Commit 06e706e

committed
Reconfigured articles and TOC
1 parent 91c065d commit 06e706e

5 files changed

+150
-10
lines changed

articles/azure-arc/servers/security-data-privacy.md

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,3 +31,52 @@ Azure Arc is regularly audited for compliance with many global, regional, and in
3131

3232
For more information on a particular standard and to download audit documents, see [Azure and other Microsoft cloud services compliance offerings](/azure/compliance/offerings/).
3333

34+
## Azure Activity log
35+
36+
You can use the Azure Activity log to track actions taken on an Azure Arc-enabled server. Actions like installing extensions on an Arc server have unique operation identifiers (all starting with “Microsoft.HybridCompute”) that you can use to filter the log. Learn more about the [Azure Activity Log](/azure/azure-monitor/essentials/activity-log-insights) and how to retain activity logs for more than 30 days by [sending activity log data](/azure/azure-monitor/essentials/activity-log?tabs=powershell) to Log Analytics.
37+
38+
## Local logs
39+
40+
The Azure Connected Machine agent keeps a set of local logs on each server that may be useful for troubleshooting or auditing when the Arc agent made a change to the system. The fastest way to get a copy of all logs from a server is to run [azcmagent logs](/azure/azure-arc/servers/azcmagent-logs), which generates a compressed folder of all the latest logs for you.
41+
42+
## HIMDS log
43+
44+
The HIMDS log file contains all log data from the HIMDS service. This data includes heartbeat information, connection and disconnection attempts, and a history of REST API requests for IMDS metadata and managed identity tokens from other apps on the system.
45+
OS Log location
46+
Windows %PROGRAMDATA%\AzureConnectedMachineAgent\Log\himds.log
47+
Linux /var/opt/azcmagent/log/himds.log
48+
49+
## azcmagent CLI log
50+
51+
The azcmagent log file contains a history of commands run using the local “azcmagent” command line interface. This log provides the parameters used when connecting, disconnecting, or modifying the configuration of the agent.
52+
53+
|OS |Log location |
54+
|---------|---------|
55+
|Windows |%PROGRAMDATA%\AzureConnectedMachineAgent\Log\azcmagent.log |
56+
|Linux |/var/opt/azcmagent/log/azcmagent.log |
57+
58+
## Extension Manager log
59+
60+
The extension manager log contains information about attempts to install, upgrade, reconfigure, and uninstall extensions on the machine.
61+
62+
|OS |Log location |
63+
|---------|---------|
64+
|Windows |%PROGRAMDATA%\GuestConfig\ext_mgr_logs\gc_ext.log |
65+
|Linux |/var/lib/GuestConfig/ext_mgr_logs/gc_ext.log |
66+
67+
Other logs may be generated by individual extensions. Logs for individual extensions aren't guaranteed to follow any standard log format.
68+
69+
|OS |Log location |
70+
|---------|---------|
71+
|Windows |%PROGRAMDATA%\GuestConfig\extension_logs\* |
72+
|Linux |/var/lib/GuestConfig/extension_logs/* |
73+
74+
## Machine Configuration log
75+
76+
The machine configuration policy engine generates logs for the audit and enforcement of settings on the system.
77+
78+
|OS |Log location |
79+
|---------|---------|
80+
|Windows |%PROGRAMDATA%\GuestConfig\arc_policy_logs\gc_agent.log |
81+
|Linux |/var/lib/GuestConfig/arc_policy_logs/gc_agent.log |
82+

articles/azure-arc/servers/security-machine-configuration.md

Lines changed: 50 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ ms.date: 06/06/2024
77

88
# Machine configuration
99

10-
This article describes the basics of Azure Machine Configuration, a compliance reporting and configuration tool that can check and optionally remediate security and other settings on machines at scale.
10+
This article describes the basics of Azure Machine Configuration, a compliance reporting and configuration tool that can check and optionally remediate security and other settings on machines at scale. This article also describes the Azure Arc connectivity platform, used for communication between the Azure Connected Machine agent and Azure.
1111

1212
## Machine configuration basics
1313
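Review bot: the new second sentence of the intro brings the Azure Arc connectivity platform into an article whose H1 and front matter still say "Machine configuration", so a reader arriving from the TOC will not expect the remote access, SSH and Windows Admin Center material that the later hunk adds here. Either rename the article to cover both topics (for example "Machine configuration and remote access") and update the title and description front matter to match, or keep the connectivity platform content in its own article.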

@@ -33,3 +33,52 @@ If you’re using Arc solely for monitoring purposes, setting the agent to Monit
3333

3434
`azcmagent config set config.mode monitor`
3535

36+
## Azure Arc connectivity platform
37+
38+
The Azure Arc connectivity platform is a web sockets-based experience to allow real-time communication between the Azure Connected Machine agent and Azure. This enables interactive remote access scenarios to your server without requiring direct line of sight from the management client to the server.
39+
40+
The connectivity platform supports two scenarios:
41+
42+
- SSH access to Azure Arc-enabled servers
43+
- Windows Admin Center for Azure Arc-enabled servers
44+
45+
For both scenarios, the management client (SSH client or web browser) talks to the Azure Arc connectivity service that then relays the information to and from the Azure Connected Machine agent.
46+
47+
Connectivity access is disabled by default and is enabled using a three step process:
48+
49+
1. Create a connectivity endpoint in Azure for the Azure Arc-enabled server. The connectivity endpoint isn’t a real endpoint with an IP address. It’s just a way of saying that access to this server via Azure is allowed and provides an API to retrieve the connection details for management clients.
50+
51+
1. Configure the connectivity endpoint to allow your specific intended scenarios. Having an endpoint created doesn’t allow any traffic through. Instead, you need to configure it to say, “we allow traffic to this local port on the target server.” For SSH, that’s commonly TCP port 22. For WAC, TCP port 6516.
52+
53+
1. Assign the appropriate RBAC roles to the accounts that will use this feature. Remote access to servers requires other role assignments. Common roles like Azure Connected Machine Resource Administrator, Contributor, and Owner don't grant access to use SSH or WAC via the Azure Arc Connectivity Platform. Roles that allow remote access include:
54+
55+
- Virtual Machine Local User Login (SSH with local credentials)
56+
- Virtual Machine User Login (SSH with Microsoft Entra ID, standard user access)
57+
- Virtual Machine Administrator Login (SSH with Microsoft Entra ID, full admin access)
58+
- Windows Admin Center Administrator Login (WAC with Microsoft Entra ID authentication)
59+
60+
> [!TIP]
61+
> Consider using Microsoft Entra Privileged Identity Management to provide your IT operators with just-in-time access to these roles. This enables a least privilege approach to remote access.
62+
>
63+
64+
There's a local agent configuration control as well to block remote access, regardless of the configuration in Azure.
65+
66+
## Disabling remote access
67+
68+
To disable all remote access to your machine, run the following command on each machine:
69+
70+
`azcmagent config set incomingconnections.enabled false`
71+
72+
## SSH access to Azure Arc-enabled servers
73+
74+
SSH access via the Azure Arc connectivity platform can help you avoid opening SSH ports directly through a firewall or requiring your IT operators to use a VPN. It also allows you to grant access to Linux servers using Entra IDs and Azure RBAC, reducing the management overhead of distributing and protecting SSH keys.
75+
76+
When a user connects using SSH and Microsoft Entra ID authentication, a temporary account is created on the server to manage it on their behalf. The account is named after the user’s UPN in Azure to help you audit actions taken on the machine. If the user has the "Virtual Machine Administrator Login" role, the temporary account is created as a member of the sudoers group so that it can elevate to perform administrative tasks on the server. Otherwise, the account is just a standard user on the machine. If you change the role assignment from user to administrator or vice versa, it can take up to 10 minutes for the change to take effect. Users must disconnect any active SSH sessions and reconnect to see the changes reflected on the local user account.
77+
78+
When a user connects using local credentials (SSH key or password), they get the permissions and group memberships of the account information they provided.
79+
80+
## Windows Admin Center
81+
82+
WAC in the Azure portal allows Windows users to see and manage their Windows Server without connecting over Remote Desktop Connection. The “Windows Admin Center Administrator Login” role is required to use the WAC experience in the Azure portal. When the user opens the WAC experience, a virtual account is created on the Windows Server using the UPN of the Azure user to identify them. This virtual account is a member of the administrators group and can make changes to the system. Actions the user takes in WAC are then executed locally on the server using this virtual account.
83+
84+
Interactive access to the machine with the PowerShell or Remote Desktop experiences in WAC don't currently support Microsoft Entra ID authentication and will prompt the user to provide local user credentials. These credentials aren't stored in Azure and are only used to establish the PowerShell or Remote Desktop session.
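Review bot: the SSH paragraph says a role change between user and administrator can take up to 10 minutes to apply and that the user must disconnect and reconnect before the local account reflects it; it should state just as plainly whether removing the role entirely is subject to the same delay and that an already-established session keeps whatever privileges it had until it is closed, because that is what an operator revoking access needs to know. Smaller items in this hunk: "a member of the sudoers group" should be "granted sudo rights" (sudoers is the configuration file, the group name varies by distribution); "using Entra IDs and Azure RBAC" should be "using Microsoft Entra ID and Azure RBAC"; "Interactive access ... don't currently support" should read "doesn't currently support"; and the tip block ends with a stray ">" line after the tip text.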

articles/azure-arc/servers/security-onboarding.md

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
title: Security onboarding
2+
title: Security onboarding and updates
33
description: Azure Arc-enabled servers planning and deployment guidance.
44
ms.topic: conceptual
55
ms.date: 06/06/2024
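Review bot: the title in the front matter now says "Security onboarding and updates", but the unchanged description line below it ("Azure Arc-enabled servers planning and deployment guidance.") does not mention updates; revise it so search results and TOC hover text reflect the merged scope, for example "Azure Arc-enabled servers onboarding, agent update, and extension update guidance."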
@@ -39,6 +39,33 @@ If your automation tool copies the configuration file to the server, make sure i
3939

4040
Additionally, as with all Azure resources, tags for Azure Arc-enabled servers are stored as plain text. Don't put sensitive information in tags.
4141

42+
## Agent updates
43+
44+
A new version of the Azure Connected Machine agent is typically released every month. There isn’t an exact schedule of when the updates are available, but you should check for and apply updates on a monthly basis. Refer to the [list of all the new releases](/azure/azure-arc/servers/agent-release-notes), including what specific changes are included in them. Most updates include security, performance. and quality fixes. Some also include new features and functionality. When a hotfix is required to address an issue with a release, it's released as a new agent version and available via the same means as a regular agent release.
45+
46+
The Azure Connected Machine agent doesn't update itself. You must update it using your preferred update management tool. For Windows machines, updates are delivered through Microsoft Update. Standalone servers should opt-in to Microsoft Updates (using the *receive updates for other Microsoft products* option). If your organization uses Windows Server Update Services to cache and approve updates locally, your WSUS admin must synchronize and approve updates for the Azure Connected Machine agent product.
47+
48+
Linux updates are published to `packages.microsoft.com`. Your package management software (apt, yum, dnf, zypper, etc.) should show “azcmagent” updates alongside your other system packages. Learn more about [upgrading Linux agents](/azure/azure-arc/servers/manage-agent?tabs=linux-apt).
49+
50+
Microsoft recommends staying up to date with the latest agent version whenever possible. If your maintenance windows are less frequent, Microsoft supports all agent versions released within the last 12 months. However, since the agent updates include security fixes, you should update as frequently as possible.
51+
52+
If you're looking for a patch management tool to orchestrate updates of the Azure Connected Machine agent on both Windows and Linux, consider Azure Update Manager.
53+
54+
## Extension updates
55+
56+
### Automatic extension updates
57+
58+
By default, every extension you deploy to an Azure Arc-enabled server has automatic extension upgrades enabled. If the extension publisher supports this feature, new versions of the extension are automatically installed within 60 days of the new version becoming available. Automatic extension upgrades follow a safe deployment practice, meaning that only a small number of extensions are updated at a time. Rollouts continue slowly across regions and subscriptions until every extension is updated.
59+
60+
There are no granular controls over automatic extension upgrades. You'll always be upgraded to the most recent version of the extension and can’t choose when the upgrade happens. The extension manager has [built-in resource governance](/azure/azure-arc/servers/agent-overview) to ensure an extension upgrade doesn't consume too much of the system’s CPU and interfere with your workloads during the upgrade.
61+
62+
If you don't want to use automatic upgrades for extensions, you can disable them on a per-extension, per-server basis using the [Azure portal, CLI, or PowerShell](/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal).
63+
64+
### Manual extension updates
65+
66+
For extensions that don’t support automatic upgrades or have automatic upgrades disabled, you can use the Azure portal, CLI, or PowerShell to upgrade extensions to the newest version. The CLI and PowerShell commands also support downgrading an extension, in case you need to revert to an earlier version.
67+
4268
## Using disk encryption
4369

4470
The Azure Connected Machine agent uses public key authentication to communicate with the Azure service. After you onboard a server to Azure Arc, a private key is saved to the disk and used whenever the agent communicates with Azure. If stolen, the private key can be used on another server to communicate with the service and act as if it were the original server. This includes getting access to the system assigned identity and any resources that identity has access to. The private key file is protected to only allow the **himds** account access to read it. To prevent offline attacks, we strongly recommend the use of full disk encryption (for example, BitLocker, dm-crypt, etc.) on the operating system volume of your server.
71+
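Review bot: "Most updates include security, performance. and quality fixes." has a period where a comma belongs. In the next paragraph, "Standalone servers should opt-in to Microsoft Updates" should be "opt in to Microsoft Update" (verb form, singular product name). The hunk also adds a trailing blank line (the final "+" line after the disk encryption paragraph), which leaves two consecutive blank lines at that point in the file. On substance, the agent update paragraph first says versions from the last 12 months are supported and only then says to update as often as possible because updates carry security fixes; leading with the recommendation and treating the 12-month window as the support floor would make the guidance harder to misread.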

articles/azure-arc/servers/security-overview.md

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,30 @@ The guest configuration service evaluates and enforces Azure machine (guest) con
6464

6565
The Azure Arc proxy service is responsible for aggregating network traffic from the Azure Connected Machine agent services and any extensions you’ve installed and deciding where to route that data. If you’re using the Azure Arc Gateway to simplify your network endpoints, the Azure Arc Proxy service is the local component that forwards network requests via the Azure Arc Gateway instead of the default route. The Azure Arc proxy runs as Network Service on Windows and a standard user account (arcproxy) on Linux. It's disabled by default until you configure the agent to use the Azure Arc Gateway.
6666

67+
## Security considerations for Tier 0 assets
6768

69+
Tier 0 assets such as an Active Directory Domain Controller, Certificate Authority server, or highly sensitive business application server can be connected to Azure Arc with extra care to ensure only the desired management functions and authorized users can manage the servers. These recommendations are not required but are strongly recommended to maintain the security posture of your Tier 0 assets.
6870

71+
### Dedicated Azure subscription
6972

73+
Access to Azure Arc-enabled servers is often determined by the organizational hierarchy to which it belongs in Azure. You should treat any subscription or management group admin as equivalent to a local administrator on Tier 0 assets because they could use their permissions to add new role assignments to the Azure Arc resource. Additionally, policies applied at the subscription or management group level may also have permission to make changes to the server.
7074

75+
To minimize the number of accounts and policies with access to your Tier 0 assets, consider using a dedicated Azure subscription that can be closely monitored and configured with as few persistent administrators as possible. Review Azure policies in any parent management groups to ensure they are aligned with your intent for these servers.
76+
77+
### Disable unnecessary management features
78+
79+
For a Tier 0 asset, you should use the local agent security controls to disable any unused functionality in the agent to prevent any intentional—or accidental—use of those features to make changes to the server. This includes:
80+
81+
- Disabling remote access capabilities
82+
- Setting an extension allowlist for the extensions you intend to use, or disabling the extension manager if you are not using extensions
83+
- Disabling the machine configuration agent if you don’t intend to use machine configuration policies
84+
85+
The following example shows how to lock down the Azure Connected Machine agent for a domain controller that needs to use the Azure Monitor Agent to collect security logs for Microsoft Sentinel and Microsoft Defender for Servers to protect against malware threats:
86+
87+
```
88+
azcmagent config set incomingconnections.enabled false
89+
90+
azcmagent config set guestconfiguration.enabled false
91+
92+
azcmagent config set extensions.allowlist “Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows”
93+
```
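Review bot: the allowlist value in the last command of the lock-down example uses curly quotes (“ ”) rather than straight ASCII quotes, so the line fails or sets the wrong string if copied into a shell or PowerShell session; change it to "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows" with straight quotes. The fenced block also has no language hint on its opening fence; add one (for example bash) so the commands get highlighting and a copy button consistent with the other articles. Minor wording: "These recommendations are not required but are strongly recommended" is circular; "These steps are optional but strongly recommended" says the same thing.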

articles/azure-arc/servers/toc.yml

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -152,8 +152,6 @@
152152
href: security-overview.md
153153
- name: Onboarding
154154
href: security-onboarding.md
155-
- name: Updates
156-
href: security-updates.md
157155
- name: Networking security
158156
href: security-networking.md
159157
- name: Extensions security
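Review bot: this hunk removes the "Updates" entry (security-updates.md) from the TOC, but the commit does not delete or redirect that file (the five files touched are the four articles above and this toc.yml), so the page stays published but unreachable from the TOC. Add a redirect from security-updates.md to security-onboarding.md, where the agent and extension update content now lives, in the same change.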
@@ -162,14 +160,8 @@
162160
href: security-machine-configuration.md
163161
- name: Identify and authorization
164162
href: security-identity-authorization.md
165-
- name: Remote access
166-
href: security-remote-access.md
167-
- name: Tier 0 security considerations
168-
href: security-tier-zero.md
169163
- name: Data and privacy
170164
href: security-data-privacy.md
171-
- name: Logging and auditing
172-
href: security-logging-auditing.md
173165
- name: Security baseline
174166
href: /security/benchmark/azure/baselines/azure-arc-enabled-servers-security-baseline?toc=/azure/azure-arc/servers/toc.json
175167
- name: Security controls by Azure Policy
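Review bot: same concern as the first TOC hunk for the three further entries removed here: security-remote-access.md, security-tier-zero.md and security-logging-auditing.md are dropped from the TOC but not deleted or redirected in this commit; add redirects to security-machine-configuration.md, security-overview.md and security-data-privacy.md respectively, where this commit moves their content, so existing links don't break. Separately, the unchanged context line "- name: Identify and authorization" is a typo for "Identity and authorization" and is worth fixing while the TOC is being edited.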
