Security Controls in Microsoft Defender for Cloud: Secure Score Series - Overview
Published May 04 2020 12:17 PM

Microsoft Defender for Cloud released the enhanced score model as public preview earlier this year. As part of the enhanced score model, recommendations have been grouped into security controls, which are logical groups of security recommendations. The security controls allow organizations to focus on all recommendations that are relevant to a specific scenario, for example encryption of data at rest. Each control has a specific number of points that are added to the secure score once all of its remediation steps are completed. The diagram below shows an example of some security controls that are part of the secure score:




In this first post of the series, we will give a brief overview of all security controls and what they entail. There will be additional blog posts in this series that will go deeper on each security control.
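To make the score model described above concrete, here is an added Go example (my own code, not part of the original post and not Defender for Cloud's implementation). It applies the formula documented for the enhanced score model, current score = max score × (healthy resources / total resources), with a resource counting as healthy for a control only when every recommendation in that control is remediated for it, which is what "points are added once all remediation steps are completed" means in practice. The control names, point values and per-resource results are constructed sample data, and treating a control with no applicable resources as counting toward neither the current nor the maximum score is my assumption.

```go
package main

import "fmt"

// Status is the assessment result of one recommendation for one resource.
type Status string

const (
	Healthy   Status = "Healthy"
	Unhealthy Status = "Unhealthy"
)

// Control is a security control: a group of recommendations worth MaxScore points.
// Results maps a resource ID to the status of each recommendation in the control.
type Control struct {
	Name     string
	MaxScore float64
	Results  map[string]map[string]Status
}

// resourceRemediated reports whether every recommendation in the control is healthy
// for one resource. A resource with even one unhealthy recommendation earns nothing.
func resourceRemediated(recs map[string]Status) bool {
	for _, s := range recs {
		if s != Healthy {
			return false
		}
	}
	return true
}

// ControlScore applies: current score = max score x (healthy resources / total resources).
func ControlScore(c Control) float64 {
	if len(c.Results) == 0 {
		return 0 // no applicable resources (assumption: excluded from the totals)
	}
	healthy := 0
	for _, recs := range c.Results {
		if resourceRemediated(recs) {
			healthy++
		}
	}
	return c.MaxScore * float64(healthy) / float64(len(c.Results))
}

// SecureScore sums the control scores; the portal shows percent = current / maximum.
func SecureScore(controls []Control) (current, maximum, percent float64) {
	for _, c := range controls {
		if len(c.Results) == 0 {
			continue // not applicable: counts toward neither side
		}
		current += ControlScore(c)
		maximum += c.MaxScore
	}
	if maximum > 0 {
		percent = 100 * current / maximum
	}
	return current, maximum, percent
}

// SampleControls is constructed sample data, not real assessment output.
func SampleControls() []Control {
	return []Control{
		{Name: "Enable MFA", MaxScore: 10, Results: map[string]map[string]Status{
			"sub-a": {"MFA for owners": Healthy, "MFA for writers": Healthy},
			"sub-b": {"MFA for owners": Healthy, "MFA for writers": Unhealthy},
		}},
		{Name: "Secure management ports", MaxScore: 8, Results: map[string]map[string]Status{
			"vm-1": {"JIT enabled": Healthy, "Close management ports": Healthy},
			"vm-2": {"JIT enabled": Healthy, "Close management ports": Healthy},
			"vm-3": {"JIT enabled": Healthy, "Close management ports": Healthy},
			"vm-4": {"JIT enabled": Unhealthy, "Close management ports": Healthy},
		}},
		{Name: "Apply data classification", MaxScore: 2, Results: map[string]map[string]Status{}},
	}
}

func main() {
	controls := SampleControls()
	for _, c := range controls {
		fmt.Printf("%-26s %5.2f / %5.2f\n", c.Name, ControlScore(c), c.MaxScore)
	}
	cur, max, pct := SecureScore(controls)
	fmt.Printf("Secure score: %.1f / %.1f (%.1f%%)\n", cur, max, pct)
}
```

Note how the sample plays out: sub-b has one unhealthy MFA recommendation, so the MFA control earns 5 of 10 points even though most of its recommendations are healthy; fixing that single item on sub-b is worth as much as the whole control earned so far, which is why prioritizing by secure score impact matters.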


Security Control #1: Enable MFA

Multi-factor authentication (MFA) is a process where a user is prompted during sign-in for an additional form of identification, such as entering a code from their cellphone or providing a fingerprint scan. If you only use a password to authenticate a user, it leaves an insecure attack vector: if the password is weak or has been exposed elsewhere, is it really the user signing in with that username and password? With MFA enabled, your accounts are more secure, and users can still sign on to almost any application with single sign-on.


Security Control #2: Secure Management Ports

Brute force attacks target management ports to gain access to a VM. These ports exist to perform management and maintenance tasks, so they do not always need to be open; reducing their exposure is therefore a mitigation strategy you can use to limit brute force attacks.

Securing management ports can be implemented through a few different methods, such as Just-in-time network access controls, network security groups and virtual machine port management. A tunnel can be used to establish secure network connections to other systems. Since many IT departments do not block outbound SSH communications from their network, attackers can create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker's command-and-control servers. WinRM uses the Windows Remote Management subsystem to provide remote management capabilities. Attackers can use WinRM to move laterally across your environment and use stolen credentials to access other resources on a network.


Security Control #3: Apply System Updates

System updates provide organizations with the ability to maintain operational efficiency, reduce security vulnerabilities, and provide a more stable environment for end users. Not applying updates can render environments susceptible to attacks due to unpatched vulnerabilities. These vulnerabilities can be exploited and lead to data loss, data exfiltration, ransomware, and resource abuse. To deploy system updates you can use the Update Management solution to manage patches and updates for your virtual machines. Update management is the process of controlling the deployment and maintenance of software releases.


Security Control #4: Remediate Vulnerabilities

A vulnerability is a weakness that a threat actor could leverage to compromise the confidentiality, availability, or integrity of a resource. Managing vulnerabilities reduces organizational exposure, hardens the endpoint surface area and increases organizational resilience. By managing vulnerabilities, organizations reduce the attack surface of their resources. Identifying, assessing, and remediating endpoint weaknesses is pivotal when running a security program and reducing organizational risk. Threat and Vulnerability Management provides visibility into software and security misconfigurations and provides recommendations for mitigations.


Security Control #5: Enable Encryption at Rest

Encryption at rest protects stored data. Attacks against data at rest include attempts to obtain physical access to the hardware on which the data is stored and then compromise the data it contains. Encryption-at-rest designs in Azure use symmetric encryption to encrypt and decrypt large amounts of data. A symmetric encryption key is used to encrypt data as it is written to storage, and the same key is used to decrypt that data as it is read into memory for use. Keys must be stored in a secure location with identity-based access control and audit policies. Data encryption keys are often themselves encrypted with a key held in Azure Key Vault to further limit access.


Attacks against data at rest include attempts to obtain physical access to the hardware and compromise the data on it. Encrypting the data is designed to prevent the attacker from accessing the unencrypted data: if an attacker obtains a hard drive containing the encrypted data but not the encryption keys, the attacker must break the encryption before accessing the data.
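The two-key design described in this control (a data encryption key that encrypts the stored data, itself wrapped by a key held in Key Vault) is usually called envelope encryption. The following Go program is an added example written for this post, not code from the post or from Azure; it uses AES-GCM from the Go standard library for both layers. The KEK byte string stands in for a Key Vault key and no Key Vault API is called, so the "unwrap" step that the vault would perform on behalf of an authorized identity is done locally here; the record being protected is constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedBlob is what is persisted: the wrapped DEK travels with the data,
// while the KEK stays in the key vault and is never written alongside it.
type EncryptedBlob struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // data sealed under the DEK, nonce prepended
}

// dekWrapContext is bound to the DEK wrap as associated data, so a wrapped DEK
// cannot be swapped in where ordinary ciphertext is expected, or vice versa.
var dekWrapContext = []byte("envelope-v1/dek-wrap")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key using a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// unseal reverses seal; any change to nonce, ciphertext or tag fails authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// EncryptAtRest generates a fresh 256-bit DEK for this object, encrypts the data
// with it, then wraps the DEK under the KEK. Only the wrapped DEK is stored.
func EncryptAtRest(kek, plaintext []byte) (EncryptedBlob, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return EncryptedBlob{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return EncryptedBlob{}, err
	}
	wrapped, err := seal(kek, dek, dekWrapContext)
	if err != nil {
		return EncryptedBlob{}, err
	}
	return EncryptedBlob{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptAtRest unwraps the DEK with the KEK (the step a key vault performs on
// behalf of an authorized identity), then decrypts the data with the DEK.
func DecryptAtRest(kek []byte, b EncryptedBlob) ([]byte, error) {
	dek, err := unseal(kek, b.WrappedDEK, dekWrapContext)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, b.Ciphertext, nil)
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for a vault-held KEK
	blob, err := EncryptAtRest(kek, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptAtRest(kek, blob)
	fmt.Printf("recovered %q, err=%v\n", plain, err)
	_, err = DecryptAtRest(bytes.Repeat([]byte{0x24}, 32), blob)
	fmt.Println("wrong KEK rejected:", err != nil)
}
```

Because each object gets its own DEK, rotating or revoking the KEK in the vault only requires re-wrapping the small DEKs rather than re-encrypting every stored object, and an attacker who copies the storage medium holds only ciphertext plus wrapped keys that are useless without vault access.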


Security Control #6: Encrypt Data in Transit

Organizations that fail to protect data in transit are susceptible to man-in-the-middle attacks, eavesdropping and session hijacking. Data transmitted between components, locations or programs is "in transit", and protecting it should be part of a data protection strategy. SSL/TLS protocols should be used to exchange data, and a VPN is recommended to isolate the traffic. When sending encrypted data over the internet between an Azure virtual network and an on-premises location, you can use Azure VPN Gateway, which is a virtual network gateway that sends encrypted traffic.


Security Control #7: Manage Access and Permissions

Managing access and permissions is critical for organizations. Giving users only the access necessary to perform their jobs (the need-to-know principle) and least privilege access are best practices. Role-based access control (RBAC) is the best way to control access to resources by creating role assignments. A role assignment consists of three elements: security principal, role definition and scope. These represent the identity requesting access, the permissions it is granted, and the set of resources those permissions apply to.


Security Control #8: Remediate Security Configurations

Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. The one thing that all organizations have in common is a need to keep their infrastructure, apps and devices secure. These resources must be compliant with the security standards (or security baselines) defined by the organization or its industry. Microsoft and industry work together to recommend these security configurations. Defender for Cloud includes the CCE ID for each setting and an explanation of its potential security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, industry, partners, and customers. The goal behind these recommendations is to prevent misconfigured assets.


Misconfigured IT assets have a higher risk of being attacked. Often, when assets are being deployed, there is a deployment deadline and basic hardening actions may be forgotten. Security misconfigurations can be at any level in the infrastructure, from the operating systems and network appliances to the resources in the cloud.


Security Control #9: Restrict Unauthorized Network Access

Organizations can limit and protect against unauthorized traffic by creating inbound and outbound rules. Endpoints within an organization provide a direct connection from your virtual network to supported Azure services. Without such rules, VMs in a subnet can communicate with all resources. To limit communication to and from resources in a subnet, create a network security group and associate it with the subnet; its inbound and outbound rules are what restrict unauthorized traffic.
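The inbound rules described here are also what decide whether the management ports from Security Control #2 are reachable, and an exported rule set can be checked for that offline. The following Go program is an added example, not code from the post or from Defender for Cloud. It models NSG evaluation as ascending priority, first match wins, with anything unmatched falling through to the platform's default DenyAllInBound rule, and reports which of SSH, RDP and WinRM an arbitrary Internet client could reach. The Rule struct and the sample rule set are constructed, and the simplification that only rules with an Internet-wide source decide the outcome for an arbitrary Internet client is my assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Rule mirrors the fields of an NSG security rule that matter for this check.
type Rule struct {
	Name      string
	Priority  int    // lower number is evaluated first
	Direction string // "Inbound" or "Outbound"
	Access    string // "Allow" or "Deny"
	Protocol  string // "Tcp", "Udp" or "*"
	Source    string // CIDR, service tag, or "*"
	DestPorts string // "3389", "22-23", "5985,5986" or "*"
}

// ManagementPorts are the remote-management ports the control cares about.
var ManagementPorts = map[int]string{22: "SSH", 3389: "RDP", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)"}

// internetWide reports whether a source prefix admits any Internet client.
func internetWide(src string) bool {
	switch strings.ToLower(src) {
	case "*", "internet", "0.0.0.0/0", "any":
		return true
	}
	return false
}

// portMatches checks a destination port spec ("*", "n", "lo-hi", comma-separated) against one port.
func portMatches(spec string, port int) bool {
	for _, part := range strings.Split(spec, ",") {
		part = strings.TrimSpace(part)
		if part == "*" {
			return true
		}
		if lo, hi, isRange := strings.Cut(part, "-"); isRange {
			l, errL := strconv.Atoi(lo)
			h, errH := strconv.Atoi(hi)
			if errL == nil && errH == nil && port >= l && port <= h {
				return true
			}
			continue
		}
		if v, err := strconv.Atoi(part); err == nil && v == port {
			return true
		}
	}
	return false
}

// ExposedManagementPorts evaluates inbound rules in ascending priority; the first
// matching rule decides and unmatched traffic hits the default DenyAllInBound rule.
// Rules scoped to a narrower source than the whole Internet are skipped because they
// cannot decide the fate of an arbitrary Internet client (simplifying assumption).
func ExposedManagementPorts(rules []Rule) []int {
	inbound := make([]Rule, 0, len(rules))
	for _, r := range rules {
		if strings.EqualFold(r.Direction, "Inbound") {
			inbound = append(inbound, r)
		}
	}
	sort.Slice(inbound, func(i, j int) bool { return inbound[i].Priority < inbound[j].Priority })

	var exposed []int
	for _, port := range []int{22, 3389, 5985, 5986} {
		for _, r := range inbound {
			proto := strings.ToLower(r.Protocol)
			if proto != "*" && proto != "tcp" {
				continue
			}
			if !portMatches(r.DestPorts, port) || !internetWide(r.Source) {
				continue
			}
			if strings.EqualFold(r.Access, "Allow") {
				exposed = append(exposed, port)
			}
			break // first matching rule decides; later rules never apply
		}
	}
	return exposed
}

// SampleRules is a constructed NSG, not one exported from a real subscription.
func SampleRules() []Rule {
	return []Rule{
		{Name: "allow-rdp-anywhere", Priority: 100, Direction: "Inbound", Access: "Allow", Protocol: "Tcp", Source: "*", DestPorts: "3389"},
		{Name: "allow-ssh-office", Priority: 110, Direction: "Inbound", Access: "Allow", Protocol: "Tcp", Source: "203.0.113.0/24", DestPorts: "22"},
		{Name: "deny-winrm", Priority: 120, Direction: "Inbound", Access: "Deny", Protocol: "*", Source: "Internet", DestPorts: "5985-5986"},
		{Name: "allow-all-in", Priority: 300, Direction: "Inbound", Access: "Allow", Protocol: "*", Source: "Internet", DestPorts: "*"},
	}
}

func main() {
	for _, p := range ExposedManagementPorts(SampleRules()) {
		fmt.Printf("port %d (%s) is reachable from the Internet; close it or place it behind JIT access\n", p, ManagementPorts[p])
	}
}
```

The sample shows the two ways exposure typically creeps in: an explicit "allow RDP from anywhere" rule, and a broad low-priority "allow all" rule that quietly exposes SSH even though the only SSH-specific rule is restricted to an office range. The explicit WinRM deny at priority 120 is honoured because it sits ahead of the broad allow.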


Security Control #10: Apply Adaptive Application Control

Adaptive application control is an intelligent, automated, end-to-end solution which allows you to control which applications can run on your Azure and non-Azure machines. It also helps to harden your machines against malware. Defender for Cloud uses machine learning to analyze applications and creates an allow list from this intelligence.


AAC is an innovative approach to application whitelisting, enabling you to realize the security benefits without the management complexity. In addition to alerting on attempts to run malicious applications that may have been missed by antimalware (blacklisting) solutions, AAC can help with the following:

  • Comply with your organization's security policy that dictates the use of only licensed software.
  • Avoid unwanted software being used in your environment.
  • Prevent old and unsupported apps from running.
  • Block specific software tools that are not allowed in your organization.
  • Enable IT to control access to sensitive data through app usage.

This is particularly important for Programs of Record, industry-certified machines (HIPAA/PCI DSS) or purpose-built servers that need to run a specific set of applications.


Security Control #11: Apply Data Classification

Data classification allows you to determine and assign value to your organization's data and provides the strategy and basis for governance. The classification process allows data to be classified by sensitivity and business impact. Azure Information Protection is a great tool to assist with data classification. It uses encryption, identity, and authorization policies to protect data and restrict data access. Some classifications that Microsoft uses are Non-business, Public, General, Confidential and Highly Confidential.


Security Control #12: Protect Applications against DDoS Attacks

DDoS attacks are a common concern among organizations. A DDoS attack overwhelms resources, rendering the application unusable. The main types of DDoS attack are the following. Volumetric attacks flood the network with seemingly legitimate traffic; DDoS Protection Standard mitigates these attacks by absorbing or scrubbing them automatically. Protocol attacks render a target inaccessible by exploiting weaknesses in the layer 3 and layer 4 protocol stack.


DDoS Protection Standard mitigates these attacks by blocking malicious traffic. Resource layer attacks target web application packets; using a web application firewall together with DDoS Protection Standard provides defense against these attacks.


Security Control #13: Enable Endpoint Protection

It is critical to make sure that your computer is running software that protects against malicious software. Malicious software, which includes viruses, spyware, or other potentially unwanted software, can try to install itself on your computer any time you connect to the Internet. It can also infect your computer when you install a program using a CD, DVD, or other removable media. Malicious software can also be programmed to run at unexpected times, not just when it is installed. Endpoint behavioral sensors collect and process data from the operating system and send this data to the private cloud for analysis. Security analytics leverage big data, machine learning, and other sources to recommend responses to threats. For example, Microsoft Defender for Endpoint uses threat intelligence to identify attack methods and generate alerts.


Defender for Cloud supports 7 endpoint solutions: Microsoft Defender Antivirus, System Center Endpoint Protection, Trend Micro, Symantec v12.1.1.1100, McAfee v10 for Windows, McAfee v10 for Linux and Sophos v9 for Linux. Once Defender for Cloud detects these solutions, the recommendations to install endpoint protection will no longer appear.


Security Control #14: Enable Auditing and Logging

Security logging and auditing provides options to help identify gaps in your security policies and mechanisms. Logging data provides insights into past problems, prevents potential ones, can improve application performance, and provides the ability to automate actions that would otherwise be manual.


Control/management logs provide information about Azure Resource Manager operations. Data plane logs provide information about events raised as part of Azure resource usage. Processed events provide information about analyzed events and alerts that have been processed.
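The control/management logs mentioned above are where changes to access (the role assignments of Security Control #7) and to network exposure first become visible. The following Go program is an added example, not code from the post or from Defender for Cloud: it parses a batch of Activity Log records and returns a finding for each succeeded Administrative operation on a small watch list. The record shape is a simplified version of the Activity Log JSON schema (operationName, status and category carry a nested value), the records themselves are constructed, the operation names are real Azure resource provider operation names, and the rationale text attached to each is mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ActivityEvent holds the Activity Log fields used here (schema simplified).
type ActivityEvent struct {
	EventTimestamp string `json:"eventTimestamp"`
	Caller         string `json:"caller"`
	ResourceID     string `json:"resourceId"`
	OperationName  struct {
		Value string `json:"value"`
	} `json:"operationName"`
	Status struct {
		Value string `json:"value"`
	} `json:"status"`
	Category struct {
		Value string `json:"value"`
	} `json:"category"`
}

// watchedOperations are control-plane operations that change who can do what or
// what is reachable. Keys are lower-cased operation names; values are my rationale.
var watchedOperations = map[string]string{
	"microsoft.authorization/roleassignments/write":               "role assignment granted",
	"microsoft.authorization/roleassignments/delete":              "role assignment removed",
	"microsoft.network/networksecuritygroups/securityrules/write": "NSG rule created or changed",
	"microsoft.compute/virtualmachines/extensions/delete":         "VM extension removed (e.g. endpoint protection agent)",
}

// Finding is one watched operation that actually completed.
type Finding struct {
	Time, Caller, Resource, Reason string
}

// Review parses a JSON array of Activity Log records and returns a finding for every
// succeeded Administrative operation on the watch list. "Started" and "Failed" records
// are skipped, so each change is reported once, when it took effect.
func Review(raw []byte) ([]Finding, error) {
	var events []ActivityEvent
	if err := json.Unmarshal(raw, &events); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, e := range events {
		if !strings.EqualFold(e.Category.Value, "Administrative") || !strings.EqualFold(e.Status.Value, "Succeeded") {
			continue
		}
		if reason, ok := watchedOperations[strings.ToLower(e.OperationName.Value)]; ok {
			findings = append(findings, Finding{Time: e.EventTimestamp, Caller: e.Caller, Resource: e.ResourceID, Reason: reason})
		}
	}
	return findings, nil
}

// SampleLog is a constructed batch of records in the Activity Log JSON shape, not a real export.
const SampleLog = `[
 {"eventTimestamp":"2021-10-25T12:00:01Z","caller":"alice@contoso.example","category":{"value":"Administrative"},
  "operationName":{"value":"Microsoft.Authorization/roleAssignments/write"},"status":{"value":"Started"},
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/ra-1"},
 {"eventTimestamp":"2021-10-25T12:00:02Z","caller":"alice@contoso.example","category":{"value":"Administrative"},
  "operationName":{"value":"Microsoft.Authorization/roleAssignments/write"},"status":{"value":"Succeeded"},
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/ra-1"},
 {"eventTimestamp":"2021-10-25T12:05:00Z","caller":"svc-deploy@contoso.example","category":{"value":"Administrative"},
  "operationName":{"value":"Microsoft.Network/networkSecurityGroups/securityRules/write"},"status":{"value":"Succeeded"},
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp"},
 {"eventTimestamp":"2021-10-25T12:06:00Z","caller":"bob@contoso.example","category":{"value":"Administrative"},
  "operationName":{"value":"Microsoft.Compute/virtualMachines/start/action"},"status":{"value":"Succeeded"},
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web-1"},
 {"eventTimestamp":"2021-10-25T12:07:00Z","caller":"bob@contoso.example","category":{"value":"Administrative"},
  "operationName":{"value":"Microsoft.Compute/virtualMachines/extensions/delete"},"status":{"value":"Failed"},
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web-1/extensions/IaaSAntimalware"}
]`

func main() {
	findings, err := Review([]byte(SampleLog))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-28s %-30s %s\n", f.Time, f.Caller, f.Reason, f.Resource)
	}
}
```

Of the five records, only two become findings: the role assignment write (reported once, on its Succeeded record rather than its Started one) and the NSG rule write by a deployment identity. The VM start is routine and the failed extension delete never took effect, although a failed attempt to remove an antimalware extension is itself something a reviewer may want to look at separately.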


Security Control #15: Implement Security Best Practices

Security has become less about defending the network and more about defending your data. Modern security practices "assume breach" of the network perimeter, so the next step is to manage identity. Losing keys and credentials is a common problem. Azure Key Vault protects keys and secrets by encrypting keys, .pfx files, and passwords. To protect VMs on PaaS and IaaS, avoid direct remote access to the VMs from the internet.


Virtual private networks are a great resource for accessing VMs. If VPNs are not available, then use complex passphrases and two-factor authentication such as Azure Multi-Factor Authentication. Two-factor authentication avoids the weaknesses inherent in username-and-password authentication. Using strong authentication and authorization platforms is another best practice. Using federated identities allows organizations to delegate management of authorized identities, which is also important when employees are terminated and their access needs to be revoked. Lastly, penetration testing should be a standard part of your build and deployment process.



Now that you are aware of all the security controls available in Defender for Cloud, make sure to continue monitoring your security posture and prioritize your remediation based on the security control order and secure score impact. Next, we will release a series of blogs that dive deeper into each security control, so stay tuned!



P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Azure Security experts.


Last updated: Oct 25 2021 01:02 PM