Merge pull request #102660 from memildin/asc-melvyn-20200129

Tweaks following feedback from Rotem

Author: PRMerger10

articles/security-center/recommendations-reference.md

@@ -28,8 +28,8 @@ Your secure score is based on how many Security Center recommendations you have
 |Recommendation|Description & related policy|Severity|Quick fix enabled?([Learn more](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations#recommendations-with-quick-fix-remediation))|Resource type|
 |----|----|----|----|----|
 |**Just-in-time network access control should be applied on virtual machines**|Apply just-in-time (JIT) virtual machine (VM) access control to permanently lock down access to selected ports, and enable authorized users to open them, via JIT, for a limited amount of time only.<br>(Related policy: Just-In-Time network access control should be applied on virtual machines)|High|N|Virtual machine|
-|**Network security groups on the subnet level should be enabled**|Enable network security groups to control network access of resources deployed in your subnets.<br>(Related policy: Subnets should be associated with a Network Security Group)|High/ Medium|N|Subnet|
-|**Virtual machines should be associated with a network security group**|Enable Network Security Groups to control network access of your virtual machines.<br>(Related policy: Virtual machines should be associated with a Network Security Group)|High/ Medium|N|Virtual machine|
+|**Network security groups on the subnet level should be enabled**|Enable network security groups to control network access of resources deployed in your subnets.<br>(Related policy: Subnets should be associated with a Network Security Group.<br>This policy is disabled by default)|High/ Medium|N|Subnet|
+|**Internet-facing virtual machines should be protected with Network Security Groups**|Enable Network Security Groups to control network access of your virtual machines.<br>(Related policy: Internet-facing virtual machines should be protected with Network Security Groups)|High/ Medium|N|Virtual machine|
 |**Access should be restricted for permissive network security groups with Internet-facing VMs**|Harden the network security groups of your Internet-facing VMs by restricting the access of your existing allow rules.<br>(Related policy: Network Security Group Rules for Internet facing virtual machines should be hardened)|High|N|Virtual machine|
 |**The rules for web applications on IaaS NSGs should be hardened**|Harden the network security group (NSG) of your virtual machines that are running web applications, with NSG rules that are overly permissive with regards to web application ports.<br>(Related policy: The NSGs rules for web applications on IaaS should be hardened)|High|N|Virtual machine|
 |**Access to App Services should be restricted**|Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.<br>(Related policy: [Preview]: Access to App Services should be restricted)|High|N|App service|