Azure Governance and Management Blog

Apply CIS compliant Azure Security baselines through Azure Automanage!

akanksha_agrawal
Mar 22, 2023

We are thrilled to announce that Azure Automanage Machine Best Practices now lets you apply CIS-aligned Azure security baselines through Automanage Machine Configuration.


Azure Automanage Machine Best Practices is a consolidated management solution that simplifies daily server management through automation, handling the initial setup and configuration of Azure best-practice services. Automanage continuously monitors machines across their entire lifecycle and automatically brings them back into conformance should they drift from the desired state. And the best part: Automanage Machine Best Practices is generally available and free to use. You pay only for the services you enable, just as you would if you were configuring them manually, with no additional cost.


Azure has released a new Windows Server security benchmark that is fully compliant with the newly released CIS Azure Compute Microsoft Windows Server 2019 Benchmark. Developed in partnership with CIS, this compute benchmark includes cloud-specific security controls and removes non-applicable controls that have no significant risk impact in a cloud environment.

What’s new for Azure Automanage machine best practices and server security baselines

 

Using Automanage Machine Best Practices, you can now apply the CIS-compliant Windows baselines by leveraging the Automanage Machine Configuration offering. Machine Configuration is a key service that you can enable on your Azure virtual machines and Arc-enabled servers through an Automanage configuration profile. Just as Machine Best Practices lets customers describe the desired state for management services, Machine Configuration provides the same functionality inside the actual resources, by auditing or configuring operating system settings as code. When you select Machine Configuration in your configuration profile, Machine Configuration will automatically apply the Azure Windows security baseline settings*.


Machine Configuration can deliver changes within a machine in three different ways. You choose the mode by assigning one of the following values as a parameter of Machine Configuration definitions that support the policy effect DeployIfNotExists (DINE):

  • Audit - This mode reports the current state of the machine but does not make any change.
  • Apply and monitor - This mode applies the recommended change to the machine once and then monitors it for drift. If the configuration becomes non-compliant at any time, a manual remediation must be triggered to bring it back into compliance.
  • Apply and autocorrect - This mode applies the changes to the machine. If the machine drifts, the local service within the machine corrects it at the next evaluation.

These modes can be assigned through the Automanage portal experience (details in the Get started section below) or through an ARM template.
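
As an added example (not code from the original post or from the Automanage product documentation), the ARM template below creates a custom Automanage configuration profile with the Azure security baseline enabled, exposes the Machine Configuration mode as a parameter restricted to the three values described above, and assigns the profile to an existing Azure VM in the same resource group. The configuration keys (`AzureSecurityBaseline/Enable`, `AzureSecurityBaseline/AssignmentType` and the other `<Service>/Enable` keys), the `2022-05-04` API version and the `Microsoft.Automanage/default` assignment name are written from my recollection of the Automanage ARM reference and are assumptions to verify against the current template reference before deploying; the profile name and VM name are placeholder values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "profileName": {
      "type": "string",
      "defaultValue": "cis-aligned-baseline-profile",
      "metadata": { "description": "Placeholder name for the custom Automanage configuration profile (assumed value)." }
    },
    "vmName": {
      "type": "string",
      "metadata": { "description": "Existing Azure VM in this resource group that the profile is assigned to (placeholder, supplied at deployment time)." }
    },
    "baselineAssignmentType": {
      "type": "string",
      "defaultValue": "ApplyAndMonitor",
      "allowedValues": [ "Audit", "ApplyAndMonitor", "ApplyAndAutoCorrect" ],
      "metadata": {
        "description": "Machine Configuration mode for the Azure security baseline. Audit only reports; ApplyAndMonitor remediates once and then reports drift for manual remediation; ApplyAndAutoCorrect re-applies the baseline at every evaluation. Pilot with Audit or ApplyAndMonitor first, because an enforced baseline setting can break an application on a given server."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Automanage/configurationProfiles",
      "apiVersion": "2022-05-04",
      "name": "[parameters('profileName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "configuration": {
          "AzureSecurityBaseline/Enable": true,
          "AzureSecurityBaseline/AssignmentType": "[parameters('baselineAssignmentType')]",
          "Antimalware/Enable": true,
          "BootDiagnostics/Enable": true,
          "DefenderForCloud/Enable": true,
          "Backup/Enable": false,
          "UpdateManagement/Enable": false
        }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines/providers/configurationProfileAssignments",
      "apiVersion": "2022-05-04",
      "name": "[concat(parameters('vmName'), '/Microsoft.Automanage/default')]",
      "dependsOn": [
        "[resourceId('Microsoft.Automanage/configurationProfiles', parameters('profileName'))]"
      ],
      "properties": {
        "configurationProfile": "[resourceId('Microsoft.Automanage/configurationProfiles', parameters('profileName'))]"
      }
    }
  ]
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file automanage-profile.json --parameters vmName=<vm> baselineAssignmentType=Audit`, then raise the mode to ApplyAndMonitor or ApplyAndAutoCorrect once the Audit results show no findings that would break a workload. For Arc-enabled servers the assignment resource hangs off `Microsoft.HybridCompute/machines` instead of `Microsoft.Compute/virtualMachines` (also an assumption to confirm in the reference).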

Get started

 

Let’s dive deeper and show you how to get started:

 

- To enable Azure Automanage for servers in Azure and Arc-enabled servers, start by browsing to the Automanage portal and clicking “Enable on existing machine”.

- Then create a custom configuration profile in the Configuration profile selection option.

 

- Enable the Machine Configuration service in the custom configuration profile and select the Assignment type/mode of your choice.

 

- After you choose/create your profile, select the Azure virtual machines and/or Arc-enabled servers that you want your custom profile applied to.

 

- Once you have selected the machines, click “Review + Create”. This initiates the configuration profile assignment process, and Automanage then configures your machines with the best-practice services. Click the Status column to get the latest Automanage status report for your machines.

 

- You can query the compliance status for your entire environment using the Guest Assignments page in the Azure Portal, and through the Machine Configuration menu item within the Arc-enabled servers table of contents.

 

Through Guest Assignments:

 

Through the Guest Assignments view for Azure VMs and Arc-enabled servers, you can see all the configuration details for the selected subscriptions. At a high level, you are able to glance at the compliance across your environment.

 

By clicking into an individual Guest Assignment, you can see a breakdown of this compliance on a per-rule basis, as well as additional context on the reasons for non-compliance.

 

Through Arc-enabled servers Table of Contents:

 

This view is only for non-Azure machines – here you can see all the compliance across your Arc-enabled servers.

 

Clicking into an individual entry links to a Guest Assignment, showing you the breakdown of this compliance on a per-rule basis and reasons for non-compliance.

 

Voilà! With Azure Automanage, you can now just point and click to apply CIS-compliant Azure security baselines to your environment and view its compliance.

*Note: The Windows and Linux security baselines can be applied independently of Azure Automanage.

 

Related Resources

 

To keep learning about the exciting new capabilities of Azure Automanage:

 

Updated Sep 19, 2023
Version 3.0

8 Comments

  • Are there any plans to expand on this in the future?

    It would be great to be able to apply and monitor VM compliance directly from Azure, but as it is currently (June 2024), Automanage still lacks some key features for it to be usable in the real world:

    • Ability to customise the baseline policy (enable/disable checks)
    • Manual enforcement of individual checks
    • Rollback to initial state (prior to the first policy deployment)

    Albeit features 1 and 2 would already constitute a massive step forward.

  • -Dharma-
    Copper Contributor

    Somehow it would also be helpful to rebrand "Windows machines should meet requirements of the Azure compute security baseline" into something that holds the name "CIS" in it, or another reference to which CIS compute benchmark is actually being applied.

     

    Not doing that makes it a bit of guesswork which CIS compute items ended up in the benchmark. Or, as Roger Carlsson did, one would need to do that analysis oneself to see what the actual difference is.

     

    In an enterprise landscape 'one' wants to hear that the VM is compliant against the CIS compute benchmark rather than saying it's compliant on the security baseline benchmark.

     

    Furthermore it would be helpful to have configurable benchmark profiles so that differentiations can be made depending on the security requirements of a VM. (to avoid breaking changes as a result of the benchmark). 

     

    Last question: Is there a roadmap available somewhere for Automanage and its features?

  • Roger Carlsson
    Copper Contributor

    We applied the CIS Azure Compute Microsoft Windows Server Benchmark and did a CIS compliancy check through Qualys Cloud. 

     

    The standard Microsoft image without CIS Azure Compute Microsoft Windows Server Benchmark was showing 29% CIS compliancy.

    After applying the CIS Azure Compute Microsoft Windows Server Benchmark we could see 50% CIS compliancy.

    As a reference the CIS image from Cisecurity is showing 93% CIS compliancy.


    Is 50% CIS compliancy an expected result?

  • jikuja
    Brass Contributor

    Is there a way to add an exception for a particular baseline setting/server combo?

     

    Same question. Also, how to change expected values for some test?

     

    Also, ASC Default deploys the Windows machines should meet requirements of the Azure compute security baseline (72650e9f-97bc-4b2a-ab5f-9781a9fcecbc) policy, which deploys the AzureWindowsBaseline guest config assignment in Audit mode. Is there best practices documentation on how deploying the same guest config assignment should work?

     

    Any plans to support Baseline configs on automanage profile?

  • pj101
    Copper Contributor

    I don't see the option to select the assignment type for the Machine Configuration Service when creating a Configuration Profile. Just has the option to set Enable security baseline on or off.

  • Meenakshy
    Copper Contributor

    The article specifically talks about CIS compliant Windows baselines by leveraging the https://learn.microsoft.com/en-us/azure/governance/machine-configuration/ offering. Is the case the same with Linux?
    By enabling the security baseline in the https://learn.microsoft.com/en-us/azure/governance/machine-configuration/ offering on a Linux VM, can we expect it to be CIS compliant?

  • And also note, https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#unsupported-features on Trusted Launch VMs. :cry:

  • Really useful offering, but no doubt one of these baseline settings is going to break a random app on a random server. Is there a way to add an exception for a particular baseline setting/server combo?