Microsoft Defender for Cloud - Recommendations
Microsoft Defender for Cloud - Recommendations
Recommendations
1. ‘container’
- Containers running in Azure should have vulnerability findings resolved
2. ‘microsoft.apimanagement/service’
- API Management minimum API version should be set to 2019-12-01 or higher
- API Management services should use a virtual network
- API Management should disable public network access to the service configuration endpoints
- Azure API Management platform version should be stv2
3. ‘microsoft.apimanagement/service/apis’
- API Management APIs should use only encrypted protocols
- ‘microsoft.apimanagement/service/subscriptions’
- API Management subscriptions should not be scoped to all APIs
4. ‘microsoft.cognitiveservices/accounts’
- Azure AI Services resources should have key access disabled (disable local authentication)
- Azure AI Services resources should restrict network access
- Cognitive Services should use private link
5. ‘microsoft.compute/virtualmachines’
- Adaptive application controls for defining safe applications should be enabled on your machines
- Adaptive network hardening recommendations should be applied on internet facing virtual machines
- All network ports should be restricted on network security groups associated to your virtual machine
- Allowlist rules in your adaptive application control policy should be updated
- Authentication to Linux machines should require SSH keys
- Azure Backup should be enabled for virtual machines
- EDR configuration issues should be resolved on virtual machines
- EDR solution should be installed on Virtual Machines
- Guest Attestation extension should be installed on supported Windows virtual machines
- Guest Configuration extension should be installed on machines
- Install endpoint protection solution on virtual machines
- Internet-facing virtual machines should be protected with network security groups
- IP forwarding on your virtual machine should be disabled
- Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.
- Log Analytics agent should be installed on virtual machines
- Machines should be configured securely
- Machines should be configured to periodically check for missing system updates
- Machines should have a vulnerability assessment solution
- Machines should have secrets findings resolved
- Machines should have vulnerability findings resolved
- Management ports of virtual machines should be protected with just-in-time network access control
- Management ports should be closed on your virtual machines
- Non-internet-facing virtual machines should be protected with network security groups
- Secure Boot should be enabled on supported Windows virtual machines
- System updates should be installed on your machines
- System updates should be installed on your machines (powered by Azure Update Manager)
- Virtual machines should be migrated to new Azure Resource Manager resources
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
- vTPM should be enabled on supported virtual machines
- Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)
- Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)
- Windows Defender Exploit Guard should be enabled on machines
- Windows servers should be configured to use secure communication protocols
- Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.
6. ‘microsoft.compute/virtualmachines’,’microsoft.compute/virtualmachinescalesets’
- Virtual machines and virtual machine scale sets should have encryption at host enabled
7. ‘microsoft.compute/virtualmachines’,’microsoft.operationalinsights/workspaces/onpremisemachines’
- Endpoint protection health issues on machines should be resolved
8. ‘microsoft.compute/virtualmachinescalesets’
- Endpoint protection health issues on virtual machine scale sets should be resolved
- Endpoint protection should be installed on virtual machine scale sets
- Log Analytics agent should be installed on virtual machine scale sets
- System updates on virtual machine scale sets should be installed
- Virtual machine scale sets should be configured securely
- ‘microsoft.compute/virtualmachinescalesets’,’microsoft.compute/virtualmachines’
- File integrity monitoring should be enabled on machines
9. ‘microsoft.containerregistry/registries’
- Container registries should not allow unrestricted network access
- Container registries should use private link
10. ‘microsoft.containerservice/managedclusters’
- Azure Kubernetes Service clusters should have Defender profile enabled
- Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed
- Azure running container images should have vulnerabilities resolved
- Container CPU and memory limits should be enforced
- Container images should be deployed from trusted registries only
- Container with privilege escalation should be avoided
- Containers sharing sensitive host namespaces should be avoided
- Containers should only use allowed AppArmor profiles
- Diagnostic logs in Kubernetes services should be enabled
- Immutable (read-only) root filesystem should be enforced for containers
- Kubernetes API server should be configured with restricted access
- Kubernetes clusters should be accessible only over HTTPS
- Kubernetes clusters should disable automounting API credentials
- Kubernetes clusters should not grant CAPSYSADMIN security capabilities
- Kubernetes clusters should not use the default namespace
- Least privileged Linux capabilities should be enforced for containers
- Privileged containers should be avoided
- Role-Based Access Control should be used on Kubernetes Services
- Running containers as root user should be avoided
- Services should listen on allowed ports only
- Usage of host networking and ports should be restricted
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
11. ‘microsoft.dbforpostgresql/flexibleservers’
- Microsoft Defender for SQL should be enabled for unprotected PostgreSQL flexible servers
12. ‘microsoft.documentdb/databaseaccounts’
- Azure Cosmos DB accounts should have firewall rules
- Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method
- Azure Cosmos DB should disable public network access
- CosmosDB accounts should use private link
13. ‘microsoft.eventhub/namespaces’
- Diagnostic logs in Event Hub should be enabled
14. ‘microsoft.keyvault/vaults’
- Diagnostic logs in Key Vault should be enabled
- Firewall should be enabled on Key Vault
- Key vaults should have purge protection enabled
- Key vaults should have soft delete enabled
15. ‘microsoft.network/applicationgateways’
- Web Application Firewall (WAF) should be enabled for Application Gateway
16. ‘microsoft.network/virtualnetworkgateways’
- VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users
17. ‘microsoft.network/virtualnetworks’
- Azure DDoS Protection Standard should be enabled
- Network Watcher should be enabled
- Virtual networks should be protected by Azure Firewall
18. ‘microsoft.network/virtualnetworks/subnets’
- Subnets should be associated with a network security group
19. ‘microsoft.operationalinsights/workspaces/onpremisemachines’
- Endpoint protection should be installed on machines
20. ‘microsoft.storage/storageaccounts’
- Secure transfer to storage accounts should be enabled
- Storage account public access should be disallowed
- Storage account should use a private link connection
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should prevent shared key access
- Storage accounts should restrict network access using virtual network rules
21. ‘subscription’
- A maximum of 3 owners should be designated for subscriptions
- Accounts with owner permissions on Azure resources should be MFA enabled
- Accounts with read permissions on Azure resources should be MFA enabled
- Accounts with write permissions on Azure resources should be MFA enabled
- Auto provisioning of the Log Analytics agent should be enabled on subscriptions
- Blocked accounts with owner permissions on Azure resources should be removed
- Blocked accounts with read and write permissions on Azure resources should be removed
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Guest accounts with owner permissions on Azure resources should be removed
- Guest accounts with read permissions on Azure resources should be removed
- Guest accounts with write permissions on Azure resources should be removed
- Microsoft Defender for APIs should be enabled
- Microsoft Defender for App Service should be enabled
- Microsoft Defender for Azure SQL Database servers should be enabled
- Microsoft Defender for Containers should be enabled
- Microsoft Defender for Key Vault should be enabled
- Microsoft Defender for open-source relational databases should be enabled
- Microsoft Defender for Resource Manager should be enabled
- Microsoft Defender for servers should be enabled
- Microsoft Defender for SQL servers on machines should be enabled
- Microsoft Defender for Storage plan should be enabled with Malware Scanning and Sensitive Data Threat Detection
- Subscriptions should have a contact email address for security issues
- There should be more than one owner assigned to subscriptions
This post is licensed under CC BY 4.0 by the author.