Skip to main content

lacework-global-574

Install Only Approved Extensions (Manual)

Profile Applicability

• Level 1

Description

For added security, only install organization-approved extensions on VMs.

Rationale

Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are actually implemented.

Impact

Functionality by unsupported extensions will be disabled.

Audit

From Azure Console

  1. Go to Virtual machines.
  2. For each virtual machine, click on the server name to select it go to
  3. In the new column menu, under Settings Click on Extensions + applications.
  4. Ensure that all the listed extensions are approved by your organization for use.

From Azure Command Line Interface 2.0

Use the below command to list the extensions attached to a VM, and ensure the listed extensions are approved for use.

az vm extension list --vm-name <vmName> --resource-group <sourceGroupName> --query [*].name

Using Azure PowerShell

Get a list of VMs.

Get-AzVM

For each VM run the following command.

Get-AzVMExtension -ResourceGroupName <VM Resource Group> -VMName <VM Name>

Review each Name, ExtensionType, and ProvisioningState to make sure no unauthorized extensions are installed on any virtual machines.

Remediation

From Azure Console

  1. Go to Virtual machines.
  2. For each virtual machine, go to Settings.
  3. Click Extensions + applications.
  4. Uninstall any unapproved extensions.

From Azure Command Line Interface 2.0

From the audit command identify the unapproved extensions, and use the below CLI command to remove an unapproved extension attached to VM:

az vm extension delete --resource-group <resourceGroupName> --vm-name <vmName> --name <extensionName>

Using Azure PowerShell

For each VM and each unsecured extension from the Audit Procedure run the following command:

Remove-AzVMExtension -ResourceGroupName <ResourceGroupName> -Name <ExtensionName> -VMName <VirtualMachineName>

References

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features
https://docs.microsoft.com/en-us/powershell/module/az.compute/?view=azps-7.5.0#vm-extensions
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-2-use-only-approved-services
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-asset-management#am-5-use-only-approved-applications-in-virtual-machine