Security Recommendations for Azure Marketplace Images
Your image must meet these security configuration recommendations. This helps maintain a high level of security for partner solution images in the Azure Marketplace.
Always run a security vulnerability detection on your image prior to submitting. If you detect a security vulnerability in your own published image, you must inform your customers in a timely manner of both the vulnerability and how to correct it.
Open Source-based Images
| Category | Check |
|---|---|
| Security | Install all the latest security patches for the Linux distribution. |
| Security | Follow industry guidelines to secure the VM image for the specific Linux distribution. |
| Security | Limit the attack surface by keeping minimal footprint with only necessary Windows Server roles, features, services, and networking ports. |
| Security | Scan source code and resulting VM image for malware. |
| Security | The VHD image only includes necessary locked accounts that do not have default passwords that would allow interactive login; no back doors. |
| Security | Disable firewall rules unless application functionally relies on them, such as a firewall appliance. |
| Security | Remove all sensitive information from the VHD image, such as test SSH keys, known hosts file, log files, and unnecessary certificates. |
| Security | Avoid using LVM. |
| Security | Include the latest versions of required libraries: - OpenSSL v1.0 or greater - Python 2.5 or above (Python 2.6+ is highly recommended) - Python pyasn1 package if not already installed - d.OpenSSL v 1.0 or greater |
| Security | Clear Bash/Shell history entries. |
| Networking | Include the SSH server by default. Set SSH keep alive to sshd config with the following option: ClientAliveInterval 180. |
| Networking | Remove any custom network configuration from the image. Delete the resolv.conf: rm /etc/resolv.conf. |
| Deployment | Install the latest Azure Linux Agent. - Install using the RPM or Deb package. - You may also use the manual install process, but the installer packages are recommended and preferred. - If installing the agent manually from the GitHub repository, first copy the waagent file to /usr/sbin and run (as root): # chmod 755 /usr/sbin/waagent # /usr/sbin/waagent -install The agent configuration file is placed at /etc/waagent.conf. |
| Deployment | Ensure Azure Support can provide our partners with serial console output when needed and provide adequate timeout for OS disk mounting from cloud storage. Add the following parameters to the image Kernel Boot Line: console=ttyS0 earlyprintk=ttyS0 rootdelay=300. |
| Deployment | No swap partition on the OS disk. Swap can be requested for creation on the local resource disk by the Linux Agent. |
| Deployment | Create a single root partition for the OS disk. |
| Deployment | 64-bit operating system only. |
Windows Server-based Images
| Category | Check |
|---|---|
| Security | Use a secure OS base image. The VHD used for the source of any image based on Windows Server must be from the Windows Server OS images provided through Microsoft Azure. |
| Security | Install all latest security updates. |
| Security | Applications should not depend on restricted user names like administrator, root, or admin. |
| Security | Enable BitLocker Drive Encryption for both OS hard drives and data hard drives. |
| Security | Limit the attack surface by keeping minimal footprint with only necessary Windows Server roles, features, services, and networking ports enabled. |
| Security | Scan source code and resulting VM image for malware. |
| Security | Set Windows Server images security update to auto-update. |
| Security | The VHD image only includes necessary locked accounts that do not have default passwords that would allow interactive login; no back doors. |
| Security | Disable firewall rules unless application functionally relies on them, such as a firewall appliance. |
| Security | Remove all sensitive information from the VHD image, including HOSTS files, log files, and unnecessary certificates. |
| Deployment | 64-bit operating system only. |
Even if your organization does not have images in the Azure marketplace, consider checking your Windows and Linux image configurations against these recommendations.
Feedback
Submit and view feedback for