You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/security-center/recommendations-reference.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -95,9 +95,9 @@ Your Secure Score is based on the number of Security Center recommendations you'
95
95
|**Install endpoint protection solution on virtual machines**|Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.<br>(No related policy)|Medium|N|Machine|
96
96
|**OS version should be updated for your cloud service roles**|Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.<br>(No related policy)|High|N|Machine|
97
97
|**System updates should be installed on your machines**|Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers<br>(Related policy: System updates should be installed on your machines)|High|N|Machine|
98
-
|**Network traffic data collection agent should be installed on Linux virtual machines (Preview)**|Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.<br>(Related policy: [Preview]: Network traffic data collection agent should be installed on Linux virtual machines)|Medium|N|Machine|
99
-
|**Network traffic data collection agent should be installed on Windows virtual machines (Preview)**|Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.<br>(Related policy: [Preview]: Network traffic data collection agent should be installed on Windows virtual machines)|Medium|N|Machine|
100
-
|**Enable the built-in vulnerability assessment solution on virtual machines**|Install the Qualys agent (built-in the Azure Security Center standard tier offering) to enable a best of breed vulnerability assessment solution on your virtual machines.<br>(Related policy: [Preview] Vulnerability Assessment should be enabled on Virtual Machines)|Medium|N|Machine|
98
+
|**Network traffic data collection agent should be installed on Linux virtual machines (Preview)**|Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.<br>(Related policy: [Preview]: Network traffic data collection agent should be installed on Linux virtual machines)|Medium|**Y**|Machine|
99
+
|**Network traffic data collection agent should be installed on Windows virtual machines (Preview)**|Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.<br>(Related policy: [Preview]: Network traffic data collection agent should be installed on Windows virtual machines)|Medium|**Y**|Machine|
100
+
|**Enable the built-in vulnerability assessment solution on virtual machines**|Install the Qualys agent (built-in the Azure Security Center standard tier offering) to enable a best of breed vulnerability assessment solution on your virtual machines.<br>(Related policy: [Preview] Vulnerability Assessment should be enabled on Virtual Machines)|Medium|**Y**|Machine|
101
101
|**Remediate vulnerabilities found on your virtual machines (powered by Qualys)**|Monitors for vulnerability findings on your virtual machines as were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).<br>(Related policy: [Preview] Vulnerability Assessment should be enabled on Virtual Machines)|Low|N|Machine|
102
102
|**Your machines should be restarted to apply system updates**|Restart your machines to apply the system updates and secure the machine from vulnerabilities.<br>(No related policy - dependent upon "System updates should be installed on your machines")|Medium|N|Machine|
103
103
|**Automation account variables should be encrypted**|Enable encryption of Automation account variable assets when storing sensitive data.<br>(Related policy: Encryption should be enabled on Automation account variables)|High|N|Compute resources (automation account)|
@@ -118,7 +118,7 @@ Your Secure Score is based on the number of Security Center recommendations you'
118
118
|**Diagnostic logs in Virtual Machine Scale Sets should be enabled**|Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes. This is useful when a security incident occurs, or your network is compromised.<br>(Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled)|Low|N|Virtual machine scale set|
119
119
|**Endpoint protection health failures should be remediated on virtual machine scale sets**|Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.<br>(No related policy - dependent upon "Endpoint protection solution should be installed on virtual machine scale sets")|Low|N|Virtual machine scale set|
120
120
|**Endpoint protection solution should be installed on virtual machine scale sets**|Install an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities.<br>(Related policy: Endpoint protection solution should be installed on virtual machine scale sets)|High|N|Virtual machine scale set|
121
-
|**Monitoring agent should be installed on virtual machine scale sets**|Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets. You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.|High|N|Virtual machine scale set|
121
+
|**Monitoring agent should be installed on virtual machine scale sets**|Security Center uses the Microsoft Monitoring Agent (MMA) to collect security events from your Azure virtual machine scale sets. You cannot configure auto-provisioning of the MMA for Azure virtual machine scale sets. To deploy the MMA on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), please follow the procedure in the remediation steps.|High|**Y**|Virtual machine scale set|
122
122
|**System updates on virtual machine scale sets should be installed**|Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.<br>(Related policy: System updates on virtual machine scale sets should be installed)|High|N|Virtual machine scale set|
123
123
|**Vulnerabilities in security configuration on your virtual machine scale sets should be remediated**|Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks. <br>(Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated)|High|N|Virtual machine scale set|
124
124
||||||
@@ -129,8 +129,8 @@ Your Secure Score is based on the number of Security Center recommendations you'
129
129
|Recommendation|Description & related policy|Severity|Quick fix enabled?([Learn more](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations#recommendations-with-quick-fix-remediation))|Resource type|
130
130
|----|----|----|----|----|
131
131
|**Access to storage accounts with firewall and virtual network configurations should be restricted**|Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific Internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or to public Internet IP address ranges.<br>(Related policy: Audit unrestricted network access to storage accounts)|Low|N|Storage account|
132
-
|**Advanced data security should be enabled on your managed instances**|Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.<br>(Related policy: Advanced data security should be enabled on your SQL managed instances)|High|N|SQL|
133
-
|**Advanced data security should be enabled on your SQL servers**|Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.<br>(Related policy: Advanced data security should be enabled on your SQL servers)|High|N|SQL|
132
+
|**Advanced data security should be enabled on your managed instances**|Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed SQL server.<br>(Related policy: Advanced data security should be enabled on your SQL managed instances)|High|**Y**|SQL|
133
+
|**Advanced data security should be enabled on your SQL servers**|Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server.<br>(Related policy: Advanced data security should be enabled on your SQL servers)|High|**Y**|SQL|
134
134
|**An Azure Active Directory administrator should be provisioned for SQL servers**|Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.<br>(Related policy: Audit provisioning of an Azure Active Directory administrator for SQL server)|High|N|SQL|
135
135
|**Auditing on SQL server should be enabled**|Enable auditing for Azure SQL servers. (Azure SQL service only. Doesn't include SQL running on your virtual machines.)<br>(Related policy: Auditing should be enabled on advanced data security settings on SQL Server)|Low|**Y**|SQL|
136
136
|**Diagnostic logs in Azure Data Lake Store should be enabled**|Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Azure Data Lake Store should be enabled)|Low|**Y**|Data lake store|
0 commit comments