Commit 818f470

Merge pull request #104986 from memildin/asc-melvyn-secureScoreEnhanced
Cleared up some of the "no related policy" entries
2 parents 07537f9 + 37cba91 commit 818f470

1 file changed

+12
-12
lines changed

articles/security-center/recommendations-reference.md

Lines changed: 12 additions & 12 deletions
@@ -86,23 +86,23 @@ Your secure score is based on how many Security Center recommendations you have
8686
|**Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign**|Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.<br>(Related policy: The ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set)|High|N|Compute resources (service fabric)|
8787
|**All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace**|Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.<br>(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace)|Low|N|Compute resources (service bus)|
8888
|**All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace**|Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.<br>(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace)|Low|N|Compute resources (event hub)|
89-
|**Authorization rules on the Event Hub entity should be defined**|Audit authorization rules on the Event Hub entity to grant least-privileged access.<br>(No related policy)|Low|N|Compute resources (event hub)|
89+
|**Authorization rules on the Event Hub entity should be defined**|Audit authorization rules on the Event Hub entity to grant least-privileged access.<br>(Related policy: Authorization rules on the Event Hub entity should be defined)|Low|N|Compute resources (event hub)|
9090
|**Install monitoring agent on your virtual machines**|Install the Monitoring agent to enable data collection, updates scanning, baseline scanning, and endpoint protection on each machine.<br>(Related policy: Monitoring agent should be enabled on your virtual machines)|High|**Y**|Machine|
91-
|**Monitoring agent health issues should be resolved on your machines**|For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide<br>(No related policy)|Medium|N|Machine|
91+
|**Monitoring agent health issues should be resolved on your machines**|For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide<br>(No related policy - dependent upon "Install monitoring agent on your virtual machines")|Medium|N|Machine|
9292
|**Adaptive Application Controls should be enabled on virtual machines**|Enable application control to control which applications can run on your VMs located in Azure. This will help harden your VMs against malware. Security Center uses machine learning to analyze the applications running on each VM and helps you apply allow rules using this intelligence. This capability simplifies the process of configuring and maintaining application allow rules.<br>(Related policy: Adaptive Application Controls should be enabled on virtual machines)|High|N|Machine|
93-
|**Install endpoint protection solution on your machines**|Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.<br>(No related policy)|Medium|N|Machine|
93+
|**Install endpoint protection solution on your machines**|Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.<br>(Related policy: Monitor missing Endpoint Protection in Azure Security Center)|Medium|N|Machine|
9494
|**Install endpoint protection solution on virtual machines**|Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.<br>(No related policy)|Medium|N|Machine|
9595
|**OS version should be updated for your cloud service roles**|Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.<br>(No related policy)|High|N|Machine|
9696
|**System updates should be installed on your machines**|Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers<br>(Related policy: System updates should be installed on your machines)|High|N|Machine|
97-
|**Your machines should be restarted to apply system updates**|Restart your machines to apply the system updates and secure the machine from vulnerabilities.<br>(No related policy)|Medium|N|Machine|
97+
|**Your machines should be restarted to apply system updates**|Restart your machines to apply the system updates and secure the machine from vulnerabilities.<br>(No related policy - dependent upon "System updates should be installed on your machines")|Medium|N|Machine|
9898
|**Automation account variables should be encrypted**|Enable encryption of Automation account variable assets when storing sensitive data.<br>(Related policy: Encryption should be enabled on Automation account variables)|High|N|Compute resources (automation account)|
9999
|**Disk encryption should be applied on virtual machines**|Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines. Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service Encryption where the encryption keys are Microsoft-managed keys in Azure. If this meets your compliance and security requirements, you can leverage the default Managed disk encryption to meet your requirements.<br>(Related policy: Disk encryption should be applied on virtual machines)|High|N|Machine|
100100
|**Virtual machines should be migrated to new Azure Resource Manager resources**|Use Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.<br>(Related policy: Virtual machines should be migrated to new Azure Resource Manager resources)|Low|N|Machine|
101101
|**Vulnerability assessment solution should be installed on your virtual machines**|Install a vulnerability assessment solution on your virtual machines<br>(Related policy: Vulnerability assessment should be installed on virtual machines)|Medium|N|Machine|
102102
|**Vulnerabilities should be remediated by a Vulnerability Assessment solution**|Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.<br>(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)|High|N|Machine|
103103
|**Vulnerabilities in security configuration on your machines should be remediated**|Remediate vulnerabilities in security configuration on your machines to protect them from attacks.<br>(Related policy: Vulnerabilities in security configuration on your machines should be remediated)|Low|N|Machine|
104104
|**Vulnerabilities in container security configurations should be remediated**|Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.<br>(Related policy: Vulnerabilities in container security configurations should be remediated)|High|N|Machine|
105-
|**Endpoint protection health issues should be resolved on your machines**|For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.<br>(No related policy)|Medium|N|Machine|
105+
|**Endpoint protection health issues should be resolved on your machines**|For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.<br>(No related policy - dependent upon "Install endpoint protection solution on your machines")|Medium|N|Machine|
106106
||||||
107107

108108

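Review bot: the new line 105 row ("Endpoint protection health issues should be resolved on your machines") still tells the reader to "resolve monitoring agent issues on your machines", which reads as copied from the line 91 monitoring-agent row; since the row is now marked as dependent upon "Install endpoint protection solution on your machines", the description should say "resolve endpoint protection issues on your machines" so it matches both the title and the new dependency. Minor: line 93 is now mapped to "Monitor missing Endpoint Protection in Azure Security Center", but the sibling row on line 94 ("Install endpoint protection solution on virtual machines") keeps "(No related policy)"; if both rows are backed by the same policy, update line 94 in the same change, otherwise a short note on why they differ would help the next editor.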
@@ -111,28 +111,28 @@ Your secure score is based on how many Security Center recommendations you have
111111
|Recommendation|Description & related policy|Severity|Quick fix enabled?([Learn more](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations#recommendations-with-quick-fix-remediation))|Resource type|
112112
|----|----|----|----|----|
113113
|**Diagnostic logs in Virtual Machine Scale Sets should be enabled**|Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes. This is useful when a security incident occurs, or your network is compromised.<br>(Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled)|Low|N|Virtual machine scale set|
114+
|**Endpoint protection health failures should be remediated on virtual machine scale sets**|Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.<br>(No related policy - dependent upon "Endpoint protection solution should be installed on virtual machine scale sets")|Low|N|Virtual machine scale set|
115+
|**Endpoint protection solution should be installed on virtual machine scale sets**|Install an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities.<br>(Related policy: Endpoint protection solution should be installed on virtual machine scale sets)|High|N|Virtual machine scale set|
114116
|**System updates on virtual machine scale sets should be installed**|Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.<br>(Related policy: System updates on virtual machine scale sets should be installed)|High|N|Virtual machine scale set|
115117
|**Vulnerabilities in security configuration on your virtual machine scale sets should be remediated**|Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks. <br>(Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated)|High|N|Virtual machine scale set|
116-
|**Endpoint protection health failures should be remediated on virtual machine scale sets**|Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.<br>(No related policy)|Low|N|Virtual machine scale set|
117-
|**Endpoint protection solution should be installed on virtual machine scale sets**|Install an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities.<br>(Related policy: Endpoint protection solution should be installed on virtual machine scale sets)|High|N|Virtual machine scale set|
118118
||||||
119119

120120

121121
## <a name="recs-datastorage"></a>Data and storage recommendations
122122

123123
|Recommendation|Description & related policy|Severity|Quick fix enabled?([Learn more](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations#recommendations-with-quick-fix-remediation))|Resource type|
124124
|----|----|----|----|----|
125+
|**Access to storage accounts with firewall and virtual network configurations should be restricted**|Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific Internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or to public Internet IP address ranges.<br>(Related policy: Audit unrestricted network access to storage accounts)|Low|N|Storage account|
125126
|**An Azure Active Directory administrator should be provisioned for SQL servers**|Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.<br>(Related policy: Audit provisioning of an Azure Active Directory administrator for SQL server)|High|N|SQL|
126127
|**Auditing on SQL server should be enabled**|Enable auditing for Azure SQL servers. (Azure SQL service only. Doesn't include SQL running on your virtual machines.)<br>(Related policy: Auditing should be enabled on advanced data security settings on SQL Server)|Low|**Y**|SQL|
127-
|**Secure transfer to storage accounts should be enabled**|Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.<br>(Related policy: Secure transfer to storage accounts should be enabled)|High|N|Storage account|
128+
|**Diagnostic logs in Azure Data Lake Store should be enabled**|Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Azure Data Lake Store should be enabled)|Low|**Y**|Data lake store|
129+
|**Diagnostic logs in Data Lake Analytics should be enabled**|Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Data Lake Analytics should be enabled)|Low|**Y**|Data lake analytics|
128130
|**Only secure connections to your Redis Cache should be enabled**|Enable only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.<br>(Related policy: Only secure connections to your Redis Cache should be enabled)|High|N|Redis|
131+
|**Secure transfer to storage accounts should be enabled**|Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.<br>(Related policy: Secure transfer to storage accounts should be enabled)|High|N|Storage account|
132+
|**Storage accounts should be migrated to new Azure Resource Manager resources**|Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, and Azure AD-based authentication and support for tags and resource groups for easier security management.<br>(Related policy: Storage accounts should be migrated to new Azure Resource Manager resources)|Low|N|Storage account|
129133
|**Transparent Data Encryption on SQL databases should be enabled**|Enable transparent data encryption to protect data-at-rest and meet compliance requirements.<br>(Related policy: Transparent Data Encryption on SQL databases should be enabled)|Low|**Y**|SQL|
130-
|**Diagnostic logs in Data Lake Analytics should be enabled**|Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Data Lake Analytics should be enabled)|Low|**Y**|Data lake analytics|
131-
|**Diagnostic logs in Azure Data Lake Store should be enabled**|Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Azure Data Lake Store should be enabled)|Low|**Y**|Data lake store|
132134
|**Vulnerability assessment should be enabled on your SQL servers**|Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.<br>(Related policy: Vulnerability assessment should be enabled on your SQL servers)|High|**Y**|SQL|
133135
|**Vulnerabilities on your SQL databases should be remediated**|SQL Vulnerability Assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.<br>(Related policy: Vulnerabilities on your SQL databases should be remediated)|High|N|SQL|
134-
|**Access to storage accounts with firewall and virtual network configurations should be restricted**|Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific Internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or to public Internet IP address ranges.<br>(Related policy: Audit unrestricted network access to storage accounts)|Low|N|Storage account|
135-
|**Storage accounts should be migrated to new Azure Resource Manager resources**|Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, and Azure AD-based authentication and support for tags and resource groups for easier security management.<br>(Related policy: Storage accounts should be migrated to new Azure Resource Manager resources)|Low|N|Storage account|
136136
||||||
137137

138138

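Review bot: besides the dependency note added to line 114, this hunk re-sorts the rows of the virtual machine scale set table and the data and storage table into alphabetical order (the "Endpoint protection" pair, "Access to storage accounts", "Secure transfer", "Storage accounts should be migrated" and the two "Diagnostic logs" rows all appear as delete/add pairs with unchanged text), but the commit message only mentions clearing up "no related policy" entries; please say in the commit or PR description that rows were reordered, so reviewers can tell the pure moves from the real edit on line 114. Also, line 114 rates "Endpoint protection health failures should be remediated on virtual machine scale sets" as Low while the equivalent machine row on line 105 in the first hunk is Medium; if that difference is intentional it is worth a word, since the two rows now carry the same kind of dependency note.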