By default, secure connectivity is enforced, but some application frameworks may not enable it during deployment.", + "References": "https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlserver?view=azps-9.2.0#example-2-get-postgresql-server-by-resource-group-and-server-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlserver?view=azps-9.2.0#example-1-update-postgresql-server-by-resource-group-and-server-name" + } + ] + }, + { + "Id": "4.3.2", + "Description": "Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_log_checkpoints_on" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable `log_checkpoints` on `PostgreSQL Servers`.", + "RationaleStatement": "Enabling `log_checkpoints` helps the PostgreSQL Database to `Log each checkpoint` in turn generates query and error logs. However, access to transaction logs is not supported. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 1. Go to `Azure Database for PostgreSQL servers`. 1. For each database, click on `Server parameters`. 1. Search for `log_checkpoints`. 1. Click `ON` and save. **From Azure CLI** Use the below command to update `log_checkpoints` configuration. ``` az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on ``` **From PowerShell** ``` Update-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_checkpoints -Value on ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 1. Go to `Azure Database for PostgreSQL servers`. 1. For each database, click on `Server parameters`. 1. Search for `log_checkpoints`. 1. Ensure that value is set to `ON`. **From Azure CLI** Ensure value is set to `ON` ``` az postgres server configuration show --resource-group --server-name --name log_checkpoints ``` **From PowerShell** Ensure value is set to `ON` ``` Get-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_checkpoints ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb6f77b9-bd53-4e35-a23d-7f65d5f0e43d) **- Name:** 'Log checkpoints should be enabled for PostgreSQL database servers'", + "AdditionalInformation": "", + "DefaultValue": "By default `log_checkpoints` is enabled (set to `on`).", + "References": "https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server:https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#configure-logging:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.3", + "Description": "Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_log_connections_on" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable `log_connections` on `PostgreSQL Servers`.", + "RationaleStatement": "Enabling `log_connections` helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. 
Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com. 2. Go to `Azure Database for PostgreSQL servers`. 3. For each database, click on `Server parameters`. 4. Search for `log_connections`. 5. Click `ON` and save. **From Azure CLI** Use the below command to update `log_connections` configuration. ``` az postgres server configuration set --resource-group --server-name --name log_connections --value on ``` **From PowerShell** Use the below command to update `log_connections` configuration. ``` Update-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_connections -Value on ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com. 2. Go to `Azure Database for PostgreSQL servers`. 3. For each database, click on `Server parameters`. 4. Search for `log_connections`. 5. Ensure that value is set to `ON`. **From Azure CLI** Ensure `log_connections` value is set to `ON` ``` az postgres server configuration show --resource-group --server-name --name log_connections ``` **From PowerShell** Ensure `log_connections` value is set to `ON` ``` Get-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_connections ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [eb6f77b9-bd53-4e35-a23d-7f65d5f0e442](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb6f77b9-bd53-4e35-a23d-7f65d5f0e442) **- Name:** 'Log connections should be enabled for PostgreSQL database servers'", + "AdditionalInformation": "", + "DefaultValue": "By default `log_connections` is enabled (set to `on`).", + "References": "https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver:https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.4", + "Description": "Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_log_disconnections_on" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable `log_disconnections` on `PostgreSQL Servers`.", + "RationaleStatement": "Enabling `log_disconnections` helps PostgreSQL Database to `Logs end of a session`, including duration, which in turn generates query and error logs. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "ImpactStatement": "Enabling this setting will enable a log of all disconnections. If this is enabled for a high traffic server, the log may grow exponentially.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 2. Go to `Azure Database` for `PostgreSQL servers` 3. For each database, click on `Server parameters` 4. Search for `log_disconnections`. 5. Click `ON` and save. **From Azure CLI** Use the below command to update `log_disconnections` configuration. ``` az postgres server configuration set --resource-group --server-name --name log_disconnections --value on ``` **From PowerShell** Use the below command to update `log_disconnections` configuration. ``` Update-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_disconnections -Value on ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu 1. Go to `Azure Database` for `PostgreSQL servers` 1. For each database, click on `Server parameters` 1. Search for `log_disconnections`. 1. Ensure that value is set to `ON`. **From Azure CLI** Ensure `log_disconnections` value is set to `ON` ``` az postgres server configuration show --resource-group --server-name --name log_disconnections ``` **From PowerShell** Ensure `log_disconnections` value is set to `ON` ``` Get-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_disconnections ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [eb6f77b9-bd53-4e35-a23d-7f65d5f0e446](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb6f77b9-bd53-4e35-a23d-7f65d5f0e446) **- Name:** 'Disconnections should be logged for PostgreSQL database servers.'", + "AdditionalInformation": "", + "DefaultValue": "By default `log_disconnections` is disabled (set to `off`).", + "References": "https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server:https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.5", + "Description": "Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_connection_throttling_on" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable `connection_throttling` on `PostgreSQL Servers`.", + "RationaleStatement": "Enabling `connection_throttling` helps the PostgreSQL Database to `Set the verbosity of logged messages`. 
This in turn generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com. 2. Go to `Azure Database for PostgreSQL servers`. 3. For each database, click on `Server parameters`. 4. Search for `connection_throttling`. 5. Click `ON` and save. **From Azure CLI** Use the below command to update `connection_throttling` configuration. ``` az postgres server configuration set --resource-group --server-name --name connection_throttling --value on ``` **From PowerShell** Use the below command to update `connection_throttling` configuration. ``` Update-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name connection_throttling -Value on ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com. 2. Go to `Azure Database for PostgreSQL servers`. 3. For each database, click on `Server parameters`. 4. Search for `connection_throttling`. 5. Ensure that value is set to `ON`. **From Azure CLI** Ensure `connection_throttling` value is set to `ON` ``` az postgres server configuration show --resource-group --server-name --name connection_throttling ``` **From PowerShell** Ensure `connection_throttling` value is set to `ON` ``` Get-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name connection_throttling ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [5345bb39-67dc-4960-a1bf-427e16b9a0bd](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5345bb39-67dc-4960-a1bf-427e16b9a0bd) **- Name:** 'Connection throttling should be enabled for PostgreSQL database servers'", + "AdditionalInformation": "", + "DefaultValue": "By default, `connection_throttling` is enabled (set to `on`).", + "References": "https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server:https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.6", + "Description": "Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server", + "Checks": [ + "postgresql_flexible_server_log_retention_days_greater_3" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure `log_retention_days` on `PostgreSQL Servers` is set to an appropriate value.", + "RationaleStatement": "Configuring `log_retention_days` determines the duration in days that `Azure Database for PostgreSQL` retains log files. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "ImpactStatement": "Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy a large amount of disk space. In this case you may want to set this to a lower number.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 1. Go to `Azure Database for PostgreSQL servers`. 1. For each database, click on `Server parameters`. 1. Search for `log_retention_days`. 1. Input a value between 4 and 7 (inclusive) and click `Save`. **From Azure CLI** Use the below command to update `log_retention_days` configuration. ``` az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7> ``` **From Powershell** Use the below command to update `log_retention_days` configuration. ``` Update-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_retention_days -Value <4-7> ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 1. Go to `Azure Database for PostgreSQL servers`. 1. For each database, click on `Server parameters`. 1. Search for `log_retention_days`. 1. Ensure that the `value` is between 4 and 7 (inclusive). **From Azure CLI** Ensure `log_retention_days` value is greater than 3. ``` az postgres server configuration show --resource-group --server-name --name log_retention_days ``` **From Powershell** Ensure `log_retention_days` value is greater than 3. ``` Get-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_retention_days ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3) **- Name:** 'Log duration should be enabled for PostgreSQL database servers' - **Policy ID:** [5e1de0e3-42cb-4ebc-a86d-61d0c619ca48](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5e1de0e3-42cb-4ebc-a86d-61d0c619ca48) **- Name:** 'Public network access should be disabled for PostgreSQL flexible servers'", + "AdditionalInformation": "", + "DefaultValue": "By default `log_retention_days` is set to `3`.", + "References": "https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal:https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-6-configure-log-storage-retention:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name:https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name" + } + ] + }, + { + "Id": "4.3.7", + "Description": "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled", + "Checks": [ + "postgresql_flexible_server_allow_access_services_disabled" + ], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server. 
Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Disable access from Azure services to PostgreSQL Database Server.", + "RationaleStatement": "If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com. 1. Go to `Azure Database for PostgreSQL servers`. 1. For each database, click on `Connection security`. 1. Under `Firewall rules`, set `Allow access to Azure services` to `No`. 1. Click `Save`. **From Azure CLI** Use the below command to delete the AllowAllWindowsAzureIps rule for PostgreSQL Database. ``` az postgres server firewall-rule delete --name AllowAllWindowsAzureIps --resource-group --server-name ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com. 1. Go to `Azure Database for PostgreSQL servers`. 1. For each database, click on `Connection security`. 1. Under `Firewall rules`, ensure `Allow access to Azure services` is set to `No`. **From Azure CLI** Ensure the output of the below command does not include a rule with the name AllowAllWindowsAzureIps **or** startIpAddress: 0.0.0.0 **or** endIpAddress: 0.0.0.0, ``` az postgres server firewall-rule list --resource-group --server ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b52376f7-9612-48a1-81cd-1ffe4b61032c](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) **- Name:** 'Public network access should be disabled for PostgreSQL servers' - **Policy ID:** [5e1de0e3-42cb-4ebc-a86d-61d0c619ca48](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5e1de0e3-42cb-4ebc-a86d-61d0c619ca48) **- Name:** 'Public network access should be disabled for PostgreSQL flexible servers'", + "AdditionalInformation": "", + "DefaultValue": "The Azure Postgres firewall is set to block all access by default.", + "References": "https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules:https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-6-deploy-web-application-firewall" + } + ] + }, + { + "Id": "4.3.8", + "Description": "Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'", + "Checks": [], + "Attributes": [ + { + "Section": "4.3 PostgreSQL Database Server. Storage Accounts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.", + "RationaleStatement": "If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. 
Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. Encryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.", + "ImpactStatement": "The read and write speeds to the database will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This cost is justified for information security. Customer managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the database.", + "RemediationProcedure": "It is not possible to enable 'infrastructure double encryption' on an existing Azure Database for PostgreSQL server. The remediation steps detail the creation of a new Azure Database for PostgreSQL server with 'infrastructure double encryption' enabled. **From Azure Portal** 1. Go through the normal process of database creation. 2. On step 2 titled 'Additional settings' ensure that 'Infrastructure double encryption enabled' is 'checked'. 3. Acknowledge that you understand this will impact database performance. 4. Finish database creation as normal. **From Azure CLI** ``` az postgres server create --resource-group --name --location --admin-user --admin-password --sku-name GP_Gen4_2 --version 11 --infrastructure-encryption Enabled ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home, click on more services. 2. Click on Databases. 3. Click on Azure Database for PostgreSQL servers. 4. 
Select the database by clicking on its name. 5. Under Security, click Data encryption. 6. Ensure that 'Infrastructure encryption enabled' is displayed and is 'checked'. **From Azure CLI** 1. Enter the command ``` az postgres server configuration show --name --resource-group --query 'properties.infrastructureEncryption' -o tsv ``` 2. Verify that Infrastructure encryption is enabled. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [24fba194-95d6-48c0-aea7-f65bf859c598](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F24fba194-95d6-48c0-aea7-f65bf859c598) **- Name:** 'Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers'", + "AdditionalInformation": "Flexible PostgreSQL Database Servers are still in preview. 
A recommendation will be created for Flexible Servers once the service is out of preview.", + "DefaultValue": "By Default, Double Encryption is disabled.", + "References": "https://docs.microsoft.com/en-us/azure/postgresql/howto-double-encryption:https://docs.microsoft.com/en-us/azure/postgresql/concepts-infrastructure-double-encryption:https://docs.microsoft.com/en-us/azure/postgresql/concepts-data-encryption-postgresql:https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification:https://docs.microsoft.com/en-us/azure/postgresql/howto-double-encryption:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default" + } + ] + }, + { + "Id": "4.4.1", + "Description": "Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server", + "Checks": [ + "mysql_flexible_server_ssl_connection_enabled" + ], + "Attributes": [ + { + "Section": "4.4 MySQL Database", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Enable `SSL connection` on `MYSQL` Servers.", + "RationaleStatement": "SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against man in the middle attacks by encrypting the data stream between the server and application.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `Azure Database for MySQL servers` 3. For each database, click on `Connection security` 4. In `SSL` settings, click on `ENABLED` to `Enforce SSL connections` **From Azure CLI** Use the below command to set MYSQL Databases to Enforce SSL connection. ``` az mysql server update --resource-group --name --ssl-enforcement Enabled ```", + "AuditProcedure": "**From Azure Portal** 1. 
Login to Azure Portal using https://portal.azure.com 2. Go to `Azure Database for MySQL servers` 3. For each database, click on `Connection security` 4. In `SSL` settings, ensure `Enforce SSL connection` is set to `ENABLED`. **From Azure CLI** Ensure the output of the below command returns ENABLED. ``` az mysql server show --resource-group --name --query sslEnforcement ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [e802a67a-daf5-4436-9ea6-f6d821dd0c5d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) **- Name:** 'Enforce SSL connection should be enabled for MySQL database servers'", + "AdditionalInformation": "", + "DefaultValue": "Azure Database for MySQL when provisioned through the Azure portal or CLI will require SSL connections by default.", + "References": "https://docs.microsoft.com/en-us/azure/mysql/single-server/concepts-ssl-connection-security:https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-ssl:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit" + } + ] + }, + { + "Id": "4.4.2", + "Description": "Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server", + "Checks": [ + "mysql_flexible_server_minimum_tls_version_12" + ], + "Attributes": [ + { + "Section": "4.4 MySQL Database", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Ensure `TLS version` on `MySQL flexible` servers is set to use TLS version 1.2 or higher.", + "RationaleStatement": "TLS connectivity helps to provide a new layer of 
security by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against man in the middle attacks by encrypting the data stream between the server and application.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `Azure Database for MySQL flexible servers` 3. For each database, click on `Server parameters` under `Settings` 4. In the search box, type in `tls_version` 5. Click on the VALUE dropdown, and ensure only `TLSV1.2` (or higher) is selected for `tls_version` **From Azure CLI** Use the below command to set MYSQL flexible databases to used version 1.2 for the `tls_version` parameter. ``` az mysql flexible-server parameter set --name tls_version --resource-group --server-name --value TLSV1.2 ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `Azure Database for MySQL flexible servers` 3. For each database, click on `Server parameters` under `Settings` 4. In the search box, type in `tls_version` 5. Ensure `tls_version` is set to `TLSV1.2` (or higher) **From Azure CLI** Ensure the output of the below command contains the key value pair `values: TLSV1.2` (or higher). ``` az mysql flexible-server parameter show --name tls_version --resource-group --server-name ``` Example output: ``` { allowedValues: TLSv1,TLSv1.1,TLSv1.2, dataType: Set, defaultValue: TLSv1.2, description: Which protocols the server permits for encrypted connections. 
By default, TLS 1.2 is enforced, id: /subscriptions//resourceGroups//providers/Microsoft.DBforMySQL/flexibleServers//configurations/tls_version, isConfigPendingRestart: False, isDynamicConfig: False, isReadOnly: False, name: tls_version, resourceGroup: , source: system-default, systemData: null, type: Microsoft.DBforMySQL/flexibleServers/configurations, value: TLSv1.2 } ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [49e6f04d-fbc3-4ac3-9e84-6ae0eb5db024](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F49e6f04d-fbc3-4ac3-9e84-6ae0eb5db024) **- Name:** 'Require Secure Transport should be enabled for MySQL flexible servers'", + "AdditionalInformation": "", + "DefaultValue": "By default, TLS is set to v1.2 for MySQL Flexible servers.", + "References": "https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security:https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default" + } + ] + }, + { + "Id": "4.4.3", + "Description": "Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server", + "Checks": [ + "mysql_flexible_server_audit_log_enabled" + ], + "Attributes": [ + { + "Section": "4.4 MySQL Database", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable audit_log_enabled on MySQL Servers.", + "RationaleStatement": "Enabling audit_log_enabled helps MySQL Database to log items such as connection attempts to the server, DDL/DML access, and more. 
Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", + "ImpactStatement": "There are further costs incurred for storage of logs. For high traffic databases these logs will be significant. Determine your organization's needs before enabling.", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com. 2. Select `Azure Database for MySQL Servers`. 3. Select a database. 4. Under Settings, select `Server parameters`. 5. Update `audit_log_enabled` parameter to `ON` 6. Under Monitoring, select `Diagnostic settings`. 7. Select `+ Add diagnostic setting`. 8. Provide a diagnostic setting name. 9. Under Categories, select `MySQL Audit Logs`. 10. Specify destination details. 11. Click `Save`. It may take up to 10 minutes for the logs to appear in the configured destination.", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Select `Azure Database for MySQL Servers` 3. For each database, under the Settings section in the sidebar, select `Server parameters` 4. 
Ensure the `audit_log_enabled` parameter is set to `ON`", + "AdditionalInformation": "There is also a CLI version: https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-audit-logs-cli There are numerous settings and event types and it might be helpful to discuss which of these may be appropriate to have a separate check item for.", + "DefaultValue": "audit_log_enabled is set to OFF by default", + "References": "https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-audit-logs-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "4.4.4", + "Description": "Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server", + "Checks": [ + "mysql_flexible_server_audit_log_connection_activated" + ], + "Attributes": [ + { + "Section": "4.4 MySQL Database", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Set `audit_log_enabled` to include CONNECTION on MySQL Servers.", + "RationaleStatement": "Enabling CONNECTION helps MySQL Database to log items such as successful and failed connection attempts to the server. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.", + "ImpactStatement": "There are further costs incurred for storage of logs. For high traffic databases these logs will be significant. Determine your organization's needs before enabling.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 2. Select `Azure Database for MySQL servers`. 3. Select a database. 4. Under `Settings`, select `Server parameters`. 5. Update `audit_log_enabled` parameter to `ON`. 6. Update `audit_log_events` parameter to have at least `CONNECTION` checked. 7. Click `Save`. 8. Under `Monitoring`, select `Diagnostic settings`. 9. Select `+ Add diagnostic setting`. 10. 
Provide a diagnostic setting name. 11. Under `Categories`, select `MySQL Audit Logs`. 12. Specify destination details. 13. Click `Save`. It may take up to 10 minutes for the logs to appear in the configured destination.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home select the Portal Menu. 2. Select `Azure Database for MySQL servers`. 3. Select a database. 4. Under `Settings`, select `Server parameters`. 4. Ensure `audit_log_enabled` parameter is set to `ON`. 5. Ensure `audit_log_events` parameter has `CONNECTION` checked.", + "AdditionalInformation": "There is also a CLI version: https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-audit-logs-cli", + "DefaultValue": "By default `audit_log_events` is disabled.", + "References": "https://docs.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-audit-logs-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "4.5.1", + "Description": "Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks", + "Checks": [ + "cosmosdb_account_firewall_use_selected_networks" + ], + "Attributes": [ + { + "Section": "4.5 Cosmos DB", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.", + "RationaleStatement": "Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database.", + "ImpactStatement": "Failure to whitelist the correct networks will result in a connection loss.", + "RemediationProcedure": "**From Azure Portal** 1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select a Cosmos DB account to audit. 4. Select `Networking`. 5. Under `Public network access`, select `Selected networks`. 
6. Under `Virtual networks`, select `+ Add existing virtual network` or `+ Add a new virtual network`. 7. For existing networks, select subscription, virtual network, subnet and click `Add`. For new networks, provide a name, update the default values if required, and click `Create`. 8. Click `Save`.", + "AuditProcedure": "**From Azure Portal** 1. Open the portal menu. 2. Select the Azure Cosmos DB blade 3. Select a Cosmos DB to audit. 4. Select `Networking`. 5. Under `Public network access`, ensure `Selected networks` is selected. 6. Under `Virtual networks`, ensure appropriate virtual networks are configured. **From Azure CLI** Retrieve a list of all CosmosDB database names: ``` az cosmosdb list ``` For each database listed, run the following command: ``` az cosmosdb show ``` For each database, ensure that `isVirtualNetworkFilterEnabled` is set to `true` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) **- Name:** 'Azure Cosmos DB accounts should have firewall rules'", + "AdditionalInformation": "", + "DefaultValue": "By default, Cosmos DBs are set to have access all networks.", + "References": "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints:https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint:https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show:https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list:https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls" + } + ] + }, + { + "Id": "4.5.2", + "Description": "Ensure That Private Endpoints Are Used Where Possible", + "Checks": [ + "cosmosdb_account_use_private_endpoints" + ], + "Attributes": [ + { + "Section": "4.5 Cosmos DB", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Private endpoints limit network traffic to approved sources.", + "RationaleStatement": "For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.", + "ImpactStatement": "Only whitelisted services will have access to communicate with the Cosmos DB.", + "RemediationProcedure": "**From Azure Portal** 1. Open the portal menu. 2. 
Select the Azure Cosmos DB blade. 3. Select the Azure Cosmos DB account. 4. Select `Networking`. 5. Select `Private access`. 6. Click `+ Private Endpoint`. 7. Provide a Name. 8. Click `Next`. 9. From the Resource type drop down, select `Microsoft.AzureCosmosDB/databaseAccounts`. 10. From the Resource drop down, select the Cosmos DB account. 11. Click `Next`. 12. Provide appropriate Virtual Network details. 13. Click `Next`. 14. Provide appropriate DNS details. 15. Click `Next`. 16. Optionally provide Tags. 17. Click `Next : Review + create`. 18. Click `Create`.", + "AuditProcedure": "**From Azure Portal** 1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select the Azure Cosmos DB account. 4. Select `Networking`. 5. Ensure `Public network access` is set to `Selected networks`. 6. Ensure the listed networks are set appropriately. 7. Select `Private access`. 8. Ensure a private endpoint exists and `Connection state` is `Approved`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [58440f8a-10c5-4151-bdce-dfbaad4a20b7](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) **- Name:** 'CosmosDB accounts should use private link'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default Cosmos DB does not have private endpoints enabled and its traffic is public to the network.",
+ "References": "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints:https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal:https://docs.microsoft.com/en-us/cli/azure/cosmosdb/private-endpoint-connection?view=azure-cli-latest:https://docs.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls"
+ }
+ ]
+ },
+ {
+ "Id": "4.5.3",
+ "Description": "Use Entra ID Client Authentication and Azure RBAC where possible.",
+ "Checks": [
+ "cosmosdb_account_use_aad_and_rbac"
+ ],
+ "Attributes": [
+ {
+ "Section": "4.5 Cosmos DB",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Cosmos DB can use tokens or Entra ID for client authentication which in turn will use Azure RBAC for authorization. Using Entra ID is significantly more secure because Entra ID handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.",
+ "RationaleStatement": "Entra ID client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. 
Entra ID does not require this.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens. Create an Entra ID identity for each of these resources: - For Azure resources, you can create a managed identity. You may choose between system-assigned and user-assigned managed identities. - For non-Azure resources, create an Entra ID identity. Grant each Entra ID identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step. **From Powershell:** ``` $cosmosdbname = $resourcegroup = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview ```",
+ "AuditProcedure": "**From Powershell:** ``` $cosmosdbname = $resourcegroup = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json ``` In the resulting output, disableLocalAuth should be true",
+ "AdditionalInformation": "",
+ "DefaultValue": "The default is to use tokens/keys for client authentication.",
+ "References": "https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control"
+ }
+ ]
+ },
+ {
+ "Id": "5.4",
+ "Description": "Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "5. 
Logging and Monitoring",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type. A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.",
+ "RationaleStatement": "A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled.",
+ "ImpactStatement": "Costs for monitoring varies with Log Volume. Not every resource needs to have logging enabled. It is important to determine the security classification of the data being processed by the given resource and adjust the logging based on which events need to be tracked. 
This is typically determined by governance and compliance requirements.",
+ "RemediationProcedure": "Azure Subscriptions should log every access and operation for all resources. Logs should be sent to Storage and a Log Analytics Workspace or equivalent third-party system. Logs should be kept in readily-accessible storage for a minimum of one year, and then moved to inexpensive cold storage for a duration of time as necessary. If retention policies are set but storing logs in a Storage Account is disabled (for example, if only Event Hubs or Log Analytics options are selected), the retention policies have no effect. Enable all monitoring at first, and then be more aggressive moving data to cold storage if the volume of data becomes a cost concern. **From Azure Portal** The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are: 1. Go to the resource 2. Click on Diagnostic settings 3. In the blade that appears, click Add diagnostic setting 4. Configure the diagnostic settings 5. Click on Save **From Azure CLI** For each `resource`, run the following making sure to use a `resource` appropriate JSON encoded `category` for the `--logs` option. 
``` az monitor diagnostic-settings create --name --resource --logs [{category:,enabled:true,rentention-policy:{enabled:true,days:180}}] --metrics [{category:AllMetrics,enabled:true,retention-policy:{enabled:true,days:180}}] <[--event-hub --event-hub-rule | --storage-account |--workspace | --marketplace-partner-id ]> ``` **From PowerShell** Create the `log` settings object ``` $logSettings = @() $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category ``` Create the `metric` settings object ``` $metricSettings = @() $metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics ``` Create the diagnostic setting for a specific resource ``` New-AzDiagnosticSetting -Name -ResourceId -Log $logSettings -Metric $metricSettings ```",
+ "AuditProcedure": "**From Azure Portal** The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are: 1. Go to the resource 2. Click on Diagnostic settings 3. In the blade that appears, click Add diagnostic setting 4. Configure the diagnostic settings 5. Click on Save **From Azure CLI** List all `resources` for a `subscription` ``` az resource list --subscription ``` For each `resource` run the following ``` az monitor diagnostic-settings list --resource ``` An empty result means a `diagnostic settings` is not configured for that resource. An error message means a `diagnostic settings` is not supported for that resource. **From PowerShell** Get a list of `resources` in a `subscription` context and store in a variable ``` $resources = Get-AzResource ``` Loop through each `resource` to determine if a diagnostic setting is configured or not. 
``` foreach ($resource in $resources) {$diagnosticSetting = Get-AzDiagnosticSetting -ResourceId $resource.id -ErrorAction SilentlyContinue; if ([string]::IsNullOrEmpty($diagnosticSetting)) {$message = Diagnostic Settings not configured for resource: + $resource.Name;Write-Output $message}else{$diagnosticSetting}} ``` A result of `Diagnostic Settings not configured for resource: ` means a `diagnostic settings` is not configured for that resource. Otherwise, the output of the above command will show configured `Diagnostic Settings` for a resource. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [cf820ca0-f99e-4f3e-84fb-66e913812d21](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) **- Name:** 'Resource logs in Key Vault should be enabled' - **Policy ID:** [91a78b24-f231-4a8a-8da9-02c35b2b6510](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) **- Name:** 'App Service apps should have resource logs enabled' - **Policy ID:** [428256e6-1fac-4f48-a757-df34c2b3336d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) **- Name:** 'Resource logs in Batch accounts should be enabled' - **Policy ID:** 
[057ef27e-665e-4328-8ea3-04b3122bd9fb](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) **- Name:** 'Resource logs in Azure Data Lake Store should be enabled' - **Policy ID:** [c95c74d9-38fe-4f0d-af86-0c7d626a315c](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95c74d9-38fe-4f0d-af86-0c7d626a315c) **- Name:** 'Resource logs in Data Lake Analytics should be enabled' - **Policy ID:** [83a214f7-d01a-484b-91a9-ed54470c9a6a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83a214f7-d01a-484b-91a9-ed54470c9a6a) **- Name:** 'Resource logs in Event Hub should be enabled' - **Policy ID:** [383856f8-de7f-44a2-81fc-e5135b5c2aa4](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F383856f8-de7f-44a2-81fc-e5135b5c2aa4) **- Name:** 'Resource logs in IoT Hub should be enabled' - **Policy ID:** [34f95f76-5386-4de7-b824-0d8478470c9d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34f95f76-5386-4de7-b824-0d8478470c9d) **- Name:** 'Resource logs in Logic Apps should be enabled' - **Policy ID:** [b4330a05-a843-4bc8-bf9a-cacce50c67f4](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) **- Name:** 'Resource logs in Search services should be enabled' - **Policy ID:** 
[f8d36e2f-389b-4ee4-898d-21aeb69a0f45](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8d36e2f-389b-4ee4-898d-21aeb69a0f45) **- Name:** 'Resource logs in Service Bus should be enabled' - **Policy ID:** [f9be5368-9bf5-4b84-9e0a-7850da98bb46](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) **- Name:** 'Resource logs in Azure Stream Analytics should be enabled'",
+ "AdditionalInformation": "Note: The CIS Benchmark covers some specific Diagnostic Logs separately. ``` Section 3 - Storage Accounts: Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests Section 6 - Network: Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' ``` For an up-to-date list of Azure resources which support Azure Monitor, refer to the Supported Log Categories reference.",
+ "DefaultValue": "By default, Azure Monitor Resource Logs are 'Disabled' for all resources.",
+ "References": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis:https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/monitor-azure-resource:Supported Log Categories: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-categories:Logs and Audit - Fundamentals: https://docs.microsoft.com/en-us/azure/security/fundamentals/log-audit:Collecting Logs: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs:Key Vault Logging: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging:Monitor Diagnostic Settings: 
https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest:Overview of Diagnostic Logs: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-logs-overview:Supported Services for Diagnostic Logs: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-logs-schema:Diagnostic Logs for CDNs: https://docs.microsoft.com/en-us/azure/cdn/cdn-azure-diagnostic-logs"
+ }
+ ]
+ },
+ {
+ "Id": "5.5",
+ "Description": "Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "5. Logging and Monitoring",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft may refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.",
+ "RationaleStatement": "Typically, production workloads need to be monitored and should have an SLA with Microsoft, using Basic SKUs for any deployed product will mean that that these capabilities do not exist. The following resource types should use standard SKUs as a minimum. - Public IP Addresses - Network Load Balancers - REDIS Cache - SQL PaaS Databases - VPN Gateways",
+ "ImpactStatement": "The impact of enforcing Standard SKU's is twofold 1) There will be a cost increase 2) The monitoring and service level agreements will be available and will support the production service. 
All resources should be either tagged or in separate Management Groups/Subscriptions",
+ "RemediationProcedure": "Each artifact has its own process for upgrading from basic to standard SKU's and this should be followed if required.",
+ "AuditProcedure": "This needs to be audited by Azure Policy (one for each resource type) and denied for each artifact that is production. **From Azure Portal** 1. Open `Azure Resource Graph Explorer` 1. Click `New query` 1. Paste the following into the query window: ``` Resources | where sku contains 'Basic' or sku contains 'consumption' | order by type ``` 4. Click `Run query` then evaluate the results in the results window. **From Azure CLI** ``` az graph query -q Resources | sku contains 'Basic' or sku contains 'consumption' | order by type ``` **From PowerShell** ``` Get-AzResource | ?{ $_.Sku -EQ Basic} ```",
+ "AdditionalInformation": "",
+ "DefaultValue": "Policy should enforce standard SKUs for the following artifacts: - Public IP Addresses - Network Load Balancers - REDIS Cache - SQL PaaS Databases - VPN Gateways",
+ "References": "https://azure.microsoft.com/en-us/support/plans:https://azure.microsoft.com/en-us/support/plans/response/"
+ }
+ ]
+ },
+ {
+ "Id": "5.1.1",
+ "Description": "Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs",
+ "Checks": [
+ "monitor_diagnostic_settings_exists"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.1 Configuring Diagnostic Settings",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.",
+ "RationaleStatement": "A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. 
Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "**From Azure Portal** To enable Diagnostic Settings on a Subscription: 1. Go to `Monitor` 2. Click on `Activity Log` 3. Click on `Export Activity Logs` 4. Click `+ Add diagnostic setting` 5. Enter a `Diagnostic setting name` 6. Select `Categories` for the diagnostic settings 7. Select the appropriate `Destination details` (this may be Log Analytics, Storage Account, Event Hub, or Partner solution) 8. Click `Save` To enable Diagnostic Settings on a specific resource: 1. Go to `Monitor` 2. Click `Diagnostic settings` 3. Click on the resource that has a diagnostics status of `disabled` 4. Select `Add Diagnostic Setting` 5. Enter a `Diagnostic setting name` 6. Select the appropriate log, metric, and destination. (this may be Log Analytics, Storage Account, Event Hub, or Partner solution) 7. Click `save` Repeat these step for all resources as needed. **From Azure CLI** To configure Diagnostic Settings on a Subscription: ``` az monitor diagnostic-settings subscription create --subscription --name --location <[--event-hub --event-hub-auth-rule ] [--storage-account ] [--workspace ] --logs (e.g. 
[{category:Security,enabled:true},{category:Administrative,enabled:true},{category:Alert,enabled:true},{category:Policy,enabled:true}]) ``` To configure Diagnostic Settings on a specific resource: ``` az monitor diagnostic-settings create --subscription --resource --name <[--event-hub --event-hub-rule ] [--storage-account ] [--workspace ] --logs --metrics ``` **From PowerShell** To configure Diagnostic Settings on a subscription: ``` $logCategories = @(); $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Security -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category ServiceHealth -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Alert -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Recommendation -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Policy -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Autoscale -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category ResourceHealth -Enabled $true New-AzSubscriptionDiagnosticSetting -SubscriptionId -Name <[-EventHubAuthorizationRule -EventHubName ] [-StorageAccountId ] [-WorkSpaceId ] [-MarketplacePartner ID ]> -Log $logCategories ``` To configure Diagnostic Settings on a specific resource: ``` $logCategories = @() $logCategories += New-AzDiagnosticSettingLogSettingsObject -Category -Enabled $true Repeat command and variable assignment for each Log category specific to the resource where this Diagnostic Setting will get configured. 
$metricCategories = @() $metricCategories += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true [-Category ] [-RetentionPolicyDay ] [-RetentionPolicyEnabled $true] Repeat command and variable assignment for each Metric category or use the 'AllMetrics' category. New-AzDiagnosticSetting -ResourceId -Name -Log $logCategories -Metric $metricCategories [-EventHubAuthorizationRuleId -EventHubName ] [-StorageAccountId ] [-WorkspaceId ] [-MarketplacePartnerId ]>",
+ "AuditProcedure": "**From Azure Portal** To identify Diagnostic Settings on a subscription: 1. Go to `Monitor` 2. Click `Activity Log` 3. Click `Export Activity Logs` 4. Select a `Subscription` 5. Ensure a `Diagnostic settings` exists for the selected Subscription To identify Diagnostic Settings on specific resources: 1. Go to `Monitor` 2. Click `Diagnostic settings` 3. Ensure that Diagnostics status is `enabled` on all appropriate resources. **From Azure CLI** To identify Diagnostic Settings on a subscription: ``` az monitor diagnostic-settings subscription list --subscription ``` To identify Diagnostic Settings on a resource ``` az monitor diagnostic-settings list --resource ``` **From PowerShell** To identify Diagnostic Settings on a Subscription: ``` Get-AzDiagnosticSetting -SubscriptionId ``` To identify Diagnostic Settings on a specific resource: ``` Get-AzDiagnosticSetting -ResourceId ```",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, diagnostic setting is not set.",
+ "References": "https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile:https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.1.2",
+ "Description": "Ensure Diagnostic Setting captures appropriate categories",
+ "Checks": [
+ 
"monitor_diagnostic_setting_with_appropriate_categories"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.1 Configuring Diagnostic Settings",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "**Prerequisite**: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: Ensure that a 'Diagnostic Setting' exists. The diagnostic setting should be configured to log the appropriate activities from the control/management plane.",
+ "RationaleStatement": "A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "**From Azure Portal** 1. Go to `Azure Monitor` 2. Click `Activity log` 3. Click on `Export Activity Logs` 4. Select the `Subscription` from the drop down menu 5. Click on `Add diagnostic setting` 6. Enter a name for your new Diagnostic Setting 7. Check the following categories: `Administrative, Alert, Policy, and Security` 8. Choose the destination details according to your organization's needs. 
**From Az CLI** ``` az monitor diagnostic-settings subscription create --subscription --name --location <[--event-hub --event-hub-auth-rule ] [--storage-account ] [--workspace ] --logs [{category:Security,enabled:true},{category:Administrative,enabled:true},{category:Alert,enabled:true},{category:Policy,enabled:true}] ``` **From PowerShell** ``` $logCategories = @(); $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Administrative -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Security -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Alert -Enabled $true $logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category Policy -Enabled $true New-AzSubscriptionDiagnosticSetting -SubscriptionId -Name <[-EventHubAuthorizationRule -EventHubName ] [-StorageAccountId ] [-WorkSpaceId ] [-MarketplacePartner ID ]> -Log $logCategories ```",
+ "AuditProcedure": "**From Azure Portal** 1. Go to `Azure Monitor` 2. Click `Activity log` 3. Click on `Export Activity Logs` 4. Select the appropriate `Subscription` 5. If there is no `Diagnostic Settings` listed, generate a finding. 6. Otherwise, click on `Edit Settings` 7. Ensure that the following categories are checked: `Administrative, Alert, Policy, and Security` **From Azure CLI** Ensure the categories `'Administrative', 'Alert', 'Policy', and 'Security'` set to: 'enabled: true' ``` az monitor diagnostic-settings subscription list --subscription ``` **From Powershell** Ensure the categories Administrative, Alert, Policy, and Security are set to Enabled:True ``` Get-AzSubscriptionDiagnosticSetting -Subscription ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [3b980d31-7904-4bb7-8575-5665739a8052](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3b980d31-7904-4bb7-8575-5665739a8052) **- Name:** 'An activity log alert should exist for specific Security operations' - **Policy ID:** [b954148f-4c11-4c38-8221-be76711e194a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb954148f-4c11-4c38-8221-be76711e194a) **- Name:** 'An activity log alert should exist for specific Administrative operations' - **Policy ID:** [c5447c04-a4d7-4ba8-a263-c9ee321a6858](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc5447c04-a4d7-4ba8-a263-c9ee321a6858) **- Name:** 'An activity log alert should exist for specific Policy operations'",
+ "AdditionalInformation": "",
+ "DefaultValue": "When the diagnostic setting is created using Azure Portal, by default no categories are selected.",
+ "References": "https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings:https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest:https://learn.microsoft.com/en-us/powershell/module/az.monitor/new-azsubscriptiondiagnosticsetting?view=azps-9.2.0"
+ }
+ ]
+ },
+ {
+ "Id": "5.1.3",
+ "Description": "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)",
+ 
"Checks": [
+ "monitor_storage_account_with_activity_logs_cmk_encrypted"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.1 Configuring Diagnostic Settings",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).",
+ "RationaleStatement": "Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.",
+ "ImpactStatement": "**NOTE:** You must have your key vault setup to utilize this. All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.",
+ "RemediationProcedure": "**From Azure Portal** 1. Navigate to the Storage accounts blade. 1. Click on the storage account. 1. Under `Security + networking`, click `Encryption`. 1. Next to `Encryption type`, select `Customer-managed keys`. 1. Complete the steps to configure a customer-managed key for encryption of the storage account. **From Azure CLI** ``` az storage account update --name --resource-group --encryption-key-source=Microsoft.Keyvault --encryption-key-vault --encryption-key-name --encryption-key-version ``` **From PowerShell** ``` Set-AzStorageAccount -ResourceGroupName -Name -KeyvaultEncryption -KeyVaultUri -KeyName ```",
+ "AuditProcedure": "**From Azure Portal** 1. Go to `Activity log` 2. Select `Export` 3. Select `Subscription` 4. In section `Storage Account`, note the name of the Storage account 5. Close the `Export Audit Logs` blade. Close the `Monitor - Activity Log` blade. 6. 
In right column, Click service `Storage Accounts` to access Storage account blade 7. Click on the storage account name noted in step 4. This will open blade specific to that storage account 8. Under `Security + networking`, click `Encryption`. 9. Ensure `Customer-managed keys` is selected and `Key URI` is set. **From Azure CLI** 1. Get storage account id configured with log profile: ``` az monitor diagnostic-settings subscription list --subscription --query 'value[*].storageAccountId' ``` 2. Ensure the storage account is encrypted with CMK: ``` az storage account list --query [?name==''] ``` In command output ensure `keySource` is set to `Microsoft.Keyvault` and `keyVaultProperties` is not set to `null` **From PowerShell** ``` Get-AzStorageAccount -ResourceGroupName -Name |select-object -ExpandProperty encryption|format-list ``` Ensure the value of `KeyVaultProperties` is not `null` or empty, and ensure `KeySource` is not set to `Microsoft.Storage`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [fbb99e8e-e444-4da0-9ff1-75c92f5a85b2](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) **- Name:** 'Storage account containing the container with activity logs must be encrypted with BYOK'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, for a storage account `keySource` is set to `Microsoft.Storage` allowing encryption with vendor Managed key and not a Customer Managed Key.",
+ "References": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required:https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli#managing-legacy-log-profiles"
+ }
+ ]
+ },
+ {
+ "Id": "5.1.4",
+ "Description": "Ensure that logging for Azure Key Vault is 'Enabled'",
+ "Checks": [
+ "keyvault_logging_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.1 Configuring Diagnostic Settings",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.",
+ "RationaleStatement": "Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves information in a user provided destination of either an Azure storage account or Log Analytics workspace. The same destination can be used for collecting logs for multiple Key Vaults.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "**From Azure Portal** 1. Go to `Key vaults`. 2. Select a Key vault. 3. 
Select `Diagnostic settings`. 4. Click `Edit setting` to update an existing diagnostic setting, or `Add diagnostic setting` to create a new one. 5. If creating a new diagnostic setting, provide a name. 6. Configure an appropriate destination. 7. Under `Category groups`, check `audit` and `allLogs`. 8. Click `Save`. **From Azure CLI** To update an existing `Diagnostic Settings` ``` az monitor diagnostic-settings update --name --resource ``` To create a new `Diagnostic Settings` ``` az monitor diagnostic-settings create --name --resource --logs [{category:audit,enabled:true},{category:allLogs,enabled:true}] --metrics [{category:AllMetrics,enabled:true}] <[--event-hub --event-hub-rule | --storage-account |--workspace | --marketplace-partner-id ]> ``` **From PowerShell** Create the `Log` settings object ``` $logSettings = @() $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category audit $logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category allLogs ``` Create the `Metric` settings object ``` $metricSettings = @() $metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category AllMetrics ``` Create the `Diagnostic Settings` for each `Key Vault` ``` New-AzDiagnosticSetting -Name -ResourceId -Log $logSettings -Metric $metricSettings [-StorageAccountId | -EventHubName -EventHubAuthorizationRuleId | -WorkSpaceId | -MarketPlacePartnerId ] ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Key vaults`. 2. For each Key vault. 3. Go to `Diagnostic settings`. 4. Click `Edit setting`. 5. Ensure that a destination is configured. 6. Under `Category groups`, ensure that `audit` and `allLogs` are checked. **From Azure CLI** List all key vaults ``` az keyvault list ``` For each keyvault `id` ``` az monitor diagnostic-settings list --resource ``` Ensure that `storageAccountId` reflects your desired destination and that `categoryGroup` and `enabled` are set as follows in the sample outputs below. 
``` logs: [ { categoryGroup: audit, enabled: true, }, { categoryGroup: allLogs, enabled: true, } ``` **From PowerShell** List the key vault(s) in the subscription ``` Get-AzKeyVault ``` For each key vault, run the following: ``` Get-AzDiagnosticSetting -ResourceId ``` Ensure that `StorageAccountId`, `ServiceBusRuleId`, `MarketplacePartnerId`, or `WorkspaceId` is set as appropriate. Also, ensure that `enabled` is set to `true`, and that `categoryGroup` reflects both `audit` and `allLogs` category groups. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [cf820ca0-f99e-4f3e-84fb-66e913812d21](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) **- Name:** 'Resource logs in Key Vault should be enabled'", + "AdditionalInformation": "**DEPRECATION WARNING** Retention rules for Key Vault logging is being migrated to Azure Storage Lifecycle Management. Retention rules should be set based on the needs of your organization and security or compliance frameworks. Please visit [https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy?tabs=portal](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy?tabs=portal) for detail on migrating your retention rules. Microsoft has provided the following deprecation timeline: March 31, 2023 – The Diagnostic Settings Storage Retention feature will no longer be available to configure new retention rules for log data. This includes using the portal, CLI PowerShell, and ARM and Bicep templates. 
If you have configured retention settings, you'll still be able to see and change them in the portal. March 31, 2024 – You will no longer be able to use the API (CLI, Powershell, or templates), or Azure portal to configure retention setting unless you're changing them to 0. Existing retention rules will still be respected. September 30, 2025 – All retention functionality for the Diagnostic Settings Storage Retention feature will be disabled across all environments.", + "DefaultValue": "By default, Diagnostic AuditEvent logging is not enabled for Key Vault instances.", + "References": "https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.1.5", + "Description": "Ensure that Network Security Group Flow logs are captured and sent to Log Analytics", + "Checks": [ + "network_flow_log_captured_sent" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Ensure that network flow logs are captured and fed into a central log analytics workspace.", + "RationaleStatement": "Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.", + "ImpactStatement": "The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. 
This will increase the amount of data stored and used by Azure Monitor.", + "RemediationProcedure": "**From Azure Portal** 1. Navigate to `Network Watcher`. 1. Select `NSG flow logs`. 1. Select `+ Create`. 1. Select the desired Subscription. 1. Select `+ Select NSG`. 1. Select a network security group. 1. Click `Confirm selection`. 1. Select or create a new Storage Account. 1. Input the retention in days to retain the log. 1. Click `Next`. 1. Under `Configuration`, select `Version 2`. 1. If rich analytics are required, select `Enable Traffic Analytics`, a processing interval, and a `Log Analytics Workspace`. 1. Select `Next`. 1. Optionally add Tags. 1. Select `Review + create`. 1. Select `Create`. ***Warning*** The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.", + "AuditProcedure": "**From Azure Portal** 1. Navigate to `Network Watcher`. 1. Select `NSG flow logs` 1. For each log you wish to audit select it from this view. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [27960feb-a23c-4577-8d36-ef8b5f35e0be](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F27960feb-a23c-4577-8d36-ef8b5f35e0be) **- Name:** 'All flow log resources should be in enabled state' - **Policy ID:** [c251913d-7d24-4958-af87-478ed3b9ba41](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc251913d-7d24-4958-af87-478ed3b9ba41) **- Name:** 'Flow logs should be configured for every network security group' - **Policy ID:** [4c3c6c5f-0d47-4402-99b8-aa543dd8bcee](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4c3c6c5f-0d47-4402-99b8-aa543dd8bcee) **- Name:** 'Flow logs should be configured for every virtual network'", + "AdditionalInformation": "", + "DefaultValue": "By default Network Security Group logs are not sent to Log Analytics.", + "References": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.1.6", + "Description": "Ensure that logging for Azure AppService 'HTTP logs' is enabled", + "Checks": [ + "app_http_logs_enabled" + ], + "Attributes": [ + { + "Section": "5.1 Configuring Diagnostic Settings", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.", + "RationaleStatement": "Capturing web requests can be important 
supporting information for security analysts performing monitoring and incident response activities. Once logging, these logs can be ingested into SIEM or other central aggregation point for the organization.", + "ImpactStatement": "Log consumption and processing will incur additional cost.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `App Services` For each `App Service`: 2. Go to `Diagnostic Settings` 3. Click `Add Diagnostic Setting` 4. Check the checkbox next to 'HTTP logs' 5. Configure a destination based on your specific logging consumption capability (for example Stream to an event hub and then consuming with SIEM integration for Event Hub logging).", + "AuditProcedure": "**From Azure Portal** 1. Go to `App Services` For each `App Service`: 2. Go to `Diagnostic Settings` 3. Ensure that 'HTTP logs' is configured to log to a destination aligned to your environments approach to log consumption (event hub, storage account, etc. dependent on what is consuming the logs such as SIEM or other log aggregation utility).", + "AdditionalInformation": "", + "DefaultValue": "Not configured.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.2.1", + "Description": "Ensure that Activity Log Alert exists for Create Policy Assignment", + "Checks": [ + "monitor_alert_create_policy_assignment" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Create Policy Assignment event.", + "RationaleStatement": "Monitoring for create policy assignment events gives insight into changes done in Azure policy - assignments and can reduce the time it takes to detect unsolicited changes.", + "ImpactStatement": "", + 
"RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. Select `Alert rule`. 1. Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. Select `Create policy assignment (Policy assignment)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Authorization/policyAssignments/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Get the `Action Group` information and store it in a variable, then create a new `Action` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` variable. 
``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Authorization/policyAssignments/write` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```", + "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Authorization/policyAssignments/write`. 1. Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Create policy assignment'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Authorization/policyAssignments/write` in the output. If it's missing, generate a finding. **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Authorization/policyAssignments/write}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` If the output is empty, an `alert rule` for `Create Policy Assignments` is not configured. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [c5447c04-a4d7-4ba8-a263-c9ee321a6858](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc5447c04-a4d7-4ba8-a263-c9ee321a6858) **- Name:** 'An activity log alert should exist for specific Policy operations'", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://docs.microsoft.com/en-in/rest/api/policy/policy-assignments:https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log" + } + ] + }, + { + "Id": "5.2.2", + "Description": "Ensure that Activity Log Alert exists for Delete Policy Assignment", + "Checks": [ + "monitor_alert_delete_policy_assignment" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Delete Policy Assignment event.", + "RationaleStatement": "Monitoring for delete policy assignment events gives insight into changes done in azure policy - assignments and can reduce the time it takes to detect unsolicited changes.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. Select `Alert rule`. 1. 
Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. Select `Delete policy assignment (Policy assignment)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the conditions object ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Authorization/policyAssignments/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Action` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` variable. ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Authorization/policyAssignments/delete`. ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```", + "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. 
Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Authorization/policyAssignments/delete`. 1. Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete policy assignment'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Authorization/policyAssignments/delete` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Authorization/policyAssignments/delete}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [c5447c04-a4d7-4ba8-a263-c9ee321a6858](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc5447c04-a4d7-4ba8-a263-c9ee321a6858) **- Name:** 'An activity log alert should exist for specific Policy operations'", + "AdditionalInformation": "This log alert also applies for Azure Blueprints.", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": "https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation:https://azure.microsoft.com/en-us/services/blueprints/" + } + ] + }, + { + "Id": "5.2.3", + "Description": "Ensure that Activity Log Alert exists for Create or Update Network Security Group", + "Checks": [ + "monitor_alert_create_update_nsg" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an Activity Log Alert for the Create or Update Network Security Group event.", + "RationaleStatement": "Monitoring for Create or Update Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. Select `Alert rule`. 1. Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. 
Select `Create or Update Network Security Group (Network Security Group)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/write and level=verbose --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `Conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/networkSecurityGroups/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Actions` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` object ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Network/networkSecurityGroups/write` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```", + "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. 
Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Network/networkSecurityGroups/write`. 1. Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Create or Update Network Security Group'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Network/networkSecurityGroups/write` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Network/networkSecurityGroups/write}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b954148f-4c11-4c38-8221-be76711e194a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb954148f-4c11-4c38-8221-be76711e194a) **- Name:** 'An activity log alert should exist for specific Administrative operations'", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.2.4", + "Description": "Ensure that Activity Log Alert exists for Delete Network Security Group", + "Checks": [ + "monitor_alert_delete_nsg" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Delete Network Security Group event.", + "RationaleStatement": "Monitoring for Delete Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. Select `Alert rule`. 1. Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. 
Select `Delete Network Security Group (Network Security Group)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/delete and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `Conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/networkSecurityGroups/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Actions` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` object ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Network/networkSecurityGroups/delete` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```", + "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Network/networkSecurityGroups/delete`. 
1. Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete Network Security Group'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Network/networkSecurityGroups/delete` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Network/networkSecurityGroups/delete}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b954148f-4c11-4c38-8221-be76711e194a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb954148f-4c11-4c38-8221-be76711e194a) **- Name:** 'An activity log alert should exist for specific Administrative operations'", + "AdditionalInformation": "", + "DefaultValue": "By default, no monitoring alerts are created.", + "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation" + } + ] + }, + { + "Id": "5.2.5", + "Description": "Ensure that Activity Log Alert exists for Create or Update Security Solution", + "Checks": [ + "monitor_alert_create_update_security_solution" + ], + "Attributes": [ + { + "Section": "5.2 Monitoring using Activity Log Alerts", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Create an activity log alert for the Create or Update Security Solution event.", + "RationaleStatement": "Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. Select `Alert rule`. 1. Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. 
Select `Create or Update Security Solutions (Security Solutions)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/write and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `Conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Security/securitySolutions/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Actions` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` object ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Security/securitySolutions/write` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```", + "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Security/securitySolutions/write`. 1. 
Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Create or Update Security Solutions'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Security/securitySolutions/write` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Security/securitySolutions/write}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b954148f-4c11-4c38-8221-be76711e194a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb954148f-4c11-4c38-8221-be76711e194a) **- Name:** 'An activity log alert should exist for specific Administrative operations'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.2.6",
+ "Description": "Ensure that Activity Log Alert exists for Delete Security Solution",
+ "Checks": [
+ "monitor_alert_delete_security_solution"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.2 Monitoring using Activity Log Alerts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Create an activity log alert for the Delete Security Solution event.",
+ "RationaleStatement": "Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "**From Azure Console** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. Select `Alert rule`. 1. Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. 
Select `Delete Security Solutions (Security Solutions)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Security/securitySolutions/delete and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `Conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Security/securitySolutions/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Actions` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` object ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Security/securitySolutions/delete` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```",
+ "AuditProcedure": "**From Azure Console** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Security/securitySolutions/delete`. 1. 
Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete Security Solutions'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Security/securitySolutions/delete` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Security/securitySolutions/delete}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b954148f-4c11-4c38-8221-be76711e194a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb954148f-4c11-4c38-8221-be76711e194a) **- Name:** 'An activity log alert should exist for specific Administrative operations'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.2.7",
+ "Description": "Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule",
+ "Checks": [
+ "monitor_alert_create_update_sqlserver_fr"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.2 Monitoring using Activity Log Alerts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Create an activity log alert for the Create or Update SQL Server Firewall Rule event.",
+ "RationaleStatement": "Monitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
+ "ImpactStatement": "There will be a substantial increase in log size if there are a large number of administrative actions on a server.",
+ "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. 
Select `Alert rule`. 1. Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. Select `Create/Update server firewall rule (Server Firewall Rule)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `Conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Sql/servers/firewallRules/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Actions` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` object ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Sql/servers/firewallRules/write` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```",
+ "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. 
Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Sql/servers/firewallRules/write`. 1. Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Create/Update server firewall rule'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Sql/servers/firewallRules/write` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Sql/servers/firewallRules/write}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b954148f-4c11-4c38-8221-be76711e194a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb954148f-4c11-4c38-8221-be76711e194a) **- Name:** 'An activity log alert should exist for specific Administrative operations'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created or active.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.2.8",
+ "Description": "Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule",
+ "Checks": [
+ "monitor_alert_delete_sqlserver_fr"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.2 Monitoring using Activity Log Alerts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Create an activity log alert for the Delete SQL Server Firewall Rule.",
+ "RationaleStatement": "Monitoring for Delete SQL Server Firewall Rule events gives insight into SQL network access changes and may reduce the time it takes to detect suspicious activity.",
+ "ImpactStatement": "There will be a substantial increase in log size if there are a large number of administrative actions on a server.",
+ "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. Select `Alert rule`. 1. 
Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. Select `Delete server firewall rule (Server Firewall Rule)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/delete and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `Conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Sql/servers/firewallRules/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Actions` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` object ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Sql/servers/firewallRules/delete` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```",
+ "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. 
Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Sql/servers/firewallRules/delete`. 1. Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete server firewall rule'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Sql/servers/firewallRules/delete` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Sql/servers/firewallRules/delete}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b954148f-4c11-4c38-8221-be76711e194a](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb954148f-4c11-4c38-8221-be76711e194a) **- Name:** 'An activity log alert should exist for specific Administrative operations'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created or active.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.2.9",
+ "Description": "Ensure that Activity Log Alert exists for Create or Update Public IP Address rule",
+ "Checks": [
+ "monitor_alert_create_update_public_ip_address_rule"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.2 Monitoring using Activity Log Alerts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Create an activity log alert for the Create or Update Public IP Addresses rule.",
+ "RationaleStatement": "Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
+ "ImpactStatement": "There will be a substantial increase in log size if there are a large number of administrative actions on a server.",
+ "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. 
Select `Alert rule`. 1. Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. Select `Create or Update Public Ip Address (Public Ip Address)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/write and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `Conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/publicIPAddresses/write -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Actions` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` object ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Network/publicIPAddresses/write` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```",
+ "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. 
Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Network/publicIPAddresses/write`. 1. Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Create or Update Public Ip Address'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Network/publicIPAddresses/write` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Network/publicIPAddresses/write}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [1513498c-3091-461a-b321-e9b433218d28](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1513498c-3091-461a-b321-e9b433218d28) **- Name:** 'Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created or active.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.2.10",
+ "Description": "Ensure that Activity Log Alert exists for Delete Public IP Address rule",
+ "Checks": [
+ "monitor_alert_delete_public_ip_address_rule"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.2 Monitoring using Activity Log Alerts",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Create an activity log alert for the Delete Public IP Address rule.",
+ "RationaleStatement": "Monitoring for Delete Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.",
+ "ImpactStatement": "There will be a substantial increase in log size if there are a large number of administrative actions on a server.",
+ "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Select `Alerts`. 1. Select `Create`. 1. 
Select `Alert rule`. 1. Choose a subscription. 1. Select `Apply`. 1. Select the `Condition` tab. 1. Click `See all signals`. 1. Select `Delete Public Ip Address (Public Ip Address)`. 1. Click `Apply`. 1. Select the `Actions` tab. 1. Click `Select action groups` to select an existing action group, or `Create action group` to create a new action group. 1. Follow the prompts to choose or create an action group. 1. Select the `Details` tab. 1. Select a `Resource group`, provide an `Alert rule name` and an optional `Alert rule description`. 1. Click `Review + create`. 1. Click `Create`. **From Azure CLI** ``` az monitor activity-log alert create --resource-group --condition category=Administrative and operationName=Microsoft.Network/publicIPAddresses/delete and level= --scope /subscriptions/ --name --subscription --action-group ``` **From PowerShell** Create the `Conditions` object. ``` $conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Network/publicIPAddresses/delete -Field operationName $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level ``` Retrieve the `Action Group` information and store in a variable, then create the `Actions` object. ``` $actionGroup = Get-AzActionGroup -ResourceGroupName -Name $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id ``` Create the `Scope` object ``` $scope = /subscriptions/ ``` Create the `Activity Log Alert Rule` for `Microsoft.Network/publicIPAddresses/delete` ``` New-AzActivityLogAlert -Name -ResourceGroupName -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true ```",
+ "AuditProcedure": "**From Azure Portal** 1. Navigate to the `Monitor` blade. 1. Click on `Alerts`. 1. In the Alerts window, click on `Alert rules`. 1. 
Ensure an alert rule exists where the Condition column contains `Operation name=Microsoft.Network/publicIPAddresses/delete`. 1. Click on the Alert `Name` associated with the previous step. 1. Ensure the `Condition` panel displays the text `Whenever the Activity Log has an event with Category='Administrative', Operation name='Delete Public Ip Address'` and does not filter on `Level`, `Status` or `Caller`. 1. Ensure the `Actions` panel displays an Action group is assigned to notify the appropriate personnel in your organization. **From Azure CLI** ``` az monitor activity-log alert list --subscription --query [].{Name:name,Enabled:enabled,Condition:condition.allOf,Actions:actions} ``` Look for `Microsoft.Network/publicIPAddresses/delete` in the output **From PowerShell** ``` Get-AzActivityLogAlert -SubscriptionId |where-object {$_.ConditionAllOf.Equal -match Microsoft.Network/publicIPAddresses/delete}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [1513498c-3091-461a-b321-e9b433218d28](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1513498c-3091-461a-b321-e9b433218d28) **- Name:** 'Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no monitoring alerts are created or active.",
+ "References": "https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement:https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate:https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation"
+ }
+ ]
+ },
+ {
+ "Id": "5.3.1",
+ "Description": "Ensure Application Insights are Configured",
+ "Checks": [
+ "appinsights_ensure_is_configured"
+ ],
+ "Attributes": [
+ {
+ "Section": "5.3 Configuring Application Insights. Storage Accounts",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. 
Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.",
+ "RationaleStatement": "Configuring Application Insights provides additional data not found elsewhere within Azure as part of a much larger logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.",
+ "ImpactStatement": "Because Application Insights relies on a Log Analytics Workspace, an organization will incur additional expenses when using this service.",
+ "RemediationProcedure": "Remediation Procedures **From Azure Portal** 1. Navigate to `Application Insights` 2. Under the `Basics` tab within the `PROJECT DETAILS` section, select the `Subscription` 3. Select the `Resource group` 4. Within the `INSTANCE DETAILS`, enter a `Name` 5. Select a `Region` 6. Next to `Resource Mode`, select `Workspace-based` 7. Within the `WORKSPACE DETAILS`, select the `Subscription` for the log analytics workspace 8. Select the appropriate `Log Analytics Workspace` 9. Click `Next:Tags >` 10. Enter the appropriate `Tags` as `Name`, `Value` pairs. 11. Click `Next:Review+Create` 12. 
Click `Create` **From Azure CLI** ``` az monitor app-insights component create --app --resource-group --location --kind web --retention-time --workspace --subscription ``` **From PowerShell** ``` New-AzApplicationInsights -Kind web -ResourceGroupName -Name -location -RetentionInDays -SubscriptionID -WorkspaceResourceId ```",
+ "AuditProcedure": "**From Azure Portal** 1. Navigate to `Application Insights` 2. Ensure an `Application Insights` service is configured and exists. **From Azure CLI** *Note:* The `application-insights` extension to Azure CLI is currently in `Preview` Add the `application-insights` extension. ``` az extension add --name application-insights ``` ``` az monitor app-insights component show --query [].{ID:appId, Name:name, Tenant:tenantId, Location:location, Provisioning_State:provisioningState} ``` Ensure the above command produces output, otherwise `Application Insights` has not been configured. **From PowerShell** ``` Get-AzApplicationInsights|select location,name,appid,provisioningState,tenantid ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [fa9cd53d-cb8f-464e-84f1-7b1490fd21c6](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffa9cd53d-cb8f-464e-84f1-7b1490fd21c6) **- Name:** 'Deploy Diagnostic Settings for Application Insights to Log Analytics workspace'",
+ "AdditionalInformation": "",
+ "DefaultValue": "Application Insights are not enabled by default.",
+ "References": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview"
+ }
+ ]
+ },
+ {
+ "Id": "6.1",
+ "Description": "Ensure that RDP access from the Internet is evaluated and restricted",
+ "Checks": [
+ "network_rdp_internet_access_restricted"
+ ],
+ "Attributes": [
+ {
+ "Section": "6. Networking",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.",
+ "RationaleStatement": "The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.",
+ "ImpactStatement": "",
+ "RemediationProcedure": "Where RDP is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. 
For internal access to relevant resources, configure an encrypted network tunnel such as: [ExpressRoute](https://docs.microsoft.com/en-us/azure/expressroute/) [Site-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal) [Point-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)", + "AuditProcedure": "**From Azure Portal** 1. For each VM, open the `Networking` blade 2. Verify that the `INBOUND PORT RULES` **does not** have a rule for RDP such as - port = `3389`, - protocol = `TCP` OR `ANY`, - Source = `Any` OR `Internet` **From Azure CLI** List Network security groups with corresponding non-default Security rules: ``` az network nsg list --query [*].[name,securityRules] ``` Ensure that none of the NSGs have security rule as below ``` access : Allow destinationPortRange : 3389 or * or [port range containing 3389] direction : Inbound protocol : TCP or * sourceAddressPrefix : * or 0.0.0.0 or /0 or /0 or internet or any ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [22730e10-96f6-4aac-ad84-9383d35b5917](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) **- Name:** 'Management ports should be closed on your virtual machines'", + "AdditionalInformation": "", + "DefaultValue": "By default, RDP access from internet is not `enabled`.", + "References": "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries:Express Route: https://docs.microsoft.com/en-us/azure/expressroute/:Site-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal:Point-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal" + } + ] + }, + { + "Id": "6.2", + "Description": "Ensure that SSH access from the Internet is evaluated and restricted", + "Checks": [ + "network_ssh_internet_access_restricted" + ], + "Attributes": [ + { + "Section": "6. Networking", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.", + "RationaleStatement": "The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "ImpactStatement": "", + "RemediationProcedure": "Where SSH is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: [ExpressRoute](https://docs.microsoft.com/en-us/azure/expressroute/) [Site-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal) [Point-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)", + "AuditProcedure": "**From Azure Portal** 1. Open the `Networking` blade for the specific Virtual machine in Azure portal 2. Verify that the `INBOUND PORT RULES` **does not** have a rule for SSH such as - port = `22`, - protocol = `TCP` OR `ANY`, - Source = `Any` OR `Internet` **From Azure CLI** List Network security groups with corresponding non-default Security rules: ``` az network nsg list --query [*].[name,securityRules] ``` Ensure that none of the NSGs have security rule as below ``` access : Allow destinationPortRange : 22 or * or [port range containing 22] direction : Inbound protocol : TCP or * sourceAddressPrefix : * or 0.0.0.0 or /0 or /0 or internet or any ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [22730e10-96f6-4aac-ad84-9383d35b5917](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) **- Name:** 'Management ports should be closed on your virtual machines'", + "AdditionalInformation": "", + "DefaultValue": "By default, SSH access from internet is not `enabled`.", + "References": "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries:Express Route: https://docs.microsoft.com/en-us/azure/expressroute/:Site-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal:Point-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal" + } + ] + }, + { + "Id": "6.3", + "Description": "Ensure that UDP access from the Internet is evaluated and restricted", + "Checks": [ + "network_udp_internet_access_restricted" + ], + "Attributes": [ + { + "Section": "6. Networking", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.", + "RationaleStatement": "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. 
The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification sources for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.", + "ImpactStatement": "", + "RemediationProcedure": "Where UDP is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: [ExpressRoute](https://docs.microsoft.com/en-us/azure/expressroute/) [Site-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal) [Point-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)", + "AuditProcedure": "**From Azure Portal** 1. Open the `Networking` blade for the specific Virtual machine in Azure portal 2. 
Verify that the `INBOUND PORT RULES` **does not** have a rule for UDP such as - protocol = `UDP`, - Source = `Any` OR `Internet` **From Azure CLI** List Network security groups with corresponding non-default Security rules: ``` az network nsg list --query [*].[name,securityRules] ``` Ensure that none of the NSGs have security rule as below ``` access : Allow destinationPortRange : * or [port range containing 53, 123, 161, 389, 1900, or other vulnerable UDP-based services] direction : Inbound protocol : UDP sourceAddressPrefix : * or 0.0.0.0 or /0 or /0 or internet or any ```", + "AdditionalInformation": "", + "DefaultValue": "By default, UDP access from internet is not `enabled`.", + "References": "https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks:https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries:ExpressRoute: https://docs.microsoft.com/en-us/azure/expressroute/:Site-to-site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal:Point-to-site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal" + } + ] + }, + { + "Id": "6.4", + "Description": "Ensure that HTTP(S) access from the Internet is evaluated and restricted", + "Checks": [ + "network_http_internet_access_restricted" + ], + "Attributes": [ + { + "Section": "6. Networking", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Network security groups should be periodically evaluated for port misconfigurations. 
Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.", + "RationaleStatement": "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.", + "ImpactStatement": "", + "RemediationProcedure": "Using Azure console 1. Go to `Virtual machines`. 2. For each VM, open the `Networking` blade. 3. Click on `Inbound port rules`. 4. Delete the rule with: * Port = 80/443 OR \\[port range containing 80/443\\] * Protocol = TCP OR Any * Source = Any (\\*) OR IP Addresses(0.0.0.0/0) OR Service Tag(Internet) * Action = Allow Using CLI 1. Run below command to list network security groups: ``` az network nsg list --subscription --output table ``` 2. For each network security group, run below command to list the rules associated with the specified port: ``` az network nsg rule list --resource-group --nsg-name --query [?destinationPortRange=='80 or 443'] ``` 3. Run the below command to delete the rule with: * Port = 80/443 OR \\[port range containing 80/443\\] * Protocol = TCP OR * * Source = Any (\\*) OR IP Addresses(0.0.0.0/0) OR Service Tag(Internet) * Action = Allow ``` az network nsg rule delete --resource-group --nsg-name --name ```", + "AuditProcedure": "**From Azure Portal** 1. For each VM, open the Networking blade 2. 
Verify that the INBOUND PORT RULES does not have a rule for HTTP(S) such as - port = `80`/ `443`, - protocol = `TCP`, - Source = `Any` OR `Internet` **From Azure CLI** List Network security groups with corresponding non-default Security rules: ``` az network nsg list --query [*].[name,securityRules] ``` Ensure that none of the NSGs have security rule as below ``` access : Allow destinationPortRange : 80/443 or * or [port range containing 80/443] direction : Inbound protocol : TCP sourceAddressPrefix : * or 0.0.0.0 or /0 or /0 or internet or any ```", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "Express Route: https://docs.microsoft.com/en-us/azure/expressroute/:Site-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal:Point-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries" + } + ] + }, + { + "Id": "6.5", + "Description": "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'", + "Checks": [ + "network_flow_log_more_than_90_days" + ], + "Attributes": [ + { + "Section": "6. Networking", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.", + "RationaleStatement": "Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.", + "ImpactStatement": "This will keep IP traffic logs for longer than 90 days. As a level 2, first determine your need to retain data, then apply your selection here. 
As this is data stored for longer, your monthly storage costs will increase depending on your data use.", + "RemediationProcedure": "**From Azure Portal** 1. Go to `Network Watcher` 2. Select `NSG flow logs` blade in the Logs section 3. Select each Network Security Group from the list 4. Ensure `Status` is set to `On` 5. Ensure `Retention (days)` setting `greater than 90 days` 6. Select your storage account in the `Storage account` field 7. Select `Save` **From Azure CLI** Enable the `NSG flow logs` and set the Retention (days) to greater than or equal to 90 days. ``` az network watcher flow-log configure --nsg --enabled true --resource-group --retention 91 --storage-account ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Network Watcher` 2. Select `NSG flow logs` blade in the Logs section 3. Select each Network Security Group from the list 4. Ensure `Status` is set to `On` 5. Ensure `Retention (days)` setting `greater than 90 days` **From Azure CLI** ``` az network watcher flow-log show --resource-group --nsg --query 'retentionPolicy' ``` Ensure that `enabled` is set to `true` and `days` is set to `greater then or equal to 90`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [5e1cd26a-5090-4fdb-9d6a-84a90335e22d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5e1cd26a-5090-4fdb-9d6a-84a90335e22d) **- Name:** 'Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics'", + "AdditionalInformation": "", + "DefaultValue": "By default, Network Security Group Flow Logs are `disabled`.", + "References": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview:https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-6-configure-log-storage-retention" + } + ] + }, + { + "Id": "6.6", + "Description": "Ensure that Network Watcher is 'Enabled'", + "Checks": [ + "network_watcher_enabled" + ], + "Attributes": [ + { + "Section": "6. Networking", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Enable Network Watcher for physical regions in Azure subscriptions.", + "RationaleStatement": "Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.", + "ImpactStatement": "There are additional costs per transaction to run and store network data. For high-volume networks these charges will add up quickly.", + "RemediationProcedure": "Opting out of Network Watcher automatic enablement is a permanent change. Once you opt-out you cannot opt-in without contacting support. To manually enable Network Watcher in each region where you want to use Network Watcher capabilities, follow the steps below. **From Azure Portal** 1. Go to `Network Watcher`. 
2. Click `Create`. 3. Select a `Region` from the drop-down menu. 4. Click `Add`. **From Azure CLI** ``` az network watcher configure --locations --enabled true --resource-group ```", + "AuditProcedure": "**From Azure Portal** 1. Go to `Network Watcher` 2. Ensure that a network watcher is listed for each region. **From Azure CLI** ``` az network watcher list --query [].{Location:location,State:provisioningState} -o table ``` This will list all network watchers and their provisioning state. Ensure `provisioningState` is `Succeeded` for each network watcher. ``` az account list-locations --query [?metadata.regionType=='Physical'].{Name:name,DisplayName:regionalDisplayName} -o table ``` This will list all physical regions that exist in the subscription. Compare this list to the previous one to ensure that for each region, a network watcher exists with `provisioningState` set to `Succeeded`. **From PowerShell** Get a list of Network Watchers ``` Get-AzNetworkWatcher ``` Make sure each watcher is set with the `ProvisioningState` setting set to `Succeeded` and all `Locations` are set with a watcher. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [b6e2945c-0b7b-40f5-9233-7a5323b5cdc6](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) **- Name:** 'Network Watcher should be enabled'", + "AdditionalInformation": "", + "DefaultValue": "Network Watcher is automatically enabled. When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region. 
There is no impact to your resources or associated charge for automatically enabling Network Watcher.", + "References": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview:https://docs.azure.cn/zh-cn/cli/network/watcher?view=azure-cli-latest#az_network_watcher_list:https://docs.azure.cn/zh-cn/cli/network/watcher?view=azure-cli-latest#az_network_watcher_configure:https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-create:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation:https://azure.microsoft.com/en-ca/pricing/details/network-watcher/" + } + ] + }, + { + "Id": "6.7", + "Description": "Ensure that Public IP addresses are Evaluated on a Periodic Basis", + "Checks": [], + "Attributes": [ + { + "Section": "6. Networking", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.", + "RationaleStatement": "Public IP Addresses allocated to the tenant should be periodically reviewed for necessity. Public IP Addresses that are not intentionally assigned and controlled present a publicly facing vector for threat actors and significant risk to the tenant.", + "ImpactStatement": "", + "RemediationProcedure": "Remediation will vary significantly depending on your organization's security requirements for the resources attached to each individual Public IP address.", + "AuditProcedure": "**From Azure Portal** 1. Open the `All Resources` blade 2. Click on `Add Filter` 3. In the Add Filter window, select the following: Filter: `Type` Operator: `Equals` Value: `Public IP address` 4. Click the `Apply` button 5. 
For each Public IP address in the list, use Overview (or Properties) to review the `Associated to:` field and determine if the associated resource is still relevant to your tenant environment. If the associated resource is relevant, ensure that additional controls exist to mitigate risk (e.g. Firewalls, VPNs, Traffic Filtering, Virtual Gateway Appliances, Web Application Firewalls, etc.) on all subsequently attached resources. **From Azure CLI** List all Public IP addresses: ``` az network public-ip list ``` For each Public IP address in the output, review the `name` property and determine if the associated resource is still relevant to your tenant environment. If the associated resource is relevant, ensure that additional controls exist to mitigate risk (e.g. Firewalls, VPNs, Traffic Filtering, Virtual Gateway Appliances, Web Application Firewalls, etc.) on all subsequently attached resources.", + "AdditionalInformation": "", + "DefaultValue": "During Virtual Machine and Application creation, a setting may create and attach a public IP.", + "References": "https://docs.microsoft.com/en-us/cli/azure/network/public-ip?view=azure-cli-latest:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security" + } + ] + }, + { + "Id": "7.1", + "Description": "Ensure an Azure Bastion Host Exists", + "Checks": [ + "network_bastion_host_exists" + ], + "Attributes": [ + { + "Section": "7. Virtual Machines", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. 
The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.", + "RationaleStatement": "The Azure Bastion service allows organizations a more secure means of accessing Azure Virtual Machines over the Internet without assigning public IP addresses to those Virtual Machines. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser, thus preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines. Additional benefits of the Bastion service includes Multi-Factor Authentication, Conditional Access Policies, and any other hardening measures configured within Azure Active Directory using a central point of access.", + "ImpactStatement": "The Azure Bastion service incurs additional costs and requires a specific virtual network configuration. The `Standard` tier offers additional configuration options compared to the `Basic` tier and may incur additional costs for those added features.", + "RemediationProcedure": "Remediation Procedures **From Azure Portal** 1. Click on `Bastions` 2. Select the `Subscription` 3. Select the `Resource group` 4. Type a `Name` for the new Bastion host 5. Select a `Region` 6. Choose `Standard` next to `Tier` 7. Use the slider to set the `Instance count` 8. Select the `Virtual network` or `Create new` 9. Select the `Subnet` named `AzureBastionSubnet`. Create a `Subnet` named `AzureBastionSubnet` using a `/26` CIDR range if it doesn't already exist. 10. Selct the appropriate `Public IP address` option. 11. If `Create new` is selected for the `Public IP address` option, provide a `Public IP address name`. 12. If `Use existing` is selected for `Public IP address` option, select an IP address from `Choose public IP address` 13. Click `Next: Tags >` 14. Configure the appropriate `Tags` 15. 
Click `Next: Advanced >` 16. Select the appropriate `Advanced` options 17. Click `Next: Review + create >` 18. Click `Create` **From Azure CLI** ``` az network bastion create --location --name --public-ip-address --resource-group --vnet-name --scale-units --sku Standard [--disable-copy-paste true|false] [--enable-ip-connect true|false] [--enable-tunneling true|false] ``` **From PowerShell** Create the appropriate `Virtual network` settings and `Public IP Address` settings. ``` $subnetName = AzureBastionSubnet $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $virtualNet = New-AzVirtualNetwork -Name -ResourceGroupName -Location -AddressPrefix -Subnet $subnet $publicip = New-AzPublicIpAddress -ResourceGroupName -Name -Location -AllocationMethod Dynamic -Sku Standard ``` Create the `Azure Bastion` service using the information within the created variables from above. ``` New-AzBastion -ResourceGroupName -Name -PublicIpAddress $publicip -VirtualNetwork $virtualNet -Sku Standard -ScaleUnit ```", + "AuditProcedure": "**From Azure Portal** 1. Click on `Bastions` 2. Ensure there is at least one `Bastion` host listed under the `Name` column **From Azure CLI** **Note:** The Azure CLI `network bastion` module is in `Preview` as of this writing ``` az network bastion list --subscription ``` Ensure the output of the above command is not empty. 
**From PowerShell** Retrieve the `Bastion` host(s) information for a specific `Resource Group` ``` Get-AzBastion -ResourceGroupName ``` Ensure the output of the above command is not empty.", + "AdditionalInformation": "", + "DefaultValue": "By default, the Azure Bastion service is not configured.", + "References": "https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku:https://learn.microsoft.com/en-us/powershell/module/az.network/get-azbastion?view=azps-9.2.0:https://learn.microsoft.com/en-us/cli/azure/network/bastion?view=azure-cli-latest" + } + ] + }, + { + "Id": "7.2", + "Description": "Ensure Virtual Machines are utilizing Managed Disks", + "Checks": [ + "vm_ensure_using_managed_disks" + ], + "Attributes": [ + { + "Section": "7. Virtual Machines", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include: 1) Default Disk Encryption 2) Resilience, as Microsoft will managed the disk storage and move around if underlying hardware goes faulty 3) Reduction of costs over storage accounts", + "RationaleStatement": "Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required. Managed disks are by design more resilient that storage accounts. For ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective.", + "ImpactStatement": "There are additional costs for managed disks based off of disk space allocated. When converting to managed disks, VMs will be powered off and back on.", + "RemediationProcedure": "**From Azure Portal** 1. Using the search feature, go to `Virtual Machines` 2. Select the virtual machine you would like to convert 3. Select `Disks` in the menu for the VM 4. 
At the top select `Migrate to managed disks` 5. You may follow the prompts to convert the disk and finish by selecting `Migrate` to start the process **NOTE** VMs will be stopped and restarted after migration is complete. **From PowerShell** ``` Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName ```", + "AuditProcedure": "**From Azure Portal** 1. Using the search feature, go to `Virtual Machines` 2. Click the `Manage view` dropdown, then select `Edit columns` 3. Add `Uses managed disks` to the selected columns 4. Select `Save` 5. Ensure all virtual machines listed are using managed disks **From PowerShell** ``` Get-AzVM | ForEach-Object {Name: + $_.Name;ManagedDisk Id: + $_.StorageProfile.OsDisk.ManagedDisk.Id;} ``` Example output: ``` Name: vm1 ManagedDisk Id: /disk1/id Name: vm2 ManagedDisk Id: /disk2/id ``` If the 'ManagedDisk Id' field is empty the os disk for that vm is not managed. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [06a78e20-9358-41c9-923c-fb736d382a4d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) **- Name:** 'Audit VMs that do not use managed disks'", + "AdditionalInformation": "", + "DefaultValue": "Managed disks or are an option upon the creation of VMs.", + "References": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default:https://docs.microsoft.com/en-us/azure/virtual-machines/faq-for-disks:https://azure.microsoft.com/en-us/pricing/details/managed-disks/" + } + ] + }, + { + "Id": "7.3", + "Description": "Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)", + "Checks": [ + "vm_ensure_attached_disks_encrypted_with_cmk" + ], + "Attributes": [ + { + "Section": "7. Virtual Machines", + "Profile": "Level 2", + "AssessmentStatus": "Automated", + "Description": "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).", + "RationaleStatement": "Encrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. 
The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security.", + "ImpactStatement": "Using CMK/BYOK will entail additional management of keys. **NOTE:** You must have your key vault set up to utilize this.", + "RemediationProcedure": "**From Azure Portal** **Note:** Disks must be detached from VMs to have encryption changed. 1. Go to `Virtual machines` 2. For each virtual machine, go to `Settings` 3. Click on `Disks` 4. Click the ellipsis (`...`), then click `Detach` to detach the disk from the VM 5. Now search for `Disks` and locate the unattached disk 6. Click the disk then select `Encryption` 7. Change your encryption type, then select your encryption set 8. Click `Save` 9. Go back to the VM and re-attach the disk **From PowerShell** ``` $KVRGname = 'MyKeyVaultResourceGroup'; $VMRGName = 'MyVirtualMachineResourceGroup'; $vmName = 'MySecureVM'; $KeyVaultName = 'MySecureVault'; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId; ``` **NOTE:** During encryption it is likely that a reboot will be required. It may take up to 15 minutes to complete the process. 
**NOTE 2:** This may differ for Linux machines as you may need to set the `-skipVmBackup` parameter",
+ "AuditProcedure": "**From Azure Portal** 1. Go to `Virtual machines` 2. For each virtual machine, go to `Settings` 3. Click on `Disks` 4. Ensure that the `OS disk` and `Data disks` have encryption set to CMK. **From PowerShell** ``` $ResourceGroupName=yourResourceGroupName $DiskName=yourDiskName $disk=Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName $disk.Encryption.Type ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [0961003e-5a0a-4549-abde-af6a37f2724d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) **- Name:** 'Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, Azure disks are encrypted using SSE with PMK.",
+ "References": "https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss:https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json:https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest 
https://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart:https://docs.microsoft.com/en-us/rest/api/compute/disks/delete:https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell:https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption"
+ }
+ ]
+ },
+ {
+ "Id": "7.4",
+ "Description": "Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)",
+ "Checks": [
+ "vm_ensure_unattached_disks_encrypted_with_cmk"
+ ],
+ "Attributes": [
+ {
+ "Section": "7. Virtual Machines",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).",
+ "RationaleStatement": "Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks, which may lead to sensitive information disclosure and tampering.",
+ "ImpactStatement": "**NOTE:** You must have your key vault set up to utilize this. Encryption is available only on Standard tier VMs. This might cost you more. 
Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys.",
+ "RemediationProcedure": "If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at: ``` -https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete ``` If data stored in the disk is important, To encrypt the disk refer azure documentation at: ``` -https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal -https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings ```",
+ "AuditProcedure": "**From Azure Portal** 1. Go to `Disks` 1. Click on `Add Filter` 1. In the `filter` field select `Disk state` 1. In the `Value` field select `Unattached` 1. Click `Apply` 1. for each disk listed ensure that `Encryption type` in the `encryption` blade is `Encryption at-rest with a customer-managed key' **From Azure CLI** Ensure command below does not return any output. ``` az disk list --query '[? diskstate == `Unattached`].{encryptionSettings: encryptionSettings, name: name}' -o json ``` Sample Output: ``` [ { encryptionSettings: null, name: }, { encryptionSettings: null, name: } ] ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [ca91455f-eace-4f96-be59-e6e2c35b4816](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca91455f-eace-4f96-be59-e6e2c35b4816) **- Name:** 'Managed disks should be double encrypted with both platform-managed and customer-managed keys'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, managed disks are encrypted with a Platform-managed key.",
+ "References": "https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss:https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json:https://docs.microsoft.com/en-us/rest/api/compute/disks/delete:https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete:https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings:https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required"
+ }
+ ]
+ },
+ {
+ "Id": "7.5",
+ "Description": "Ensure that Only Approved Extensions Are Installed",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "7. Virtual Machines",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Manual",
+ "Description": "For added security, only install organization-approved extensions on VMs.",
+ "RationaleStatement": "Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. 
The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.",
+ "ImpactStatement": "Functionality by unsupported extensions will be disabled.",
+ "RemediationProcedure": "**From Azure Portal** 1. Go to `Virtual machines` 2. For each virtual machine, go to `Settings` 3. Click on `Extensions + applications` 4. If there are unapproved extensions, uninstall them. **From Azure CLI** From the audit command identify the unapproved extensions, and use the below CLI command to remove an unapproved extension attached to VM. ``` az vm extension delete --resource-group --vm-name --name ``` **From PowerShell** For each VM and each insecure extension from the Audit Procedure run the following command. ``` Remove-AzVMExtension -ResourceGroupName -Name -VMName ```",
+ "AuditProcedure": "**From Azure Portal** 1. Go to `Virtual machines`. 2. For each virtual machine, click on the server name to select it go to 3. In the new column menu, under `Settings` Click on `Extensions + applications`. 4. Ensure that all the listed extensions are approved by your organization for use. **From Azure CLI** Use the below command to list the extensions attached to a VM, and ensure the listed extensions are approved for use. ``` az vm extension list --vm-name --resource-group --query [*].name ``` **From PowerShell** Get a list of VMs. ``` Get-AzVM ``` For each VM run the following command. ``` Get-AzVMExtension -ResourceGroupName -VMName ``` Review each `Name`, `ExtensionType`, and `ProvisioningState` to make sure no unauthorized extensions are installed on any virtual machines. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [c0e996f8-39cf-4af9-9f45-83fbde810432](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0e996f8-39cf-4af9-9f45-83fbde810432) **- Name:** 'Only approved VM extensions should be installed'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, no extensions are added to the virtual machines.",
+ "References": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features:https://docs.microsoft.com/en-us/powershell/module/az.compute/?view=azps-7.5.0#vm-extensions:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-asset-management#am-5-use-only-approved-applications-in-virtual-machine"
+ }
+ ]
+ },
+ {
+ "Id": "7.6",
+ "Description": "Ensure that Endpoint Protection for all Virtual Machines is installed",
+ "Checks": [
+ "defender_assessments_vm_endpoint_protection_installed"
+ ],
+ "Attributes": [
+ {
+ "Section": "7. Virtual Machines",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Install endpoint protection for all virtual machines.",
+ "RationaleStatement": "Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems.",
+ "ImpactStatement": "Endpoint protection will incur an additional cost to you.",
+ "RemediationProcedure": "Follow Microsoft Azure documentation to install endpoint protection from the security center. 
Alternatively, you can employ your own endpoint protection tool for your OS.",
+ "AuditProcedure": "**From Azure Portal** 1. Go to `Security Center` 2. Click the `Recommendations` blade 3. Ensure that there are no recommendations for `Endpoint Protection not installed on Azure VMs` **From Azure CLI** ``` az vm show -g -n -d --query resources[?type=='Microsoft.Compute/virtualMachines/extensions'].{ExtensionName:name} -o table ``` If extensions are installed, it will list the installed extensions. ``` EndpointSecurity || TrendMicroDSA* || Antimalware || EndpointProtection || SCWPAgent || PortalProtectExtension* || FileSecurity* ``` Alternatively, you can employ your own endpoint protection tool for your OS. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [1f7c564c-0a90-4d44-b7e1-9d456cffaee8](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) **- Name:** 'Endpoint protection should be installed on your machines'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default Endpoint Protection is disabled.",
+ "References": "https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection:https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware:https://docs.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest#az_vm_extension_list:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-endpoint-security#es-1-use-endpoint-detection-and-response-edr"
+ }
+ ]
+ },
+ {
+ "Id": "7.7",
+ "Description": "[Legacy] Ensure that VHDs are Encrypted",
+ "Checks": [],
+ "Attributes": [
+ {
+ "Section": "7. 
Virtual Machines",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "**NOTE: This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.** VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs.",
+ "RationaleStatement": "While it is recommended to use Managed Disks which are encrypted by default, legacy VHDs may exist for a variety of reasons and may need to remain in VHD format. VHDs are not encrypted by default, so this recommendation intends to address the security of these disks. In these niche cases, VHDs should be encrypted using the procedures in this recommendation to encrypt and protect the data content. If a virtual machine is using a VHD and can be converted to a managed disk, instructions for this procedure can be found in the resources section of this recommendation under the title Convert VHD to Managed Disk.",
+ "ImpactStatement": "Depending on how the encryption is implemented will change the size of the impact. If provider-managed keys(PMK) are utilized, the impact is relatively low, but processes need to be put in place to regularly rotate the keys. If Customer-managed keys(CMK) are utilized, a key management process needs to be implemented to store and manage key rotation, thus the impact is medium to high depending on user maturity with key management.",
+ "RemediationProcedure": "**From Azure Portal** 1. Navigate to the `storage account` that you wish to encrypt 2. Select `encryption` 3. 
Select the `encryption type` that you wish to use If you wish to use a Microsoft-managed key (the default), you can save at this point and encryption will be applied to the account. If you select `Customer-managed keys`, it will ask for the location of the key (The default is an Azure Key Vault) and the key name. Once these are captured, save the configuration and the account will be encrypted using the provided key. **From Azure CLI:** Create the Key Vault ``` az keyvault create --name --resource-group --location --enabled-for-disk-encryption ``` Encrypt the disk and store the key in Key Vault ``` az vm encryption enable -g --name --disk-encryption-keyvault myKV ``` **From PowerShell** This process uses a Key Vault to store the keys Create the Key Vault ``` New-AzKeyvault -name -ResourceGroupName -Location -EnabledForDiskEncryption ``` Encrypt the disk and store the key in Key Vault ``` $KeyVault = Get-AzKeyVault -VaultName -ResourceGroupName ``` ``` Set-AzVMDiskEncryptionExtension -ResourceGroupName -VMName -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId ```",
+ "AuditProcedure": "**From Azure CLI** For each virtual machine identify if the VM is using a legacy VHD by reviewing the *VHD* parameter in the output of the following command. The *VHD* parameter will contain the Storage Account name used for the VHD. ``` az vm show --name --resource-group ``` Next, identify if the storage account from the *VHD* parameter is encrypted by reviewing the *encryption --> services --> blob --> enabled* within the output of the following command and make sure its value is *True*. ``` az storage account show --name --resource-group ``` **From PowerShell:** Determine whether the VM is using a VHD for the OS Disk and any Data disks. 
``` $virtualMachine = Get-AzVM --Name --ResourceGroup |Select-Object -ExpandProperty StorageProfile $virtualMachine.OsDisk $virtualMachine.DataDisks ``` Next, use the value from *VHD* to see if the storage blob holding the VHD is encrypted. ``` $storageAccount = Get-AzStorageAccount -Name -ResourceGroupName $storageAccount.Encryption.Services.Blob ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [702dd420-7fcc-42c5-afe8-4026edd20fe0](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F702dd420-7fcc-42c5-afe8-4026edd20fe0) **- Name:** 'OS and data disks should be encrypted with a customer-managed key'",
+ "AdditionalInformation": "",
+ "DefaultValue": "The default value for encryption is NO Encryption",
+ "References": "CLI: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-cli-quickstart:Powershell: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-powershell-quickstart:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default:Convert VHD to Managed Disk: https://docs.microsoft.com/en-us/previous-versions/azure/virtual-machines/scripts/virtual-machines-powershell-sample-create-managed-disk-from-vhd"
+ }
+ ]
+ },
+ {
+ "Id": "7.8",
+ "Description": "Ensure only MFA enabled identities can access privileged Virtual Machine",
+ "Checks": [
+ "entra_user_with_vm_access_has_mfa"
+ ],
+ "Attributes": [
+ {
+ "Section": "7. 
Virtual Machines",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal",
+ "RationaleStatement": "Integrating multi-factor authentication (MFA) as part of the organizational policy can greatly reduce the risk of an identity gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. An Adversary may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized to move laterally and perform actions with the virtual machine's managed identity. The adversary may then perform management actions or access cloud-hosted resources as the logged-on managed identity.",
+ "ImpactStatement": "this recommendation requires an Azure AD P2 License to implement. Ensure that identities that are provisioned to a virtual machine utilizes an RBAC/ABAC group and is allocated a role using Azure PIM, and the Role settings require MFA or use another PAM solution (like CyberArk) for accessing Virtual Machines.",
+ "RemediationProcedure": "**From Azure Portal** 1. Log in to the Azure portal. 2. This can be remediated by enabling MFA for user, Removing user access or Reducing access of managed identities attached to virtual machines. - Case I : Enable MFA for users having access on virtual machines. 1. Navigate to `Azure AD` from the left pane and select `Users` from the `Manage` section. 2. 
Click on `Per-User MFA` from the top menu options and select each user with `MULTI-FACTOR AUTH STATUS` as `Disabled` and can login to virtual machines: * From `quick steps` on the right side select `enable`. * Click on `enable multi-factor auth` and share the link with the user to setup MFA as required. - Case II : Removing user access on a virtual machine. 1. Select the `Subscription`, then click on `Access control (IAM)`. 2. Select `Role assignments` and search for `Virtual Machine Administrator Login` or `Virtual Machine User Login` or any role that provides access to log into virtual machines. 3. Click on `Role Name`, Select `Assignments`, and remove identities with no MFA configured. - Case III : Reducing access of managed identities attached to virtual machines. 1. Select the `Subscription`, then click on `Access control (IAM)`. 2. Select `Role Assignments` from the top menu and apply filters on `Assignment type` as `Privileged administrator roles` and `Type` as `Virtual Machines`. 3. Click on `Role Name`, Select `Assignments`, and remove identities access make sure this follows the least privileges principal.",
+ "AuditProcedure": "**From Azure Portal** 1. Log in to the Azure portal. 2. Select the `Subscription`, then click on `Access control (IAM)`. 3. Select `Role Assignments` from the top menu and apply filters on `Assignment type` as `Privileged administrator roles` and `Type` as `Virtual Machines`. 4. Verify the list of privileged managed identities attached to any virtual machine. 5. If there are privileged managed identities from the above list, then check the list of users without MFA by navigating to `Azure AD`. 6. In the left navigation pane select `Users` from `Manage`. 7. Click on `Per-User MFA` from the top menu options and for each user with `MULTI-FACTOR AUTH STATUS` as `Disabled` follow the below-mentioned steps: * Select the `Subscription`, then click on `Access control (IAM)`. 
* Select `Check access` and click on `User, group, or service principal`. * Enter the user name or email and verify there are no role assignments on the user that provides access like `Virtual Machine Administrator Login` or `Virtual Machine User Login`. Make sure this follows the least privileges principal.",
+ "AdditionalInformation": "",
+ "DefaultValue": "",
+ "References": ""
+ }
+ ]
+ },
+ {
+ "Id": "7.9",
+ "Description": "Ensure Trusted Launch is enabled on Virtual Machines",
+ "Checks": [
+ "vm_trusted_launch_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "7. Virtual Machines",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "When **Secure Boot** and **vTPM** are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. If the attacker is able to bypass Secure Boot and install a malicious bootloader, vTPM can be used to detect the intrusion and alert you.",
+ "RationaleStatement": "Secure Boot and vTPM work together to protect your VM from a variety of boot attacks, including bootkits, rootkits, and firmware rootkits. Not enabling Trusted Launch in Azure VM can lead to increased vulnerability to rootkits and boot-level malware, reduced ability to detect and prevent unauthorized changes to the boot process, and a potential compromise of system integrity and data security.",
+ "ImpactStatement": "Secure Boot and vTPM are not currently supported for Azure Generation 1 VMs. **IMPORTANT:** Before enabling Secure Boot and vTPM on a Generation 2 VM which does not already have both enabled, it is highly recommended to create a restore point of the VM prior to remediation.",
+ "RemediationProcedure": "**From Azure Portal** 1. Go to Virtual Machines 1. For each VM, under Settings, click on Configuration on the left blade 1. 
Under Security Type, select 'Trusted Launch Virtual Machines' 1. Make sure Enable Secure Boot & Enable vTPM are checked 1. Click on Apply. Note: Trusted launch on existing virtual machines (VMs) is currently not supported for Azure Generation 1 VMs",
+ "AuditProcedure": "**From Azure Portal** 1. Go to Virtual Machines 1. For each VM, under Settings, click on Configuration on the left blade 1. Under Security Type, make sure security type is not standard and if it is Trusted Launch Virtual Machines then make sure Enable Secure Boot & Enable vTPM are checked **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [97566dd7-78ae-4997-8b36-1c7bfe0d8121](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F97566dd7-78ae-4997-8b36-1c7bfe0d8121) **- Name:** '[Preview]: Secure Boot should be enabled on supported Windows virtual machines'",
+ "AdditionalInformation": "",
+ "DefaultValue": "On Azure Generation 2 VMs, vTPM is enabled by default. Secure Boot is not enabled by default.",
+ "References": "https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm?tabs=portal:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm?tabs=portal#enable-trusted-launch-on-existing-vm:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot"
+ }
+ ]
+ },
+ {
+ "Id": "8.1",
+ "Description": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults",
+ "Checks": [
+ "keyvault_rbac_key_expiration_set"
+ ],
+ "Attributes": [
+ {
+ "Section": "8. 
Key Vault",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "RationaleStatement": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.",
+ "ImpactStatement": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.",
+ "RemediationProcedure": "**From Azure Portal:** 1. Go to `Key vaults`. 2. For each Key vault, click on `Keys`. 3. In the main pane, ensure that an appropriate `Expiration date` is set for any keys that are `Enabled`. **From Azure CLI:** Update the `Expiration date` for the key using the below command: ``` az keyvault key set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z' ``` **Note:** To view the expiration date on all keys in a Key Vault using Microsoft API, the List Key permission is required. To update the expiration date for the keys: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Crypto Officer to the appropriate user. **From PowerShell:** ``` Set-AzKeyVaultKeyAttribute -VaultName -Name -Expires ```",
+ "AuditProcedure": "**From Azure Portal:** 1. Go to `Key vaults`. 2. For each Key vault, click on `Keys`. 3. In the main pane, ensure that an appropriate `Expiration date` is set for any keys that are `Enabled`. 
**From Azure CLI:** Get a list of all the key vaults in your Azure environment by running the following command: ``` az keyvault list ``` Then for each key vault listed ensure that the output of the below command contains Key ID (kid), enabled status as `true` and Expiration date (expires) is not empty or null: ``` az keyvault key list --vault-name --query '[*].{kid:kid,enabled:attributes.enabled,expires:attributes.expires}' ``` **From PowerShell:** Retrieve a list of Azure Key vaults: ``` Get-AzKeyVault ``` For each Key vault run the following command to determine which vaults are configured to use RBAC. ``` Get-AzKeyVault -VaultName ``` For each Key vault with the `EnableRbacAuthorizatoin` setting set to `True`, run the following command. ``` Get-AzKeyVaultKey -VaultName ``` Make sure the `Expires` setting is configured with a value as appropriate wherever the `Enabled` setting is set to `True`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0) **- Name:** 'Key Vault keys should have an expiration date'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, keys do not expire.",
+ "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis:https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-6-use-a-secure-key-management-process:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0"
+ }
+ ]
+ },
+ {
+ "Id": "8.2",
+ "Description": "Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.",
+ "Checks": [
+ "keyvault_key_expiration_set_in_non_rbac"
+ ],
+ "Attributes": [
+ {
+ "Section": "8. Key Vault",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "RationaleStatement": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.",
+ "ImpactStatement": "Keys cannot be used beyond their assigned expiration dates respectively. 
Keys need to be rotated periodically wherever they are used.",
+ "RemediationProcedure": "**From Azure Portal:** 1. Go to `Key vaults`. 2. For each Key vault, click on `Keys`. 3. In the main pane, ensure that the status of the key is `Enabled`. 4. For each enabled key, ensure that an appropriate `Expiration date` is set. **From Azure CLI:** Update the `Expiration date` for the key using the below command: ``` az keyvault key set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z' ``` **Note:** To view the expiration date on all keys in a Key Vault using Microsoft API, the List Key permission is required. To update the expiration date for the keys: 1. Go to Key vault, click on `Access policies`. 2. Click on `Create` and add an access policy with the `Update` permission (in the Key Permissions - Key Management Operations section). **From PowerShell** ``` Set-AzKeyVaultKeyAttribute -VaultName -Name -Expires ```",
+ "AuditProcedure": "**From Azure Portal:** 1. Go to `Key vaults`. 2. For each Key vault, click on `Keys`. 3. In the main pane, ensure that the status of the key is `Enabled`. 4. For each enabled key, ensure that an appropriate `Expiration date` is set. **From Azure CLI:** Get a list of all the key vaults in your Azure environment by running the following command: ``` az keyvault list ``` For each key vault, ensure that the output of the below command contains Key ID (kid), enabled status as `true` and Expiration date (expires) is not empty or null: ``` az keyvault key list --vault-name --query '[*].{kid:kid,enabled:attributes.enabled,expires:attributes.expires}' ``` **From PowerShell:** Retrieve a list of Azure Key vaults: ``` Get-AzKeyVault ``` For each Key vault, run the following command to determine which vaults are configured to not use RBAC: ``` Get-AzKeyVault -VaultName ``` For each Key vault with the `EnableRbacAuthorizatoin` setting set to `False` or empty, run the following command. 
``` Get-AzKeyVaultKey -VaultName ``` Make sure the `Expires` setting is configured with a value as appropriate wherever the `Enabled` setting is set to `True`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0) **- Name:** 'Key Vault keys should have an expiration date'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, keys do not expire.",
+ "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis:https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-6-use-a-secure-key-management-process:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0"
+ }
+ ]
+ },
+ {
+ "Id": "8.3",
+ "Description": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults",
+ "Checks": [
+ "keyvault_rbac_secret_expiration_set"
+ ],
+ "Attributes": [
+ {
+ "Section": "8. Key Vault",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "RationaleStatement": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. 
The `exp` (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
+ "ImpactStatement": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.",
+ "RemediationProcedure": "**From Azure Portal:** 1. Go to `Key vaults`. 2. For each Key vault, click on `Secrets`. 3. In the main pane, ensure that the status of the secret is `Enabled`. 4. For each enabled secret, ensure that an appropriate `Expiration date` is set. **From Azure CLI:** Update the Expiration date for the secret using the below command: ``` az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z' ``` Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the `List` Key permission is required. To update the expiration date for the secrets: 1. Go to the Key vault, click on `Access Control (IAM)`. 2. Click on `Add role assignment` and assign the role of `Key Vault Secrets Officer` to the appropriate user. **From PowerShell:** ``` Set-AzKeyVaultSecretAttribute -VaultName -Name -Expires ```",
+ "AuditProcedure": "**From Azure Portal:** 1. Go to `Key vaults`. 2. For each Key vault, click on `Secrets`. 3. In the main pane, ensure that the status of the secret is `Enabled`. 4. For each enabled secret, ensure that an appropriate `Expiration date` is set. 
**From Azure CLI:** Ensure that the output of the below command contains ID (id), enabled status as `true` and Expiration date (expires) is not empty or null: ``` az keyvault secret list --vault-name --query '[*].{kid:kid,enabled:attributes.enabled,expires:attributes.expires}' ``` **From PowerShell:** Retrieve a list of Key vaults: ``` Get-AzKeyVault ``` For each Key vault, run the following command to determine which vaults are configured to use RBAC: ``` Get-AzKeyVault -VaultName ``` For each Key vault with the `EnableRbacAuthorizatoin` setting set to `True`, run the following command: ``` Get-AzKeyVaultSecret -VaultName ``` Make sure the `Expires` setting is configured with a value as appropriate wherever the `Enabled` setting is set to `True`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [98728c90-32c7-4049-8429-847dc0f4fe37](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F98728c90-32c7-4049-8429-847dc0f4fe37) **- Name:** 'Key Vault secrets should have an expiration date'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, secrets do not expire.",
+ "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis:https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-6-use-a-secure-key-management-process:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultsecretattribute?view=azps-0.10.0"
+ }
+ ]
+ },
+ {
+ "Id": "8.4",
+ "Description": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC 
Key Vaults",
+ "Checks": [
+ "keyvault_non_rbac_secret_expiration_set"
+ ],
+ "Attributes": [
+ {
+ "Section": "8. Key Vault",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "RationaleStatement": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
+ "ImpactStatement": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.",
+ "RemediationProcedure": "**From Azure Portal:** 1. Go to `Key vaults`. 2. For each Key vault, click on `Secrets`. 3. In the main pane, ensure that the status of the secret is `Enabled`. 4. Set an appropriate `Expiration date` on all secrets. **From Azure CLI:** Update the `Expiration date` for the secret using the below command: ``` az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z' ``` Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the `List` Key permission is required. To update the expiration date for the secrets: 1. Go to Key vault, click on `Access policies`. 2. Click on `Create` and add an access policy with the `Update` permission (in the Secret Permissions - Secret Management Operations section). **From PowerShell:** For each Key vault with the `EnableRbacAuthorization` setting set to `False` or empty, run the following command. 
``` Set-AzKeyVaultSecret -VaultName -Name -Expires ```",
+ "AuditProcedure": "**From Azure Portal:** 1. Go to `Key vaults`. 2. For each Key vault, click on `Secrets`. 3. In the main pane, ensure that the status of the secret is `Enabled`. 4. Set an appropriate `Expiration date` on all secrets. **From Azure CLI:** Get a list of all the key vaults in your Azure environment by running the following command: ``` az keyvault list ``` For each key vault, ensure that the output of the below command contains ID (id), enabled status as `true` and Expiration date (expires) is not empty or null: ``` az keyvault secret list --vault-name --query '[*].{kid:kid,enabled:attributes.enabled,expires:attributes.expires}' ``` **From PowerShell:** Retrieve a list of Key vaults: ``` Get-AzKeyVault ``` For each Key vault run the following command to determine which vaults are configured to use RBAC: ``` Get-AzKeyVault -VaultName ``` For each Key Vault with the `EnableRbacAuthorization` setting set to `False` or empty, run the following command. ``` Get-AzKeyVaultSecret -VaultName ``` Make sure the `Expires` setting is configured with a value as appropriate wherever the `Enabled` setting is set to `True`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [98728c90-32c7-4049-8429-847dc0f4fe37](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F98728c90-32c7-4049-8429-847dc0f4fe37) **- Name:** 'Key Vault secrets should have an expiration date'",
+ "AdditionalInformation": "",
+ "DefaultValue": "By default, secrets do not expire.",
+ "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis:https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-6-use-a-secure-key-management-process:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultsecret?view=azps-7.4.0"
+ }
+ ]
+ },
+ {
+ "Id": "8.5",
+ "Description": "Ensure the Key Vault is Recoverable",
+ "Checks": [
+ "keyvault_recoverable"
+ ],
+ "Attributes": [
+ {
+ "Section": "8. Key Vault",
+ "Profile": "Level 1",
+ "AssessmentStatus": "Automated",
+ "Description": "The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the Do Not Purge and Soft Delete functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. WARNING: A current limitation is that role assignments disappearing when Key Vault is deleted. 
All role assignments will need to be recreated after recovery.",
+ "RationaleStatement": "There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There is a Key Vault property that plays a role in permanent unavailability of a Key Vault: `enablePurgeProtection`: Setting this parameter to true for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, the key vault and its objects will subsequently be purged. Enabling the enablePurgeProtection parameter on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.",
+ "ImpactStatement": "Once purge-protection and soft-delete are enabled for a Key Vault, the action is irreversible.",
+ "RemediationProcedure": "To enable Do Not Purge and Soft Delete for a Key Vault: **From Azure Portal** 1. Go to `Key Vaults` 2. For each Key Vault 3. Click `Properties` 4. Ensure the status of Purge protection reads `Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects)`. Note, once enabled you cannot disable it. **From Azure CLI** ``` az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault /vaults/ --set properties.enablePurgeProtection=true ``` **From PowerShell** ``` Update-AzKeyVault -VaultName /providers/Microsoft.KeyVault /vaults/ ``` **From PowerShell** Get all Key Vaults. ``` Get-AzKeyVault ``` For each Key Vault run the following command. 
``` Get-AzKeyVault -VaultName ``` Examine the results of the above command for the `EnablePurgeProtection` setting. Make sure enablePurgeProtection is set to `True`.",
+ "AdditionalInformation": "When a key is used for SQL server TDE or Encrypting Storage Account, both the features Do Not Purge and Soft Delete are enabled for the corresponding Key Vault by default by Azure Backend. WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.",
+ "DefaultValue": "When a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.",
+ "References": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli:https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-8-define-and-implement-backup-and-recovery-strategy:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository"
+ }
+ ]
+ },
+ {
+ "Id": "8.6",
+ "Description": "Enable Role Based Access Control for Azure Key Vault",
+ "Checks": [
+ "keyvault_rbac_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "8. Key Vault",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services.",
+ "RationaleStatement": "The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. 
This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.",
+ "ImpactStatement": "Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. For the least amount of downtime, map your current groups and users to their corresponding permission needs.",
+ "RemediationProcedure": "**From Azure Portal** Key Vaults can be configured to use `Azure role-based access control` on creation. For existing Key Vaults: 1. From Azure Home open the Portal Menu in the top left corner 2. Select `Key Vaults` 3. Select a Key Vault to audit 4. Select `Access configuration` 5. Set the Permission model radio button to `Azure role-based access control`, taking note of the warning message 6. Click `Save` 7. Select `Access Control (IAM)` 8. Select the `Role Assignments` tab 9. Reapply permissions as needed to groups or users **From Azure CLI*** To enable RBAC Authorization for each Key Vault, run the following Azure CLI command: ``` az keyvault update --resource-group --name --enable-rbac-authorization true ``` **From PowerShell** To enable RBAC authorization on each Key Vault, run the following PowerShell command: ``` Update-AzKeyVault -ResourceGroupName -VaultName -EnableRbacAuthorization $True ```",
+ "AuditProcedure": "**From Azure Portal** 1. From Azure Home open the Portal Menu in the top left corner 2. Select Key Vaults 3. Select a Key Vault to audit 4. Select Access configuration 5. Ensure the Permission Model radio button is set to `Azure role-based access control` **From Azure CLI*** Run the following command for each Key Vault in each Resource Group: ``` az keyvault show --resource-group --name ``` Ensure the `enableRbacAuthorization` setting is set to `true` within the output of the above command. 
**From PowerShell** Run the following PowerShell command: ``` Get-AzKeyVault -Vaultname -ResourceGroupName ``` Ensure the `Enabled For RBAC Authorization` setting is set to `True` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5) **- Name:** '[Preview]: Azure Key Vault should use RBAC permission model'",
+ "AdditionalInformation": "",
+ "DefaultValue": "The default value for Access control in Key Vaults is Vault Policy.",
+ "References": "https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps:https://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current:https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository"
+ }
+ ]
+ },
+ {
+ "Id": "8.7",
+ "Description": "Ensure that Private Endpoints are Used for Azure Key Vault",
+ "Checks": [
+ "keyvault_private_endpoints"
+ ],
+ "Attributes": [
+ {
+ "Section": "8. Key Vault",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.",
+ "RationaleStatement": "Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. 
Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.",
+ "ImpactStatement": "Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint per petabyte or more of networking traffic.",
+ "RemediationProcedure": "**Please see the additional information about the requirements needed before starting this remediation procedure.** **From Azure Portal** 1. From Azure Home open the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Select `Networking` in the left column. 5. Select `Private endpoint connections` from the top row. 6. Select `+ Create`. 7. Select the subscription the Key Vault is within, and other desired configuration. 8. Select `Next`. 9. For resource type select `Microsoft.KeyVault/vaults`. 10. Select the Key Vault to associate the Private Endpoint with. 11. Select `Next`. 12. In the `Virtual Networking` field, select the network to assign the Endpoint. 13. Select other configuration options as desired, including an existing or new application security group. 14. Select `Next`. 15. Select the private DNS the Private Endpoints will use. 16. Select `Next`. 17. Optionally add `Tags`. 18. Select `Next : Review + Create`. 19. Review the information and select `Create`. Follow the Audit Procedure to determine if it has successfully applied. 20. Repeat steps 3-19 for each Key Vault. **From Azure CLI** 1. To create an endpoint, run the following command: ``` az network private-endpoint create --resource-group --subnet --name --private-connection-resource-id /subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/ --group-ids vault --connection-name --location --manual-request ``` 2. 
To manually approve the endpoint request, run the following command: ``` az keyvault private-endpoint-connection approve --resource-group --vault-name –name ``` 4. Determine the Private Endpoint's IP address to connect the Key Vault to the Private DNS you have previously created: 5. Look for the property networkInterfaces then id; the value must be placed in the variable within step 7. ``` az network private-endpoint show -g -n ``` 6. Look for the property networkInterfaces then id; the value must be placed on in step 7. ``` az network nic show --ids ``` 7. Create a Private DNS record within the DNS Zone you created for the Private Endpoint: ``` az network private-dns record-set a add-record -g -z privatelink.vaultcore.azure.net -n -a ``` 8. nslookup the private endpoint to determine if the DNS record is correct: ``` nslookup .vault.azure.net nslookup .privatelink.vaultcore.azure.n ```",
+ "AuditProcedure": "**From Azure Portal** 1. From Azure Home open the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Select `Networking` in the left column. 5. Select `Private endpoint connections` from the top row. 6. View if there is an endpoint attached. **From Azure CLI** Run the following command within a subscription for each Key Vault you wish to audit. ``` az keyvault private-endpoint-connection show -g --vault-name ``` **From Powershell** Run the following command within a subscription for each Key Vault you wish to audit. ``` Get-AzPrivateEndpointConnection -PrivateLinkResourceId '/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults//' ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [a6abeaec-4d90-4a02-805f-6b26c4d3fbe9](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6abeaec-4d90-4a02-805f-6b26c4d3fbe9) **- Name:** 'Azure Key Vaults should use private link'",
+ "AdditionalInformation": "This recommendation assumes that you have created a Resource Group containing a Virtual Network that the services are already associated with and configured private DNS. A Bastion on the virtual network is also required, and the service to which you are connecting must already have a Private Endpoint. For information concerning the installation of these services, please see the attached documentation. Microsoft's own documentation lists the requirements as: A Key Vault. An Azure virtual network. A subnet in the virtual network. 
Owner or contributor permissions for both the Key Vault and the virtual network.",
+ "DefaultValue": "By default, Private Endpoints are not enabled for any services within Azure.",
+ "References": "https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview:https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints:https://azure.microsoft.com/en-us/pricing/details/private-link/:https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal:https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal:https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal:https://docs.microsoft.com/en-us/azure/bastion/bastion-overview:https://docs.microsoft.com/azure/dns/private-dns-getstarted-cli#create-an-additional-dns-record:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository"
+ }
+ ]
+ },
+ {
+ "Id": "8.8",
+ "Description": "Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services",
+ "Checks": [
+ "keyvault_key_rotation_enabled"
+ ],
+ "Attributes": [
+ {
+ "Section": "8. Key Vault",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Manual",
+ "Description": "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.",
+ "RationaleStatement": "Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. 
Your organization should determine its own key expiration policy.",
+ "ImpactStatement": "There are an additional costs per operation in running the needed applications.",
+ "RemediationProcedure": "**Note:** Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P(Y,M,D). The leading P is required with it denoting `period`. The (Y,M,D) are for the duration of Year, Month,and Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D). **From Azure Portal** 1. From Azure Portal select the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Under `Objects` select `Keys`. 5. Select a key to audit. 6. In the top row select `Rotation policy`. 7. Select an `Expiry time`. 8. Set `Enable auto rotation` to `Enabled`. 9. Set an appropriate `Rotation option` and `Rotation time`. 10. Optionally set the `Notification time`. 11. Select `Save`. 12. Repeat steps 3-11 for each Key Vault and Key. **From Azure CLI** Run the following command for each key to update its policy to be auto-rotated: ``` az keyvault key rotation-policy update -n --vault-name --value Note: It is easiest to supply the policy flags in a .json file. An example json file would be: { lifetimeActions: [ { trigger: { timeAfterCreate: , timeBeforeExpiry : null }, action: { type: Rotate } }, { trigger: { timeBeforeExpiry : }, action: { type: Notify } } ], attributes: { expiryTime: } } ``` **From PowerShell** Run the following command for each key to update its policy: ``` Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json ``` Note: It is easiest to supply the policy flags in a .json file. 
An example json file would be: ``` <# rotation_policy.json { lifetimeActions: [ { trigger: { timeAfterCreate: PM, timeBeforeExpiry: null }, action: { type: Rotate } }, { trigger: { timeBeforeExpiry: PD }, action: { type: Notify } } ], attributes: { expiryTime: PY } } #> ```",
+ "AuditProcedure": "**From Azure Portal** 1. From Azure Portal select the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Under `Objects` select `Keys`. 5. Select a key to audit. 6. In the top row select `Rotation policy`. 7. Ensure `Enable auto rotation` is set to `Enabled`. 8. Repeat steps 3-7 for each Key Vault and Key. **From Azure CLI** Run the following command: ``` az keyvault key rotation-policy show --vaultname --name ``` **From PowerShell** Run the following command: ``` Get-AzKeyVaultKeyRotationPolicy -VaultName -Name ``` **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [d8cf8476-a2ec-4916-896e-992351803c44](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd8cf8476-a2ec-4916-896e-992351803c44) **- Name:** 'Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.'",
+ "AdditionalInformation": "Automatic Key Rotation is in public preview, so any configuration will not change upon full release. **Note: ** Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P(Y,M,D). The leading P is required with it denoting `period`. The (Y,M,D) are for the duration of Year, Month, Day respectively. 
A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).",
+ "DefaultValue": "By default, Automatic Key Rotation is not enabled.",
+ "References": "https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation:https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#update-the-key-version:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell#set-up-an-azure-key-vault-and-diskencryptionset-optionally-with-automatic-key-rotation:https://azure.microsoft.com/en-us/updates/public-preview-automatic-key-rotation-of-customermanaged-keys-for-encrypting-azure-managed-disks/:https://docs.microsoft.com/en-us/cli/azure/keyvault/key/rotation-policy?view=azure-cli-latest#az-keyvault-key-rotation-policy-update:https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyrotationpolicy?view=azps-8.1.0:https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/timespan:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-6-use-a-secure-key-management-process"
+ }
+ ]
+ },
+ {
+ "Id": "9.1",
+ "Description": "Ensure App Service Authentication is set up for apps in Azure App Service",
+ "Checks": [
+ "app_ensure_auth_is_set_up"
+ ],
+ "Attributes": [
+ {
+ "Section": "9. AppService",
+ "Profile": "Level 2",
+ "AssessmentStatus": "Automated",
+ "Description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. 
To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.",
+ "RationaleStatement": "By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. Disabling HTTP Basic Authentication functionality further ensures legacy authentication methods are disabled within the application.",
+ "ImpactStatement": "This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable. Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication.",
+ "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Setting` section, click on `Authentication` 5. If no identity providers are set up, then click `Add identity provider` 6. Choose other parameters as per your requirements and click on `Add` To disable the `Basic Auth Publishing Credentials` setting, perform the following steps: 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Settings`, click on `Configuration` 5. Click on the 'General Settings' tab 6. 
Under `Platform settings`, ensure `Basic Auth Publishing Credentials` is set to `Off` **From Azure CLI** To set App Service Authentication for an existing app, run the following command: ``` az webapp auth update --resource-group --name --enabled true ``` **Note** In order to access `App Service authentication` settings for Web app using Microsoft API requires `Website contributor` permission at subscription level. A custom role can be created in place of `Website contributor` to provide more specific permission and maintain the principle of least privileged access.", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Settings` section, Click on `Authentication` 5. Ensure that `App Service authentication` set to `Enabled` (Will only appear once an Identity provider is set up/selected) 6. Navigate back to the application blade 7. Under `Settings`, click on `Configuration` 8. Click on the 'General Settings' tab 9. Under `Platform settings`, ensure `Basic Auth Publishing Credentials` is set to `Off` **From Azure CLI** To check App Service Authentication status for an existing app, run the following command (using authV1 extension), ``` az webapp auth show --resource-group --name ``` The output should return `true` if App Service authentication is set to `On`. If using the `authV2` extension for the `az webapp auth` CLI, run the following command, ``` az webapp auth show --resource-group --name ``` Ensure that the `enabled` setting under `azureActiveDirectory` is set to `true`. 
To check whether the `Basic Auth Publishing Credentials` are disabled, issue the following commands, ``` az resource show --resource-group --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/ az resource show --resource-group --name ftp --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/ ``` Ensure `allow` is set to `false` under `properties` within the output of each of the above commands. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc75248c1-ea1d-4a9c-8fc9-29a6aabd5da8) **- Name:** 'Function apps should have authentication enabled' - **Policy ID:** [95bccee9-a7f8-4bec-9ee9-62c3473701fc](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95bccee9-a7f8-4bec-9ee9-62c3473701fc) **- Name:** 'App Service apps should have authentication enabled'", + "AdditionalInformation": "You're not required to use App Service for authentication and authorization. Many web frameworks are bundled with security features, and you can use them if you like. If you need more flexibility than App Service provides, you can also write your own utilities. 
Secure authentication and authorization require deep understanding of security, including federation, encryption, JSON web tokens (JWT) management, grant types, and so on.", + "DefaultValue": "By default, App Service Authentication is disabled when a new app is created using the command-line tool or Azure Portal console.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview:https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy" + } + ] + }, + { + "Id": "9.2", + "Description": "Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service", + "Checks": [ + "app_ensure_http_is_redirected_to_https" + ], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.", + "RationaleStatement": "Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits.", + "ImpactStatement": "When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app.", + "RemediationProcedure": "**From Azure Portal** 1. 
Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Click on configuration 5. Under the `HTTPS Only` heading select 'On' to enable https only 5. Click `Save` at the top **From Azure CLI** To set HTTPS-only traffic value for an existing app, run the following command: ``` az webapp update --resource-group --name --set httpsOnly=true ``` **From PowerShell** ``` Set-AzWebApp -ResourceGroupName -Name -HttpsOnly $true ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Click on `configuration` 5. Ensure that the `HTTPS Only` setting is toggled to `On` **From Azure CLI** To check HTTPS-only traffic value for an existing app, run the following command, ``` az webapp show --resource-group --name --query httpsOnly ``` The output should return `true` if HTTPS-only traffic value is set to `On`. **From PowerShell** List all the web apps configured within the subscription. ``` Get-AzWebApp | Select-Object ResourceGroup, Name, HttpsOnly ``` For each web app review the `HttpsOnly` setting and make sure it is set to `True`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [a4af4a39-4135-47fb-b175-47fbdf85311d](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) **- Name:** 'App Service apps should only be accessible over HTTPS'", + "AdditionalInformation": "", + "DefaultValue": "By default, HTTPS-only feature will be disabled when a new app is created using the command-line tool or Azure Portal console.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit:https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0" + } + ] + }, + { + "Id": "9.3", + "Description": "Ensure Web App is using the latest version of TLS encryption", + "Checks": [ + "app_minimum_tls_version_12" + ], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.", + "RationaleStatement": "App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Setting` section, Click on `SSL settings` 5. 
Under the `Bindings` pane, set `Minimum TLS Version` to `1.2` under `Protocol Settings` section **From Azure CLI** To set TLS Version for an existing app, run the following command: ``` az webapp config set --resource-group --name --min-tls-version 1.2 ``` **From PowerShell** ``` Set-AzWebApp -ResourceGroupName -Name -MinTlsVersion 1.2 ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Setting` section, Click on `TLS/SSL settings` 5. Under the `Bindings` pane, ensure that `Minimum TLS Version` set to `1.2` under `Protocol Settings` **From Azure CLI** To check TLS Version for an existing app, run the following command, ``` az webapp config show --resource-group --name --query minTlsVersion ``` The output should return `1.2` if TLS Version is set to `1.2` (Which is currently the latest version). **From PowerShell** List all web apps. ``` Get-AzWebApp ``` For each web app run the following command. ``` Get-AzWebApp -ResourceGroupName -Name |Select-Object -ExpandProperty SiteConfig ``` Make sure the `minTlsVersion` is set to at least `1.2`. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [f9d614c5-c173-4d56-95a7-b4437057d193](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) **- Name:** 'Function apps should use the latest TLS version' - **Policy ID:** [f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) **- Name:** 'App Service apps should use the latest TLS version'", + "AdditionalInformation": "", + "DefaultValue": "By default, TLS Version feature will be set to 1.2 when a new app is created using the command-line tool or Azure Portal console.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-8-detect-and-disable-insecure-services-and-protocols:https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0" + } + ] + }, + { + "Id": "9.4", + "Description": "Ensure that Register with Entra ID is enabled on App Service", + "Checks": [ + "app_client_certificates_on" + ], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. 
When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.", + "RationaleStatement": "App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Setting` section, Click on `Identity` 5. Under the `System assigned` pane, set `Status` to `On` **From Azure CLI** To register with Entra ID for an existing app, run the following command: ``` az webapp identity assign --resource-group --name ``` **From PowerShell** To register with Entra ID for an existing app, run the following command: ``` Set-AzWebApp -AssignIdentity $True -ResourceGroupName -Name ```", + "AuditProcedure": "**From Azure Portal** 1. From Azure Portal open the Portal Menu in the top left 2. Go to `App Services` 3. Click on each App 4. Under the `Setting` section, Click on `Identity` 5. Under the `System assigned` pane, ensure that `Status` set to `On` **From Azure CLI** To check Register with Entra ID feature status for an existing app, run the following command, ``` az webapp identity show --resource-group --name --query principalId ``` The output should return unique Principal ID. If no output for the above command then Register with Entra ID is not set. **From PowerShell** List the web apps. ``` Get-AzWebApp ``` For each web app run the following command. ``` Get-AzWebapp -ResourceGroupName -Name ``` Make sure the `Identity` setting contains a unique Principal ID **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [0da106f2-4ca3-48e8-bc85-c638fe6aea8f](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) **- Name:** 'Function apps should use managed identity' - **Policy ID:** [2b9ad585-36bc-4615-b300-fd4435808332](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) **- Name:** 'App Service apps should use managed identity'", + "AdditionalInformation": "", + "DefaultValue": "By default, Managed service identity via Entra ID is disabled.", + "References": "https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-1-use-centralized-identity-and-authentication-system" + } + ] + }, + { + "Id": "9.5", + "Description": "Ensure That 'PHP version' is the Latest, If Used to Run the Web App", + "Checks": [ + "app_register_with_identity" + ], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", + "RationaleStatement": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. 
With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.", + "ImpactStatement": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home open the Portal Menu in the top left 2. Go to `App Services` 3. Click on each App 4. Under `Settings` section, click on `Configuration` 5. Click on the `General settings` pane, ensure that for a `Stack` of `PHP` the `Major Version` and `Minor Version` reflect the latest stable and supported release. NOTE: No action is required If `PHP version` is set to `Off` or is set with an empty value as PHP is not used by your web app. **From Azure CLI** List the available PHP runtimes: ``` az webapp list-runtimes ``` To set latest PHP version for an existing app, run the following command: ``` az webapp config set --resource-group --name [--linux-fx-version ][--php-version ] ``` **From PowerShell** To set latest PHP version for an existing app, run the following command: ``` Set-AzWebApp -ResourceGroupName -Name -phpVersion ``` *NOTE:* Currently there is no way to update an existing web app `Linux FX Version` setting using PowerShell, nor is there a way to create a new web app using PowerShell that configures the PHP runtime in the `Linux FX Version` setting.", + "AuditProcedure": "**From Azure Portal** 1. From Azure Home open the Portal Menu in the top left 2. Go to `App Services` 3. Click on each App 4. Under `Settings` section, click on `Configuration` 5. 
Click on the `General settings` pane, ensure that for a `Stack` of `PHP` the `Major Version` and `Minor Version` reflect the latest stable and supported release. ** The latest stable version can be confirmed by going to php.net. Navigate to the downloads, and then find the most recent version that is marked by `Current Stable PHP [version_number]`. ** *NOTE:* No action is required If `PHP version` is set to `Off` as PHP is not used by your web app. **From Azure CLI** To check PHP version for an existing app, run the following command, ``` az webapp config show --resource-group --name --query {LinuxFxVersion:linuxFxVersion,PHP_Version:phpVersion} ``` **From PowerShell** ``` $application = Get-AzWebApp -ResourceGroupName -Name $application.SiteConfig | select-object LinuxFXVersion, phpVersion ``` The output should return the latest available version of PHP. Any other version of PHP would be considered a finding. **NOTE:** No action is required, If the output is empty as PHP is not used by your web app. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [f466b2a6-823d-470d-8ea5-b031e72d79ae](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff466b2a6-823d-470d-8ea5-b031e72d79ae) **- Name:** 'App Service app slots that use PHP should use a specified 'PHP version'' - **Policy ID:** [7261b898-8a84-4db8-9e04-18527132abb3](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3) **- Name:** 'App Service apps that use PHP should use a specified 'PHP version''", + "AdditionalInformation": "", + "DefaultValue": "The version of PHP is whatever was selected upon App creation.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-3-define-and-establish-secure-configurations-for-compute-resources:https://www.php.net/downloads" + } + ] + }, + { + "Id": "9.6", + "Description": "Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App", + "Checks": [ + "app_ensure_php_version_is_latest" + ], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.", + "RationaleStatement": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected. Using the latest full version will keep your stack secure to vulnerabilities and exploits.", + "ImpactStatement": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.", + "RemediationProcedure": "**From Azure Portal** 1. From Azure Home open the Portal Menu in the top left 2. Go to `App Services` 3. Click on each App 4. Under `Settings` section, click on `Configuration` 5. Click on the General settings pane and ensure that the Major Version and the Minor Version is set to the latest stable version available (Python 3.11, at the time of writing) NOTE: No action is required if `Python version` is set to `Off`, as Python is not used by your web app. 
**From Azure CLI** To see the list of supported runtimes: ``` az webapp list-runtimes ``` To set latest Python version for an existing app, run the following command: ``` az webapp config set --resource-group --name [--windows-fx-version PYTHON|3.11] [--linux-fx-version PYTHON|3.11] ``` **From PowerShell** As of this writing, there is no way to update an existing application's `SiteConfig` or set the a new application's `SiteConfig` settings during creation via PowerShell.", + "AuditProcedure": "**From Azure Console** 1. From Azure Home open the Portal Menu in the top left 2. Go to `App Services` 3. Click on each App 4. Under `Settings` section, click on `Configuration` 5. Click on the General settings pane and ensure that for a Stack of Python, with Major Version of Python 3, that the Minor Version is set to the latest stable version available (Python 3.11, at the time of writing) NOTE: No action is required if `Python version` is set to `Off`, as Python is not used by your web app. **From Azure CLI** To check Python version for an existing app, run the following command ``` az webapp config show --resource-group --name --query {LinuxFxVersion:linuxFxVersion,WindowsFxVersion:windowsFxVersion,PythonVersion:pythonVersion} ``` The output should return the latest stable version of Python. *NOTE:* No action is required if the output is empty, as Python is not used by your web app. **From PowerShell** ``` $app = Get-AzWebApp -Name -ResourceGroup $app.SiteConfig |Select-Object LinuxFXVersion, WindowsFxVersion, PythonVersion ``` Ensure the output of the above command shows the latest version of Python. *NOTE:* No action is required if the output is empty, as Python is not used by your web app. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [9c014953-ef68-4a98-82af-fd0f6b2306c8](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9c014953-ef68-4a98-82af-fd0f6b2306c8) **- Name:** 'App Service app slots that use Python should use a specified 'Python version'' - **Policy ID:** [7008174a-fd10-4ef0-817e-fc820a951d73](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7008174a-fd10-4ef0-817e-fc820a951d73) **- Name:** 'App Service apps that use Python should use a specified 'Python version''", + "AdditionalInformation": "** The latest stable version can be confirmed by going to python.org. Navigate to the downloads, and then find the most recent version that is marked by `security` in the maintenance column. **", + "DefaultValue": "The version of Python is whatever was selected upon App creation.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-3-define-and-establish-secure-configurations-for-compute-resources:https://www.python.org/downloads/" + } + ] + }, + { + "Id": "9.7", + "Description": "Ensure that 'Java version' is the latest, if used to run the Web App", + "Checks": [ + "app_ensure_python_version_is_latest" + ], + "Attributes": [ + { + "Section": "9. 
AppService", + "Profile": "Level 1", + "AssessmentStatus": "Manual", + "Description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.", + "RationaleStatement": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.", + "ImpactStatement": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Settings` section, click on `Configuration` 5. Click on the `General settings` pane and ensure that for a `Stack` of `Java` the `Major Version` and `Minor Version` reflect the latest stable and supported release, and that the `Java web server version` is set to the `auto-update` option. NOTE: No action is required if `Java version` is set to `Off`, as Java is not used by your web app. 
**From Azure CLI** To see the list of supported runtimes: ``` az webapp list-runtimes ``` To set latest Java version for an existing app, run the following command: ``` az webapp config set --resource-group --name [--java-version --java-container --java-container-version [--windows-fx-version ] [--linux-fx-version ] ``` If creating a new web application to use a currently supported version of Java, run the following commands. To create an app service plan: ``` az appservice plan create --resource-group --name --location [--is-linux --number-of-workers --sku ] [--hyper-v --sku ] ``` Get the app service plan ID: ``` az appservice plan list --query [].{Name:name, ID:id, SKU:sku, Location:location} ``` To create a new Java web application using the retrieved app service ID: ``` az webapp create --resource-group --plan --name [--linux-fx-version ] [--windows-fx-version ] ``` **From PowerShell** As of this writing, there is no way to update an existing application's `SiteConfig` or set a new application's `SiteConfig` settings during creation via PowerShell.", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Settings` section, click on `Configuration` 5. Click on the `General settings` pane and ensure that for a `Stack` of `Java` the `Major Version` and `Minor Version` reflect the latest stable and supported release, and that the `Java web server version` is set to the `auto-update` option. NOTE: No action is required if `Java version` is set to `Off`, as Java is not used by your web app. 
**From Azure CLI** To check Java version for an existing app, run the following command, ``` az webapp config show --resource-group --name --query {LinuxFxVersion:linuxFxVersion, WindowsFxVersion:windowsFxVersion, JavaVersion:javaVersion, JavaContainerVersion:javaContainerVersion, JavaContainer:javaContainer} ``` The output should return the latest available version of Java (if java is being used for the web application being audited). **From PowerShell** For each application, store the application information within an object, and then interrogate the `SiteConfig` information for that application object. ``` $app = Get-AzWebApp -Name -ResourceGroup $app.SiteConfig |Select-Object LinuxFXVersion, WindowsFxVersion, JavaVersion, JavaContainerVersion, JavaContainer ``` Ensure the Java version used within the application is a currently supported version (if java is being used for the web application being audited). **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [e1d1b522-02b0-4d18-a04f-5ab62d20445f](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1d1b522-02b0-4d18-a04f-5ab62d20445f) **- Name:** 'Function app slots that use Java should use a specified 'Java version'' - **Policy ID:** [9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) **- Name:** 'Function apps that use Java should use a specified 'Java version''", + "AdditionalInformation": "", + "DefaultValue": "The default setting is whichever setting was chosen in the creation of the webapp.", + "References": "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-3-define-and-establish-secure-configurations-for-compute-resources:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities:https://www.oracle.com/java/technologies/downloads/#java11" + } + ] + }, + { + "Id": "9.8", + "Description": "Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App", + "Checks": [ + "app_ensure_java_version_is_latest" + ], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.", + "RationaleStatement": "Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected. HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.", + "ImpactStatement": "", + "RemediationProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Setting` section, Click on `Configuration` 5. Set `HTTP version` to `2.0` under `General settings` NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate. **From Azure CLI** To set HTTP 2.0 version for an existing app, run the following command: ``` az webapp config set --resource-group --name --http20-enabled true ``` **From PowerShell** To enable HTTP 2.0 version support, run the following command: ``` Set-AzWebApp -ResourceGroupName -Name -Http20Enabled $true ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal using https://portal.azure.com 2. Go to `App Services` 3. Click on each App 4. Under `Setting` section, Click on `Configuration` 5. 
Ensure that `HTTP Version` set to `2.0` version under `General settings` NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate. **From Azure CLI** To check HTTP 2.0 version status for an existing app, run the following command, ``` az webapp config show --resource-group --name --query http20Enabled ``` The output should return `true` if HTTPS 2.0 traffic value is set to `On`. **From PowerShell** For each application, run the following command: ``` Get-AzWebApp -ResourceGroupName -Name |Select-Object -ExpandProperty SiteConfig ``` If the value of the **Http20Enabled** setting is **true**, the application is compliant. Otherwise if the value of the **Http20Enabled** setting is **false**, the application is non-compliant. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. 
If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [e2c1c086-2d84-4019-bff3-c44ccd95113c](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2c1c086-2d84-4019-bff3-c44ccd95113c) **- Name:** 'Function apps should use latest 'HTTP Version'' - **Policy ID:** [8c122334-9d20-4eb8-89ea-ac9a705b74ae](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c122334-9d20-4eb8-89ea-ac9a705b74ae) **- Name:** 'App Service apps should use latest 'HTTP Version''", + "AdditionalInformation": "", + "DefaultValue": "", + "References": "https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-3-define-and-establish-secure-configurations-for-compute-resources:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities" + } + ] + }, + { + "Id": "9.9", + "Description": "Ensure FTP deployments are Disabled", + "Checks": [ + "app_ensure_using_http20" + ], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.", + "RationaleStatement": "Azure FTP deployment endpoints are public. 
An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.", + "ImpactStatement": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.", + "RemediationProcedure": "**From Azure Portal** 1. Go to the Azure Portal 2. Select `App Services` 3. Click on an app 4. Select `Settings` and then `Configuration` 5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should be set to `Disabled` or `FTPS Only` **From Azure CLI** For each out of compliance application, run the following choosing either 'disabled' or 'FtpsOnly' as appropriate: ``` az webapp config set --resource-group --name --ftps-state [disabled|FtpsOnly] ``` **From PowerShell** For each out of compliance application, run the following: ``` Set-AzWebApp -ResourceGroupName -Name -FtpsState ```", + "AuditProcedure": "**From Azure Portal** 1. Go to the Azure Portal 2. Select `App Services` 3. Click on an app 4. Select `Settings` and then `Configuration` 5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should not be set to `All allowed` **From Azure CLI** List webapps to obtain the ids. ``` az webapp list ``` List the publish profiles to obtain the username, password and ftp server url. ``` az webapp deployment list-publishing-profiles --ids { publishUrl: , userName: , userPWD: , } ``` **From PowerShell** List all Web Apps: ``` Get-AzWebApp ``` For each app: ``` Get-AzWebApp -ResourceGroupName -Name | Select-Object -ExpandProperty SiteConfig ``` In the output, look for the value of **FtpsState**. If its value is **AllAllowed** the setting is out of compliance. 
Any other value is considered in compliance with this check. **From Azure Policy** If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure. If referencing a printed copy, you can search Policy IDs from this URL: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions - **Policy ID:** [399b2637-a50f-4f95-96f8-3a145476eb15](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) **- Name:** 'Function apps should require FTPS only' - **Policy ID:** [4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) **- Name:** 'App Service apps should require FTPS only'", + "AdditionalInformation": "", + "DefaultValue": "By default, FTP based deployment is `All allowed`", + "References": "[Azure Web Service Deploy via FTP](https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp):[Azure Web Service Deployment](https://docs.microsoft.com/en-us/azure/app-service/overview-security):https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities" + } + ] + }, + { + "Id": "9.10", + "Description": "Ensure Azure Key Vaults are Used to Store Secrets", + "Checks": [ + "app_ftp_deployment_disabled" + ], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. 
Access to these 'Secrets' can be controlled through granular permissions.", + "RationaleStatement": "The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application.", + "ImpactStatement": "Integrating references to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration to be made during the writing of an application, or refactoring of an already written one. There are also additional costs that are charged per 10000 requests to the Key Vault.", + "RemediationProcedure": "Remediation has 2 steps 1. Setup the Key Vault 2. Setup the App Service to use the Key Vault **Step 1: Set up the Key Vault** **From Azure CLI** ``` az keyvault create --name --resource-group --location myLocation ``` **From Powershell** ``` New-AzKeyvault -name -ResourceGroupName -Location ``` **Step 2: Set up the App Service to use the Key Vault** Sample JSON Template for App Service Configuration: ``` { //... resources: [ { type: Microsoft.Storage/storageAccounts, name: [variables('storageAccountName')], //... }, { type: Microsoft.Insights/components, name: [variables('appInsightsName')], //... }, { type: Microsoft.Web/sites, name: [variables('functionAppName')], identity: { type: SystemAssigned }, //... resources: [ { type: config, name: appsettings, //... 
dependsOn: [ [resourceId('Microsoft.Web/sites', variables('functionAppName'))], [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))], [resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionStringName'))], [resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('appInsightsKeyName'))] ], properties: { AzureWebJobsStorage: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')], WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')], APPINSIGHTS_INSTRUMENTATIONKEY: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appInsightsKeyResourceId')).secretUriWithVersion, ')')], WEBSITE_ENABLE_SYNC_UPDATE_SITE: true //... } }, { type: sourcecontrols, name: web, //... dependsOn: [ [resourceId('Microsoft.Web/sites', variables('functionAppName'))], [resourceId('Microsoft.Web/sites/config', variables('functionAppName'), 'appsettings')] ], } ] }, { type: Microsoft.KeyVault/vaults, name: [variables('keyVaultName')], //... dependsOn: [ [resourceId('Microsoft.Web/sites', variables('functionAppName'))] ], properties: { //... accessPolicies: [ { tenantId: [reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').tenantId], objectId: [reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId], permissions: { secrets: [ get ] } } ] }, resources: [ { type: secrets, name: [variables('storageConnectionStringName')], //... 
dependsOn: [ [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))], [resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))] ], properties: { value: [concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)] } }, { type: secrets, name: [variables('appInsightsKeyName')], //... dependsOn: [ [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))], [resourceId('Microsoft.Insights/components', variables('appInsightsName'))] ], properties: { value: [reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey] } } ] } ] } ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal 2. In the expandable menu on the left go to `Key Vaults` 3. View the Key Vaults listed. **From Azure CLI** To list key vaults within a subscription run the following command: ``` Get-AzKeyVault ``` To list the secrets within these key vaults run the following command: ``` Get-AzKeyVaultSecret [-VaultName] ``` **From Powershell** To list key vaults within a subscription run the following command: ``` Get-AzKeyVault ``` To list all secrets in a key vault run the following command: ``` Get-AzKeyVaultSecret -VaultName ' --lock-type --resource-group --resource-name --resource-type ``` **From Powershell** ``` Get-AzResourceLock -ResourceName -ResourceType -ResourceGroupName -Locktype ```", + "AuditProcedure": "**From Azure Portal** 1. Navigate to the specific Azure Resource or Resource Group 2. Click on `Locks` 3. Ensure the lock is defined with name and description, with type `Read-only` or `Delete` as appropriate. **From Azure CLI** Review the list of all locks set currently: ``` az lock list --resource-group --resource-name --namespace --resource-type --parent ``` **From Powershell** Run the following command to list all resources. 
``` Get-AzResource ``` For each resource, run the following command to check for Resource Locks. ``` Get-AzResourceLock -ResourceName -ResourceType -ResourceGroupName ``` Review the output of the `Properties` setting. Compliant settings will have the `CanNotDelete` or `ReadOnly` value.", + "AdditionalInformation": "", + "DefaultValue": "By default, no locks are set.", + "References": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks:https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking:https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-asset-management#am-4-limit-access-to-asset-management" + } + ] + }, + { + "Id": "9.10", + "Description": "Ensure FTP deployments are Disabled", + "Checks": [], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 1", + "AssessmentStatus": "Automated", + "Description": "By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.", + "RationaleStatement": "Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.", + "ImpactStatement": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.", + "RemediationProcedure": "**From Azure Portal** 1. Go to the Azure Portal 2. Select `App Services` 3. Click on an app 4. 
Select `Settings` and then `Configuration` 5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should be set to `Disabled` or `FTPS Only` **From Azure CLI** For each out of compliance application, run the following choosing either 'disabled' or 'FtpsOnly' as appropriate: ``` az webapp config set --resource-group --name --ftps-state [disabled|FtpsOnly] ``` **From PowerShell** For each out of compliance application, run the following: ``` Set-AzWebApp -ResourceGroupName -Name -FtpsState ```", + "AuditProcedure": "**From Azure Portal** 1. Go to the Azure Portal 2. Select `App Services` 3. Click on an app 4. Select `Settings` and then `Configuration` 5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should not be set to `All allowed` **From Azure CLI** List webapps to obtain the ids. ``` az webapp list ``` List the publish profiles to obtain the username, password and ftp server url. ``` az webapp deployment list-publishing-profiles --ids { publishUrl: , userName: , userPWD: , } ``` **From PowerShell** List all Web Apps: ``` Get-AzWebApp ``` For each app: ``` Get-AzWebApp -ResourceGroupName -Name | Select-Object -ExpandProperty SiteConfig ``` In the output, look for the value of **FtpsState**. If its value is **AllAllowed** the setting is out of compliance. 
Any other value is considered in compliance with this check.", + "AdditionalInformation": "", + "DefaultValue": "[Azure Web Service Deploy via FTP](https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp):[Azure Web Service Deployment](https://docs.microsoft.com/en-us/azure/app-service/overview-security):https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities", + "References": "TA0008, T1570, M1031" + } + ] + }, + { + "Id": "9.11", + "Description": "Ensure Azure Key Vaults are Used to Store Secrets", + "Checks": [], + "Attributes": [ + { + "Section": "9. AppService", + "Profile": "Level 2", + "AssessmentStatus": "Manual", + "Description": "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.", + "RationaleStatement": "The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application.", + "ImpactStatement": "Integrating references to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration to be made during the writing of an application, or refactoring of an already written one. 
There are also additional costs that are charged per 10000 requests to the Key Vault.", + "RemediationProcedure": "Remediation has 2 steps 1. Setup the Key Vault 2. Setup the App Service to use the Key Vault **Step 1: Set up the Key Vault** **From Azure CLI** ``` az keyvault create --name --resource-group --location myLocation ``` **From Powershell** ``` New-AzKeyvault -name -ResourceGroupName -Location ``` **Step 2: Set up the App Service to use the Key Vault** Sample JSON Template for App Service Configuration: ``` { //... resources: [ { type: Microsoft.Storage/storageAccounts, name: [variables('storageAccountName')], //... }, { type: Microsoft.Insights/components, name: [variables('appInsightsName')], //... }, { type: Microsoft.Web/sites, name: [variables('functionAppName')], identity: { type: SystemAssigned }, //... resources: [ { type: config, name: appsettings, //... dependsOn: [ [resourceId('Microsoft.Web/sites', variables('functionAppName'))], [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))], [resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionStringName'))], [resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('appInsightsKeyName'))] ], properties: { AzureWebJobsStorage: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')], WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')], APPINSIGHTS_INSTRUMENTATIONKEY: [concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appInsightsKeyResourceId')).secretUriWithVersion, ')')], WEBSITE_ENABLE_SYNC_UPDATE_SITE: true //... } }, { type: sourcecontrols, name: web, //... 
dependsOn: [ [resourceId('Microsoft.Web/sites', variables('functionAppName'))], [resourceId('Microsoft.Web/sites/config', variables('functionAppName'), 'appsettings')] ], } ] }, { type: Microsoft.KeyVault/vaults, name: [variables('keyVaultName')], //... dependsOn: [ [resourceId('Microsoft.Web/sites', variables('functionAppName'))] ], properties: { //... accessPolicies: [ { tenantId: [reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').tenantId], objectId: [reference(concat('Microsoft.Web/sites/', variables('functionAppName'), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId], permissions: { secrets: [ get ] } } ] }, resources: [ { type: secrets, name: [variables('storageConnectionStringName')], //... dependsOn: [ [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))], [resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))] ], properties: { value: [concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)] } }, { type: secrets, name: [variables('appInsightsKeyName')], //... dependsOn: [ [resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))], [resourceId('Microsoft.Insights/components', variables('appInsightsName'))] ], properties: { value: [reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey] } } ] } ] } ```", + "AuditProcedure": "**From Azure Portal** 1. Login to Azure Portal 2. In the expandable menu on the left go to `Key Vaults` 3. View the Key Vaults listed. 
**From Azure CLI** To list key vaults within a subscription run the following command: ``` Get-AzKeyVault ``` To list the secrets within these key vaults run the following command: ``` Get-AzKeyVaultSecret [-VaultName] ``` **From Powershell** To list key vaults within a subscription run the following command: ``` Get-AzKeyVault ``` To list all secrets in a key vault run the following command: ``` Get-AzKeyVaultSecret -VaultName ' --lock-type --resource-group --resource-name --resource-type ``` **From Powershell** ``` Get-AzResourceLock -ResourceName -ResourceType -ResourceGroupName -Locktype ```", + "AuditProcedure": "**From Azure Portal** 1. Navigate to the specific Azure Resource or Resource Group 2. Click on `Locks` 3. Ensure the lock is defined with name and description, with type `Read-only` or `Delete` as appropriate. **From Azure CLI** Review the list of all locks set currently: ``` az lock list --resource-group --resource-name --namespace --resource-type --parent ``` **From Powershell** Run the following command to list all resources. ``` Get-AzResource ``` For each resource, run the following command to check for Resource Locks. ``` Get-AzResourceLock -ResourceName -ResourceType -ResourceGroupName ``` Review the output of the `Properties` setting. Compliant settings will have the `CanNotDelete` or `ReadOnly` value.", + "AdditionalInformation": "", + "DefaultValue": "https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance#azure-resource-locks:https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking:https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-4-limit-access-to-asset-management", + "References": "" + } + ] + } + ] +} 
diff --git a/prowler/lib/check/compliance_models.py b/prowler/lib/check/compliance_models.py
index dc089c379d..3fed097726 100644
--- a/prowler/lib/check/compliance_models.py
+++ b/prowler/lib/check/compliance_models.py
@@ -87,6 +87,7 @@ class CIS_Requirement_Attribute(BaseModel):
 RemediationProcedure: str
 AuditProcedure: str
 AdditionalInformation: str
+ DefaultValue: Optional[str]
 References: str
diff --git a/prowler/lib/outputs/compliance.py b/prowler/lib/outputs/compliance.py
index e5db8cd474..8f57919d37 100644
--- a/prowler/lib/outputs/compliance.py
+++ b/prowler/lib/outputs/compliance.py
@@ -11,6 +11,7 @@
 Check_Output_CSV_AWS_CIS,
 Check_Output_CSV_AWS_ISO27001_2013,
 Check_Output_CSV_AWS_Well_Architected,
+ Check_Output_CSV_AZURE_CIS,
 Check_Output_CSV_ENS_RD2022,
 Check_Output_CSV_GCP_CIS,
 Check_Output_CSV_Generic_Compliance,
@@ -35,6 +36,7 @@ def add_manual_controls(output_options, audit_info, file_descriptors):
 manual_finding.region = ""
 manual_finding.location = ""
 manual_finding.project_id = ""
+ manual_finding.subscription = ""
 fill_compliance(
 output_options, manual_finding, audit_info, file_descriptors
 )
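Review bot: `DefaultValue: Optional[str]` is declared with no explicit default, so whether a framework JSON that lacks the key still loads depends on which pydantic major the project pins (I cannot see that from the hunk: v1 treats a bare `Optional[...]` as defaulting to `None`, v2 makes it required-but-nullable), and a `None` would then flow into CSV output models that declare the column as plain `str`. Write the intent out instead: `DefaultValue: Optional[str] = None`, or `DefaultValue: str = ""` if every consumer expects a string. The `CIS_Requirement_Attribute` class begins outside the hunk.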
@@ -161,7 +163,36 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
 csv_header = generate_csv_fields(
 Check_Output_CSV_GCP_CIS
 )
-
+ elif compliance.Provider == "AZURE":
+ compliance_row = Check_Output_CSV_AZURE_CIS(
+ Provider=finding.check_metadata.Provider,
+ Description=compliance.Description,
+ Subscription=finding.subscription,
+ AssessmentDate=outputs_unix_timestamp(
+ output_options.unix_timestamp, timestamp
+ ),
+ Requirements_Id=requirement_id,
+ Requirements_Description=requirement_description,
+ Requirements_Attributes_Section=attribute.Section,
+ Requirements_Attributes_Profile=attribute.Profile,
+ Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
+ Requirements_Attributes_Description=attribute.Description,
+ Requirements_Attributes_RationaleStatement=attribute.RationaleStatement,
+ Requirements_Attributes_ImpactStatement=attribute.ImpactStatement,
+ Requirements_Attributes_RemediationProcedure=attribute.RemediationProcedure,
+ Requirements_Attributes_AuditProcedure=attribute.AuditProcedure,
+ Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
+ Requirements_Attributes_DefaultValue=attribute.DefaultValue,
+ Requirements_Attributes_References=attribute.References,
+ Status=finding.status,
+ StatusExtended=finding.status_extended,
+ ResourceId=finding.resource_id,
+ ResourceName=finding.resource_name,
+ CheckId=finding.check_metadata.CheckID,
+ )
+ csv_header = generate_csv_fields(
+ Check_Output_CSV_AZURE_CIS
+ )
 elif (
 "AWS-Well-Architected-Framework" in compliance.Framework
 and compliance.Provider == "AWS"
diff --git a/prowler/lib/outputs/file_descriptors.py b/prowler/lib/outputs/file_descriptors.py
index d17cb87f4d..9d296e2605 100644
--- a/prowler/lib/outputs/file_descriptors.py
+++ b/prowler/lib/outputs/file_descriptors.py
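Review bot: `Requirements_Attributes_DefaultValue=attribute.DefaultValue` is passed to `Check_Output_CSV_AZURE_CIS`, but the new class in the models.py hunk declares no such field — its `Requirements_Attributes_DefaultValue: str` line was inserted into `Check_Output_CSV_GCP_CIS` instead. Unless the model config forbids extras, pydantic silently drops the unknown keyword and `generate_csv_fields(Check_Output_CSV_AZURE_CIS)` emits a header without the column, so the Azure CIS CSV never carries the value the new benchmark JSON supplies; conversely the GCP model now has a required field that the GCP branch above this hunk presumably does not populate, which would fail validation at the first GCP CIS row. Move the declaration into the Azure class after `Requirements_Attributes_AdditionalInformation: str` and remove it from the GCP class, or populate it in the GCP branch as well. `fill_compliance` begins and ends outside the hunk.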
@@ -15,6 +15,7 @@
 Check_Output_CSV_AWS_CIS,
 Check_Output_CSV_AWS_ISO27001_2013,
 Check_Output_CSV_AWS_Well_Architected,
+ Check_Output_CSV_AZURE_CIS,
 Check_Output_CSV_ENS_RD2022,
 Check_Output_CSV_GCP_CIS,
 Check_Output_CSV_Generic_Compliance,
@@ -23,6 +24,7 @@
 )
 from prowler.lib.utils.utils import file_exists, open_file
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.azure.lib.audit_info.models import Azure_Audit_Info
 from prowler.providers.common.outputs import get_provider_output_model
 from prowler.providers.gcp.lib.audit_info.models import GCP_Audit_Info
@@ -113,7 +115,16 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
 filename, output_mode, audit_info, Check_Output_CSV_GCP_CIS
 )
 file_descriptors.update({output_mode: file_descriptor})
-
+ elif isinstance(audit_info, Azure_Audit_Info):
+ filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
+ if "cis_" in output_mode:
+ file_descriptor = initialize_file_descriptor(
+ filename,
+ output_mode,
+ audit_info,
+ Check_Output_CSV_AZURE_CIS,
+ )
+ file_descriptors.update({output_mode: file_descriptor})
 elif isinstance(audit_info, AWS_Audit_Info):
 if output_mode == "json-asff":
 filename = f"{output_directory}/{output_filename}{json_asff_file_suffix}"
diff --git a/prowler/lib/outputs/models.py b/prowler/lib/outputs/models.py
index 73382748f8..146131585f 100644
--- a/prowler/lib/outputs/models.py
+++ b/prowler/lib/outputs/models.py
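Review bot: the Azure branch gates the descriptor on `"cis_" in output_mode`, a substring test that also accepts any mode name that merely contains that fragment, and any Azure compliance mode that does not match falls through with no descriptor and no error, which will surface later as a missing key in `file_descriptors`. A prefix test states the intent and the `filename` assignment only needs to run when a descriptor is actually created: `if output_mode.startswith("cis_"):` with the `filename = f"..."` line moved inside the `if`. `fill_file_descriptors` begins and ends outside the hunk, so I cannot tell whether the unmatched case is handled further down.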
@@ -591,6 +591,35 @@ class Check_Output_CSV_GCP_CIS(BaseModel):
 Requirements_Attributes_RemediationProcedure: str
 Requirements_Attributes_AuditProcedure: str
 Requirements_Attributes_AdditionalInformation: str
+ Requirements_Attributes_DefaultValue: str
+ Requirements_Attributes_References: str
+ Status: str
+ StatusExtended: str
+ ResourceId: str
+ ResourceName: str
+ CheckId: str
+
+
+class Check_Output_CSV_AZURE_CIS(BaseModel):
+ """
+ Check_Output_CSV_CIS generates a finding's output in CSV CIS format.
+ """
+
+ Provider: str
+ Description: str
+ Subscription: str
+ AssessmentDate: str
+ Requirements_Id: str
+ Requirements_Description: str
+ Requirements_Attributes_Section: str
+ Requirements_Attributes_Profile: str
+ Requirements_Attributes_AssessmentStatus: str
+ Requirements_Attributes_Description: str
+ Requirements_Attributes_RationaleStatement: str
+ Requirements_Attributes_ImpactStatement: str
+ Requirements_Attributes_RemediationProcedure: str
+ Requirements_Attributes_AuditProcedure: str
+ Requirements_Attributes_AdditionalInformation: str
 Requirements_Attributes_References: str
 Status: str
 StatusExtended: str
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/__init__.py b/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py b/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py
index c616f7c69c..4bf1a0b947 100644
--- a/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py
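Review bot: the docstring of the new `Check_Output_CSV_AZURE_CIS` says `Check_Output_CSV_CIS generates a finding's output in CSV CIS format.` — it names a different class (copied from a sibling) and does not say what sets this model apart, which is the `Subscription` column in place of the AWS/GCP scoping fields. Suggest `"""Check_Output_CSV_AZURE_CIS generates a finding's output in CSV CIS format for Azure, scoped by Subscription."""`. Also worth a glance: the seven `+` lines at the top of the hunk extend `Check_Output_CSV_GCP_CIS` rather than the new class, so check that this placement is what was intended before merging.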
+++ b/prowler/providers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py
@@ -29,5 +29,4 @@ def execute(self) -> Check_Report_Azure:
 break
 findings.append(report)
-
 return findings