lacework-global-574
Install Only Approved Extensions (Manual)
Profile Applicability
• Level 1
Description
For added security, only install organization-approved extensions on VMs.
Rationale
Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.
Impact
Functionality by unsupported extensions will be disabled.
Audit
From Azure Console
- Go to
Virtual machines
. - For each virtual machine, click on the server name to select it go to
- In the new column menu, under
Settings
Click onExtensions + applications
. - Ensure that all the listed extensions are approved by your organization for use.
From Azure Command Line Interface 2.0
Use the below command to list the extensions attached to a VM, and ensure the listed extensions are approved for use.
az vm extension list --vm-name <vmName> --resource-group <sourceGroupName> --query [*].name
Using Azure PowerShell
Get a list of VMs.
Get-AzVM
For each VM run the following command.
Get-AzVMExtension -ResourceGroupName <VM Resource Group> -VMName <VM Name>
Review each Name
, ExtensionType
, and ProvisioningState
to make sure no unauthorized extensions are installed on any virtual machines.
Remediation
From Azure Console
- Go to Virtual machines.
- For each virtual machine, go to Settings.
- Click Extensions + applications.
- Uninstall any unapproved extensions.
From Azure Command Line Interface 2.0
From the audit command identify the unapproved extensions, and use the below CLI command to remove an unapproved extension attached to VM:
az vm extension delete --resource-group <resourceGroupName> --vm-name <vmName> --name <extensionName>
Using Azure PowerShell
For each VM and each unsecured extension from the Audit Procedure run the following command:
Remove-AzVMExtension -ResourceGroupName <ResourceGroupName> -Name <ExtensionName> -VMName <VirtualMachineName>
References
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features
https://docs.microsoft.com/en-us/powershell/module/az.compute/?view=azps-7.5.0#vm-extensions
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-2-use-only-approved-services
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-5-use-only-approved-applications-in-virtual-machine