Integrate Security Center security policies with Azure Policy

This article helps you configure Azure Security Center security policies, which are powered by Azure Policy.

How security policies work

Security Center automatically creates a default security policy for each of your Azure subscriptions. You can edit the policies in Security Center or use Azure Policy to do the following things:

  • Create new policy definitions.
  • Assign policies across management groups and subscriptions, which can represent an entire organization or a business unit within the organization.
  • Monitor policy compliance.

For more information about Azure Policy, see Create and manage policies to enforce compliance.

An Azure policy consists of the following components:

  • A policy is a rule
  • An initiative is a collection of policies
  • An assignment is an application of an initiative or a policy to a specific scope (management group, subscription, or resource group)

A resource is evaluated against the policies that are assigned to it and receives a compliance ratio according to the number of policies the resource is compliant to.

Edit security policies

You can edit the default security policy for each of your Azure subscriptions and management groups in Security Center. To modify a security policy, you must be an owner, contributor, or security administrator of the subscription or the containing management group. To view your security policies in Security Center:

  1. On the Security Center dashboard, under POLICY & COMPLIANCE, select Security policy. Policy Management opens.

    The Policy Management pane

    Policy Management displays the number of management groups, subscriptions, and workspaces as well as your management group structure.

    Note

    The Security Center dashboard may show a higher number of subscriptions under Subscription coverage than the number of subscriptions shown under Policy Management. Subscription coverage shows the number of Standard, Free, and “not covered” subscriptions. The “not covered” subscriptions do not have Security Center enabled and are not displayed under Policy Management.

    The columns in the table display:

    • Policy Initiative Assignment –Security Center built-in policies and initiatives that are assigned to a subscription or management group.
    • Compliance – Overall compliance score for a management group, subscription, or workspace. The score is the weighted average of the assignments. The weighted average factors in the number of policies in a single assignment and the number of resources the assignment applies to.

    For example, if your subscription has two VMs and an initiative with five policies assigned to it, then you have 10 assessments in your subscription. If one of the VMs doesn't comply to two of the policies, then the overall compliance score of your subscription’s assignment is 80%.

    • Coverage – Identifies the pricing tier, Free or Standard, that the management group, subscription, or workspace is running on. See Pricing to learn more about Security Center's pricing tiers.
    • Settings – Subscriptions have the link Edit settings. Selecting Edit settings lets you update your subscription settings such as data collection, pricing tier, and email notifications.
  2. Select the subscription or management group that you want to enable a security policy for. Security policy opens.

  3. Under Security policy, select the controls that you want Security Center to monitor for and provide recommendations on by selecting On. Select Off if you don't want Security Center to monitor that control.

    Policy components

  4. Select Save.

Available security policy definitions

To understand the policy definitions that are available in the default security policy, refer to the following table:

Policy What the enabled policy does
System updates Retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that's configured for your virtual machines, and it recommends that missing updates be applied. For Linux systems, the policy uses the distro-provided package-management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.
Security configurations Analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to address these vulnerabilities. For more information about the specific configurations that are being monitored, see the list of recommended baselines. (At this time, Windows Server 2016 isn't fully supported.)
Endpoint protection Recommends that endpoint protection be set up for all Windows virtual machines (VMs) to help identify and remove viruses, spyware, and other malicious software.
Disk encryption Recommends enabling disk encryption in all virtual machines to enhance data protection at rest.
Network security groups Recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints. Network security groups that are configured for a subnet are inherited by all virtual machine network interfaces, unless otherwise specified. In addition to checking to see whether a network security group has been configured, this policy assesses inbound security rules to identify rules that allow incoming traffic.
Web application firewall Recommends that a web application firewall be set up on virtual machines when either of the following items is true:
  • An instance-level public IP is used, and the inbound security rules for the associated network security group are configured to allow access to port 80/443.
  • A load-balanced IP is used, and the associated load balancing and inbound network address translation (NAT) rules are configured to allow access to port 80/443. For more information, see Azure Resource Manager support for Load Balancer.
Next generation firewall Extends network protections beyond network security groups, which are built into Azure. Security Center discovers deployments for which a next generation firewall is recommended, and then you can set up a virtual appliance.
SQL auditing and threat detection Recommends that auditing of access to Azure Database be enabled for compliance and advanced threat detection, for investigation purposes.
SQL encryption Recommends that encryption at rest be enabled for your Azure SQL database, associated backups, and transaction log files. Even if your data is breached, it isn't readable.
Vulnerability assessment Recommends that you install a vulnerability assessment solution on your VM.
Storage encryption Currently, this feature is available for Azure Blob storage and Azure Files. After you enable Storage Service Encryption, only new data is encrypted, and any existing files in this storage account remain unencrypted.
JIT network access When just-in-time network access is enabled, Security Center locks down inbound traffic to your Azure VMs by creating a network security group rule. You select the ports on the VM to which inbound traffic should be locked down. For more information, see Manage virtual machine access using just in time.

Management groups

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure Management Groups provides a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance policies to the management groups. All subscriptions within a management group automatically inherit the policies applied to the management group. Each directory is given a single top-level management group called the "root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and RBAC assignments to be applied at the directory level. To set up management groups for use with Azure Security Center, follow the instructions in the Gain tenant-wide visibility for Azure Security Center article.

Note

It’s important that you understand the hierarchy of management groups and subscriptions. See Organize your resources with Azure Management Groups to learn more about management groups, root management, and management group access.

Next steps

In this article, you learned how to configure security policies in Security Center. To learn more about Security Center, see the following articles:

To learn more about Azure Policy, see What is Azure Policy?