Ensure network segmentation and controls are implemented to protect your virtual machines.
Ensure virtual machines are deployed within secure and segmented network boundaries.
Guidance: Every Azure VM network interface attaches to a subnet of an Azure Virtual Network (VNet), so the question is not whether to use a VNet but how to lay it out. Place tiers with different trust levels (web, application, database, management) in separate subnets rather than one flat address space. VNets isolate your traffic from other tenants; subnets, with their own rule sets, segment your own workloads from each other.
Virtual networks and virtual machines in Azure
Guidance: Use Network Security Groups (NSGs) on subnets and NICs to filter traffic to and from your VMs. Define inbound and outbound rules keyed on source and destination address (CIDR, service tag or application security group), port and protocol. Rules are evaluated in ascending priority number and the first match wins, so an allow at priority 100 overrides a deny at priority 200; start from deny-by-default, add narrow allows, and avoid "*" or "Internet" as the source of any management-port rule.
Ensure network controls are in place to secure access to cloud services.
Guidance: Avoid assigning public IP addresses to VMs where possible. Reach them instead through Azure Bastion, a VPN or ExpressRoute connection, or Microsoft Defender for Cloud just-in-time VM access, which opens management ports only on request and for a limited time. Keep the OS-level firewall enabled as well (Windows Defender Firewall, or nftables/firewalld on Linux) so that a single misconfigured NSG rule does not expose the host.
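The two NSG points above (priority ordering, first match wins, no broad source on management ports) are easy to get wrong in a rule set of any size. The script below is an added example, not code from the original page or from any Microsoft tool: it re-implements inbound NSG evaluation over the JSON shape that `az network nsg show` returns and reports which management ports the internet can reach. The NSG itself is constructed for the example, and the list of "management ports" is an assumption.

```python
"""Audit an exported NSG for management ports reachable from the internet.

Added example, not part of the original page or any Microsoft tool. The
input shape mirrors the securityRules / defaultSecurityRules arrays that
`az network nsg show` returns, but the NSG below is constructed for this
example, and the choice of "management ports" is an assumption.
"""
import ipaddress

# Constructed sample NSG: one broad allow, one well-scoped allow, a deny that
# shadows a later broad allow, and the platform's DenyAllInBound default.
SAMPLE_NSG = {
    "name": "nsg-web-prod",
    "securityRules": [
        {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "3389"},
        {"name": "allow-ssh-corp", "priority": 200, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp",
         "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"},
        {"name": "deny-winrm", "priority": 250, "direction": "Inbound",
         "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
         "destinationPortRanges": ["5985", "5986"]},
        {"name": "allow-winrm-any", "priority": 300, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRanges": ["5985-5986"]},
        {"name": "allow-https", "priority": 400, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "443"},
    ],
    "defaultSecurityRules": [
        {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
         "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*"},
    ],
}

# Ports treated as "management" ports (assumption for this example).
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}
# A probe address that is unambiguously on the internet (TEST-NET-3, RFC 5737).
INTERNET_PROBE = "203.0.113.10"


def _port_ranges(rule):
    """Expand destinationPortRange / destinationPortRanges into (lo, hi) tuples."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _source_matches(rule, src_ip):
    """True if src_ip falls inside the rule's source prefixes or tags.
    "*" and "Internet" are treated as matching any source (conservative for an
    audit); other service tags and application security groups are treated as
    non-internet sources and never match."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    for prefix in prefixes:
        if prefix in ("*", "Internet"):
            return True
        try:
            if src_ip in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:  # not an IP or CIDR: some other service tag or an ASG
            continue
    return False


def evaluate_inbound(nsg, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) of the first inbound rule that matches.
    Mirrors NSG semantics: rules are tried in ascending priority number and the
    first match wins; custom rules precede the platform default rules."""
    src_ip = ipaddress.ip_address(src_ip)
    rules = nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", [])
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        if not _source_matches(rule, src_ip):
            continue
        if not any(lo <= dst_port <= hi for lo, hi in _port_ranges(rule)):
            continue
        return rule["access"], rule["name"]
    return "Deny", "implicit"


def internet_exposed_mgmt_ports(nsg):
    """Map each management port the internet can reach to the rule that allows it."""
    findings = {}
    for port in MGMT_PORTS:
        access, rule_name = evaluate_inbound(nsg, INTERNET_PROBE, port)
        if access == "Allow":
            findings[port] = rule_name
    return findings


if __name__ == "__main__":
    for port, rule_name in internet_exposed_mgmt_ports(SAMPLE_NSG).items():
        print(f"{SAMPLE_NSG['name']}: {MGMT_PORTS[port]}/{port} reachable from the internet via rule '{rule_name}'")
```

Against the sample NSG the only finding is RDP, opened by `allow-rdp-any`; WinRM is not reported even though `allow-winrm-any` exists, because the deny at priority 250 matches first. That shadowing is exactly what a by-eye review of the rule list tends to miss in both directions. To run it on a real NSG, replace `SAMPLE_NSG` with the parsed output of `az network nsg show -g <rg> -n <nsg> -o json`.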
Secure access to virtual machines by enforcing identity management practices.
Leverage Azure Active Directory (Azure AD, now Microsoft Entra ID) for centralized identity management and authentication.
Guidance: Configure your virtual machines to authenticate against Azure AD by installing the AADLoginForWindows or AADSSHLoginForLinux VM extension and granting users the Virtual Machine Administrator Login or Virtual Machine User Login RBAC role at the VM or resource group scope. Sign-in then goes through the central identity platform, so MFA, Conditional Access, and account lifecycle (joiners, movers, leavers) apply to VM logins as well.
Log in to a Windows virtual machine in Azure by using Azure AD
Guidance: Avoid local accounts and passwords for day-to-day access. A local administrator account is created when the VM is provisioned; treat it as a break-glass account: give it a strong random password (or an SSH key), store the credential in Azure Key Vault, and alert on its use. Where possible, disable password authentication (for example `PasswordAuthentication no` in sshd_config on Linux) and enforce Azure AD authentication.
Use secure methods to manage application identities and avoid exposing credentials.
Guidance: Use Azure managed identities for applications running on virtual machines so they can access Azure resources without any credential stored on the VM. The application requests a token from the instance metadata service (169.254.169.254), which is reachable only from inside the VM, and presents it to the target service. Prefer a user-assigned identity when several VMs share one workload identity, and grant the identity only the RBAC roles it needs.
Managed identities for Azure resources
Guidance: If a managed identity is not an option (for example, a workload that runs outside Azure), use an Azure AD service principal. Prefer certificate credentials over client secrets, keep the credential in Azure Key Vault rather than in configuration, rotate it on a schedule, and remove it when the workload is decommissioned.
Implement conditional access policies to enhance security and compliance.
Guidance: Use Azure AD Conditional Access to define the conditions under which sign-in to virtual machines is granted or denied, such as requiring multi-factor authentication, a compliant or hybrid-joined device, or a trusted network location. Target the policy at the Azure Windows VM Sign-In and Azure Linux VM Sign-In cloud apps so that it applies to Azure AD logins to VMs.
Conditional Access for Azure Virtual Machines
Use secure methods to store and manage credentials and secrets.
Guidance: Store application secrets and certificates in Azure Key Vault rather than in code, images, or configuration files, and retrieve them at runtime using the VM's managed identity. The secret then never lands on disk or in a repository, access to it is logged, and rotation happens in one place.
Ensure privileged access is strictly controlled and adheres to the principle of least privilege.
Control administrative access and minimize the use of local administrator accounts.
Guidance: Minimize the use of local administrator accounts. Grant administrative sign-in through Azure AD (the Virtual Machine Administrator Login role) instead, make the assignment eligible rather than permanent with Privileged Identity Management (PIM) so that it must be activated for a limited time with justification, and review the activation log.
Adopt least privilege principles using Azure Role-Based Access Control (RBAC).
Guidance: Use Azure Role-Based Access Control (RBAC) to assign the minimum permissions that users and applications need on your virtual machines. Prefer built-in roles scoped to a VM or resource group (Virtual Machine Contributor for lifecycle operations, Virtual Machine User Login or Virtual Machine Administrator Login for sign-in) over Contributor or Owner at subscription scope, assign roles to groups rather than individual users, and review assignments periodically.
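A quick way to find the assignments that violate the guidance above is to export them and classify each by role breadth and scope depth. The script below is an added example, not from the original page: it works over rows shaped like the output of `az role assignment list --all`, but the assignments are constructed, and which roles count as "broad" and which VM-scoped roles are suggested instead are this example's own choices.

```python
"""Flag over-broad Azure RBAC assignments for VM access.

Added example, not from the original page. The rows mirror the fields
returned by `az role assignment list --all` (principalName, principalType,
roleDefinitionName, scope) but are constructed; which roles count as
"broad" and which VM-scoped roles are suggested are this example's choices.
"""
import re

BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Narrow built-in roles that usually cover what VM operators actually need.
VM_SCOPED_ALTERNATIVES = (
    "Virtual Machine Contributor (manage VMs, no data-plane or RBAC rights) or "
    "Virtual Machine Administrator Login / Virtual Machine User Login (sign-in only)"
)

# Scope strings are ARM resource IDs; their shape tells us the scope level.
_SCOPE_LEVELS = (
    ("managementGroup", re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resourceGroup", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "vm-operators", "principalType": "Group",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Virtual Machine User Login",
     "scope": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01"},
]


def scope_level(scope):
    """Classify an ARM scope as managementGroup, subscription, resourceGroup or resource."""
    for level, pattern in _SCOPE_LEVELS:
        if pattern.match(scope):
            return level
    return "resource"


def audit_assignments(assignments):
    """Return (principalName, finding) pairs for assignments that break least privilege."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role not in BROAD_ROLES:
            continue
        if level in ("managementGroup", "subscription"):
            findings.append((a["principalName"],
                             f"{role} at {level} scope; scope down to a resource group or use {VM_SCOPED_ALTERNATIVES}"))
        if a["principalType"] == "User":
            findings.append((a["principalName"],
                             f"{role} assigned directly to a user; assign to a group and make it PIM-eligible rather than permanent"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: {finding}")
```

On the sample data only alice is flagged (Owner at subscription scope, and assigned to a user rather than a group); the group-scoped Virtual Machine Contributor and the VM-scoped login role pass. The service principal with Contributor on a resource group is left for a human to judge, since a deployment identity often genuinely needs it; tighten `BROAD_ROLES` or add a rule if your policy says otherwise.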
Establish a secure process for granting support-related access to cloud providers.
Guidance: Enable Customer Lockbox to control Microsoft support engineers' access to your data during support scenarios.
Customer Lockbox for Microsoft Azure
Ensure data is protected at rest and in transit using encryption and secure key management practices.
Ensure all sensitive data in transit is encrypted using secure protocols.
Guidance: Ensure that all data in transit to and from your virtual machines is encrypted: HTTPS with TLS 1.2 or later for web traffic, SSH for Linux administration, and RDP with TLS and Network Level Authentication for Windows administration. Disable legacy protocols and weak cipher suites at the OS level so that clients cannot negotiate down.
Ensure all data at rest is encrypted by default using platform-managed keys.
Guidance: Azure managed disks are always encrypted at rest with server-side encryption using platform-managed keys; this cannot be switched off. What is optional, and worth enabling, is encryption at host, which additionally encrypts the VM's temporary disk and the OS and data disk caches on the host.
Server-side encryption of Azure Disk Storage
Adopt customer-managed keys for regulatory compliance or enhanced control.
Guidance: If regulatory compliance requires it, use customer-managed keys: create a disk encryption set backed by a key in Azure Key Vault (or Managed HSM) and reference it from every OS and data disk. You then control key rotation and can make the disks unreadable by disabling or deleting the key.
Server-side encryption with customer-managed keys
Use Azure Key Vault to manage encryption keys securely.
Guidance: Use Azure Key Vault to manage your encryption keys, including generation, rotation, and revocation. A key vault used by a disk encryption set must have soft-delete and purge protection enabled so a key cannot be destroyed by accident or by an attacker; enable automatic key rotation on the disk encryption set so disks pick up new key versions without downtime, and restrict who can manage keys with RBAC.
Ensure only approved services and applications are used on your virtual machines.
Monitor and enforce configurations to ensure compliance with approved services.
Guidance: Use Azure Policy to audit and enforce the use of approved Azure services and configurations, including virtual machines.
Azure Policy built-in definitions for Azure Virtual Machines
Restrict application usage on virtual machines to approved software.
Guidance: Use Microsoft Defender for Cloud's adaptive application controls to define and enforce a list of approved applications on your virtual machines.
Use adaptive application controls to reduce your machines' attack surfaces
Enable threat detection and logging to monitor and respond to security incidents effectively.
Deploy tools to detect and respond to threats on your virtual machines.
Guidance: Use Microsoft Defender for Servers to provide advanced threat detection and response capabilities for your virtual machines.
Plan your Defender for Servers deployment
Configure logging to collect data for analysis and security investigations.
Guidance: Collect guest OS logs (Windows event logs, Linux syslog) and performance data from your virtual machines by installing the Azure Monitor agent and associating a data collection rule that sends them to a Log Analytics workspace, where Microsoft Sentinel or Defender for Cloud can analyze them. Control-plane events such as start, stop, and extension installs are recorded in the Azure Activity Log; export that to the same workspace.
Monitor Windows virtual machines with Azure Monitor
Ensure secure configurations, vulnerability assessments, and rapid remediation for compute resources.
Maintain secure configurations for operating systems and compute resources.
Guidance: Utilize Azure Automation State Configuration to maintain and enforce secure configurations on your virtual machines.
Configure a VM with Desired State Configuration
Guidance: Use Azure Automanage Machine Configuration (formerly Azure Policy Guest Configuration) to assess and remediate configuration drift in your virtual machines.
Understand the machine configuration feature of Azure Automanage
Guidance: Deploy virtual machines using pre-configured hardened images from trusted sources or customize images with your organization's security baselines.
Tutorial: Create Windows VM images with Azure PowerShell
Enable trusted features to secure virtual machine deployments.
Guidance: Use Trusted Launch (Generation 2 VMs) to defend against boot-level malware such as bootkits and rootkits: Secure Boot allows only signed boot components to run, the virtual Trusted Platform Module (vTPM) records boot measurements so the boot chain can be attested, and boot integrity monitoring in Microsoft Defender for Cloud alerts when those measurements change.
Deploy a VM with trusted launch enabled
Regularly assess virtual machines for vulnerabilities to ensure a secure environment.
Guidance: Use Microsoft Defender for Servers, which includes Microsoft Defender Vulnerability Management, to continuously assess your virtual machines for vulnerable software and insecure configurations, prioritize findings by severity and exploitability, and track remediation to closure.
Plan your Defender for Servers deployment
Implement automated tools to rapidly remediate identified vulnerabilities.
Guidance: Automate the deployment of operating system updates and patches with Azure Update Manager, the successor to Azure Automation Update Management: define maintenance configurations per environment, enable periodic assessment so missing updates are visible, and report on machines that fall behind.
Manage updates and patches for your VMs
Guidance: Enable automatic VM guest patching (patch mode AutomaticByPlatform) so that Azure installs updates classified as critical or security automatically, rolling them out during off-peak hours for the VM's region and honoring availability set and zone boundaries. It also turns on periodic assessment, so missing patches are reported in the portal and in Defender for Cloud.
Automatic VM Guest Patching for Azure VMs
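The encryption guidance (platform-managed keys, customer-managed keys, encryption at host), the Trusted Launch guidance (Secure Boot, vTPM), and the guest patching guidance above all correspond to fields on the VM resource itself, so one exported document is enough to check them together. The script below is an added example, not from the original page or from any Microsoft tool: it reads the `Microsoft.Compute/virtualMachines` JSON shape that `az vm show` returns and reports which baseline items a VM fails. The two VM documents are constructed, and treating customer-managed keys as optional unless the caller requires them is this example's own choice.

```python
"""Assess an exported VM definition against the baseline items on this page:
disk encryption (customer-managed keys, encryption at host), Trusted Launch
(Secure Boot, vTPM) and automatic VM guest patching.

Added example, not from the original page. Field paths follow the
Microsoft.Compute/virtualMachines resource JSON as returned by `az vm show`;
the two VM documents below are constructed, and treating CMK as optional
unless require_cmk=True is this example's own choice.
"""


def _get(doc, *path):
    """Safe nested lookup: returns None if any key along the path is missing."""
    for key in path:
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc


DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
          "/providers/Microsoft.Compute/diskEncryptionSets/des-prod")  # constructed

# Constructed: a legacy Windows VM with none of the optional protections enabled.
VM_WEAK = {
    "name": "vm-legacy-01",
    "properties": {
        "storageProfile": {
            "osDisk": {"managedDisk": {"storageAccountType": "Premium_LRS"}},
            "dataDisks": [{"lun": 0, "managedDisk": {"storageAccountType": "Premium_LRS"}}],
        },
        "securityProfile": {},
        "osProfile": {"windowsConfiguration": {"patchSettings": {"patchMode": "AutomaticByOS"}}},
    },
}

# Constructed: a Linux VM that meets every check.
VM_HARDENED = {
    "name": "vm-web-01",
    "properties": {
        "storageProfile": {
            "osDisk": {"managedDisk": {"storageAccountType": "Premium_LRS",
                                       "diskEncryptionSet": {"id": DES_ID}}},
            "dataDisks": [{"lun": 0, "managedDisk": {"storageAccountType": "Premium_LRS",
                                                     "diskEncryptionSet": {"id": DES_ID}}}],
        },
        "securityProfile": {
            "securityType": "TrustedLaunch",
            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True},
            "encryptionAtHost": True,
        },
        "osProfile": {"linuxConfiguration": {"patchSettings": {
            "patchMode": "AutomaticByPlatform", "assessmentMode": "AutomaticByPlatform"}}},
    },
}


def assess_vm(vm):
    """Return {check_name: passed} for one VM document."""
    p = vm["properties"]
    disks = [_get(p, "storageProfile", "osDisk")] + (_get(p, "storageProfile", "dataDisks") or [])
    # Windows and Linux keep patch settings under different osProfile keys.
    patch = (_get(p, "osProfile", "windowsConfiguration", "patchSettings")
             or _get(p, "osProfile", "linuxConfiguration", "patchSettings") or {})
    return {
        # Platform-key SSE is always on; CMK shows up as a disk encryption set on every disk.
        "cmk_disk_encryption": all(_get(d, "managedDisk", "diskEncryptionSet", "id") for d in disks),
        # Encryption at host also covers the temp disk and host-side disk caches.
        "encryption_at_host": _get(p, "securityProfile", "encryptionAtHost") is True,
        "trusted_launch": _get(p, "securityProfile", "securityType") == "TrustedLaunch",
        "secure_boot": _get(p, "securityProfile", "uefiSettings", "secureBootEnabled") is True,
        "vtpm": _get(p, "securityProfile", "uefiSettings", "vTpmEnabled") is True,
        # AutomaticByPlatform: Azure applies critical/security patches; AutomaticByOS and
        # ImageDefault leave patching to whatever runs inside the guest.
        "platform_patching": patch.get("patchMode") == "AutomaticByPlatform",
        "periodic_assessment": patch.get("assessmentMode") == "AutomaticByPlatform",
    }


def failed_checks(vm, require_cmk=False):
    """Sorted names of failed checks; CMK is reported only when the caller requires it."""
    results = assess_vm(vm)
    if not require_cmk:
        results.pop("cmk_disk_encryption")
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    for vm in (VM_WEAK, VM_HARDENED):
        print(f"{vm['name']}: failed {failed_checks(vm, require_cmk=True) or 'nothing'}")
```

Run over the output of `az vm show -g <rg> -n <vm> -o json` (or `az vm list -d -o json` for a whole subscription, iterating over the array) this gives a per-VM list of baseline items to fix. Note that Trusted Launch and encryption at host are set at creation or require a deallocate-and-update, so a failing VM is usually a rebuild rather than a live configuration change.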
Ensure endpoints are protected against malware and other threats through advanced detection and response capabilities.
Deploy tools to detect, investigate, and respond to endpoint threats.
Guidance: Implement Microsoft Defender for Endpoint on your virtual machines to provide EDR capabilities that detect and respond to advanced threats.
Plan your Defender for Servers deployment
Ensure all virtual machines are equipped with up-to-date anti-malware protection.
Guidance: Ensure that Microsoft Defender Antivirus or a third-party anti-malware solution is installed and active on all your virtual machines.
Defender for Endpoint onboarding Windows Server
Ensure all anti-malware software on virtual machines is regularly updated.
Guidance: Configure your anti-malware solutions to automatically update signatures, engines, and platforms to maintain protection against new threats.
Ensure regular backups are in place to protect data and enable recovery in case of failures.
Implement automated and secure backup solutions to safeguard critical data.
Guidance: Enable Azure Backup to protect Azure Virtual Machines, SQL Server, HANA databases, or File Shares. Configure backup policies to specify the source, frequency, and retention period. Use Azure Policy to automate backups where applicable.
Backup and restore options for virtual machines in Azure
Guidance: Use the built-in Azure Policy definition "Azure Backup should be enabled for Virtual Machines" to ensure compliance with backup configurations. This policy audits virtual machines without backup enabled and can be used to trigger corrective actions.
Azure Backup policy monitoring