Controls not applicable to Windows Virtual Machines, and those for which the global guidance is recommended verbatim, have been excluded. To see how Windows Virtual Machines completely maps to the Azure Security Benchmark, see the full Windows Virtual Machines security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

1.1: Protect Azure resources within virtual networks

Guidance: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet and configure the VM with a subnet. Ensure that all deployed subnets have a Network Security Group applied with network access controls specific to your application's trusted ports and sources.

Alternatively, if you have a specific use case for a centralized firewall, Azure Firewall can also be used to meet those requirements.

- Virtual networks and virtual machines in Azure
- How to create an NSG with a Security Config
- How to deploy and configure Azure Firewall

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.ClassicCompute:

| Name (Azure portal) | Description |
|---|---|
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at |

Azure Policy built-in definitions - Microsoft.Compute:

| Name (Azure portal) | Description |
|---|---|
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Microsoft Defender for Cloud analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Microsoft Defender for Cloud as recommendations. |

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces

Guidance: Use Microsoft Defender for Cloud to identify and follow network protection recommendations to help secure your Azure Virtual Machine (VM) resources in Azure. Enable NSG flow logs and send the logs into a Storage Account to audit the VMs' traffic for unusual activity.

- Understand Network Security provided by Microsoft Defender for Cloud

Responsibility: Customer

1.3: Protect critical web applications

Guidance: If using your virtual machine (VM) to host web applications, use a network security group (NSG) on the VM's subnet to limit what network traffic, ports and protocols are allowed to communicate. Follow a least-privileged network approach when configuring your NSGs to allow only the traffic your application requires.

You can also deploy Azure Web Application Firewall (WAF) in front of critical web applications for additional inspection of incoming traffic. Enable Diagnostic Settings for WAF and ingest the logs into a Storage Account, Event Hub, or Log Analytics Workspace.

- Create an application gateway with a Web Application Firewall using the Azure portal

Responsibility: Customer

1.4: Deny communications with known-malicious IP addresses

Guidance: Enable Distributed Denial of Service (DDoS) Standard protection on the Virtual Networks to guard against DDoS attacks. Using Microsoft Defender for Cloud Integrated Threat Intelligence, you can monitor communications with known malicious IP addresses. Configure Azure Firewall appropriately on each of your Virtual Network segments, with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic.

You can use Microsoft Defender for Cloud's Just In Time Network access to limit exposure of Windows Virtual Machines to the approved IP addresses for a limited period.
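As an added example (not part of the Microsoft baseline above), the following Python evaluates an NSG exported with `az network nsg show -o json` the way the "Management ports should be closed" policy definition and the least-privilege NSG guidance in 1.3 would: it walks inbound rules in priority order, as Azure does, and reports the management ports that an Internet-wide Allow rule reaches before any Internet-wide Deny. The management-port list, the `INTERNET_SOURCES` set and `SAMPLE_NSG` are assumptions constructed for this example.

```python
import ipaddress
# Assumed management-port list (RDP, SSH, WinRM); tune it to your own baseline.
MGMT_PORTS = (3389, 22, 5985, 5986)
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0/0", "::/0"}

def _field(rule, single, plural):
    """ARM rules carry either a scalar field or its plural list form; merge both."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _port_matches(spec, port):
    """'*', a single port, or an inclusive range such as '3000-4000'."""
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def _source_is_internet(prefix):
    """Wildcards, the Internet tag or a zero-length CIDR; service tags and ASGs are scoped."""
    try:
        return prefix.lower() in INTERNET_SOURCES or ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False

def exposed_management_ports(nsg):
    """Management ports that an Internet-wide inbound Allow rule reaches first.
    Azure evaluates inbound rules in ascending priority and stops at the first match; the
    platform default rule then denies the rest, so only a winning Internet-wide Allow exposes."""
    inbound = sorted((r for r in nsg.get("securityRules", []) if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    exposed = []
    for port in MGMT_PORTS:
        for r in inbound:
            if r.get("protocol", "*").lower() not in ("*", "tcp"):
                continue  # UDP/ICMP-only rules cannot expose a TCP management port
            if not any(_port_matches(p, port) for p in _field(r, "destinationPortRange", "destinationPortRanges")):
                continue
            if not any(_source_is_internet(s) for s in _field(r, "sourceAddressPrefix", "sourceAddressPrefixes")):
                continue  # scoped source: neither exposes nor shields the whole Internet
            if r["access"] == "Allow":
                exposed.append(port)
            break  # first matching rule decides, whether it allows or denies
    return exposed

# Constructed sample in the shape `az network nsg show -o json` emits (not a real NSG).
SAMPLE_NSG = {"name": "vm-nsg", "securityRules": [
    {"name": "AllowRdpFromOffice", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "DenySshFromInternet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "AllowWinRmFromAny", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["5985", "5986"]}]}
```

Running `exposed_management_ports(SAMPLE_NSG)` returns `[5985, 5986]`: RDP is scoped to the office range, SSH is denied before anything allows it, but WinRM is open to the world and is exactly what the policy definition flags.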