Protect your machines and applications
When Azure Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls to harden and protect your resources.
This article explains the Compute and Apps page of Security Center's resource security section.
For a full list of the recommendations you might see on this page, see Compute and apps recommendations.
View the security of your compute and apps resources
To view the status of your compute and apps resources, from the left pane in Security Center, select Compute & apps. The following tabs are available:
Overview: lists the recommendations for all the compute and apps resources as well as their current security status
VMs and Servers: lists the recommendations for your VMs, computers, and current security state of each
VM scale sets: lists the recommendations for your scale sets,
Cloud services: lists the recommendations for your web and worker roles monitored by Security Center
App services: lists the recommendations for your App service environments and the current security state of each
Containers: lists the recommendations for your containers and security assessment of their configurations
Compute resources: lists the recommendations for your compute resources, such as Service Fabric clusters and Event hubs
What's in each tab?
Each tab has multiple sections, and in each section, you can drill down to see additional details about the item shown.
In each tab, you will also see recommendations for the relevant resources in your monitored environment. The first column lists the recommendation, the second shows the total number of resources affected, and the third shows the severity of the issue.
Each recommendation has a set of actions that you can perform after you select it. For example, if you select Missing system updates, the number of VMs and computers that are missing patches, and the severity of the missing update appears.
The security recommendations are the same as those on the Recommendations page, but here they're filtered to the specific resource type you've selected. For more information about how to resolve recommendations, see Implementing security recommendations in Azure Security Center.
VMs and Servers
The VMs and computers section gives you an overview of all security recommendations for your VMs and computers. Four types of machines are included:
Azure Resource Manager VM.
Azure Classic VM.
VMs that are identified only from the workspace that is part of the viewed subscription. This includes VMs from other subscriptions that report to the workspace in this subscription, and VMs that were installed with Operations Manager direct agent, and have no resource ID.
The icon that appears under each recommendation helps you to quickly identify the VM and computer that needs attention, and the type of recommendation. You can also use the filters to search the list by Resource type and by Severity.
To drill down into the security recommendations for each VM, click on the VM. Here you see the security details for the VM or computer. At the bottom, you can see the recommended action and the severity of each issue.
Virtual machine scale sets
Security Center automatically discovers whether you have scale sets and recommends that you install the Log Analytics agent on them.
To install the Log Analytics agent:
Select the recommendation Install the monitoring agent on virtual machine scale set. You get a list of unmonitored scale sets.
Select an unhealthy scale set. Follow the instructions to install the monitoring agent using an existing populated workspace or create a new one. Make sure to set the workspace pricing tier if it's not set.
To set new scale sets to automatically install the Log Analytics agent:
Go to Azure Policy and click Definitions.
Search for the policy Deploy Log Analytics agent for Windows virtual machine scale sets and click on it.
Set the Scope and Log Analytics workspace and click Assign.
If you want to set all existing scale sets to install the Log Analytics agent, in Azure Policy, go to Remediation and apply the existing policy to existing scale sets.
For cloud services, a recommendation is created when the operating system version is out of date.
In a scenario where you have a recommendation, follow the steps in the recommendation to update the operating system. When an update is available, you will have an alert (red or orange - depending on the severity of the issue). For a full explanation of this recommendation, click Update OS version under the DESCRIPTION column.
To view the App Service information, you must be on Security Center's Standard pricing tier and enable App Service in your subscription. For instructions on enabling this feature, see Protect App Service with Azure Security Center.
Under App services, you find a list of your App service environments and the health summary based on the assessment Security Center performed.
There are three types of application services shown:
App services environment
If you select a web application, a summary view opens with three tabs:
- Recommendations: based on assessments performed by Security Center that failed.
- Passed assessments: list of assessments performed by Security Center that passed.
- Unavailable assessments: list of assessments that failed to run due to an error or the recommendation is not relevant for the specific App service
Under Recommendations is a list of the recommendations for the selected web application and severity of each recommendation.
Select a recommendation to see a description of the recommendation and a list of unhealthy resources, healthy resources, and unscanned resources.
The Passed assessments column shows a list of passed assessments. Severity of these assessments is always green.
Select a passed assessment from the list for a description of the assessment, a list of unhealthy and healthy resources, and a list of unscanned resources. There is a tab for unhealthy resources but that list is always empty since the assessment passed.
When you open the Containers tab, depending on your environment, you might see any of three types of resources:
Container hosts - VMs running docker
Azure Kubernetes Service (AKS) clusters
Azure Container Registry (ACR) registries - Shown only when you're on the standard pricing tier and when you have the Azure Container Registry bundle enabled.
For instructions on how to use the container security features, see Monitoring the security of your containers.
Benefits of the Azure Container Registry bundle are explained here
Benefits of the Kubernetes Services bundle are explained here
To see the recommendations for a specific resource in the list, click that resource.
Visibility into container registries
For example, clicking the asc-demo ACR registry from the list shown in the graphic above leads to this details page:
Visibility into containers hosted on IaaS Linux machines
When you click one of the VMs running docker, you'll see the details page with information related to the containers on the machine, such as Docker version and the number of images running on the host.
Security recommendations based on CIS benchmark for Docker
Security Center scans your Docker configurations and gives you visibility into misconfigurations by providing a list of all failed rules that were assessed. Security Center provides guidelines to help you resolve these issues quickly and save time. Security Center continuously assesses the Docker configurations and provides you with their latest state.
To learn more about recommendations that apply to other Azure resource types, see the following articles: