# Azure Security Baseline

CIS has two implementation levels, and several categories of recommendations:

- Level 1: Recommended minimum security settings
  - These should be configured on all systems
  - These should cause little or no interruption of services or reduced functionality
- Level 2: Recommendations for highly secure environments
  - These might result in reduced functionality
## IAM Baseline

| Control | Level |
|---|---|
| Restrict access to the Azure AD administration portal | 1 |
| Enable Azure Multi-Factor Authentication (MFA) | 2 |
| Block remembering MFA on trusted devices | 2 |
| Disable guest accounts | 1 |
| Establish an interval for reconfirming user authentication methods | 1 |
| Forbid members and guests to invite | 2 |
| Disable: Users can create and manage security groups | 2 |
| Disable: Self-service group management enabled | 2 |
| Disable: Application options - Allow users to register apps | 2 |
| Password options: Notify users on password resets | 1 |
| Password options: Notify all admins when other admins reset passwords | 2 |
| Password options: Require two methods to reset passwords | 1 |
## Azure Security Center Baseline

| Control | Level |
|---|---|
| Enable the Standard pricing tier | 2 |
| Enable automatic provisioning of a monitoring agent[^1] | 1 |
| Enable System Updates | 1 |
| Enable Security Configurations[^2] | 1 |
| Enable Endpoint Protection | 1 |
| Enable Disk Encryption | 1 |
| Enable Network Security Groups | 1 |
| Enable Web Application Firewall | 1 |
| Enable Vulnerability Assessment | 1 |
| Enable Storage Encryption[^3] | 1 |
| Enable JIT Network Access[^4] | 1 |
| Enable Adaptive Application Controls[^5] | 1 |
| Enable SQL Auditing & Threat Detection | 1 |
| Enable SQL Encryption | 1 |
## Storage accounts Baseline

| Control | Level |
|---|---|
| Require security-enhanced transfers (HTTPS) | 1 |
| Enable binary large object (blob) encryption | 1 |
| Periodically regenerate access keys[^6] | 1 |
| Require Shared Access Signature (SAS) tokens to expire within an hour[^7] | 1 |
| Require SAS tokens to be shared only via HTTPS | 1 |
| Enable Azure Files encryption | 1 |
| Require only private access to blob containers[^8] | 1 |
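The following checker is an added example, not part of the original baseline or any Microsoft tooling: it evaluates a storage account's configuration JSON and a SAS URL against the storage-account controls above. It assumes the property names `enableHttpsTrafficOnly`, `allowBlobPublicAccess` and `encryption.services.<blob|file>.enabled` as printed by `az storage account show -o json`, and the standard SAS query parameters `st` (start), `se` (expiry) and `spr` (allowed protocols); the sample account and SAS URL are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Added example: audit a storage account and a SAS URL against the storage baseline.
# Property names are assumed to match the JSON printed by `az storage account show`.
MAX_SAS_LIFETIME = timedelta(hours=1)

def check_storage_account(acct):
    """Return the baseline controls the account JSON fails (empty list = compliant)."""
    findings = []
    if not acct.get("enableHttpsTrafficOnly"):
        findings.append("security-enhanced transfers (HTTPS) not required")
    services = acct.get("encryption", {}).get("services", {})
    for svc, label in (("blob", "blob encryption"), ("file", "Azure Files encryption")):
        if not services.get(svc, {}).get("enabled"):
            findings.append(f"{label} not enabled")
    if acct.get("allowBlobPublicAccess", True):  # absent: treat as not explicitly disabled
        findings.append("public blob access allowed at account level")
    return findings

def _sas_time(value):
    # SAS start/expiry times are ISO 8601 UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_sas_url(url, now):
    """Return the baseline controls a SAS URL fails; `now` is the evaluation time."""
    findings = []
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "se" not in params:
        return ["SAS token has no expiry (se)"]
    start = _sas_time(params["st"]) if "st" in params else now  # no st: valid from issue
    if _sas_time(params["se"]) - start > MAX_SAS_LIFETIME:
        findings.append("SAS token valid for longer than one hour")
    if params.get("spr") != "https":  # missing spr allows HTTP as well as HTTPS
        findings.append("SAS token not restricted to HTTPS (spr)")
    return findings

# Constructed sample inputs (not a real account or token)
SAMPLE_ACCOUNT = {
    "name": "examplestorage",
    "enableHttpsTrafficOnly": True,
    "allowBlobPublicAccess": True,
    "encryption": {"services": {"blob": {"enabled": True}, "file": {"enabled": False}}},
}
SAMPLE_SAS_URL = ("https://examplestorage.blob.core.windows.net/logs?sv=2020-08-04&sp=r"
                  "&st=2024-05-01T12:00:00Z&se=2024-05-02T12:00:00Z&spr=https,http&sig=REDACTED")
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
```

Running `check_storage_account(SAMPLE_ACCOUNT)` reports the missing Azure Files encryption and the public-access setting, and `check_sas_url(SAMPLE_SAS_URL, SAMPLE_NOW)` flags the 24-hour lifetime and the `spr=https,http` protocol setting.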
## Azure SQL Database Baseline

| Control | Level |
|---|---|
| Enable auditing | 1 |
| Enable a threat detection service[^9] | 1 |
| Enable all threat detection types | 1 |
| Enable the option to send security alerts | 1 |
| Enable the email service and co-administrators | 1 |
| Configure audit retention for more than 90 days | 1 |
| Configure threat detection retention for more than 90 days | 1 |
## Logging and monitoring Baseline

| Control | Level |
|---|---|
| Ensure that a log profile exists[^10] | 1 |
| Ensure that activity log retention is set to 365 days or more | 1 |
| Create an activity log alert for "Creating a policy assignment" | 1 |
| Create an activity log alert for "Creating, updating, or deleting a Network Security Group" | 1 |
| Create an activity log alert for "Creating or updating an SQL Server firewall rule" | 1 |
## Networking Baseline

| Control | Level |
|---|---|
| Restrict RDP and SSH access from the Internet | 1 |
| Restrict SQL Server access from the Internet | 1 |
| Configure the NSG flow log retention period for more than 90 days | 2 |
| Enable Network Watcher[^11] | 1 |
## VMs Baseline

| Control | Level |
|---|---|
| A VM agent must be installed and enabled for data collection for Azure Security Center | 1 |
| Ensure that OS disks are encrypted | 1 |
| Ensure only approved extensions are installed | 1 |
| Ensure that the OS patches for the VMs are applied | 1 |
| Ensure that VMs have an installed and running endpoint protection solution | 1 |
## Other Baseline

| Control | Level |
|---|---|
| Set an expiration date on all keys in Azure Key Vault | 1 |
| Set an expiration date on all secrets in Azure Key Vault | 1 |
| Set resource locks for mission-critical Azure resources | 2 |
[^1]: When automatic provisioning is enabled, Security Center installs the Microsoft Monitoring Agent on all supported Azure VMs and any new ones that are created.

[^2]: Azure Security Center monitors security configurations by applying a set of over 150 recommended rules for hardening the OS, including rules related to firewalls, auditing, password policies, and more. If a machine is found to have a vulnerable configuration, Security Center generates a security recommendation.

[^3]: When this setting is enabled, any new data in Azure Blobs and Files will be encrypted.

[^4]: Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

[^5]: Adaptive application control is an automated end-to-end application whitelisting solution. It helps you control which applications can run on your Azure and non-Azure VMs (Windows and Linux). Security Center uses machine learning to analyze the applications running on your VMs and helps you apply the specific whitelisting rules using this intelligence.

[^6]: When you create a storage account, Azure generates two 512-bit storage access keys, which are used for authentication when the storage account is accessed.

[^7]: A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources.

[^8]: When you grant public access to a container, anonymous users can read blobs within that container without authorizing the request.

[^9]: Threat detection can identify potential SQL injection, access from an unusual location or data center, access from an unfamiliar principal or potentially harmful application, and brute-forcing of SQL credentials. Threat detection is part of the Advanced Data Security (ADS) offering.

[^10]: Azure Activity Log provides insight into subscription-level events that have occurred in Azure. There is a single Activity Log for each Azure subscription. It provides data about the operations on a resource from the outside. Diagnostic Logs are emitted by a resource and provide information about the operation of that resource. You must enable diagnostic settings for each resource.

[^11]: Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG.