Skip to main content

lacework-global-523

Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled' (Manual)

Profile Applicability

• Level 1

Description

Do not set any settings offered by ASC Default policy to effect Disabled.

Rationale

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Microsoft Defender for Cloud
  3. Then Environment Settings
  4. Select subscription
  5. Then on Security Policy in the left column.
  6. Followed by on ASC Default under Default initiative
  7. Scroll down to Policy Enforcement and ensure it is set to Enabled
  8. Click on the Parameters tab and uncheck Only show parameters that need input or review
  9. Review the Parameters to ensure none of the items are set to Disabled.

The View effective Policy button can be used to see all effects of policies even if they have not been modified.

From Azure CLI

Ensure the properties.enforcementMode in the output of the below command is set to Default. If properties.enforcementMode is set to DoNotEnforce, the default policies are disabled and therefore out of compliance.

az account get-access-token --query "{<subscription:subscription>,<accessToken:accessToken>}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2021-06-01'

Note: policies that have not been modified will not be listed in this output

From Azure PowerShell

Get-AzPolicyAssignment | Where-Object {$_.Name -eq 'SecurityCenterBuiltIn' | Select-Object -ExpandProperty Properties

If the EnforcementMode value equals Default the ASC Default Policies are enabled. Because several of the policies are in the Disabled state by default, check to see if the Parameters attribute in the output of the above command contains policies with the value of Disabled or if it's empty altogether. If so, these settings are out of compliance. If none of the values in the Parameters attribute show Disabled, these settings are in compliance. If the EnforcementMode parameter equals DoNotEnforce the ASC Default Policies are all disabled and thus out of compliance.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Select Environment Settings.
  4. Click a subscription.
  5. Select Security Policy in the left column.
  6. Click ASC Default under Default initiative.
  7. Enable Policy Enforcement.
  8. Click the Parameters tab and clear Only show parameters that need input or review.
  9. For any parameters set to Disabled or empty, update to a valid value for the organization.
  10. Click Save.

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-policies
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-transparent-data-encryption
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/get
https://docs.microsoft.com/en-us/rest/api/policy/policy-assignments/create
https://docs.microsoft.com/en-in/azure/security-center/tutorial-security-policy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-7-define-and-implement-logging-threat-detection-and-incident-response-strategy