зеркало из https://github.com/Azure/CCOInsights.git
29 KiB
29 KiB
Recommendation | Description | Severity | Quick fix enabled? | Resource type | Recommendation type |
---|---|---|---|---|---|
Just-in-time network access control should be applied on virtual machines | Apply just-in-time (JIT) virtual machine (VM) access control to permanently lock down access to selected ports, and enable authorized users to open them, via JIT, for a limited amount of time only. (Related policy: Just-In-Time network access control should be applied on virtual machines) |
High | N | Virtual machine | Network |
Network security groups on the subnet level should be enabled | Enable network security groups to control network access of resources deployed in your subnets. (Related policy: Subnets should be associated with a Network Security Group) |
High/ Medium | N | Subnet | Network |
Virtual machines should be associated with a network security group | Enable Network Security Groups to control network access of your virtual machines. (Related policy: Virtual machines should be associated with a Network Security Group) |
High/ Medium | N | Virtual machine | Network |
Access should be restricted for permissive network security groups with Internet-facing VMs | Harden the network security groups of your Internet-facing VMs by restricting the access of your existing allow rules. (Related policy: Network Security Group Rules for Internet facing virtual machines should be hardened) |
High | N | Virtual machine | Network |
The rules for web applications on IaaS NSGs should be hardened | Harden the network security group (NSG) of your virtual machines that are running web applications, with NSG rules that are overly permissive with regards to web application ports. (Related policy: The NSGs rules for web applications on IaaS should be hardened) |
High | N | Virtual machine | Network |
Access to App Services should be restricted | Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad. (Related policy: [Preview]: Access to App Services should be restricted) |
High | N | App service | Network |
Management ports should be closed on your virtual machines | Harden the network security group of your virtual machines to restrict access to management ports. (Related policy: Management ports should be closed on your virtual machines) |
High | N | Virtual machine | Network |
DDoS Protection Standard should be enabled | Protect virtual networks containing applications with public IPs by enabling DDoS protection service standard. DDoS protection enables mitigation of network volumetric and protocol attacks. (Related policy: DDoS Protection Standard should be enabled) |
High | N | Virtual network | Network |
IP forwarding on your virtual machine should be disabled | Disable IP forwarding. When IP forwarding is enabled on a virtual machine's NIC, the machine can receive traffic addressed to other destinations. IP forwarding is rarely required (for example, when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. (Related policy: [Preview]: IP Forwarding on your virtual machine should be disabled) |
Medium | N | Virtual machine | Network |
Web Application should only be accessible over HTTPS | Enable "HTTPS only" access for web applications. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. (Related policy: Web Application should only be accessible over HTTPS) |
Medium | Y | Web application | Network |
Function App should only be accessible over HTTPS | Enable "HTTPS only" access for function apps. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. (Related policy: Function App should only be accessible over HTTPS) |
Medium | Y | Function app | Network |
Secure transfer to storage accounts should be enabled | Enable secure transfer to storage accounts. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks, such as man-in-the-middle, eavesdropping, and session-hijacking. (Related policy: Secure transfer to storage accounts should be enabled) |
High | Y | Storage account | Network |
Web Application should only be accessible over HTTPS | Limit access of Web Applications over HTTPS only. (Related policy: ) |
Medium | N | App service | Compute |
Function App should only be accessible over HTTPS | Limit access of Function Apps over HTTPS only. (Related policy: ) |
Medium | N | App service | Compute |
API App should only be accessible over HTTPS | Limit access of API Apps over HTTPS only. (Related policy: ) |
Medium | N | App service | Compute |
Remote debugging should be turned off for Web Applications | Turn off debugging for Web Applications if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Web App. (Related policy: Remote debugging should be turned off for Web Application) |
Low | Y | App service | Compute |
Remote debugging should be turned off for Function App | Turn off debugging for Function App if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Function App. (Related policy: Remote debugging should be turned off for Function App) |
Low | Y | App service | Compute |
Remote debugging should be turned off for API App | Turn off debugging for API App if you no longer need to use it. Remote debugging requires inbound ports to be opened on an API App. (Related policy: Remote debugging should be turned off for API App) |
Low | Y | App service | Compute |
CORS should not allow every resource to access your Web Applications | Allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application. (Related policy: CORS should not allow every resource to access your Web Application) |
Low | Y | App service | Compute |
CORS should not allow every resource to access your Function App | Allow only required domains to interact with your function application. Cross origin resource sharing (CORS) should not allow all domains to access your function application. (Related policy: CORS should not allow every resource to access your Function App) |
Low | Y | App service | Compute |
CORS should not allow every resource to access your API App | Allow only required domains to interact with your API application. Cross origin resource sharing (CORS) should not allow all domains to access your API application. (Related policy: CORS should not allow every resource to access your API App) |
Low | Y | App service | Compute |
Diagnostic logs in App Services should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in App Services should be enabled) |
Low | N | App service | Compute |
Diagnostic logs in Azure Stream Analytics should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Azure Stream Analytics should be enabled) |
Low | Y | Compute resources (stream analytics) | Compute |
Diagnostic logs in Batch accounts should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Batch accounts should be enabled) |
Low | Y | Compute resources (batch) | Compute |
Diagnostic logs in Event Hub should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Event Hub should be enabled) |
Low | Y | Compute resources (event hub) | Compute |
Diagnostic logs in Logic Apps should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Logic Apps should be enabled) |
Low | Y | Compute resources (logic apps) | Compute |
Diagnostic logs in Search services should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Search services should be enabled) |
Low | Y | Compute resources (search) | Compute |
Diagnostic logs in Service Bus should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Service Bus should be enabled) |
Low | Y | Compute resources (service bus) | Compute |
Diagnostic logs in Virtual Machine Scale Sets should be enabled | Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes. This is useful when a security incident occurs, or your network is compromised. (Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled) |
Low | N | Virtual machine scale set | Compute |
Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster (Preview) | To provide granular filtering of the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information see Azure role-based access control. (Related policy: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services) |
Medium | N | Compute resources (Containers) | Compute |
The Kubernetes Service should be upgraded to the latest Kubernetes version (Preview) | Upgrade Azure Kubernetes Service clusters to the latest Kubernetes version in order to benefit from up-to-date vulnerability patches. For details regarding specific Kubernetes vulnerabilities see Kubernetes CVEs. (Related policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version) |
High | N | Compute resources (Containers) | Compute |
Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview) | Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access. (Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services) |
Medium | N | Compute resources (Containers) | Compute |
Access to a Kubernetes service management API should be limited by authorizing specific IP ranges only (Preview) | Restrict access to the Kubernetes service management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster. (Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services) |
High | N | Compute resources (Containers) | Compute |
Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys) (Preview) | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers’ security posture and protect them from attacks. (No related policy) |
High | N | Compute resources (Containers) | Compute |
Service Fabric clusters should only use Azure Active Directory for client authentication | Perform Client authentication only via Azure Active Directory in Service Fabric. (Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication) |
High | N | Compute resources (service fabric) | Compute |
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. (Related policy: The ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set) |
High | N | Compute resources (service fabric) | Compute |
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace | Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. (Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace) |
Low | N | Compute resources (service bus) | Compute |
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. (Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace) |
Low | N | Compute resources (event hub) | Compute |
Authorization rules on the Event Hub entity should be defined | Audit authorization rules on the Event Hub entity to grant least-privileged access. (No related policy) |
Low | N | Compute resources (event hub) | Compute |
Install monitoring agent on your virtual machines | Install the Monitoring agent to enable data collection, updates scanning, baseline scanning, and endpoint protection on each machine. (Related policy: Monitoring agent should be enabled on your virtual machines) |
High | Y | Machine | Compute |
Monitoring agent health issues should be resolved on your machines | For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide (No related policy) |
Medium | N | Machine | Compute |
Adaptive Application Controls should be enabled on virtual machines | Enable application control to control which applications can run on your VMs located in Azure. This will help harden your VMs against malware. Security Center uses machine learning to analyze the applications running on each VM and helps you apply allow rules using this intelligence. This capability simplifies the process of configuring and maintaining application allow rules. (Related policy: Adaptive Application Controls should be enabled on virtual machines) |
High | N | Machine | Compute |
Install endpoint protection solution on your machines | Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities. (No related policy) |
Medium | N | Machine | Compute |
Install endpoint protection solution on virtual machines | Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities. (No related policy) |
Medium | N | Machine | Compute |
OS version should be updated for your cloud service roles | Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family. (No related policy) |
High | N | Machine | Compute |
System updates on virtual machine scale sets should be installed | Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets. (Related policy: System updates on virtual machine scale sets should be installed) |
High | N | Virtual machine scale set | Compute |
System updates should be installed on your machines | Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers (Related policy: System updates should be installed on your machines) |
High | N | Machine | Compute |
Your machines should be restarted to apply system updates | Restart your machines to apply the system updates and secure the machine from vulnerabilities. (No related policy) |
Medium | N | Machine | Compute |
Automation account variables should be encrypted | Enable encryption of Automation account variable assets when storing sensitive data. (Related policy: Encryption should be enabled on Automation account variables) |
High | N | Compute resources (automation account) | Compute |
Disk encryption should be applied on virtual machines | Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines. Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service Encryption where the encryption keys are Microsoft-managed keys in Azure. If this meets your compliance and security requirements, you can leverage the default Managed disk encryption to meet your requirements. (Related policy: Disk encryption should be applied on virtual machines) |
High | N | Machine | Compute |
Virtual machines should be migrated to new Azure Resource Manager resources | Use Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. (Related policy: Virtual machines should be migrated to new Azure Resource Manager resources) |
Low | N | Machine | Compute |
Vulnerability assessment solution should be installed on your virtual machines | Install a vulnerability assessment solution on your virtual machines (Related policy: Vulnerability assessment should be installed on virtual machines) |
Medium | N | Machine | Compute |
Vulnerabilities should be remediated by a Vulnerability Assessment solution | Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation. (Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution) |
High | N | Machine | Compute |
Vulnerabilities in security configuration on your machines should be remediated | Remediate vulnerabilities in security configuration on your machines to protect them from attacks. (Related policy: Vulnerabilities in security configuration on your machines should be remediated) |
Low | N | Machine | Compute |
Vulnerabilities in container security configurations should be remediated | Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks. (Related policy: Vulnerabilities in container security configurations should be remediated) |
High | N | Machine | Compute |
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks. (Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated) |
High | N | Virtual machine scale set | Compute |
Endpoint protection health issues should be resolved on your machines | For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide. (No related policy) |
Medium | N | Machine | Compute |
Endpoint protection health failures should be remediated on virtual machine scale sets | Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities. (No related policy) |
Low | N | Virtual machine scale set | Compute |
Endpoint protection solution should be installed on virtual machine scale sets | Install an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. (Related policy: Endpoint protection solution should be installed on virtual machine scale sets) |
High | N | Virtual machine scale set | Compute |
An Azure Active Directory administrator should be provisioned for SQL servers | Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. (Related policy: Audit provisioning of an Azure Active Directory administrator for SQL server) |
High | N | SQL | Data and Storage |
Auditing on SQL server should be enabled | Enable auditing for Azure SQL servers. (Azure SQL service only. Doesn't include SQL running on your virtual machines.) (Related policy: Auditing should be enabled on advanced data security settings on SQL Server) |
Low | Y | SQL | Data and Storage |
Secure transfer to storage accounts should be enabled | Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. (Related policy: Secure transfer to storage accounts should be enabled) |
High | N | Storage account | Data and Storage |
Only secure connections to your Redis Cache should be enabled | Enable only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. (Related policy: Only secure connections to your Redis Cache should be enabled) |
High | N | Redis | Data and Storage |
Transparent Data Encryption on SQL databases should be enabled | Enable transparent data encryption to protect data-at-rest and meet compliance requirements. (Related policy: Transparent Data Encryption on SQL databases should be enabled) |
Low | Y | SQL | Data and Storage |
Diagnostic logs in Data Lake Analytics should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Data Lake Analytics should be enabled) |
Low | Y | Data lake analytics | Data and Storage |
Diagnostic logs in Azure Data Lake Store should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Azure Data Lake Store should be enabled) |
Low | Y | Data lake store | Data and Storage |
Vulnerability assessment should be enabled on your SQL servers | Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. (Related policy: Vulnerability assessment should be enabled on your SQL servers) |
High | Y | SQL | Data and Storage |
Vulnerabilities on your SQL databases should be remediated | SQL Vulnerability Assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature. (Related policy: Vulnerabilities on your SQL databases should be remediated) |
High | N | SQL | Data and Storage |
Access to storage accounts with firewall and virtual network configurations should be restricted | Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific Internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or to public Internet IP address ranges. (Related policy: Audit unrestricted network access to storage accounts) |
Low | N | Storage account | Data and Storage |
Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, and Azure AD-based authentication and support for tags and resource groups for easier security management. (Related policy: Storage accounts should be migrated to new Azure Resource Manager resources) |
Low | N | Storage account | Data and Storage |
MFA should be enabled on accounts with read permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with read privileges to prevent a breach of accounts or resources. (Related policy: MFA should be enabled on accounts with read permissions on your subscription) |
High | N | Subscription | IdentityAndAccess |
MFA should be enabled on accounts with write permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with write privileges to prevent a breach of accounts or resources. (Related policy: MFA should be enabled on accounts with write permissions on your subscription) |
High | N | Subscription | IdentityAndAccess |
MFA should be enabled on accounts with owner permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with owner privileges to prevent a breach of accounts or resources. (Related policy: MFA should be enabled on accounts with owner permissions on your subscription) |
High | N | Subscription | IdentityAndAccess |
External accounts with read permissions should be removed from your subscription | Remove external accounts with read privileges from your subscription in order to prevent unmonitored access. (Related policy: External accounts with read permissions should be removed from your subscription) |
High | N | Subscription | IdentityAndAccess |
External accounts with write permissions should be removed from your subscription | Remove external accounts with write privileges from your subscription in order to prevent unmonitored access. (Related policy: External accounts with write permissions should be removed from your subscription) |
High | N | Subscription | IdentityAndAccess |
External accounts with owner permissions should be removed from your subscription | Remove external accounts with owner privileges from your subscription in order to prevent unmonitored access. (Related policy: External accounts with owner permissions should be removed from your subscription) |
High | N | Subscription | IdentityAndAccess |
Deprecated accounts with owner permissions should be removed from your subscription | Remove deprecated accounts with owner permissions from your subscriptions. (Related policy: Deprecated accounts with owner permissions should be removed from your subscription) |
High | N | Subscription | IdentityAndAccess |
Deprecated accounts should be removed from your subscription | Remove deprecated accounts from your subscriptions to enable access to only current users. (Related policy: Deprecated accounts should be removed from your subscription) |
High | N | Subscription | IdentityAndAccess |
There should be more than one owner assigned to your subscription | Designate more than one subscription owner in order to have administrator access redundancy. (Related policy: There should be more than one owner assigned to your subscription) |
High | N | Subscription | IdentityAndAccess |
A maximum of 3 owners should be designated for your subscription | Designate fewer than three subscription owners in order to reduce the potential for breach by a compromised owner. (Related policy: A maximum of 3 owners should be designated for your subscription) |
High | N | Subscription | IdentityAndAccess |
Diagnostic logs in Key Vault should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Key Vault should be enabled) |
Low | Y | Key Vault | IdentityAndAccess |