Framework/Configurations/SVT/SubscriptionCore/SubscriptionCore.json
{
"FeatureName": "SubscriptionCore", "Reference": "aka.ms/azsktcp/sshealth", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_Subscription_AuthZ_Limit_Admin_Owner_Count", "Description": "Minimize the number of admins/owners", "Id": "SubscriptionCore110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSubscriptionAdminCount", "Recommendation": "There are 2 steps involved. (1) You need to remove any 'Classic Administrators/Co-Administrators' who should not be in the role. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' (e) Select the co-administrator account that has to be removed and click on the 'Remove' button. (f) Perform this operation for all the co-administrators that need to be removed from the subscription. (2) You need to remove any unwanted members from the Owners group. To do this simply run the command 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "Rationale": "Each additional person in the Owner/Contributor role increases the attack surface for the entire subscription. The number of members in these roles should be kept to as low as possible." }, { "ControlID": "Azure_Subscription_AuthZ_Justify_Admins_Owners", "Description": "Justify all identities that are granted with admin/owner access on your subscription.", "Id": "SubscriptionCore111", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "ValidateCentralAccountsRBAC", "Recommendation": "There are 2 steps involved. (1) You need to remove any 'Classic Administrators/Co-Administrators/Owners' who should not be in the role. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' (e) Right click the co-administrator account that has to be removed and click on the 'Remove co-administrator'. (f) Perform this operation for all the co-administrators that need to be removed from the subscription. (2) You need to remove any unwanted members from the Owners group. To do this simply run the command 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName Owner'.", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "Owners.ObjectId", "Owners.RoleDefinitionId", "Owners.RoleDefinitionName", "Owners.Scope", "Owners.SignInName", "CoAdmins.RoleDefinitionName", "CoAdmins.Scope", "CoAdmins.SignInName" ], "Rationale": "Accounts that are a member of these groups without a legitimate business reason increase the risk for your subscription. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised." }, { "ControlID": "Azure_Subscription_AuthZ_Add_Required_Central_Accounts", "Description": "Mandatory central accounts must be present on the subscription", "Id": "SubscriptionCore120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckApprovedCentralAccountsRBAC", "Recommendation": "Run command 'Set-AzSKSubscriptionRBAC'. This command sets up all mandatory accounts on the target subscription. Run 'Get-Help Set-AzSKSubscriptionRBAC -full' for more help. ", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "ObjectId", "ObjectType", "RoleDefinitionName", "Scope", "Enabled" ], "FixControl": { "FixControlImpact": "Medium", "FixMethodName": "AddRequiredCentralAccounts", "Parameters": { "Tags": "" } }, "Rationale": "Certain central accounts are expected to be present in all subscriptions to support enterprise wide functions (e.g., security scanning, cost optimization, etc.). Certain other accounts may also be required depending on special functionality enabled in a subscription (e.g., Express Route network management). The script checks for presence of such 'mandatory' and 'scenario-specific' accounts. If these are not present per the current baseline, there may be security/functionality impact for your subscription." }, { "ControlID": "Azure_Subscription_AuthZ_Remove_Deprecated_Accounts", "Description": "Deprecated/stale accounts must not be present on the subscription", "Id": "SubscriptionCore130", "ControlSeverity": "Critical", "Automated": "Yes", "MethodName": "CheckDeprecatedAccountsRBAC", "Recommendation": "Run command 'Remove-AzSKSubscriptionRBAC'. You can remove all the deprecated accounts using this command. Run 'Get-Help Remove-AzSKSubscriptionRBAC -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "ObjectId", "ObjectType", "Scope" ], "FixControl": { "FixControlImpact": "Medium", "FixMethodName": "RemoveDeprecatedAccounts" }, "PolicyDefinitionGuid": "6b1cbf55-e8b6-442f-ba4c-7246b6381474", "Rationale": "Deprecated accounts are ones that were once deployed to your subscription for some trial/pilot initiative (or some other purpose). These are not required any more and are a standing risk if present in any role on the subscription." }, { "ControlID": "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities", "Description": "Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)", "Id": "SubscriptionCore140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckNonAADAccountsRBAC", "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "OwnerAccess", "GraphRead", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "ObjectId", "RoleDefinitionId", "SignInName", "Scope" ], "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a subscription subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities. They don't have multi-factor authentication enabled. Etc." }, { "ControlID": "Azure_Subscription_AuthZ_Dont_Use_SVC_Accounts_No_MFA", "Description": "Service accounts cannot support MFA and should not be used for subscription activity", "Id": "SubscriptionCore150", "ControlSeverity": "High", "Automated": "No", "MethodName": "CheckSVCAccountsRBAC", "Recommendation": "Run command Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "OwnerAccess", "GraphRead", "SubscriptionCore" ], "Enabled": true, "Rationale": "Service accounts are typically not multi-factor authentication capable. Quite often, teams who own these accounts don't exercise due care (e.g., someone may login interactively on servers using a service account exposing their credentials to attacks such as pass-the-hash, phishing, etc.) As a result, using service accounts in any privileged role in a subscription exposes the subscription to 'credential theft'-related attack vectors. (In effect, the subscription becomes accessible after just one factor (password) is compromised...this defeats the whole purpose of imposing the MFA requirement for cloud subscriptions.)" }, { "ControlID": "Azure_Subscription_AuthZ_Limit_ClassicAdmin_Count", "Description": "There should not be more than $($this.ControlSettings.NoOfClassicAdminsLimit) classic administrators", "Id": "SubscriptionCore160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCoAdminCount", "Recommendation": "You need to remove any 'Classic Administrators/Co-Administrators' who should not be in the role. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to 'Access Control (IAM)' and select the 'Classic Administrators' tab. (e) Select the co-administrator account that has to be removed and click on the 'Remove' button. (f) Perform this operation for all the co-administrators that need to be removed from the subscription.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "RoleDefinitionName", "Scope", "SignInName" ], "Rationale": "The v1 (ASM-based) version of Azure resource access model did not have much in terms of RBAC granularity. As a result, everyone who needed any access on a subscription or its resources had to be added to the Co-administrator role. These individuals are referred to as 'classic' administrators. In the v2 (ARM-based) model, this is not required at all and even the count of 2 classic admins currently permitted is for backward compatibility. (Some Azure services are still migrating onto the ARM-based model so creating/operating on them needs 'classic' admin privilege.)" }, { "ControlID": "Azure_Subscription_AuthZ_Remove_Management_Certs", "Description": "Use of management certificates is not permitted.", "Id": "SubscriptionCore170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckManagementCertsPresence", "Recommendation": "You need to remove any management certificates that are not required. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Subscriptions (c) Select the subscription (d) Go to Settings tab --> Management Certificates tab --> Delete unwanted management certificates.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "OwnerAccess", "GraphRead", "SubscriptionCore" ], "Enabled": true, "Rationale": "Just like classic admins, management certificates were used in the v1 model for script/tool based automation on Azure subscriptions. These management certificates are risky because the (private) key management hygiene tends to be lax. These certificates have no role to play in the current ARM-based model and should be immediately cleaned up if found on a subscription. (VS-deployment certificates from v1 timeframe are a good example of these.)" }, { "ControlID": "Azure_Subscription_Audit_Resolve_Azure_Security_Center_Alerts", "Description": "Pending Azure Security Center (ASC) alerts must be resolved", "Id": "SubscriptionCore190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAzureSecurityCenterAlerts", "Recommendation": "You need to address all active alerts on Azure Security Center. Please follow these steps: (a) Logon to https://portal.azure.com/ (b) Navigate to Security Center. (c) Click on Security Alerts under 'Threat Protection' category. (d) Take appropriate actions on all active alerts.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "SubscriptionCore" ], "Enabled": true, "PolicyDefinitionGuid": "SubscriptionCore190", "Rationale": "Based on the policies that are enabled in the subscription, Azure Security Center raises alerts (which are typically indicative of resources that ASC suspects might be under attack or needing immediate attention). It is important that these alerts/actions are resolved promptly in order to eliminate the exposure to attacks." }, { "ControlID": "Azure_Subscription_AuthZ_Dont_Add_SPNs_as_Owner", "Description": "Service Principal Names (SPNs) should not be Owners or Contributors on the subscription", "Id": "SubscriptionCore210", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSPNsRBAC", "Recommendation": "If this SPN needs access to your subscription, make sure you add it at the specific permission scope and role required for your scenario. For example, sometimes 'Contributor' access at 'Resource Group' scope might work. In other scenarios you may need 'Reader' access at 'Subscription' scope. Exact permission will vary based on your use case. If you want to remove the SPN, run command Remove-AzRoleAssignment -ObjectId '{objectId}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "OwnerAccess", "GraphRead", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "ObjectId", "ObjectType", "RoleDefinitionId", "RoleDefinitionName", "Scope" ], "Rationale": "Just like AD-based service accounts, SPNs have a single credential and most scenarios that use them cannot support multi-factor authentication. As a result, adding SPNs to a subscription in 'Owners' or 'Contributors' roles is risky." }, { "ControlID": "Azure_Subscription_SI_Lock_Critical_Resources", "Description": "Critical application resources should be protected using a resource lock", "Id": "SubscriptionCore220", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckResourceLocksUsage", "Recommendation": "Consider using Azure resource locks to protect those resources in the subscription that you absolutely cannot afford to be deleted (by accident). You have to identify such resources and apply locks to them. Run command 'New-AzResourceLock'. Run 'Get-Help New-AzResourceLock -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "SI", "SubscriptionCore" ], "Enabled": true, "Rationale": "A resource lock protects a resource from getting accidentally deleted. With proper RBAC configuration, it is possible to setup critical resources in a subscription in such a way that people can perform most operations on them but cannot delete them. resource locks can help ensure that important data is not lost by accidental/malicious deletion of such resources (thus ensuring that availability is not impacted)." }, { "ControlID": "Azure_Subscription_Config_ARM_Policy", "Description": "ARM policies should be used to audit or deny certain activities in the subscription that can impact security", "Id": "SubscriptionCore230", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckARMPoliciesCompliance", "Recommendation": "Run command 'Set-AzSKARMPolicies'. Run 'Get-Help Set-AzSKARMPolicies -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "Config", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "policyDefinition", "policyDefinitionName", "scope", "enabled" ], "FixControl": { "FixMethodName": "ConfigureARMPolicies", "FixControlImpact": "Medium", "Parameters": { "Tags": "" } }, "Rationale": "The AzSK subscription security setup configures a set of ARM policies which result in audit log entries upon actions that violate the policies. (For instance, an audit event is generated if someone creates a v1 resource in a subscription.) These policies help by raising visibility to potentially insecure actions. " }, { "ControlID": "Azure_Subscription_Audit_Configure_Critical_Alerts", "Description": "Alerts must be configured for critical actions on subscription and resources", "Id": "SubscriptionCore240", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCriticalAlertsPresence", "Recommendation": "Run command 'Set-AzSKAlerts -Force'. Run 'Get-Help Set-AzSKAlerts -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "Audit", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "Name", "OperationName", "Severity", "Enabled" ], "FixControl": { "FixMethodName": "ConfigureAlerts", "FixControlImpact": "Medium", "Parameters": { "SecurityContactEmails": "", "Tags": "" } }, "PolicyDefinitionGuid": "SubscriptionCore240", "Rationale": "The AzSK subscription security setup configures Insights-based alerts for sensitive operations in the subscription. These alerts notify the configured security point of contact about various sensitive activities on the subscription and its resources (for instance, adding a new member to subscription 'Owners' group or deleting a firewall setting or creating a new web app deployment, etc.)" }, { "ControlID": "Azure_Subscription_AuthZ_Custom_RBAC_Roles", "Description": "Do not use custom-defined RBAC roles", "Id": "SubscriptionCore250", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckCustomRBACRolesPresence", "Recommendation": "Run command 'Remove-AzRoleDefinition -Id {id}'. Run 'Get-Help Remove-AzRoleDefinition -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "Rationale": "Custom RBAC role definitions are usually tricky to get right. A lot of threat modeling goes in when the product team works on and defines the various 'out-of-box' roles ('Owners', 'Contributors', etc.). As much as possible, teams should use these roles for their RBAC needs. Using custom roles is treated as an exception and requires a rigorous review." }, { "ControlID": "Azure_Subscription_SI_Classic_Resources", "Description": "Do not use any classic resources on a subscription", "Id": "SubscriptionCore260", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPresenceOfClassicResources", "Recommendation": "Migrate each v1/ASM-based resource in your app to a corresponding v2/ARM-based resource. Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "SubscriptionCore" ], "AttestComparisionType": "NumLesserOrEqual", "Enabled": true, "PolicyDefinitionGuid": "37e0d2fe-28a5-43d6-a273-67d37d1f5606", "Rationale": "You should use new ARM/v2 resources as the ARM model provides several security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment/governance, access to managed identities, access to key vault for secrets, AAD-based authentication, support for tags and resource groups for easier security management, etc." }, { "ControlID": "Azure_Subscription_SI_Dont_Use_Classic_VMs", "Description": "Do not use any classic virtual machines on your subscription.", "Id": "SubscriptionCore261", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPresenceOfClassicVMs", "Recommendation": "Migrate each v1/ASM Virtual Machine in your subscription to a v2/ARM-based VM. Refer link https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-overview for resource migration.", "Tags": [ "SDL", "Best Practice", "Automated", "AuthZ", "SI", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "ResourceId", "SubscriptionId" ], "Rationale": "You should use new Azure (v2) resources as the ARM model provides several security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment/governance, access to managed identities, access to key vault for secrets, AAD-based authentication, support for tags and resource groups for easier security management, etc." }, { "ControlID": "Azure_Subscription_NetSec_Justify_PublicIPs", "Description": "Verify the list of public IP addresses on your subscription", "Id": "SubscriptionCore270", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIpUsage", "Recommendation": "Verify the list of public IP addresses used and delete the unwanted and unused ones immediately! To delete run 'Remove-AzPublicIpAddress -ResourceGroupName {ResourceGroupName} -Name {PublicIpAddressName}'. You might encounter an error if the public IP resource is associated with some other resource. Refer link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address#view-change-settings-for-or-delete-a-public-ip-address for more details.", "Tags": [ "SDL", "Automated", "Access", "NetSec", "SubscriptionCore" ], "Enabled": true, "Rationale": "Public IPs provide direct access over the internet exposing a cloud resource to all type of attacks over the public network. Hence use of public IPs should be carefully scrutinized/reviewed." }, { "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access", "Description": "Permanent access should not be granted for privileged subscription level roles", "Id": "SubscriptionCore281", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPermanentRoleAssignments", "Recommendation": "Use Privileged Identity Management (PIM) to grant access to privileged roles at subscription scope. To remove existing assignments run: 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}' -RoleDefinitionName {RoleDefinitionName}'. Refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#assign-roles.", "Tags": [ "SDL", "Automated", "Access", "AuthZ", "SubscriptionCore" ], "Enabled": true, "Rationale": "Permanent access increase the risk of a malicious user getting that access and inadvertently impacting a sensitive resource. To minimize this risk ensure that critical resources present in subscription are accessed only by the legitimate users when required. PIM facilitates this by limiting users to only assume higher privileges in a just in time (JIT) manner (or by assigning privileges for a shortened duration after which privileges are revoked automatically)." }, { "ControlID": "Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access_RG", "Description": "Permanent access should not be granted for privileged roles at resource group level", "Id": "SubscriptionCore282", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRGLevelPermanentRoleAssignments", "Recommendation": "Use Privileged Identity Management (PIM) to grant access to privileged roles at resource group scope. To remove existing assignments run: 'Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '/subscriptions/{subscriptionid}/resourceGroups/{resourceGroupName}' -RoleDefinitionName {RoleDefinitionName}'. Refer https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-pim-resource-rbac#assign-roles.", "Tags": [ "SDL", "Automated", "Access", "AuthZ", "SubscriptionCore", "RGPersistentAccess" ], "Enabled": true, "Rationale": "Permanent access increase the risk of a malicious user getting that access and inadvertently impacting a sensitive resource. To minimize this risk ensure that critical resources present in resource group are accessed only by the legitimate users when required. PIM facilitates this by limiting users to only assume higher privileges in a just in time (JIT) manner (or by assigning privileges for a shortened duration after which privileges are revoked automatically)." }, { "ControlID": "Azure_Subscription_Config_Add_Required_Tags", "Description": "Mandatory tags must be set per your organization policy", "Id": "SubscriptionCore290", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckMandatoryTags", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags#portal", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "Rationale": "Certain tags are expected to be present in all resources to support enterprise wide functions (e.g., security visibility based on environment, security scanning, cost optimization, etc.). The script checks for presence of such 'mandatory' and 'scenario-specific' tags. " }, { "ControlID": "Azure_Subscription_Config_ASC_Tier", "Description": "$($this.ControlSettings.SubscriptionCore.ASCTier) tier must be enabled for Azure Security Center", "Id": "SubscriptionCore300", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckASCTier", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "Rationale": "ASC standard tier enables advanced threat detection capabilities, which uses built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more" }, { "ControlID": "Azure_Subscription_Check_Credential_Rotation", "Description": "Ensure any credentials approaching expiry are rotated soon.", "Id": "SubscriptionCore310", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCredentialHygiene", "Recommendation": "Run Update-AzSKTrackedCredential with the 'ResetLastUpdate' switch with other required parameters (Subscription Id, credential name, etc.).", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "Rationale": "Periodic credential rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks. Credential expiry can also impact availability of existing apps." }, { "ControlID": "Azure_Subscription_Use_Only_Alt_Credentials", "Description": "Ensure that critical operations in the subscription are conducted using alternate (ALT) credentials", "Id": "SubscriptionCore320", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNonAlternateAccountsinPIMAccess", "Recommendation": "Go to Azure portal -> Priviledged Identity Management -> Azure Resources -> Select the scope -> Members-> Eligible roles and verify the non alernate accounts. Ensure that only alternate accounts are used as members of critical roles in the subscription. Do not use day to day user accounts.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "SubscriptionCore" ], "Enabled": true, "Rationale": "The regular / day to day use accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g., browsing the web, clicking on email links, etc.). A user account that gets compromised (say via a phishing attack) immediately subjects the entire cloud subscription to risk if it is a member of critical roles in the subscription. Use of smartcard-backed alternate (SC-ALT) accounts instead protects the cloud subscriptions from this risk. Moreover, for complete protection, all sensitive access must be done using a secure admin workstation (SAW) and Azure Privileged Identity Management (PIM)." }, { "ControlID": "Azure_Subscription_Config_ASC_Security_Policy", "Description": "Azure Security Center (ASC) policies must be correctly configured on the subscription.", "Id": "SubscriptionCore330", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSecurityPolicy", "Recommendation": "Run command 'Set-AzSKAzureSecurityCenterPolicies -SubscriptionId '<SubscriptionId>'. Run 'Get-Help Set-AzSKAzureSecurityCenterPolicies -full' for more help. You can also manage your policy settings from azure portal https://portal.azure.com for more details, visit https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy ", "Tags": [ "SDL", "TCP", "Automated", "Config", "SOX", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "id", "properties.logCollection", "properties.recommendations", "properties.securityContactConfiguration.areNotificationsOn", "properties.securityContactConfiguration.securityContactEmails", "properties.securityContactConfiguration.securityContactPhone", "properties.securityContactConfiguration.sendToAdminOn" ], "FixControl": { "FixMethodName": "ConfigureSecurityCenter", "FixControlImpact": "Medium" }, "Rationale": "ASC security policies define the desired configuration of your workloads and helps ensure you're complying with the security requirements of your company or regulators. It provides key policy settings (e.g., is patching configured for VMs?, is threat detection enabled for SQL?, etc.) and alerts about resources which are not compliant to those policy settings. Correctly configuring ASC is critical as it gives a baseline layer of protection for the subscription and commonly used resource types." }, { "ControlID": "Azure_Subscription_Config_ASC_Enable_AutoProvisioning", "Description": "Auto Provisioning must be set to ON in Azure Security Center.", "Id": "SubscriptionCore340", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAutoProvisioningForSecurity", "Recommendation": "For setting AutoProvisioning settings for your subscription, go to azure portal https://portal.azure.com. On the portal go to -->Seurity center - Pricing & Settings-->Select your subscription-->Settings - Data Collection, you can also run command 'Set-AzSKAzureSecurityCenterPolicies -SubscriptionId '<SubscriptionId>'' for setting up AutoProvisioning settings ", "Tags": [ "SDL", "TCP", "Automated", "Config", "SOX", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "id", "properties.logCollection", "properties.recommendations", "properties.securityContactConfiguration.areNotificationsOn", "properties.securityContactConfiguration.securityContactEmails", "properties.securityContactConfiguration.securityContactPhone", "properties.securityContactConfiguration.sendToAdminOn" ], "FixControl": { "FixMethodName": "ConfigureSecurityCenter", "FixControlImpact": "Medium" }, "Rationale": "ASC monitors various security parameters on a VM such as missing updates, OS security settings, endpoint protection status, and health and threat detections, etc using a monitoring agent. This agent needs to be provisioned and running on VMs for the monitoring work. When automatic provisioning is ON, ASC provisions the Microsoft Monitoring Agent (MMA) on all supported Azure VMs and any new ones that are created." }, { "ControlID": "Azure_Subscription_Config_ASC_Setup_SecurityContacts", "Description": "Security contact details must be configured in Azure Security Center. ", "Id": "SubscriptionCore350", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSecurityContactDetails", "Recommendation": "Run command 'Set-AzSKAzureSecurityCenterPolicies -SubscriptionId '<SubscriptionId>' -SecurityContactEmails '<comma separated emails ids>' -SecurityPhoneNumber '<contact number>'. Run 'Get-Help Set-AzSKAzureSecurityCenterPolicies -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "Config", "SOX", "SubscriptionCore" ], "Enabled": true, "DataObjectProperties": [ "id", "properties.logCollection", "properties.recommendations", "properties.securityContactConfiguration.areNotificationsOn", "properties.securityContactConfiguration.securityContactEmails", "properties.securityContactConfiguration.securityContactPhone", "properties.securityContactConfiguration.sendToAdminOn" ], "FixControl": { "FixMethodName": "ConfigureSecurityContact", "FixControlImpact": "Medium", "Parameters": { "SecurityContactEmails": "", "SecurityPhoneNumber": "" } }, "Rationale": "Security contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your customer data has been accessed by an unlawful or unauthorized party." } ] } |