Azure security baseline for Azure Arc-enabled servers
Article
This security baseline applies guidance from the Microsoft cloud security benchmark version 1.0 to Azure Arc-enabled servers. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to Azure Arc-enabled servers.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud portal page.
When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance with the Microsoft cloud security benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Description: Service supports deployment into customer's private Virtual Network (VNet). Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
NS-2: Secure cloud services with network controls
Features
Azure Private Link
Description: Service native IP filtering capability for filtering network traffic (not to be confused with NSG or Azure Firewall). Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
False
Customer
Configuration Guidance: Deploy private endpoints for all Azure resources that support the Private Link feature to establish a private access point for the resources.
Description: Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
False
Customer
Configuration Guidance: Disable public network access either using the service-level IP ACL filtering rule or a toggling switch for public network access.
Local Authentication Methods for Data Plane Access
Description: Local authentications methods supported for data plane access, such as a local username and password. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
False
Customer
Feature notes: Local authentication is only used when connecting to the server using SSH or Windows Admin Center. Avoid the usage of local authentication methods or accounts, these should be disabled wherever possible. Instead use Azure AD to authenticate where possible.
Configuration Guidance: Restrict the use of local authentication methods for data plane access. Instead, use Azure Active Directory (Azure AD) as the default authentication method to control your data plane access.
Description: Data plane supports authentication using service principals. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
False
Customer
Configuration Guidance: There is no current Microsoft guidance for this feature configuration. Please review and determine if your organization wants to configure this security feature.
PA-1: Separate and limit highly privileged/administrative users
Features
Local Admin Accounts
Description: Service has the concept of a local administrative account. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
False
Customer
Feature notes: Avoid the usage of local authentication methods or accounts, these should be disabled wherever possible. Instead use Azure AD to authenticate where possible.
Configuration Guidance: If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.
DP-1: Discover, classify, and label sensitive data
Features
Sensitive Data Discovery and Classification
Description: Tools (such as Azure Purview or Azure Information Protection) can be used for data discovery and classification in the service. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
DP-3: Encrypt sensitive data in transit
Features
Data in Transit Encryption
Description: Service supports data in-transit encryption for data plane. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
True
Microsoft
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines.
Description: Data at-rest encryption using platform keys is supported, any customer content at rest is encrypted with these Microsoft managed keys. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
True
Microsoft
Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
Description: Service configurations can be monitored and enforced via Azure Policy. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
False
Customer
Configuration Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exists] effects to enforce secure configuration across Azure resources.
Description: Service has an offering-specific Microsoft Defender solution to monitor and alert on security issues. Learn more.
Supported
Enabled By Default
Configuration Responsibility
True
False
Customer
Configuration Guidance: Use Azure Active Directory (Azure AD) as the default authentication method to control your management plane access. When you get an alert from Microsoft Defender for Key Vault, investigate and respond to the alert.
Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or log analytics workspace. Learn more.
Supported
Enabled By Default
Configuration Responsibility
False
Not Applicable
Not Applicable
Configuration Guidance: This feature is not supported to secure this service.
Learn about the benefits of and how to onboard Azure Arc-enabled servers to Microsoft Defender for Cloud, Microsoft Defender for Servers, and Microsoft Sentinel.
Demonstrate the skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities.
Lists Azure Policy Regulatory Compliance controls available for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.