Remediate recommendations in Azure Security Center

Recommendations give you suggestions on how to better secure your resources. You implement a recommendation by following the remediation steps provided in the recommendation.

Remediation steps

After reviewing all the recommendations, decide which one to remediate first. We recommend that you use the secure score impact to help prioritize what to do first.

  1. From the list, click on the recommendation.

  2. Follow the instructions in the Remediation steps section. Each recommendation has its own set of instructions. The following shows remediation steps for configuring applications to only allow traffic over HTTPS.

    [Screenshot: Recommendation details]

  3. Once completed, a notification appears informing you if the remediation succeeded.

One-click fix remediation (Preview)

One-click fix enables you to remediate a recommendation on many resources at once, with a single click. It is available only for specific recommendations. One-click fix simplifies remediation and enables you to quickly improve your secure score and increase the security of your environment.

To implement one-click remediation:

  1. From the list of recommendations that have the 1-Click-fix label, click on the recommendation.

    [Screenshot: Select one-click fix]

  2. From the Unhealthy resources tab, select the resources that you want to implement the recommendation on, and click Remediate.

    Note

    Some of the listed resources might be disabled because you do not have the appropriate permissions to modify them.

  3. In the confirmation box, read the remediation details and implications.

    [Screenshot: One-click fix]

    Note

    The implications are listed in the grey box of the Remediate resources window that opens after you click Remediate. They describe the changes that will be made when you proceed with the one-click remediation.

  4. Insert the relevant parameters if necessary, and approve the remediation.

    Note

    It can take several minutes after remediation completes to see the resources in the Healthy resources tab. To view the remediation actions, check the activity log.

  5. Once completed, a notification appears informing you if the remediation succeeded.

One-click remediation logging in the activity log

The remediation operation uses a template deployment or a REST PATCH API call to apply the configuration to the resource. These operations are logged in the Azure activity log, so you can audit who applied a bulk remediation, to which resources, and whether it succeeded.
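As an added example (not part of the original page), the script below pulls the write operations that a one-click remediation leaves in the activity log out of a list of log entries. The entries are constructed sample data, trimmed to the fields used and shaped like the camelCase output of `az monitor activity-log list` (an assumption about the shape); the subscription id is a placeholder, and the set of operation names to look for is the author's own choice.

```python
from datetime import datetime, timezone

# Constructed sample entries, not a real activity log. Subscription id is a placeholder.
RG = "/subscriptions/<sub-id>/resourceGroups/rg-web/providers/"
SAMPLE_LOG = [
    {"eventTimestamp": "2020-03-10T09:15:02Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Web/sites/write"},
     "status": {"value": "Succeeded"}, "resourceId": RG + "Microsoft.Web/sites/shop-web"},
    {"eventTimestamp": "2020-03-10T09:15:05Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Resources/deployments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": RG + "Microsoft.Resources/deployments/remediation-1"},
    {"eventTimestamp": "2020-03-10T09:20:00Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Web/sites/read"},        # read: not a remediation
     "status": {"value": "Succeeded"}, "resourceId": RG + "Microsoft.Web/sites/shop-web"},
    {"eventTimestamp": "2020-03-09T23:59:00Z", "caller": "asc-automation@example.com",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},  # before window
     "status": {"value": "Failed"}, "resourceId": RG + "Microsoft.Storage/storageAccounts/stlogs01"},
    {"eventTimestamp": "2020-03-10T10:00:00Z", "caller": "asc-automation@example.com",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "status": {"value": "Succeeded"}, "resourceId": RG + "Microsoft.Storage/storageAccounts/stlogs01"},
]

# Write operations that the remediations in this article produce (author's selection):
# a template deployment, or a PATCH of the site, site config, storage account or SQL auditing.
REMEDIATION_OPS = {
    "Microsoft.Resources/deployments/write", "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/config/write", "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Sql/servers/auditingSettings/write",
}

def _ts(s):
    # Activity log timestamps are UTC and may carry fractional seconds; keep YYYY-MM-DDTHH:MM:SS.
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def remediation_events(entries, since, ops=REMEDIATION_OPS):
    """Return the remediation write operations logged at or after `since` (ISO-8601 UTC)."""
    start = _ts(since)
    hits = []
    for e in entries:
        op = e["operationName"]["value"]
        if op not in ops or _ts(e["eventTimestamp"]) < start:
            continue
        hits.append({"time": e["eventTimestamp"], "caller": e["caller"], "op": op,
                     "resource": e["resourceId"].rsplit("/", 1)[-1],
                     "status": e["status"]["value"]})
    return hits

def by_caller(events):
    """Group the remediated resource names by the identity that applied the change."""
    out = {}
    for ev in events:
        out.setdefault(ev["caller"], []).append(ev["resource"])
    return out
```

Run `by_caller(remediation_events(SAMPLE_LOG, "2020-03-10T00:00:00Z"))` against real output of `az monitor activity-log list` by loading its JSON instead of `SAMPLE_LOG`.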

Recommendations with one-click remediation

Each entry below gives the recommendation and the implication of applying its one-click fix.

Recommendation: Auditing on SQL servers should be enabled
Implication: This action will enable SQL auditing on these servers and their databases.
Note:
  • For each region of the selected SQL servers, a storage account for saving audit logs will be created and shared by all the servers in that region.
  • To ensure proper auditing, do not delete or rename the resource group or the storage accounts.

Recommendation: Advanced data security should be enabled on your SQL managed instances
Implication: This action will enable SQL Advanced Data Security (ADS) on the selected SQL managed instances.
Note:
  • For each region and resource group of the selected SQL managed instances, a storage account for saving scan results will be created and shared by all the instances in that region.
  • ADS is charged at $15 per SQL managed instance.

Recommendation: Vulnerability assessment should be enabled on your SQL managed instances
Implication: This action will enable SQL Vulnerability Assessment on the selected SQL managed instances.
Note:
  • SQL Vulnerability Assessment is part of the SQL Advanced Data Security (ADS) package. If ADS is not enabled already, it will automatically be enabled on the managed instance.
  • For each region and resource group of the selected SQL managed instances, a storage account for storing scan results will be created and shared by all the instances in that region.
  • ADS is charged at $15 per SQL server.

Recommendation: Advanced Data Security should be enabled on your SQL servers
Implication: This action will enable Advanced Data Security (ADS) on the selected servers and their databases.
Note:
  • For each region and resource group of the selected SQL servers, a storage account for storing scan results will be created and shared by all the servers in that region.
  • ADS is charged at $15 per SQL server.

Recommendation: Vulnerability Assessment should be enabled on your SQL servers
Implication: This action will enable SQL Vulnerability Assessment on the selected servers and their databases.
Note:
  • SQL Vulnerability Assessment is part of the SQL Advanced Data Security (ADS) package. If ADS is not enabled already, it will automatically be enabled on the SQL server.
  • For each region and resource group of the selected SQL servers, a storage account for storing scan results will be created and shared by all the instances in that region.
  • ADS is charged at $15 per SQL server.

Recommendation: Transparent data encryption on SQL databases should be enabled
Implication: This action enables SQL Database Transparent Data Encryption (TDE) on the selected databases.
Note: By default, service-managed TDE keys will be used.

Recommendation: Secure transfer to storage accounts should be enabled
Implication: This action updates your storage account security to allow only requests over secure connections (HTTPS).
Note:
  • Any requests using HTTP will be rejected.
  • When you are using the Azure Files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client.

Recommendation: Web Application should only be accessible over HTTPS
Implication: This action will redirect all traffic from HTTP to HTTPS on the selected resources.
Note:
  • An HTTPS endpoint that doesn't have an SSL certificate will show up in the browser with a 'Privacy Error'. Therefore, users who have a custom domain need to verify that they have set up an SSL certificate.
  • Make sure that the packet and web application firewalls protecting the app service allow forwarding of HTTPS sessions.

Recommendation: Function App should only be accessible over HTTPS
Implication: This action will redirect all traffic from HTTP to HTTPS on the selected resources.
Note:
  • An HTTPS endpoint that doesn't have an SSL certificate will show up in the browser with a 'Privacy Error'. Therefore, users who have a custom domain need to verify that they have set up an SSL certificate.
  • Make sure that the packet and web application firewalls protecting the app service allow forwarding of HTTPS sessions.

Recommendation: API App should only be accessible over HTTPS
Implication: This action will redirect all traffic from HTTP to HTTPS on the selected resources.
Note:
  • An HTTPS endpoint that doesn't have an SSL certificate will show up in the browser with a 'Privacy Error'. Therefore, users who have a custom domain need to verify that they have set up an SSL certificate.
  • Make sure that the packet and web application firewalls protecting the app service allow forwarding of HTTPS sessions.

Recommendation: Remote debugging should be turned off for Web Application
Implication: This action disables remote debugging.

Recommendation: Remote debugging should be turned off for Function App
Implication: This action disables remote debugging.

Recommendation: Remote debugging should be turned off for API App
Implication: This action disables remote debugging.

Recommendation: CORS should not allow every resource to access your Web Application
Implication: This action blocks other domains from accessing your Web Application. To allow specific domains, enter them in the Allowed origins field (separated by commas).
Note: Leaving the field empty will block all cross-origin calls. (Parameter field title: Allowed origins.)

Recommendation: CORS should not allow every resource to access your Function App
Implication: This action blocks other domains from accessing your Function Application. To allow specific domains, enter them in the Allowed origins field (separated by commas).
Note: Leaving the field empty will block all cross-origin calls. (Parameter field title: Allowed origins.)

Recommendation: CORS should not allow every resource to access your API App
Implication: This action blocks other domains from accessing your API Application. To allow specific domains, enter them in the Allowed origins field (separated by commas).
Note: Leaving the field empty will block all cross-origin calls. (Parameter field title: Allowed origins.)

Recommendation: Monitoring agent should be enabled on your virtual machines
Implication: This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.
  • If your update policy is set to automatic, it will deploy on new and existing instances.
  • If your update policy is set to manual and you would like to install the agent on existing instances, select the check box option.

Recommendation: Diagnostic logs in Key Vault should be enabled
Implication: This action enables diagnostic logs on key vaults. Diagnostic logs and metrics are saved in the selected workspace.

Recommendation: Diagnostic logs in Service bus should be enabled
Implication: This action enables diagnostic logs on the service bus. Diagnostic logs and metrics are saved in the selected workspace.
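The App Service entries above (HTTPS only, remote debugging off, no wildcard CORS origin) all act on properties of the site and its configuration. As an added example that is not part of this article, the script below evaluates those three recommendations against constructed site objects and builds the property set that the corresponding PATCH would apply; the property names `httpsOnly`, `remoteDebuggingEnabled` and `cors.allowedOrigins` and the `kind` values `app`, `functionapp` and `api` are the author's assumptions about the ARM resource shape.

```python
# Constructed sample sites, not real Azure output; only the properties checked are present.
SITES = [
    {"name": "shop-web", "kind": "app",
     "properties": {"httpsOnly": False},
     "siteConfig": {"remoteDebuggingEnabled": True,
                    "cors": {"allowedOrigins": ["*", "https://admin.example.com"]}}},
    {"name": "billing-func", "kind": "functionapp,linux",
     "properties": {"httpsOnly": True},
     "siteConfig": {"remoteDebuggingEnabled": False,
                    "cors": {"allowedOrigins": ["https://portal.example.com"]}}},
]

# Maps the first token of the site's `kind` to the wording the recommendations use (assumption).
KIND_LABEL = {"app": "Web Application", "functionapp": "Function App", "api": "API App"}

def evaluate_site(site):
    """Return (list of unhealthy recommendations, PATCH-style property set that fixes them)."""
    label = KIND_LABEL.get(site.get("kind", "app").split(",")[0], "Web Application")
    findings = []
    patch = {"properties": {}, "siteConfig": {}}
    if not site.get("properties", {}).get("httpsOnly", False):
        findings.append(f"{label} should only be accessible over HTTPS")
        patch["properties"]["httpsOnly"] = True          # redirect HTTP to HTTPS
    cfg = site.get("siteConfig", {})
    if cfg.get("remoteDebuggingEnabled", False):
        findings.append(f"Remote debugging should be turned off for {label}")
        patch["siteConfig"]["remoteDebuggingEnabled"] = False
    origins = cfg.get("cors", {}).get("allowedOrigins", [])
    if "*" in origins:
        findings.append(f"CORS should not allow every resource to access your {label}")
        # Dropping "*" keeps the named origins; an empty list blocks all cross-origin calls.
        patch["siteConfig"]["cors"] = {"allowedOrigins": [o for o in origins if o != "*"]}
    return findings, patch

def unhealthy_resources(sites):
    """Name -> unhealthy recommendations, for every site that fails at least one."""
    report = {}
    for site in sites:
        findings, _ = evaluate_site(site)
        if findings:
            report[site["name"]] = findings
    return report
```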

Next steps

In this document, you were shown how to remediate recommendations in Security Center. To learn more about Security Center, see the following topics: