Monkey365 report

Microsoft Azure Monkey365 Test Subscription

Findings By Service

Findings By severity

Dashboard Table

Services	Rules	Findings
General	10	2
Conditional Access	8	4
Users	3	1
Groups	4	1
Subscription Security	8	3
Defender for Cloud	22	20
Azure KeyVault	8	3
Storage Accounts	17	17
SQL Server	6	6
Azure SQL Firewall	2	1
PostgreSQL Server	2	1
PostgreSQL Configuration	6	3
MySQL Server	3	3
MySQL Configuration	1	1
Diagnostic Settings	7	7
Azure Alerts	10	9
Application Insights	2	2
Network Security Groups	10	2
Network Watcher	2	2
Bastion	1	1
Azure Virtual Machines	6	3
Azure Disks	4	2
App Services	12	7
Monkey365 Dashboard

General

Ensure Security Defaults is enabled on Microsoft Entra ID

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.1.1

Rule Violations
1

Description

Security defaults in Microsoft Entra ID (Azure Active Directory) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal.

Rationale

Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.For example doing the following:

Requiring all users and admins to register for MFA.
Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
Disabling authentication from legacy authentication clients, which canÃ¢â‚¬â„¢t do MFA.

Impact

Enabling security defaults may negatively impact the functionality of other Microsoft services, such as MS365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.

Remediation

From Azure Console

Sign in to Azure portal as a security administrator, Conditional Access administrator, or global administrator.
Browse to Microsoft Entra ID > Properties.
Select Manage security defaults.
Set the Enable security defaults toggle to Yes.
Select Save.

References

anyBaselinePolicyEnabled	anyCAPolicyEnabled	securityDefaultsEnabled	ignoreBaselineProtectionPolicies	anyClassicPolicyEnabled	anyIPCEnabled
Disabled	Enabled	Disabled	Disabled	Enabled	Enabled

Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled

Rule Id

Severity
low

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.1.4

Description

IMPORTANT - Please read the section overview

If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.Do not allow users to remember multi-factor authentication on devices.

Rationale

Remembering Multi-Factor Authentication (MFA) for devices and browsers allows users to have the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.

Impact

For every login attempt, the user will be required to perform multi-factor authentication.

Remediation

Remediate from Azure Portal

From Azure Home select the Portal Menu
Select Microsoft Entra ID blade
Under Manage, click Users
Click on the Per-User MFA button in the top row menu
Click on Service settings
Uncheck the box next to Allow users to remember multi-factor authentication on devices they trust
Click Save

References

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#remember-multi-factor-authentication-for-devices-that-users-trust
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-6-use-strong-authentication-controls

Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.3

Description

Require administrators or appropriately delegated users to create new tenants.

Rationale

It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that only authorized users are able to do so.

Impact

Enforcing this setting will ensure that only authorized users are able to create new tenants.

References

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator
https://blog.admindroid.com/disable-users-creating-new-azure-ad-tenants-in-microsoft-365/

Ensure 'User consent for applications' is set to 'Do not allow user consent'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.12

Description

Require administrators to provide consent for applications before use.

Rationale

If Microsoft Entra ID is running as an identity provider for third-party applications, permissions and consent should be limited to administrators or pre-approved. Malicious applications may attempt to exfiltrate data or abuse privileged user accounts.

Impact

Enforcing this setting may create additional requests that administrators need to review.

Remediation

From Azure Console

Go to Microsoft Entra ID
Go to Users
Go to User settings
Click on Manage how end users launch and view their applications
Set Users can consent to apps accessing company data on their behalf to No

References

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/
https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/
https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#configure-user-consent-to-applications
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy

Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.13

Description

Allow users to provide consent for selected permissions when a request is coming from a verified publisher.

Rationale

Impact

Enforcing this setting may create additional requests that administrators need to fulfill quite often.

Remediation

From Azure Console

Go to Microsoft Entra ID
Go to Users
Go to User settings
Click on Manage how end users launch and view their applications
Click on Consent and Permissions
Set Allow user consent for apps from verified publishers, for selected permissions
Click on Save

References

Ensure That 'Users Can Register Applications' Is Set to 'No'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.14

Description

Require administrators or appropriately delegated users to register third-party applications.

Rationale

It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Microsoft Entra ID data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.

Impact

Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator. If permissions are delegated, a user may approve a malevolent third party application, potentially giving it access to your data.

Remediation

From Azure Console

Go to Microsoft Entra ID
Go to Users
Go to User settings
Ensure that Users can register applications is set to No

References

https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/
https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx

Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.17

Description

Restrict access to the Microsoft Entra ID administration center to administrators only.NOTE: This only affects access to the Entra ID administrator's web portal. This setting does not prohibit privileged users from using other methods such as Rest API or Powershell to obtain sensitive information from Microsoft Entra ID.

Rationale

The Microsoft Entra ID administrative center has sensitive data and permission settings. All non-administrators should be prohibited from accessing any Microsoft Entra ID data in the administration center to avoid exposure.

Impact

All administrative tasks will need to be done by Administrators, causing additional overhead in management of users and resources.

Remediation

From Azure Console

From Azure Home select the Portal Menu
Select Microsoft Entra ID
Under Manage, select Users
Under Manage, select User settings
Under Administration centre, set Restrict access to Microsoft Entra admin center to Yes
Click Save

References

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems

Conditional Access

Ensure Trusted Locations Are Defined

Rule Id

Severity
low

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.2.1

Description

Microsoft Entra ID Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.

Rationale

Defining trusted source IP addresses or ranges helps organizations create and enforce Conditional Access policies around those trusted or untrusted IP addresses and ranges. Users authenticating from trusted IP addresses and/or ranges may have less access restrictions or access requirements when compared to users that try to authenticate to Microsoft Entra ID from untrusted locations or untrusted source IP addresses/ranges.

Impact

When configuring Named locations, the organization can create locations using geographical location data or by defining source IP addresses or ranges. Configuring Named locations using a Country location does not provide the organization the ability to mark those locations as trusted, and any Conditional Access policy relying on those Countries location setting will not be able to use the All trusted locations setting within the Conditional Access policy. They instead will have to rely on the Select locations setting. This may add additional resource requirements when configuring and will require thorough organizational testing.In general, Conditional Access policies may completely prevent users from authenticating to Microsoft Entra ID, and thorough testing is recommended. To avoid complete lockout, a 'Break Glass' account with full Global Administrator rights is recommended in the event all other administrators are locked out of authenticating to Microsoft Entra ID. This 'Break Glass' account should be excluded from Conditional Access Policies and should be configured with the longest pass phrase feasible in addition to a FIDO2 security key or certificate kept in a very secure physical location. This account should only be used in the event of an emergency and complete administrator lockout.NOTE: Starting July 2024, Microsoft will begin requiring MFA for All Users - including Break Glass Accounts. By the end of October 2024, this requirement will be enforced. Physical FIDO2 security keys, or a certificate kept on secure removable storage can fulfill this MFA requirement. If opting for a physical device, that device should be kept in a very secure, documented physical location.

Remediation

Remediate from Azure Portal

In the Azure Portal, navigate to Microsoft Entra ID
Under Manage, click Security
Under Protect, click Conditional Access
Under Manage, click Named locations
Within the Named locations blade, click on IP ranges location
Enter a name for this location setting in the Name text box
Click on the + sign
Add an IP Address Range in CIDR notation inside the text box that appears
Click on the Add button
Repeat steps 7 through 9 for each IP Range that needs to be added
If the information entered are trusted ranges, select the Mark as trusted location check box
Once finished, click on Create

References

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

Ensure that an exclusionary Geographic Access Policy is considered

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.2.2

Description

CAUTION: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues.Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.

Rationale

Conditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.

Impact

Microsoft Entra ID P1 or P2 is required. Limiting access geographically will deny access to users that are traveling or working remotely in a different part of the world. A point-to site or site to site tunnel such as a VPN is recommended to address exceptions to geographic access policies.

Remediation

First, set up the conditions objects values before updating an existing conditional access policy or before creating a new one. You may need to use additional PowerShell cmdlets to retrieve specific IDs such as the Get-MgIdentityConditionalAccessNamedLocation which outputs the Location IDs for use with conditional access policies.


$conditions = New-Object -TypeName 

Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet 



$conditions.Applications = New-Object -TypeName 

Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition 

$conditions.Applications.IncludeApplications = <"All" | "Office365" | "app 

ID" | @("app ID 1", "app ID 2", etc...> 

$conditions.Applications.ExcludeApplications = <"Office365" | "app ID" | 

@("app ID 1", "app ID 2", etc...)> 



$conditions.Users = New-Object -TypeName 

Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition 

$conditions.Users.IncludeUsers = <"All" | "None" | "GuestsOrExternalUsers" | 

"Specific User ID" | @("User ID 1", "User ID 2", etc.)> 

$conditions.Users.ExcludeUsers = <"GuestsOrExternalUsers" | "Specific User 

ID" | @("User ID 1", "User ID 2", etc.)> 

$conditions.Users.IncludeGroups = <"group ID" | "All" | @("Group ID 1", 

"Group ID 2", etc...)> 

$conditions.Users.ExcludeGroups = <"group ID" | @("Group ID 1", "Group ID 2", 

etc...)> 

$conditions.Users.IncludeRoles = <"Role ID" | "All" | @("Role ID 1", "Role ID 

2", etc...)> 

$conditions.Users.ExcludeRoles = <"Role ID" | @("Role ID 1", "Role ID 2", 

etc...)> 



$conditions.Locations = New-Object -TypeName 

Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition 

$conditions.Locations.IncludeLocations = <"Location ID" | @("Location ID 1", 

"Location ID 2", etc...) > 

$conditions.Locations.ExcludeLocations = <"AllTrusted" | "Location ID" | 

@("Location ID 1", "Location ID 2", etc...)> 





$controls = New-Object -TypeName 

Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls 

$controls._Operator = "OR" 

$controls.BuiltInControls = "block"

Next, update the existing conditional access policy with the condition set options configured with the previous commands.


Update-MgIdentityConditionalAccessPolicy -PolicyId <policy ID> -Conditions $conditions -GrantControls $controls

To create a new conditional access policy that complies with this best practice, run the following commands after creating the condition set above


New-MgIdentityConditionalAccessPolicy -Name "Policy Name" -State <enabled|disabled> -Conditions $conditions -GrantControls $controls

References

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-report-only
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions

Ensure that an exclusionary Device code flow policy is considered

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.2.3

Description

Conditional Access Policies can be used to prevent the Device code authentication flow. Device code flow should be permitted only for users that regularly perform duties that explicitly require the use of Device Code to authenticate, such as utilizing Azure with PowerShell.

Rationale

Attackers use Device code flow in phishing attacks and, if successful, results in the attacker gaining access tokens and refresh tokens which are scoped to user_impersonation, which can perform any action the user has permission to perform.

Impact

Microsoft Entra ID P1 or P2 is required.This policy should be tested using the Report-only mode before implementation. Without a full and careful understanding of the accounts and personnel who require Device code authentication flow, implementing this policy can block authentication for users and devices who rely on Device code flow. For users and devices that rely on device code flow authentication, more secure alternatives should be implemented wherever possible.

References

https://learn.microsoft.com/en-us/entra/identity/conditional-access/conceptauthentication-flows#device-code-flow
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identitymanagement#im-7-restrict-resource-access-based-on--conditions
https://docs.microsoft.com/en-us/azure/active-directory/conditionalaccess/concept-conditional-access-report-only
https://learn.microsoft.com/en-us/entra/identity/conditional-access/how-to-policyauthentication-flows

Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals

Rule Id

Severity
low

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.2.8

Description

This recommendation ensures that users accessing Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multi-factor authentication (MFA) credentials when logging into an Admin Portal.

Rationale

Administrative Portals for Microsoft Azure should be secured with a higher level of scrutiny to authenticating mechanisms. Enabling multi-factor authentication is recommended to reduce the potential for abuse of Administrative actions, and to prevent intruders or compromised admin credentials from changing administrative settings.IMPORTANT: While this recommendation allows exceptions to specific Users or Groups, they should be very carefully tracked and reviewed for necessity on a regular interval through an Access Review process. It is important that this rule be built to include "All Users" to ensure that all users not specifically excepted will be required to use MFA to access Admin Portals.

Impact

Conditional Access policies require Microsoft Entra ID P1 or P2 licenses. Similarly, they may require additional overhead to maintain if users lose access to their MFA. Any users or groups which are granted an exception to this policy should be carefully tracked, be granted only minimal necessary privileges, and conditional access exceptions should be reviewed or investigated.

References

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa
https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access-what-if
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions

Users

Ensure Guest Users are reviewed at least biweekly

Rule Id

Severity
low

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.4

Description

Guest users can be set up for those users not in the organization to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant.Ensure Guest Users are reviewed no less frequently than biweekly.Note : With the E5 license an access review can be configured to review guest accounts automatically on a reoccurring basis. This is the preferred method if the licensing is available.

Rationale

Periodic review of guest users ensures proper access to resources.

Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.15

Description

Limit guest user permissions.

Rationale

Limiting guest access ensures that guest accounts do not have permission for certain directory tasks, such as enumerating users, groups or other directory resources, and cannot be assigned to administrative roles in your directory. Guest access has three levels of restriction.

Guest users have the same access as members (most inclusive)
Guest users have limited access to properties and memberships of directory objects (default value)
Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

The recommended option is the 3rd, most restrictive: Guest user access is restricted to their own directory object.

Impact

This may create additional requests for permissions to access resources that administrators will need to approve.

Remediation

From Azure Console

Go to Microsoft Entra ID
Go to External Identities
Go to External collaboration settings
Under Guest user access, change Guest user access restrictions to be Guest user access is restricted to properties and memberships of their own directory objects

References

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy

Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.16

Description

Restrict invitations to users with specific administrative roles only.

Rationale

Restricting invitations to users with specific administrator roles ensures that only authorized accounts have access to cloud resources. This helps to maintain "Need to Know" permissions and prevents inadvertent access to data.By default the setting Guest invite restrictions is set to Anyone in the organization can invite guest users including guests and non-admins. This would allow anyone within the organization to invite guests and non-admins to the tenant, posing a security risk.

Impact

With the option of Only users assigned to specific admin roles can invite guest users selected, users with specific admin roles will be in charge of sending invitations to the Azure Workspace, requiring additional overhead by them to manage user accounts. This will mean coordinating with other departments as they are onboarding new users, and manually removing access from users who no longer need it.

Remediation

From Azure Console

Go to Microsoft Entra ID
Go to External Identities
Go to External collaboration settings
Under Guest invite settings, for Guest invite restrictions, ensure that that Only users assigned to specific admin roles can invite guest users is selected

References

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/external-collaboration-settings-configure
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management

Groups

Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.18

Description

Restrict access to group web interface in the Access Panel portal.

Rationale

Self-service group management enables users to create and manage security groups or Office 365 groups in Microsoft Entra ID. Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled. Any user can access the Access Panel, where they can reset their passwords, view their information, etc. By default, users are also allowed to access the Group feature, which shows groups, members, related resources (SharePoint URL, Group email address, Yammer URL, and Teams URL). By setting this feature to 'Yes', users will no longer have access to the web interface, but still have access to the data using the API. This is useful to prevent non-technical users from enumerating groups-related information, but technical users will still be able to access this information using APIs.

Impact

Setting to Yes could create administrative overhead by customers seeking certain group memberships that will have to be manually managed by administrators with appropriate permissions.

Remediation

From Azure Console

Go to Microsoft Entra ID
Go to Groups
Go to General
Ensure that Restrict user ability to access groups features in the Access Pane is set to Yes

References

https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems

Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.19

Description

Restrict security group creation to administrators only.

Rationale

When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.

Impact

Enabling this setting could create a number of request that would need to be managed by an administrator.

Remediation

From Azure Console

Go to Microsoft Entra ID
Go to Groups
Go to General
Ensure that Users can create security groups in Azure portals, API or PowerShell is set to No

References

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-self-service-management
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems

Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.20

Rule Violations
1

Description

Consider to prevent that regular users can manage security groups.

Rationale

Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.

Remediation

From Azure Console

Go to Microsoft Entra ID
Go to Groups
Go to General
Ensure that Owners can manage group membership requests in the Access Panel is set to No

References

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy

objectId	displayName	usersCanRegisterApps	isAnyAccessPanelPreviewFeaturesAvailable	showMyGroupsFeature	myGroupsFeatureValue	myGroupsGroupId	myGroupsGroupName	showMyAppsFeature	myAppsFeatureValue	myAppsGroupId	myAppsGroupName	showUserActivityReportsFeature	userActivityReportsFeatureValue	userActivityReportsGroupId	userActivityReportsGroupName	showRegisteredAuthMethodFeature	registeredAuthMethodFeatureValue	registeredAuthMethodGroupId	registeredAuthMethodGroupName	usersCanAddExternalUsers	limitedAccessCanAddExternalUsers	restrictDirectoryAccess	groupsInAccessPanelEnabled	selfServiceGroupManagementEnabled	securityGroupsEnabled	usersCanManageSecurityGroups	office365GroupsEnabled	usersCanManageOfficeGroups	allUsersGroupEnabled	scopingGroupIdForManagingSecurityGroups	scopingGroupIdForManagingOfficeGroups	scopingGroupNameForManagingSecurityGroups	scopingGroupNameForManagingOfficeGroups	objectIdForAllUserGroup	allowInvitations	isB2CTenant	restrictNonAdminUsers	enableLinkedInAppFamily	toEnableLinkedInUsers	toDisableLinkedInUsers	linkedInSelectedGroupObjectId	linkedInSelectedGroupDisplayName
00000000-0000-0000-0000-000000000000	NotSet	Disabled	Disabled	Disabled	NotSet	NotSet	NotSet	Disabled	NotSet	NotSet	NotSet	Disabled	NotSet	NotSet	NotSet	Disabled	NotSet	NotSet	NotSet	Disabled	Disabled	Disabled	Enabled	Enabled	Disabled	all	Disabled	all	Disabled	00000000-0000-0000-0000-000000000000	00000000-0000-0000-0000-000000000000	NotSet	NotSet	NotSet	Disabled	Disabled	Disabled	0	NotSet	NotSet	NotSet	NotSet

Subscription Security

Ensure That No Custom Subscription Administrator Roles Exist

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.23

Description

The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.

Rationale

Custom roles in Azure with administrative access can obfuscate the permissions granted and introduce complexity and blind spots to the management of privileged identities. For less mature security programs without regular identity audits, the creation of Custom roles should be avoided entirely. For more mature security programs with regular identity audits, Custom Roles should be audited for use and assignment, used minimally, and the principle of least privilege should be observed when granting permissions.

Impact

Subscriptions will need to be handled by Administrators with permissions.

Remediation

Using Azure Command Line Interface 2.0

az role definition listCheck for entries with assignableScope of / or a subscription, and an action of *.Verify the usage and impact of removing the role identified:az role definition delete --name 'rolename'

References

Ensure Custom Role is Assigned Permissions for Administering Resource Locks

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.24

Rule Violations
1

Description

Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.

Rationale

Given the resource lock functionality is outside of standard Role Based Access Control(RBAC), it would be prudent to create a resource lock administrator role to prevent inadvertent unlocking of resources.

Impact

By adding this role is you can have specific permissions granted for managing just resource locks rather than needing to provide the wide owner or contributor role reducing the risk of the user being able to do unintentional damage.

Remediation

From Azure Console

In the Azure portal, open a subscription or resource group where you want the custom role to be assignable.
Select Access control (IAM)
Click Add
Select Add custom role
In the Custom Role Name field enter Resource Lock Administrator
In the Description field enter appropiate description
For Baseline permissions select Start from scratch
Click next
In the Permissions tab select Add permissions
in the Search for a permission box, type in Microsoft.Authorization/locks to search for permissions.
Select the check box next to the permission called Microsoft.Authorization/locks
Click add
Click Review+create
Click Create

Assign the newly created role to the appropriate user.

Using PowerShell:

Below is a power shell definition for a resource lock administrator role created at an Azure Management group level:


Import-Module Az.Accounts

Connect-AzAccount

$role = Get-AzRoleDefinition "User Access Administrator"

$role.Id = $null

$role.Name = "Resource Lock Administrator"

$role.Description = "Can Administer Resource Locks"

$role.Actions.Clear()

$role.Actions.Add("Microsoft.Authorization/locks/*")

$role.AssignableScopes.Clear()

#Scope at the Management group level Management group

$role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/MG-Name")

New-AzRoleDefinition -Role $role

Get-AzureRmRoleDefinition "Resource Lock Administrator"

References

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/check-access
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy

Missing Role	Status
Custom Resource Lock Administrator	DoesNotExists

Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 2.25

Rule Violations
1

Description

Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories.

Rationale

Permissions to move subscriptions in and out of Microsoft Entra ID must only be given to appropriate administrative personnel. A subscription that is moved into an Microsoft Entra ID may be within a folder to which other users have elevated permissions. This prevents loss of data or unapproved changes of the objects within by potential bad actors.

Impact

Subscriptions will need to have these settings turned off to be moved.

Remediation

From Azure Console

From the Azure Portal Home select the portal menu in the top left.
In the column that opens up select General and then Subscriptions within the page that opens up.
Select Manage policies
In the screen that next to Subscription leaving AAD directory and Subscription entering AAD select Permit no-one

References

https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-2-protect-identity-and-authentication-systems

id	name	type	properties
providers/Microsoft.Subscription/policies/default	default	providers/Microsoft.Subscription/policies	@{policyId=00000000-0000-0000-0000-000000000000; blockSubscriptionsLeavingTenant=Disabled; blockSubscriptionsIntoTenant=Disabled; exemptedPrincipals=NotSet}

Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.15

Description

An organization's attack surface is the collection of assets with a public network identifier or URI that an external threat actor can see or access from outside your cloud. It is the set of points on the boundary of a system, a system element, system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, system component, or environment. The larger the attack surface, the harder it is to protect.This tool can be configured to scan your organization's online infrastructure such as specified domains, hosts, CIDR blocks, and SSL certificates, and store them in an Inventory. Inventory items can be added, reviewed, approved, and removed, and may contain enrichments (insights) and additional information collected from the tool's different scan engines and open-source intelligence sources.A Defender EASM workspace will generate an Inventory of publicly exposed assets by crawling and scanning the internet using Seeds you provide when setting up the tool. Seeds can be FQDNs, IP CIDR blocks, and WHOIS records.Defender EASM will generate Insights within 24-48 hours after Seeds are provided, and these insights include vulnerability data (CVEs), ports and protocols, and weak or expired SSL certificates that could be used by an attacker for reconnaissance or exploitation.Results are classified High/Medium/Low and some of them include proposed mitigations.

Rationale

This tool can monitor the externally exposed resources of an organization, provide valuable insights, and export these findings in a variety of formats (including CSV) for use in vulnerability management operations and red/purple team exercises.

Impact

Microsoft Defender EASM workspaces are currently available as Azure Resources with a 30-day free trial period but can quickly accrue significant charges. The costs are calculated daily as (Number of "billable" inventory items) x (item cost per day; approximately: $0.017).Estimated cost is not provided within the tool, and users are strongly advised to contact their Microsoft sales representative for pricing and set a calendar reminder for the end of the trial period.For an EASM workspace having an Inventory of 5k-10k billable items (IP addresses, hostnames, SSL certificates, etc) a typical cost might be approximately $85-170 per day or $2500-5000 USD/month at the time of publication. If the workspace is deleted by the last day of a free trial period, no charges are billed.

Remediation

To begin remediation, a Microsoft Defender EASM workspace must be created. The resources and inventory items added to this workspace will depend on your environment.

References

https://learn.microsoft.com/en-us/azure/external-attack-surface-management/
https://learn.microsoft.com/en-us/azure/external-attack-surface-management/deploying-the-defender-easm-azure-resource
https://www.microsoft.com/en-us/security/blog/2022/08/02/microsoft-announces-new-solutions-for-threat-intelligence-and-attack-surface-management/

Ensure that Resource Locks are set for Mission Critical Azure Resources

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 2.0.0 10.1

Description

Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.

Rationale

As an administrator, it may be necessary to lock a subscription, resource group, or resource to prevent other users in the organization from accidentally deleting or modifying critical resources. The lock level can be set to to CanNotDelete or ReadOnly to achieve this purpose.

CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Impact

There can be unintended outcomes of locking a resource. Applying a lock to a parent service will cause it to be inherited by all resources within. Conversely, applying a lock to a resource may not apply to connected storage, leaving it unlocked. Please see the documentation for further information.

Remediation

From Azure Console

Navigate to the specific Azure Resource or Resource Group
For each of the mission critical resource, click on Locks
Click Add
Give the lock a name and a description, then select the type, CanNotDelete or ReadOnly as appropriate

Assign the newly created role to the appropriate user.

References

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

Defender for Cloud

Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.1.1

Rule Violations
1

Description

Enable automatic provisioning of the monitoring agent to collect security data.DEPRECATION PLANNED: The Log Analytics Agent is slated for deprecation in August 2024. The Microsoft Defender for Endpoint agent, in tandem with new agentless capabilities will be providing replacement functionality. More detail is available here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoftdefender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341.

Rationale

When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Pricing & settings blade
Click on the subscription name
Click on Data Collection
Set Automatic provisioning to On
Select Save

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification

Name	autoprovision
default	Off

Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.1.2

Description

This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.

Rationale

Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license. Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.

Impact

Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource.

References

Ensure That Microsoft Defender for Servers Is Set to 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.3.1

Rule Violations
1

Description

Turning on Microsoft Defender for Cloud enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for Cloud for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impact

Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
On the line in the table for Servers Select On under Plan.
Select Save

References

https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview
https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update
https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr

Resource Name:	VirtualMachines
Pricing Tier:	Free

Ensure that 'Vulnerability assessment for machines' component status is set to 'On'

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.3.2

Description

Enable vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.

Rationale

Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.

Impact

Microsoft Defender for Servers plan 2 licensing is required, and configuration of Azure Arc introduces complexity beyond this recommendation.

Remediation

From Azure Portal

From Azure Home select the Portal Menu
Select Microsoft Defender for Cloud
Under Management, select Environment Settings
Select a subscription
Click on Settings & Monitoring
Set the Status of Vulnerability assessment for machines to On
Click Continue

References

Ensure that 'Endpoint protection' component status is set to 'On'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.3.3

Description

The Endpoint protection component enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.IMPORTANT: When enabling integration between DfE & DfC it needs to be taken into account that this will have some side effects that may be undesirable.

For server 2019 & above if defender is installed (default for these server SKUs) this will trigger a deployment of the new unified agent and link to any of the extended configuration in the Defender portal.
If the new unified agent is required for server SKUs of Win 2016 or Linux and lower there is additional integration that needs to be switched on and agents need to be aligned.

Rationale

Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.

Impact

Endpoint protection requires licensing and is included in these plans:

Defender for Servers plan 1
Defender for Servers plan 2

References

https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware

Ensure that 'Agentless scanning for machines' component status is set to 'On'

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.3.4

Description

Using disk snapshots, the agentless scanner scans for installed software, vulnerabilities, and plain text secrets.

Rationale

The Microsoft Defender for Cloud agentless machine scanner provides threat detection, vulnerability detection, and discovery of sensitive information.

Impact

Agentless scanning for machines requires licensing and is included in these plans:

Defender CSPM
Defender for Servers plan 2

References

https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware

Ensure that 'File Integrity Monitoring' component status is set to 'On'

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.3.5

Description

File Integrity Monitoring (FIM) is a feature that monitors critical system files in Windows or Linux for potential signs of attack or compromise.

Rationale

FIM provides a detection mechanism for compromised files. When FIM is enabled, critical system files are monitored for changes that might indicate a threat actor is attempting to modify system files for lateral compromise within a host operating system.

Impact

File Integrity Monitoring requires licensing and is included in these plans:

Defender for Servers plan 2

Remediation

Audit from Azure Portal

From the Azure Portal Home page, select Microsoft Defender for Cloud
Under Management select Environment Settings
Select a subscription
Under Settings > Defender Plans, click Settings & monitoring
Under the Component column, locate the row for File Integrity Monitoring
Select On
Click Continue in the top left

Repeat the above for any additional subscriptions.

References

https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification
https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-enable-defender-endpoint

Ensure That Microsoft Defender for Containers Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.4.1

Rule Violations
1

Description

Turning on Microsoft Defender for Cloud enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.The following services will be enabled for container instances:

Defender agent in Azure
Azure Policy for Kubernetes
Agentless discovery for Kubernetes
Agentless container vulnerability assessment

Rationale

Enabling Microsoft Defender for Cloud for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impact

Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
On the line in the table for Container Registries Select On under Plan.
Select Save

References

Resource Name:	ContainerRegistry
Pricing Tier:	Free

Ensure that 'Agentless discovery for Kubernetes' component status 'On'

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.4.2

Description

Enable automatic discovery and configuration scanning of the Microsoft Kubernetes clusters.

Rationale

As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.

Impact

Agentless discovery for Kubernetes requires licensing and is included in:

Defender CSPM
Defender for Containers plans.

Remediation

Audit from Azure Portal

From the Azure Portal Home page, select Microsoft Defender for Cloud
Under Management select Environment Settings
Select a subscription
Under Settings > Defender Plans, click Settings & monitoring
Locate the row for Agentless discovery for Kubernetes
Select On
Click Continue in the top left

Repeat the above for any additional subscriptions.

References

https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction
https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-containers
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification

Ensure that 'Agentless container vulnerability assessment' component status is 'On'

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.4.3

Description

Enable automatic vulnerability management for images stored in ACR or running in AKS clusters.

Rationale

Agentless vulnerability scanning will examine container images - whether running or in storage - for vulnerable configurations.

Impact

Agentless container vulnerability assessment requires licensing and is included in:

Defender CSPM
Defender for Containers plans.

Remediation

Audit from Azure Portal

From the Azure Portal Home page, select Microsoft Defender for Cloud
Under Management select Environment Settings
Select a subscription
Under Settings > Defender Plans, click Settings & monitoring
Locate the row for Agentless container vulnerability assessment
Select On
Click Continue in the top left

Repeat the above for any additional subscriptions.

References

Ensure That Microsoft Defender for Storage Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.5.1

Rule Violations
1

Description

Turning on Microsoft Defender for Cloud enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for Cloud for Storage allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impact

Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
On the line in the table for Storage Select On under Plan.
Select Save

References

Resource Name:	StorageAccounts
Pricing Tier:	Free

Ensure That Microsoft Defender for App Services Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.6.1

Rule Violations
1

Description

Turning on Microsoft Defender for Cloud enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for Cloud for App Service allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impact

Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
On the line in the table for App Service Select On under Plan.
Select Save

References

Resource Name:	AppServices
Pricing Tier:	Free

Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.7.1

Rule Violations
1

Description

Microsoft Defender for Cosmos DB scans all incoming network requests for changes to your virtual machine.

Rationale

In scanning Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.

Impact

Enabling Microsoft Defender for Cosmos requires enabling Microsoft Defender for your subscription. Both will incur additional charges.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
Review the chosen pricing tier. For the Cosmos DB resource type the radial button should be set to On
Select Save

References

https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview

Resource Name:	CosmosDbs
Pricing Tier:	Free

Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.7.2

Rule Violations
1

Description

Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impact

Turning on Microsoft Defender for Open-source relational databases incurs an additional cost per resource.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
Review the chosen pricing tier. For the Open-source relational databases resource type the radial button should be set to On
Select Save

References

Resource Name:	OpenSourceRelationalDatabases
Pricing Tier:	Free

Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.7.3

Rule Violations
1

Description

Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Managed Instance Azure SQL databases, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for Azure SQL Databases allows for greater defense-in-depth, includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.

Impact

Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
Click Select types > in the row for Databases.
Set the toggle switch next to Azure SQL Databases to On.

7 Select Continue.7 Select Save.

References

Resource Name:	SqlServers
Pricing Tier:	Free

Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.7.4

Rule Violations
1

Description

Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for SQL servers on machines allows for greater defense in-depth, functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.

Impact

Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
On the line in the table for SQL Servers on machines Select On under Plan.
Select Save

References

Resource Name:	SqlServerVirtualMachines
Pricing Tier:	Free

Ensure That Microsoft Defender for Key Vault Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.8.1

Rule Violations
1

Description

Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for Cloud for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impact

Turning on Microsoft Defender for Cloud in Microsoft Defender for Cloud incurs an additional cost per resource.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
On the line in the table for Key Vault Select On under Plan.
Select Save

References

Resource Name:	KeyVaults
Pricing Tier:	Free

Ensure That Microsoft Defender for Resource Manager Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.9.1

Rule Violations
1

Description

Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.

Rationale

Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.

Impact

Enabling Microsoft Defender for Resource Manager requires enabling Microsoft Defender for your subscription. Both will incur additional charges.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
Review the chosen pricing tier. For the Resource Manager resource type the radial button should be set to On
Select Save

References

Resource Name:	Arm
Pricing Tier:	Free

Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.10

Description

Ensure that the latest OS patches for all virtual machines are applied.

Rationale

Windows and Linux virtual machines should be kept updated to:

Address a specific bug or flaw
Improve an OS or applicationÃ¢â‚¬â„¢s general stability
Fix a security vulnerability

Microsoft Defender for Cloud retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.

Impact

Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour.

Remediation

Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.

References

https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities
https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/
https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm

Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.11

Description

The Microsoft Cloud Security Benchmark (or MCSB) is an Azure Policy Initiative containing many security policies to evaluate resource configuration against best practice recommendations. If a policy in the MCSB is set with effect type Disabled, it is not evaluated and may prevent administrators from being informed of valuable security recommendations.

Rationale

A security policy defines the desired configuration of resources in your environment and helps ensure compliance with company or regulatory security requirements. The MCSB Policy Initiative a set of security recommendations based on best practices and is associated with every subscription by default. When a policy Effect is set to Audit, policies in the MCSB ensure that Defender for Cloud evaluates relevant resources for supported recommendations. To ensure that policies within the MCSB are not being missed when the Policy Initiative is evaluated, none of the policies should have an Effect of Disabled.

Impact

Policies within the MCSB default to an effect of Audit and will evaluate - but not enforce - policy recommendations. Ensuring these policies are set to Audit simply ensures that the evaluation occurs to allow administrators to understand where an improvement may be possible. Administrators will need to determine if the recommendations are relevant and desirable for their environment, then manually take action to resolve the status if desired.

Remediation

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-policies
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/get
https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/create
https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy

Ensure That Microsoft Defender for DNS Is Set To 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.1.16

Rule Violations
1

Description

NOTE: As of August 1, 2023 customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.Microsoft Defender for DNS scans all network traffic exiting from within a subscription.

Rationale

DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.

Impact

Enabling Microsoft Defender for DNS requires enabling Microsoft Defender for your subscription. Both will incur additional charges, with Defender for DNS being a small amount per million queries.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
Review the chosen pricing tier. For the DNS resource type the radial button should be set to On
Select Save

References

https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql
https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/
https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-dns-alerts

Resource Name:	Dns
Pricing Tier:	Free

Ensure That Microsoft Defender for IoT Hub Is Set To 'On'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.2.1

Description

Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.

Rationale

IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.

Impact

Enabling Microsoft Defender for IoT will incur additional charges dependent on the level of usage.

Remediation

From Azure Console

Go to Microsoft Defender for Cloud
Select Environment settings
Click on the subscription name
Select the Defender plans blade
Review the chosen pricing tier. For the IoT resource type the radial button should be set to On
Select Save

References

Azure KeyVault

Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.3.1

Description

Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Rationale

Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.

Impact

Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.

Remediation

From Azure Portal

Go to Key vaults
For each Key vault, click on Keys.
Under the Settings section, Make sure Enabled? is set to Yes
Set an appropriate expiration date on all keys.

References

https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates

Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.3.2

Description

Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Rationale

Impact

Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.

Remediation

From Azure Portal

Go to Key vaults
For each Key vault, click on Keys.
Under the Settings section, Make sure Enabled? is set to Yes
Set an appropriate expiration date on all keys.

References

https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates

Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.3.3

Description

Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Rationale

The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.

Impact

Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.

Remediation

From Azure Portal

Go to Key vaults
For each Key vault, click on Secrets.
Under the Settings section, Make sure Enabled? is set to Yes
Set an appropriate expiration date on all keys.

References

https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates

Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.3.4

Description

Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Rationale

Impact

Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.

Remediation

From Azure Portal

Go to Key vaults
For each Key vault, click on Secrets.
Under the Settings section, Make sure Enabled? is set to Yes
Set an appropriate expiration date on all keys.

References

https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates

Ensure the key vault is recoverable

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.3.5

Description

The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.NOTE: In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users will no longer be able to opt out of or turn off soft-delete.WARNING: A current limitation is that role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.

Rationale

There could be scenarios where users accidently run delete/purge commands on key vault or attacker/malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 key vault properties that plays role in permanent unavailability of a key vault.

enableSoftDelete:

Setting this parameter to true for a key vault ensures that even if key vault is deleted, Key vault itself or its objects remain recoverable for next 90days. In this span of 90 days either key vault/objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days key vault and its objects will be purged.

enablePurgeProtection:

enableSoftDelete only ensures that key vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are chances that the key vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to "true" ensures that the key vault and its objects cannot be purged.Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted/purged permanently.

Impact

Once purge-protection and soft-delete is enabled for a key vault, the action is irreversible.

Remediation

To enable "Do Not Purge" and "Soft Delete" for a Key Vault:

From Azure Portal

Azure Portal does not have provision to update the respective configurations

Using Azure CLI 2.0


az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true

References

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete

Enable Role Based Access Control for Azure Key Vault

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.3.6

Rule Violations
1

Description

The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model.Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It allows users to manage Key, Secret, and Certificate permissions. It provides one place to manage all permissions across all key vaults.

Rationale

The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.

Impact

Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. For the least amount of downtime, map your current groups and users to their corresponding permission needs.

Remediation

Remediate from Azure Portal

Key Vaults can be configured to use Azure role-based access control on creation.For existing Key Vaults:

From Azure Home open the Portal Menu in the top left corner
Select Key Vaults
Select a Key Vault to audit
Select Access configuration
Set the Permission model radio button to Azure role-based access control,

taking note of the warning message

Click Save
Select Access Control (IAM)
Select the Role Assignments tab
Reapply permissions as needed to groups or users

References

https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps
https://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current
https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository

Key Vault Name	Location	RBAC Enabled	Actions
monley365-key-dev4560	eastus	NotSet

Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.3.7

Rule Violations
1

Description

Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.

Rationale

Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.

Impact

Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint per petabyte or more of networking traffic.

References

https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://azure.microsoft.com/en-us/pricing/details/private-link/
https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal
https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal
https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
https://docs.microsoft.com/azure/dns/private-dns-getstarted-cli#create-an-additional-dns-record
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository

Key Vault Name	Location	Private Endpoints	Actions
monley365-key-dev4560	eastus	NotSet

Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 3.3.8

Rule Violations
1

Description

Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.

Rationale

Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.

Impact

There are an additional costs per operation in running the needed applications.

Remediation

Remediate from Azure Portal

From Azure Portal select the Portal Menu in the top left.
Select Key Vaults.
Select a Key Vault to audit.
Under Objects select Keys.
Select a key to audit.
In the top row select Rotation policy.
Select an Expiry time.
Set Enable auto rotation to Enabled.
Set an appropriate Rotation option and Rotation time.
Optionally set the Notification time.
Select Save.
Repeat steps 3-11 for each Key Vault and Key.

References

https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#update-the-key-version
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell#set-up-an-azure-key-vault-and-diskencryptionset-optionally-with-automatic-key-rotation
https://azure.microsoft.com/en-us/updates/public-preview-automatic-key-rotation-of-customermanaged-keys-for-encrypting-azure-managed-disks/
https://docs.microsoft.com/en-us/cli/azure/keyvault/key/rotation-policy?view=azure-cli-latest#az-keyvault-key-rotation-policy-update

Key Vault Name	Location	Allow Access From All Networks	Actions
monley365-key-dev4560	eastus	NotSet

Storage Accounts

Ensure that 'Secure transfer required' is set to 'Enabled'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.1

Rule Violations
1

Description

Enable data encryption in transit.

Rationale

The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage does not support HTTPS for custom domain names, this option is not applied when using a custom domain name.

Remediation

From Azure Console

Go to Storage Accounts
For each storage account, go to Configuration
Set Secure transfer required to Enabled

References

https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit
https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list
https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit

Name	Creation Time	Location	Https Only	Actions
str001account	2023-03-16T13:50:53.0049303Z	eastus	Disabled

Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.2

Rule Violations
4

Description

Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.

Rationale

Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. Similarly, data is encrypted even before network transmission and in all backups. In this scenario, the additional layer of encryption continues to protect your data. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.

Impact

The read and write speeds to the storage will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This performance impact should be considered in an analysis for justifying use of the feature in your environment. Customer-managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the storage.

Remediation

From Azure Console

When creating a storage account, proceed as normal, but stop on the Advanced
Select Enabled next to Infrastructure Encryption

Enabling Infrastructure Encryption after Storage Account CreationIf a infrastructure encryption was not enabled on blob storage creation, there is no official way to enable it

References

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-encryption-status?tabs=portal
https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption
https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=portal

Name	Location	ResourceGroupName	Infrastructure Encryption
Monkey365test	eastus	Monkey365-rg	Disabled
straccdev4560	eastus	monkey365rg-dev	Disabled
straccountdev4560	eastus	monkey365rg-dev	Disabled
monkeylabstrp5vixd	westus	MonkeyLabRG	Disabled

Ensure that 'Enable key rotation reminders' is enabled for each Storage Account

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.3

Rule Violations
4

Description

Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The "Rotation Reminder" is an automatic reminder feature for a manual procedure.

Rationale

Reminders such as those generated by this recommendation will help maintain a regular and healthy cadence for activities which improve the overall efficacy of a security program.Cryptographic key rotation periods will vary depending on your organization's security requirements and the type of data which is being stored in the Storage Account. For example, PCI DSS mandates that cryptographic keys be replaced or rotated regularly, and advises that keys for static data stores be rotated every few months. For the purposes of this recommendation, 90 days will prescribed for the reminder. Review and adjustment of the 90 day period is recommended, and may even be necessary. Your organization's security requirements should dictate the appropriate setting.

Impact

This recommendation only creates a periodic reminder to regenerate access keys. Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients that use the access key to access the storage account must be updated to use the new key.

Remediation

From Azure Console

Go to Storage Accounts
For each Storage Account that is not compliant, go to Access keys
Click Set rotation reminder
Check the Enable key rotation reminders

In the Send reminders field select Custom, then set the Remind me every: field to 90 and the period drop down menu to Days.

References

https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal#regenerate-storage-access-keys
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems

Name	Location	ResourceGroupName	Reminder in Days
str001account	eastus	Monkey365-rg	NotSet
straccdev4560	eastus	monkey365rg-dev	NotSet
straccountdev4560	eastus	monkey365rg-dev	NotSet
monkeylabstrp5vixd	westus	MonkeyLabRG	NotSet

Ensure that storage account access keys are periodically regenerated

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.4

Rule Violations
4

Description

Regenerate storage account access keys periodically.

Rationale

When a storage account is created, Azure generates two 512-bit storage access keys, which are used for authentication when the storage account is accessed. Rotating these keys periodically ensures that any inadvertent access or exposure does not result in these keys being compromised.

Impact

Regenerating access keys can affect services in Azure as well as the organization's applications that are dependent on the storage account. All clients that use the access key to access the storage account must be updated to use the new key.

Remediation

Follow Microsoft Azure documentation for regenerating storage account access keys.

References

https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#regenerate-storage-access-keys
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-2-manage-application-identities-securely-and-automatically
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy

Name	Location	ResourceGroupName	Key1 Rotated	Key2 Rotated
Monkey365test	eastus	Monkey365-rg	Enabled	Disabled
straccdev4560	eastus	monkey365rg-dev	Disabled	Disabled
straccountdev4560	eastus	monkey365rg-dev	Disabled	Disabled
monkeylabstrp5vixd	westus	MonkeyLabRG	Disabled	Disabled

Ensure that Shared Access Signature Tokens Expire Within an Hour

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.5

Description

Expire shared access signature tokens within an hour.

Rationale

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour.

Remediation

When generating shared access signature tokens, use start and end time such that it falls within an hour.

Remediate from Azure Portal

Go to Storage Accounts
For each storage account where a shared access signature is required, under Security + networking, go to Shared access signature
Select the appropriate Allowed resource types
Set the Start and expiry date/time to be within one hour
Click Generate SAS and connection string

References

https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

Ensure that 'Public Network Access' is 'Disabled' for storage accounts

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.6

Rule Violations
4

Description

Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.

Rationale

The default network configuration for a storage account permits a user with appropriate permissions to configure public network access to containers and blobs in a storage account. Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide public network access to storage accounts until, and unless, it is strongly desired. A shared access signature token or Azure AD RBAC should be used for providing controlled and timed access to blob containers.

Impact

Access will have to be managed using shared access signatures or via Azure AD RBAC.

Remediation

Remediate from Azure Portal

First, follow Microsoft documentation and create shared access signature tokens for your blob containers. Then,

Go to Storage Accounts.
For each storage account, under the Security + networking section, click Networking.
Set Public network access to Disabled.
Click Save.

References

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls
https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

Name	Location	ResourceGroupName	Access From All Networks
Monkey365test	eastus	Monkey365-rg	Enabled
str001account	eastus	Monkey365-rg	Enabled
straccdev4560	eastus	monkey365rg-dev	Enabled
monkeylabstrp5vixd	westus	MonkeyLabRG	Enabled

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.7

Rule Violations
4

Description

Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.

Rationale

Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.

Impact

All allowed networks will need to be whitelisted on each specific network, creating administrative overhead. This may result in loss of network connectivity, so do not turn on for critical resources during business hours.

Remediation

Remediate from Azure Portal

Go to Storage Accounts.
For each storage account, under Security + networking, click Networking.
Click the Firewalls and virtual networks heading.
Set Public network access to Enabled from selected virtual networks and IP addresses.
Add rules to allow traffic from specific networks and IP addresses.
Click Save.

References

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls

Name	Location	ResourceGroupName	Default ACL Action
Monkey365test	eastus	Monkey365-rg	Allow
str001account	eastus	Monkey365-rg	Allow
straccdev4560	eastus	monkey365rg-dev	Allow
monkeylabstrp5vixd	westus	MonkeyLabRG	Allow

Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.8

Rule Violations
1

Description

NOTE: This recommendation assumes that the Public network access parameter is set to Enabled from selected virtual networks and IP addresses. Please ensure the prerequisite recommendation has been implemented before proceeding:

Ensure Default Network Access Rule for Storage Accounts is Set to Deny

Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. This includes using the Portal, writing logs, etc. We can re-enable functionality. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling "Trusted Microsoft Services" through exceptions. Also, Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported via creating an exception.

Rationale

Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. This includes using the Portal, writing logs, etc. We can re-enable functionality. The customer can get access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. Also, Backup and Restore of Virtual Machines using unmanaged disks in storage accounts with network rules applied is supported via creating an exception.

Impact

This creates authentication credentials for services that need access to storage resources so that services will no longer need to communicate via network request. There may be a temporary loss of communication as you set each Storage Account. It is recommended to not do this on mission-critical resources during business hours.

Remediation

From Azure Console

Go to Storage Accounts.
For each storage account, Click on the settings menu called Firewalls and virtual networks.
Ensure that you have elected to allow access from Selected networks.
Enable check box for Allow trusted Microsoft services to access this storage account.
Click Save to apply your changes

References

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy

Name	Creation Time	Location	Allow Azure services	Actions
straccountdev4560	2022-12-23T15:58:20.2650362Z	eastus	Disabled

Ensure Private Endpoints are used to access Storage Accounts

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.9

Rule Violations
4

Description

Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.

Rationale

Securing traffic between services through encryption protects the data from easy interception and reading.

Impact

A Private Endpoint costs approximately US$7.30 per month. If an Azure Virtual Network is not implemented correctly, this may result in the loss of critical network traffic.

References

https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-cli?tabs=dynamic-ip
https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell?tabs=dynamic-ip
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls

Name	Creation Time	Location	Private Endpoints
str001account	2023-03-16T13:50:53.0049303Z	eastus	NotSet
straccdev4560	2022-12-23T15:58:16.0931871Z	eastus	NotSet
straccountdev4560	2022-12-23T15:58:20.2650362Z	eastus	NotSet
monkeylabstrp5vixd	2022-12-23T15:55:34.8262537Z	westus	NotSet

Ensure Soft Delete is Enabled for Azure Containers and Blob Storage

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.10

Rule Violations
4

Description

The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.

Rationale

Containers and Blob Storage data can be incorrectly deleted. An attacker/malicious user may do this deliberately in order to cause disruption. Deleting an Azure Storage blob causes immediate data loss. Enabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the "Retention policies", ranging from 7 days to 365 days.

Impact

Additional storage costs may be incurred as snapshots are retained.

Remediation

Remediate from Azure Portal

Go to Storage Accounts.
For each Storage Account, under Data management, go to Data protection.
Check the box next to Enable soft delete for blobs.
Check the box next to Enable soft delete for containers.
Set the retention period for both to a sufficient length for your organization.
Click Save.

References

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete
https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-overview
https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-enable?tabs=azure-portal

Name	Creation Time	Location	SoftDelete
str001account	2023-03-16T13:50:53.0049303Z	eastus	Disabled
straccdev4560	2022-12-23T15:58:16.0931871Z	eastus	Disabled
straccountdev4560	2022-12-23T15:58:20.2650362Z	eastus	Disabled
monkeylabstrp5vixd	2022-12-23T15:55:34.8262537Z	westus	Disabled

Ensure storage for critical data are encrypted with Customer Managed Key

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.11

Rule Violations
4

Description

Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.

Rationale

By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage this encryption key yourself, you can specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.

Impact

If the key expires by setting the 'activation date' and 'expiration date' of the key, the user must rotate the key manually.Using Customer Managed Keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed.

Remediation

From Azure Console

Go to Storage Accounts.
For each storage account, go to Encryption
Set Customer Managed Keys
Select the Encryption key and enter the appropriate setting value
Click Save

References

https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data

Name	Location	ResourceGroupName	Customer Managed Key
str001account	eastus	Monkey365-rg	Disabled
straccdev4560	eastus	monkey365rg-dev	Disabled
straccountdev4560	eastus	monkey365rg-dev	Disabled
monkeylabstrp5vixd	westus	MonkeyLabRG	Disabled

Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.12

Rule Violations
5

Description

The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.

Rationale

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. Storage Analytics logging is not enabled by default for your storage account.

Impact

Enabling this setting can have a high impact on the cost of the log analytics service and data storage used by logging more data per each request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.

Remediation

Remediate from Azure Portal

Go to Storage Accounts.
For each storage account, under Monitoring, click Diagnostics settings.
Select the queue tab indented below the storage account.
To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
Select an appropriate destination.
Click Save.

References

https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging
https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation
https://docs.microsoft.com/en-us/azure/storage/queues/monitor-queue-storage?tabs=azure-portal

Name	Location	ResourceGroupName
Monkey365test	eastus	Monkey365-rg
str001account	eastus	Monkey365-rg
straccdev4560	eastus	monkey365rg-dev
straccountdev4560	eastus	monkey365rg-dev
monkeylabstrp5vixd	westus	MonkeyLabRG

Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.13

Rule Violations
4

Description

The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Rationale

Storage Analytics logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor each individual request to a storage service for increased security or diagnostics. Requests are logged on a besteffort basis. Storage Analytics logging is not enabled by default for your storage account.

Impact

Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.

Remediation

Remediate from Azure Portal

Go to Storage Accounts.
For each storage account, under Monitoring, click Diagnostics settings.
Select the blob tab indented below the storage account.
To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
Select an appropriate destination.
Click Save.

References

Name	Location	ResourceGroupName
str001account	eastus	Monkey365-rg
straccdev4560	eastus	monkey365rg-dev
straccountdev4560	eastus	monkey365rg-dev
monkeylabstrp5vixd	westus	MonkeyLabRG

Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.14

Rule Violations
5

Description

Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.

Rationale

Impact

Remediation

Remediate from Azure Portal

Go to Storage Accounts.
For each storage account, under Monitoring, click Diagnostics settings.
Select the table tab indented below the storage account.
To create a new diagnostic setting, click + Add diagnostic setting. To update an existing diagnostic setting, click Edit setting on the diagnostic setting.
Check the boxes next to StorageRead, StorageWrite, and StorageDelete.
Select an appropriate destination.
Click Save.

References

Name	Location	ResourceGroupName
Monkey365test	eastus	Monkey365-rg
str001account	eastus	Monkey365-rg
straccdev4560	eastus	monkey365rg-dev
straccountdev4560	eastus	monkey365rg-dev
monkeylabstrp5vixd	westus	MonkeyLabRG

Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.15

Rule Violations
5

Description

In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.

Rationale

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.

Impact

When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail.

Remediation

From Azure Console

Go to Storage Accounts
For each storage account, go to Configuration
Under Setting section, Click on Configuration
Ensure that the minimum TLS version to 1.2

References

Name	Location	ResourceGroupName	TLS version
Monkey365test	eastus	Monkey365-rg	TLS1_0
str001account	eastus	Monkey365-rg	TLS1_0
straccdev4560	eastus	monkey365rg-dev	TLS1_2
straccountdev4560	eastus	monkey365rg-dev	TLS1_2
monkeylabstrp5vixd	westus	MonkeyLabRG	TLS1_0

Ensure 'Cross Tenant Replication' is not enabled

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.16

Rule Violations
5

Description

Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks. Disabling Cross Tenant Replication ensures that data is not inadvertently replicated across different tenant boundaries without explicit authorization.

Rationale

Disabling Cross Tenant Replication minimizes the risk of unauthorized data access and ensures that data governance policies are strictly adhered to. This control is especially critical for organizations with stringent data security and privacy requirements, as it prevents the accidental sharing of sensitive information.

Impact

Disabling Cross Tenant Replication may affect data availability and sharing across different Azure tenants. Ensure that this change aligns with your organizational data sharing and availability requirements.

Remediation

Remediate from Azure Portal

Go to Storage Accounts.
For each storage account, under Data management, click Object replication.
Click Advanced settings.
Uncheck Allow cross-tenant replication.
Click OK.

References

https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal

Name	Location	ResourceGroupName	Cross Tenant Replication
Monkey365test	eastus	Monkey365-rg	NotSet
str001account	eastus	Monkey365-rg	NotSet
straccdev4560	eastus	monkey365rg-dev	NotSet
straccountdev4560	eastus	monkey365rg-dev	NotSet
monkeylabstrp5vixd	westus	MonkeyLabRG	NotSet

Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 4.17

Rule Violations
5

Description

The Azure Storage setting Ã¢â‚¬ËœAllow Blob Anonymous AccessÃ¢â‚¬â„¢ (aka "allowBlobPublicAccess") controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.

Rationale

If "Allow Blob Anonymous Access" is enabled, blobs can be accessed by adding the blob name to the URL to see the contents. An attacker can enumerate a blob using methods, such as brute force, and access them. Exfiltration of data by brute force enumeration of items from a storage account may occur if this setting is set to Enabled.

Impact

Additional consideration may be required for exceptional circumstances where elements of a storage account require public accessibility. In these circumstances, it is highly recommended that all data stored in the public facing storage account be reviewed for sensitive or potentially compromising data, and that sensitive or compromising data is never stored in these storage accounts.

Remediation

Remediate from Azure Portal

Go to Storage Accounts.
For each storage account, under Settings, click Configuration.
Set Allow Blob Anonymous Access to Disabled.
Click Save.

References

https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?tabs=portal
https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent?source=recommendations&tabs=portal
https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent-classic?tabs=portal

Name	Location	ResourceGroupName	Allow blob Public Access
Monkey365test	eastus	Monkey365-rg	Enabled
str001account	eastus	Monkey365-rg	Enabled
straccdev4560	eastus	monkey365rg-dev	Enabled
straccountdev4560	eastus	monkey365rg-dev	Enabled
monkeylabstrp5vixd	westus	MonkeyLabRG	Enabled

SQL Server

Ensure that 'Auditing' is set to 'On'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.1.1

Rule Violations
1

Description

Enable auditing on SQL Servers.

Rationale

The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

Remediation

From Azure Console

Go to SQL servers.
For each server instance
Click on Auditing
Set Auditing to On

References

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources

Server Name:	mssql2-dev4560
Location:	eastus
Resource group name:	monkey365rg-dev
FQDN:	mssql2-dev4560.database.windows.net
Auditing policy state:	Disabled

Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.1.3

Rule Violations
2

Description

Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).

Rationale

Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azureâ€™s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.

Impact

Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible.When deploying Customer Managed Keys it is also prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore E.G. Azure Keyvault).As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add on to their service.

References

https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql

Server Name:	mssql2-dev4560
Location:	eastus
Resource group name:	monkey365rg-dev
FQDN:	mssql2-dev4560.database.windows.net
TDE Protector mode:	servicemanaged
TDE Key Name:	ServiceManaged
TDE Key Type:	ServiceManaged

Server Name:	monkeylab-mssql1-dev4560
Location:	eastus
Resource group name:	monkey365rg-dev
FQDN:	monkeylab-mssql1-dev4560.database.windows.net
TDE Protector mode:	servicemanaged
TDE Key Name:	ServiceManaged
TDE Key Type:	ServiceManaged

Ensure that Microsoft Entra authentication is Configured for SQL Servers

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.1.4

Rule Violations
1

Description

Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.

Rationale

Microsoft Entra authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in the Microsoft Entra ID directory. With Entra ID authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management.

It provides an alternative to SQL Server authentication.
Helps stop the proliferation of user identities across database servers.
Allows password rotation in a single place.
Customers can manage database permissions using external (Entra ID) groups.
It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra.
Entra ID authentication uses contained database users to authenticate identities at the database level.
Entra ID supports token-based authentication for applications connecting to SQL Database.
Entra ID authentication supports ADFS (domain federation) or native user/password authentication for a local Active Directory without domain synchronization.
Entra ID supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options â€” phone call, text message, smart cards with pin, or mobile app notification.

Impact

This will create administrative overhead with user account and permission management. For further security on these administrative accounts, you may want to consider licensing which supports features like Multi Factor Authentication.

Remediation

Remediate from Azure Portal

Go to SQL servers
For each SQL server, under Settings, click Microsoft Entra ID
Click Set admin
Select an admin
Click Select
Click Save

References

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure

Server Name:	monkeylab-mssql1-dev4560
Location:	eastus
Resource group name:	monkey365rg-dev
FQDN:	monkeylab-mssql1-dev4560.database.windows.net
Active Directory Admin enabled:	Disabled

Ensure that 'Data encryption' is set to 'On' on a SQL Database

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.1.5

Rule Violations
1

Description

Enable Transparent Data Encryption on every SQL server.

Rationale

Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

References

https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview

id	name	location	identity	tags	properties	resourceGroupName	kind	fqdn	administratorLogin	minimalTlsVersion	sqlAd	tdeSettings	tdpSettings	auditing	vaConfig	fwRules	configuration	databases
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/monkey365rg-dev/providers/Microsoft.Sql/servers/mssql2-dev4560	mssql2-dev4560	eastus	@{principalId=d1038527-90ca-400d-b8db-b4861b5af57c; type=SystemAssigned; tenantId=00000000-0000-0000-0000-000000000000}	@{version=1.0}	@{administratorLogin=superadmin; version=12.0; state=Ready; fullyQualifiedDomainName=mssql2-dev4560.database.windows.net; privateEndpointConnections=NotSet; minimalTlsVersion=1.2; publicNetworkAccess=Enabled; administrators=; restrictOutboundNetworkAccess=Disabled}	monkey365rg-dev	v12.0	mssql2-dev4560.database.windows.net	superadmin	1.2	@{enabled=Enabled; type=ActiveDirectory; login=; rawData=}	@{protectorUri=NotSet; protectorMode=servicemanaged; properties=; rawData=}	@{enabled=Enabled; disabledAlerts=System.Object[]; emailAddresses=System.Object[]; sentToAdmins=Disabled; retentionDays=20; rawData=}	@{enabled=Disabled; auditActionsAndGroups=NotSet; retentionDays=-1; isAzureMonitorTargetEnabled=Disabled; storageAccountAccessKey=NotSet; isStorageSecondaryKeyInUse=Disabled; rawData=}	@{properties=; id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/monkey365rg-dev/providers/Microsoft.Sql/servers/mssql2-dev4560/vulnerabilityAssessments/Default; name=Default; type=Microsoft.Sql/servers/vulnerabilityAssessments}		NotSet

Ensure that 'Auditing' Retention is 'greater than 90 days'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.1.6

Rule Violations
2

Description

SQL Server Audit Retention should be configured to be greater than 90 days.

Rationale

Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.

Remediation

From Azure Console

Go to SQL servers.
For each server instance
Click on Auditing
Select Storage Details
Set Retention (days) setting greater than 90 days
Select OK
Select Save

References

https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-2017

Server Name:	mssql2-dev4560
Location:	eastus
Resource group name:	monkey365rg-dev
FQDN:	mssql2-dev4560.database.windows.net
Auditing policy state:	-1

Server Name:	monkeylab-mssql1-dev4560
Location:	eastus
Resource group name:	monkey365rg-dev
FQDN:	monkeylab-mssql1-dev4560.database.windows.net
Auditing policy state:	-1

Ensure Public Network Access is Disabled

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.1.7

Rule Violations
2

Description

Disabling public network access restricts the service from accessing public networks.

Rationale

A secure network architecture requires carefully constructed network segmentation. Public Network Access tends to be overly permissive and introduces unintended vectors for threat activity.

Impact

Some architectural consideration may be necessary to ensure that required network connectivity is still made available. No additional cost or performance impact is required to deploy this recommendation.

Remediation

From Azure Portal

Go to SQL servers.
For each SQL server, under Security, click Networking.
Set Public network access to Disable.
Click Save.

References

https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls
https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#deny-public-network-access

Server Name	Location	Public Network Access
mssql2-dev4560	eastus	Enabled
monkeylab-mssql1-dev4560	eastus	Enabled

Azure SQL Firewall

Ensure no Azure SQL Databases allow ingress from SQL

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.1.2

Rule Violations
2

Description

A custom rule was set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet

Rationale

Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services.Additionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.If Allow Azure services and resources to access this server is Checked, this will allow resources outside of the subscription/tenant/organization boundary, within any region of Azure, to effectively bypass the defined SQL Server Network ACL on public endpoint. A malicious attacker can successfully launch a SQL server password bruteforce attack by creating a virtual machine in any Azure subscription/region, from outside of the subscription boundary where the SQL Server is residing.

Impact

Disabling Allow Azure services and resources to access this server will break all connections to SQL server and Hosted Databases unless custom IP specific rules are added in Firewall Policy.

Remediation

References

https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls
https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview?view=azuresql#allow-azure-services

Server Name	Location	Resource Group	Rule Name	StartIpAddress	EndIpAddress	Actions
mssql2-dev4560	eastus	monkey365rg-dev	badrule	0.0.0.0	255.255.255.255
monkeylab-mssql1-dev4560	eastus	monkey365rg-dev	FirewallRule1	0.0.0.0	255.255.255.255

Ensure no Azure SQL Databases allow ingress from SQL

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.1.2

Description

By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services

Rationale

Impact

Disabling Allow Azure services and resources to access this server will break all connections to SQL server and Hosted Databases unless custom IP specific rules are added in Firewall Policy.

Remediation

References

PostgreSQL Server

Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.2.1

Description

Enable require_secure_transport on PostgreSQL flexible servers.

Rationale

SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.

References

https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-ssl-tls
https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-tls-ssl
https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-get-specified-postgresql-configuration-by-name
https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-updatae-specified-postgresql-configuration-by-name
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit

Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.2.5

Rule Violations
1

Description

Disable access from Azure services to PostgreSQL Database Server.

Rationale

If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, setup firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.

References

https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic

Server Name	Rule Name	Start IP Address	End IP Address	Actions
NotSet	NotSet	NotSet	NotSet

PostgreSQL Configuration

Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.2.2

Rule Violations
1

Description

Enable log_checkpoints on PostgreSQL flexible servers.

Rationale

Enabling log_checkpoints helps the PostgreSQL Database to Log each checkpoint in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.

References

https://learn.microsoft.com/en-us/rest/api/postgresql/flexibleserver/configurations/list-by-server
https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-configure-server-parameters-using-portal
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-logging#configure-logging
https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-get-specified-postgresql-configuration-by-name
https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlflexibleserverconfiguration?view=azps-12.2.0#example-1-updatae-specified-postgresql-configuration-by-name

Server Name	Parameter	Resource Group Name	Actions
monley365-postgresql-dev4560	eastus	monkey365rg-dev

Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.2.3

Rule Violations
1

Description

Enable connection throttling on PostgreSQL flexible servers.

Rationale

Enabling connection throttling helps the PostgreSQL Database to Set the verbosity of logged messages. This in turn generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.

References

Server Name	Parameter	Resource Group Name	Actions
postgresql0010	East US	Monkey365-rg

Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.2.4

Description

Ensure logfiles.retention_days on PostgreSQL flexible servers is set to an appropriate value.

Rationale

Configuring logfiles.retention_days determines the duration in days that Azure Database for PostgreSQL retains log files. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.

Impact

Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy a large amount of disk space. In this case you may want to set this to a lower number.

References

https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-configure-server-parameters-using-portal
https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention

Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.2.6

Description

Enable log_connections on PostgreSQL single servers.

Rationale

Enabling log_connections helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.

References

https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver

Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.2.7

Rule Violations
1

Description

Enable log_disconnections on PostgreSQL Servers.NOTE : This recommendation currently only applies to Single Server, not Flexible Server. See additional information below for details about the planned retirement of Azure PostgreSQL Single Server.

Rationale

Enabling log_disconnections helps PostgreSQL Database to Logs end of a session, including duration, which in turn generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.

Impact

Enabling this setting will enable a log of all disconnections. If this is enabled for a high traffic server, the log may grow exponentially.

References

Server Name	Parameter	Resource Group Name	Actions
monley365-postgresql-dev4560	eastus	monkey365rg-dev

Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 5.2.8

Description

Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.NOTE : This recommendation currently only applies to Single Server, not Flexible Server. See additional information below for details about the planned retirement of Azure PostgreSQL Single Server.

Rationale

If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. Encryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.

Impact

The read and write speeds to the database will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This cost is justified for information security. Customer managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the database.

References

https://docs.microsoft.com/en-us/azure/postgresql/single-server/concepts-infrastructure-double-encryption

Diagnostic Settings

Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.1.1

Description

Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.

Rationale

A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.

Remediation

Remediate from Azure Portal

To enable Diagnostic Settings on a Subscription:

Go to Monitor
Click on Activity log
Click on Export Activity Logs
Click + Add diagnostic setting
Enter a Diagnostic setting name
Select Categories for the diagnostic setting
Select the appropriate Destination details (this may be Log Analytics, Storage Account, Event Hub, or Partner solution)
Click Save

References

https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile
https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation

Ensure Diagnostic Setting captures appropriate categories

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.1.2

Description

Prerequisite : A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: Ensure that a Diagnostic Settings exists.The diagnostic setting should be configured to log the appropriate activities from the control/management plane.

Rationale

A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.

Remediation

Remediate from Azure Portal

Go to Monitor.
Click Activity log.
Click on Export Activity Logs.
Select the Subscription from the drop down menu.
Click Edit setting next to a diagnostic setting.
Check the following categories: Administrative, Alert, Policy, and Security.
Choose the destination details according to your organization's needs.
Click Save.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings
https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://learn.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest
https://learn.microsoft.com/en-us/powershell/module/az.monitor/new-azsubscriptiondiagnosticsetting?view=azps-9.2.0

Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.1.3

Description

Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).

Rationale

Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.

Impact

NOTE : You must have your key vault setup to utilize this. All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.

Remediation

Remediate from Azure Portal

Go to Monitor.
Select Activity log.
Select Export Activity Logs.
Select a Subscription.
Note the name of the Storage Account for the diagnostic setting.
Navigate to Storage accounts.
Click on the storage account.
Under Security + networking, click Encryption.
Next to Encryption type, select Customer-managed keys.
Complete the steps to configure a customer-managed key for encryption of the storage account.

References

https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli#managing-legacy-log-profiles

Ensure that logging for Azure Key Vault is 'Enabled'

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.1.4

Description

Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. Monitoring how and when key vaults are accessed, and by whom enables an audit trail of interactions with confidential information, keys and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account that the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account, and this same storage account can be used for collecting logs for multiple key vaults.

Rationale

Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves information in a user provided destination of either an Azure storage account or Log Analytics workspace. The same destination can be used for collecting logs for multiple Key Vaults.

Remediation

Remediate from Azure Portal

Go to Key vaults.
Select a Key vault.
Under Monitoring, select Diagnostic settings.
Click Edit setting to update an existing diagnostic setting, or Add diagnostic setting to create a new one.
If creating a new diagnostic setting, provide a name.
Configure an appropriate destination.
Under Category groups, check audit and allLogs.
Click Save.

References

https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation

Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.1.5

Description

Ensure that network flow logs are captured and fed into a central log analytics workspace.

Rationale

Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.

Impact

The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor.

Remediation

Remediate from Azure Portal

Navigate to Network Watcher.
Under Logs, select Flow logs.
Select + Create.
Select the desired Subscription.
For Flow log type, select Network security group.
Select + Select target resource.
Select Network security group.
Select a network security group.
Click Confirm selection.
Select or create a new Storage Account.
If using a v2 storage account, input the retention in days to retain the log.
Click Next.
Under Analytics, for Flow log version, select Version 2.
Check the box next to Enable traffic analytics.
Select a processing interval.
Select a Log Analytics Workspace.
Select Next.
Optionally add Tags.
Select Review + create.
Select Create.

References

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation

Ensure that logging for Azure AppService 'HTTP logs' is enabled

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.1.6

Rule Violations
1

Description

Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.

Rationale

Capturing web requests can be important supporting information for security analysts performing monitoring and incident response activities. Once logging, these logs can be ingested into SIEM or other central aggregation point for the organization

Impact

Log consumption and processing will incur additional cost.

Remediation

Using From Azure Portal

Go to the Azure Portal
Select App Services
For each App Service
Go to Diagnostic Settings
Click Add Diagnostic Setting
Check the checkbox next to 'AppServiceHTTPLogs'
Configure destination based on your specific logging consumption capability (for example Stream to an event hub and then consuming with SIEM integration for Event Hub logging)

References

https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation

Application Name	Kind	Location	HostName	Diagnostic Settings Enabled	Log Category	Actions
monley365-app-service1-dev4560	app,linux	East US	monley365-app-service1-dev4560.azurewebsites.net	Disabled	NotSet

Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.4

Description

Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended.

Rationale

A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled.

Impact

Costs for monitoring varies with Log Volume. Not every resource needs to have logging enabled. It is important to determine the security classification of the data being processed by the given resource and adjust the logging based on which events need to be tracked. This is typically determined by governance and compliance requirements.

Remediation

Remediate from Azure Portal

The specific steps for configuring resources within the Azure console vary depending on resource, but typically the steps are:

Go to the resource
Click on Diagnostic settings
In the blade that appears, click Add diagnostic setting
Configure the diagnostic settings
Click on Save

References

https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation

Azure Alerts

Create Policy Assignment missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.1

Rule Violations
1

Description

Create Policy Assignment alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for create policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Authorization/policyAssignments/write	DoesNotExists

Delete Policy Assignment missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.2

Rule Violations
1

Description

Delete Policy Assignment alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for delete policy assignment events gives insight into changes done in 'azure policy - assignments' and may reduce the time it takes to detect unsolicited changes.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Authorization/policyAssignments/delete	DoesNotExists

Create or Update Network Security Group missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.3

Rule Violations
1

Description

Create or Update Network Security Group alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for 'Create' or 'Update Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Network/networkSecurityGroups/write	DoesNotExists

Delete Network Security Group missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.4

Rule Violations
1

Description

Delete Network Security Group alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for 'Delete Network Security Group' events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Network/networkSecurityGroups/delete	DoesNotExists

Create or Update Security Solution missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.5

Rule Violations
1

Description

Create or Update Security Solution alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for Create or Update Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Security/securitySolutions/write	DoesNotExists

Delete Security Solution missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.6

Rule Violations
1

Description

Delete Security Solution alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for Delete Security Solution events gives insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Security/securitySolutions/delete	DoesNotExists

Create or Update SQL Server Firewall Rule missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.7

Rule Violations
1

Description

Create or Update SQL Server Firewall Rule alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for Create or Update or Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Sql/servers/firewallRules/write	DoesNotExists

Delete SQL Server Firewall Rule missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.8

Rule Violations
1

Description

Delete SQL Server Firewall Rule alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for Delete SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Sql/servers/firewallRules/delete	DoesNotExists

Create or Update Public IP Addresses rule missing alert

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.9

Rule Violations
1

Description

Create or Update Public IP Addresses rule alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

operationName	Status
Microsoft.Network/publicIPAddresses/write	DoesNotExists

Delete Public IP Addresses rule missing alert

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.2.10

Description

Delete Public IP Addresses rule alert was missing. Consider to add and enable this alert.

Rationale

Monitoring for Create or Update Public IP Address events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

References

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect

Application Insights

Ensure Application Insights are Configured

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.3.1

Description

Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. Both data sets help organizations adopt a proactive and retroactive means to handle security and performance related metrics within their modern applications.

Rationale

Configuring Application Insights provides additional data not found elsewhere within Azure as part of a much larger logging and monitoring program within an organization's Information Security practice. The types and contents of these logs will act as both a potential cost saving measure (application performance) and a means to potentially confirm the source of a potential incident (trace logging). Metrics and Telemetry data provide organizations with a proactive approach to cost savings by monitoring an application's performance, while the trace logging data provides necessary details in a reactive incident response scenario by helping organizations identify the potential source of an incident within their application.

Impact

Because Application Insights relies on a Log Analytics Workspace, an organization will incur additional expenses when using this service.

Remediation

Remediate from Azure Portal

Navigate to Application Insights.
Under the Basics tab within the PROJECT DETAILS section, select the Subscription.
Select the Resource group.
Within the INSTANCE DETAILS, enter a Name.
Select a Region.
Next to Resource Mode, select Workspace-based.
Within the WORKSPACE DETAILS, select the Subscription for the log analytics workspace.
Select the appropriate Log Analytics Workspace.
Click Next:Tags >.
Enter the appropriate Tags as Name, Value pairs.
Click Next:Review+Create.
Click Create.

References

https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview

Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 6.5

Description

The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft may refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.

Rationale

Typically, production workloads need to be monitored and should have an SLA with Microsoft, using Basic SKUs for any deployed product will mean that that these capabilities do not exist.The following resource types should use standard SKUs as a minimum.

Public IP Addresses
Network Load Balancers
REDIS Cache
SQL PaaS Databases
VPN Gateways

Impact

The impact of enforcing Standard SKU's is twofold

There will be a cost increase
The monitoring and service level agreements will be available and will support the production service.

All resources should be either tagged or in separate Management Groups/Subscriptions

Remediation

Each artifact has its own process for upgrading from basic to standard SKU's and this should be followed if required.

References

https://azure.microsoft.com/en-us/support/plans
https://azure.microsoft.com/en-us/support/plans/response/

Network Security Groups

Ensure that RDP access from the Internet is evaluated and restricted

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 7.1

Rule Violations
2

Description

Disable RDP access on network security groups from the Internet.

Rationale

The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure

References

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

name	location	ResourceGroupName	Rulename	RuleDescription	Protocol	SourcePortRange	SourcePortRanges	DestinationPortRange	DestinationPortRanges	SourceAddressPrefix	SourceAddressPrefixes	DestinationAddressPrefix	DestinationAddressPrefixes	Access	Priority	direction
monkeylab-dev	eastus	monkey365rg-dev	AllowRDP	NotSet	Tcp	*	NotSet	3389-3389	NotSet	*	NotSet	*	NotSet	Allow	300	Inbound
Windows2K12-nsg	eastus	VirtualMachineRG	RDP	NotSet	TCP	*	NotSet	3389	NotSet	*	NotSet	*	NotSet	Allow	300	Inbound

Ensure that SSH access from the Internet is evaluated and restricted

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 7.2

Rule Violations
2

Description

Disable SSH access on network security groups from the Internet.

Rationale

The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure

References

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

name	location	ResourceGroupName	Rulename	RuleDescription	Protocol	SourcePortRange	SourcePortRanges	DestinationPortRange	DestinationPortRanges	SourceAddressPrefix	SourceAddressPrefixes	DestinationAddressPrefix	DestinationAddressPrefixes	Access	Priority	direction
monkeylab-dev	eastus	monkey365rg-dev	AllowSSH	NotSet	Tcp	*	NotSet	22-22	NotSet	*	NotSet	*	NotSet	Allow	200	Inbound
Windows2K12-nsg	eastus	VirtualMachineRG	SSH	NotSet	TCP	*	NotSet	22	NotSet	*	NotSet	*	NotSet	Allow	320	Inbound

Network Watcher

Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 7.5

Rule Violations
2

Description

Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.

Rationale

Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.

Impact

This will keep IP traffic logs for longer than 90 days. As a level 2, first determine your need to retain data, then apply your selection here. As this is data stored for longer, your monthly storage costs will increase depending on your data use.

Remediation

From Azure Console

Go to Network Watcher
Select NSG flow logs blade in the Logs section
Select each Network Security Group from the list
Ensure Status is set to On
Ensure Retention (days) setting greater than 90 days
Select your storage account in the Storage account field
Select Save

References

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

target_resource_id	storageId	enabled	retentionPolicyEnabled	retentionPolicyDays
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/monkey365rg-dev/providers/Microsoft.Network/networkSecurityGroups/monkeylab-dev	NotSet	Disabled	Disabled	0
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/VirtualMachineRG/providers/Microsoft.Network/networkSecurityGroups/Windows2K12-nsg	NotSet	Disabled	Disabled	0

Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 7.6

Rule Violations
1

Description

Enable Network Watcher for physical regions in Azure subscriptions.

Rationale

Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.

Impact

There are additional costs per transaction to run and store network data. For high volume networks these charges will add up quickly.

Remediation

Opting-out of Network Watcher automatic enablement is a permanent change. Once you opt-out you cannot opt-in without contacting support.

References

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
https://learn.microsoft.com/en-us/cli/azure/network/watcher?view=azure-cli-latest
https://learn.microsoft.com/en-us/cli/azure/network/watcher?view=azure-cli-latest#az-network-watcher-configure
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-create
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation
https://azure.microsoft.com/en-ca/pricing/details/network-watcher/

all_locations_enabled

locations

Disabled

eastasia,southeastasia,centralus,eastus2,westus,northcentralus,southcentralus,northeurope,westeurope,japanwest,japaneast,brazilsouth,australiaeast,australiasoutheast,southindia,centralindia,westindia,jioindiawest,jioindiacentral,canadacentral,canadaeast,uksouth,ukwest,westcentralus,westus2,koreacentral,koreasouth,francecentral,francesouth,australiacentral,australiacentral2,uaecentral,uaenorth,southafricanorth,southafricawest,switzerlandnorth,switzerlandwest,germanynorth,germanywestcentral,norwaywest,norwayeast,brazilsoutheast,westus3,swedencentral,qatarcentral

Bastion

Ensure an Azure Bastion Host Exists

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.1

Description

The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.

Rationale

The Azure Bastion service allows organizations a more secure means of accessing Azure Virtual Machines over the Internet without assigning public IP addresses to those Virtual Machines. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser, thus preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines. Additional benefits of the Bastion service includes Multi-Factor Authentication, Conditional Access Policies, and any other hardening measures configured within Azure Active Directory using a central point of access.

Impact

The Azure Bastion service incurs additional costs and requires a specific virtual network configuration. The Standard tier offers additional configuration options compared to the Basic tier and may incur additional costs for those added features.

Remediation

Remediate from Azure Portal

Click on Bastions
Select the Subscription
Select the Resource group
Type a Name for the new Bastion host
Select a Region
Choose Standard next to Tier
Use the slider to set the Instance count
Select the Virtual network or Create new
Select the Subnet named AzureBastionSubnet. Create a Subnet named AzureBastionSubnet using a /26 CIDR range if it doesn't already exist.
Selct the appropriate Public IP address option.
If Create new is selected for the Public IP address option, provide a Public IP address name.
If Use existing is selected for Public IP address option, select an IP address from Choose public IP address
Click Next: Tags >
Configure the appropriate Tags
Click Next: Advanced >
Select the appropriate Advanced options
Click Next: Review + create >
Click Create

References

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku
https://learn.microsoft.com/en-us/powershell/module/az.network/get-azbastion?view=azps-9.2.0
https://learn.microsoft.com/en-us/cli/azure/network/bastion?view=azure-cli-latest

Azure Virtual Machines

Ensure Virtual Machines are utilizing Managed Disks

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.2

Rule Violations
3

Description

Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include:

Default Disk Encryption
Resilience, as Microsoft will managed the disk storage and move around if underlying hardware goes faulty
Reduction of costs over storage accounts

Rationale

Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required. Managed disks are by design more resilient that storage accounts.For ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective.

Impact

There are additional costs for managed disks based off of disk space allocated. When converting to managed disks, VMs will be powered off and back on.

Remediation

From Azure Console

Using the search feature, go to Virtual Machines
Select the virtual machine you would like to convert
Select Disks in the menu for the VM
At the top select Migrate to managed disks
You may follow the prompts to convert the disk and finish by selecting Migrate to start the process

NOTE VMs will be stopped and restarted after migration is complete.

References

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default
https://docs.microsoft.com/en-us/azure/virtual-machines/faq-for-disks
https://azure.microsoft.com/en-us/pricing/details/managed-disks/

VM Name	Location	Managed Disk
monkeylab-linux	eastus	Enabled
monkeylab-win	eastus	Enabled
Windows2K12	eastus	Enabled

Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.3

Rule Violations
3

Description

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).

Rationale

Encrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security.

Impact

Using CMK/BYOK will entail additional management of keys.NOTE: You must have your key vault setup to utilize this.

Remediation

From Azure Console

Note: Disks must be detached from VMs to have encryption changed.

Go to Virtual machines
For each virtual machine, go to Settings
Click on Disks
Click the X to detach the disk from the VM
Now search for Disks and locate the unattached disk
Click the disk then select Encryption
Change your encryption type, then select your encryption set
Click Save
Go back to the VM and re-attach the disk

References

VM Name	Location	SSE Type
monkeylab-linux	eastus	NotSet
monkeylab-win	eastus	NotSet
Windows2K12	eastus	NotSet

Ensure that only approved extensions are installed

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.7

Description

For added security, only install organization-approved extensions on VMs.

Rationale

Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.

Remediation

From Azure Console

Go to Virtual machines
For each virtual machine, go to Settings
Click on Extensions
Ensure that the listed extensions are approved for use.

References

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security

Ensure that Endpoint Protection for all Virtual Machines is installed

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.8

Description

Install endpoint protection for all virtual machines.

Rationale

Installing endpoint protection systems (like anti-malware for Azure) provides for real time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems.

Impact

Endpoint protection will incur an additional cost to you.

Remediation

Follow Microsoft Azure documentation to install endpoint protection from the security center. Alternatively, you can employ your own endpoint protection tool for your OS.

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection
https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware
https://docs.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest#az_vm_extension_list
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-endpoint-security#es-1-use-endpoint-detection-and-response-edr

Ensure only MFA enabled identities can access privileged Virtual Machine

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.10

Description

Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal.

Rationale

Integrating multi-factor authentication (MFA) as part of the organizational policy can greatly reduce the risk of an identity gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.An Adversary may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized to move laterally and perform actions with the virtual machine's managed identity. The adversary may then perform management actions or access cloud-hosted resources as the logged-on managed identity.

Impact

This recommendation requires the Entra ID P2 license to implement.Ensure that identities that are provisioned to a virtual machine utilizes an RBAC/ABAC group and is allocated a role using Azure PIM, and the Role settings require MFA or use another third-party PAM solution for accessing Virtual Machines.

Ensure Trusted Launch is enabled on Virtual Machines

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.11

Description

When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. If the attacker is able to bypass Secure Boot and install a malicious bootloader, vTPM can be used to detect the intrusion and alert you.

Rationale

Secure Boot and vTPM work together to protect your VM from a variety of boot attacks, including bootkits, rootkits, and firmware rootkits. Not enabling Trusted Launch in Azure VM can lead to increased vulnerability to rootkits and boot-level malware, reduced ability to detect and prevent unauthorized changes to the boot process, and a potential compromise of system integrity and data security.

Impact

Secure Boot and vTPM are not currently supported for Azure Generation 1 VMs.IMPORTANT : Before enabling Secure Boot and vTPM on a Generation 2 VM which does not already have both enabled, it is highly recommended to create a restore point of the VM prior to remediation.

References

https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm?tabs=portal
https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm?tabs=portal#enable-trusted-launch-on-existing-vm
https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot

Azure Disks

Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.4

Rule Violations
1

Description

Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).

Rationale

Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.

Impact

NOTE : You must have your key vault set up to utilize this. Encryption is available only on Standard tier VMs. This might cost you more.Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys.

Remediation

If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at:

https://docs.microsoft.com/en-us/rest/api/compute/disks/delete
https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete

If data stored in the disk is important, To encrypt the disk refer azure documentation at:

https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings

References

https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss
https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json
https://docs.microsoft.com/en-us/rest/api/compute/disks/delete
https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest

Disk Name	Location	SKU Name	OS Type	SSE Encryption	Actions
Monkey365-disk-dev	eastus	Standard_LRS	NotSet	NotSet

Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.5

Description

Virtual Machine Disks and snapshots can be configured to allow access from different network resources.

Rationale

The setting 'Enable public access from all networks' is, in many cases, an overly permissive setting on Virtual Machine Disks that presents atypical attack, data infiltration, and data exfiltration vectors. If a disk to network connection is required, the preferred setting is to Disable public access and enable private access.

Impact

The setting Disable public access and enable private access will require configuring a private link (URL in references below).The setting Disable public and private access is most secure and preferred where disk network access is not needed.

References

https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-private-links-for-import-export-portal
https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-export-import-private-links-cli
https://learn.microsoft.com/en-us/azure/virtual-machines/disks-restrict-import-export-overview

Ensure that 'Enable Data Access Authentication Mode' is 'Checked'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.6

Rule Violations
4

Description

Data Access Authentication Mode provides a method of uploading or exporting Virtual Machine Disks.

Rationale

Enabling data access authentication mode adds a layer of protection using an Entra ID role to further restrict users from creating and using Secure Access Signature (SAS) tokens for exporting a detached managed disk or virtual machine state. Users will need the Data operator for managed disk role within Entra ID in order to download a VHD or VM Guest state using a secure URL.

Impact

In order to apply this setting, the virtual machine to which the disk or disks are attached will need to be powered down and have their disk detached. Users without the Data operator for managed disk role within Entra ID will not be able to export VHD or VM Guest state using the secure download URL.

References

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/download-vhd?tabs=azure-portal#secure-downloads-and-uploads-with-microsoft-entra-id

Disk Name	Location	SKU Name	Data access auth mode
Monkey365-disk-dev	eastus	Standard_LRS	NotSet
monkeylab-linux_OsDisk_1_3f3cff5b79ed44a6ad2801ac29a91f81	eastus	Standard_LRS	NotSet
monkeylab-win_OsDisk_1_ed22da4fd7b84a458ab7d4773e9b8c02	eastus	Standard_LRS	NotSet
Windows2K12_OsDisk_1_405dea5af0504528a054c289f235258c	eastus	StandardSSD_LRS	NotSet

Ensure that VHDs are Encrypted

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 8.9

Description

NOTE : This is a legacy recommendation. Managed Disks are encrypted by default and recommended for all new VM implementations.VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs.

Rationale

While it is recommended to use managed disks that are encrypted by default, legacy disk that may for a number of reasons need to be left as VHD's should also be encrypted to protect the data content. These legacy VHD's are not encrypted by default

Impact

Depending on how the encryption is implemented will change the size of the impact, if provider managed keys (PMK) are utilised the impact is relatively low, but processes need to be put in place to regularly rotate the keys. If Customer managed keys (CMK) are utilised a key management process needs to be implemented to store and manage key rotation and thus the impact is medium to high depending on user maturity with key management.

References

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview
https://docs.microsoft.com/en-us/azure/governance/policy/overview

App Services

Ensure 'HTTPS Only' is set to `On`

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.1

Rule Violations
1

Description

Azure App Service allows apps to run under both HTTP and HTTPS by default. Apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.

Rationale

Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits.

Impact

When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app.

Remediation

Remediate from Azure Portal

Login to Azure Portal using https://portal.azure.com
Go to App Services
For each App Service
Under Setting section, click on Configuration
Under the General Settings tab, set HTTPS Only to On under Platform Settings

References

https://learn.microsoft.com/en-us/azure/app-service/overview-security?source=recommendations#https-and-certificates
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit
https://learn.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp
https://techcommunity.microsoft.com/t5/azure-paas-blog/enable-https-setting-on-azure-app-service-using-azure-policy/ba-p/3286603

Application Name:	monley365-app-service-dev4560
Kind:	app,linux
Location:	East US
HostName:	monley365-app-service-dev4560.azurewebsites.net
Https Only:	Disabled
SSL FTP:	AllAllowed
TLS Version:	1.0

Ensure App Service Authentication is set up for apps in Azure App Service

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.2

Description

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.

Rationale

By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. Disabling HTTP Basic Authentication functionality further ensures legacy authentication methods are disabled within the application.

Impact

This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable.Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication.

References

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy

Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.3

Rule Violations
2

Description

By default, App Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Services. If FTPS is not expressly required for the App, the recommended setting is Disabled.

Rationale

FTP is an unencrypted network protocol that will transmit data - including passwords - in clear-text. The use of this protocol can lead to both data and credential compromise, and can present opportunities for exfiltration, persistence, and lateral movement.

Impact

Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.

Remediation

Using From Azure Portal

Go to the Azure Portal
Select App Services
Click on an app
Select Settings and then Configuration
Under General Settings, for the Platform Settings, the FTP state should be set to Disabled or FTPS Only

References

https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp
https://docs.microsoft.com/en-us/azure/app-service/overview-security
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-configuration#ftpsstate

Application Name	Kind	Location	HostName	FTPS State	Actions
monley365-app-service1-dev4560	app,linux	East US	monley365-app-service1-dev4560.azurewebsites.net	AllAllowed
monley365-app-service-dev4560	app,linux	East US	monley365-app-service-dev4560.azurewebsites.net	AllAllowed

Ensure Web App is using the latest version of TLS encryption

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.4

Rule Violations
2

Description

The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.

Rationale

App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.

References

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-3-encrypt-sensitive-data-in-transit
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-8-detect-and-disable-insecure-services-and-protocols
https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0

Application Name:	monley365-app-service1-dev4560
Kind:	app,linux
Location:	East US
HostName:	monley365-app-service1-dev4560.azurewebsites.net
Https Only:	Enabled
SSL FTP:	AllAllowed
TLS Version:	1.0

Application Name:	monley365-app-service-dev4560
Kind:	app,linux
Location:	East US
HostName:	monley365-app-service-dev4560.azurewebsites.net
Https Only:	Disabled
SSL FTP:	AllAllowed
TLS Version:	1.0

Ensure that Register with Entra ID is enabled on App Service

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.5

Description

Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.

Rationale

App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.

References

https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-1-use-centralized-identity-and-authentication-system

Ensure that 'Basic Authentication' is 'Disabled'

Finding Details
Affected Resources

Rule Id

Severity
medium

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.6

Rule Violations
2

Description

Basic Authentication provides the ability to create identities and authentication for an App Service without a centralized Identity Provider. For a more effective, capable, and secure solution for Identity, Authentication, Authorization, and Accountability, a centralized Identity Provider such as Entra ID is strongly advised.

Rationale

Basic Authentication introduces an identity silo which can produce privileged access to a resource. This can be exploited in numerous ways and represents a significant vulnerability and attack vector.

Impact

An Identity Provider that can be used by the App Service for authenticating users is required.

References

https://learn.microsoft.com/en-us/azure/app-service/configure-basic-auth-disable?tabs=portal

Application Name	Kind	Location	HostName	Https Only	Principal ID	SSL FTP	TLS Version	SCM Basic Auth Enabled	Actions
monley365-app-service1-dev4560	app,linux	East US	monley365-app-service1-dev4560.azurewebsites.net	Enabled	NotSet	AllAllowed	1.0	NotSet
monley365-app-service-dev4560	app,linux	East US	monley365-app-service-dev4560.azurewebsites.net	Disabled	NotSet	AllAllowed	1.0	NotSet

Ensure that 'PHP version' is currently supported (if in use)

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.7

Description

Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

Rationale

Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.

Impact

If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.

References

https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources
https://www.php.net/supported-versions.php

Ensure that 'Python version' is currently supported (if in use)

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.8

Description

Periodically, older versions of Python may be deprecated and no longer supported. Using a supported version of Python for app services is recommended to avoid potential unpatched vulnerabilities.

Rationale

Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.

Impact

If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.

References

Ensure that 'Java version' is currently supported (if in use)

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.9

Description

Periodically, older versions of Java may be deprecated and no longer supported. Using a supported version of Java for app services is recommended to avoid potential unpatched vulnerabilities.

Rationale

Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.

Impact

If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.

References

Ensure that 'HTTP20enabled' is set to 'true'

Finding Details
Affected Resources

Rule Id

Severity
low

Status
fail

Compliance
CIS Microsoft Azure Foundations 3.0.0 9.10

Rule Violations
2

Description

Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.

Rationale

Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.

Impact

Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third-party certificate.

Remediation

From Azure Console

Login to Azure Portal
Go to App Services
Click on each App
Under Setting section, click on Configuration
Set HTTP version to 2.0 under General settings

NOTE: Most modern browsers support HTTP 2.0 protocol over TLS only, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.

References

https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources

Application Name	Kind	Location	HostName	Https Only	TLS Version	HTTP 2.0 Enabled	Actions
monley365-app-service1-dev4560	app,linux	East US	monley365-app-service1-dev4560.azurewebsites.net	Enabled	1.0	Disabled
monley365-app-service-dev4560	app,linux	East US	monley365-app-service-dev4560.azurewebsites.net	Disabled	1.0	Disabled

Ensure Azure Key Vaults are Used to Store Secrets

Rule Id

Severity
medium

Status
manual

Compliance
CIS Microsoft Azure Foundations 2.0.0 9.11

Description

Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.

Rationale

The credentials given to an application have permissions to create, delete, or modify data stored within the systems they access. If these credentials are stored within the application itself, anyone with access to the application or a copy of the code has access to them. Storing within Azure Key Vault as secrets increases security by controlling access. This also allows for updates of the credentials without redeploying the entire application.

Impact

Integrating references to secrets within the key vault are required to be specifically integrated within the application code. This will require additional configuration to be made during the writing of an application, or refactoring of an already written one. There are also additional costs that are charged per 10000 requests to the Key Vault.

References

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-3-manage-application-identities-securely-and-automatically
https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest

Ensure that 'Remote debugging' is set to 'Off'

Rule Id

Severity
good

Status
pass

Compliance
CIS Microsoft Azure Foundations 2.0.0 9.12

Description

Remote Debugging allows Azure App Service to be debugged in real-time directly on the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.

Rationale

Disabling remote debugging on Azure App Service is primarily about enhancing security.Remote debugging opens a communication channel that can be exploited by attackers. By disabling it, you reduce the number of potential entry points for unauthorized access.If remote debugging is enabled without proper access controls, it can allow unauthorized users to connect to your application, potentially leading to data breaches or malicious code execution.During a remote debugging session, sensitive information might be exposed. Disabling remote debugging helps ensure that such data remains secure. This minimizes the use of remote access tools to reduce risk.

Impact

You will not be able to connect to your application from a remote location to diagnose and fix issues in real-time. You will not be able to step through code, set breakpoints, or inspect variables and the call stack while the application is running on the server. Remote debugging is particularly useful for diagnosing issues that only occur in the production environment. Without it, you will need to rely on logs and other diagnostic tools.

References

https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure-app-service?view=vs-2022
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-2-audit-and-enforce-secure-configurations

Execution

Information

Juan Garrido

Execution info

Ruleset details

Findings By Service

Findings By severity

Dashboard Table

General

1

Description

Rationale

Impact