McAfee MVISION Cloud

Policy Templates for Azure

This table lists the Policy Templates provided for use with Azure.

For response actions, see Auto-Remediation of Azure Config Audit Policies.

Policy Name

Resource/
Entity type

MVISION Cloud Recommended

CIS v1.0.0 Level 1

CIS v1.0.0  Level 2

CIS v1.1.0 Level 1

CIS v1.1.0 Level 2

CIS v1.2.0 Level 1

CIS v1.2.0 Level 2

CIS v1.3.0 Level 1

CIS v1.3.0 Level 2

PCI DSS v3.2

HIPAA

NIST 800-53 Rev4

Policy Description

"Monitor Disk Encryption" should be enabled in Azure Security Center Security Center   2.6   2.6             164.308(a)(3)(i)   Enable Disk encryption recommendations for virtual machines. When this setting is enabled, it recommends enabling disk encryption in all virtual machines to enhance data protection at rest.
ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" Security Center   2.14   2.14               SI-4 Enable SQL auditing & Threat detection recommendations. When this setting is enabled, it recommends that auditing of access to Azure Database be enabled for compliance and also advanced threat detection, for investigation purposes.
SQL Encryption recommendations should be enabled in Azure Security Center Security Center   2.15   2.15             164.308(a)(3)(i)   Enable SQL Encryption recommendations. When this setting is enabled, it recommends that encryption at rest be enabled for your Azure SQL Database, associated backups, and transaction log files. Even if your data is breached, it will not be readable.
"Monitor Storage Blob Encryption" should be enabled in Azure Security Center Security Center   2.11   2.11             164.308(a)(3)(i)   Enable Storage Encryption recommendations. When this setting is enabled, any new data in Azure Blobs and Files will be encrypted.
Storage Service Encryption should be enabled for Storage Accounts Storage Accounts   3.2                 164.308(a)(3)(i)   Enable data encryption at rest for blobs. Storage service encryption protects your data at rest. Azure Storage encrypts your data as it is written in its data centers, and automatically decrypts it for you as you access it.
Threat detection should be enabled for  SQL databases Database Services   4.2.2                     Enable threat detection on SQL databases. SQL Threat Detection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. SQL Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat.
Threat detection types should be set to "All"  for SQL databases Database Services   4.2.3   4.5                 Enable all types of threat detection on SQL databases. Enabling all threat detection types, you are protected against SQL injection, database vulnerabilities and any other anomalous activities.
Adaptive Application controls should be enabled in Azure Security Center Security Center                       CM-7(2),CM-7(5),CM-11 Security Center recommends that you enable adaptive applications controls on all the virtual machines. Application control helps you deal with malicious and/or unauthorized software, by allowing only specific applications to run on your VMs
Azure resources should be tagged                           A tag is a label that you assign to a resource. Each tag consists of a key and an optional value, both of which you define. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Ensure that user-defined tags (metadata) are being used for labelling, collecting and organizing resources available within your environment.
Deprecated accounts should be removed from the subscription Security Center                       AC-2 Security Center recommends that you remove deprecated accounts from your subscriptions.
Deprecated accounts with owner permissions should be removed from your subscription Security Center                       AC-2 Security Center recommends that you remove deprecated accounts with owner permissions from your subscriptions.
External accounts with owner permissions should be removed from your subscription Security Center                       AC-2 Security Center recommends that you remove external accounts with owner permissions from your subscription in order to prevent unmonitored access.
OS version should be updated Security Center                         Security Center recommends that you update the operating system (OS) version for your Cloud Service to the most recent version available for your OS family.
Network traffic should be routed through NGFW only Security Center                         Security Center recommends that you configure network security group (NSG) rules that force inbound traffic to your VM through your NGFW.
Network security group with non HTTP/HTTPS ports should not have unrestricted access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Ensure that only ports 80 and 443 can be accessed publicly. Unrestricted access could lead to unauthorized access to data or lead to an accidental breach.
Network security groups should not have unrestricted CIFS access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Ensure that access through port 445 (CIFS) is restricted to required entities only. CIFS is a commonly used protocol for communication and sharing data. Unrestricted access could lead to unauthorized access to data.
Network security groups should not have unrestricted DNS access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using DNS, ensure that access through port 53 is restricted to required entities only.
Network security groups should not have unrestricted FTP access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Ensure that access through port 20/21 (FTP) is restricted to required entities only. FTP is a commonly used protocol for sharing data. Unrestricted access could lead to unauthorized access to data or lead to an accidental breach.
Network security groups should not have unrestricted MongoDB access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using MongoDB, ensure that access through port 27017, used for MongoDB, is restricted to required entities only.
Network security groups should not have unrestricted MSSQL access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using MSSQL, ensure that access through port 1433, used for MSSQL, is restricted to required entities only.
Network security groups should not have unrestricted MSSQL (UDP) access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Check your security groups for inbound rules that allow unrestricted access to UDP port 1434 and restrict access to required IP addresses only. UDP port 1434 is used by the Microsoft SQL Server.
Network security groups should not have unrestricted MySQL access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using MySQL, ensure that access through port 3306, used for MySQL, is restricted to required entities only.
Network security groups should not have unrestricted NetBIOS (UDP) access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using NetBIOS, ensure that access through 137/138 (UDP) are restricted to required entities only.
Network security groups should not have unrestricted NetBIOS access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using NetBIOS, ensure that access through port 139 (TCP) are restricted to required entities only.
Network security groups should not have unrestricted Oracle DB access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using Oracle DB, ensure that access through port 1521, used for Oracle DB, is restricted to required entities only.
Network security groups should not have unrestricted PostgreSQL access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using PostgreSQL, ensure that access through port 5432, used for PostgreSQL, is restricted to required entities only.
Network security groups should not have unrestricted RPC access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using RPC, ensure that access through port 135, used for RPC, is restricted to required entities only.
Network security groups should not have unrestricted SMTP access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 If you are using SMTP, ensure that access through port 25, used for SMTP, is restricted to required entities only. Unrestricted SMTP access can be misused to spam your enterprise, DDOS, etc.
Network security groups should not have unrestricted VNC Listener access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Check your security groups for inbound rules that allow unrestricted access to TCP port 5500 and restrict access to required IP addresses only. TCP port 5500 is used by the VNC Listener
Network security groups should not have unrestricted VNC Server access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Check your security groups for inbound rules that allow unrestricted access to TCP port 5900 and restrict access to required IP addresses only. TCP port 5900 is used by the VNC Server
Network security groups should not have unrestricted RDP access Networking   6.1   6.1   6.1   6.1   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Disable RDP access on Network Security Groups from Internet. The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use your virtual machine as a launch point for compromising other machines on your Azure Virtual Network or even attack networked devices outside of Azure.
Network security groups should not have unrestricted SSH access Networking   6.2   6.2   6.2   6.2   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Disable SSH access on Network Security Groups from Internet. The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use your virtual machine as a launch point for compromising other machines on your Azure Virtual Network or even attack networked devices outside of Azure.
Network security groups should not have unrestricted Telnet access Networking                   1.2.1 164.308(a), 164.308(a)(1)(ii)(B) SC-7 Disable unrestricted access on Network Security Groups (i.e. 0.0.0.0/0) on TCP port 23 and restrict access to only those IP addresses that require it in order to implement the principle of least privilege and reduce the possibility of a breach. TCP port 23 is used by the Telnet server application (telnetd). Telnet is usually used to check whether a client is able to make TCP/IP connections to a particular service.
Azure blob storage containers should not be world readable Storage Accounts                         Risk of unauthorized access or loss of customer data increases with an Azure Blob Storage container that grants READ permissions access to everyone or Azure signed users. Malicious users can exploit the information acquired through the listing process to find objects with misconfigured Access Control Lists (ACLs) permissions and access these compromised objects. This is a Skyhigh recommended best practice.
VM agents should be installed on Virtual Machines Virtual Machines   7.1   Deprecated                 Install VM agent on Virtual Machines. The VM agent must be installed on Azure virtual machines (VMs) in order to enable Azure Security center for data collection. Security Center collects data from your virtual machines (VMs) to assess their security state, provide security recommendations, and alert you to threats.
A maximum of 3 owners should be designated for your subscription Security Center                       AC-5, AC-6(7) Security Center recommends that you designate less than 3 subscription owners in order to reduce the potential for breach by a compromised owner.
Auditing on SQL server should be enabled Database Services   4.1   4.1   4.1.1   4.1.1     164.308(a)(1)(ii)(D)   Security Center recommends that you enabled auditing on SQL servers to track database activities across all databases on the server and save them in an audit log.
User defined tags should be used for labeling Azure resources                           Ensure that user-defined tags (metadata) are being used for labeling, collecting and organizing resources available within your Azure environment.
Custom domains should be used for Function App Security Center                         Security Center recommends that you use custom domains to protect a function app from common attacks such as phishing and other DNS-related attacks.
Custom domains should be used for Web application Security Center                         Security Center recommends that you use custom domains to protect a web application from common attacks such as phishing and other DNS-related attacks.
Disk encryption should be applied on your Virtual Machines Security Center                     164.308(a)(3)(i)   Security Center recommends that you encrypt your VM disks using Azure Disk Encryption (Windows and Linux VMs). Encryption is recommended for both the OS and data volumes on your VM.
Endpoint protection health issues should be resolved on your machines Security Center                         Security Center recommends that you resolve health issues of VMs.
External accounts with read permissions should be removed from your subscription Security Center                       AC-2 Security Center recommends that you remove external accounts with read privileges from your subscription in order to prevent unmonitored access.
External accounts with write permissions should be removed from your subscription Security Center                       AC-2 Security Center recommends that you remove external accounts with write privileges from your subscription in order to prevent unmonitored access.
Latest supported PHP version should be used for Web Application AppService   9.7   9.7   9.7   9.6         Security Center recommends that you use the latest PHP version for the latest security classes. Using older classes and types can make your application vulnerable.
Latest supported Python version should be used for Web Application AppService   9.8   9.8   9.8   9.7         Security Center recommends that you use the latest Python version for the latest security classes. Using older classes and types can make your application vulnerable.
MFA for accounts with owner permissions on the subscription should be enabled Security Center                       IA-2(1) Security Center recommends that you enable Multi-Factor Authentication (MFA) for all subscription accounts with administrator privileges to prevent a breach of accounts or resources.
MFA for accounts with read permissions on subscription not enabled Security Center                       IA-2(2) Security Center recommends that you enable Multi-Factor Authentication (MFA) for all subscription accounts with read privileges to prevent a breach of accounts or resources.
MFA for accounts with write permissions on the subscription should be enabled Security Center                       IA-2(1) Security Center recommends that you enable Multi-Factor Authentication (MFA) for all subscription accounts with write privileges to prevent a breach of accounts or resources.
Monitoring agent health issues should be resolved on virtual machines Security Center                         Security Center recommends to resolve Microsoft Monitoring Agent health issues on VMs to complete their security coverage.
Monitoring agent should be installed on virtual machine scale sets Security Center                         Security Center recommends to install the Microsoft Monitoring Agent on VMs to complete their security coverage, VMs should be covered by Security Center's monitoring, assessments and threat detections.
There should be more than one owner assigned to your subscription Security Center                       AC-5, AC-6(7) Security Center recommends that you designate more than one subscription owner in order to have administrator access redundancy.
Vulnerabilities in security configuration on the machines should be remediated Security Center                         Security Center recommends that you align your OS configurations with the recommended security configuration rules, for example, do not allow passwords to be saved.
Unrestricted network access should be disabled in storage account Security Center                   1.2.1   AC-17(1), SC-7 Security Center recommends to configure network rules and disable unrestricted network access in your storage account firewall settings. So that only applications from allowed networks can access the storage account
Auditing on SQL databases should be enabled SQL Database   4.1   4.1   4.1.1   4.1.1   10.1, 10.2, 10.3, 10.5, 1.1.1 164.308(a)(1)(ii)(D), 164.312(b)   Enable auditing on SQL databases. Auditing tracks database events and writes them to an audit log in your Azure storage account.
Log Profile should be enabled Logging and Monitoring   5.1.1   5.1.1                 Enable log profile for exporting activity logs. A Log Profile controls how your Activity Log is exported. By default, activity logs are retained only for 90 days. It is thus recommended to define a log profile using which you could export the logs and store them for a longer duration for analyzing security activities within your Azure subscription.
Data collection should be enabled in Security Center Security Center       2.2   2.9   2.11         Enable Automatic provisioning of monitoring agent to collect security data. When Automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection and provides alerts.
"Monitor Endpoint protection" should be enabled in Azure Security Center Security Center   2.5   2.5               SI-3, SI-3(1) Enable Endpoint protection recommendations for virtual machines. When this setting is enabled, it recommends endpoint protection be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software.
"Monitor Network Security groups" should be enabled in Azure Security Center Security Center   2.7   2.7                 Enable Network security groups recommendations for virtual machines. When this setting is enabled, it recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints. Network security groups that are configured for a subnet is inherited by all virtual machine network interfaces unless otherwise specified. In addition to checking that a network security group has been configured, this policy assesses inbound security rules to identify rules that allow incoming traffic.
"Enable Next Generation Firewall monitoring" should be enabled in Azure Security Center Security Center   2.9   2.9                 Enable Next generation firewall recommendations for virtual machines. When this setting is enabled, it extends network protections beyond network security groups, which are built into Azure. Security Center will discover deployments for which a next generation firewall is recommended and enable you to provision a virtual appliance.
"Monitor OS vulnerabilities" should be enabled in Azure Security Center Security Center   2.4   2.4                 Enable OS vulnerabilities recommendations for virtual machines. When this setting is enabled, it analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to address these vulnerabilities.
"Secure Transfer required" should be set to 'Enabled' Storage Accounts   3.1   3.1   3.1   3.1   4.1 164.308(a)(3)(i), 164.312(a)(2)(iv), 164.312 (e)(1) , 164.312 (e)(2)(ii) SC-8(1) Enable data encryption is transit. The secure transfer option enhances the security of your storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPs. Any requests using HTTP will be rejected when secure transfer required is enabled. When you are using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. 
'Security Contact Emails' should be set in Security Center Security Center   2.16   2.16                 Provide a security contact email address. This ensures that you are aware of any potential compromise and you can timely mitigate the risk.
Security Contact Phone number should be set in Security Center Security Center   2.17   2.17                 Provide a security contact phone number. This ensures that you are aware of any potential compromise and you can timely mitigate the risk.
Transparent Data encryption should be enabled on SQL databases Security Center   2.3                     Enable system updates recommendations for virtual machines. When this setting is enabled, it retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that is configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.
Transparent Data Encryption on SQL databases Database Services   4.2.6   4.9   4.1.2   4.1.2     164.308(a)(3)(i), 164.312(a)(2)(iv), 164.312 (e)(1), 164.312 (e)(2)(ii) SC-28(1) Encrypt database. Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
Vulnerability Assessment should be enabled in Azure Security Center Security Center   2.1   2.10               RA-5, SI-2 Enable Vulnerability assessment recommendations for virtual machines. When this setting is enabled, it recommends that you install a vulnerability assessment solution on your VM.
"Monitor Web Application Firewall" should be enabled in Azure Security Center Security Center   2.8   2.8                 Enable Web application firewall recommendations for virtual machines. When this setting is enabled, it recommends that a web application firewall is provisioned on virtual machines when either of the following is true: Instance-level public IP (ILPIP) is used and the inbound security rules for the associated network security group are configured to allow access to port 80/443.Load-balanced IP is used and the associated load balancing and inbound network address translation (NAT) rules are configured to allow access to port 80/443.
"Monitor Adaptive Application Whitelisting" should be enabled in Azure Security Center Security Center   2.13   2.13                 Monitor Adaptive Application Controls is recommended to be enabled in Security Center.
All resources should not be allowed to access your application Security Center                         Security Center recommends that you do not set WEBSITE_LOAD_CERTIFICATES parameter to '*'. Setting the parameter to '*' means that all certificates will be loaded to your web applications personal certificate store. This can lead to abuse of the principle of least privilege as it is unlikely that the site needs access to all certificates at runtime.
Application protection should be finalized Security Center                         Security Center recommends that to complete the configuration of a WAF, traffic must be rerouted to the WAF appliance.
An Azure Active Directory administrator should be provisioned for SQL servers Database Services   4.19   4.19   4.4   4.4         Security Center recommends to enable Azure AD authentication for your SQL server. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
CORS should not allow every resource to access your Function App Security Center                         Security Center recommends that you allow only required domains to interact with your function. Cross origin resource sharing (CORS) should not allow all domains to access your function application.
CORS should not allow every resource to access your Web App Security Center                       AC-4 Security Center recommends that you allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application.
Virtual Machines should be rebooted after system updates Security Center                         Security Center recommends that you reboot a VM to complete the process of applying system updates.
Diagnostic logs in Event Hub should be enabled Security Center                       AU-12 Security Center recommends that logs be enabled and retained for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Function App should only be accessible over HTTPS Security Center                         Security Center recommends that you limit access of Function apps over HTTPS only.
IP restrictions for Function App should be configured Security Center                   1.2.1     Security Center recommends that you define a list of IP addresses that are allowed to access your application. Use of IP restrictions protects a function app from common attacks.
IP restrictions for Web App should be configured Security Center                   1.2.1     Security Center recommends that you define a list of IP addresses that are allowed to access your application. Use of IP restrictions protects a web application from common attacks.
Latest supported  .NET framework version should be used for Web Application AppService   9.6   9.6   9.6             Security Center recommends that you use the latest .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable.
Latest supported Java version should be used for Web Application AppService   9.9   9.9   9.9   9.8         Security Center recommends that you use the latest Java version for the latest security classes. Using older classes and types can make your application vulnerable.
Latest supported Node.js version should be used for Web Application Security Center                         Security Center recommends that you use the latest Node.js version for the latest security classes. Using older classes and types can make your application vulnerable.
Monitor access rules in Event Hub namespaces should be enabled in Security Center Security Center                         Monitor access rules in Event Hub namespaces is recommended to be enabled in Security Center.
Monitor access rules in Event Hubs should be enabled in Security Center Security Center                         Monitor access rules in Event Hubs is recommended to be enabled in Security Center.
Monitor Azure Active Directory Authentication in Service Fabric should be enabled in Security Center Security Center                       AC-2(7) Monitor Azure Active Directory Authentication in Service Fabric is recommended to be enabled in Security Center.
Monitor classic compute VMs should be enabled in Security Center Security Center                         Monitor classic compute VMs is recommended to be enabled in Security Center.
Monitor classic storage accounts should be enabled in Security Center Security Center                         Monitor classic storage accounts is recommended to be enabled in Security Center.
ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set  Security Center                         Monitor cluster protection level in Service Fabric is recommended to be enabled in Security Center.
Monitor Configure IP restrictions for API App should be enabled in Security Center Security Center                         Monitor Configure IP restrictions for API App is recommended to be enabled in Security Center.
Monitor Configure IP restrictions for Function App should be enabled in Security Center Security Center                         Monitor Configure IP restrictions for Function App is recommended to be enabled in Security Center.
Monitor Configure IP restrictions for Web App should be enabled in Security Center Security Center                         Monitor Configure IP restrictions for Web App is recommended to be enabled in Security Center.
Monitor diagnostic logs in Azure App Services should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Azure App Services is recommended to be enabled in Security Center.
Monitor diagnostic logs in Azure Redis Cache should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Azure Redis Cache is recommended to be enabled in Security Center.
Diagnostic logs in Azure Search service should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Azure Search service is recommended to be enabled in Security Center.
Diagnostic logs in Batch accounts should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Batch accounts is recommended to be enabled in Security Center.
Diagnostic logs in Data Lake Analytics accounts should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Data Lake Analytics accounts is recommended to be enabled in Security Center.
Diagnostic logs in Data Lake Store accounts should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Data Lake Store accounts is recommended to be enabled in Security Center.
Diagnostic logs in Event Hub accounts should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Event Hub accounts is recommended to be enabled in Security Center.
Diagnostic logs in Key Vault should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Key Vault vaults is recommended to be enabled in Security Center.
Diagnostic logs in Logic Apps should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Logic Apps workflows is recommended to be enabled in Security Center.
Diagnostic logs in Service Bus should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Service Bus is recommended to be enabled in Security Center.
Diagnostic logs in Service Fabric should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Service Fabric is recommended to be enabled in Security Center.
Diagnostic logs in Stream Analytics should be enabled in Security Center Security Center                       AU-12 Monitor diagnostic logs in Stream Analytics is recommended to be enabled in Security Center.
Remote debugging should be disabled for API App in Security Center Security Center                       AC-17(1) Monitor disable remote debugging for API App is recommended to be enabled in Security Center.
Remote debugging should be disabled for Function App in Security Center Security Center                       AC-17(1) Monitor disable remote debugging for Function App is recommended to be enabled in Security Center.
Remote debugging should be disabled for Web App in Security Center Security Center                       AC-17(1) Monitor disable remote debugging for Web App is recommended to be enabled in Security Center.
Web sockets for API App should be disabled in Security Center Security Center                         Monitor disable web sockets for API App is recommended to be enabled in Security Center.
Web sockets for Function App should be disabled in Security Center Security Center                         Monitor disable web sockets for Function App is recommended to be enabled in Security Center.
Web sockets for Web App should be disabled in Security Center Security Center                         Monitor disable web sockets for Web App is recommended to be enabled in Security Center.
Unrestricted network access to storage account should be disabled in Security Center Security Center                         Monitor disabling of unrestricted network access to storage account is recommended to be enabled in Security Center.
Encryption should be enabled on Automation account variables in Security Center Security Center                         Monitor encryption of automation accounts is recommended to be enabled in Security Center.
"Monitor maximum number of owners" should be enabled in Security Center Security Center                         Monitor maximum number of owners is recommended to be enabled in Security Center.
Metric alerts in Batch accounts should be enabled in Security Center Security Center                         Monitor metric alerts in Batch accounts is recommended to be enabled in Security Center.
MFA on accounts with owner permissions on the subscription should be enabled in Security Center Security Center                         Monitor MFA for accounts with owner permissions is recommended to be enabled in Security Center.
MFA for accounts with read permissions should be enabled in Security Center Security Center                         Monitor MFA for accounts with read permissions is recommended to be enabled in Security Center.
MFA for accounts with write permissions should be enabled in Security Center Security Center                         Monitor MFA for accounts with write permissions is recommended to be enabled in Security Center.
Minimum number of owners should be enabled in Security Center Security Center                         Monitor minimum number of owners is recommended to be enabled in Security Center.
Built-in RBAC rules should be enabled in Security Center Security Center                         Monitor of using built-in RBAC rules is recommended to be enabled in Security Center.
Remove deprecated accounts should be enabled in Security Center Security Center                         Monitor remove deprecated accounts is recommended to be enabled in Security Center.
Remove deprecated accounts with owner permissions should be enabled in Security Center Security Center                         Monitor remove deprecated accounts with owner permissions is recommended to be enabled in Security Center.
Remove external accounts with owner permissions should be enabled in Security Center Security Center                         Monitor remove external accounts with owner permissions is recommended to be enabled in Security Center.
Remove external accounts with read permissions should be enabled in Security Center Security Center                         Monitor remove external accounts with read permissions is recommended to be enabled in Security Center.
Remove external accounts with write permissions should be enabled in Security Center Security Center                         Monitor remove external accounts with write permissions is recommended to be enabled in Security Center.
Service Bus namespace authorization rules should be enabled in Security Center Security Center                         Monitor Service Bus namespace authorization rules is recommended to be enabled in Security Center.
"Monitor SQL Encryption" should be enabled in Azure Security Center Security Center                     164.308(a)(3)(i)   Monitor SQL Db encryption is recommended to be enabled in Security Center.
"Monitor SQL Auditing" should be enabled in Azure Security Center Security Center   2.14   2.14               AU-12 Monitor SQL Servers auditing is recommended to be enabled in Security Center.
"Monitor SQL Vulnerability Assessment results" should be enabled in Azure Security Center Security Center   2.10   2.1                 Monitor SQL vulnerability assessment results is recommended to be enabled in Security Center.
CORS restrictions for API App should be enabled in Security Center Security Center                         Monitor the CORS restrictions for API App is recommended to be enabled in Security Center.
CORS restrictions for API Function should be enabled in Security Center Security Center                         Monitor the CORS restrictions for API Function is recommended to be enabled in Security Center.
CORS restrictions for API Web should be enabled in Security Center Security Center                         Monitor the CORS restrictions for API Web is recommended to be enabled in Security Center.
Custom domain use in API App should be enabled in Security Center Security Center                         Monitor the custom domain use in API App is recommended to be enabled in Security Center.
Custom domain use in Function App should be enabled in Security Center Security Center                         Monitor the custom domain use in Function App is recommended to be enabled in Security Center.
Custom domain use in Web App should be enabled in Security Center Security Center                         Monitor the custom domain use in Web App is recommended to be enabled in Security Center.
Provisioning of an Azure AD administrator for SQL server should be enabled in Security Center Security Center                       AC-2(7) Monitor the provisioning of an Azure AD administrator for SQL server is recommended to be enabled in Security Center.
Secure transfer to storage accounts should be enabled Security Center                         Monitor the secure transfer to storage account is recommended to be enabled in Security Center.
Use of HTTPS in API App should be enabled in Security Center Security Center                       SC-8(1) Monitor the use of HTTPS in API App is recommended to be enabled in Security Center.
Use of HTTPS in Function App should be enabled in Security Center Security Center                       SC-8(1) Monitor the use of HTTPS in Function App is recommended to be enabled in Security Center.
Use of HTTPS in Web App should be enabled in Security Center Security Center                       SC-8(1) Monitor the use of HTTPS in Web App is recommended to be enabled in Security Center.
Use latest DotNet version in API App should be enabled in Security Center Security Center                         Monitor use latest DotNet in API App is recommended to be enabled in Security Center.
Use latest DotNet version in Web App should be enabled in Security Center Security Center                         Monitor use latest DotNet in Web App is recommended to be enabled in Security Center.
Use latest Java version in API App should be enabled in Security Center Security Center                         Monitor use latest Java in API App is recommended to be enabled in Security Center.
Use latest Java version in Web App should be enabled in Security Center Security Center                         Monitor use latest Java in Web App is recommended to be enabled in Security Center.
Use latest Node js version in Web App should be enabled in Security Center Security Center                         Monitor use latest Node js in Web App is recommended to be enabled in Security Center.
Use latest PHP version in API App should be enabled in Security Center Security Center                         Monitor use latest PHP in API App is recommended to be enabled in Security Center.
Use latest PHP version in Web App should be enabled in Security Center Security Center                         Monitor use latest PHP in Web App is recommended to be enabled in Security Center.
Use latest Python version in API App should be enabled in Security Center Security Center                         Monitor use latest Python in API App is recommended to be enabled in Security Center.
Use latest Python version in Web App should be enabled in Security Center Security Center                         Monitor use latest Python in Web App is recommended to be enabled in Security Center.
DDoS Protection Standard should be enabled in Security Center Security Center                       SC-5 Monitor use of DDoS protection for virtual network is recommended to be enabled in Security Center.
Remote debugging should be turned off for Function App Security Center                       AC-17(1) Security Center recommends that you turn off remote debugging for a Function App if you no longer need it. Remote debugging requires inbound ports to be opened on the Function App.
Remote debugging should be turned off for Web Application Security Center                       AC-17(1) Security Center recommends that you turn off remote debugging for a Web Application if you no longer need it. Remote debugging requires inbound ports to be opened on the Web Application.
System Configurations should be enabled in Security Center Security Center                         Monitor System Configurations is recommended to be enabled in Security Center.
Vulnerability assessment solution should be installed on your virtual machines Security Center                       RA-5, SI-2 Security Center recommends that you install a vulnerability assessment solution on your VM.
Web app should redirect all HTTP traffic to HTTPS in Azure App Service  AppService   9.2   9.2   9.2   9.2       SC-7 Security Center recommends that you limit access to the Web Application to HTTPS only.
Web Sockets should be disabled for Function Application Security Center                         Security Center recommends that you carefully review the use of Web Sockets within Function Apps. The Web Sockets protocol is vulnerable to different types of security threats.
Web Sockets should be disabled for Web Application Security Center                         Security Center recommends that you carefully review the use of Web Sockets within web applications. The Web Sockets protocol is vulnerable to different types of security threats.
Email service and co-administrators should be enabled for SQL databases SQL Database   4.7   4.7           10.1, 10.2, 10.3 164.312(b)   Enable service and co-administrators to receive security alerts from SQL databases. Providing the email address to receive alerts ensures that any detection of anomalous activities is reported as soon as possible, making it more likely to mitigate any potential risk sooner.
Latest OS Patches updates should be enabled for Virtual Machines Virtual Machines   7.5   7.5   7.5   7.5       SI-2 Ensure latest OS patches for Virtual Machines. Windows and Linux virtual machines should be kept updated to address a specific bug or flaw, improve an OS's or application's general stability, and fix security vulnerabilities.
Activity Logs should be integrated with Azure Monitor Logging and Monitoring                         Azure Activity Log provides insight into subscription-level events that have occurred in your Azure subscription. Monitoring solutions typically collect log data and provide queries and views to analyze the collected data. Activity log alerts using Azure Monitor can be used to create, view, and manage activity log alerts.
"Monitor maximum number of owners" should be enabled in Security Center Security Policy                         Monitor maximum number of owners is recommended to be enabled in Security Center.
Network Security Group should not have excessive inbound access Networking                         Ensure that excessive permissions to access network security groups are not specified, such as using RFC 1918 ranges to allow-list large ranges of IP addresses. Only specific private IP addresses must have inbound access.
Network security group should have specific ports configured Networking                         Ensure that ranges of ports are not open on your network security groups. Leaving large ranges of ports open leads to vulnerabilities potentially being exposed. In addition, attackers can scan ports and expose vulnerabilities of hosted applications without easy traceability when large port ranges are open.
NSG Flow logs should be enabled Networking                         Network security group (NSG) flow logs allows you to view information about ingress and egress IP traffic through an NSG. Enabling Flow logs on all NSGs will ensure that all traffic is recorded.
'Send email also to subscription owners' should be 'ON' Security Center   2.19   2.19                 Enable security alerts emailing to security contact. This ensures that you are aware of any potential security issues and you can mitigate the risk in a timely manner.
'Send email notification for high severity alerts' should be 'ON' Security Center   2.18   2.18   2.12   2.14         Enable security alerts emailing to subscription owners. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely manner.
The storage account used to store activity logs should not be unencrypted Logging and Monitoring                         Archiving the Activity Log to a storage account is useful if you would like to retain your log data longer than 90 days. Storage service encryption protects your data at rest. Azure Storage encrypts your data as it is written in its data centers, and automatically decrypts it for you as you access it.
Data disks should not be unencrypted Disk                         Encrypting your IaaS VM's Data disks (non-boot volume) ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.
OS disks should not be unencrypted Disk                          
The storage account should not have unrestricted access to wide network Storage Accounts                         Storage accounts accept connections from clients on any network. Configure storage accounts to deny access to traffic from wide networks and add firewall rules to access specified set of networks for accessing a storage account.
The storage account used to store activity logs should not have unrestricted access Logging and Monitoring                         Archiving the Activity Log to a storage account is useful if you would like to retain your log data longer than 90 days. Storage accounts accept connections from clients on any network. Configure storage accounts to deny access to traffic from all networks and add firewall rules to access specified set of networks for accessing a storage account.
SQL servers should not have unrestricted access Networking                         The risk of unauthorized access or loss of customer data increases with unrestricted access to SQL Server instances.
Storage account should not have unrestricted access Storage Accounts                         Storage accounts accept connections from clients on any network. Configure storage accounts to deny access to traffic from all networks and add firewall rules to access specified set of networks for accessing a storage account.
Network Security Groups should not have unrestricted inbound access Networking                         Allowing unrestricted inbound access to uncommon ports can increase opportunities for malicious activity such as hacking, data loss and multiple other types of attacks (brute-force attacks, Denial of Service (DoS) attacks, etc.).
"Monitor JIT Network Access" should be enabled in Azure Security Center Security Center     2.12   2.12             AC-2(12), SC-7(4) Enable JIT Network Access for virtual machines. When this setting is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic should be locked down. Just-in-time virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

Deprecated Policy Templates

The following Policy Templates for Azure are deprecated in MVISION Cloud 5.2.0. 

Policy Name Comments Web Link
Unencrypted activity logs in storage account

As per Azure, post-June 2017: Storage Service Encryption is enabled by default and cannot be disabled.

Also, as part of the latest CIS benchmark 1.1.0, the control "3.6 Ensure that Storage service encryption is set to enabled for File Service" is marked as deleted.

Hence the policy is deprecated.

https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/
 
Storage Service Encryption for Storage Accounts
 

As per Azure, post-June 2017: Storage Service Encryption is enabled by default and cannot be disabled.

Also, as part of the latest CIS benchmark 1.1.0, the control "3.6 Ensure that Storage service encryption is set to enabled for File Service" is marked as deleted.

Hence the policy is deprecated.

https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/
 
Latest OS Patch Updates Enabled for Virtual Machines

1: This policy depends on the "osProfile.windowsConfiguration.enableAutomaticUpdates" property. As this property is not returned for Linux OS, this policy will not work for Linux OS VMs.

2: If you create a Windows machine from the Azure Portal, the "osProfile.windowsConfiguration.enableAutomaticUpdates" property is true by default and cannot be updated after the VM is created.

3: Even though osProfile.windowsConfiguration.enableAutomaticUpdates is true by default for Windows VMs, the Azure Portal still shows an option to enable Update Management for Windows VMs, which it should not.

4: If you create a VM with Update Management disabled using the REST API, "osProfile.windowsConfiguration.enableAutomaticUpdates" will return false. Even after enabling Update Management, "osProfile.windowsConfiguration.enableAutomaticUpdates" will still return false in data collection.

Due to the limitations mentioned above, the policy is deprecated.

Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. You need to manage your VM updates.
 
https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas#manage-operating-systems
 
Enable VM agent on Virtual Machines

We depend on Azure APIs to check whether the VM agent is installed in a VM. The configuration parameter used for this check is "provisionVMAgent". Even if the agent is installed manually, the API always returns the value of this parameter as false.

Also, as part of the latest CIS benchmark 1.1.0, the control "7.1 Ensure that VM agent is installed" is marked as deleted.

Hence the policy is deprecated.

https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get