Framework/Configurations/SVT/Services/CloudService.json
{
"FeatureName": "CloudService", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_CloudService_AuthN_Use_AAD_for_Client_AuthN", "Description": "Cloud Service must authenticate users using Azure Active Directory (AAD)-backed credentials", "Id": "CloudService01", "ControlSeverity": "High", "Automated": "No", "Recommendation": "Create an AAD App. Configure the App with your cloud service URLs so that AAD authentication is enforced for every request. Refer: https://blogs.msdn.microsoft.com/visualstudio/2014/11/19/connecting-to-cloud-services/", "Tags": [ "SDL", "Classic" ], "Enabled": true }, { "ControlID": "Azure_CloudService_DP_DontAllow_HTTP_Access_InputEndpoints", "Description": "Cloud Service must only be accessible over HTTPS. Enable HTTPS for all InputEndpoints and do not leave any plain-HTTP input endpoint enabled.", "Id": "CloudService03", "ControlSeverity": "High", "Automated": "Yes", "Recommendation": "Get a TLS/SSL certificate from a trusted certificate authority. Upload that certificate to the cloud service. Update the input endpoints by changing the protocol from HTTP to HTTPS in .csdef, and remove any remaining HTTP endpoint rather than keeping it alongside the HTTPS one. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate", "Tags": [ "SDL" ], "Enabled": true, "MethodName": "CheckCloudServiceHttpCertificateSSLOnInputEndpoints" }, { "ControlID": "Azure_CloudService_SI_Validate_InternalEndpoints", "Description": "Remove unused internal endpoints", "Id": "CloudService04", "ControlSeverity": "Medium", "Recommendation": "Remove unused internal endpoints from .csdef and redeploy your cloud service to reflect the new changes. 
Refer: https://azure.microsoft.com/en-us/documentation/articles/cloud-services-enable-communication-role-instances", "Automated": "Yes", "Tags": [ "SDL", "Classic" ], "Enabled": true, "MethodName": "CheckCloudServiceInstanceEndpoints" }, { "ControlID": "Azure_CloudService_SI_Validate_InputEndpoints", "Description": "Remove unused input endpoints", "Id": "CloudService05", "ControlSeverity": "Medium", "Recommendation": "Remove unused input endpoints from .csdef and redeploy your cloud service to reflect the new changes. Refer: https://azure.microsoft.com/en-us/documentation/articles/cloud-services-enable-communication-role-instances", "Automated": "Yes", "Tags": [ "SDL", "Classic" ], "Enabled": true, "MethodName": "CheckCloudServiceInputEndpoints" }, { "ControlID": "Azure_CloudService_SI_Disable_RemoteDebugging", "Description": "Remote debugging must be turned off", "Id": "CloudService06", "ControlSeverity": "High", "Recommendation": "Remove the [Microsoft.WindowsAzure.Plugins.RemoteDebugger*] endpoints from .csdef and redeploy your cloud service to reflect the new changes. Refer: https://docs.microsoft.com/en-us/azure/vs-azure-tools-debug-cloud-services-virtual-machines", "Automated": "Yes", "Tags": [ "SDL", "Classic" ], "Enabled": true, "MethodName": "CheckCloudServiceRemoteDebuggingStatus" }, { "ControlID": "Azure_CloudService_DP_CNAME_with_SSL", "Description": "A custom domain (CNAME) with a matching TLS/SSL certificate should be configured for the cloud service.", "Id": "CloudService07", "ControlSeverity": "Medium", "Recommendation": "Get a TLS/SSL certificate for your CNAME from a trusted certificate authority and upload it to your cloud service. Map the VIP of your cloud service to the CNAME at your DNS registrar's website. 
Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name", "Automated": "No", "Tags": [ "SDL", "Classic" ], "Enabled": true }, { "ControlID": "Azure_CloudService_SI_Auto_OSUpdate", "Description": "OS version should be set to automatic so that guest OS updates are applied automatically.", "Id": "CloudService08", "ControlSeverity": "High", "Recommendation": "To enable automatic updates: Go to the Azure portal --> your cloud service --> under the Configure tab --> set the operating system version to automatic.", "Automated": "Yes", "Tags": [ "SDL" ], "Enabled": true, "MethodName": "CheckCloudServiceOSPatchStatus" }, { "ControlID": "Azure_CloudService_SI_Enable_AntiMalware", "Description": "Enable the Antimalware extension for the cloud service roles", "Id": "CloudService09", "ControlSeverity": "High", "Automated": "Yes", "Recommendation": "To enable Antimalware: Go to the Azure portal --> your cloud service --> Antimalware under the Settings section --> select each role and enable Antimalware.", "Tags": [ "SDL" ], "Enabled": true, "MethodName": "CheckCloudServiceAntiMalwareStatus" }, { "ControlID": "Azure_CloudService_SI_Disable_RemoteDesktop_Access", "Description": "Remote Desktop (RDP) access must be disabled on cloud service roles", "Id": "CloudService10", "ControlSeverity": "High", "Recommendation": "Go to the Azure portal --> your cloud service --> Remote Desktop under the Settings section --> disable Remote Desktop for each role", "Automated": "Yes", "Tags": [ "SDL" ], "Enabled": true, "MethodName": "CheckCloudServiceRemoteDesktopAccess" } ] }