includes/asc-recs-compute.md: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
2
2
author: memildin
3
3
ms.service: security-center
4
4
ms.topic: include
5
-
ms.date: 03/14/2021
5
+
ms.date: 03/21/2021
6
6
ms.author: memildin
7
7
ms.custom: generated
8
8
---
@@ -54,7 +54,7 @@ There are **54** recommendations in this category.
54
54
|System updates should be installed on your machines |Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers<br />(Related policy: [System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fmicrosoft.authorization%2fpolicyDefinitions%2f86b3d65f-7626-441e-b690-81a8b71cff60)) |High |
55
55
|System updates should be installed on your machines (powered by Update Center) |Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.<br />(No related policy) |High |
56
56
|Virtual machines should be attested for boot integrity health |Security Center cannot attest that your virtual machine is running signed and trusted code. This could indicate a compromise of the boot chain, which might be the result of a persistent bootkit or rootkit infection. To ensure your VM is running in a safe state, we recommend investigating the machine, or redeploying it from a trusted OS image.<br />(No related policy) |Medium |
57
-
|Virtual machines should be migrated to new Azure Resource Manager resources |Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.<br>Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.<br><br>Available resources and information about this tool & migration:<br>1. <a href='https://docs.microsoft.com/azure/virtual-machines/classic-vm-deprecation?toc=/azure/virtual-machines/windows/toc.json&bc=/azure/virtual-machines/windows/breadcrumb/toc.json'>Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.</a><br>2. <a href='https://docs.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-deep-dive?toc=/azure/virtual-machines/windows/toc.json&bc=/azure/virtual-machines/windows/breadcrumb/toc.json'>Details about Migrate to ARM migration tool.</a><br>3. <a href='https://docs.microsoft.com/azure/virtual-machines/windows/migration-classic-resource-manager-ps'>Migrate to Azure Resource Manager migration tool using PowerShell.</a><br />(Related policy: [Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f1d84d5fb-01f6-4d12-ba4f-4a26081d403d)) |High |
57
+
|Virtual machines should be migrated to new Azure Resource Manager resources |Virtual Machines (classic) was deprecated and these VMs should be migrated to Azure Resource Manager.<br>Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.<br><br>Available resources and information about this tool & migration:<br><a href='https://docs.microsoft.com/azure/virtual-machines/classic-vm-deprecation?toc=/azure/virtual-machines/windows/toc.json&bc=/azure/virtual-machines/windows/breadcrumb/toc.json'>Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources.</a><br><a href='https://docs.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-deep-dive?toc=/azure/virtual-machines/windows/toc.json&bc=/azure/virtual-machines/windows/breadcrumb/toc.json'>Details about Migrate to Azure Resource Manager migration tool.</a><br><a href='https://docs.microsoft.com/azure/virtual-machines/windows/migration-classic-resource-manager-ps'>Migrate to Azure Resource Manager migration tool using PowerShell.</a><br />(Related policy: [Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f1d84d5fb-01f6-4d12-ba4f-4a26081d403d)) |High |
58
58
|Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. <ahref='https://aka.ms/gcpol'>Learn more</a><br />(Related policy: [Guest Configuration extension should be deployed to Azure virtual machines with system assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fd26f7642-7545-4e18-9b75-8c9bbdee3a9a)) |Medium |
59
59
|Vulnerabilities in container security configurations should be remediated |Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.<br />(Related policy: [Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fe8cbc669-f12d-49eb-93e7-9273119e9933)) |High |
60
60
|Vulnerabilities in security configuration on your machines should be remediated |Remediate vulnerabilities in security configuration on your machines to protect them from attacks.<br />(Related policy: [Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15)) |Low |
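Review bot: the unchanged context row at line 58 (Guest Configuration extension) contains `<ahref='https://aka.ms/gcpol'>Learn more</a>` with no space between `a` and `href`, so the "Learn more" link will not render as a link; since this hunk already edits the same table, change it to `<a href='https://aka.ms/gcpol'>Learn more</a>` in the same commit. On the migrated-VMs row at line 57, dropping the `1.`/`2.`/`3.` prefixes also drops the reading order the three links implied (overview, deep dive, PowerShell tool); if that order matters, keep the numbering. The front matter says `ms.custom: generated`, so a hand edit to this include will be overwritten by the next generator run unless the source the generator reads from is corrected as well.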
includes/asc/recommendations-with-deny.md: 9 additions & 9 deletions
@@ -2,13 +2,13 @@
2
2
author: memildin
3
3
ms.service: security-center
4
4
ms.topic: include
5
-
ms.date: 03/14/2021
5
+
ms.date: 03/21/2021
6
6
ms.author: memildin
7
7
ms.custom: generated
8
8
---
9
9
10
-
- Access to storage accounts with firewall and virtual network configurations should be restricted Storage accounts should restrict network access
11
-
- Automation account variables should be encrypted Automation account variables should be encrypted
10
+
- Access to storage accounts with firewall and virtual network configurations should be restricted
11
+
- Automation account variables should be encrypted
12
12
- Azure Cache for Redis should reside within a virtual network
13
13
- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
14
14
- Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
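Review bot: the removed lines 10 and 11 each carry a second title appended to the first (line 10 ends in `Storage accounts should restrict network access`, line 11 repeats `Automation account variables should be encrypted`), which looks like the generator concatenating the related policy name onto the recommendation name rather than a typo; with `ms.custom: generated` in the front matter, the generator needs the fix or the next run reintroduces the duplicates. For line 10 the two halves are different strings, so confirm that `Access to storage accounts with firewall and virtual network configurations should be restricted` is the title Security Center shows in the portal before dropping the other half, and that it is not a duplicate of the separate line-39 entry `Storage accounts should restrict network access using virtual network rules`.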
@@ -26,21 +26,21 @@ ms.custom: generated
26
26
- Key vaults should have purge protection enabled
27
27
- Key vaults should have soft delete enabled
28
28
- Least privileged Linux capabilities should be enforced for containers
29
-
- Only secure connections to your Redis Cache should be enabled Only secure connections to your Azure Cache for Redis should be enabled
29
+
- Only secure connections to your Redis Cache should be enabled
30
30
- Overriding or disabling of containers AppArmor profile should be restricted
31
31
- Privileged containers should be avoided
32
32
- Running containers as root user should be avoided
33
-
- Secure transfer to storage accounts should be enabled Secure transfer to storage accounts should be enabled
34
-
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
35
-
- Service Fabric clusters should only use Azure Active Directory for client authentication Service Fabric clusters should only use Azure Active Directory for client authentication
33
+
- Secure transfer to storage accounts should be enabled
34
+
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
35
+
- Service Fabric clusters should only use Azure Active Directory for client authentication
36
36
- Services should listen on allowed ports only
37
37
- Storage account public access should be disallowed
38
-
- Storage accounts should be migrated to new Azure Resource Manager resources Storage accounts should be migrated to new Azure Resource Manager resources
38
+
- Storage accounts should be migrated to new Azure Resource Manager resources
39
39
- Storage accounts should restrict network access using virtual network rules
40
40
- Usage of host networking and ports should be restricted
41
41
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
42
42
- Validity period of certificates stored in Azure Key Vault should not exceed 12 months
43
-
- Virtual machines should be migrated to new Azure Resource Manager resources Virtual machines should be migrated to new Azure Resource Manager resources
43
+
- Virtual machines should be migrated to new Azure Resource Manager resources
44
44
- Web Application Firewall (WAF) should be enabled for Application Gateway
45
45
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service
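Review bot: line 29 keeps `Only secure connections to your Redis Cache should be enabled` and drops the `Azure Cache for Redis` variant, while line 12 of the same file uses the current product name `Azure Cache for Redis`; if the dropped half was the policy name then keeping the recommendation title is right, but confirm which string the portal shows so this deny-list matches what readers search for. The same cleanup leaves unchanged line 45, `Web Application Firewall (WAF) should be enabled for Azure Front Door Service service`, with its doubled `Service service`; if that is the literal policy title it should stay, otherwise fix it in this pass too.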