Benefit/Result/Outcome
STIG'd images will allow for DoD compliance.
Description
Virtual machine compliance is layered. For example, to be compliant with DoD requirements, VMs must be STIG'd. Currently the guest configuration policy cannot be properly enabled, because it requires the assigned initiative to grant its managed identity the Contributor role over the resources before it can add the policy extension to VMs.
A review of how to STIG VMs will be required beyond auditing them via policy. Currently the NIST policy initiative finds these guest policies to be non-compliant on the jumpboxes, so at a minimum these should be looked at on the jumpboxes.
Virtual Machines
Note: These are a unique case because they require the NIST policy assignment to use the 'DeployIfNotExists' effect to deploy the Policy Guest Configuration extension to the VM. In the case of MLZ this cannot be done in a default configuration, since the managed identity (MI) created for the policy cannot be assigned the Contributor role by the Terraform service principal (SP) being used. (These results are reported from a subscription that had the policy configured correctly prior to MLZ, for reporting purposes.)
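The manual completion of the managed-identity setup described in the note, as an added example that is not MLZ's own code: it assumes an operator logged in with the Azure CLI under an account that can create role assignments at the scope (e.g. Owner or User Access Administrator), and the assignment name, scope and role are placeholders for your environment.

```shell
#!/usr/bin/env bash
# Added example, not MLZ code: grant the policy assignment's managed identity
# the role its DeployIfNotExists effect needs, then list which resources the
# NIST assignment still reports as non-compliant (e.g. the jumpboxes).
# Assumes: Azure CLI logged in as an account that CAN create role assignments.
set -eu

# Principal id of the system-assigned identity on a policy assignment.
policy_identity() {              # $1 = assignment name, $2 = scope
  az policy assignment show --name "$1" --scope "$2" \
     --query identity.principalId -o tsv
}

# Grant the assignment identity the role (Contributor here) that the
# DeployIfNotExists effect needs to install the guest configuration extension.
# Prints the principal id that was granted so the manual step can be recorded.
grant_policy_identity_role() {   # $1 = assignment name, $2 = scope, $3 = role
  local principal
  principal=$(policy_identity "$1" "$2")
  if [ -z "$principal" ]; then
    echo "assignment '$1' has no managed identity; DeployIfNotExists cannot deploy the extension" >&2
    return 1
  fi
  az role assignment create --assignee-object-id "$principal" \
     --assignee-principal-type ServicePrincipal \
     --role "$3" --scope "$2" >/dev/null
  echo "$principal"
}

# Resource ids the assignment currently evaluates as NonCompliant; run this
# against the jumpbox subscription to see which guest policies still fail.
noncompliant_resources() {       # $1 = assignment name
  az policy state list \
     --filter "complianceState eq 'NonCompliant' and policyAssignmentName eq '$1'" \
     --query "[].resourceId" -o tsv
}

# Usage: MLZ_ASSIGNMENT=<name> MLZ_SCOPE=/subscriptions/<id> ./fix-policy-mi.sh
# (placeholder variable names; MLZ_ROLE defaults to Contributor)
if [ -n "${MLZ_ASSIGNMENT:-}" ] && [ -n "${MLZ_SCOPE:-}" ]; then
  grant_policy_identity_role "$MLZ_ASSIGNMENT" "$MLZ_SCOPE" "${MLZ_ROLE:-Contributor}"
  noncompliant_resources "$MLZ_ASSIGNMENT"
fi
```

Existing VMs are only fixed once a remediation task is created for the assignment; newly created VMs are evaluated on creation.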
| Policy | Description |
| --- | --- |
| [Preview]: Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details |
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally |
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery |
| Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost-effective data protection solution for Azure. |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent |
| OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default |
| SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key |
| Virtual machines should encrypt temp disks, caches | |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements (Windows only). |
| Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet |
Acceptance Criteria
Document requirements to manually complete policy setup for managed identity
Test these policy issues for true compliance
Validate whether images need to be STIG'd for MLZ, and document how to do it if they do.