Enable All Parameters for ASC Default Policy

Risk level: High (not acceptable risk)

Rule ID: SecurityCenter-028

Ensure that none of the parameters (recommendations) provided by Azure Security Center (ASC) Default policy are disabled in order to meet security and compliance requirements.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A security policy defines the desired configuration of your workloads and helps ensure compliance with the organization or regulatory security requirements. Azure Security Center (ASC) Default policy is associated with every subscription by default. ASC Default policy assignment represents a set of security recommendations based on industry best practices. Having an active ASC Default policy (i.e. with all the parameters enabled) ensures that Microsoft Azure Security Center monitors all of the supported recommendations and allows automated action (optionally, for few of the recommendations). An example of the ASC Default policy parameter that can help to maintain the security of your Azure cloud infrastructure is Distributed Denial-of-Service (DDoS) protection monitoring (i.e. "vnetEnableDDoSProtectionMonitoringEffect" parameter). With DDoS protection monitoring enabled, Azure Security Center (ASC) can determine if the monitoring of DDoS protection is enabled for your Microsoft Azure public virtual networks and make the proper recommendations to protect against DDoS attacks.

Audit

To determine if all the ASC Default policy parameters (recommendations) are enabled for your Azure cloud subscriptions, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the left navigation panel, under Management, choose Security policy to access the Policy Management portal.

04 On the Policy Management page, click on the name of the Azure subscription that you want to examine, to access the ASC policies available for the selected subscription.

05 On the Security Policy page, click on the name of the ASC Default policy associated with your subscription, i.e. ASC Default (subscription: <subscription-id>), then choose the Parameters tab.

06 On the Parameters panel, deselect Only show parameters that require input, and check the configuration status of each parameter (recommendation) listed. If one or more policy parameters have the status set to Disabled, the configuration of the ASC Default policy available for the selected subscription is not compliant.

07 Repeat step no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) with custom query filters to describe the name and the configuration status of each parameter (recommendation) defined within the ASC Default policy:

az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01'| jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters'

02 The command output should return the requested information:

{
  "vnetEnableDDoSProtectionMonitoringEffect": {
    "value": "Disabled"
  },
  "disableIPForwardingMonitoringEffect": {
    "value": "Disabled"
  }
}

Check the configuration status of each policy parameter returned by the account get-access-token command output (i.e. the "value" property value). If one or more policy parameters have the status set to "Disabled" or "Empty", the configuration of the ASC Default policy available for the current Azure subscription is not compliant.

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available in your cloud account.

Remediation / Resolution

To enable all the ASC Default policy parameters for your Microsoft Azure subscriptions, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the left navigation panel, under Management, choose Security policy to access the Policy Management portal.

04 On the Policy Management page, click on the name of the Azure cloud subscription that you want to access.

05 On the Security Policy page, click on the name of the ASC Default policy associated with the selected subscription, i.e. ASC Default (subscription: <subscription-id>), then choose the Parameters tab.

06 On the Parameters panel, deselect Only show parameters that require input, and enable each parameter (recommendation) defined for the selected ASC Default policy. To enable a policy parameter, choose Audit or AuditIfNotExists from the parameter dropdown list. Select Review + save to review the changes, then choose Save to apply the policy changes.

07 Repeat step no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Define the necessary specifications for the account get-access-token command, where the disabled policy parameters can be enabled using the "Audit" or "AuditIfNotExists" configuration option. The following command request example enables the monitoring of DDoS protection and IP forwarding on virtual machines for the ASC Default policy defined for the specified subscription. Replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details, and save the content to a JSON file named enable-asc-default-policy-params.json:

{
  "properties":{
    "displayName":"ASC Default (subscription: <azure-subscription-id>)",
    "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
    "scope":"/subscriptions/<azure-subscription-id>",
    "parameters":{
      "vnetEnableDDoSProtectionMonitoringEffect":{
        "value":"AuditIfNotExists"
      },
      "disableIPForwardingMonitoringEffect":{
        "value":"AuditIfNotExists"
      }
    }
  },
  "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the specifications defined at the previous step (i.e. enable-asc-default-policy-params.json file) to enable the specified parameters (recommendations) for your Azure Security Center (ASC) Default policy:

az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01-d@"enable-asc-default-policy-params.json"'

03 If successful, the command output should return the updated ASC Default policy, e.g.:

{
  "sku":{
    "name":"A0",
    "tier":"Free"
  },
  "properties":{
    "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
    "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters":{
      "vnetEnableDDoSProtectionMonitoringEffect":{
      "value":"AuditIfNotExists"
      },
      "disableIPForwardingMonitoringEffect":{
        "value":"AuditIfNotExists"
      }
    },
    "metadata":{
      "createdBy":"1234abcd-1234-abcd-1234-abcd1234abcd",
      "createdOn":"2021-09-14T15:38:40.00000000",
      "updatedBy":"abcd1234-abcd-1234-abcd-1234abcd1234",
      "updatedOn":"2021-09-14T19:06:48.00000000"
    }
  },
  "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your cloud account.

References

Azure Command Line Interface (CLI) Documentation
az
az account get-access-token

Publication date Sep 19, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable All Parameters for ASC Default Policy

Risk level: High

Audit

Using Azure Portal

Using Azure CLI

Remediation / Resolution

Using Azure Portal

Using Azure CLI

References

Related SecurityCenter rules