lacework-global-523

2.6 Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled' (Manual)

Profile Applicability

• Level 1

Description

Do not set any of the settings offered by the ASC Default policy to the effect Disabled.

Rationale

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. The ASC Default policy is associated with every subscription by default. The ASC Default policy assignment is a set of security recommendations based on best practices. Enabling the recommendations in the ASC Default policy ensures that Azure Security Center can monitor all of the supported recommendations and, optionally, take automated action for a few of them.

Audit

From Azure Portal

  1. From Azure Home, select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Select Environment Settings.
  4. Select a subscription.
  5. Select Security Policy in the left column.
  6. Click ASC Default under Default initiative.
  7. Scroll down to Policy Enforcement and ensure it is set to Enabled.
  8. Click the Parameters tab and uncheck Only show parameters that need input or review.
  9. Review the Parameters to ensure none of the items are set to Disabled.

The View effective Policy button can be used to see all effects of policies even if they have not been modified.

From Azure CLI

Ensure the properties.enforcementMode in the output of the below command is set to Default. If properties.enforcementMode is set to DoNotEnforce, the default policies are disabled and therefore out of compliance.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2021-06-01"'

Note: Policies that have not been modified will not be listed in this output.

From Azure PowerShell

Get-AzPolicyAssignment | Where-Object {$_.Name -eq 'SecurityCenterBuiltIn'} | Select-Object -ExpandProperty Properties

If the EnforcementMode value equals Default the ASC Default Policies are enabled. Because several of the policies are in the Disabled state by default, check to see if the Parameters attribute in the output of the above command contains policies with the value of Disabled or if it's empty altogether. If so, these settings are out of compliance. If none of the values in the Parameters attribute show Disabled, these settings are in compliance. If the EnforcementMode parameter equals DoNotEnforce the ASC Default Policies are all disabled and thus out of compliance.
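The audit criteria above can be applied mechanically to the JSON returned by the Azure CLI request. The following is an added example, not code from this page or from the benchmark; the function names and the parameter names in the sample response are constructed placeholders.

```python
import json

# Constructed sample shaped like the policyAssignments GET response; the
# parameter names are placeholders, not real ASC Default parameter names.
SAMPLE_RESPONSE = """
{
  "name": "SecurityCenterBuiltIn",
  "properties": {
    "enforcementMode": "Default",
    "parameters": {
      "exampleEffectA": {"value": "AuditIfNotExists"},
      "exampleEffectB": {"value": "Disabled"},
      "exampleEffectC": {"value": "disabled"}
    }
  }
}
"""


def audit_asc_default(assignment):
    """Return a list of findings; an empty list means the assignment passes."""
    findings = []
    props = assignment.get("properties") or {}

    # DoNotEnforce (or anything other than Default) fails the check outright.
    mode = props.get("enforcementMode")
    if mode != "Default":
        findings.append(f"enforcementMode is {mode!r}, expected 'Default'")

    # An empty Parameters attribute is treated as out of compliance, because
    # several policies are Disabled by default unless explicitly set.
    params = props.get("parameters") or {}
    if not params:
        findings.append("parameters is empty")

    for name, entry in sorted(params.items()):
        value = entry.get("value") if isinstance(entry, dict) else entry
        # Case-insensitive match is a defensive choice made in this example.
        if isinstance(value, str) and value.strip().lower() == "disabled":
            findings.append(f"parameter {name} is set to {value!r}")
    return findings


def audit_response(text):
    """Audit the raw JSON text of a policy assignment response."""
    return audit_asc_default(json.loads(text))


if __name__ == "__main__":
    for line in audit_response(SAMPLE_RESPONSE) or ["compliant"]:
        print(line)
```
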

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Select Environment Settings.
  4. Click a subscription.
  5. Select Security Policy in the left column.
  6. Click ASC Default under Default initiative.
  7. Enable Policy Enforcement.
  8. Click the Parameters tab and clear Only show parameters that need input or review.
  9. For any parameters set to Disabled or empty, update to a valid value for the organization.
  10. Click Save.

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-policies
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/get
https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/create
https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-7-define-and-implement-logging-threat-detection-and-incident-response-strategy