Secure score in Azure Security Center

Introduction to secure score

Azure Security Center has two main goals:

  • to help you understand your current security situation
  • to help you efficiently and effectively improve your security

The central feature in Security Center that enables you to achieve those goals is secure score.

Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

The secure score is shown in the Azure portal pages as a percentage value, but the underlying values are also clearly presented:

Overall secure score as shown in the portal

To increase your security, review Security Center's recommendations page for the outstanding actions necessary to raise your score. Each recommendation includes instructions to help you remediate the specific issue.

Recommendations are grouped into security controls. Each control is a logical group of related security recommendations, and reflects your vulnerable attack surfaces. Your score only improves when you remediate all of the recommendations for a single resource within a control. To see how well your organization is securing each individual attack surface, review the scores for each security control.

For more information, see How your secure score is calculated below.

How your secure score is calculated

The contribution of each security control towards the overall secure score is shown clearly on the recommendations page.

Azure Security Center's security controls and their impact on your secure score

To get all the possible points for a security control, all your resources must comply with all of the security recommendations within the security control. For example, Security Center has multiple recommendations regarding how to secure your management ports. You'll need to remediate them all to make a difference to your secure score.

Example scores for a control

Apply system updates security control

In this example:

1. Remediate vulnerabilities security control: This control groups multiple recommendations related to discovering and resolving known vulnerabilities.
2. Max score: The maximum number of points you can gain by completing all recommendations within a control. The maximum score for a control indicates the relative significance of that control and is fixed for every environment. Use the max score values to triage the issues to work on first. For a list of all controls and their max scores, see Security controls and their recommendations.
3. Number of resources: There are 35 resources affected by this control. To understand the possible contribution of every resource, divide the max score by the number of resources. For this example, 6/35 = 0.1714, so every resource contributes 0.1714 points.
4. Current score: The current score for this control.
   Current score = [Score per resource] * [Number of healthy resources]
   0.1714 x 5 healthy resources = 0.86
   Each control contributes towards the total score. In this example, the control is contributing 0.86 points to the current total secure score.
5. Potential score increase: The remaining points available to you within the control. If you remediate all the recommendations in this control, your score will increase by 9%.
   Potential score increase = [Score per resource] * [Number of unhealthy resources]
   0.1714 x 30 unhealthy resources = 5.14

Calculations - understanding your score

Security control's current score

Equation for calculating a security control's score

Each individual security control contributes towards the secure score. Each resource affected by a recommendation within the control contributes towards the control's current score. The current score for each control is a measure of the status of the resources within the control.

Tooltips showing the values used when calculating the security control's current score

In this example, the max score of 6 would be divided by 78 because that's the sum of the healthy and unhealthy resources:
6 / 78 = 0.0769
Multiplying that by the number of healthy resources (4) results in the current score:
0.0769 * 4 = 0.31

Secure score: single subscription

Equation for calculating a subscription's secure score

Single subscription secure score with all controls enabled
In this example, there is a single subscription with all security controls available (a potential maximum score of 60 points). The score shows 28 points out of a possible 60 and the remaining 32 points are reflected in the "Potential score increase" figures of the security controls.
List of controls and the potential score increase
Secure score: multiple subscriptions

Equation for calculating the secure score for multiple subscriptions

When calculating the combined score for multiple subscriptions, Security Center includes a weight for each subscription. The relative weights for your subscriptions are determined by Security Center based on factors such as the number of resources.
The current score for each subscription is calculated in the same way as for a single subscription, but then the weight is applied as shown in the equation.
When viewing multiple subscriptions, secure score evaluates all resources within all enabled policies and groups their combined impact on each security control's maximum score.
Secure score for multiple subscriptions with all controls enabled
The combined score is not an average; rather it's the evaluated posture of the status of all resources across all subscriptions.
Here too, if you go to the recommendations page and add up the potential points available, you will find that it's the difference between the current score (24) and the maximum score available (60).
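The per-control and single-subscription arithmetic described above, as an added worked example (not code from the page or from Security Center). It reproduces the figures from the examples: 6 points over 35 resources with 5 healthy, 6 points over 78 resources with 4 healthy, and the 9% potential increase against a 60-point maximum. The control names and resource counts in the sample are constructed; the weighting for multiple subscriptions is shown on the page only as an image, so it is not implemented here.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SecurityControl:
    """One security control as listed on the recommendations page."""
    name: str
    max_score: float   # fixed per control, e.g. 6 for "Apply system updates"
    healthy: int       # resources that satisfy every recommendation in the control
    unhealthy: int     # resources with at least one outstanding recommendation

    @property
    def resources(self) -> int:
        return self.healthy + self.unhealthy

    def score_per_resource(self) -> float:
        """Max score divided by all affected resources (healthy + unhealthy)."""
        if self.resources == 0:
            # No affected resources: the control cannot contribute or be improved.
            return 0.0
        return self.max_score / self.resources

    def current_score(self) -> float:
        """Current score = [Score per resource] * [Number of healthy resources]."""
        return self.score_per_resource() * self.healthy

    def potential_increase(self) -> float:
        """Potential score increase = [Score per resource] * [Number of unhealthy resources]."""
        return self.score_per_resource() * self.unhealthy


def subscription_score(controls: List[SecurityControl]) -> Dict[str, float]:
    """Single-subscription secure score: the sum of every control's current score,
    shown against the sum of the controls' max scores (the portal's percentage)."""
    current = sum(c.current_score() for c in controls)
    maximum = sum(c.max_score for c in controls)
    potential = sum(c.potential_increase() for c in controls)
    percent = 100.0 * current / maximum if maximum else 0.0
    return {"current": current, "max": maximum, "potential": potential, "percent": percent}


def potential_increase_percent(control: SecurityControl, max_total: float) -> float:
    """Percentage points the subscription score gains if one control is fully remediated."""
    return 100.0 * control.potential_increase() / max_total if max_total else 0.0


def example_controls() -> List[SecurityControl]:
    """Constructed sample subscription (names and counts are illustrative, not real data)."""
    return [
        SecurityControl("Enable MFA", 10, healthy=3, unhealthy=0),
        SecurityControl("Secure management ports", 8, healthy=2, unhealthy=2),
        SecurityControl("Apply system updates", 6, healthy=5, unhealthy=30),
    ]


if __name__ == "__main__":
    for c in example_controls():
        print(f"{c.name}: {c.current_score():.2f} now, +{c.potential_increase():.2f} available")
    s = subscription_score(example_controls())
    # Remaining potential across all controls always equals max - current.
    print(f"Subscription: {s['current']:.2f}/{s['max']:.0f} ({s['percent']:.0f}%), "
          f"potential +{s['potential']:.2f}")
```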

Which recommendations are included in the secure score calculations?

Only built-in recommendations have an impact on the secure score.

Recommendations flagged as Preview aren't included in the calculations of your secure score. They should still be remediated wherever possible, so that when the preview period ends they'll contribute towards your score.

An example of a preview recommendation:

Recommendation with the preview flag

Improve your secure score

To improve your secure score, remediate security recommendations from your recommendations list. You can remediate each recommendation manually for each resource, or by using the Fix option (when available) to resolve an issue on multiple resources quickly. For more information, see Remediate recommendations.

Another way to improve your score and ensure your users don't create resources that negatively impact your score is to configure the Enforce and Deny options on the relevant recommendations. Learn more in Prevent misconfigurations with Enforce/Deny recommendations.

Security controls and their recommendations

The table below lists the security controls in Azure Security Center. For each control, you can see the maximum number of points you can add to your secure score if you remediate all of the recommendations listed in the control, for all of your resources.

The set of security recommendations provided with Security Center is tailored to the available resources in each organization's environment. The recommendations can be further customized by disabling policies and exempting specific resources from a recommendation.

We recommend every organization carefully review their assigned Azure Policy initiatives.

Tip

For details of reviewing and editing your initiatives, see Working with security policies.

Even though Security Center's default security initiative is based on industry best practices and standards, there are scenarios in which the built-in recommendations listed below might not completely fit your organization. Consequently, it'll sometimes be necessary to adjust the default initiative - without compromising security - to ensure it's aligned with your organization's own policies, industry standards, regulatory standards, and benchmarks you're obligated to meet.

Secure score | Security control and description | Recommendations

10

Enable MFA

If you only use a password to authenticate a user, it leaves an attack vector open. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password?
With MFA enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on (SSO).
- MFA should be enabled on accounts with owner permissions on your subscription
- MFA should be enabled on accounts with write permissions on your subscription

8

Secure management ports

Brute force attacks target management ports to gain access to a VM. Since the ports don't always need to be open, one mitigation strategy is to reduce exposure to the ports using just-in-time network access controls, network security groups, and virtual machine port management.
Since many IT organizations don't block SSH communications outbound from their network, attackers can create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker's command and control servers. Attackers can use the Windows Remote Management subsystem to move laterally across your environment and use stolen credentials to access other resources on a network.
- Internet-facing virtual machines should be protected with network security groups
- Management ports of virtual machines should be protected with just-in-time network access control
- Management ports should be closed on your virtual machines

6

Apply system updates

System updates provide organizations with the ability to maintain operational efficiency, reduce security vulnerabilities, and provide a more stable environment for end users. Not applying updates leaves unpatched vulnerabilities and results in environments that are susceptible to attacks. These vulnerabilities can be exploited and lead to data loss, data exfiltration, ransomware, and resource abuse. To deploy system updates, you can use the Update Management solution to manage patches and updates for your virtual machines. Update management is the process of controlling the deployment and maintenance of software releases.
- Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
- Log Analytics agent health issues should be resolved on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
- OS version should be updated for your cloud service roles
- System updates on virtual machine scale sets should be installed
- System updates should be installed on your machines
- System updates should be installed on your machines (powered by Update Center)

6

Remediate vulnerabilities

A vulnerability is a weakness that a threat actor could leverage to compromise the confidentiality, availability, or integrity of a resource. Managing vulnerabilities reduces organizational exposure, hardens endpoint surface area, increases organizational resilience, and reduces the attack surface of your resources. Threat and Vulnerability Management provides visibility into software and security misconfigurations and provides recommendations for mitigations.
- A vulnerability assessment solution should be enabled on your virtual machines
- Azure Defender for SQL should be enabled on your managed instances
- Azure Defender for SQL should be enabled on your SQL servers
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Container images should be deployed from trusted registries only
- Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
- Vulnerabilities in your virtual machines should be remediated

4

Encrypt data in transit

Data is "in transit" when it's transmitted between components, locations, or programs. Organizations that fail to protect data in transit are susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. SSL/TLS protocols should be used to exchange data and a VPN is recommended. When sending encrypted data between an Azure virtual machine and an on-premises location over the internet, you can use a virtual network gateway such as Azure VPN Gateway to send encrypted traffic.
- API App should only be accessible over HTTPS
- Enforce SSL connection should be enabled for MySQL database servers
- Enforce SSL connection should be enabled for PostgreSQL database servers
- FTPS should be required in your API App
- FTPS should be required in your function App
- FTPS should be required in your web App
- Function App should only be accessible over HTTPS
- Only secure connections to your Redis Cache should be enabled
- Secure transfer to storage accounts should be enabled
- TLS should be updated to the latest version for your API app
- TLS should be updated to the latest version for your function app
- TLS should be updated to the latest version for your web app
- Web Application should only be accessible over HTTPS

4

Restrict unauthorized network access

Endpoints within an organization provide a direct connection from your virtual network to supported Azure services. Virtual machines in a subnet can communicate with all resources. To limit communication to and from resources within a subnet, create a network security group and associate it to the subnet. Organizations can limit and protect against unauthorized traffic by creating inbound and outbound rules.
- Adaptive network hardening recommendations should be applied on internet facing virtual machines
- All network ports should be restricted on network security groups associated to your virtual machine
- App Configuration should use private link
- Azure Cache for Redis should reside within a virtual network
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Azure Machine Learning workspaces should use private link
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Container registries should not allow unrestricted network access
- Container registries should use private link
- Containers should listen on allowed ports only
- CORS should not allow every resource to access your API App
- CORS should not allow every resource to access your Function App
- CORS should not allow every resource to access your Web Applications
- Firewall should be enabled on Key Vault
- Internet-facing virtual machines should be protected with network security groups
- IP forwarding on your virtual machine should be disabled
- Kubernetes Services Management API server should be configured with restricted access
- Private endpoint should be configured for Key Vault
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Public network access should be disabled for PostgreSQL servers
- Services should listen on allowed ports only
- Storage account should use a private link connection
- Storage accounts should restrict network access using virtual network rules
- Usage of host networking and ports should be restricted
- Virtual networks should be protected by Azure Firewall
- VM Image Builder templates should use private link

4

Enable encryption at rest

Encryption at rest provides data protection for stored data. Attacks against data at rest include attempts to gain physical access to the hardware on which the data is stored. Azure uses symmetric encryption to encrypt and decrypt large amounts of data at rest. A symmetric encryption key is used to encrypt data as it is written to storage. That encryption key is also used to decrypt that data as it is readied for use in memory. Keys must be stored in a secure location with identity-based access control and audit policies. One such secure location is Azure Key Vault. If an attacker obtains the encrypted data but not the encryption keys, the attacker can't access the data without breaking the encryption.
- Bring your own key data protection should be enabled for MySQL servers
- Bring your own key data protection should be enabled for PostgreSQL servers
- Disk encryption should be applied on virtual machines
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Transparent Data Encryption on SQL databases should be enabled

4

Manage access and permissions

A core part of a security program is ensuring your users have the necessary access to do their jobs but no more than that: the least privilege access model.
Control access to your resources by creating role assignments with Azure role-based access control (Azure RBAC). A role assignment consists of three elements:
- Security principal: the object the user is requesting access to
- Role definition: their permissions
- Scope: the set of resources to which the permissions apply
- Authentication to Linux machines should require SSH keys
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Container with privilege escalation should be avoided
- Containers sharing sensitive host namespaces should be avoided
- Deprecated accounts should be removed from your subscription
- Deprecated accounts with owner permissions should be removed from your subscription
- External accounts with owner permissions should be removed from your subscription
- External accounts with write permissions should be removed from your subscription
- Function apps should have Client Certificates (Incoming client certificates) enabled
- Guest Configuration extension should be installed on your machines
- Immutable (read-only) root filesystem should be enforced for containers
- Least privileged Linux capabilities should be enforced for containers
- Managed identity should be used in your API app
- Managed identity should be used in your function app
- Managed identity should be used in your web app
- Privileged containers should be avoided
- Role-Based Access Control should be used on Kubernetes Services
- Running containers as root user should be avoided
- Service Fabric clusters should only use Azure Active Directory for client authentication
- Service principals should be used to protect your subscriptions instead of Management Certificates
- Storage account public access should be disallowed
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity

4

Remediate security configurations

Misconfigured IT assets have a higher risk of being attacked. Basic hardening actions are often forgotten when assets are being deployed and deadlines must be met. Security misconfigurations can be at any level in the infrastructure: from the operating systems and network appliances, to cloud resources.
Azure Security Center continually compares the configuration of your resources with requirements in industry standards, regulations, and benchmarks. When you've configured the relevant "compliance packages" (standards and baselines) that matter to your organization, any gaps will result in security recommendations that include the CCEID and an explanation of the potential security impact.
Commonly used packages are Azure Security Benchmark and CIS Microsoft Azure Foundations Benchmark version 1.1.0.
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Log Analytics agent health issues should be resolved on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
- Overriding or disabling of containers AppArmor profile should be restricted
- Pod Security Policies should be defined on Kubernetes Services (Deprecated)
- Secure Boot should be enabled on your Linux virtual machine
- SQL databases should have vulnerability findings resolved
- SQL servers on machines should have vulnerability findings resolved
- Virtual machines should be attested for boot integrity health
- Vulnerabilities in container security configurations should be remediated
- Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Config)
- Vulnerabilities in security configuration on your machines should be remediated
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Config)
- Vulnerability assessment should be enabled on your SQL managed instances
- Vulnerability assessment should be enabled on your SQL servers

3

Apply adaptive application control

Adaptive application control (AAC) is an intelligent, automated, end-to-end solution, which allows you to control which applications can run on your Azure and non-Azure machines. It also helps to harden your machines against malware.
Security Center uses machine learning to create a list of known-safe applications for a group of machines.
This innovative approach to approved application listing provides the security benefits without the management complexity.
AAC is particularly relevant for purpose-built servers that need to run a specific set of applications.
- Adaptive application controls for defining safe applications should be enabled on your machines
- Allowlist rules in your adaptive application control policy should be updated
- Log Analytics agent health issues should be resolved on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your Windows-based Azure Arc machines

2

Protect your applications with Azure advanced networking solutions

- Azure DDoS Protection Standard should be enabled
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Container CPU and memory limits should be enforced
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service

2

Enable endpoint protection

To ensure your endpoints are protected from malware, behavioral sensors collect and process data from your endpoints' operating systems and send this data to the private cloud for analysis. Security analytics leverage big-data, machine-learning, and other sources to recommend responses to threats. For example, Microsoft Defender ATP uses threat intelligence to identify attack methods and generate security alerts.
Security Center supports the following endpoint protection solutions: Windows Defender, System Center Endpoint Protection, Trend Micro, Symantec v12.1.1.1100, McAfee v10 for Windows, McAfee v10 for Linux and Sophos v9 for Linux. If Security Center detects any of these solutions, the recommendation to install endpoint protection will no longer appear.
- Endpoint protection health failures should be remediated on virtual machine scale sets
- Endpoint protection health issues should be resolved on your machines
- Endpoint protection should be installed on your machines
- Endpoint protection solution should be installed on virtual machine scale sets
- File integrity monitoring should be enabled on servers
- Install endpoint protection solution on virtual machines
- Install endpoint protection solution on your machines
- Log Analytics agent health issues should be resolved on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines

1

Enable auditing and logging

Logging data provides insights into past problems, prevents potential ones, can improve application performance, and provides the ability to automate actions that would otherwise be manual.
- Control and management logs provide information about Azure Resource Manager operations.
- Data plane logs provide information about events raised as part of Azure resource usage.
- Processed events provide information about analyzed events/alerts that have been processed.
- Auditing on SQL server should be enabled
- Diagnostic logs in Azure Data Lake Store should be enabled
- Diagnostic logs in Azure Stream Analytics should be enabled
- Diagnostic logs in Batch accounts should be enabled
- Diagnostic logs in Data Lake Analytics should be enabled
- Diagnostic logs in Event Hub should be enabled
- Diagnostic logs in Key Vault should be enabled
- Diagnostic logs in Search services should be enabled
- Diagnostic logs in Service Bus should be enabled
- Diagnostic logs in Virtual Machine Scale Sets should be enabled
- Diagnostic logs in your logic apps should be enabled
- Diagnostic logs should be enabled in App Service

0

Implement security best practices

Modern security practices "assume breach" of the network perimeter. For that reason, many of the best practices in this control focus on managing identities.
Losing keys and credentials is a common problem. Azure Key Vault protects keys and secrets by encrypting keys, .pfx files, and passwords.
Virtual private networks (VPNs) are a secure way to access your virtual machines. If VPNs aren't available, use complex passphrases and two-factor authentication such as Azure AD Multi-Factor Authentication. Two-factor authentication avoids the weaknesses inherent in relying only on usernames and passwords.
Using strong authentication and authorization platforms is another best practice. Using federated identities allows organizations to delegate management of authorized identities. This is also important when employees are terminated, and their access needs to be revoked.
- A maximum of 3 owners should be designated for your subscription
- Access to storage accounts with firewall and virtual network configurations should be restricted
- All advanced threat protection types should be enabled in SQL managed instance advanced data security settings
- All advanced threat protection types should be enabled in SQL server advanced data security settings
- An Azure Active Directory administrator should be provisioned for SQL servers
- API Management services should use a virtual network
- Audit retention for SQL servers should be set to at least 90 days
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Automation account variables should be encrypted
- Azure Backup should be enabled for virtual machines
- Azure Cosmos DB accounts should have firewall rules
- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
- Cognitive Services accounts should enable data encryption
- Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
- Cognitive Services accounts should restrict network access
- Cognitive Services accounts should use customer owned storage or enable data encryption
- Container registries should be encrypted with a customer-managed key (CMK)
- Default IP Filter Policy should be Deny
- Diagnostic logs in IoT Hub should be enabled
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Ensure API app has Client Certificates Incoming client certificates set to On
- External accounts with read permissions should be removed from your subscription
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- Guest Configuration extension should be installed on your machines
- Identical Authentication Credentials
- IoT Devices - Agent sending underutilized messages
- IoT Devices - Auditd process stopped sending events
- IoT Devices - Open Ports On Device
- IoT Devices - Operating system baseline validation failure
- IoT Devices - Permissive firewall policy in one of the chains was found
- IoT Devices - Permissive firewall rule in the input chain was found
- IoT Devices - Permissive firewall rule in the output chain was found
- IoT Devices - TLS cipher suite upgrade needed
- IP Filter rule large IP range
- Java should be updated to the latest version for your API app
- Java should be updated to the latest version for your function app
- Java should be updated to the latest version for your web app
- Key Vault keys should have an expiration date
- Key Vault secrets should have an expiration date
- Key vaults should have purge protection enabled
- Key vaults should have soft delete enabled
- Kubernetes clusters should be accessible only over HTTPS
- MFA should be enabled on accounts with read permissions on your subscription
- Network traffic data collection agent should be installed on Linux virtual machines
- Network traffic data collection agent should be installed on Windows virtual machines
- Network Watcher should be enabled
- Non-internet-facing virtual machines should be protected with network security groups
- PHP should be updated to the latest version for your API app
- PHP should be updated to the latest version for your web app
- Private endpoint connections on Azure SQL Database should be enabled
- Public network access on Azure SQL Database should be disabled
- Public network access should be disabled for Cognitive Services accounts
- Python should be updated to the latest version for your API app
- Python should be updated to the latest version for your function app
- Python should be updated to the latest version for your web app
- Remote debugging should be turned off for API App
- Remote debugging should be turned off for Function App
- Remote debugging should be turned off for Web Applications
- SQL managed instances should use customer-managed keys to encrypt data at rest
- SQL servers should use customer-managed keys to encrypt data at rest
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should use customer-managed key (CMK) for encryption
- Subnets should be associated with a network security group
- Subscriptions should have a contact email address for security issues
- There should be more than one owner assigned to your subscription
- Validity period of certificates stored in Azure Key Vault should not exceed 12 months
- Virtual machines should be migrated to new Azure Resource Manager resources
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- Web apps should request an SSL certificate for all incoming requests
- Windows Defender Exploit Guard should be enabled on your machines
- Windows web servers should be configured to use secure communication protocols

0

Apply data classification

Classifying your organization's data by sensitivity and business impact allows you to determine and assign value to the data, and provides the strategy and basis for governance.
Azure Information Protection can assist with data classification. It uses encryption, identity, and authorization policies to protect data and restrict data access. Some classifications that Microsoft uses are Non-business, Public, General, Confidential, and Highly Confidential.
- Sensitive data in your SQL databases should be classified

0

Enable Advanced Threat Protection

Azure Security Center's optional Azure Defender threat protection plans provide comprehensive defenses for your environment. When Security Center detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.
Each Azure Defender plan is a separate, optional offering which you can enable using the relevant recommendation in this security control.
Learn more about threat protection in Security Center.
- Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed
- Azure Defender for App Service should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for container registries should be enabled
- Azure Defender for DNS should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Kubernetes should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for SQL servers on machines should be enabled
- Azure Defender for Storage should be enabled

Secure score FAQ

If I address only three out of four recommendations in a security control, will my secure score change?

No. It won't change until you remediate all of the recommendations for a single resource. To get the maximum score for a control, you must remediate all recommendations, for all resources.

If a recommendation isn't applicable to me, and I disable it in the policy, will my security control be fulfilled and my secure score updated?

Yes. We recommend disabling recommendations when they're inapplicable in your environment. For instructions on how to disable a specific recommendation, see Disable security policies.

If a security control offers me zero points towards my secure score, should I ignore it?

In some cases, you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations as they still bring security improvements. The only exception is the "Additional Best Practice" control. Remediating these recommendations won't increase your score, but it will enhance your overall security.

Next steps

This article described the secure score and the security controls it introduces. For related material, see the following articles: