Security benchmarks help organizations strengthen their security posture and meet various cloud security compliance requirements. The Microsoft cloud security benchmark announced at Ignite 2022 provides clear and concrete guidance to securely configure cloud resources.
Today, we are excited to announce a new Azure compute benchmark for Azure virtual machines. This newly released benchmark has the CIS recommended security configurations aligned with the Azure environment. This new benchmark takes into consideration the cloud-specific security controls and removes non-applicable controls that have no significant risk impact in cloud environment.
‘CIS Azure Compute Microsoft Windows Server 2019 Benchmark v1.0.0’ can be downloaded from CIS benchmark for Cloud compute. You will be able to seamlessly monitor the secure configuration settings of the new CIS benchmark in Microsoft Defender for Cloud as well as via the built-In Windows baseline Azure policy in the Azure policy Portal.
Figure 1: Azure Security and CIS benchmark team collaboration
Benchmark usage scenarios
Using Microsoft Defender for Cloud:
You will be able to monitor the security baseline settings for Windows Server in the Microsoft Defender for Cloud portal by going to the ‘Remediate Security Configurations’ in ‘Recommendations’ section and selecting ‘Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)’
Figure 2: Microsoft Defender for Cloud Portal
You will be able see the status of each baseline rule, view baseline failures through ‘Expected’ and ‘Actual’ values, understand the risk and impact of each misconfiguration, and view additional steps to remediate them.
Figure 3: Windows Baseline Recommendation
Using as a Built-In Policy in Azure Policy Portal:
Alternatively, you can also leverage the Windows Baseline available as a built-in policy to monitor the security configurations setting of your Windows servers. You can assign the “Windows machines should meet requirements of the Azure compute security baseline” and monitor the compliance results in the Azure Policy portal.
Figure 4: Azure Policy Portal
What Next?
- Achieving CIS benchmark certification for the Azure compute baseline: We will be working with the CIS benchmark team to certify the benchmark monitoring implementation to ensure it meets the CIS requirements.
- Publishing a Linux baseline for Ubuntu distributions that is specific to Azure compute: Similar to Windows Server Benchmark, we will be working with CIS benchmark team to develop the Linux baseline for Ubuntu distributions specific to Azure.
We want to thank the CIS benchmark team, contributors from the CIS community and multiple teams within Microsoft for their help with publishing the benchmark!
If you would like to participate in improving the benchmark or provide feedback, please send us an email. We would love to hear your success stories and feedback on how to make it better!
Additional References:
- CIS announces first Cloud-Focused Compute OS Benchmark for Azure ‘CIS Azure Compute Microsoft Windows Server 2019 Benchmark v1.0.0’ – Three Ways that Security in the Azure Cloud Just Got Simpler (cisecurity.org)
- CIS Azure Compute Microsoft Windows Server 2019 Benchmark v1.0.0 is now available to secure Azure compute VM (can be downloaded from – https://www.cisecurity.org/benchmark/microsoft_windows_server)
- Azure secure baseline rules alignment with new CIS Benchmark rule for the Azure computer – Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn
- Monitor the setting in Microsoft Defender for Cloud through Guest Configuration Agent – Understand the machine configuration feature of Azure Policy | Microsoft Learn
Microsoft
