Security recommendations - a reference guide

This article lists the recommendations you might see in Azure Security Center. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.

To learn about how to respond to these recommendations, see Remediate recommendations in Azure Security Center.

Your secure score is based on how many Security Center recommendations you have mitigated. To prioritize the recommendations to resolve first, consider the severity of each.

Network recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
Just-in-time network access control should be applied on virtual machines Apply just-in-time (JIT) virtual machine (VM) access control to permanently lock down access to selected ports, and enable authorized users to open them, via JIT, for a limited amount of time only.
(Related policy: Just-In-Time network access control should be applied on virtual machines)
High N Virtual machine
Network security groups on the subnet level should be enabled Enable network security groups to control network access of resources deployed in your subnets.
(Related policy: Subnets should be associated with a Network Security Group.
This policy is disabled by default)
High/ Medium N Subnet
Internet-facing virtual machines should be protected with Network Security Groups Enable Network Security Groups to control network access of your virtual machines.
(Related policy: Internet-facing virtual machines should be protected with Network Security Groups)
High/ Medium N Virtual machine
All network ports should be restricted on NSG associated to your VM Harden the network security groups of your Internet-facing VMs by restricting the access of your existing allow rules.
This recommendation is triggered when any port is opened to all sources (except for ports 22, 3389, 5985, 5986, 80, and 1443).
(Related policy: Access through internet facing endpoint should be restricted)
High N Virtual machine
Adaptive Network Hardening recommendations should be applied on internet facing virtual machines Customers on the standard pricing tier will see this recommendation when the Adaptive Network Hardening feature finds an overly-permissive NSG rule.
(Related policy: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines)
High N Virtual machine
The rules for web applications on IaaS NSGs should be hardened
(DEPRECATED)
Harden the network security group (NSG) of your virtual machines that are running web applications, with NSG rules that are overly permissive with regards to web application ports.
(Related policy: The NSGs rules for web applications on IaaS should be hardened)
High N Virtual machine
Access to App Services should be restricted
(DEPRECATED)
Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.
(Related policy: [Preview]: Access to App Services should be restricted)
High N App service
Management ports should be closed on your virtual machines Harden the network security group of your virtual machines to restrict access to management ports.
(Related policy: Management ports should be closed on your virtual machines)
High N Virtual machine
DDoS Protection Standard should be enabled Protect virtual networks containing applications with public IPs by enabling DDoS protection service standard. DDoS protection enables mitigation of network volumetric and protocol attacks.
(Related policy: DDoS Protection Standard should be enabled)
High N Virtual network
IP forwarding on your virtual machine should be disabled Disable IP forwarding. When IP forwarding is enabled on a virtual machine's NIC, the machine can receive traffic addressed to other destinations. IP forwarding is rarely required (for example, when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
(Related policy: [Preview]: IP Forwarding on your virtual machine should be disabled)
Medium N Virtual machine
Web Application should only be accessible over HTTPS Enable "HTTPS only" access for web applications. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
(Related policy: Web Application should only be accessible over HTTPS)
Medium Y Web application
Function App should only be accessible over HTTPS Enable "HTTPS only" access for function apps. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
(Related policy: Function App should only be accessible over HTTPS)
Medium Y Function app
Secure transfer to storage accounts should be enabled Enable secure transfer to storage accounts. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks, such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Secure transfer to storage accounts should be enabled)
High Y Storage account

Container recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster To provide granular filtering of the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information see Azure role-based access control.
(Related policy: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services)
Medium N Compute resources (Containers)
The Kubernetes Service should be upgraded to the latest Kubernetes version Upgrade Azure Kubernetes Service clusters to the latest Kubernetes version in order to benefit from up-to-date vulnerability patches. For details regarding specific Kubernetes vulnerabilities see Kubernetes CVEs.
(Related policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version)
High N Compute resources (Containers)
Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access.
(Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services)
Medium N Compute resources (Containers)
Access to a Kubernetes service management API should be limited by authorizing specific IP ranges only Restrict access to the Kubernetes service management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster.
(Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services)
High N Compute resources (Containers)
Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys) Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers’ security posture and protect them from attacks.
(No related policy)
High N Compute resources (Containers)

App Service recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
Web Application should only be accessible over HTTPS Limit access of Web Applications over HTTPS only.
(Related policy: )
Medium N App service
Function App should only be accessible over HTTPS Limit access of Function Apps over HTTPS only.
(Related policy: )
Medium N App service
API App should only be accessible over HTTPS Limit access of API Apps over HTTPS only.
(Related policy: )
Medium N App service
Remote debugging should be turned off for Web Applications Turn off debugging for Web Applications if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Web App.
(Related policy: Remote debugging should be turned off for Web Application)
Low Y App service
Remote debugging should be turned off for Function App Turn off debugging for Function App if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Function App.
(Related policy: Remote debugging should be turned off for Function App)
Low Y App service
Remote debugging should be turned off for API App Turn off debugging for API App if you no longer need to use it. Remote debugging requires inbound ports to be opened on an API App.
(Related policy: Remote debugging should be turned off for API App)
Low Y App service
CORS should not allow every resource to access your Web Applications Allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application.
(Related policy: CORS should not allow every resource to access your Web Application)
Low Y App service
CORS should not allow every resource to access your Function App Allow only required domains to interact with your function application. Cross origin resource sharing (CORS) should not allow all domains to access your function application.
(Related policy: CORS should not allow every resource to access your Function App)
Low Y App service
CORS should not allow every resource to access your API App Allow only required domains to interact with your API application. Cross origin resource sharing (CORS) should not allow all domains to access your API application.
(Related policy: CORS should not allow every resource to access your API App)
Low Y App service
Diagnostic logs in App Services should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in App Services should be enabled)
Low N App service

Compute and app recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
Diagnostic logs in Azure Stream Analytics should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Azure Stream Analytics should be enabled)
Low Y Compute resources (stream analytics)
Diagnostic logs in Batch accounts should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Batch accounts should be enabled)
Low Y Compute resources (batch)
Diagnostic logs in Event Hub should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Event Hub should be enabled)
Low Y Compute resources (event hub)
Diagnostic logs in Logic Apps should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Logic Apps should be enabled)
Low Y Compute resources (logic apps)
Diagnostic logs in Search services should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Search services should be enabled)
Low Y Compute resources (search)
Diagnostic logs in Service Bus should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Service Bus should be enabled)
Low Y Compute resources (service bus)
Service Fabric clusters should only use Azure Active Directory for client authentication Perform Client authentication only via Azure Active Directory in Service Fabric.
(Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication)
High N Compute resources (service fabric)
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.
(Related policy: The ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set)
High N Compute resources (service fabric)
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.
(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace)
Low N Compute resources (service bus)
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.
(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace)
Low N Compute resources (event hub)
Authorization rules on the Event Hub entity should be defined Audit authorization rules on the Event Hub entity to grant least-privileged access.
(Related policy: Authorization rules on the Event Hub entity should be defined)
Low N Compute resources (event hub)
Install monitoring agent on your virtual machines Install the Monitoring agent to enable data collection, updates scanning, baseline scanning, and endpoint protection on each machine.
(Related policy: Monitoring agent should be enabled on your virtual machines)
High Y Machine
Monitoring agent health issues should be resolved on your machines For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide
(No related policy - dependent upon "Install monitoring agent on your virtual machines")
Medium N Machine
Adaptive Application Controls should be enabled on virtual machines Enable application control to control which applications can run on your VMs located in Azure. This will help harden your VMs against malware. Security Center uses machine learning to analyze the applications running on each VM and helps you apply allow rules using this intelligence. This capability simplifies the process of configuring and maintaining application allow rules.
(Related policy: Adaptive Application Controls should be enabled on virtual machines)
High N Machine
Install endpoint protection solution on your machines Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.
(Related policy: Monitor missing Endpoint Protection in Azure Security Center)
Medium N Machine
Install endpoint protection solution on virtual machines Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.
(No related policy)
Medium N Machine
OS version should be updated for your cloud service roles Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.
(No related policy)
High N Machine
System updates should be installed on your machines Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers
(Related policy: System updates should be installed on your machines)
High N Machine
Your machines should be restarted to apply system updates Restart your machines to apply the system updates and secure the machine from vulnerabilities.
(No related policy - dependent upon "System updates should be installed on your machines")
Medium N Machine
Automation account variables should be encrypted Enable encryption of Automation account variable assets when storing sensitive data.
(Related policy: Encryption should be enabled on Automation account variables)
High N Compute resources (automation account)
Disk encryption should be applied on virtual machines Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines. Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and compliance commitments in customer Azure key vault. When your compliance and security requirement requires you to encrypt the data end to end using your encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use Azure disk encryption. Alternatively, by default, Managed Disks are encrypted at rest by default using Azure Storage Service Encryption where the encryption keys are Microsoft-managed keys in Azure. If this meets your compliance and security requirements, you can leverage the default Managed disk encryption to meet your requirements.
(Related policy: Disk encryption should be applied on virtual machines)
High N Machine
Virtual machines should be migrated to new Azure Resource Manager resources Use Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
(Related policy: Virtual machines should be migrated to new Azure Resource Manager resources)
Low N Machine
Vulnerability assessment solution should be installed on your virtual machines Install a vulnerability assessment solution on your virtual machines
(Related policy: Vulnerability assessment should be installed on virtual machines)
Medium N Machine
Vulnerabilities should be remediated by a Vulnerability Assessment solution Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.
(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)
High N Machine
Vulnerabilities in security configuration on your machines should be remediated Remediate vulnerabilities in security configuration on your machines to protect them from attacks.
(Related policy: Vulnerabilities in security configuration on your machines should be remediated)
Low N Machine
Vulnerabilities in container security configurations should be remediated Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.
(Related policy: Vulnerabilities in container security configurations should be remediated)
High N Machine
Endpoint protection health issues should be resolved on your machines For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.
(No related policy - dependent upon "Install endpoint protection solution on your machines")
Medium N Machine

Virtual machine scale set recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
Diagnostic logs in Virtual Machine Scale Sets should be enabled Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes. This is useful when a security incident occurs, or your network is compromised.
(Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled)
Low N Virtual machine scale set
Endpoint protection health failures should be remediated on virtual machine scale sets Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.
(No related policy - dependent upon "Endpoint protection solution should be installed on virtual machine scale sets")
Low N Virtual machine scale set
Endpoint protection solution should be installed on virtual machine scale sets Install an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities.
(Related policy: Endpoint protection solution should be installed on virtual machine scale sets)
High N Virtual machine scale set
System updates on virtual machine scale sets should be installed Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.
(Related policy: System updates on virtual machine scale sets should be installed)
High N Virtual machine scale set
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Remediate vulnerabilities in security configuration on your virtual machine scale sets to protect them from attacks. 
(Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated)
High N Virtual machine scale set

Data and storage recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
Access to storage accounts with firewall and virtual network configurations should be restricted Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific Internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or to public Internet IP address ranges.
(Related policy: Audit unrestricted network access to storage accounts)
Low N Storage account
An Azure Active Directory administrator should be provisioned for SQL servers Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
(Related policy: Audit provisioning of an Azure Active Directory administrator for SQL server)
High N SQL
Auditing on SQL server should be enabled Enable auditing for Azure SQL servers. (Azure SQL service only. Doesn't include SQL running on your virtual machines.)
(Related policy: Auditing should be enabled on advanced data security settings on SQL Server)
Low Y SQL
Diagnostic logs in Azure Data Lake Store should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Azure Data Lake Store should be enabled)
Low Y Data lake store
Diagnostic logs in Data Lake Analytics should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Data Lake Analytics should be enabled)
Low Y Data lake analytics
Only secure connections to your Redis Cache should be enabled Enable only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Only secure connections to your Redis Cache should be enabled)
High N Redis
Secure transfer to storage accounts should be enabled Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Secure transfer to storage accounts should be enabled)
High N Storage account
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, and Azure AD-based authentication and support for tags and resource groups for easier security management.
(Related policy: Storage accounts should be migrated to new Azure Resource Manager resources)
Low N Storage account
Transparent Data Encryption on SQL databases should be enabled Enable transparent data encryption to protect data-at-rest and meet compliance requirements.
(Related policy: Transparent Data Encryption on SQL databases should be enabled)
Low Y SQL
Vulnerability assessment should be enabled on your SQL servers Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on your SQL servers)
High Y SQL
Vulnerabilities on your SQL databases should be remediated SQL Vulnerability Assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security stature.
(Related policy: Vulnerabilities on your SQL databases should be remediated)
High N SQL

Identity and access recommendations

Recommendation Description & related policy Severity Quick fix enabled?(Learn more) Resource type
MFA should be enabled on accounts with read permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with read privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with read permissions on your subscription)
High N Subscription
MFA should be enabled on accounts with write permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with write privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with write permissions on your subscription)
High N Subscription
MFA should be enabled on accounts with owner permissions on your subscription Enable Multi-Factor Authentication (MFA) for all subscription accounts with owner privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with owner permissions on your subscription)
High N Subscription
External accounts with read permissions should be removed from your subscription Remove external accounts with read privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with read permissions should be removed from your subscription)
High N Subscription
External accounts with write permissions should be removed from your subscription Remove external accounts with write privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with write permissions should be removed from your subscription)
High N Subscription
External accounts with owner permissions should be removed from your subscription Remove external accounts with owner privileges from your subscription in order to prevent unmonitored access.
(Related policy: External accounts with owner permissions should be removed from your subscription)
High N Subscription
Deprecated accounts with owner permissions should be removed from your subscription Remove deprecated accounts with owner permissions from your subscriptions.
(Related policy: Deprecated accounts with owner permissions should be removed from your subscription)
High N Subscription
Deprecated accounts should be removed from your subscription Remove deprecated accounts from your subscriptions to enable access to only current users.
(Related policy: Deprecated accounts should be removed from your subscription)
High N Subscription
There should be more than one owner assigned to your subscription Designate more than one subscription owner in order to have administrator access redundancy.
(Related policy: There should be more than one owner assigned to your subscription)
High N Subscription
A maximum of 3 owners should be designated for your subscription Designate fewer than three subscription owners in order to reduce the potential for breach by a compromised owner.
(Related policy: A maximum of 3 owners should be designated for your subscription)
High N Subscription
Diagnostic logs in Key Vault should be enabled Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Key Vault should be enabled)
Low Y Key Vault

Next steps

To learn more about recommendations, see the following: