Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS!
Published Nov 20 2022 07:20 AM 12.4K Views


Security benchmarks help organizations strengthen their security posture and meet various cloud security compliance requirements. The Microsoft cloud security benchmark announced at Ignite 2022 provides clear and concrete guidance to securely configure cloud resources.


Today, we are excited to announce a new Azure compute benchmark for Azure virtual machines. This newly released benchmark has the CIS recommended security configurations aligned with the Azure environment. This new benchmark takes into consideration the cloud-specific security controls and removes non-applicable controls that have no significant risk impact in cloud environment.


CIS Azure Compute Microsoft Windows Server 2019 Benchmark v1.0.0’ can be downloaded from CIS benchmark for Cloud computeYou will be able to seamlessly monitor the secure configuration settings of the new CIS benchmark in Microsoft Defender for Cloud as well as via the built-In Windows baseline Azure policy in the Azure policy Portal.



  Figure 1: Azure Security and CIS benchmark team collaboration


Benchmark usage scenarios

Using Microsoft Defender for Cloud:

You will be able to monitor the security baseline settings for Windows Server in the Microsoft Defender for Cloud portal by going to the ‘Remediate Security Configurations’ in ‘Recommendations’ section and selecting ‘Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)’



Figure 2: Microsoft Defender for Cloud Portal


You will be able see the status of each baseline rule, view baseline failures through ‘Expected’ and ‘Actual’ values, understand the risk and impact of each misconfiguration, and view additional steps to remediate them.



Figure 3: Windows Baseline Recommendation


Using as a Built-In Policy in Azure Policy Portal:

Alternatively, you can also leverage the Windows Baseline available as a built-in policy to monitor the security configurations setting of your Windows servers. You can assign the “Windows machines should meet requirements of the Azure compute security baseline” and monitor the compliance results in the Azure Policy portal.



Figure 4: Azure Policy Portal


What Next?

  • Achieving CIS benchmark certification for the Azure compute baseline: We will be working with the CIS benchmark team to certify the benchmark monitoring implementation to ensure it meets the CIS requirements.
  • Publishing a Linux baseline for Ubuntu distributions that is specific to Azure compute: Similar to Windows Server Benchmark, we will be working with CIS benchmark team to develop the Linux baseline for Ubuntu distributions specific to Azure.

We want to thank the CIS benchmark team, contributors from the CIS community and multiple teams within Microsoft for their help with publishing the benchmark!


If you would like to participate in improving the benchmark or provide feedback, please send us an email. We would love to hear your success stories and feedback on how to make it better!


Additional References:


Version history
Last update:
‎Nov 21 2022 10:18 AM
Updated by: