Azure security baseline for Batch
This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Batch. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Batch.
You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud dashboard.
When a section has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance to the Azure Security Benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.
Note
Controls not applicable to Batch, and those for which the global guidance is recommended verbatim, have been excluded. To see how Batch completely maps to the Azure Security Benchmark, see the full Batch security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
NS-1: Implement security for internal traffic
Guidance: Deploy Azure Batch pools within a virtual network by provisioning the pool in a subnet of an Azure virtual network. The pool's compute nodes can then communicate securely with other virtual machines or with an on-premises network. When the pool is deployed in a virtual network, you control the network security group (NSG) that secures the subnet and the individual nodes' network interfaces (NICs). Configure the NSG to allow traffic only from trusted IP ranges or locations on the internet.
Don't expose the RDP (port 3389, Windows) or SSH (port 22, Linux) endpoints publicly, so that outside sources can't discover or connect to remote access on your Batch compute nodes. Where remote access is needed, open these ports with just-in-time access on the assigned network security groups.
If you need multi-instance tasks with certain MPI runtimes, you may need to enable port 22 rules on Linux. Allowing traffic on these ports isn't otherwise required for the pool's compute nodes to be usable.
Responsibility: Customer
NS-2: Connect private networks together
Guidance: Because you can deploy Azure Batch pools directly into virtual networks, you have several ways to enable access to Batch resources from other networks.
With Azure ExpressRoute or an Azure virtual private network (VPN), you can create private connections between Azure datacenters and your on-premises infrastructure, connecting it to the virtual network that hosts your Batch resources. An ExpressRoute connection doesn't go over the public internet; it is provided through a connectivity provider or a colocation facility. Compared to a typical internet connection, an ExpressRoute connection offers:
- More reliability
- Faster speeds
- Lower latencies
With point-to-site and site-to-site VPN, you can connect on-premises devices or networks to a virtual network, using any combination of these VPN options and Azure ExpressRoute.
To connect two or more virtual networks in Azure, use virtual network peering or Private Link. Network traffic between peered virtual networks is private and stays on the Azure backbone network.
Responsibility: Customer
NS-3: Establish private network access to Azure services
Guidance: Provision the pool without public IP addresses to restrict access to the nodes and reduce their discoverability from the internet. If you provision the pool in a subnet of an Azure virtual network, the compute nodes can communicate securely with other virtual machines or with an on-premises network. With Azure Private Link, you can enable private access to your Batch account from your virtual networks without crossing the internet. The Private Link service accepts connections only from authenticated and authorized private endpoints. Configuring private endpoints for Azure Batch is more secure and doesn't limit the offering's capabilities.
Responsibility: Customer
NS-4: Protect applications and services from external network attacks
Guidance: Protect your Azure Batch resources from external network attacks, such as:
- Distributed denial of service (DDoS) attacks.
- Application-specific attacks.
- Unsolicited, potentially malicious internet traffic.
With Azure Firewall, protect the applications and services in your virtual networks from potentially malicious traffic from the internet and other external locations. To protect your assets against DDoS attacks, enable DDoS Protection Standard on your Azure virtual networks. Use Microsoft Defender for Cloud to detect misconfiguration risks in your network-related resources.
Responsibility: Shared
NS-6: Simplify network security rules
Guidance: In Azure Batch, use built-in Azure Virtual Network service tags to define network access controls in the NSGs or Azure Firewalls that are configured for your Batch resources.
On deployments dedicated to Azure Batch, use the 'BatchNodeManagement' service tag (or its regional form, BatchNodeManagement.<region>) in place of specific IP addresses when you create network security rules for Batch management traffic. This lets the nodes reach the Azure services that have public endpoints while you keep network isolation and protect Azure resources from the general internet.
By specifying the service tag name in a rule's source or destination, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the tag as addresses change.
NSGs define inbound and outbound traffic rules. Use service tags in the NSGs and in any other network security or traffic-flow controls associated with Azure Batch pools. Azure Batch services use the IPv4 and IPv6 protocols.
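The pool-level and subnet-level controls described in NS-1, NS-3 and NS-6 as one worked example. This is added example code, not code from the baseline page or from the Azure Batch project: the dicts mirror the JSON shape of the Batch REST API `networkConfiguration` object and of ARM NSG `securityRules`; the subnet ID, region and CIDR values are placeholders, and the port numbers, service tags and rule priorities are the documented values for a Batch pool subnet. The audit function flags a pool that isn't in a subnet, a NAT pool on 22/3389 that is open to any source or has no catch-all deny, and public-IP pools whose remote access is left to the subnet NSG.

```python
"""Network hardening for an Azure Batch pool (added example, not the page's own code):
pool networkConfiguration variants, subnet NSG rules built from service tags, and an
audit of a pool's configuration. Subnet ID, region and CIDRs are placeholders."""
from typing import Optional

REMOTE_ACCESS_PORTS = {22, 3389}          # SSH (Linux), RDP (Windows)
BATCH_NODE_MGMT_PORTS = "29876-29877"     # inbound from the Batch service to the nodes
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def no_public_ip_pool_config(subnet_id: str) -> dict:
    """NS-3: nodes get no public IP and are reachable only inside the virtual network."""
    return {
        "subnetId": subnet_id,
        "publicIPAddressConfiguration": {"provision": "NoPublicIPAddresses"},
    }


def restricted_ssh_pool_config(subnet_id: str, trusted_cidr: str) -> dict:
    """NS-1: keep public IPs but expose SSH only through an inbound NAT pool whose
    NSG rules (priority 150-4096) allow trusted_cidr and then deny everything else."""
    return {
        "subnetId": subnet_id,
        "endpointConfiguration": {"inboundNATPools": [{
            "name": "ssh", "protocol": "TCP", "backendPort": 22,
            "frontendPortRangeStart": 15000, "frontendPortRangeEnd": 15100,
            "networkSecurityGroupRules": [
                {"priority": 150, "access": "Allow", "sourceAddressPrefix": trusted_cidr},
                {"priority": 3500, "access": "Deny", "sourceAddressPrefix": "*"},
            ],
        }]},
    }


def _rule(name, priority, direction, access, src, dst, dst_ports) -> dict:
    return {"name": name, "properties": {
        "priority": priority, "direction": direction, "access": access, "protocol": "Tcp",
        "sourceAddressPrefix": src, "sourcePortRange": "*",
        "destinationAddressPrefix": dst, "destinationPortRanges": dst_ports}}


def batch_subnet_nsg_rules(region: str, trusted_cidr: str) -> list:
    """NS-6: NSG rules for the pool subnet using service tags instead of IP lists."""
    mgmt = f"BatchNodeManagement.{region}"
    return [
        _rule("AllowBatchNodeManagementIn", 100, "Inbound", "Allow", mgmt, "*", [BATCH_NODE_MGMT_PORTS]),
        _rule("AllowSshFromTrusted", 110, "Inbound", "Allow", trusted_cidr, "*", ["22"]),
        _rule("DenyRemoteAccessFromInternet", 120, "Inbound", "Deny", "Internet", "*", ["22", "3389"]),
        _rule("AllowBatchNodeManagementOut", 100, "Outbound", "Allow", "*", mgmt, ["443"]),
        _rule("AllowStorageOut", 110, "Outbound", "Allow", "*", f"Storage.{region}", ["443"]),
    ]


def audit_pool_network(cfg: Optional[dict]) -> list:
    """Return findings for a pool's networkConfiguration (None means no VNet at all)."""
    findings = []
    if not cfg or not cfg.get("subnetId"):
        findings.append("pool is not deployed into a virtual network subnet")
    public = (cfg or {}).get("publicIPAddressConfiguration", {}).get("provision", "BatchManaged")
    nat_pools = (cfg or {}).get("endpointConfiguration", {}).get("inboundNATPools", [])
    restricted = False
    for nat in nat_pools:
        if nat.get("backendPort") not in REMOTE_ACCESS_PORTS:
            continue
        rules = sorted(nat.get("networkSecurityGroupRules", []), key=lambda r: r["priority"])
        if not rules:
            findings.append(f"NAT pool '{nat['name']}' exposes port {nat['backendPort']} without NSG rules")
            continue
        for r in rules:
            if r["access"] == "Allow" and r["sourceAddressPrefix"] in ANY_SOURCE:
                findings.append(f"NAT pool '{nat['name']}' allows port {nat['backendPort']} from any source")
                break
        else:
            # Require an explicit catch-all deny so the result never depends on service defaults.
            if rules[-1]["access"] != "Deny" or rules[-1]["sourceAddressPrefix"] != "*":
                findings.append(f"NAT pool '{nat['name']}' lacks a final deny-all rule")
            else:
                restricted = True
    if public != "NoPublicIPAddresses" and not restricted:
        findings.append("nodes have public IPs and remote access is not restricted at pool level; "
                        "the subnet NSG must deny 22/3389 from the internet")
    return findings


if __name__ == "__main__":
    sub = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/batch"
    print(audit_pool_network(None))
    print(audit_pool_network(restricted_ssh_pool_config(sub, "203.0.113.0/24")))
    print(batch_subnet_nsg_rules("eastus", "203.0.113.0/24")[0])
```

Run the audit against the `networkConfiguration` returned by a Get Pool call for every pool in the account; the subnet rule set is what you would attach to the subnet before creating the pool, because Batch validates that its node-management traffic can reach the nodes.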
Responsibility: Customer
NS-7: Secure Domain Name Service (DNS)
Guidance: When you use Azure DNS as your authoritative DNS service, protect DNS zones and records from accidental or malicious modification by using Azure role-based access control (Azure RBAC) and resource locks. You can monitor Azure Activity logs to see how a user in your organization modified a resource, or to find an error when troubleshooting. When you use private endpoints with Azure Batch, integrate the private endpoint with a private DNS zone. Alternatively, you can use your own DNS servers, or create DNS records by using the hosts files on your virtual machines.
Responsibility: Customer
Identity Management
For more information, see the Azure Security Benchmark: Identity Management.
IM-1: Standardize Azure Active Directory as the central identity and authentication system
Guidance: Azure Active Directory (Azure AD) is used as Batch's default authentication and authorization system. Standardize Azure AD to govern your organization's identity and access management. Batch account access supports two methods of authentication: Shared Key and Azure Active Directory (Azure AD). We strongly recommend using Azure AD for Batch account authentication. Some Batch capabilities require this method of authentication, including many of the security-related features.
Make securing Azure AD a high priority in your organization's cloud security practice. With Azure AD's identity secure score, you can compare your identity security posture with Microsoft's best practice recommendations and use the score to gauge how closely your configuration matches them.
Responsibility: Customer
IM-2: Manage application identities securely and automatically
Guidance: Azure Batch supports managed identities for its Azure resources. Instead of creating service principals to access other resources, you can use managed identities with Batch. Batch can natively authenticate to the Azure services and resources that support Azure AD authentication. This authentication goes through a predefined access grant rule without using credentials that are hardcoded in source code or configuration files.
Where a managed identity can't be used, create a service principal in Azure AD with permissions restricted to the resource level. Configure this service principal with certificate credentials, and fall back to client secrets only where necessary. In both cases, store the credential in Azure Key Vault so that the runtime environment (such as an Azure Batch pool) can retrieve it using a managed identity rather than embedding it in code or configuration.
Responsibility: Customer
IM-6: Restrict Azure resource access based on conditions
Guidance: To restrict management of your Azure Batch resources, use Azure AD conditional access for more granular access control based on user-defined conditions. For example, you might require MFA for user sign-ins from certain IP ranges. You can also use granular authentication session management through an Azure AD conditional access policy for different use cases. Conditional access doesn't apply to shared keys used for client authentication to Batch accounts, which is one more reason to use Azure AD instead of those keys.
Responsibility: Customer
IM-7: Eliminate unintended credential exposure
Guidance: Code that runs on Azure Batch may carry identities or secrets. To identify credentials in your Azure Batch code or configuration, implement Credential Scanner. Credential Scanner also encourages moving discovered credentials to more secure locations, such as Azure Key Vault.
For GitHub, you can use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Responsibility: Customer
Privileged Access
For more information, see the Azure Security Benchmark: Privileged Access.
PA-1: Protect and limit highly privileged users
Guidance: Integrate authentication for Azure Batch applications with Azure AD. Create policies and procedures that use dedicated administrative roles and permissions.
Each task runs under a user account whose elevation level determines whether the task runs with elevated access. Both auto-user accounts and named user accounts can run with elevated access. The two elevation levels are:
NonAdmin: The task runs as a standard user without elevated access. The default elevation level for a Batch user account is always NonAdmin.
Admin: The task runs as a user with elevated access and operates with full Administrator permissions.
Scope your Azure Batch task elevations appropriately. Avoid using permanent Admin-level permissions where possible.
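The task identity choice described in PA-1 as a worked example, with an audit that makes elevated tasks visible. This is added example code, not code from the baseline page or the Azure Batch project: the dicts follow the JSON shape of the Batch REST API task `userIdentity` object and of a pool's `userAccounts` list, and the task IDs, command lines and user names are placeholders. The audit does not assume what the service's defaults are; it flags any task that leaves scope or identity to defaults so the intent is explicit in the job definition.

```python
"""Least-privilege task identities for Azure Batch (added example, not the page's own code).
Dicts mirror the Batch REST API task `userIdentity` and pool `userAccounts` shapes."""
from typing import Optional


def least_privilege_task(task_id: str, command_line: str) -> dict:
    """A task that runs as a task-scoped auto user with nonadmin elevation. The scope is set
    explicitly: a pool-scoped auto user is one account shared by every task on the node."""
    return {
        "id": task_id,
        "commandLine": command_line,
        "userIdentity": {"autoUser": {"scope": "task", "elevationLevel": "nonadmin"}},
    }


def elevated_task(task_id: str, command_line: str) -> dict:
    """Admin elevation, reserved for steps that genuinely need it (for example a start task
    that installs OS packages). audit_task_identity flags it so the exception stays visible."""
    return {
        "id": task_id,
        "commandLine": command_line,
        "userIdentity": {"autoUser": {"scope": "task", "elevationLevel": "admin"}},
    }


def audit_task_identity(task: dict, pool_user_accounts: Optional[list] = None) -> list:
    """Return findings for one task. pool_user_accounts is the pool's `userAccounts` list,
    used to resolve the elevation level of a named user."""
    findings = []
    tid = task.get("id", "?")
    ident = task.get("userIdentity") or {}
    auto = ident.get("autoUser")
    if auto is not None:
        if auto.get("elevationLevel", "nonadmin").lower() == "admin":
            findings.append(f"task '{tid}' runs with admin elevation")
        if "scope" not in auto:
            findings.append(f"task '{tid}' leaves the auto-user scope to the service default; set it to 'task'")
        elif auto["scope"].lower() == "pool":
            findings.append(f"task '{tid}' uses the pool-wide auto user, shared with other tasks on the node")
    elif ident.get("userName"):
        accounts = {u["name"]: u for u in (pool_user_accounts or [])}
        acct = accounts.get(ident["userName"])
        if acct is None:
            findings.append(f"task '{tid}' names user '{ident['userName']}', which the pool does not define")
        elif acct.get("elevationLevel", "nonadmin").lower() == "admin":
            findings.append(f"task '{tid}' runs as the named admin user '{ident['userName']}'")
    else:
        findings.append(f"task '{tid}' has no userIdentity; set scope and elevationLevel explicitly")
    return findings


def audit_job_tasks(tasks: list, pool_user_accounts: Optional[list] = None) -> dict:
    """Findings keyed by task ID, omitting tasks with none."""
    report = {}
    for task in tasks:
        found = audit_task_identity(task, pool_user_accounts)
        if found:
            report[task["id"]] = found
    return report


if __name__ == "__main__":
    pool_users = [{"name": "svc-build", "elevationLevel": "admin"}]
    job = [
        least_privilege_task("render-001", "python render.py --frame 1"),
        elevated_task("install-deps", "sudo apt-get install -y libfoo"),
        {"id": "legacy", "commandLine": "./run.sh", "userIdentity": {"userName": "svc-build"}},
    ]
    for task_id, found in audit_job_tasks(job, pool_users).items():
        print(task_id, found)
```

Run `audit_job_tasks` over the task list returned for each job (and the pool's user accounts) before approving a job template; the tasks it returns are the ones that need a documented reason for their elevation or shared identity.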
Responsibility: Customer
PA-3: Review and reconcile user access regularly
Guidance: Azure Batch uses Azure AD to provide authentication for managing its resources. To make sure the accounts and their access are still valid, review user accounts and access assignments regularly. You can use Azure AD access reviews to review:
- Group memberships
- Access to enterprise applications
- Role assignments
Azure AD reporting can provide logs to help discover stale accounts. To improve the review process, you can also use Azure AD Privileged Identity Management (PIM) to create report workflows of the access review.
You can configure Azure AD PIM to alert you when an excessive number of administrator accounts are created. Or you can configure it to identify administrator accounts that are stale or improperly configured.
Note: Some Azure services support local credentials that aren't managed through Azure AD, such as Azure Batch shared keys. Use Azure AD whenever possible; where shared keys are used, you must manage and review them separately.
Responsibility: Customer
PA-7: Follow just enough administration (least privilege principle)
Guidance: Azure Batch is integrated with Azure RBAC to manage its resources. With Azure RBAC, you can manage Azure resource access through role assignments. You can assign these roles to:
- Users
- Groups
- Service principals
- Managed identities
There are predefined built-in roles for certain resources. These roles can be inventoried or queried through tools such as:
- Azure CLI
- Azure PowerShell
- Azure portal
The privileges you assign to resources through Azure RBAC should always be limited to what the roles require. These privileges complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM) and should be reviewed regularly.
Use built-in roles to grant permissions to your Azure Batch resources. With Azure Batch, users can create custom Azure RBAC roles that are based on Batch operations to fit your permission needs. Instead of creating custom roles, use built-in roles whenever possible.
Responsibility: Customer
PA-8: Choose approval process for Microsoft support
Guidance: Batch doesn't support Customer Lockbox. Where Microsoft needs to access customer data associated with Azure Batch resources in support scenarios, Microsoft works with customers to obtain approval through other methods.
Responsibility: Customer
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
DP-1: Discovery, classify, and label sensitive data
Guidance: You might have Azure Storage accounts that are associated with Azure Batch pools. If these accounts contain job and task output that have sensitive information, mark them as sensitive using tags. Secure those accounts with Azure best practices.
The following features aren't yet available for Azure Storage or compute resources:
- Data identification
- Classification
- Loss prevention
Implement a third-party solution for those features, if necessary for compliance purposes.
For the underlying Azure Batch platform, which Microsoft manages, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To make sure customer data within Azure remains secure, Microsoft maintains a suite of robust data protection controls and capabilities.
Responsibility: Shared
DP-2: Protect sensitive data
Guidance: Azure Batch allows customers to manage their job and task output content. Protect sensitive data by restricting access using Azure RBAC. Batch supports Azure RBAC for managing access to these resource types:
- Accounts
- Jobs
- Tasks
- Pools
To make access control more consistent, align all types of access control with your enterprise segmentation strategy. Plan your enterprise segmentation strategy using the location of sensitive or business-critical data and systems. Implement separate subscriptions or management groups for:
- Development
- Test
- Production
Separate your Azure Batch pools by different virtual networks. Tag these virtual networks appropriately, and secure them with a network security group (NSG). Contain your Azure Batch data within a secured Azure Storage account.
For the underlying platform (managed by Microsoft), Microsoft treats all customer content as sensitive. It guards against customer data loss and exposure. To make sure customer data within Azure remains secure, Microsoft has some default data protection controls and capabilities.
Responsibility: Customer
DP-3: Monitor for unauthorized transfer of sensitive data
Guidance: You might have Azure Storage accounts that are associated with your Azure Batch pools. If these accounts contain sensitive information, mark them as sensitive using Tags. Secure those accounts with Azure best-practices.
The following features aren't yet available for Azure Storage or compute resources:
- Data identification
- Classification
- Loss prevention
Implement a third-party solution, if necessary for compliance purposes.
For the underlying platform, which Microsoft manages, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To make sure customer data within Azure remains secure, Microsoft maintains a suite of robust data protection controls and capabilities.
Responsibility: Shared
DP-4: Encrypt sensitive information in transit
Guidance: Encrypt all sensitive information in transit. Microsoft Azure resources will negotiate Transport Layer Security (TLS) 1.2 by default. If clients connect to your Azure Batch pools or data stores (Azure Storage accounts), make sure they can negotiate TLS 1.2 or greater.
Also require secure transfer (HTTPS only) on the storage account that contains your Azure Batch data, so that clients can't fall back to unencrypted HTTP.
Responsibility: Shared
DP-5: Encrypt sensitive data at rest
Guidance: To complement access controls, Batch encrypts data at rest, which protects against 'out of band' attacks (such as accessing underlying storage) using encryption. This practice helps ensure that attackers can't easily read or modify the data.
Azure provides encryption for data at rest by default. For highly sensitive data, you may implement extra encryption at rest on all Azure resources where available. Azure manages your encryption keys by default. To meet regulatory requirements, Azure also provides options to manage your own keys (customer-managed keys) for certain Azure services.
Responsibility: Customer
Asset Management
For more information, see the Azure Security Benchmark: Asset Management.
AM-2: Make sure security team can access asset inventory and metadata
Guidance: Let security teams access a continuously updated inventory of assets on Azure, like Batch. Security teams need this inventory to evaluate their organization's potential exposure to emerging risks. These teams also use the inventory as an input to continuous security improvements.
Create an Azure AD group for your organization's authorized security team and assign it read access to all Batch resources. You can simplify this to a single high-level role assignment (such as Reader) at the subscription scope. Apply tags to Azure Batch resources to add the metadata your organization requires; tags help to organize Batch resources logically under a taxonomy. At the Batch account level, you can add tags for important security metadata, but pools and other Batch resources don't inherit these tags.
Responsibility: Customer
AM-3: Use only approved Azure services
Guidance: With Azure Policy, audit and restrict which services (such as Azure Batch) users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. Use Azure Monitor to create rules that trigger alerts when a non-approved service is detected.
Responsibility: Customer
AM-6: Use only approved applications in compute resources
Guidance: With Azure Batch, users may install software on its compute nodes. Batch currently can't restrict, or enforce an allowlist of, the software that runs on its nodes. Software on Batch nodes is managed and installed through the Azure portal or the Batch APIs. To prevent the installation of malicious or dangerous applications, define access through Azure RBAC that restricts who can update Batch pools and nodes.
Responsibility: Customer
Logging and Threat Detection
For more information, see the Azure Security Benchmark: Logging and Threat Detection.
LT-1: Enable threat detection for Azure resources
Guidance: Forward any diagnostic and activity logs from Azure Batch to your SIEM solution. You can use SIEM to set up custom threat detections. Monitor different types of Azure assets for potential threats and anomalies. Get high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
Microsoft Defender for Cloud doesn't provide vulnerability assessments for Azure Batch resources, but it does provide security recommendations for Batch. For more information, see:
- Batch metrics, alerts, and logs for diagnostic evaluation and monitoring
- Microsoft Defender for Cloud feature coverage for Azure PaaS services
Responsibility: Customer
LT-4: Enable logging for Azure resources
Guidance: Activity logs, which are available automatically, contain all write operations (PUT, POST, and DELETE) for your Azure Batch resources; they don't contain read operations (GET). You can use activity logs to find an error when troubleshooting, or to monitor how a user in your organization modified a resource.
Enable Azure resource logs for Azure Batch for the ServiceLog and AllMetrics categories. With these logs, you can investigate security incidents and perform forensic exercises. Enable the logs explicitly for each Batch account that you want to monitor, or use Azure Policy to enable resource logs and collect log data at scale.
For Azure Batch resource level monitoring, use the Azure Batch APIs to monitor or query the status of your resources, including:
- Jobs
- Tasks
- Nodes
- Pools
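Detection logic over Batch activity-log records, as called for in LT-1 and LT-4. This is added example code, not code from the baseline page or the Azure Batch project. `SAMPLE_RECORDS` are constructed events in a simplified form of the Azure Activity Log schema (operationName, caller, status, resourceId, eventTimestamp); the Microsoft.Batch operation names, the callers, the resource IDs and the change window are assumptions for illustration. Note that key listing and regeneration are POST actions, so they appear in the activity log even though plain reads don't.

```python
"""Detections over Azure Batch activity-log records (added example, not the page's own code).
SAMPLE_RECORDS are constructed; operation names, callers and IDs are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT = "/subscriptions/0000/resourceGroups/rg-batch/providers/Microsoft.Batch/batchAccounts/acct01"

SAMPLE_RECORDS = [  # constructed sample events
    {"eventTimestamp": "2023-05-01T09:00:12Z", "operationName": "Microsoft.Batch/batchAccounts/pools/write",
     "caller": "mi-batch-deployer", "status": "Succeeded", "resourceId": ACCOUNT + "/pools/linux-pool"},
    {"eventTimestamp": "2023-05-01T09:03:40Z", "operationName": "Microsoft.Batch/batchAccounts/listKeys/action",
     "caller": "alice@contoso.example", "status": "Succeeded", "resourceId": ACCOUNT},
    {"eventTimestamp": "2023-05-01T09:04:01Z", "operationName": "Microsoft.Batch/batchAccounts/regenerateKeys/action",
     "caller": "alice@contoso.example", "status": "Succeeded", "resourceId": ACCOUNT},
    {"eventTimestamp": "2023-05-01T22:15:00Z", "operationName": "Microsoft.Batch/batchAccounts/pools/write",
     "caller": "bob@contoso.example", "status": "Failed", "resourceId": ACCOUNT + "/pools/gpu-pool"},
    {"eventTimestamp": "2023-05-01T22:15:30Z", "operationName": "Microsoft.Batch/batchAccounts/pools/write",
     "caller": "bob@contoso.example", "status": "Failed", "resourceId": ACCOUNT + "/pools/gpu-pool"},
    {"eventTimestamp": "2023-05-01T22:16:05Z", "operationName": "Microsoft.Batch/batchAccounts/pools/delete",
     "caller": "bob@contoso.example", "status": "Failed", "resourceId": ACCOUNT + "/pools/linux-pool"},
    {"eventTimestamp": "2023-05-01T22:16:40Z", "operationName": "Microsoft.Batch/batchAccounts/pools/write",
     "caller": "bob@contoso.example", "status": "Succeeded", "resourceId": ACCOUNT + "/pools/gpu-pool"},
]

SHARED_KEY_OPS = {
    "Microsoft.Batch/batchAccounts/listKeys/action",
    "Microsoft.Batch/batchAccounts/regenerateKeys/action",
}


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")


def shared_key_operations(records: list, allowed_callers: set) -> list:
    """Shared-key retrieval or rotation by an identity outside the allowlist. Shared keys
    bypass Azure AD conditional access, so every one of these should be accounted for."""
    return [r for r in records
            if r["operationName"] in SHARED_KEY_OPS and r["caller"] not in allowed_callers]


def failed_write_bursts(records: list, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Repeated failed write/delete attempts by one caller inside a sliding window: a caller
    probing what their permissions allow, or a broken automation worth stopping."""
    by_caller = defaultdict(list)
    for r in sorted(records, key=_ts):
        if r["status"] == "Failed" and r["operationName"].endswith(("/write", "/delete")):
            by_caller[r["caller"]].append(_ts(r))
    alerts = []
    for caller, times in by_caller.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((caller, times[start], times[end]))
                break
    return alerts


def out_of_hours_pool_changes(records: list, change_window=(7, 19)) -> list:
    """Successful pool writes or deletes outside the agreed change window (UTC hours)."""
    lo, hi = change_window
    return [r for r in records
            if r["status"] == "Succeeded"
            and r["operationName"].startswith("Microsoft.Batch/batchAccounts/pools/")
            and not (lo <= _ts(r).hour < hi)]


if __name__ == "__main__":
    print(shared_key_operations(SAMPLE_RECORDS, {"mi-batch-deployer"}))
    print(failed_write_bursts(SAMPLE_RECORDS))
    print(out_of_hours_pool_changes(SAMPLE_RECORDS))
```

The same three conditions translate directly into scheduled queries over the AzureActivity table once the logs are forwarded to Log Analytics or a SIEM; the point of the sliding window is that a burst of failures is a signal even when each individual failure is unremarkable.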
Responsibility: Customer
Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.
Azure Policy built-in definitions - Microsoft.Batch:
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
LT-6: Configure log storage retention
Guidance: For any storage accounts or Log Analytics workspaces used to store Azure Batch logs, set the log retention period according to your organization's compliance requirements.
Responsibility: Customer
LT-7: Use approved time synchronization sources
Guidance: Batch doesn't support configuring your own time synchronization sources. The Batch service relies on Microsoft time synchronization sources, which aren't exposed to customers for configuration.
Responsibility: Microsoft
Posture and Vulnerability Management
For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.
PV-1: Establish secure configurations for Azure services
Guidance: To audit and enforce configurations of your Batch resources, use Microsoft Defender for Cloud to configure built-in Azure Policy for Azure Batch.
For any scenarios where built-in policy definitions don't exist, you can use Azure Policy aliases in the "Microsoft.Batch" namespace. Use these aliases to create custom policies to audit. Or use the aliases to enforce the configuration of your Azure Batch accounts and pools.
You can use Azure Blueprints to automate the deployment and configuration of services and application environments. In a single blueprint definition, you can automate:
- Azure Resources Manager templates
- Azure RBAC controls
- Policies
Responsibility: Customer
PV-2: Sustain secure configurations for Azure services
Guidance: To enforce secure settings for the Azure resources related to your Batch account and pools, use the Azure Policy built-in definitions for [Deny] and [DeployIfNotExists]. These resources can include:
- Virtual networks
- Subnets
- Azure Firewalls
- Azure Storage accounts
To create custom policies, you may also use Azure Policy aliases from the following namespaces:
- Microsoft.Batch
- Microsoft.Storage
- Microsoft.Network
Responsibility: Customer
PV-3: Establish secure configurations for compute resources
Guidance: Customers may use custom operating system images for Azure Batch. Batch lets users install and load arbitrary software on its compute nodes.
When you use the virtual machine configuration for your Azure Batch pools, use custom images that are hardened to your organization's needs. Store the images in a Shared Image Gallery for lifecycle management, and set up a secure image build process using Azure automation tools such as Azure Image Builder.
Responsibility: Customer
PV-4: Sustain secure configurations for compute resources
Guidance: Customers may use custom operating system images for Batch. Azure Batch lets users install and load arbitrary software on its compute nodes.
Create a policy that requires your Azure Batch pools to use only your approved, secured images. This sustains the secure configuration of your Azure Batch compute resources. To scan for unapproved or misconfigured Azure Batch resources, you can also call the Azure APIs or Azure CLI from a recurring Azure Automation runbook.
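A custom Azure Policy definition of the kind PV-1 and PV-2 describe (built on Microsoft.Batch aliases) that enforces the approved-image requirement from PV-4, together with a small local evaluator so the rule can be tested before it is assigned. This is added example code, not code from the baseline page or from Azure Policy itself: the definition uses the policy-rule grammar (if/then, allOf/anyOf/not, field with equals/exists/like), but the exact Microsoft.Batch alias names, the subscription ID and the gallery image path are assumptions for illustration and must be checked against the alias list in your tenant. The evaluator implements only the operators the definition uses and resolves an alias by treating the part after the resource type as a dotted path into the resource's properties.

```python
"""Custom Azure Policy for Batch pools plus a local evaluator (added example, not the page's
own code). Alias names, subscription ID and image path are illustrative assumptions."""
import fnmatch

POOL_TYPE = "Microsoft.Batch/batchAccounts/pools"
SUBNET_ALIAS = POOL_TYPE + "/networkConfiguration.subnetId"
IMAGE_ALIAS = POOL_TYPE + "/deploymentConfiguration.virtualMachineConfiguration.imageReference.id"
APPROVED_IMAGES = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images"
                   "/providers/Microsoft.Compute/galleries/hardened/images/")


def batch_pool_policy(approved_image_prefix: str) -> dict:
    """Deny pools that are not in a subnet or whose image is not from the approved gallery."""
    return {"properties": {
        "displayName": "Batch pools must use a VNet subnet and an approved hardened image",
        "mode": "All",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": POOL_TYPE},
                {"anyOf": [
                    {"field": SUBNET_ALIAS, "exists": "false"},
                    {"not": {"field": IMAGE_ALIAS, "like": approved_image_prefix + "*"}},
                ]},
            ]},
            "then": {"effect": "deny"},
        },
    }}


def _resolve(resource: dict, field: str):
    """Resolve 'type' or a Microsoft.Batch pool alias against a resource document."""
    if field == "type":
        return resource.get("type")
    if not field.startswith(POOL_TYPE + "/"):
        raise ValueError(f"unsupported alias: {field}")
    node = resource.get("properties", {})
    for part in field[len(POOL_TYPE) + 1:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _condition(resource: dict, cond: dict) -> bool:
    if "allOf" in cond:
        return all(_condition(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(resource, cond["not"])
    value = _resolve(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "like" in cond:  # Azure Policy 'like' supports a single * wildcard
        return value is not None and fnmatch.fnmatchcase(str(value), cond["like"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict):
    """Return the policy effect ('deny') when the rule matches the resource, else None."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if _condition(resource, rule["if"]) else None


def pool_resource(name: str, subnet_id=None, image_ref=None) -> dict:
    """Build a pool resource document in the management-plane shape (illustrative)."""
    props = {"deploymentConfiguration": {"virtualMachineConfiguration": {"imageReference": image_ref or {}}}}
    if subnet_id:
        props["networkConfiguration"] = {"subnetId": subnet_id}
    return {"type": POOL_TYPE, "name": name, "properties": props}


if __name__ == "__main__":
    policy = batch_pool_policy(APPROVED_IMAGES)
    subnet = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/v/subnets/s"
    print(evaluate(policy, pool_resource("ok", subnet, {"id": APPROVED_IMAGES + "ubuntu-hardened/versions/1.2.0"})))
    print(evaluate(policy, pool_resource("marketplace", subnet, {"publisher": "canonical", "offer": "0001-com-ubuntu-server-jammy"})))
```

Assign the definition with the deny effect only after running it in audit mode against your existing pools; the local evaluator is useful for unit-testing rule changes, but the authoritative evaluation is the one the Azure Policy service performs with the real alias set.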
Responsibility: Customer
PV-5: Securely store custom operating system and container images
Guidance: If you use custom images for your Azure Batch pools, use Azure RBAC to ensure that only authorized users can access the images. Store container images in Azure Container Registry, again using Azure RBAC to ensure that only authorized users have access.
Responsibility: Customer
PV-6: Do software vulnerability assessments
Guidance: For Azure Batch pool nodes, you're responsible for managing any vulnerability management solution that's used. Azure Batch doesn't provide capabilities for native vulnerability assessment.
If you have a subscription to Rapid7, Qualys, or another vulnerability management platform, you may install its vulnerability assessment agent on Batch pool nodes and then manage the nodes through the vendor's portal. Because pool nodes are created and removed as the pool scales or is reimaged, build the agent into the pool's image or install it when each node starts rather than by hand on individual nodes.
Responsibility: Customer
PV-7: Rapidly and automatically remediate software vulnerabilities
Guidance: Emphasize using a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings that are provided by your third-party scanning tool. Then tailor your environment using context for deciding which applications:
- Present a high security risk
- Require high uptime
Azure Batch currently doesn't have native, customer-facing vulnerability scanning. For the underlying platform that hosts Batch, Microsoft makes sure vulnerabilities are remediated. For software that runs on top of Batch, you can call the Azure APIs or Azure CLI from a recurring Azure Automation runbook that scans and updates any potentially vulnerable software running on your Azure Batch nodes.
Responsibility: Shared
Endpoint Security
For more information, see the Azure Security Benchmark: Endpoint Security.
ES-2: Use centrally managed modern antimalware software
Guidance: Azure Batch nodes can run any executable or script that's supported by the operating system environment of the node. For Windows operating systems, use Windows Defender on your individual Azure Batch pool nodes. For Linux, provide your own antimalware solution.
Responsibility: Shared
ES-3: Ensure antimalware software and signatures are updated
Guidance: Update antimalware signatures rapidly and consistently. Follow the recommendations in Microsoft Defender for Cloud's "Compute & Apps" section to ensure all endpoints are updated with the latest signatures. Azure Batch nodes can run any executable or script that's supported by the node's operating system environment. For Windows operating systems, use Windows Defender on your individual Azure Batch pool nodes and turn on automatic updates; Microsoft Antimalware installs the latest signatures and engine updates automatically by default. For Linux, use a third-party antimalware solution. For more information, see:
- How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines
- Endpoint protection assessment and recommendations in Microsoft Defender for Cloud
Responsibility: Customer
Backup and Recovery
For more information, see the Azure Security Benchmark: Backup and Recovery.
BR-1: Ensure regular automated backups
Guidance: When you use an Azure Storage account for the Azure Batch pool data store, choose the appropriate redundancy option:
- Locally redundant storage (LRS)
- Zone-redundant storage (ZRS)
- Geo-redundant storage (GRS)
- Read-access geo-redundant storage (RA-GRS)
Back up your storage account in an Azure Backup Vault regularly.
For more information, see:
- Back up all Azure blobs in a storage account using Azure PowerShell
- How to configure storage redundancy for Azure Storage Accounts
Responsibility: Customer
BR-2: Encrypt backup data
Guidance: When you use an Azure Storage account as the Azure Batch pool data store, the account is automatically encrypted at rest with Microsoft-managed keys. If your organization has a regulatory need to use its own customer-managed keys for encrypting Azure Batch storage, store those keys in Azure Key Vault.
Responsibility: Customer
BR-3: Validate all backups including customer-managed keys
Guidance: If you manage your own keys for Azure Storage accounts (or any other resource that's related to your Azure Batch implementation), regularly test the restoration of backed-up keys.
Responsibility: Customer
BR-4: Mitigate risk of lost keys
Guidance: If Azure Key Vault holds any keys related to Azure Batch pool storage accounts, enable soft-delete (and purge protection) in Azure Key Vault to protect the keys against accidental or malicious deletion.
Responsibility: Customer
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines