Azure security baseline for ExpressRoute
This security baseline applies guidance from the Azure Security Benchmark version 1.0 to ExpressRoute. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to ExpressRoute.
When a feature has relevant Azure Policy Definitions they are listed in this baseline, to help you measure compliance to the Azure Security Benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Note
Controls not applicable to ExpressRoute, or for which the responsibility is Microsoft's, have been excluded. To see how ExpressRoute completely maps to the Azure Security Benchmark, see the full ExpressRoute security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
1.9: Maintain standard security configurations for network devices
Guidance: Define and implement standard security configurations for Azure ExpressRoute with Azure Policy. Use Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to audit or enforce the network configuration of your ExpressRoute.
Responsibility: Customer
1.10: Document traffic configuration rules
Guidance: Use tags for your Azure ExpressRoute instances to provide metadata and logical organization.
Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value" to ensure that all resources are created with tags and to notify you of existing untagged resources.
You may use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.
Responsibility: Customer
1.11: Use automated tools to monitor network resource configurations and detect changes
Guidance: Use Azure Activity Log to monitor network resource configurations and detect changes for network resources related to your ExpressRoute connections. Create alerts within Azure Monitor that will trigger when changes to critical resources take place.
Responsibility: Customer
Logging and Monitoring
For more information, see the Azure Security Benchmark: Logging and Monitoring.
2.2: Configure central security log management
Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Activity logs provide insight into the operations that were performed on your Azure ExpressRoute resources at the control plane level. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your ExpressRoute resources.
Responsibility: Customer
2.3: Enable audit logging for Azure resources
Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Activity logs provide insight into the operations that were performed on your Azure ExpressRoute resources at the control plane level. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for your ExpressRoute resources.
Responsibility: Customer
2.5: Configure security log storage retention
Guidance: In Azure Monitor, set log retention period for Log Analytics workspaces associated with your Azure ExpressRoute resources according to your organization's compliance regulations.
Responsibility: Customer
2.6: Monitor and review logs
Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace. Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and provide many other insights based on the Activity Log Data that may have been collected for Azure ExpressRoute.
Responsibility: Customer
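The export-and-review procedure in controls 2.2, 2.3 and 2.6 above, expressed as Azure CLI calls. This is an added example, not code from the baseline page or from Microsoft: the subscription ID and workspace identifiers are placeholders, the `az monitor diagnostic-settings subscription create` syntax is assumed to match current Azure CLI releases, and the KQL relies on the standard `AzureActivity` table columns. With `DRY_RUN=1` (the default) the script prints each command instead of running it, so it can be reviewed offline; set `DRY_RUN=0` to apply it against a signed-in subscription.

```shell
#!/usr/bin/env bash
# Added example (not from the baseline page): ship the subscription Activity Log to a
# Log Analytics workspace, then query it for ExpressRoute control-plane writes.
# DRY_RUN=1 (default) prints each Azure CLI call instead of executing it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder
# Diagnostic settings want the workspace *resource ID*; log-analytics query wants its *customer ID* (GUID).
WORKSPACE_RESOURCE_ID="${WORKSPACE_RESOURCE_ID:-/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-central}"  # placeholder
WORKSPACE_CUSTOMER_ID="${WORKSPACE_CUSTOMER_ID:-99999999-9999-9999-9999-999999999999}"  # placeholder

# 2.2 / 2.3: subscription-level diagnostic setting. The Administrative category carries the
# PUT/POST/DELETE control-plane writes the baseline talks about.
export_activity_log() {
  run az monitor diagnostic-settings subscription create \
    --name "activity-to-law" \
    --location "westeurope" \
    --workspace "$WORKSPACE_RESOURCE_ID" \
    --logs '[{"category":"Administrative","enabled":true},{"category":"Security","enabled":true},{"category":"Policy","enabled":true}]'
}

# 2.6: KQL answering "what, who, and when" for ExpressRoute write/delete operations.
# startswith "Microsoft.Network/expressRoute" covers circuits, gateways, cross-connections
# and their child resources (peerings, authorizations). $1 = look-back window in days.
expressroute_change_query() {
  days="${1:-7}"
  cat <<EOF
AzureActivity
| where TimeGenerated > ago(${days}d)
| where ResourceProviderValue =~ "Microsoft.Network"
| where OperationNameValue startswith "Microsoft.Network/expressRoute"
| where OperationNameValue endswith "/write" or OperationNameValue endswith "/delete"
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, _ResourceId
| order by TimeGenerated desc
EOF
}

# Runs the query against the workspace; --timespan is an ISO 8601 duration.
review_expressroute_changes() {
  run az monitor log-analytics query \
    --workspace "$WORKSPACE_CUSTOMER_ID" \
    --analytics-query "$(expressroute_change_query 7)" \
    --timespan P7D \
    --output table
}

export_activity_log
review_expressroute_changes
```

The same query pasted into the Log Analytics portal gives the review view directly; keeping it in a script lets the look-back window and the workspace be parameterised per environment.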
2.7: Enable alerts for anomalous activities
Guidance: You can configure alerts based on metrics and activity logs related to your Azure ExpressRoute resources. Azure Monitor allows you to configure an alert to send an email notification, call a webhook, or invoke an Azure Logic App.
Responsibility: Customer
Identity and Access Control
For more information, see the Azure Security Benchmark: Identity and Access Control.
3.1: Maintain an inventory of administrative accounts
Guidance: Maintain an inventory of the user accounts that have administrative access to the control plane (e.g. Azure portal) of your Azure ExpressRoute resources.
You can use the Identity and Access control (IAM) pane in the Azure portal for your subscription to configure Azure role-based access control (Azure RBAC). The roles are applied to users, groups, service principals, and managed identities in Active Directory.
Additionally, partners using the ExpressRoute Partner Resource Manager API can apply Role-Based Access Control to the expressRouteCrossConnection resource. These controls can define permissions for which user accounts can modify the expressRouteCrossConnection resource and add/update/delete peering configurations.
Responsibility: Customer
3.2: Change default passwords where applicable
Guidance: Azure Active Directory (Azure AD) does not have the concept of default passwords. Other Azure resources requiring a password force a password to be created with complexity requirements and a minimum password length, which differs depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.
Responsibility: Customer
3.3: Use dedicated administrative accounts
Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Microsoft Defender for Cloud Identity and Access Management to monitor the number of administrative accounts.
Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Microsoft Defender for Cloud or built-in Azure Policies, such as:
- There should be more than one owner assigned to your subscription
- Deprecated accounts with owner permissions should be removed from your subscription
- External accounts with owner permissions should be removed from your subscription
Responsibility: Customer
3.4: Use Azure Active Directory single sign-on (SSO)
Guidance: Not applicable; single sign-on (SSO) adds security and convenience when users sign in to custom applications in Azure Active Directory (Azure AD). Access to the Azure ExpressRoute control plane (e.g. Azure portal) is already integrated with Azure AD and is accessed through the Azure portal as well as the Azure Resource Manager REST API.
Responsibility: Customer
3.5: Use multi-factor authentication for all Azure Active Directory-based access
Guidance: Enable Azure Active Directory (Azure AD) Multi-Factor Authentication and follow Microsoft Defender for Cloud Identity and Access Management recommendations.
Responsibility: Customer
3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks
Guidance: Use a Privileged Access Workstation (PAW) with Azure Active Directory (Azure AD) Multi-Factor Authentication enabled to log into and configure your Microsoft Sentinel-related resources.
Responsibility: Customer
3.7: Log and alert on suspicious activities from administrative accounts
Guidance: Use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) for generation of logs and alerts when suspicious or unsafe activity occurs in the environment.
In addition, use Azure AD risk detections to view alerts and reports on risky user behavior.
Responsibility: Customer
3.8: Manage Azure resources from only approved locations
Guidance: Use Conditional Access Named Locations to allow access to the Azure portal from only specific logical groupings of IP address ranges or countries/regions.
Responsibility: Customer
3.9: Use Azure Active Directory
Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for your Microsoft Sentinel instances. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.
Responsibility: Customer
3.10: Regularly review and reconcile user access
Guidance: Azure Active Directory (Azure AD) provides logs to help you discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.
Responsibility: Customer
3.11: Monitor attempts to access deactivated credentials
Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for your Azure ExpressRoute resources. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.
You have access to Azure AD sign-in activity, audit and risk event log sources, which allow you to integrate with Microsoft Sentinel or a third-party SIEM.
You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can configure desired log alerts within Log Analytics.
Responsibility: Customer
3.12: Alert on account sign-in behavior deviation
Guidance: For account login behavior deviation on the control plane (e.g. Azure portal), use Azure Active Directory (Azure AD) Identity Protection and risk detection features to configure automated responses to detected suspicious actions related to user identities. You can also ingest data into Microsoft Sentinel for further investigation.
Responsibility: Customer
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
4.4: Encrypt all sensitive information in transit
Guidance: IPsec is an IETF standard. It encrypts data at the Internet Protocol (IP) level or Network Layer 3. You can use IPsec to encrypt an end-to-end connection between your on-premises network and your virtual network (VNET) on Azure.
Responsibility: Shared
4.6: Use Azure RBAC to control access to resources
Guidance: You can use the Identity and Access control (IAM) pane in the Azure portal for your subscription to configure Azure role-based access control (Azure RBAC). The roles are applied to users, groups, service principals, and managed identities in Active Directory. You can use built-in roles or custom roles for individuals and groups.
Azure ExpressRoute also has circuit owner and circuit user roles. Circuit users are owners of virtual network gateways that are not within the same subscription as the ExpressRoute circuit. The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization results in all link connections being deleted from the subscription whose access was revoked. Circuit users can redeem authorizations (one authorization per virtual network).
Additionally, partners using the ExpressRoute Partner Resource Manager API can apply Role-Based Access Control to the expressRouteCrossConnection resource. These controls can define permissions for which user accounts can modify the expressRouteCrossConnection resource and add/update/delete peering configurations.
Responsibility: Customer
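The circuit-owner / circuit-user model described in control 4.6, plus a role assignment scoped to the circuit resource rather than the subscription, as an added Azure CLI example (not code from the baseline page or from Microsoft). Subscription IDs, resource group, circuit and gateway names and the principal object ID are placeholders; the Reader assignment illustrates resource-scoped Azure RBAC and is not something the authorization flow itself requires. `DRY_RUN=1` (default) prints the commands; `DRY_RUN=0` executes them.

```shell
#!/usr/bin/env bash
# Added example (not from the baseline page): ExpressRoute circuit authorizations
# (owner creates/reviews/revokes, user redeems) and a circuit-scoped role assignment.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

OWNER_SUB="${OWNER_SUB:-11111111-1111-1111-1111-111111111111}"   # placeholder: subscription holding the circuit
OWNER_RG="${OWNER_RG:-rg-er-hub}"                                # placeholder
CIRCUIT="${CIRCUIT:-er-circuit-hub}"                             # placeholder
USER_SUB="${USER_SUB:-22222222-2222-2222-2222-222222222222}"     # placeholder: circuit user's subscription
USER_RG="${USER_RG:-rg-spoke-prod}"                              # placeholder
USER_GATEWAY="${USER_GATEWAY:-gw-spoke-prod}"                    # placeholder: circuit user's VNet gateway

# Full ARM resource ID of the circuit; used both as an RBAC scope and as the redemption target.
circuit_id() {
  echo "/subscriptions/$OWNER_SUB/resourceGroups/$OWNER_RG/providers/Microsoft.Network/expressRouteCircuits/$CIRCUIT"
}

# Circuit owner: least privilege. Reader on this one circuit lets a principal inspect it
# but not create or revoke authorizations. $1 = object ID of a user, group or service principal.
grant_circuit_reader() {
  run az role assignment create --assignee "$1" --role "Reader" --scope "$(circuit_id)"
}

# Circuit owner: one authorization per virtual network that may link to the circuit.
# The key is shown once here and must be handed to the circuit user out of band. $1 = authorization name.
create_authorization() {
  run az network express-route auth create --circuit-name "$CIRCUIT" --resource-group "$OWNER_RG" --name "$1"
  run az network express-route auth show   --circuit-name "$CIRCUIT" --resource-group "$OWNER_RG" --name "$1" --query authorizationKey --output tsv
}

# Circuit owner: periodic review of who holds authorizations and whether each is redeemed.
list_authorizations() {
  run az network express-route auth list --circuit-name "$CIRCUIT" --resource-group "$OWNER_RG" --output table
}

# Circuit owner: revoking deletes the link connection in the circuit user's subscription. $1 = authorization name.
revoke_authorization() {
  run az network express-route auth delete --circuit-name "$CIRCUIT" --resource-group "$OWNER_RG" --name "$1"
}

# Circuit user (other subscription): redeem by connecting the VNet gateway to the circuit ID
# with the key. $1 = authorization key received from the owner.
redeem_authorization() {
  run az network vpn-connection create \
    --subscription "$USER_SUB" --resource-group "$USER_RG" --name "conn-$CIRCUIT" \
    --vnet-gateway1 "$USER_GATEWAY" --express-route-circuit2 "$(circuit_id)" --authorization-key "$1"
}

grant_circuit_reader "33333333-3333-3333-3333-333333333333"   # placeholder object ID
create_authorization "$USER_GATEWAY"
list_authorizations
redeem_authorization "<key-from-owner>"
revoke_authorization "$USER_GATEWAY"
```

Naming each authorization after the consuming gateway makes `auth list` a readable inventory, and revoking by that name is then unambiguous.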
4.9: Log and alert on changes to critical Azure resources
Guidance: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to production instances of Azure ExpressRoute and other critical or related resources.
Responsibility: Customer
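Controls 1.11, 2.7 and 4.9 all come down to Activity Log alert rules that fire on control-plane changes. Added Azure CLI example, not code from the baseline page or from Microsoft: subscription ID, resource group and the on-call address are placeholders, and the `--condition` field syntax (`category=... and resourceType=...`) is assumed to match current Azure CLI releases. `DRY_RUN=1` (default) prints the commands; `DRY_RUN=0` executes them.

```shell
#!/usr/bin/env bash
# Added example (not from the baseline page): one Activity Log alert rule per
# ExpressRoute-related resource type, wired to an action group.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-network-prod}"                         # placeholder
ACTION_GROUP="er-change-alerts"
ONCALL_EMAIL="${ONCALL_EMAIL:-netops-oncall@example.com}"                   # placeholder

# Who gets notified. Email here; add further --action entries for a webhook or Logic App.
create_action_group() {
  run az monitor action-group create \
    --name "$ACTION_GROUP" --resource-group "$RESOURCE_GROUP" --short-name "erchg" \
    --action email oncall "$ONCALL_EMAIL"
}

# The Administrative category is every write/delete/action operation, so changes to
# circuits, peerings, authorizations, gateways and connections all trigger. Scope is the
# subscription; narrow it to a resource group ID for production-only alerting.
create_change_alerts() {
  for rt in \
    Microsoft.Network/expressRouteCircuits \
    Microsoft.Network/expressRouteGateways \
    Microsoft.Network/virtualNetworkGateways \
    Microsoft.Network/connections
  do
    short="${rt##*/}"   # e.g. expressRouteCircuits
    run az monitor activity-log alert create \
      --name "alert-change-$short" \
      --resource-group "$RESOURCE_GROUP" \
      --scope "/subscriptions/$SUBSCRIPTION_ID" \
      --condition "category=Administrative and resourceType=$rt" \
      --action-group "$ACTION_GROUP" \
      --description "Control-plane change to $rt"
  done
}

# Lists the rules that exist so the set above can be reconciled against what is deployed.
list_change_alerts() {
  run az monitor activity-log alert list --resource-group "$RESOURCE_GROUP" --query "[].{name:name,enabled:enabled}" --output table
}

create_action_group
create_change_alerts
list_change_alerts
```

Because the condition is on resource type rather than a single operation name, a newly introduced operation (for example a new peering sub-resource) is still caught without editing the rule.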
Inventory and Asset Management
For more information, see the Azure Security Benchmark: Inventory and Asset Management.
6.1: Use automated asset discovery solution
Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.
Although classic Azure resources may be discovered via Resource Graph, it is highly recommended that you create and use Azure Resource Manager resources going forward.
Responsibility: Customer
6.3: Delete unauthorized Azure resources
Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.
In addition, use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:
- Not allowed resource types
- Allowed resource types
Responsibility: Customer
6.5: Monitor for unapproved Azure resources
Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).
Use Azure Resource Graph to query/discover resources within your subscription(s). Ensure that all Azure resources present in the environment are approved.
Responsibility: Customer
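An Azure Resource Graph inventory for controls 6.1, 6.3 and 6.5: one query lists every ExpressRoute resource the caller can read across all subscriptions, and a second view keeps only the items that fail a simple reconciliation rule (missing owner or environment tag, or classic operations enabled). Added example, not code from the baseline page or from Microsoft; the tag names are placeholders for your own convention and the `resource-graph` CLI extension is assumed. `DRY_RUN=1` (default) prints the commands; `DRY_RUN=0` executes them.

```shell
#!/usr/bin/env bash
# Added example (not from the baseline page): Resource Graph inventory of ExpressRoute
# resources with a needsReview flag for reconciliation.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

OWNER_TAG="${OWNER_TAG:-owner}"          # placeholder tag convention
ENV_TAG="${ENV_TAG:-environment}"        # placeholder tag convention

# Resource Graph KQL. Type values in Graph are lower-case, so compare with in~.
# sku.tier and properties.allowClassicOperations are circuit properties; they are null
# for gateways and cross-connections, which is fine for an inventory row.
expressroute_inventory_query() {
  cat <<EOF
Resources
| where type in~ ("microsoft.network/expressroutecircuits", "microsoft.network/expressroutegateways", "microsoft.network/expressroutecrossconnections")
| extend owner = tostring(tags["$OWNER_TAG"]), env = tostring(tags["$ENV_TAG"])
| extend skuTier = tostring(sku.tier), classicOps = tobool(properties.allowClassicOperations)
| extend needsReview = isempty(owner) or isempty(env) or classicOps == true
| project subscriptionId, resourceGroup, name, type, location, skuTier, classicOps, owner, env, needsReview
| order by needsReview desc, subscriptionId asc, name asc
EOF
}

# Same query narrowed to the rows that fail the rule: the candidates for tagging,
# owner confirmation, or deletion under 6.3.
unapproved_only_query() {
  expressroute_inventory_query
  echo '| where needsReview'
}

run_inventory() {
  run az extension add --name resource-graph --upgrade
  run az graph query --graph-query "$(expressroute_inventory_query)" --first 1000 --output table
  run az graph query --graph-query "$(unapproved_only_query)" --first 1000 --output table
}

run_inventory
```

Resource Graph only returns what the caller can read, so run this with an identity that has Reader at the management group or tenant root level; otherwise an empty result is indistinguishable from "no resources".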
6.9: Use only approved Azure services
Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions:
- Not allowed resource types
- Allowed resource types
Responsibility: Customer
6.11: Limit users' ability to interact with Azure Resource Manager
Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App.
Responsibility: Customer
Secure Configuration
For more information, see the Azure Security Benchmark: Secure Configuration.
7.1: Establish secure configurations for all Azure resources
Guidance: Define and implement standard security configurations for Azure ExpressRoute with Azure Policy. Use Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to audit or enforce the network configuration of your ExpressRoute.
Responsibility: Customer
7.7: Deploy configuration management tools for Azure resources
Guidance: Define and implement standard security configurations for Azure ExpressRoute with Azure Policy. Use Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to audit or enforce the network configuration of your ExpressRoute.
Responsibility: Customer
7.9: Implement automated configuration monitoring for Azure resources
Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.Network" namespace to create custom policies to alert, audit, and enforce system configurations. Use Azure Policy [audit], [deny], and [deploy if not exist] to automatically enforce configurations for your Azure resources.
Responsibility: Customer
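Controls 1.9, 7.1, 7.7 and 7.9 all point at the same mechanism: a custom Azure Policy definition built on aliases in the "Microsoft.Network" namespace. The added example below (not code from the baseline page or from Microsoft) defines a policy that audits, or with a parameter change denies, ExpressRoute circuits that have classic operations enabled, assigns it at subscription scope, and lists the non-compliant circuits. Assumptions: the alias `Microsoft.Network/expressRouteCircuits/allowClassicOperations` follows the ARM property path, which you can confirm with `az provider show --namespace Microsoft.Network --expand "resourceTypes/aliases"`; the subscription ID is a placeholder. `DRY_RUN=1` (default) prints the commands; `DRY_RUN=0` executes them.

```shell
#!/usr/bin/env bash
# Added example (not from the baseline page): custom Azure Policy on a Microsoft.Network
# alias, audit-first with a switch to Deny, assigned at subscription scope.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder
POLICY_NAME="audit-expressroute-classic-operations"

# Writes rule.json and params.json into $1. The effect is a parameter so the same
# definition can run as Audit first and be flipped to Deny once existing circuits are clean.
write_policy_files() {
  cat > "$1/rule.json" <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Network/expressRouteCircuits" },
      { "field": "Microsoft.Network/expressRouteCircuits/allowClassicOperations", "equals": "true" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
EOF
  cat > "$1/params.json" <<'EOF'
{
  "effect": {
    "type": "String",
    "metadata": { "displayName": "Effect", "description": "Audit to report, Deny to block creation or update" },
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
EOF
}

# Creates the definition and assigns it. Mode Indexed evaluates only resource types that
# support tags and location, which ExpressRoute circuits do.
# $1 = directory holding rule.json and params.json, $2 = effect to assign (Audit|Deny)
deploy_policy() {
  run az policy definition create \
    --name "$POLICY_NAME" \
    --display-name "ExpressRoute circuits should not allow classic operations" \
    --description "Flags circuits with allowClassicOperations=true; classic deployment-model operations sit outside the Resource Manager controls this baseline relies on." \
    --mode Indexed \
    --rules "$1/rule.json" \
    --params "$1/params.json"
  run az policy assignment create \
    --name "$POLICY_NAME" \
    --policy "$POLICY_NAME" \
    --scope "/subscriptions/$SUBSCRIPTION_ID" \
    --params "{\"effect\":{\"value\":\"$2\"}}"
}

# Compliance results once the assignment has been evaluated (7.9: automated monitoring).
list_noncompliant() {
  run az policy state list \
    --policy-assignment "$POLICY_NAME" \
    --filter "complianceState eq 'NonCompliant'" \
    --query "[].resourceId" --output tsv
}

OUT_DIR="$(mktemp -d)"
write_policy_files "$OUT_DIR"
deploy_policy "$OUT_DIR" Audit
list_noncompliant
```

The same shape works for any other circuit property exposed as an alias (SKU tier, peering location, and so on): change the `field` in `rule.json` and the display text, keep the parameterised effect.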
7.13: Eliminate unintended credential exposure
Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
Responsibility: Customer
Malware Defense
For more information, see the Azure Security Benchmark: Malware Defense.
8.2: Pre-scan files to be uploaded to non-compute Azure resources
Guidance: Microsoft Anti-malware is enabled on the underlying host that supports Azure services (for example, Azure ExpressRoute), however it does not run on customer content.
It is your responsibility to pre-scan any content being uploaded to non-compute Azure resources. Microsoft cannot access customer data, and therefore cannot conduct anti-malware scans of customer content on your behalf.
Responsibility: Customer
Incident Response
For more information, see the Azure Security Benchmark: Incident Response.
10.1: Create an incident response guide
Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.
For more information, see the following references:
- How to configure Workflow Automation within Microsoft Defender for Cloud
- Guidance on building your own security incident response process
Responsibility: Customer
10.2: Create an incident scoring and prioritization procedure
Guidance: Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Additionally, clearly mark subscriptions (for example, production and non-production) and create a naming system to clearly identify and categorize Azure resources.
Responsibility: Customer
10.3: Test security response procedures
Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.
Responsibility: Customer
10.4: Provide security incident contact details and configure alert notifications for security incidents
Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.
Responsibility: Customer
10.5: Incorporate security alerts into your incident response system
Guidance: Export your Microsoft Defender for Cloud alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel.
Responsibility: Customer
10.6: Automate the response to security alerts
Guidance: Use the Workflow Automation feature in Microsoft Defender for Cloud to automatically trigger responses via "Logic Apps" on security alerts and recommendations.
Responsibility: Customer
Penetration Tests and Red Team Exercises
For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.
11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings
Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Refer to Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Shared
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines