Welcome back to the Security Controls in Microsoft Defender for Cloud blog series! This time we are here to talk about the security control: Implement security best practices.
Keeping your resources safe is a joint effort between your cloud provider, Azure, and you, the customer. You have to make sure your workloads are secure as you move to the cloud; at the same time, moving to IaaS (infrastructure as a service) puts more responsibility on you than PaaS (platform as a service) or SaaS (software as a service) did. Microsoft Defender for Cloud provides you with the tools needed to harden your network, secure your services and stay on top of your security posture.
“Implement security best practices” is the largest control: it includes more than 50 recommendations covering resources in Azure, AWS, GCP and on-premises. The list is updated constantly as our teams add new resource types and discover new attack techniques, vulnerabilities, and risky misconfigurations.
As of this writing (April 2021) this control does not affect your Secure Score, but this does not mean that you want to ignore or shelve these recommendations.
Just a reminder, recommendations flagged as “Preview” are not included in the calculation of your Secure Score. However, they should still be remediated wherever possible, so that when the preview period ends, they will contribute towards your score.
Defender for Cloud provides a comprehensive description, manual remediation steps, additional helpful information, and a list of affected resources for all recommendations.
Some of the recommendations have a “Quick Fix!” option that lets you remediate the issue quickly. In such cases we also provide a “View remediation logic” option so that you can review what happens behind the scenes when you click the “Remediate” button.
In addition, you may use the remediation scripts for your own automations/templates to avoid similar issues in the future. You can also find some remediation scripts in our GitHub Repository.
Let’s now review the most common recommendations from this security control that can be grouped into the following categories:
Category #1: App Services recommendations.
Keep your software up to date.
Keeping software up to date is one of the top security practices you need to implement to make sure your systems are not vulnerable to known threats. Operating systems and applications that are out of date or not updated regularly put you at risk because they carry known vulnerabilities, many of which threat actors can easily detect and exploit.
Newer software versions are released periodically, either to fix security flaws or to add functionality. Using the latest version of PHP/Java/Python/.NET/Node/Ruby for web/function/API apps is recommended so that you benefit from security fixes, if any, and from the new functionality of the latest version.
The following recommendations are part of this sub-category:
- Java should be updated to the latest version for your web app
- Java should be updated to the latest version for your API app
- Java should be updated to the latest version for your function app
- Python should be updated to the latest version for your web app
- Python should be updated to the latest version for your API app
- Python should be updated to the latest version for your function app
- PHP should be updated to the latest version for your web app
- PHP should be updated to the latest version for your API app
The manual remediation steps for these recommendations are:
- Navigate to Azure App Service
- Go to Configuration/General settings
- Select the latest stack version in the drop-down menu.
Implement Azure App Service best practices.
The following recommendations are part of this sub-category:
- Remote debugging should be turned off for API App
- Remote debugging should be turned off for Function App
- Remote debugging should be turned off for Web Applications
- Web apps should request an SSL certificate for all incoming requests
The manual remediation steps for these recommendations are:
- Navigate to Azure App Service
- Go to Configuration/General settings
- Make recommended changes.
Learn more about best practices for securing Azure App Services here.
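The two remediation procedures above are portal steps; the same settings can be checked in bulk from exported configuration. The following is an added example (not code from the original post or from Microsoft) that evaluates the JSON returned by `az webapp show` (site properties such as `clientCertEnabled`) and `az webapp config show` (site config such as `remoteDebuggingEnabled` and `linuxFxVersion`) against the remote-debugging, client-certificate and stack-version recommendations of both sub-categories. The `LATEST_STACK` table and the sample documents are constructed assumptions: "latest" changes over time and has to be maintained.

```python
"""Offline posture check for the App Service recommendations above.

Added example, not Microsoft's code. Input documents are shaped like the
output of `az webapp show` (site) and `az webapp config show` (config).
LATEST_STACK is an assumed, illustrative table of current stack versions.
"""
from __future__ import annotations

import re

# Assumed latest stack versions for illustration only (not an official list).
LATEST_STACK = {
    "PYTHON": (3, 9),
    "PHP": (8, 0),
    "NODE": (14,),
    "JAVA": (11,),
}


def parse_linux_fx(linux_fx_version: str) -> tuple[str, tuple[int, ...]] | None:
    """Split a Linux stack string: 'PYTHON|3.7' -> ('PYTHON', (3, 7)).

    Java values look like 'JAVA|11-java11'; only the leading numeric part is
    compared, so that yields ('JAVA', (11,)).
    """
    match = re.match(r"^([A-Za-z]+)\|(\d+(?:\.\d+)*)", linux_fx_version or "")
    if not match:
        return None
    stack = match.group(1).upper()
    version = tuple(int(part) for part in match.group(2).split("."))
    return stack, version


def _fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def check_app(site: dict, config: dict) -> list[str]:
    """Return the recommendation titles this app would be flagged for."""
    findings: list[str] = []

    # Remote debugging exposes a debugging endpoint on the app; it should be off.
    if config.get("remoteDebuggingEnabled"):
        findings.append("Remote debugging should be turned off")

    # Client certificate (mutual TLS) requirement for incoming requests.
    if not site.get("clientCertEnabled"):
        findings.append(
            "Web apps should request an SSL certificate for all incoming requests"
        )

    # Stack version: pad the observed version with zeros and compare only as
    # many components as the latest table defines, so 'PHP|8' is not flagged
    # against (8, 0) and 'PYTHON|3.9.1' is not flagged against (3, 9).
    parsed = parse_linux_fx(config.get("linuxFxVersion", ""))
    if parsed is not None:
        stack, version = parsed
        latest = LATEST_STACK.get(stack)
        if latest is not None:
            padded = version + (0,) * (len(latest) - len(version))
            if padded[: len(latest)] < latest:
                findings.append(
                    f"{stack.title()} should be updated to the latest version "
                    f"(found {_fmt(version)}, latest {_fmt(latest)})"
                )
    return findings


# Constructed sample documents shaped like the CLI output (not real resources).
SAMPLE_SITE = {"name": "contoso-web", "clientCertEnabled": False, "httpsOnly": True}
SAMPLE_CONFIG = {
    "remoteDebuggingEnabled": True,
    "linuxFxVersion": "PYTHON|3.7",
    "minTlsVersion": "1.2",
}
HARDENED_SITE = {"name": "contoso-web", "clientCertEnabled": True, "httpsOnly": True}
HARDENED_CONFIG = {
    "remoteDebuggingEnabled": False,
    "linuxFxVersion": "PYTHON|3.9",
    "minTlsVersion": "1.2",
}

if __name__ == "__main__":
    for label, site, cfg in (
        ("before", SAMPLE_SITE, SAMPLE_CONFIG),
        ("after", HARDENED_SITE, HARDENED_CONFIG),
    ):
        print(label, check_app(site, cfg) or ["no findings"])
```

Each finding maps to one Azure CLI change rather than a portal click: `az webapp config set --remote-debugging-enabled false`, `az webapp update --client-cert-enabled true`, and `az webapp config set --linux-fx-version "PYTHON|3.9"` (the value being whatever your maintained table says is current). Running the check against `az webapp list` output before and after such a script is a quick way to confirm the automation did what the recommendation asks.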
Category #2: Identity and access recommendations.
Secure your Azure Key Vaults.
You use Azure Key Vault to protect encryption keys and secrets like certificates, connection strings, and passwords in the cloud. When storing sensitive and business critical data, you need to take steps to maximize the security of your vaults and the data stored in them.
The following recommendations are part of this sub-category:
- Key Vault keys should have an expiration date.
- Key Vault secrets should have an expiration date.
- Key vaults should have purge protection enabled.
- Key vaults should have soft delete enabled.
- Validity period of certificates stored in Azure Key Vault should not exceed 12 months.
Learn more about Azure Key Vault security here.
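The five Key Vault recommendations above each test one property of the vault or of an object inside it. The following is an added example (not code from the original post or from Microsoft) that applies those tests offline to documents shaped like the output of `az keyvault show` (`properties.enableSoftDelete`, `properties.enablePurgeProtection`), `az keyvault key list` / `az keyvault secret list` (`attributes.expires`) and `az keyvault certificate show` (`attributes.notBefore`, `attributes.expires`). All sample documents are constructed, and the "12 months" limit is interpreted here as "expiry no later than the same calendar date one year after notBefore", which is my reading of the rule rather than Microsoft's stated implementation.

```python
"""Offline check of a Key Vault and its objects against the recommendations above.

Added example, not Microsoft's code. Inputs mirror the JSON returned by
`az keyvault show`, `az keyvault key list`, `az keyvault secret list` and
`az keyvault certificate show`; every sample document is constructed.
"""
from __future__ import annotations

from datetime import datetime


def parse_ts(value: str | None) -> datetime | None:
    """Parse an ISO-8601 timestamp as the CLI emits it; None stays None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def one_year_after(start: datetime) -> datetime:
    """Same calendar date next year (29 Feb falls back to 28 Feb)."""
    try:
        return start.replace(year=start.year + 1)
    except ValueError:
        return start.replace(year=start.year + 1, day=28)


def check_vault(vault: dict) -> list[str]:
    """Vault-level settings: soft delete and purge protection."""
    props = vault.get("properties", {})
    name = vault.get("name", "<vault>")
    findings: list[str] = []
    if not props.get("enableSoftDelete"):
        findings.append(f"{name}: Key vaults should have soft delete enabled")
    if not props.get("enablePurgeProtection"):
        findings.append(f"{name}: Key vaults should have purge protection enabled")
    return findings


def check_expiry(kind: str, objects: list[dict]) -> list[str]:
    """Keys and secrets must carry an expiration date (kind is 'key' or 'secret')."""
    return [
        f"{kind} {obj.get('name', '?')}: Key Vault {kind}s should have an expiration date"
        for obj in objects
        if parse_ts(obj.get("attributes", {}).get("expires")) is None
    ]


def check_certificates(certs: list[dict]) -> list[str]:
    """Certificate validity (notBefore to expires) must not exceed 12 months."""
    findings: list[str] = []
    for cert in certs:
        attrs = cert.get("attributes", {})
        nbf = parse_ts(attrs.get("notBefore"))
        exp = parse_ts(attrs.get("expires"))
        if nbf is None or exp is None:
            # Key Vault certificates always carry both dates; skip malformed input.
            continue
        if exp > one_year_after(nbf):
            findings.append(
                f"certificate {cert.get('name', '?')}: validity period should not "
                f"exceed 12 months (got {(exp - nbf).days} days)"
            )
    return findings


def audit(vault: dict, keys: list[dict], secrets: list[dict], certs: list[dict]) -> list[str]:
    """All five recommendations over one vault and its objects."""
    return (
        check_vault(vault)
        + check_expiry("key", keys)
        + check_expiry("secret", secrets)
        + check_certificates(certs)
    )


# Constructed sample documents (not real resources).
SAMPLE_VAULT = {
    "name": "kv-contoso",
    "properties": {"enableSoftDelete": True, "enablePurgeProtection": False},
}
SAMPLE_KEYS = [
    {"name": "app-signing", "attributes": {"enabled": True, "expires": None}},
    {"name": "db-wrap", "attributes": {"enabled": True, "expires": "2022-04-01T00:00:00+00:00"}},
]
SAMPLE_SECRETS = [
    {"name": "conn-string", "attributes": {"enabled": True, "expires": None}},
]
SAMPLE_CERTS = [
    {"name": "tls-24m", "attributes": {"notBefore": "2021-04-01T00:00:00+00:00",
                                       "expires": "2023-04-01T00:00:00+00:00"}},
    {"name": "tls-12m", "attributes": {"notBefore": "2021-04-01T00:00:00+00:00",
                                       "expires": "2022-04-01T00:00:00+00:00"}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_VAULT, SAMPLE_KEYS, SAMPLE_SECRETS, SAMPLE_CERTS):
        print(line)
```

Purge protection is checked separately from soft delete on purpose: soft delete alone still lets a principal with purge permission destroy a deleted vault or object immediately, which is why the two appear as distinct recommendations. The Azure CLI counterparts are `az keyvault update --enable-purge-protection true`, `az keyvault key set-attributes --expires <date>` and `az keyvault secret set-attributes --expires <date>`.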
Protect your Azure Subscriptions.
To reduce the potential for breaches by compromised owner accounts, it is recommended to limit the number of owner accounts to as few as necessary and require two-step verification for all users.
The following recommendations are part of this sub-category:
- A maximum of 3 owners should be designated for your subscription.
- External accounts with read permissions should be removed from your subscription.
- MFA should be enabled on accounts with read permissions on your subscription.
Configure notification settings.
To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Defender for Cloud.
The following recommendations are part of this sub-category:
- Email notification to subscription owner for high severity alerts should be enabled.
- Email notification for high severity alerts should be enabled.
- Subscriptions should have a contact email address for security issues.
The manual remediation steps for these recommendations are:
- From Defender for Cloud's menu, select Pricing & settings.
- Select the relevant subscription.
- Select 'Email notifications'.
- Enter the email recipients to receive notifications from Defender for Cloud.
- In the 'Notification type' area, ensure mails are sent regarding security alerts from severity 'high'.
- Select 'Save'.
Learn more about Azure Identity Management and Access Control security best practices here.
Category #3: Compute recommendations.
In most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) are the main workload for organizations that use cloud computing. This fact is evident in hybrid scenarios where organizations want to slowly migrate workloads to the cloud. In such scenarios, follow the general security considerations for IaaS, and apply security best practices to all your VMs.
The following recommendations are part of this category:
- Azure Backup should be enabled for virtual machines.
- Auto provisioning of the Log Analytics agent should be enabled on your subscription.
Defender for Cloud provides description, manual remediation steps and additional information for every recommendation in this category, e.g.:
Auto provisioning reduces management overhead by installing all required agents and extensions on existing - and new - machines to ensure faster security coverage for all supported resources. We recommend enabling auto provisioning, but it's disabled by default.
Learn more about securing IaaS workloads in Azure here.
Category #4: Data recommendations.
To help protect data in the cloud, you need to account for the possible states in which your data can occur, and what controls are available for that state. Best practices for Azure data security and encryption relate to the following data states:
- At rest: This includes all information storage objects, containers, and types that exist statically on physical media, whether magnetic or optical disk.
- In transit: When data is being transferred between components, locations, or programs, it’s in transit. Examples are transfer over the network, across a service bus (from on-premises to cloud and vice-versa, including hybrid connections such as ExpressRoute), or during an input/output process.
The following recommendations are part of this category:
- All advanced threat protection types should be enabled in SQL managed instance advanced data security settings.
- All advanced threat protection types should be enabled in SQL server advanced data security settings.
- An Azure Active Directory administrator should be provisioned for SQL servers.
- Audit retention for SQL servers should be set to at least 90 days.
- Azure Cosmos DB accounts should have firewall rules.
- Cognitive Services accounts should enable data encryption.
- Cognitive Services accounts should restrict network access.
- Cognitive Services accounts should use customer owned storage or enable data encryption.
- Geo-redundant backup should be enabled for Azure Database for MariaDB.
- Geo-redundant backup should be enabled for Azure Database for MySQL.
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL.
- Public network access on Azure SQL Database should be disabled.
- Private endpoint connections on Azure SQL Database should be enabled.
Defender for Cloud provides a description, manual remediation steps and additional information for every recommendation in this category.
Learn more about:
- Azure data security here.
- Securing Azure SQL Database and SQL Managed Instances here.
- Cognitive Services security here.
Category #5: IoT recommendations.
Securing an Internet of Things (IoT) infrastructure requires a rigorous security-in-depth strategy. This strategy requires you to secure data in the cloud, protect data integrity while in transit over the public internet, and securely provision devices. Each layer builds greater security assurance in the overall infrastructure.
The following recommendations are part of this category:
- IoT Devices - Auditd process stopped sending events.
- IoT Devices - Operating system baseline validation failure.
- IoT Devices - TLS cipher suite upgrade needed.
- IoT Devices - Open Ports on Device.
- IoT Devices - Permissive firewall policy in one of the chains was found.
- IoT Devices - Permissive firewall rule in the input chain was found.
- IoT Devices - Permissive firewall rule in the output chain was found.
- IoT Devices - Agent sending underutilized messages.
- IoT Devices - Default IP Filter Policy should be Deny.
- IoT Devices - IP Filter rule large IP range.
- IoT Devices - Agent message intervals and size should be adjusted.
- IoT Devices - Identical Authentication Credentials.
- IoT Devices - Audited process stopped sending events.
- IoT Devices - Operating system (OS) baseline configuration should be fixed.
- Diagnostic logs in IoT Hub should be enabled.
Learn more about securing an Internet of Things (IoT) infrastructure here.
Category #6: Networking recommendations.
Network security could be defined as the process of protecting resources from unauthorized access or attack by applying controls to network traffic. The goal is to ensure that only legitimate traffic is allowed. Azure includes a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure hosted resources, and to and from the internet and Azure.
The following recommendations are part of this category:
- Network traffic data collection agent should be installed on Linux virtual machines.
- Network traffic data collection agent should be installed on Windows virtual machines.
- Network Watcher should be enabled.
- Non-internet-facing virtual machines should be protected with network security groups.
- Subnets should be associated with a network security group.
- Access to storage accounts with firewall and virtual network configurations should be restricted.
Defender for Cloud provides a description, manual remediation steps and additional information for every recommendation in this category.
Learn more about Azure best practices for network security here.
Category #7: AWS and GCP recommendations.
Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
Onboarding your AWS and/or GCP accounts into Defender for Cloud integrates AWS Security Hub or GCP Security Command Center with Defender for Cloud. Defender for Cloud thus provides visibility and protection across these cloud environments:
- Detection of security misconfigurations.
- A single view showing Defender for Cloud recommendations and AWS/GCP security findings.
- Incorporation of your AWS/GCP resources into Defender for Cloud's secure score calculations.
- Regulatory compliance assessments of your AWS/GCP resources.
Defender for Cloud provides a description, manual remediation steps and additional information for every recommendation.
Note: Microsoft is actively partnering with other cloud providers to expand Defender for Cloud coverage and give customers comprehensive visibility across, and protection for, their multi-cloud environments. The list of supported providers, and the security insights Defender for Cloud pulls from those clouds, continues to grow, so expect the number of recommendations in this category to increase as we progress.
It is worth mentioning that some recommendations have a “Deny” or “Enforce” option that lets you prevent the creation of potentially insecure or non-compliant resources in the first place.
Reference:
Microsoft Security Best Practices
Azure security best practices and patterns
Top 10 Best Practices for Azure Security
Security controls and their recommendations
Security recommendations - a reference guide
Recommendations with deny/enforce options
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Azure Security experts.