Implement security for servers and virtual machines

Implement layered security controls across Azure virtual machines and Arc-enabled hybrid servers. Configure disk encryption options including encryption at host with customer-managed keys and confidential disk encryption. Enable Trusted Launch security features—Secure Boot, vTPM, and integrity monitoring—to protect against boot-level threats. Eliminate public RDP and SSH exposure with Azure Bastion. Extend Azure security governance to on-premises and multicloud servers using Azure Arc. Deploy Microsoft Defender for Servers for vulnerability scanning, endpoint detection, agentless machine scanning, and File Integrity Monitoring. Enforce just-in-time VM access to eliminate permanently open management ports. Apply Azure Machine Configuration to audit and enforce OS security baselines across your entire server estate.

Prerequisites

  • Working knowledge of Azure Virtual Machines, including deploying and managing VMs
  • Familiarity with Microsoft Defender for Cloud at a foundational level
  • Understanding of Azure role-based access control (RBAC) and Azure Policy fundamentals
  • Familiarity with Azure Arc server connectivity
  • Completion of (or equivalent knowledge to) Connect hybrid and multicloud environments to Microsoft Defender for Cloud
  • Completion of (or equivalent knowledge to) Enable and configure workload protection plans in Microsoft Defender for Cloud

Modules in this learning path

Select and configure the right disk encryption approach for Azure virtual machines. Compare managed disk encryption options, configure encryption at host with customer-managed keys using Disk Encryption Sets, apply confidential disk encryption to confidential virtual machines, and enforce disk encryption compliance using Azure Policy.

Configure Trusted Launch security features for Azure virtual machines. Enable Secure Boot, vTPM, and integrity monitoring to protect against boot-level malware and rootkits. Upgrade existing Gen1 and Gen2 VMs to the Trusted Launch security type and enforce adoption at scale using Azure Policy.

Plan and deploy Azure Bastion to provide secure, browser-based RDP and SSH access to virtual machines without exposing public IP addresses or management ports. Select the appropriate SKU based on scale and feature requirements, deploy and configure Bastion in an Azure virtual network, and connect to VMs using both portal and native client methods.

Manage security controls for Azure Arc-enabled hybrid servers. Configure RBAC and extension security to prevent unauthorized agent modifications. Then apply Azure Policy to enforce security baselines on Arc-enrolled machines. Finally, monitor hybrid server security posture in Microsoft Defender for Cloud.

Onboard Azure virtual machines and Arc-connected hybrid servers to Microsoft Defender for Servers. Select Plan 1 or Plan 2 based on capability requirements, and configure vulnerability scanning using agentless and agent-based Defender Vulnerability Management. Then integrate Microsoft Defender for Endpoint, and manage agentless scanning capabilities for software inventory, secrets, malware detection, and File Integrity Monitoring.

Enable and configure just-in-time VM access in Microsoft Defender for Cloud to eliminate permanently open RDP and SSH ports. Configure per-port access policies, request time-bound access to VMs, audit access activity, and enforce JIT adoption across your VM estate using Azure Policy.

Audit and enforce OS security configuration on Azure virtual machines and Arc-enabled servers using Azure Machine Configuration. Apply built-in Windows and Linux security baseline policies, configure audit and enforce modes, and author custom machine configurations for organization-specific security requirements.