
Commit b07cf02

1 parent 3a70b5d commit b07cf02

31 files changed: +49 −50 lines changed

articles/security/fundamentals/event-support-ticket.md

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ ms.author: terrylan
1414
---
1515
# Log a security issue
1616

17-
Visit the [Microsoft Security Response Center](https://msrc.microsoft.com/create-report) (MSRC) to report a security specific issue.
17+
Visit the [Microsoft Security Response Center (MSRC)](https://msrc.microsoft.com/create-report) to report a security specific issue.
1818

1919
You can also create a tailored, Azure support request in the Azure portal. Visit the Azure portal [here](https://ms.portal.azure.com/#create/Microsoft.Support). Follow the prompts to receive recommended solutions or to log a support request.
2020
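Review bot: On the changed line 17, "security specific issue" should be hyphenated as "security-specific issue", since the compound modifier precedes the noun. In the trailing context line 19, the link label "here" in "Visit the Azure portal [here](...)" is non-descriptive; consider "Visit the [Azure portal](https://ms.portal.azure.com/#create/Microsoft.Support)" so the link text names its target, matching the MSRC link style adopted on line 17.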

articles/security/fundamentals/firmware.md

Lines changed: 2 additions & 2 deletions
@@ -34,7 +34,7 @@ Microsoft actively partners within the cloud hardware ecosystem to drive continu
3434
> An example of our contribution to the OCP Security Project is the [Hardware Secure Boot](https://docs.google.com/document/d/1Se1Dd-raIZhl_xV3MnECeuu_I0nF-keg4kqXyK4k4Wc/edit#heading=h.5z2d7x9gbhk0) specification.
3535
3636
## Securing hardware and firmware supply chains
37-
Cloud hardware suppliers and vendors for Azure are also required to adhere to supply chain security processes and requirements developed by Microsoft. Hardware and firmware development and deployment processes are required to follow the Microsoft [Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl) (SDL) processes such as:
37+
Cloud hardware suppliers and vendors for Azure are also required to adhere to supply chain security processes and requirements developed by Microsoft. Hardware and firmware development and deployment processes are required to follow the Microsoft [Security Development Lifecycle (SDL)](https://www.microsoft.com/securityengineering/sdl) processes such as:
3838

3939
- Threat modeling
4040
- Secure design reviews
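Review bot: Context line 34 in this hunk links the "Hardware Secure Boot" specification to a docs.google.com edit URL with a heading fragment (`.../edit#heading=h.5z2d7x9gbhk0`); an edit link to a working document is fragile and may require sign-in, so a published or archived URL for the OCP specification would be a more durable reference. The SDL change on line 37 is consistent with the acronym-inside-link pattern used in the rest of this commit.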
@@ -50,4 +50,4 @@ To learn more about what we do to drive platform integrity and security, see:
5050
- [Measured boot and host attestation](measured-boot-host-attestation.md)
5151
- [Project Cerberus](project-cerberus.md)
5252
- [Encryption at rest](encryption-atrest.md)
53-
- [Hypervisor security](hypervisor.md)
53+
- [Hypervisor security](hypervisor.md)
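Review bot: The removed and added versions of line 53 are textually identical, so this hunk is a whitespace-only change, most likely adding or removing the trailing newline at end of file. If that is intentional it is harmless, but it is unrelated to the acronym-link cleanup elsewhere in this commit and would be clearer as a separately described change.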

articles/security/fundamentals/management.md

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ On a hardened workstation, the administrator runs a standard user account (which
8585
* Execution restriction. Allow only a set of predefined executable files that are needed for management to run (referred to as "default-deny"). By default, users should be denied permission to run any program unless it's explicitly defined in the allowlist.
8686
* Least privilege. Management workstation users shouldn't have any administrative privileges on the local machine itself. This way, they can't change the system configuration or the system files, either intentionally or unintentionally.
8787

88-
You can enforce all this by using [Group Policy Objects](../../active-directory-domain-services/manage-group-policy.md) (GPOs) in Active Directory Domain Services (AD DS) and applying them through your (local) management domain to all management accounts.
88+
You can enforce all this by using [Group Policy Objects (GPOs)](../../active-directory-domain-services/manage-group-policy.md) in Active Directory Domain Services (AD DS) and applying them through your (local) management domain to all management accounts.
8989

9090
### Managing services, applications, and data
9191
Azure cloud services configuration is performed through either the Azure portal or SMAPI, via the Windows PowerShell command-line interface or a custom-built application that takes advantage of these RESTful interfaces. Services using these mechanisms include Microsoft Entra ID, Azure Storage, Azure Websites, and Azure Virtual Network, and others.
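Review bot: Trailing context line 91 has two wording problems worth fixing while this file is open: "through either the Azure portal or SMAPI, via the Windows PowerShell command-line interface or a custom-built application" reads as if PowerShell is an alternative to the portal rather than a client of SMAPI, and the list ends with "and Azure Virtual Network, and others", a doubled "and". Suggest "through the Azure portal or through SMAPI (via the Windows PowerShell command-line interface or a custom-built application that uses these RESTful interfaces)" and "Azure Virtual Network, and others". The GPO change on line 88 itself is consistent with the rest of the commit.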

articles/security/fundamentals/measured-boot-host-attestation.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ This article describes how Microsoft ensures integrity and security of hosts thr
1515

1616
## Measured boot
1717

18-
The [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-top-node) (TPM) is a tamper-proof, cryptographically secure auditing component with firmware supplied by a trusted third party. The boot configuration log contains hash-chained measurements recorded in its Platform Configuration Registers (PCR) when the host last underwent the bootstrapping sequence. The following figure shows this recording process. Incrementally adding a previously hashed measurement to the next measurement’s hash and running the hashing algorithm on the union accomplishes hash-chaining.
18+
The [Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) is a tamper-proof, cryptographically secure auditing component with firmware supplied by a trusted third party. The boot configuration log contains hash-chained measurements recorded in its Platform Configuration Registers (PCR) when the host last underwent the bootstrapping sequence. The following figure shows this recording process. Incrementally adding a previously hashed measurement to the next measurement’s hash and running the hashing algorithm on the union accomplishes hash-chaining.
1919

2020
![Diagram that shows Host Attestation Service hash-chaining.](./media/measured-boot-host-attestation/hash-chaining.png)
2121
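Review bot: The last sentence of the changed line 18, "Incrementally adding a previously hashed measurement to the next measurement's hash and running the hashing algorithm on the union accomplishes hash-chaining", is hard to parse; suggest stating the operation directly, e.g. "Each new measurement is hash-chained by concatenating the current PCR value with the hash of the next measurement and hashing the result back into the PCR." Two smaller points on the same line: "Platform Configuration Registers (PCR)" should use the plural "(PCRs)" to match the noun, and "tamper-proof" overstates the guarantee; "tamper-resistant" is the usual description for a TPM.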

articles/security/fundamentals/network-best-practices.md

Lines changed: 1 addition & 1 deletion
@@ -166,7 +166,7 @@ We recommend that you employ load balancing whenever you can, and as appropriate
166166
For example, if the user makes a request to your service from the EU, the connection is directed to your services located in an EU datacenter. This part of Traffic Manager global load balancing helps to improve performance because connecting to the nearest datacenter is faster than connecting to datacenters that are far away.
167167

168168
## Disable RDP/SSH Access to virtual machines
169-
It's possible to reach Azure virtual machines by using [Remote Desktop Protocol](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol) (RDP) and the [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell) (SSH) protocol. These protocols enable the management VMs from remote locations and are standard in datacenter computing.
169+
It's possible to reach Azure virtual machines by using [Remote Desktop Protocol (RDP)](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol) and the [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell) (SSH) protocol. These protocols enable the management VMs from remote locations and are standard in datacenter computing.
170170

171171
The potential security problem with using these protocols over the internet is that attackers can use [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) techniques to gain access to Azure virtual machines. After the attackers gain access, they can use your VM as a launch point for compromising other machines on your virtual network or even attack networked devices outside Azure.
172172
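Review bot: The changed line 169 applies the acronym-inside-link pattern to RDP but leaves SSH in the old form, "[Secure Shell](...) (SSH)", on the same line; for consistency it should become "[Secure Shell (SSH)](https://en.wikipedia.org/wiki/Secure_Shell) protocol". The same line also has a grammatical slip, "These protocols enable the management VMs from remote locations", which should read "enable the management of VMs from remote locations".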

articles/security/fundamentals/network-overview.md

Lines changed: 1 addition & 1 deletion
@@ -96,7 +96,7 @@ The ability to control routing behavior on your virtual networks is critical. If
9696

9797
Azure networking supports the ability to customize the routing behavior for network traffic on your virtual networks. This enables you to alter the default routing table entries in your virtual network. Control of routing behavior helps you make sure that all traffic from a certain device or group of devices enters or leaves your virtual network through a specific location.
9898

99-
For example, you might have a virtual network security appliance on your virtual network. You want to make sure that all traffic to and from your virtual network goes through that virtual security appliance. You can do this by configuring [User Defined Routes](../../virtual-network/virtual-networks-udr-overview.md#custom-routes) (UDRs) in Azure.
99+
For example, you might have a virtual network security appliance on your virtual network. You want to make sure that all traffic to and from your virtual network goes through that virtual security appliance. You can do this by configuring [User Defined Routes (UDRs)](../../virtual-network/virtual-networks-udr-overview.md#custom-routes) in Azure.
100100

101101
[Forced tunneling](../../vpn-gateway/vpn-gateway-about-forced-tunneling.md) is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the internet. Note that this is different from accepting incoming connections and then responding to them. Front-end web servers need to respond to requests from internet hosts, and so internet-sourced traffic is allowed inbound to these web servers and the web servers are allowed to respond.
102102

articles/security/fundamentals/operational-checklist.md

Lines changed: 2 additions & 2 deletions
@@ -30,10 +30,10 @@ This checklist is intended to help enterprises think through various operational
3030
| ------------ | -------- |
3131
| [<br>Security Roles & Access Controls](../../defender-for-cloud/defender-for-cloud-planning-and-operations-guide.md)|<ul><li>Use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.yml) to provide user-specific that used to assign permissions to users, groups, and applications at a certain scope.</li></ul> |
3232
| [<br>Data Protection & Storage](../../storage/blobs/security-recommendations.md)|<ul><li>Use Management Plane Security to secure your Storage Account using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.yml).</li><li>Data Plane Security to Securing Access to your Data using [Shared Access Signatures (SAS)](../../storage/common/storage-sas-overview.md) and Stored Access Policies.</li><li>Use Transport-Level Encryption – Using HTTPS and the encryption used by [SMB (Server message block protocols) 3.0](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) for [Azure File Shares](../../storage/files/storage-dotnet-how-to-use-files.md).</li><li>Use [Client-side encryption](../../storage/common/storage-client-side-encryption.md) to secure data that you send to storage accounts when you require sole control of encryption keys. </li><li>Use [Storage Service Encryption (SSE)](../../storage/common/storage-service-encryption.md) to automatically encrypt data in Azure Storage, and [Azure Disk Encryption for Linux VMs](../../virtual-machines/linux/disk-encryption-overview.md) and [Azure Disk Encryption for Windows VMs](../../virtual-machines/linux/disk-encryption-overview.md) to encrypt virtual machine disk files for the OS and data disks.</li><li>Use Azure [Storage Analytics](/rest/api/storageservices/storage-analytics) to monitor authorization type; like with Blob Storage, you can see if users have used a Shared Access Signature or the storage account keys.</li><li>Use [Cross-Origin Resource Sharing (CORS)](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services) to access storage resources from different domains.</li></ul> |
33-
|[<br>Security Policies & Recommendations](../../defender-for-cloud/defender-for-cloud-planning-and-operations-guide.md#security-policies-and-recommendations)|<ul><li>Use [Microsoft Defender for Cloud](../../defender-for-cloud/integration-defender-for-endpoint.md) to deploy endpoint solutions.</li><li>Add a [web application firewall (WAF)](../../web-application-firewall/ag/ag-overview.md) to secure web applications.</li><li>Use [Azure Firewall](../../firewall/overview.md) to increase your security protections. </li><li>Apply security contact details for your Azure subscription. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn528958.aspx) (MSRC) contacts you if it discovers that your customer data has been accessed by an unlawful or unauthorized party.</li></ul> |
33+
|[<br>Security Policies & Recommendations](../../defender-for-cloud/defender-for-cloud-planning-and-operations-guide.md#security-policies-and-recommendations)|<ul><li>Use [Microsoft Defender for Cloud](../../defender-for-cloud/integration-defender-for-endpoint.md) to deploy endpoint solutions.</li><li>Add a [web application firewall (WAF)](../../web-application-firewall/ag/ag-overview.md) to secure web applications.</li><li>Use [Azure Firewall](../../firewall/overview.md) to increase your security protections. </li><li>Apply security contact details for your Azure subscription. The [Microsoft Security Response Center (MSRC)](https://technet.microsoft.com/security/dn528958.aspx) contacts you if it discovers that your customer data has been accessed by an unlawful or unauthorized party.</li></ul> |
3434
| [<br>Identity & Access Management](identity-management-best-practices.md)|<ul><li>[Synchronize your on-premises directory with your cloud directory using Microsoft Entra ID](../../active-directory/hybrid/whatis-hybrid-identity.md).</li><li>Use [single sign-on](../../active-directory/manage-apps/what-is-single-sign-on.md) to enable users to access their SaaS applications based on their organizational account in Azure AD.</li><li>Use the [Password Reset Registration Activity](../../active-directory/authentication/howto-sspr-reporting.md) report to monitor the users that are registering.</li><li>Enable [multi-factor authentication (MFA)](../../active-directory/authentication/concept-mfa-howitworks.md) for users.</li><li>Developers to use secure identity capabilities for apps like [Microsoft Security Development Lifecycle (SDL)](https://www.microsoft.com/download/details.aspx?id=12379).</li><li>Actively monitor for suspicious activities by using Microsoft Entra ID P1 or P2 anomaly reports and [Microsoft Entra ID Protection capability](../../active-directory/identity-protection/overview-identity-protection.md).</li></ul> |
3535
|[<br>Ongoing Security Monitoring](../../defender-for-cloud/defender-for-cloud-introduction.md)|<ul><li>Use Malware Assessment Solution [Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md) to report on the status of antimalware protection in your infrastructure.</li><li>Use [Update Management](../../automation/update-management/overview.md) to determine the overall exposure to potential security problems, and whether or how critical these updates are for your environment.</li><li>The [Microsoft Entra admin center](https://entra.microsoft.com) provides visibility into the integrity and security of your organization's directory. |
36-
| [<br>Microsoft Defender for Cloud detection capabilities](../../security-center/security-center-alerts-overview.md#detect-threats)|<ul><li>Use [Cloud Security Posture Management](../../defender-for-cloud/concept-cloud-security-posture-management.md) (CSPM) for hardening guidance that helps you efficiently and effectively improve your security.</li><li>Use [alerts](../../defender-for-cloud/alerts-overview.md) to be notified when threats are identified in your cloud, hybrid, or on-premises environment. </li><li>Use [security policies, initiatives, and recommendations](../../defender-for-cloud/security-policy-concept.md) to improve your security posture.</li></ul> |
36+
| [<br>Microsoft Defender for Cloud detection capabilities](../../security-center/security-center-alerts-overview.md#detect-threats)|<ul><li>Use [Cloud Security Posture Management (CSPM)](../../defender-for-cloud/concept-cloud-security-posture-management.md) for hardening guidance that helps you efficiently and effectively improve your security.</li><li>Use [alerts](../../defender-for-cloud/alerts-overview.md) to be notified when threats are identified in your cloud, hybrid, or on-premises environment. </li><li>Use [security policies, initiatives, and recommendations](../../defender-for-cloud/security-policy-concept.md) to improve your security posture.</li></ul> |
3737

3838
## Conclusion
3939
Many organizations have successfully deployed and operated their cloud applications on Azure. The checklists provided highlight several checklists that are essential and help you to increase the likelihood of successful deployments and frustration-free operations. We highly recommend these operational and strategic considerations for your existing and new application deployments on Azure.
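Review bot: On the changed line 33, the MSRC link still points to `https://technet.microsoft.com/security/dn528958.aspx`, while every other MSRC reference touched by this commit uses an msrc.microsoft.com URL; consider pointing this one at the same target so the acronym cleanup does not preserve a stale link. Three issues in the surrounding context lines are also visible in this hunk and worth fixing in the same pass: on line 32, "Azure Disk Encryption for Windows VMs" links to `../../virtual-machines/linux/disk-encryption-overview.md`, the same path as the Linux link immediately before it; on line 31, "to provide user-specific that used to assign permissions" is garbled and should read something like "to assign permissions to users, groups, and applications at a certain scope"; and on line 35, the `<ul>` opened for the "Ongoing Security Monitoring" row is never closed with `</ul>` before the trailing `|`.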

articles/security/fundamentals/ransomware-prepare.md

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ ms.date: 01/10/2022
1313

1414
## Adopt a Cybersecurity framework
1515

16-
A good place to start is to adopt the [Microsoft cloud security benchmark](/security/benchmark/azure) (MCSB) to secure the Azure environment. The Microsoft cloud security benchmark is the Azure security control framework, based on industry-based security control frameworks such as NIST SP800-53, CIS Controls v7.1.
16+
A good place to start is to adopt the [Microsoft cloud security benchmark (MCSB)](/security/benchmark/azure) to secure the Azure environment. The Microsoft cloud security benchmark is the Azure security control framework, based on industry-based security control frameworks such as NIST SP800-53, CIS Controls v7.1.
1717

1818
:::image type="content" source="./media/ransomware/ransomware-13.png" alt-text="Screenshot of the NS-1: Establish Network Segmentation Boundaries security control":::
1919
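Review bot: The changed line 16 introduces the acronym "MCSB" and then repeats the full name "The Microsoft cloud security benchmark" in the very next sentence; now that the acronym is defined in the link text, the second sentence can open with "MCSB is the Azure security control framework". The list at the end of that sentence, "such as NIST SP800-53, CIS Controls v7.1", is also missing a conjunction: "such as NIST SP 800-53 and CIS Controls v7.1".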

articles/security/fundamentals/ransomware-protection-with-azure-firewall.md

Lines changed: 2 additions & 2 deletions
@@ -27,7 +27,7 @@ A network intrusion detection and prevention system (IDPS) allows you to monitor
2727

2828
The IDPS signatures are applicable for both application and network level traffic (Layers 4-7), fully managed, and contain more than 65,000 signatures in over 50 different categories. To keep them (the IDPS signatures?) up to date with the dynamic ever-changing attack landscape:
2929

30-
- Azure Firewall has early access to vulnerability information from [Microsoft Active Protections Program](https://www.microsoft.com/msrc/mapp) (MAPP) and [Microsoft Security Response Center](https://www.microsoft.com/msrc/) (MSRC).
30+
- Azure Firewall has early access to vulnerability information from [Microsoft Active Protections Program (MAPP)](https://www.microsoft.com/msrc/mapp) and [Microsoft Security Response Center (MSRC)](https://www.microsoft.com/msrc/).
3131
- Azure Firewall releases 30 to 50 new signatures each day.
3232

3333
Today, modern encryption (SSL/TLS) is used globally to secure Internet traffic. Attackers use encryption to carry their malicious software into the victim’s network. Therefore, customers must inspect their encrypted traffic just like any other traffic.
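Review bot: Context line 28 in this hunk still contains the editorial aside "(the IDPS signatures?)", which reads as an unresolved reviewer question left in published text; it should be resolved rather than shipped, e.g. "To keep the IDPS signatures up to date with the ever-changing attack landscape:". On the same line, "dynamic ever-changing" is redundant; one of the two adjectives is enough. The MAPP and MSRC change on line 30 is consistent with the rest of the commit.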
@@ -53,4 +53,4 @@ See [Ransomware protection in Azure](ransomware-protection.md) to learn more abo
5353
To learn more about Azure Firewall Premium, see:
5454

5555
- [Azure Firewall Premium features](../../firewall/premium-features.md)
56-
- [Optimize security with Azure Firewall solution for Azure Sentinel](https://www.microsoft.com/security/blog/2021/06/08/optimize-security-with-azure-firewall-solution-for-azure-sentinel/)
56+
- [Optimize security with Azure Firewall solution for Azure Sentinel](https://www.microsoft.com/security/blog/2021/06/08/optimize-security-with-azure-firewall-solution-for-azure-sentinel/)
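Review bot: As with the second hunk in firmware.md, the removed and added versions of line 56 are textually identical, so this is a whitespace-only change at end of file (trailing newline added or removed). Harmless if intended, but since two files in this commit carry such end-of-file changes alongside the link cleanup, it is worth confirming they are deliberate and not an editor setting silently rewriting files.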
