Web security baseline assessment feature now in public preview

We are pleased to announce the public preview of the web security baseline assessment feature. You can scan Internet Information Services (IIS) web servers in any environment, including on-premises, Azure, and other cloud platforms monitored by Operations Management Suite (OMS). The feature checks for security vulnerabilities and provides configuration recommendations.

The web security baseline assessment helps identify potentially vulnerable web server settings. The three primary sources for the web baseline configurations on web servers are: .NET, ASP.NET, and IIS configuration. IIS configurations are highly customizable, enabling users to override granular settings for sites and for applications running under those sites. The scanner checks the settings at each application or site level, as well as at the default root level, and compares them to what Microsoft recommends for security. This helps you identify potentially vulnerable settings and quickly remediate problems. Similar to the OMS security baseline assessment, the OMS security and audit solution scans web servers running IIS every 24 hours and shows their security state in the OMS security and audit dashboard.
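The following added example (not the OMS scanner's code and not from the original post) shows why a check has to run at every level: it resolves one setting from the root down through site and application overrides and compares each effective value to a baseline. The configuration fragment is constructed, and the single rule and its expected value are assumptions for illustration, not the OMS rule set.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an IIS applicationHost.config (not from the page).
SAMPLE_CONFIG = """
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <directoryBrowse enabled="true" />
    </system.webServer>
  </location>
  <location path="Default Web Site/api">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>
"""

# Hypothetical baseline rule (assumption for illustration, not an OMS rule).
RULE = {"section": "system.webServer/directoryBrowse",
        "attr": "enabled", "expected": "false"}

def read_setting(node, rule):
    """Return the attribute set directly under this node, or None if absent."""
    el = node.find(rule["section"])
    return None if el is None else el.get(rule["attr"])

def effective_value(root, path, rule):
    """Walk root -> site -> application; the deepest level that sets it wins."""
    value = read_setting(root, rule)
    parts = path.split("/") if path else []
    for depth in range(1, len(parts) + 1):
        prefix = "/".join(parts[:depth])
        for loc in root.findall("location"):
            if loc.get("path") == prefix:
                override = read_setting(loc, rule)
                if override is not None:
                    value = override
    return value

def assess(config_xml, scopes, rule):
    """Map each scope ("" is the root) to True when it meets the baseline."""
    root = ET.fromstring(config_xml)
    return {s or "(root)":
            (effective_value(root, s, rule) or "").lower() == rule["expected"]
            for s in scopes}
```

In this sample the root passes while the site fails, and an application with no override of its own inherits the site's failing value, which a root-only check would miss.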

The web security baseline assessment findings are included in the security baseline assessment dashboard. You can see the servers that were assessed, and the unique rules that failed (along with their severity). You can also drill down into more details by selecting the failed rules.

Screenshot of security baseline assessment

Users can create their own queries by using the filters Type=SecurityBaseline or Type=SecurityBaselineSummary, and BaselineType=Web. For more details about how to use this feature, see Web baseline assessment in OMS security and audit solution. By drilling down into each rule, you can find information regarding potential impact, and vulnerabilities associated with the rules.

Screenshot of rule details

In addition to the rules that are currently supported, we plan to support additional rules for evaluation and to integrate the feature into Azure Security Center.

Sarah Andrabi, Software Engineer