articles/app-service/containers/configure-language-php.md
1 addition & 1 deletion
@@ -164,7 +164,7 @@ Redeploy your app with the changes and restart it. If you deploy it with Kudu (f
164
164
165
165
As an alternative to using *.htaccess*, you can use [ini_set()](https://www.php.net/manual/function.ini-set.php) in your app to customize these non-PHP_INI_SYSTEM directives.
To customize PHP_INI_SYSTEM directives (see [php.ini directives](https://www.php.net/manual/ini.list.php)), you can't use the *.htaccess* approach. App Service provides a separate mechanism using the `PHP_INI_SCAN_DIR` app setting.
articles/app-service/containers/configure-language-ruby.md
2 additions & 2 deletions
@@ -139,7 +139,7 @@ However, this setting alone causes the Rails server to start in development mode
139
139
az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings APP_COMMAND_LINE="rails server -b 0.0.0.0"
140
140
```
141
141
142
-
### Set secret_key_base manually
142
+
### <aname="set-secret_key_base-manually"></a> Set secret_key_base manually
143
143
144
144
To use your own `secret_key_base` value instead of letting App Service generate one for you, set the `SECRET_KEY_BASE`[app setting](../configure-common.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#configure-app-settings) with the value you want. For example:
145
145
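Review bot: the added heading on line 142 reads `<aname="set-secret_key_base-manually"></a>` with no space between `a` and `name`; as written that is not an anchor element, so the link target this hunk is meant to introduce will not exist. If the source actually contains `<a name="set-secret_key_base-manually"></a>` the change is fine; otherwise add the space before merging, since the whole point of the hunk is a stable anchor for a section about a signing secret.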
@@ -161,4 +161,4 @@ az webapp config appsettings set --name <app-name> --resource-group <resource-gr
161
161
> [Tutorial: Rails app with PostgreSQL](tutorial-ruby-postgres-app.md)
162
162
163
163
> [!div class="nextstepaction"]
164
-
> [App Service Linux FAQ](app-service-linux-faq.md)
164
+
> [App Service Linux FAQ](app-service-linux-faq.md)
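Review bot: the removed and added `> [App Service Linux FAQ](app-service-linux-faq.md)` lines at line 164 are identical in the rendered diff, so this hunk is a whitespace-only change (most likely a trailing newline or trailing space). Say so in the description, or drop the hunk if it was not intentional, so reviewers do not hunt for a content difference that is not there.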
title: Security recommendations for Azure App Service
3
+
description: Security recommendations for the Azure App Service. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model and will improve the overall security for your web app solutions.
4
+
services: app-service
5
+
author: barclayn
6
+
manager: barbkess
7
+
8
+
ms.service: app-service
9
+
ms.topic: conceptual
10
+
ms.date: 06/17/2019
11
+
ms.author: barclayn
12
+
13
+
---
14
+
15
+
# Security recommendations for App Service
16
+
17
+
This article contains security recommendations for Azure App Service. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model and will improve the overall security for your Web App solutions. For more information on what Microsoft does to fulfill service provider responsibilities, read [Azure infrastructure security](../security/azure-security-infrastructure.md).
18
+
19
+
## General
20
+
21
+
| Recommendation | Comments |
22
+
|-|-|----|
23
+
| Stay up-to-date | Use the latest versions of supported platforms, programming languages, protocols, and frameworks. |
24
+
25
+
## Identity and access management
26
+
27
+
| Recommendation | Comments |
28
+
|-|----|
29
+
| Disable anonymous access | Unless you need to support anonymous requests, disable anonymous access. For more information on Azure App Service authentication options, see [Authentication and authorization in Azure App Service](overview-authentication-authorization.md).|
30
+
| Require authentication | Whenever possible, use the App Service authentication module instead of writing code to handle authentication and authorization. See [Authentication and authorization in Azure App Service](overview-authentication-authorization.md). |
31
+
| Protect back-end resources with authenticated access | You can either use the user's identity or use an application identity to authenticate to a back-end resource. When you choose to use an application identity use a [managed identity](overview-managed-identity.md).
32
+
| Require client certificate authentication | Client certificate authentication improves security by only allowing connections from clients that can authenticate using certificates that you provide. |
33
+
34
+
## Data protection
35
+
36
+
| Recommendation | Comments |
37
+
|-|-|
38
+
| Redirect HTTP to HTTPs | By default, clients can connect to web apps by using both HTTP or HTTPS. We recommend redirecting HTTP to HTTPs because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. |
39
+
| Encrypt communication to Azure resources | When your app connects to Azure resources, such as [SQL Database](https://azure.microsoft.com/services/sql-database/) or [Azure Storage](/azure/storage/), the connection stays in Azure. Since the connection goes through the shared networking in Azure, you should always encrypt all communication. |
40
+
| Require the latest TLS version possible | Since 2018 new Azure App Service apps use TLS 1.2. Newer versions of TLS include security improvements over older protocol versions. |
41
+
| Use FTPS | App Service supports both FTP and FTPS for deploying your files. Use FTPS instead of FTP when possible. When one or both of these protocols are not in use, you should [disable them](deploy-ftp.md#enforce-ftps). |
42
+
| Secure application data | Don't store application secrets, such as database credentials, API tokens, or private keys in your code or configuration files. The commonly accepted approach is to access them as [environment variables](https://wikipedia.org/wiki/Environment_variable) using the standard pattern in your language of choice. In Azure App Service, you can define environment variables through [app settings](web-sites-configure.md) and [connection strings](web-sites-configure.md). App settings and connection strings are stored encrypted in Azure. The app settings are decrypted only before being injected into your app's process memory when the app starts. The encryption keys are rotated regularly. Alternatively, you can integrate your Azure App Service app with [Azure Key Vault](/azure/key-vault/) for advanced secrets management. By [accessing the Key Vault with a managed identity](../key-vault/tutorial-web-application-keyvault.md), your App Service app can securely access the secrets you need. |
43
+
44
+
## Networking
45
+
46
+
| Recommendation | Comments |
47
+
|-|-|
48
+
| Use static IP restrictions | Azure App Service on Windows lets you define a list of IP addresses that are allowed to access your app. The allowed list can include individual IP addresses or a range of IP addresses defined by a subnet mask. For more information, see [Azure App Service Static IP Restrictions](app-service-ip-restrictions.md). |
49
+
| Use the isolated pricing tier | Except for the isolated pricing tier, all tiers run your apps on the shared network infrastructure in Azure App Service. The isolated tier gives you complete network isolation by running your apps inside a dedicated [App Service environment](environment/intro.md). An App Service environment runs in your own instance of [Azure Virtual Network](/azure/virtual-network/).|
50
+
| Use secure connections when accessing on-premises resources | You can use [Hybrid connections](app-service-hybrid-connections.md), [Virtual Network integration](web-sites-integrate-with-vnet.md), or [App Service environment's](environment/intro.md) to connect to on-premises resources. |
51
+
| Limit exposure to inbound network traffic | Network security groups allow you to restrict network access and control the number of exposed endpoints. For more information, see [How To Control Inbound Traffic to an App Service Environment](environment/app-service-app-service-environment-control-inbound-traffic.md). |
52
+
53
+
## Monitoring
54
+
55
+
| Recommendation | Comments |
56
+
|-|-|
57
+
|Use Azure Security Center standard tier |[Azure Security Center](../security-center/security-center-app-services.md) is natively integrated with Azure App Service. It can run assessments and provide security recommendations. |
58
+
59
+
## Next steps
60
+
61
+
Check with your application provider to see if there are additional security requirements. For more information on developing secure applications, see [Secure Development Documentation](../security/abstract-develop-secure-apps.md).
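Review bot: two tables in this new file will not render as intended: the separator on line 22, `|-|-|----|`, declares three columns under a two-column header, and the "Protect back-end resources" row on line 31 has no closing `|`. Fix both so the General and Identity tables display. On content, the "Require the latest TLS version possible" row (line 40) only states that new apps since 2018 use TLS 1.2 and gives no action; since that wording implies apps created earlier may not, the recommendation should tell the reader to set the app's minimum inbound TLS version to 1.2 explicitly rather than rely on the default. "Redirect HTTP to HTTPs" (line 38) should read "HTTPS" in both places. The "Use static IP restrictions" row (line 48) says "Azure App Service on Windows"; if the feature is meant to apply only to Windows apps, say why, otherwise the qualifier will read as an accidental exclusion of Linux apps.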
articles/automation/automation-update-management.md
1 addition & 1 deletion
@@ -33,7 +33,7 @@ The following diagram shows a conceptual view of the behavior and data flow with
33
33
34
34
Update Management can be used to natively onboard machines in multiple subscriptions in the same tenant.
35
35
36
-
Once a CVE is released, it takes 2-3 hours for the patch to show up for Linux machines for assessment. For Windows machines, it takes 12-15 hours for the patch to show up for assessment after it has been released.
36
+
Once a package is released, it takes 2-3 hours for the patch to show up for Linux machines for assessment. For Windows machines, it takes 12-15 hours for the patch to show up for assessment after it has been released.
37
37
38
38
After a computer completes a scan for update compliance, the agent forwards the information in bulk to Azure Monitor logs. On a Windows computer, the compliance scan is run every 12 hours by default.
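Review bot: replacing "CVE" with "package" is the right correction, because a CVE being published and a fixed package being released are separate events and the delay on line 36 is measured from package release; readers should not take the old text to mean a vulnerability is assessable within hours of disclosure. The sentence still uses "package" and "patch" for the same thing ("Once a package is released, it takes 2-3 hours for the patch to show up"); pick one term, for example "Once a package is released, it takes 2-3 hours for it to show up for assessment on Linux machines."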
articles/backup/backup-azure-microsoft-azure-backup.md
12 additions & 13 deletions
@@ -37,19 +37,18 @@ Azure Backup Server inherits much of the workload backup functionality from Data
37
37
The first step towards getting the Azure Backup Server up and running is to set up a Windows Server. Your server can be in Azure or on-premises.
38
38
39
39
### Using a server in Azure
40
-
When choosing a server for running Azure Backup Server, it is recommended you start with a gallery image of Windows Server 2012 R2 Datacenter, Windows Server 2016 Datacenter or Windows Server 2019 Datacenter. The article, [Create your first Windows virtual machine in the Azure portal](../virtual-machines/virtual-machines-windows-hero-tutorial.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json), provides a tutorial for getting started with the recommended virtual machine in Azure, even if you've never used Azure before. The recommended minimum requirements for the server virtual machine (VM) should be: A2 Standard with two cores and 3.5 GB RAM.
40
+
When choosing a server for running Azure Backup Server, it is recommended you start with a gallery image of Windows Server 2012 R2 Datacenter, Windows Server 2016 Datacenter or Windows Server 2019 Datacenter. The article, [Create your first Windows virtual machine in the Azure portal](../virtual-machines/virtual-machines-windows-hero-tutorial.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json), provides a tutorial for getting started with the recommended virtual machine in Azure, even if you've never used Azure before. The recommended minimum requirements for the server virtual machine (VM) should be: Standard_A4_v2 with four cores and 8 GB RAM.
41
41
42
42
Protecting workloads with Azure Backup Server has many nuances. The article, [Install DPM as an Azure virtual machine](https://technet.microsoft.com/library/jj852163.aspx), helps explain these nuances. Before deploying the machine, read this article completely.
43
43
44
44
### Using an on-premises server
45
-
If you do not want to run the base server in Azure, you can run the server on a Hyper-V VM, a VMware VM, or a physical host. The recommended minimum requirements for the server hardware are two cores and 4 GB RAM. The supported operating systems are listed in the following table:
45
+
If you do not want to run the base server in Azure, you can run the server on a Hyper-V VM, a VMware VM, or a physical host. The recommended minimum requirements for the server hardware are two cores and 8 GB RAM. The supported operating systems are listed in the following table:
46
46
47
47
| Operating System | Platform | SKU |
48
48
|:--- | --- |:--- |
49
49
| Windows Server 2019 |64 bit |Standard, Datacenter, Essentials (MABS V3 and later) |
50
50
| Windows Server 2016 and latest SPs |64 bit |Standard, Datacenter, Essentials (MABS V2 and later) |
51
51
| Windows Server 2012 R2 and latest SPs |64 bit |Standard, Datacenter, Foundation |
52
-
| Windows Server 2012 and latest SPs |64 bit |Datacenter, Foundation, Standard |
53
52
| Windows Storage Server 2012 R2 and latest SPs |64 bit |Standard, Workgroup |
54
53
| Windows Storage Server 2012 and latest SPs |64 bit |Standard, Workgroup |
55
54
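Review bot: the Azure VM minimum on line 40 rises to four cores and 8 GB (Standard_A4_v2) while the on-premises minimum on line 45 rises only to two cores and 8 GB; if the core count is genuinely different between the two deployment models, say why, otherwise align the two sentences. The Windows Server 2012 row is deleted from the supported OS table (line 52) with no accompanying text; if 2012 is no longer supported, a short statement near the table or in the upgrade section, with guidance for existing MABS installs on that OS, is needed, since silently dropping the row leaves those readers without a path.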
@@ -137,7 +136,7 @@ To edit the storage replication setting:
137
136
After you've downloaded all the files, click **MicrosoftAzureBackupInstaller.exe**. This will start the **Microsoft Azure Backup Setup Wizard** to extract the setup files to a location specified by you. Continue through the wizard and click on the **Extract** button to begin the extraction process.
138
137
139
138
> [!WARNING]
140
-
> At least 4GB of free space is required to extract the setup files.
139
+
> At least 4 GB of free space is required to extract the setup files.
141
140
>
142
141
>
143
142
@@ -201,7 +200,7 @@ Once the extraction process complete, check the box to launch the freshly extrac
201
200
202
201
The next step is to configure the Microsoft Azure Recovery Services Agent. As a part of the configuration, you will have to provide your vault credentials to register the machine to the recovery services vault. You will also provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can automatically generate a passphrase or provide your own minimum 16-character passphrase. Continue with the wizard until the agent has been configured.

205
204
9. Once registration of the Microsoft Azure Backup server successfully completes, the overall setup wizard proceeds to the installation and configuration of SQL Server and the Azure Backup Server components. Once the SQL Server component installation completes, the Azure Backup Server components are installed.
@@ -267,7 +266,7 @@ Here are the steps if you need to move MABS to a new server, while retaining the
267
266
## Network connectivity
268
267
Azure Backup Server requires connectivity to the Azure Backup service for the product to work successfully. To validate whether the machine has the connectivity to Azure, use the ```Get-DPMCloudConnection``` cmdlet in the Azure Backup Server PowerShell console. If the output of the cmdlet is TRUE then connectivity exists, else there is no connectivity.
269
268
270
-
At the same time, the Azure subscription needs to be in a healthy state. To find out the state of your subscription and to manage it, log in to the [subscription portal](https://account.windowsazure.com/Subscriptions).
269
+
At the same time, the Azure subscription needs to be in a healthy state. To find out the state of your subscription and to manage it, sign in to the [subscription portal](https://account.windowsazure.com/Subscriptions).
271
270
272
271
Once you know the state of the Azure connectivity and of the Azure subscription, you can use the table below to find out the impact on the backup/restore functionality offered.
273
272
@@ -281,7 +280,7 @@ Once you know the state of the Azure connectivity and of the Azure subscription,
281
280
| Lost connectivity > 15 days |Deprovisioned |Stopped |Stopped |Stopped and Azure recovery points deleted |Stopped |
282
281
283
282
### Recovering from loss of connectivity
284
-
If you have a firewall or a proxy that is preventing access to Azure, you need to whitelist the following domain addresses in the firewall/proxy profile:
283
+
If you have a firewall or a proxy that is preventing access to Azure, you need to allow the following domain addresses in the firewall/proxy profile:
285
284
286
285
*`http://www.msftncsi.com/ncsi.txt`
287
286
*\*.Microsoft.com
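Review bot: after the whitelist-to-allow replacement, "you need to allow the following domain addresses in the firewall/proxy profile" reads awkwardly; "add the following domains to the firewall/proxy allow list" keeps the meaning and the terminology change. Since this hunk touches the list, note that `*.Microsoft.com` is a very broad wildcard for an egress allow rule and covers far more than the Azure Backup endpoints, and that `http://www.msftncsi.com/ncsi.txt` is fetched over plain HTTP; both are pre-existing, but a sentence saying what the ncsi.txt fetch is for would stop operators from restricting it further.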
@@ -303,7 +302,7 @@ Use the following procedures to upgrade MABS.
303
302
### Upgrade from MABS V2 to V3
304
303
305
304
> [!NOTE]
306
-
>
305
+
>
307
306
> MABS V2 is not a prerequisite for installing MABS V3. However, you can upgrade to MABS V3 only from MABS V2.
308
307
309
308
Use the following steps to upgrade MABS:
@@ -313,23 +312,23 @@ Use the following steps to upgrade MABS:
313
312
2. Upgrade your server. The steps are similar to [installation](#install-and-upgrade-azure-backup-server). However, for SQL settings, you will get an option to upgrade your SQL instance to SQL 2017, or to use your own instance of SQL server 2017.
314
313
315
314
> [!NOTE]
316
-
>
315
+
>
317
316
> Do not exit while your SQL instance is being upgraded, exiting will uninstall the SQL reporting instance and hence an attempt to re-upgrade MABS will fail.
318
317
319
318
Important things to note:
320
319
321
320
> [!IMPORTANT]
322
-
>
321
+
>
323
322
> As part of SQL 2017 upgrade, we backup the SQL encryption keys and uninstall the reporting services. After SQL server upgrade, reporting service(14.0.6827.4788) is installed & encryption keys are restored.
324
-
>
323
+
>
325
324
> When configuring SQL 2017 manually, refer to *SSRS configuration with SQL 2017* section under Install instructions.
326
325
327
326
3. Update the protection agents on the protected servers.
328
327
4. Backups should continue without the need to restart your production servers.
329
328
5. You can begin protecting your data now. If you are upgrading to Modern Backup Storage, while protecting, you can also choose the volumes you wish to store the backups in, and check for under provisioned space. [Learn more](backup-mabs-add-storage.md).
330
329
331
330
> [!NOTE]
332
-
>
331
+
>
333
332
> If you are upgrading from MABS V1 to V2, make sure your OS is Windows Server 2016 or Windows Server 2012 R2. To take advantage of new features like System Center 2016 Data Protection Manager Modern Backup Storage, you must install Backup Server V2 on Windows Server 2016. Before you upgrade to or install Backup Server V2, read about the [installation prerequisites](https://docs.microsoft.com/system-center/dpm/install-dpm?view=sc-dpm-1807#setup-prerequisites) applicable for MABS.
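Review bot: the `>` changes at lines 316, 322, 324 and 332 are the same whitespace-only edits as in the previous hunk and are fine. Two content issues in the visible lines are worth fixing while this block is open: the NOTE at line 333 is about upgrading MABS V1 to V2 but sits inside the "Upgrade from MABS V2 to V3" procedure, so either move it under its own heading or retitle it; and "reporting service(14.0.6827.4788)" on line 323 needs a space before the parenthesis.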