Enable All Parameters for Microsoft Defender for Cloud Default Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SecurityCenter-028

Ensure that none of the supported parameters (recommendations) provided by Microsoft Defender for Cloud default policy are disabled in order to meet security and compliance requirements.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A security policy defines the desired configuration of your workloads and helps ensure compliance with organizational or regulatory security requirements. The Microsoft Defender for Cloud default policy (the ASC Default initiative) is assigned to every Azure subscription automatically. The default assignment represents a set of security recommendations based on industry best practices; each recommendation is controlled by an assignment parameter whose effect is either an audit effect (for example Audit or AuditIfNotExists) or Disabled. Keeping the default policy fully active, i.e. with all of its parameters enabled, ensures that Microsoft Defender for Cloud monitors every supported recommendation and, for a few of the recommendations, allows automated action. One example of a default policy parameter that helps maintain the security of your Azure cloud infrastructure is Distributed Denial-of-Service (DDoS) protection monitoring (the vnetEnableDDoSProtectionMonitoringEffect parameter). With DDoS protection monitoring enabled, Microsoft Defender for Cloud can determine whether DDoS protection is enabled for your public-facing Azure virtual networks and raise the appropriate recommendation to protect against DDoS attacks.


Audit

To determine whether any Microsoft Defender for Cloud default policy parameters are disabled within your Azure subscription, perform the following actions:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default policy enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab, uncheck Only show parameters that need input or review, and check the configuration status for each parameter (recommendation) listed on the page, comparing its current value with its default value. If one or more policy parameters are set to Disabled while their default value is not Disabled, the Microsoft Defender for Cloud default policy configuration for the selected subscription is not compliant. A parameter whose default value is already Disabled is not a finding.

08 Repeat steps no. 4 – 7 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) and pass the token to a GET request against the Azure Resource Manager REST API, with custom query filters to describe the name and the configuration status for each parameter (recommendation) defined within the default policy:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -s -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01"' \
  | jq 'select(.name=="SecurityCenterBuiltIn") | .properties.parameters'

02 The command output should return the requested information:

{
  "vnetEnableDDoSProtectionMonitoringEffect": {
    "value": "Disabled"
  },
  "disableIPForwardingMonitoringEffect": {
    "value": "Disabled"
  }
}

Check the configuration status for each policy parameter returned by the command output (i.e. the "value" property). Only parameters that are explicitly overridden in the assignment are listed; parameters omitted from the output take the default value defined in the assigned initiative (properties.policyDefinitionId) and are therefore compliant. If one or more policy parameters have the value "Disabled" while the default value of that parameter in the initiative definition is not Disabled, the Microsoft Defender for Cloud default policy configuration available for the selected subscription is not compliant.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To enable all the parameters (recommendations) supported by the Microsoft Defender for Cloud default policy, perform the following actions:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab and uncheck the Only show parameters that need input or review checkbox to list all the policy parameters.

08 Enable each parameter (recommendation) supported by the Microsoft Defender for Cloud default policy, listed on the page. To enable a parameter, choose its default (non-Disabled) effect from the parameter dropdown list, typically Audit or AuditIfNotExists.

09 Select Review + save to review the configuration changes, then choose Save to apply the new changes. If the operation is successful, the following confirmation message should be displayed: "Updating policy assignment succeeded".

10 Repeat steps no. 4 – 9 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the request body for the PUT call that updates the default policy assignment, where the disabled parameters (recommendations) are enabled by setting them back to the "Audit" or "AuditIfNotExists" effect (the parameter's default value). The following request example enables the monitoring of DDoS protection and IP forwarding on Azure virtual machines (VMs) for the specified subscription. Save the configuration document to a JSON file named enable-default-policy-parameters.json and replace the placeholder values, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account subscription details; the policy definition ID is the properties.policyDefinitionId value returned by the audit request. Note that a PUT replaces the whole policy assignment: any parameter not listed in the body reverts to the initiative's default value, and any other property of the current assignment (for example a managed identity used by DeployIfNotExists recommendations) must be carried over into the body or it is removed.

{
  "properties":{
    "displayName":"ASC Default (subscription: <azure-subscription-id>)",
    "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
    "scope":"/subscriptions/<azure-subscription-id>",
    "parameters":{
      "vnetEnableDDoSProtectionMonitoringEffect":{
        "value":"AuditIfNotExists"
      },
      "disableIPForwardingMonitoringEffect":{
        "value":"AuditIfNotExists"
      }
    }
  },
  "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-default-policy-parameters.json file), to enable the specified parameters (recommendations) for the Microsoft Defender for Cloud default policy, within the selected Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -s -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01" -d @enable-default-policy-parameters.json'

03 The command output should return information about the modified parameters (recommendations):

{
  "sku":{
    "name":"A0",
    "tier":"Free"
  },
  "properties":{
    "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
    "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters":{
      "vnetEnableDDoSProtectionMonitoringEffect":{
        "value":"AuditIfNotExists"
      },
      "disableIPForwardingMonitoringEffect":{
        "value":"AuditIfNotExists"
      }
    },
    "metadata":{
      "createdBy": "abcdabcd-1234-1234-1234-abcdabcdabcd",
      "createdOn": "2019-05-17T15:38:40.3473931Z",
      "updatedBy": "1234abcd-1234-1234-1234-abcd1234abcd",
      "updatedOn": "2022-02-01T21:22:40.7422203Z"
    }
  },
  "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
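The Audit and Remediation CLI procedures above work on the same two resources: the SecurityCenterBuiltIn policy assignment and the initiative definition it points to. The following Python script is an added example and is not code from this Conformity rule page or from Microsoft. It performs the audit against the initiative's default values, so a recommendation that is Disabled by default is not reported, and, when run with --fix, submits the PUT with the current assignment copied in full so that only the flagged parameters change. It assumes the Azure CLI is installed and logged in (az login) and calls the Azure Resource Manager API through az rest; the embedded JSON documents are constructed samples shaped like the output shown on this page, and the parameter name optInExampleMonitoringEffect is hypothetical.

```python
"""Audit/fix Microsoft Defender for Cloud default policy parameters via `az rest`.
Added example, not Conformity's or Microsoft's code: flags assignment parameters
set to Disabled whose initiative default is not Disabled, and builds a PUT body
that restores those defaults while keeping the rest of the assignment intact."""
import json
import subprocess
import sys
from typing import List, Optional

API_VERSION = "2018-05-01"
ASSIGNMENT_NAME = "SecurityCenterBuiltIn"
ARM = "https://management.azure.com"

# Constructed sample data shaped like the page's GET output. The first two
# parameter names are the page's; optInExampleMonitoringEffect is hypothetical
# and stands for a recommendation that the initiative disables by default.
SAMPLE_ASSIGNMENT = {
    "properties": {
        "displayName": "ASC Default (subscription: <azure-subscription-id>)",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
        "scope": "/subscriptions/<azure-subscription-id>",
        "parameters": {
            "vnetEnableDDoSProtectionMonitoringEffect": {"value": "Disabled"},
            "disableIPForwardingMonitoringEffect": {"value": "Disabled"},
            "optInExampleMonitoringEffect": {"value": "Disabled"},
        },
    },
    "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
    "type": "Microsoft.Authorization/policyAssignments",
    "name": ASSIGNMENT_NAME,
    "location": "eastus",
}
SAMPLE_INITIATIVE = {"properties": {"parameters": {
    "vnetEnableDDoSProtectionMonitoringEffect": {"type": "String", "defaultValue": "AuditIfNotExists"},
    "disableIPForwardingMonitoringEffect": {"type": "String", "defaultValue": "AuditIfNotExists"},
    "optInExampleMonitoringEffect": {"type": "String", "defaultValue": "Disabled"},
}}}


def find_disabled_parameters(assignment: dict, initiative: dict) -> List[str]:
    """Parameters explicitly set to Disabled whose initiative default is not Disabled.
    Omitted parameters take the default, so only overrides can fail; an override
    for a name the initiative does not define is flagged too (no default excuses it)."""
    defaults = initiative["properties"].get("parameters", {})
    overrides = assignment["properties"].get("parameters", {})
    flagged = []
    for name, setting in sorted(overrides.items()):
        if setting.get("value") != "Disabled":
            continue
        if defaults.get(name, {}).get("defaultValue") != "Disabled":
            flagged.append(name)
    return flagged


def build_remediation_body(assignment: dict, initiative: dict) -> dict:
    """PUT body resetting each flagged parameter to its default. ARM PUT replaces
    the whole assignment, so the current resource is copied and only those change."""
    body = json.loads(json.dumps(assignment))  # deep copy; input left untouched
    defaults = initiative["properties"].get("parameters", {})
    for name in find_disabled_parameters(assignment, initiative):
        if name in defaults:
            body["properties"]["parameters"][name] = {"value": defaults[name]["defaultValue"]}
        else:  # stale override the initiative no longer defines: drop it
            del body["properties"]["parameters"][name]
    return body


def az_rest(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Call the ARM REST API via `az rest`, which supplies the bearer token."""
    cmd = ["az", "rest", "--method", method, "--url", url]
    if body is not None:
        cmd += ["--body", json.dumps(body)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def audit_and_fix(subscription_id: str, fix: bool = False) -> List[str]:
    """Audit one subscription; with fix=True also PUT the corrected assignment."""
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
           f"/policyAssignments/{ASSIGNMENT_NAME}?api-version={API_VERSION}")
    assignment = az_rest("get", url)
    initiative = az_rest("get", f"{ARM}{assignment['properties']['policyDefinitionId']}?api-version={API_VERSION}")
    flagged = find_disabled_parameters(assignment, initiative)
    if flagged and fix:
        az_rest("put", url, build_remediation_body(assignment, initiative))
    return flagged


if __name__ == "__main__":  # usage: python3 audit_asc_default.py [--fix]  (after `az login`)
    subs = subprocess.run(["az", "account", "list", "--query", "[].id", "-o", "tsv"],
                          check=True, capture_output=True, text=True).stdout.split()
    for sub in subs:
        for name in audit_and_fix(sub, fix="--fix" in sys.argv):
            print(f"{sub}: {name} is Disabled but its default is not")
```

Run without arguments to list the non-compliant parameters for every subscription the signed-in identity can see; add --fix to apply the remediation. The caller needs Microsoft.Authorization/policyAssignments/write on each subscription (Resource Policy Contributor or Owner) for the PUT to succeed, and read access to the initiative definition for the audit.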

Publication date Feb 19, 2022