In the planning section, I wanted to share more information before enabling Security Center. However, I decided to launch Security Center first and show here what I had intended to show in the planning article.
If you have an Azure subscription, log in to the Azure Portal (portal.azure.com) and find Security Center in the left panel.
If you have not launched Security Center before, you will first see a Welcome page. Go to the Overview tab to view your dashboard.
As you can see, the dashboard above shows almost nothing. There is also a warning at the top, “Your Security Experience may be limited”. The reason is that the Free tier is currently enabled; it is the default, so you do not have to do anything to enable it.
Let’s view the recommendations. I have no VMs or services enabled, so the only recommendations are for my subscription and data collection.
Data collection is disabled in my tier. It used to be enabled and linked to a storage account, but since June 2017 no storage account is required. Here is the Microsoft announcement:
Changes to security data storage and prorated billing starting in June 2017 (phased roll-out)
Starting in June 2017, the following changes will be implemented in a phased roll out:
a) We will migrate customers to a new data platform instead of using Azure Storage. There will be no impact to your service, and you do not need to take any action. Once you have been transitioned to the new platform, you will no longer incur Azure Storage charges for the security data collected by Azure Security Center.
- Customers on the Free tier, after the transition: You will not incur any storage or data charges for as long as you remain on the Free tier.
- Customers on the Standard tier, after the transition: You will not incur any data charges as long as your data size does not exceed the daily ‘Included data’ limit as explained in the pricing table above. Based on observed usage to date, most deployments do not exceed the daily ‘included data’ limit.
Let’s enable data collection. The screenshot below shows that data collection in Security Center is disabled.
Select your subscription and turn data collection on. You can turn it off at any time.
I also strongly recommend enabling email notifications, so that Microsoft can contact you if they believe your system is compromised.
The next step is setting our prevention policy. There is one prevention policy per subscription; if you have multiple subscriptions, you must configure it for each one.
The configuration above shows that we have enabled our policy and data collection. When we add a new VM or any other Azure service, default recommendations will appear in Security Center. After enabling the Standard tier, we can see more detailed recommendations, security alerts and detected attacks.
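As an added example (not part of the original post), the same three settings, data collection, email notification and pricing tier, checked and optionally remediated from PowerShell across every subscription with the Az.Security module. The module, an existing Connect-AzAccount session and the contact address are assumptions.

```powershell
# Added example, not from the original post: audit Security Center settings per subscription.
# Assumes the Az.Security module is installed and Connect-AzAccount has already been run.
# -Remediate turns on data collection, creates a security contact and moves VMs to Standard tier.
param(
    [string]$ContactEmail = "security-alerts@example.com",  # placeholder address, replace it
    [switch]$Remediate
)

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Write-Host "== $($sub.Name) ($($sub.Id))"

    # Data collection is the agent auto-provisioning setting named 'default'
    $auto = Get-AzSecurityAutoProvisioningSetting -Name "default"
    Write-Host "  Data collection (auto-provisioning): $($auto.AutoProvision)"
    if ($auto.AutoProvision -ne "On" -and $Remediate) {
        Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision | Out-Null
        Write-Host "  -> data collection enabled"
    }

    # Email notification is a security contact with alert notifications switched on
    $contact = Get-AzSecurityContact | Select-Object -First 1
    if ($null -eq $contact -or $contact.AlertNotifications -ne "On") {
        Write-Host "  Email notification: MISSING"
        if ($Remediate) {
            Set-AzSecurityContact -Name "default1" -Email $ContactEmail -AlertAdmin -NotifyOnAlert | Out-Null
            Write-Host "  -> contact $ContactEmail created, alerts sent to contact and subscription admins"
        }
    } else {
        Write-Host "  Email notification: On ($($contact.Email))"
    }

    # Pricing tier is set per resource type; the Free tier only yields basic recommendations
    foreach ($p in Get-AzSecurityPricing) {
        Write-Host "  Tier for $($p.Name): $($p.PricingTier)"
    }
    if ($Remediate) {
        Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard" | Out-Null
        Write-Host "  -> VirtualMachines moved to Standard tier"
    }

    # Current recommendations, the same list the portal's Recommendations blade shows
    Get-AzSecurityTask | ForEach-Object { Write-Host "  Recommendation: $($_.RecommendationType)" }
}
```

Run it once without -Remediate to see the state of every subscription before changing anything; the Standard tier is billed, so confirm the pricing before applying that switch.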
| Policy | When state is on |
| --- | --- |
| System updates | Retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that’s configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines. |
| OS vulnerabilities | Analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to address these vulnerabilities. See the list of recommended baselines for more information about the specific configurations that are being monitored. (At this time, Windows Server 2016 is not fully supported.) |
| Endpoint protection | Recommends endpoint protection to be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software. |
| Disk encryption | Recommends enabling disk encryption in all virtual machines to enhance data protection at rest. |
| Network security groups | Recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints. Network security groups that are configured for a subnet are inherited by all virtual machine network interfaces unless otherwise specified. In addition to checking that a network security group has been configured, this policy assesses inbound security rules to identify rules that allow incoming traffic. |
| Web application firewall | Recommends that a web application firewall be provisioned on virtual machines when either of the following is true: an instance-level public IP (ILPIP) is used and the inbound security rules for the associated network security group are configured to allow access to port 80/443; or a load-balanced IP is used and the associated load balancing and inbound network address translation (NAT) rules are configured to allow access to port 80/443. (For more information, see Azure Resource Manager support for Load Balancer.) |
| Next generation firewall | Extends network protections beyond network security groups, which are built into Azure. Security Center will discover deployments for which a next generation firewall is recommended and enable you to provision a virtual appliance. |
| SQL auditing & threat detection | Recommends that auditing of access to Azure Database be enabled for compliance and also advanced threat detection, for investigation purposes. |
| SQL encryption | Recommends that encryption at rest be enabled for your Azure SQL Database, associated backups, and transaction log files. Even if your data is breached, it will not be readable. |
| Vulnerability assessment | Recommends that you install a vulnerability assessment solution on your VM. |
| Storage encryption | Currently, this feature is available for Azure Blobs and Files. After enabling Storage Service Encryption, only new data will be encrypted, and any existing files in this storage account will remain unencrypted. |
| JIT network access | When just in time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic should be locked down. For more information, see Manage virtual machine access using just in time. |