Merge pull request #104691 from memildin/asc-melvyn-vmva

Deprecated two recommendations

Author: PRMerger10

articles/security-center/recommendations-reference.md

@@ -32,8 +32,8 @@ Your secure score is based on how many Security Center recommendations you have
 |**Internet-facing virtual machines should be protected with Network Security Groups**|Enable Network Security Groups to control network access of your virtual machines.<br>(Related policy: Internet-facing virtual machines should be protected with Network Security Groups)|High/ Medium|N|Virtual machine|
 |**All network ports should be restricted on NSG associated to your VM**|Harden the network security groups of your Internet-facing VMs by restricting the access of your existing allow rules.<br>This recommendation is triggered when any port is opened to *all* sources (except for ports 22, 3389, 5985, 5986, 80, and 1443).<br>(Related policy: Access through internet facing endpoint should be restricted)|High|N|Virtual machine|
 |**Adaptive Network Hardening recommendations should be applied on internet facing virtual machines**|Customers on the standard pricing tier will see this recommendation when the Adaptive Network Hardening feature finds an overly-permissive NSG rule.<br>(Related policy: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines)|High|N|Virtual machine|
-|**The rules for web applications on IaaS NSGs should be hardened**|Harden the network security group (NSG) of your virtual machines that are running web applications, with NSG rules that are overly permissive with regards to web application ports.<br>(Related policy: The NSGs rules for web applications on IaaS should be hardened)|High|N|Virtual machine|
-|**Access to App Services should be restricted**|Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.<br>(Related policy: [Preview]: Access to App Services should be restricted)|High|N|App service|
+|**The rules for web applications on IaaS NSGs should be hardened<br/>(DEPRECATED)**|Harden the network security group (NSG) of your virtual machines that are running web applications, with NSG rules that are overly permissive with regards to web application ports.<br>(Related policy: The NSGs rules for web applications on IaaS should be hardened)|High|N|Virtual machine|
+|**Access to App Services should be restricted<br/>(DEPRECATED)**|Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.<br>(Related policy: [Preview]: Access to App Services should be restricted)|High|N|App service|
 |**Management ports should be closed on your virtual machines**|Harden the network security group of your virtual machines to restrict access to management ports.<br>(Related policy: Management ports should be closed on your virtual machines)|High|N|Virtual machine|
 |**DDoS Protection Standard should be enabled**|Protect virtual networks containing applications with public IPs by enabling DDoS protection service standard. DDoS protection enables mitigation of network volumetric and protocol attacks.<br>(Related policy: DDoS Protection Standard should be enabled)|High|N|Virtual network|
 |**IP forwarding on your virtual machine should be disabled**|Disable IP forwarding. When IP forwarding is enabled on a virtual machine's NIC, the machine can receive traffic addressed to other destinations. IP forwarding is rarely required (for example, when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.<br>(Related policy: [Preview]: IP Forwarding on your virtual machine should be disabled)|Medium|N|Virtual machine|

articles/security-center/secure-score-security-controls.md

@@ -97,7 +97,7 @@ The table below lists the Security Controls in Azure Security Center. For each c
 |**Encrypt data in transit**|4|- API App should only be accessible over HTTPS<br>- Function App should only be accessible over HTTPS<br>- Only secure connections to your Redis Cache should be enabled<br>- Secure transfer to storage accounts should be enabled<br>- Web Application should only be accessible over HTTPS|
 |**Manage access and permissions**|4|- A maximum of 3 owners should be designated for your subscription<br>- Deprecated accounts should be removed from your subscription (Preview)<br>- Deprecated accounts with owner permissions should be removed from your subscription (Preview)<br>- External accounts with owner permissions should be removed from your subscription (Preview)<br>- External accounts with read permissions should be removed from your subscription<br>- External accounts with write permissions should be removed from your subscription (Preview)<br>- There should be more than one owner assigned to your subscription<br>- Role-Based Access Control (RBAC) should be used on Kubernetes Services (Preview)<br>- Service Fabric clusters should only use Azure Active Directory for client authentication|
 |**Remediate security configurations**|4|- Pod Security Policies should be defined on Kubernetes Services (Preview)<br>- Vulnerabilities in container security configurations should be remediated<br>- Vulnerabilities in security configuration on your machines should be remediated<br>- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated<br>- Monitoring agent should be installed on your virtual machines<br>- Monitoring agent should be installed on your machines<br>- Monitoring agent should be installed on virtual machine scale sets<br>- Monitoring agent health issues should be resolved on your machines|
-|**Restrict unauthorized network access**|4|- IP forwarding on your virtual machine should be disabled<br>- Authorized IP ranges should be defined on Kubernetes Services (Preview)<br>- Access to App Services should be restricted (Preview)<br>- The rules for web applications on IaaS NSGs should be hardened<br>- Virtual machines should be associated with a Network Security Group<br>- CORS should not allow every resource to access your API App<br>- CORS should not allow every resource to access your Function App<br>- CORS should not allow every resource to access your Web Application<br>- Remote debugging should be turned off for API App<br>- Remote debugging should be turned off for Function App<br>- Remote debugging should be turned off for Web Application<br>- Access should be restricted for permissive Network Security Groups with Internet-facing VMs<br>- Network Security Group Rules for Internet facing virtual machines should be hardened|
+|**Restrict unauthorized network access**|4|- IP forwarding on your virtual machine should be disabled<br>- Authorized IP ranges should be defined on Kubernetes Services (Preview)<br>- (DEPRECATED) Access to App Services should be restricted (Preview)<br>- (DEPRECATED) The rules for web applications on IaaS NSGs should be hardened<br>- Virtual machines should be associated with a Network Security Group<br>- CORS should not allow every resource to access your API App<br>- CORS should not allow every resource to access your Function App<br>- CORS should not allow every resource to access your Web Application<br>- Remote debugging should be turned off for API App<br>- Remote debugging should be turned off for Function App<br>- Remote debugging should be turned off for Web Application<br>- Access should be restricted for permissive Network Security Groups with Internet-facing VMs<br>- Network Security Group Rules for Internet facing virtual machines should be hardened|
 |**Apply adaptive application control**|3|- Adaptive Application Controls should be enabled on virtual machines<br>- Monitoring agent should be installed on your virtual machines<br>- Monitoring agent should be installed on your machines<br>- Monitoring agent health issues should be resolved on your machines|
 |**Apply data classification**|2|- Sensitive data in your SQL databases should be classified (Preview)|
 |**Protect applications against DDoS attacks**|2|- DDoS Protection Standard should be enabled|