More information about the rules covered by our integration with Azure Resource Manager Template Toolkit can be found here:
Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.
Recommendation: To enable diagnostic logging, in the Microsoft.Web/sites/config resource properties, add (or update) the detailedErrorLoggingEnabled, httpLoggingEnabled, and requestTracingEnabled properties, setting their values to true.
Remote debugging requires inbound ports to be opened on an API app. These ports become easy targets for compromise from various internet based attacks. If you no longer need to use remote debugging, it should be turned off.
Recommendation: To disable remote debugging, in the Microsoft.Web/sites/config resource properties, remove the remoteDebuggingEnabled property or update its value to false.
Enable FTPS enforcement for enhanced security.
Recommendation: To enforce FTPS, in the Microsoft.Web/sites/config resource properties, add (or update) the ftpsState property, setting its value to "FtpsOnly" or "Disabled" if you don't need FTPS enabled.
API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.
Recommendation: To use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks, in the Microsoft.Web/Sites resource properties, add (or update) the httpsOnly property, setting its value to true.
API apps should require the latest TLS version.
Recommendation:
To enforce the latest TLS version, in the Microsoft.Web/sites/config resource properties, add (or update) the minTlsVersion property, setting its value to 1.2.
Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.
Recommendation: To allow only required domains to interact with your API app, in the Microsoft.Web/sites/config resource cors settings object, add (or update) the allowedOrigins property, setting its value to an array of allowed origins. Ensure it is not set to "*" (asterisks allows all origins).
For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
Recommendation: To use Managed Identity, in the Microsoft.Web/sites resource managed identity property, add (or update) the type property, setting its value to "SystemAssigned" or "UserAssigned" and providing any necessary identifiers for the identity if required.
Remote debugging requires inbound ports to be opened on a function app. These ports become easy targets for compromise from various internet based attacks. If you no longer need to use remote debugging, it should be turned off.
Recommendation: To disable remote debugging, in the Microsoft.Web/sites/config resource properties, remove the remoteDebuggingEnabled property or update its value to false.
Enable FTPS enforcement for enhanced security.
Recommendation: To enforce FTPS, in the Microsoft.Web/sites/config resource properties, add (or update) the ftpsState property, setting its value to "FtpsOnly" or "Disabled" if you don't need FTPS enabled.
Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.
Recommendation: To use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks, in the Microsoft.Web/Sites resource properties, add (or update) the httpsOnly property, setting its value to true.
Function apps should require the latest TLS version.
Recommendation:
To enforce the latest TLS version, in the Microsoft.Web/sites/config resource properties, add (or update) the minTlsVersion property, setting its value to 1.2.
Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app.
Recommendation: To allow only required domains to interact with your function app, in the Microsoft.Web/sites/config resource cors settings object, add (or update) the allowedOrigins property, setting its value to an array of allowed origins. Ensure it is not set to "*" (asterisks allows all origins).
For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
Recommendation: To use Managed Identity, in the Microsoft.Web/sites resource managed identity property, add (or update) the type property, setting its value to "SystemAssigned" or "UserAssigned" and providing any necessary identifiers for the identity if required.
Remote debugging requires inbound ports to be opened on a web application. These ports become easy targets for compromise from various internet based attacks. If you no longer need to use remote debugging, it should be turned off.
Recommendation: To disable remote debugging, in the Microsoft.Web/sites/config resource properties, remove the remoteDebuggingEnabled property or update its value to false.
Enable FTPS enforcement for enhanced security.
Recommendation: To enforce FTPS, in the Microsoft.Web/sites/config resource properties, add (or update) the ftpsState property, setting its value to "FtpsOnly" or "Disabled" if you don't need FTPS enabled.
Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.
Recommendation: To use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks, in the Microsoft.Web/Sites resource properties, add (or update) the httpsOnly property, setting its value to true.
Web apps should require the latest TLS version.
Recommendation:
To enforce the latest TLS version, in the Microsoft.Web/sites/config resource properties, add (or update) the minTlsVersion property, setting its value to 1.2.
Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Web application. Allow only required domains to interact with your web app.
Recommendation: To allow only required domains to interact with your web app, in the Microsoft.Web/sites/config resource cors settings object, add (or update) the allowedOrigins property, setting its value to an array of allowed origins. Ensure it is not set to "*" (asterisks allows all origins).
For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
Recommendation: To use Managed Identity, in the Microsoft.Web/sites resource managed identity property, add (or update) the type property, setting its value to "SystemAssigned" or "UserAssigned" and providing any necessary identifiers for the identity if required.
You should only use built-in roles instead of cutom RBAC roles. Custom RBAC roles are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.
Recommendation: Use built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles
It is important to enable encryption of Automation account variable assets when storing sensitive data. This step can only be taken at creation time. If you have Automation Account Variables storing sensitive data that are not already encrypted, then you will need to delete them and recreate them as encrypted variables. To apply encryption of the Automation account variable assets, in Azure PowerShell - run the following command: Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'
Recommendation: Enable encryption of Automation account variable assets
Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
Recommendation: To enable only connections via SSL to Redis Cache, in the Microsoft.Cache/Redis resource properties, update the value of the enableNonSslPort property from true to false or remove the property from the template as the default value is false.
To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.
Recommendation: Restrict access by defining authorized IP ranges or set up your API servers as private clusters
To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process.
Recommendation: Enable RBAC in Kubernetes clusters
Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. Running on older versions could mean you are not using latest security classes. Usage of such old classes and types can make your application vulnerable.
Recommendation: To upgrade Kubernetes service clusters, in the Microsoft.ContainerService/managedClusters resource properties, update the kubernetesVersion property, setting its value to one of the following versions (making sure to specify the minor version number): 1.11.9+, 1.12.7+, 1.13.5+, or 1.14.0+.
Service Fabric clusters should only use Azure Active Directory for client authentication. A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer, Visual Studio and PowerShell. Access to the cluster must be controlled using AAD.
Recommendation: Enable AAD client authentication on your Service Fabric clusters
Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.
Recommendation: To enable transparent data encryption, in the Microsoft.Sql/servers/databases/transparentDataEncryption resource properties, add (or update) the value of the state property to enabled.
TA-000028: SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
Set the data retention for your SQL Server's auditing to storage account destination to at least 90 days.
Recommendation: For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days, in the Microsoft.Sql/servers/auditingSettings resource properties, using the retentionDays property. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.