lacework-global-523
Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled' (Manual)
Profile Applicability
• Level 1
Description
Do not set any settings offered by ASC Default policy to effect Disabled.
Rationale
A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Defender for Cloud
- Then
Environment Settings
- Select subscription
- Then on
Security Policy
in the left column. - Followed by on
ASC Default
underDefault initiative
- Scroll down to
Policy Enforcement
and ensure it is set toEnabled
- Click on the
Parameters
tab and uncheckOnly show parameters that need input or review
- Review the Parameters to ensure none of the items are set to Disabled.
The View effective Policy
button can be used to see all effects of policies even if they have not been modified.
From Azure CLI
Ensure the properties.enforcementMode
in the output of the below command is set to Default
. If properties.enforcementMode
is set to DoNotEnforce
, the default policies are disabled and therefore out of compliance.
az account get-access-token --query "{<subscription:subscription>,<accessToken:accessToken>}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2021-06-01'
Note: policies that have not been modified will not be listed in this output
From Azure PowerShell
Get-AzPolicyAssignment | Where-Object {$_.Name -eq 'SecurityCenterBuiltIn' | Select-Object -ExpandProperty Properties
If the EnforcementMode
value equals Default
the ASC Default Policies are enabled. Because several of the policies are in the Disabled
state by default, check to see if the Parameters
attribute in the output of the above command contains policies with the value of Disabled
or if it's empty altogether. If so, these settings are out of compliance. If none of the values in the Parameters
attribute show Disabled
, these settings are in compliance. If the EnforcementMode
parameter equals DoNotEnforce
the ASC Default Policies are all disabled and thus out of compliance.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Defender for Cloud
. - Select
Environment Settings
. - Click a subscription.
- Select
Security Policy
in the left column. - Click
ASC Default
underDefault initiative
. - Enable Policy Enforcement.
- Click the
Parameters
tab and clearOnly show parameters that need input or review
. - For any parameters set to
Disabled
orempty
, update to a valid value for the organization. - Click
Save
.
References
https://docs.microsoft.com/en-us/azure/security-center/security-center-policies
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/get
https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/create
https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-7-define-and-implement-logging-threat-detection-and-incident-response-strategy