MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Azure security baseline - CIS Mapping #121258

Closed CodussMaximus closed 6 months ago

CodussMaximus commented 6 months ago

Hi there, is there any way to see if these settings marry with CIS controls?



PesalaPavan commented 6 months ago

@CodingMaximus Thanks for your feedback! We will investigate and update as appropriate.

AjayBathini-MSFT commented 6 months ago

@CodingMaximus Yes, the security baseline for Windows virtual machines in Azure provided by Microsoft can be mapped to the Center for Internet Security (CIS) Controls. The CIS Controls are a set of best practices for securing IT systems and are widely used by organizations to assess and improve their security posture.

The security baseline for Windows virtual machines in Azure covers a wide range of security settings, including network security, identity and access management, data protection, and more. Many of these settings align with the CIS Controls, such as:

Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Controlled Use of Administrative Privileges
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Control 7: Email and Web Browser Protections
Control 8: Malware Defenses
Control 9: Limitation and Control of Network Ports, Protocols, and Services
Control 10: Data Recovery Capability

By implementing the security baseline for Windows virtual machines in Azure, you can help ensure that your virtual machines are configured in a secure and compliant manner. You can also use the CIS Controls as a framework for assessing and improving your overall security posture.

CodussMaximus commented 6 months ago

Thank you for your response.

How can I see which Azure security controls are mapped to CIS controls?

I only ask because I am trying to confirm a VM itself is CIS compliant (rather than meets the Microsoft Security Benchmark).

AjayBathini-MSFT commented 6 months ago

@CodingMaximus To see which Azure security controls are mapped to CIS controls, you can use the Azure Security Benchmark. The Azure Security Benchmark is a set of security controls that are mapped to various security frameworks, including the CIS Controls. https://learn.microsoft.com/en-us/security/benchmark/azure/overview-v3

Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. https://www.cisecurity.org/insights/blog/microsoft-azure-security-benchmark-v3-is-now-mapped-to-cis-critical-security-controls-v8

Regarding your question about confirming whether a VM is CIS compliant, it is important to note that compliance with the CIS Controls is not a binary state. Rather, compliance is a continuous process that involves implementing and maintaining a set of security controls that align with the CIS Controls.

To assess whether a VM is compliant with the CIS Controls, you can use a variety of tools and techniques, such as vulnerability scanning, penetration testing, and security assessments. You can also refer to the CIS Controls themselves to ensure that the VM is configured in a secure and compliant manner.