While reviewing security recommendations under the ‘Implement security best practices’ control with a customer through the Microsoft Defender for Cloud portal, the customer was asking about a particular recommendation around 'Guest Configuration extension should be installed on machines'.
A quick examination of this recommendation reveals the ability of Microsoft Defender for Cloud to extend and monitor security recommendations and posture management within the OS of Windows and Linux. By clicking on the related recommendations we were able to review additional recommendations to discover and check for compliance.
We did not stop there, explaining that Guest Configuration also supports the ability for you to customize your recommendations by looking for settings or software within the OS of servers. A whole entire security and best practices conversation opens with a world of possibilities to check for, including your organizations best practices and security recommendations developed and implemented over the years.
After discussing Guest Configuration and the ability to customize it look for your organizations recommendations, the customer had an immediate use case come to mind, they wanted to extend a new check for certain software in their Windows Servers. In this case they leveraged Nessus scanners and agents in their cloud assets and on-premises.
Much like a security recommendation to install an AV or install a vulnerability management they wanted to be notified of Windows servers that needed Nessus scanner agents. The following walkthrough can be used to understand the mechanics of authoring to check for installed software and provide a recommendation into Defender for Cloud. In this example you can use Nessus scanner agent.
Prerequisite:
In order to take advantage of this capability you must ensure that Guest Configuration is deployed to your Azure VMs and Azure Arc Connected servers. For enterprises you will want to take advantage of native built in capabilities like Auto provisioning the Guest Configuration extension in Microsoft Defender for Cloud. This way as new VMs are created or deallocated VMs are turned on they will also receive the Guest Configuration.
With the Guest Configuration extension set to deploy a variety of opportunities to check for your organizations software requirements and settings inside the OS awaits.
Development Process:
Overall, there is 7 steps documented process to author, develop, and deploy; this blog will summarize each step however will link to each Azure Doc along that step so you can get full details if desired.
Steps 1 through 6 are done in an Authoring VM with PowerShell.
Step 7 is done in the Microsoft Defender for Cloud portal, but could be done through PowerShell, this would allow a DevOps approach to existing and new subscriptions coming online.
4 of these steps are used to produce the Desired State Configuration files for Guest Configuration.
Steps 5 and 6 use PowerShell to create the custom Guest Configuration Azure Policy and publish it to your subscription.
Step 1: build Authoring VM and Author DSC checking for a windows service
To start be sure to use the following Azure documentation to create a Azure VM that will host the Authoring tools and software to work with Guest Configuration. The key here is a Azure VM with Windows 10 or Windows Server. You will want to install the following:
Download and Install PowerShell 7.1.3 or higher:
https://github.com/PowerShell/PowerShell/releases/download/v7.1.3/PowerShell-7.1.3-win-x64.msi
Be sure to install any software you want to detect in our example you can install through cmdline Nessus Agent
Using the PowerShell 7 (x64) console, install the following modules:
Install-Module Az
Install-Module GuestConfiguration
Once you have the tools installed and ready to go you can open up any text editor VS Code, Notepad, or PowerShell ISE console. The following below is used for checking a Windows Service, since most AV or Vulnerability scanning software on servers leverage a Windows Service and are always running this may be the easiest way to detect.
configuration WindowsNessusAgentService
{
Import-DscResource -ModuleName PSDSCResources
Node localhost
{
Service TenableNessusAgent
{
Name = "Tenable Nessus Agent"
StartupType = "Automatic"
State = "Running"
Ensure = "Present"
}
}
}
Save the file as WindowsNessusAgentService.ps1 . You have just created a DSC based powerShell script. DSC with Guest Configuration has many other states to check for, please use the PSDSCResources module as it works with Guest Configuration. Use the following website to see other states to check for: PowerShell/PSDscResources (github.com)
Step 2: Compile DSC .ps1 to generate the .mof state file
Using the PowerShell 7 (x64) console use the following PS commands to load the DSC into memory and compile the .mof file
. .\WindowsNessusAgentService.ps1
WindowsNessusAgentService
Afterwards a folder should be created called WindowsNessusAgentService and within the folder a compiled localhost.mof file. Open the localhost.mof file in a text editor and take a look, you may want to remove or update author as this is the account name on the VM used to generate the .mof file.
Step 3: Create a Guest Configuration package .zip file
In this next step you will use the cmdlets from the GuestConfiguration module to generate a package using the .mof and zip the data into a archive for Azure Policy Guest Configuration.
New-GuestConfigurationPackage `
-Name 'WindowsNessusAgentService' `
-Configuration './WindowsNessusAgentService/localhost.mof' `
-Type Audit `
-Force
Step 4: Test Guest Configuration policy in local environment
You want to be sure that the Guest Configuration will execute DSC properly and if the DSC results occur as desired. To do this use the following GuestConfiguration PS cmdlet to test the package.
Get-GuestConfigurationPackageComplianceStatus -Path ./WindowsNessusAgentService/WindowsNessusAgentService.zip
Step 5: Publish custom Guest Configuration package to Azure Blob Storage
In this step you will use another GuestConfiguration cmdlet to upload the .zip package you tested previously to a Azure Blob Storage account – in addition a blob uri will be returned with a sas signature that lasts a few years. This sas based signature will be used when creating the Azure policy and publishing it in the next step.
Publish-GuestConfigurationPackage -Path './WindowsNessusAgentService/WindowsNessusAgentService.zip' `
-ResourceGroupName SwiftSolvesDSC -StorageAccountName swiftsolvesdsc | % ContentUri
Copy the sas url signature
Step 6: Create the custom Azure Policy definition id
In this next step we are going to take the Guest Configuration package in Azure Blob Storage and use it to define a new custom Azure Policy definition. Start with creating a new guid.
New-Guid
With the new guid and sas blob uri use the following ps cmdlets and replace where necessary.
New-GuestConfigurationPolicy `
-PolicyId '79436b22-db38-4367-b41d-62a8181faf2c' `
-ContentUri 'https://somestorage.blob.core.windows.net/guestconfiguration/WindowsNessusAgentService.zip?sv=2020-08-04&st=2022-02-08T17%3A12%3A03Z&se=2025-02-08T17%3A12%3A03Z&sr=b&sp=rl&sig' `
-DisplayName 'Windows Nessus Agent Service.' `
-Description 'Compliance check for Windows Nessus Agent Service. Ensure it is present on VM, Startup set to Automatic and Status is Running' `
-Path './policies' `
-Platform 'Windows' `
-Version 1.0.0 `
-Verbose
To deploy and use:
Publish-GuestConfigurationPolicy -Path '.\policies'
Step 7: Using Defender for Cloud create a custom security recommendation
Now that you deployed and created a new custom Azure Policy using Guest Configuration, you can deploy the policy to check Windows VMs on Azure and Azure Arc enabled for the Nessus Agent software. In effect you have a Azure plane using Azure Policy to check for compliance and in more advanced cases using DSC check and change or install software inside the operating system– recall the PSDscResource module and it’s capabilities. PowerShell/PSDscResources (github.com). You have a outer Azure Policy set and managed a cloud scale your inner servers settings.
The last step is that non compliant states can be sent to Defender for Cloud in the form of Custom security recommendations .
In this last step go to Microsoft Defender for Cloud in the Azure portal and click on the left hand blade environment settings.
Search for your Azure Subscription you deployed the custom Guest Configuration Azure Policy and click on the subscription
Click on the Security policy on the left blade and scroll down and click on Add a custom initiative
Fill in information, choose the existing category Security Center
Choose Add policy definitions, filter on custom and choose your uploaded custom Azure Policy at the bottom of the right hand blade click add.
Click next until the Policy parameters, uncheck only show parameters that need input or review. You can now extend support to Azure Arc connected servers. By setting these values.
Afterwards you add the new custom initiative and Create new.
Now that you have connected and assigned the custom Guest Configuration Azure Policy to your subscription through Microsoft Defender for Cloud, within the recommendations screen you will now have timely (refresh every 30 minutes) accurate checks for Nessus software installed.
Some additional things to consider:
In Step 3 when generating the package .zip you can set –Type from Audit to AuditandSet which will also update the settings in the VM to match the desired state.
In PSDResources module there is a method for MSI Installer
Use Workflow Automation in some unique ways or a Logic App to generate a report to be emailed in html.
Take a DevOps approach as new Subscriptions come online generate the Guest Configuration policy definition in subscription and assign through Defender for Cloud custom initiatives.
Full 6 steps in authoring VM showing PS cmdlets involved.
Start thinking of the ways you can use PSDResources to craft your own Security recommendations across your hybrid clouds and on-premise servers.
Special thanks to:
@Yuri Diogenes for reviewing this post