Merge pull request #16354 from alkohli/16-azlreb

Jill Grant · web-flow · commit 6e7110156545 · 2024-11-15T17:32:38.000-07:00
Rebrand security features
diff --git a/azure-local/concepts/security-features.md b/azure-local/concepts/security-features.md
@@ -1,40 +1,40 @@
 ---
-title: Security features for Azure Stack HCI, version 23H2.
-description: Learn about security features available for new deployments of Azure Stack HCI, version 23H2.
+title: Security features for Azure Local, version 23H2.
+description: Learn about security features available for new deployments of Azure Local, version 23H2.
 author: alkohli
 ms.author: alkohli
 ms.topic: conceptual
 ms.service: azure-stack-hci
-ms.date: 04/30/2024
+ms.date: 11/15/2024
 ---
 
-# Security features for Azure Stack HCI, version 23H2
+# Security features for Azure Local, version 23H2
 
 [!INCLUDE [hci-applies-to-23h2](../includes/hci-applies-to-23h2.md)]
 
-Azure Stack HCI is a secure-by-default product that has more than 300 security settings enabled right from the start. Default security settings provide a consistent security baseline to ensure that devices start in a known good state.
+Azure Local is a secure-by-default product that has more than 300 security settings enabled right from the start. Default security settings provide a consistent security baseline to ensure that devices start in a known good state.
 
-This article provides a brief conceptual overview of the various security features associated with your Azure Stack HCI cluster. Features include security defaults, Windows Defender for Application Control (WDAC), volume encryption via BitLocker, secret rotation, local built-in user accounts, Microsoft Defender for Cloud, and more.
+This article provides a brief conceptual overview of the various security features associated with your Azure Local instance. Features include security defaults, Windows Defender for Application Control (WDAC), volume encryption via BitLocker, secret rotation, local built-in user accounts, Microsoft Defender for Cloud, and more.
 
 ## Security defaults
 
-Your Azure Stack HCI has security settings enabled by default that provide a consistent security baseline, a baseline management system, and a drift control mechanism.
+Your Azure Local has security settings enabled by default that provide a consistent security baseline, a baseline management system, and a drift control mechanism.
 
 You can monitor the security baseline and secured-core settings during both deployment and runtime. You can also disable drift control during deployment when you configure security settings.
 
 With drift control applied, security settings are refreshed every 90 minutes. This refresh interval ensures remediation of any changes from the desired state. Continuous monitoring and autoremediation enable a consistent and reliable security posture throughout the lifecycle of the device.
 
-Secure baseline on Azure Stack HCI:
+Secure baseline on Azure Local:
 
 - Improves the security posture by disabling legacy protocols and ciphers.
 - Reduces OPEX with a built-in drift protection mechanism that enables consistent at-scale monitoring via the Azure Arc Hybrid Edge baseline.
 - Enables you to meet Center for Internet Security (CIS) benchmark and Defense Information System Agency (DISA) Security Technical Implementation Guide (STIG) requirements for the OS and recommended security baseline.
 
-For more information, see [Manage security defaults on Azure Stack HCI](../manage/manage-secure-baseline.md).
+For more information, see [Manage security defaults on Azure Local](../manage/manage-secure-baseline.md).
 
 ## Windows Defender Application Control
 
-WDAC is a software-based security layer that reduces attack surface by enforcing an explicit list of software that is allowed to run. WDAC is enabled by default and limits the applications and code that you can run on the core platform. For more information, see [Manage Windows Defender Application Control for Azure Stack HCI, version 23H2](../manage/manage-wdac.md#manage-wdac-settings-with-powershell).
+WDAC is a software-based security layer that reduces attack surface by enforcing an explicit list of software that is allowed to run. WDAC is enabled by default and limits the applications and code that you can run on the core platform. For more information, see [Manage Windows Defender Application Control for Azure Local, version 23H2](../manage/manage-wdac.md#manage-wdac-settings-with-powershell).
 
 WDAC provides two main operation modes, Enforcement mode and Audit mode. In Enforcement mode, untrusted code is blocked and events are recorded. In Audit mode, untrusted code is allowed to run and events are recorded. To learn more about WDAC-related events, see [List of Events](/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations).
 
@@ -43,11 +43,11 @@ WDAC provides two main operation modes, Enforcement mode and Audit mode. In Enfo
 
 ### About WDAC policy design
 
-Microsoft provides base signed policies on Azure Stack HCI for both Enforcement mode and Audit mode. Additionally, policies include a predefined set of platform behavior rules and block rules to apply to the application control layer.
+Microsoft provides base signed policies on Azure Local for both Enforcement mode and Audit mode. Additionally, policies include a predefined set of platform behavior rules and block rules to apply to the application control layer.
 
 #### Composition of base policies
 
-Azure Stack HCI base policies include the following sections:
+Azure Local base policies include the following sections:
 
 - **Metadata**: The metadata defines unique properties of the policy such as the policy name, version, GUID, and more.
 - **Option Rules**: These rules define policy behavior. Supplemental policies can only differ from a small set of the option rules tied to their base policy.
@@ -96,20 +96,20 @@ To learn more about Deny rules, see:
 
 ## BitLocker encryption
 
-Data-at-rest encryption is enabled on data volumes created during deployment. These data volumes include both infrastructure volumes and workload volumes. When you deploy your cluster, you can modify security settings.
+Data-at-rest encryption is enabled on data volumes created during deployment. These data volumes include both infrastructure volumes and workload volumes. When you deploy your system, you can modify security settings.
 
 By default, data-at-rest encryption is enabled during deployment. We recommend that you accept the default setting.
 
-Once Azure Stack HCI is successfully deployed, you can retrieve BitLocker recovery keys. You must store BitLocker recovery keys in a secure location outside of the system.
+Once Azure Local is successfully deployed, you can retrieve BitLocker recovery keys. You must store BitLocker recovery keys in a secure location outside of the system.
 
 For more information about BitLocker encryption, see:
 
 - [Use BitLocker with Cluster Shared Volumes (CSV)](../manage/bitlocker-on-csv.md).
-- [Manage BitLocker encryption on Azure Stack HCI](../manage/manage-bitlocker.md).
+- [Manage BitLocker encryption on Azure Local](../manage/manage-bitlocker.md).
 
 ## Local built-in user accounts
 
-In this release, the following local built-in users associated with `RID 500` and `RID 501` are available on your Azure Stack HCI system:
+In this release, the following local built-in users associated with `RID 500` and `RID 501` are available on your Azure Local system:
 
 |Name in initial OS image |Name after deployment |Enabled by default |Description |
 |-----|-----|-----|-----|
@@ -121,47 +121,47 @@ In this release, the following local built-in users associated with `RID 500` an
 
 ## Secret creation and rotation
 
-The orchestrator in Azure Stack HCI requires multiple components to maintain secure communications with other infrastructure resources and services. All services running on the cluster have authentication and encryption certificates associated with them.
+The orchestrator in Azure Local requires multiple components to maintain secure communications with other infrastructure resources and services. All services running on the system have authentication and encryption certificates associated with them.
 
-To ensure security, we implement internal secret creation and rotation capabilities. When you review your cluster nodes, you see several certificates created under the path LocalMachine/Personal certificate store (`Cert:\LocalMachine\My`).
+To ensure security, we implement internal secret creation and rotation capabilities. When you review your system nodes, you see several certificates created under the path LocalMachine/Personal certificate store (`Cert:\LocalMachine\My`).
 
 In this release, the following capabilities are enabled:
 
-- The ability to create certificates during deployment and after cluster scale operations.
-- Automated autorotation before certificates expire, and an option to rotate certificates during the lifetime of the cluster.
+- The ability to create certificates during deployment and after system scale operations.
+- Automated autorotation before certificates expire, and an option to rotate certificates during the lifetime of the system.
 - The ability to monitor and alert whether certificates are still valid.
 
 > [!NOTE]
-> Secret creation and rotation operations take about ten minutes to complete, depending on the size of the cluster.
+> Secret creation and rotation operations take about ten minutes to complete, depending on the size of the system.
 
 For more information, see [Manage secrets rotation](../manage/manage-secrets-rotation.md).
 
 ## Syslog forwarding of security events
 
-For customers and organizations that require their own local security information and event management (SIEM) system, Azure Stack HCI version 23H2 includes an integrated mechanism that enables you to forward security-related events to a SIEM.
+For customers and organizations that require their own local security information and event management (SIEM) system, Azure Local, version 23H2 includes an integrated mechanism that enables you to forward security-related events to a SIEM.
 
-Azure Stack HCI has an integrated syslog forwarder that, once configured, generates syslog messages defined in RFC3164, with the payload in Common Event Format (CEF).
+Azure Local has an integrated syslog forwarder that, once configured, generates syslog messages defined in RFC3164, with the payload in Common Event Format (CEF).
 
-The following diagram illustrates integration of Azure Stack HCI with an SIEM. All audits, security logs, and alerts are collected on each host and exposed via syslog with the CEF payload.
+The following diagram illustrates integration of Azure Local with an SIEM. All audits, security logs, and alerts are collected on each host and exposed via syslog with the CEF payload.
 
-:::image type="content" source="media/security-features/integration-of-azure-stack-hci-with-external-siem.png" alt-text="The following diagram describes the integration of Azure Stack HCI with an external security information and event management (SIEM) system." lightbox="media/security-features/integration-of-azure-stack-hci-with-external-siem.png":::
+:::image type="content" source="media/security-features/integration-of-azure-stack-hci-with-external-siem.png" alt-text="The following diagram describes the integration of Azure Local with an external security information and event management (SIEM) system." lightbox="media/security-features/integration-of-azure-stack-hci-with-external-siem.png":::
 
-Syslog forwarding agents are deployed on every Azure Stack HCI host to forward syslog messages to the customer-configured syslog server. Syslog forwarding agents work independently from each other but can be managed together on any one of the hosts.
+Syslog forwarding agents are deployed on every Azure Local host to forward syslog messages to the customer-configured syslog server. Syslog forwarding agents work independently from each other but can be managed together on any one of the hosts.
 
-The syslog forwarder in Azure Stack HCI supports various configurations based on whether syslog forwarding is with TCP or UDP, whether the encryption is enabled or not, and whether there's unidirectional or bidirectional authentication.
+The syslog forwarder in Azure Local supports various configurations based on whether syslog forwarding is with TCP or UDP, whether the encryption is enabled or not, and whether there's unidirectional or bidirectional authentication.
 
 For more information, see [Manage syslog forwarding](../manage/manage-syslog-forwarding.md).
 
 ## Microsoft Defender for Cloud (preview)
 
 Microsoft Defender for Cloud is a security posture management solution with advanced threat protection capabilities. It provides you with tools to assess the security status of your infrastructure, protect workloads, raise security alerts, and follow specific recommendations to remediate attacks and address future threats. It performs all these services at high speed in the cloud through autoprovisioning and protection with Azure services, with no deployment overhead.
 
-With the basic Defender for Cloud plan, you get recommendations on how to improve the security posture of your Azure Stack HCI system at no extra cost. With the paid Defender for Servers plan, you get enhanced security features including security alerts for individual servers and Arc VMs.
+With the basic Defender for Cloud plan, you get recommendations on how to improve the security posture of your Azure Local system at no extra cost. With the paid Defender for Servers plan, you get enhanced security features including security alerts for individual machines and Arc VMs.
 
 For more information, see [Manage system security with Microsoft Defender for Cloud (preview)](../manage/manage-security-with-defender-for-cloud.md).
 
 ## Next steps
 
 - [Assess deployment readiness via the Environment Checker](../manage/use-environment-checker.md).
-- [Read the Azure Stack HCI security book](https://assetsprod.microsoft.com/mpn/azure-stack-hci-security-book.pdf).
-- [View the Azure Stack HCI security standards](/azure-stack/hci/assurance/azure-stack-security-standards).
+- [Read the Azure Local security book](https://assetsprod.microsoft.com/mpn/azure-stack-hci-security-book.pdf).
+- [View the Azure Local security standards](/azure-stack/hci/assurance/azure-stack-security-standards).
