Create a platform security baseline
- The Microsoft cybersecurity group in conjunction with CIS developed best practices to help establish security baselines
- A variety of security standards can help cloud service customers achieve workload security when using cloud services
- CIS has the following implementation levels:
  - Level 1. Recommended minimum security settings
  - Level 2. Recommended for highly secure environments
Create an IAM baseline
Some common recommendations for IAM protection baselines include:
- Restricting access to the Azure AD admin portal
- Enabling MFA
- Properly managing guests
- Managing password security
- Managing member and guest invitation capabilities
- Disabling application options
Create an Azure Security Center baseline
- The following are Security Center recommendations that, if followed, will set various security policies on an Azure subscription:
  - Enable the Standard pricing tier
  - Enable the automatic provisioning of a monitoring agent
  - Enable System updates
  - Enable Security configurations
  - Enable Endpoint protection
  - Enable Disk encryption
  - Enable Network security groups
  - Enable Web application firewall
  - Enable Vulnerability Assessment
Create a storage accounts baseline
Recommendations for an Azure storage account include:
- Require security-enhanced transfers
- Enable blob encryption
- Periodically regenerate access keys
- Require shared access signature (SAS) tokens to expire within an hour
- Require SAS tokens to be shared only via HTTPS
- Enable Azure Files encryption
- Require only private access to blob containers
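One way to check the two SAS recommendations above (expiry within an hour, HTTPS only) before a token is handed out. This is an added example, not code from the original post: the URLs are constructed samples and `audit_sas` is a hypothetical helper name, while `st`, `se`, `spr` and `sig` are the standard SAS query parameters.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)  # baseline: SAS tokens expire within an hour
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")  # accepted SAS UTC forms

def parse_sas_time(value):
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas(url_or_token, now=None):
    """Return baseline findings for one SAS URL or bare token (hypothetical helper)."""
    now = now or datetime.now(timezone.utc)
    query = urlsplit(url_or_token).query or url_or_token.lstrip("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if "sig" not in params:
        return ["no sig parameter: not a SAS token"]
    findings = []
    if "se" not in params:
        findings.append("no se in token: expiry must come from a stored access policy")
    else:
        # Without st the token is valid immediately, so measure from now.
        start = parse_sas_time(params["st"]) if "st" in params else now
        lifetime = parse_sas_time(params["se"]) - start
        if lifetime > MAX_LIFETIME:
            findings.append(f"lifetime {lifetime} exceeds {MAX_LIFETIME}")
    # When spr is omitted the service accepts both HTTP and HTTPS.
    if params.get("spr", "https,http") != "https":
        findings.append("spr does not restrict the token to HTTPS")
    return findings

# Constructed sample URLs (fake host and signature).
BASE = "https://storage.example/container/report.csv?sv=2022-11-02&sr=b&sp=r&sig=CONSTRUCTED"
COMPLIANT = BASE + "&st=2024-05-01T10%3A00%3A00Z&se=2024-05-01T10%3A45%3A00Z&spr=https"
WEEK_LONG = BASE + "&se=2024-05-08T10%3A00%3A00Z&spr=https,http"
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for url in (COMPLIANT, WEEK_LONG):
        print(audit_sas(url, now=NOW) or "compliant")
```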
Create an Azure SQL Database baseline
Microsoft SQL Server policy recommendations include:
- Enable auditing
- Enable a threat detection service
- Enable all threat detection types
- Enable the option to send security alerts
- Enable the email service and co-administrators
- Configure audit retention for more than 90 days
- Configure threat detection retention for more than 90 days
- Configure Azure AD administration
Create a logging and monitoring baseline
Logging and monitoring recommendations include:
- Ensure that a log profile exists
- Ensure that activity log retention is set to 365 days or more
- Create an activity log alert for:
  - Creating a policy assignment
  - Updating a security policy
  - Creating, updating, or deleting a security solution
  - Creating, updating, or deleting an NSG
  - Creating, updating, or deleting an NSG rule
  - Creating or updating an SQL Server firewall rule
  - Deleting an SQL Server firewall rule
- Enable Azure Key Vault logging
Create a networking baseline
Networking recommendations include:
- Restrict RDP access from the internet
- Restrict SSH access from the internet
- Restrict SQL Server access from the internet
- Configure the NSG flow log retention period for more than 90 days
- Enable Azure Network Watcher
Create a VMs baseline
Azure VM security baseline recommendations include:
- Install a VM agent (required for enabling data collection for Azure Security Center)
- Ensure that encryption protects the OS disk and its content
- Carefully review extensions to help ensure that they don’t compromise the security of the host or Azure subscription
- Update VMs to help ensure their security
- Ensure that VMs have an installed and running endpoint protection solution
Other security considerations for a baseline
Some additional recommendations you should consider:
- Set an expiration date on all keys
- Set an expiration date on all secrets
- Set resource locks for mission-critical Azure resources