Microsoft Defender for Cloud Blog

Security Control: Remediate Security Configurations

Future_Kortor
Microsoft
Dec 02, 2020

Thanks for tuning back into our Microsoft Defender for Cloud Security Control Series, where we dive into the different Security Controls within Defender for Cloud's Secure Score. This post is dedicated to the Remediate Security Configurations control. As previously mentioned, organizations face different kinds of threats, and the need to keep infrastructure, apps and devices secure is essential across the business. Misconfigurations at any level in infrastructure, operating systems (OS) and network appliances lead to a heightened risk of attack. This security control enables Defender for Cloud to list possible misconfigurations within your environment. Remediate Security Configurations can provide a maximum four-point increase to your secure score.


At the time this blog was written, Remediate Security Configurations included the following recommendations:

  • Log Analytics agent should be installed on your virtual machines
  • Log Analytics agent health issues should be resolved on your machines
  • Vulnerabilities in security configuration on your machines should be remediated.
  • Log Analytics agent should be installed on virtual machine scale sets
  • Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
  • Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters (preview)
  • Overriding or disabling of containers AppArmor profile should be restricted (preview)
  • Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
  • Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)


Explanation of recommendations
Every organization’s environment is made up of resources that need to be kept secure to maintain the security hygiene of the company. For a more in-depth look at how Defender for Cloud can help you maintain those resources, keep reading!


Log Analytics agent should be installed on your virtual machines
Defender for Cloud monitors and collects data from virtual machines (VMs) using the Log Analytics agent. The agent reads security-related configurations and event logs from the machines, then copies only the necessary data to your Log Analytics workspace. Data collection from the agent is essential in giving Defender for Cloud visibility into missing updates, misconfigured OS security settings, endpoint protection status and health, and threat protection. Data collection is only needed for compute resources. Configuring auto-provisioning on these machines is recommended. With auto-provisioning turned on, Defender for Cloud deploys the Log Analytics agent on all Azure VMs in the subscription and on any VMs created in that subscription in the future.


While it is recommended that the agent be installed automatically, it can also be installed manually. When manually installing the agent on an Azure VM, make sure to download the latest version of the agent to ensure that it functions properly.
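The two installation paths described above, as an added example written for this post rather than code from the original article or from Microsoft. It assumes the Az.Security, Az.Compute and Az.OperationalInsights modules are installed and `Connect-AzAccount` has already been run; the resource group, VM and workspace names are placeholders, and the extension version is looked up rather than hard-coded because the exact current version is not stated on the page.

```powershell
# Added example (not from the original post). Placeholder names; replace with your own.
$ResourceGroup = 'rg-prod-placeholder'
$WorkspaceName = 'law-security-placeholder'
$VmName        = 'vm-web01-placeholder'

# 1. Preferred path: subscription-wide auto-provisioning, so Defender for Cloud deploys the
#    agent to every existing VM and to any VM created later in this subscription.
$setting = Get-AzSecurityAutoProvisioningSetting -Name 'default'
if ($setting.AutoProvision -ne 'On') {
    Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null
    Write-Host 'Auto-provisioning of the Log Analytics agent turned on for this subscription.'
}

# 2. Manual path for one VM: install the extension and point it at the workspace.
$workspace  = Get-AzOperationalInsightsWorkspace          -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$sharedKeys = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$vm         = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# The extension type differs by OS; the publisher is the same for both.
$extType = if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') { 'MicrosoftMonitoringAgent' } else { 'OmsAgentForLinux' }
$publisher = 'Microsoft.EnterpriseCloud.Monitoring'

# Resolve the latest published version so the VM gets a current agent (the post asks for the
# latest version on manual installs). TypeHandlerVersion wants "major.minor" only.
$latest = Get-AzVMExtensionImage -Location $vm.Location -PublisherName $publisher -Type $extType |
          Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
$handlerVersion = ($latest.Version -split '\.')[0..1] -join '.'

# The workspace key goes in protected settings only; it must never appear in the public settings,
# which are readable by anyone with read access to the VM resource.
$publicSettings    = @{ workspaceId  = $workspace.CustomerId.ToString() }
$protectedSettings = @{ workspaceKey = $sharedKeys.PrimarySharedKey }

Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Location $vm.Location `
    -Name $extType -Publisher $publisher -ExtensionType $extType -TypeHandlerVersion $handlerVersion `
    -Settings $publicSettings -ProtectedSettings $protectedSettings
```

If you only ever use the manual path, remember that the recommendation keeps reappearing for every new VM; the auto-provisioning setting is what keeps the control green over time.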


Log Analytics agent health issues should be resolved on your machines
Aside from just installing the agent, it also needs to be configured correctly to make sure that your machines are being properly monitored. In case you’re wondering how you would know if the agent is set up correctly, this recommendation is here to tell you! When viewing this recommendation, click the Unhealthy Resources tab to see which VMs do not have the Agent properly installed. If any agents were manually installed, you must verify that the latest version of the agent is in use. After confirming that you’re using the latest version of the agent, check the "Reason" column to guide you in remediating your machine.
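One way to check agent health yourself, outside the recommendation's Unhealthy Resources tab, is to query the Heartbeat table that the agent writes to the workspace. This is an added example, not code from the original post or from Microsoft; it assumes the Az.OperationalInsights module and an existing workspace, and the resource group, workspace name and staleness window are placeholders you would adjust.

```powershell
# Added example (not from the original post). Placeholder names; replace with your own.
$ResourceGroup = 'rg-prod-placeholder'
$WorkspaceName = 'law-security-placeholder'
$StaleAfter    = '1h'   # assumption: an agent silent for longer than this is treated as unhealthy

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Heartbeat rows are written by the agent itself, so a gap means the agent is stopped, broken,
# or was never installed. arg_max keeps the version reported with the most recent heartbeat.
$kql = @"
Heartbeat
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, Version, OSType) by Computer
| where TimeGenerated < ago($StaleAfter)
| project Computer, OSType, LastHeartbeat = TimeGenerated, AgentVersion = Version
| order by LastHeartbeat asc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId.ToString() -Query $kql
$stale  = @($result.Results)

if ($stale.Count -eq 0) {
    Write-Host "Every machine sent a heartbeat within the last $StaleAfter."
} else {
    Write-Host "$($stale.Count) machine(s) have not reported for more than $StaleAfter:"
    # AgentVersion lets you spot manually installed, out-of-date agents, which the post says to
    # rule out before working through the 'Reason' column.
    $stale | Format-Table Computer, OSType, LastHeartbeat, AgentVersion -AutoSize
}
```

Machines that never sent a heartbeat at all will not appear here (there is nothing to aggregate); those surface as "agent not installed" in the previous recommendation rather than in this one.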


Vulnerabilities in security configuration on your machines should be remediated.
This recommendation covers the security configuration of your machines. Here we are focusing on vulnerabilities in the configuration of the machine’s operating system (OS).


Clicking on this recommendation takes you to a page that lists the specific VMs in your environment and the OS configuration settings on them that do not align with Defender for Cloud’s recommended settings. In the environment shown when this post was written, the VMs had failed 246 OS configuration rules in total. The number of failed rules is broken down by machine type, Linux or Windows, and the rules are further broken down by severity and type.


In the Operating System tab, the column titled "State" shows the state of the OS vulnerability. The state here is listed as "open" because the vulnerability has not yet been resolved. Defender for Cloud uses Common Configuration Enumeration (CCE), which assigns a unique identifier, shown in the CCEID column, to each security-related system configuration issue.


Log Analytics agent should be installed on virtual machine scale sets
We have encountered our good friend, the Log Analytics agent, once again. If you’re looking to avoid updating numerous virtual machines in your environment one by one, virtual machine scale sets are the way to go! Virtual machine scale sets enable you to manage, update and configure multiple virtual machines as a unit. Scale sets can support up to 1,000 VM instances, or up to 600 instances if you choose to create and upload your own custom virtual machine images. In order to give Defender for Cloud visibility into the security configurations of your scale sets and an accurate look at your environment’s security hygiene, the Log Analytics agent should also be installed on your virtual machine scale sets. Auto-provisioning of the agent for Azure virtual machine scale sets is currently not available.
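Because auto-provisioning does not cover scale sets, the agent has to be added to each scale set's model explicitly. The following is an added example, not code from the original post or from Microsoft; it assumes the Az.Compute and Az.OperationalInsights modules, placeholder resource names, and looks up the extension version rather than hard-coding it.

```powershell
# Added example (not from the original post). Placeholder names; replace with your own.
$ResourceGroup = 'rg-prod-placeholder'
$WorkspaceName = 'law-security-placeholder'
$VmssName      = 'vmss-web-placeholder'

$workspace  = Get-AzOperationalInsightsWorkspace          -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$sharedKeys = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$vmss       = Get-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName

$publisher = 'Microsoft.EnterpriseCloud.Monitoring'
$extType   = if ($vmss.VirtualMachineProfile.StorageProfile.OsDisk.OsType -eq 'Windows') { 'MicrosoftMonitoringAgent' } else { 'OmsAgentForLinux' }

# Latest published "major.minor" of the extension for this region.
$latest = Get-AzVMExtensionImage -Location $vmss.Location -PublisherName $publisher -Type $extType |
          Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
$handlerVersion = ($latest.Version -split '\.')[0..1] -join '.'

# Make the script safe to re-run: only touch the model if the extension is not already in it.
$already = $vmss.VirtualMachineProfile.ExtensionProfile.Extensions | Where-Object { $_.Type -eq $extType }
if (-not $already) {
    $vmss = Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name $extType `
        -Publisher $publisher -Type $extType -TypeHandlerVersion $handlerVersion -AutoUpgradeMinorVersion $true `
        -Setting          @{ workspaceId  = $workspace.CustomerId.ToString() } `
        -ProtectedSetting @{ workspaceKey = $sharedKeys.PrimarySharedKey }      # key stays in protected settings
    Update-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName -VirtualMachineScaleSet $vmss | Out-Null
}

# Updating the model is not enough under a Manual upgrade policy: existing instances keep the
# old model (and stay unhealthy in Defender for Cloud) until each one is upgraded.
if ($vmss.UpgradePolicy.Mode -eq 'Manual') {
    Get-AzVmssVM -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName |
        ForEach-Object { Update-AzVmssInstance -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName -InstanceId $_.InstanceId | Out-Null }
}
```

With an Automatic or Rolling upgrade policy the last step is unnecessary, but checking `UpgradePolicy.Mode` first is what prevents the common "I installed it, why is the scale set still flagged?" situation.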


Vulnerabilities in security configuration on your virtual machine scale sets should be remediated

Remediating security configurations on VMs doesn’t stop at the machine itself. Vulnerabilities in the security configuration of VM scale sets are just as important to fix in order to protect them from attacks. When you click on an unhealthy scale set, Defender for Cloud gives you a list of the rules that your scale set did not meet, along with their descriptions.


Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters (Preview)
Azure Policy for Kubernetes clusters safeguards your clusters by managing and reporting their compliance state. The add-on uses Gatekeeper v3, the admission controller webhook for Open Policy Agent (OPA), to receive any policies that have been assigned to the clusters, apply those policies to your Kubernetes cluster, and report the details back to Azure Policy.

This recommendation comes with a Quick Fix button that lets you deploy the Azure Policy Add-on for AKS with only a couple of clicks. The installation can also be completed manually. Azure Policy then gives you the option to assign built-in policy definitions to your Kubernetes clusters where you see fit.


Overriding or disabling of containers AppArmor profile should be restricted (Preview)
Application Armor, or AppArmor, is a Linux security module that protects an OS and its applications from both external and internal security threats. A system administrator can restrict a program’s capabilities by associating it with an AppArmor security profile. The profile protects against attacks by limiting which resources the program can access and which privileges it can use. To protect the containers running on your Kubernetes cluster, they need to be limited to allowed AppArmor profiles only.
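Putting the two Kubernetes recommendations together (the Azure Policy add-on from the previous section and the AppArmor restriction here), this added example assigns the built-in policy that enforces allowed AppArmor profiles at cluster scope. It is not code from the original post or from Microsoft. It assumes the Az.Aks and Az.Resources modules, placeholder cluster and resource-group names, that the add-on profile key is `azurepolicy`, that the built-in definition's display name is "Kubernetes cluster containers should only use allowed AppArmor profiles", and that its parameter is named `allowedProfiles`; check those last three against your tenant's policy definition before relying on them.

```powershell
# Added example (not from the original post). Placeholder names; replace with your own.
$ResourceGroup = 'rg-aks-placeholder'
$ClusterName   = 'aks-prod-placeholder'

$cluster = Get-AzAksCluster -ResourceGroupName $ResourceGroup -Name $ClusterName

# 1. Gatekeeper (the add-on) must be running before any assignment has an effect.
#    Assumption: the add-on profile key is 'azurepolicy'.
$addon = $cluster.AddonProfiles['azurepolicy']
if (-not $addon -or -not $addon.Enabled) {
    throw "Azure Policy add-on is not enabled on $ClusterName. Use the recommendation's Quick Fix (or enable the add-on manually) first."
}

# 2. Look the built-in definition up by display name instead of hard-coding its GUID.
#    Older Az.Resources exposes DisplayName under .Properties, newer versions at top level; handle both.
$displayName = 'Kubernetes cluster containers should only use allowed AppArmor profiles'   # assumption
$definition  = Get-AzPolicyDefinition -Builtin |
               Where-Object { $_.Properties.DisplayName -eq $displayName -or $_.DisplayName -eq $displayName } |
               Select-Object -First 1
if (-not $definition) { throw "Built-in policy '$displayName' was not found in this tenant." }

# 3. Assign it to the cluster. 'runtime/default' is the container runtime's default profile;
#    a pod that tries to switch a container to 'unconfined' (disabling AppArmor) or to a profile
#    not in this list is rejected at admission. Start with effect 'audit' to see what would be
#    blocked, then move to 'deny'.
$params = @{
    effect          = 'audit'
    allowedProfiles = @('runtime/default')   # assumption: parameter name as in the built-in definition
}
New-AzPolicyAssignment -Name 'aks-apparmor-allowed-profiles' `
    -DisplayName 'Restrict container AppArmor profiles' `
    -Scope $cluster.Id -PolicyDefinition $definition -PolicyParameterObject $params | Out-Null

Write-Host "Assigned '$displayName' to $ClusterName in $($params.effect) mode."
```

Audit results land in the Azure Policy compliance view (and therefore in this Defender for Cloud recommendation) after the add-on's next sync, so give it some minutes before judging whether the assignment took effect.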


Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
Linux-based machines onboarded through Azure Arc should also have the Log Analytics agent. Although a machine onboarded through Azure Arc may be hosted on-premises or with another Cloud Solution Provider (CSP), it still needs the Log Analytics agent for Defender for Cloud to monitor its security configuration and workloads. The Quick Fix button can install the agent with a single click, or you can install the agent manually by following the remediation steps.


Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
Like Linux-based machines, Windows-based machines onboarded through Azure Arc also need the Log Analytics agent. A Quick Fix button is available here as well to install the agent, alongside the option to install it manually on Windows-based machines.


Conclusion
The Remediate Security Configurations control is not a one-time fix. As you continue to onboard machines into your environment, these recommendations should be revisited to make sure you’re keeping up with the security hygiene of your machines. Improving the security hygiene of your VMs and infrastructure is another great step forward in improving your overall security posture and increasing your secure score.


P.S. Consider joining our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.


Acknowledgements

Reviewer: Yuri Diogenes, Principal PM for ASC CxE Team

Contributor: @Kerinne Browne

Thank you so much for assisting me in writing this blog post!


Updated Dec 20, 2021
Version 5.0
  • Hi Microsoft, I'm wondering if Microsoft could provide better documentation about the control "Vulnerabilities in security configuration on your machines should be remediated." The items that are flagged by Security Center do not seem to have correlation with existing Windows OS security baselines in the Security Compliance Toolkit. For example, in my experience a newly deployed domain controller running Server 2019 and having the baseline applied still has over 50 recommended misconfigurations in Azure Security Center. It seems that even if these recommendations were on a specific location in docs, then it would enable customers to proactively apply the recommended configurations rather than have to wade through Security Center and then manually fix them--because often the recommendations are Group Policy setting recommendations that can't be easily automatically remediated by Azure but nonetheless still need to be mitigated. Any thoughts from the team? Thank you.

  • SergioT1228
    Brass Contributor

    Hello, I also have a question regarding the "Remediate security configurations" from the Machines should be configured securely control. How can we export all the critical findings? I've tried to isolate a query or use the GUI but I have not been able to find a way to get the list to distribute to our tower leads for review. Please advise.

    Cheers,

  • One of my customers would like to know if the 'Remediate security configurations' can be applied to the resource of AWS account in Defender for Cloud. Please advise.


    Regards,