ASCPoliciesCoverage.md

File metadata and controls

170 lines (88 loc) · 18.6 KB

IMPORTANT: DevOps Kit (AzSK) is being sunset by end of FY21. More details here


List of 'ASC default initiative' policies enabled via AzSK

Mandatory ASC policies

| Policy | Description |
| --- | --- |
| Audit remote debugging state for an API App | Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off. |
| Audit remote debugging state for a Function App | Remote debugging requires inbound ports to be opened on a function app. Remote debugging should be turned off. |
| Audit remote debugging state for a Web Application | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. |
| Audit HTTPS only access for an API App | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
| Audit HTTPS only access for a Function App | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
| Audit HTTPS only access for a Web Application | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |
| Audit enabling of only secure connections to your Redis Cache | Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. |
| Audit usage of Azure Active Directory for client authentication in Service Fabric | Audit usage of client authentication only via Azure Active Directory in Service Fabric. |
| Audit the setting of ClusterProtectionLevel property to EncryptAndSign in Service Fabric | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to EncryptAndSign to ensure that all node-to-node messages are encrypted and digitally signed. |
| Audit SQL servers without Advanced Data Security | Audit SQL servers without Advanced Data Security. |
| Audit provisioning of an Azure Active Directory administrator for SQL server | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. |
| Monitor unencrypted SQL databases in Azure Security Center | Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. |
| Audit unrestricted network access to storage accounts | Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |
| Audit secure transfer to storage accounts | Audit the requirement of secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. |
| Audit external accounts with owner permissions on a subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |
| Audit external accounts with write permissions on a subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |
| Audit external accounts with read permissions on a subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |
| Audit deprecated accounts on a subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |
| Audit use of classic storage accounts | Use the new Azure Resource Manager v2 for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. |
| Audit use of classic virtual machines | Use the new Azure Resource Manager v2 for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. |
| Monitor unencrypted VM Disks in Azure Security Center | VMs without disk encryption enabled will be monitored by Azure Security Center as recommendations. |
| Monitor OS vulnerabilities in Azure Security Center | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. |
| Monitor VM Vulnerabilities in Azure Security Center | Monitors vulnerabilities detected by a Vulnerability Assessment solution, and VMs without a Vulnerability Assessment solution, in Azure Security Center as recommendations. |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. |
| Monitor missing system updates in Azure Security Center | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. |
| Audit OS vulnerabilities on your virtual machine scale sets in Azure Security Center | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |
| Audit the endpoint protection solution on virtual machine scale sets in Azure Security Center | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. |
| Audit any missing system updates on virtual machine scale sets in Azure Security Center | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |
| Monitor SQL vulnerability assessment results in Azure Security Center | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. |
| Audit accounts with owner permissions who are not MFA enabled on a subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |
| Audit accounts with write permissions who are not MFA enabled on a subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |
| Audit accounts with read permissions who are not MFA enabled on a subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |
| Audit standard tier of DDoS protection is enabled for a virtual network | DDoS Protection Standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |
| Audit SQL managed instances without Advanced Data Security | Audit SQL managed instances without Advanced Data Security. |

Optional ASC policies

| Policy | Description |
| --- | --- |
| Audit CORS resource access restrictions for an API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. |
| Audit CORS resource access restrictions for a Function App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |
| Audit CORS resource access restrictions for a Web Application | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. |
| Audit enabling of diagnostic logs in App Services | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |
| Audit enablement of encryption of Automation account variables | It is important to enable encryption of Automation account variable assets when storing sensitive data. |
| Audit enabling of diagnostic logs in Batch accounts | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit configuration of metric alert rules on Batch accounts | Audit configuration of metric alert rules on Batch accounts to enable the required metric. |
| Audit enabling of diagnostic logs in Data Lake Analytics | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit enabling of diagnostic logs in Azure Data Lake Store | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit enabling of diagnostic logs in Event Hub | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit authorization rules on Event Hub namespaces | Event Hub clients should not use a namespace-level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. |
| Audit existence of authorization rules on Event Hub entities | Audit existence of authorization rules on Event Hub entities to grant least-privileged access. |
| Audit enabling of diagnostic logs in Key Vault | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit enabling of diagnostic logs in Logic Apps | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit enabling of diagnostic logs for Search service | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit enabling of diagnostic logs in Service Bus | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit authorization rules on Service Bus namespaces | Service Bus clients should not use a namespace-level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. |
| Audit enabling of diagnostic logs in Service Fabric and Virtual Machine Scale Sets | It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. |
| Audit SQL server level Auditing settings | Audits the existence of SQL Auditing at the server level. |
| Monitor unaudited SQL servers in Azure Security Center | SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. |
| Audit enabling of diagnostic logs in Azure Stream Analytics | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Audit usage of custom RBAC rules | Audit the use of built-in roles such as 'Owner', 'Contributor' and 'Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. |
| Audit maximum number of owners for a subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |
| Audit minimum number of owners for subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |
| Audit deprecated accounts with owner permissions on a subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |
| [Preview]: Monitor open management ports on Virtual Machines | Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |
| Monitor Internet-facing virtual machines for Network Security Group traffic hardening recommendations | Azure Security Center analyzes the traffic patterns of Internet-facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. |
| Monitor permissive network access in Azure Security Center | Network Security Groups with overly permissive rules will be monitored by Azure Security Center as recommendations. |
| [Preview]: Monitor IP forwarding on virtual machines | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore this should be reviewed by the network security team. |
| Audit enabling of diagnostic logs in IoT Hubs | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. |
| Monitor possible network Just In Time (JIT) access in Azure Security Center | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. |
| Monitor possible app Whitelisting in Azure Security Center | Possible Application Whitelist configuration will be monitored by Azure Security Center. |
| Monitor permissive network access of VMs running web-apps in Azure Security Center | Azure Security Center has discovered that some of your virtual machines are running web applications, and the NSGs associated with these virtual machines are overly permissive with regard to the web application ports. |
| Monitor unprotected network endpoints in Azure Security Center | Network endpoints without a Next Generation Firewall's protection will be monitored by Azure Security Center as recommendations. |
| [Preview]: Monitor SQL data discovery and classification recommendations in Azure Security Center | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. |
| Audit SQL servers without Vulnerability Assessment | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |
| Audit SQL managed instances without Vulnerability Assessment | Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |
| [Preview]: Monitor permissive network access to app-services | Azure Security Center has discovered that the networking configuration of some of your app services is overly permissive and allows inbound traffic from ranges that are too broad. |
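Both tables above list policies by display name, but whether a given policy is actually enforced in a subscription depends on how the initiative's `effect` parameters resolve under the assignment: the ASC default initiative exposes each member policy's effect as an initiative parameter whose allowed values are typically `AuditIfNotExists`/`Audit` or `Disabled`, and an assignment can override the default. The script below is an added example (not AzSK code, and not part of this page originally): given a policy set definition and a policy assignment in their Azure Policy REST/JSON shape, it resolves the effective effect of every member policy and reports which of a required list (the mandatory and optional tables above) are absent or set to `Disabled`. The reference ids, parameter names and both sample documents are constructed for the example; real built-in initiatives reference members by `policyDefinitionId` GUIDs, so a production version would key the required list by that id instead.

```python
"""Resolve which policies of an Azure Policy initiative assignment are enforced.

Added example, not AzSK or Azure Security Center code. Document shapes follow
the Azure Policy REST representation of a policy set definition (initiative)
and a policy assignment; the sample data below is constructed, and the
reference ids and parameter names are hypothetical.
"""
import re
from typing import Dict, List

# ARM expression an initiative uses to wire a member's 'effect' to a parameter.
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed initiative with four member policies (hypothetical ids).
SAMPLE_SET_DEFINITION = {
    "properties": {
        "displayName": "Constructed ASC-style initiative",
        "parameters": {
            "webAppRemoteDebuggingEffect": {"type": "String", "defaultValue": "AuditIfNotExists", "allowedValues": ["AuditIfNotExists", "Disabled"]},
            "storageSecureTransferEffect": {"type": "String", "defaultValue": "Audit", "allowedValues": ["Audit", "Deny", "Disabled"]},
            "keyVaultDiagnosticLogsEffect": {"type": "String", "defaultValue": "AuditIfNotExists", "allowedValues": ["AuditIfNotExists", "Disabled"]},
        },
        "policyDefinitions": [
            {"policyDefinitionReferenceId": "auditRemoteDebuggingWebApp", "parameters": {"effect": {"value": "[parameters('webAppRemoteDebuggingEffect')]"}}},
            {"policyDefinitionReferenceId": "auditStorageSecureTransfer", "parameters": {"effect": {"value": "[parameters('storageSecureTransferEffect')]"}}},
            {"policyDefinitionReferenceId": "auditKeyVaultDiagnosticLogs", "parameters": {"effect": {"value": "[parameters('keyVaultDiagnosticLogsEffect')]"}}},
            # Member that passes no effect: the effect is hard-coded in the
            # underlying policy rule, which this script never sees.
            {"policyDefinitionReferenceId": "auditClassicStorageAccounts", "parameters": {}},
        ],
    }
}

# Constructed assignment that switches the Key Vault logging policy off.
SAMPLE_ASSIGNMENT = {"properties": {"parameters": {"keyVaultDiagnosticLogsEffect": {"value": "Disabled"}}}}

# Policies expected to be enforced, keyed by hypothetical reference id and
# carrying display names from the tables above. The last one is deliberately
# missing from the sample initiative.
REQUIRED_POLICIES = {
    "auditRemoteDebuggingWebApp": "Audit remote debugging state for a Web Application",
    "auditStorageSecureTransfer": "Audit secure transfer to storage accounts",
    "auditClassicStorageAccounts": "Audit use of classic storage accounts",
    "auditKeyVaultDiagnosticLogs": "Audit enabling of diagnostic logs in Key Vault",
    "auditSqlAdvancedDataSecurity": "Audit SQL servers without Advanced Data Security",
}


def resolve_parameter(name: str, set_def: dict, assignment: dict) -> str:
    """Value of an initiative parameter under a given assignment.

    An assignment override wins over the initiative's defaultValue. A value
    outside allowedValues is rejected instead of being reported as an effect.
    """
    declared = set_def["properties"].get("parameters", {})
    if name not in declared:
        raise KeyError(f"initiative does not declare parameter {name!r}")
    overrides = assignment["properties"].get("parameters", {})
    if name in overrides:
        value = overrides[name]["value"]
    elif "defaultValue" in declared[name]:
        value = declared[name]["defaultValue"]
    else:
        raise ValueError(f"parameter {name!r} has no default and no override")
    allowed = declared[name].get("allowedValues")
    if allowed is not None and value not in allowed:
        raise ValueError(f"{value!r} is not an allowed value for {name!r}")
    return value


def effective_effects(set_def: dict, assignment: dict) -> Dict[str, str]:
    """Map each member's policyDefinitionReferenceId to its effective effect.

    A parameters() expression is resolved through resolve_parameter, a literal
    effect is used as-is, and a member that passes no effect is reported as
    'RuleDefined' because its effect lives inside the policy rule.
    """
    effects: Dict[str, str] = {}
    for member in set_def["properties"]["policyDefinitions"]:
        ref = member["policyDefinitionReferenceId"]
        effect = member.get("parameters", {}).get("effect")
        if effect is None:
            effects[ref] = "RuleDefined"
            continue
        raw = effect["value"]
        match = PARAM_REF.match(raw) if isinstance(raw, str) else None
        effects[ref] = resolve_parameter(match.group(1), set_def, assignment) if match else raw
    return effects


def coverage_gaps(set_def: dict, assignment: dict, required: Dict[str, str]) -> List[str]:
    """Display names of required policies the assignment does not enforce.

    A policy is a gap if it is absent from the initiative or its effective
    effect is 'Disabled'. 'RuleDefined' members are assumed enforced; check
    them against the policy definition itself.
    """
    effects = effective_effects(set_def, assignment)
    return [name for ref, name in required.items() if ref not in effects or effects[ref] == "Disabled"]


if __name__ == "__main__":
    for name in coverage_gaps(SAMPLE_SET_DEFINITION, SAMPLE_ASSIGNMENT, REQUIRED_POLICIES):
        print("NOT ENFORCED:", name)
```

To run this against a real subscription, replace the two sample documents with the JSON returned by `az policy set-definition show --name <initiative-name>` and `az policy assignment show --name <assignment-name>` (placeholders), and rebuild `REQUIRED_POLICIES` from the `policyDefinitionId` values of the members you care about. The `allowedValues` check matters in practice: an override that is not one of the declared values is a misconfigured assignment, and treating it as an effect would hide the gap.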