Understand Azure Security Center resource recommendations

Recommendations

Use the tables below as a reference to help you understand the available Compute and App services recommendations and what each one does if you apply it.

Computers

Recommendation Description
Enable data collection for subscriptions Recommends that you turn on data collection in the security policy for each of your subscriptions and all virtual machines (VMs) in your subscriptions.
Enable encryption for Azure Storage Account Recommends that you enable Azure Storage Service Encryption for data at rest. Storage Service Encryption (SSE) works by encrypting the data when it is written to Azure storage and decrypts before retrieval. SSE is currently available only for the Azure Blob service and can be used for block blobs, page blobs, and append blobs. To learn more, see Storage Service Encryption for data at rest.
SSE is only supported on Resource Manager storage accounts. Classic storage accounts are currently not supported. To understand the classic and Resource Manager deployment models, see Azure deployment models.
Remediate security configurations Recommends that you align your OS configurations with the recommended security configuration rules, e.g. do not allow passwords to be saved.
Apply system updates Recommends that you deploy missing system security and critical updates to VMs.
Apply a Just-In-Time network access control Recommends that you apply just in time VM access. The just in time feature is in preview and available on the Standard tier of Security Center. See Pricing to learn more about Security Center's pricing tiers.
Reboot after system updates Recommends that you reboot a VM to complete the process of applying system updates.
Install Endpoint Protection Recommends that you provision antimalware programs to VMs (Windows VMs only).
Enable VM Agent Enables you to see which VMs require the VM Agent. The VM Agent must be installed on VMs in order to provision patch scanning, baseline scanning, and antimalware programs. The VM Agent is installed by default for VMs that are deployed from the Azure Marketplace. The article VM Agent and Extensions – Part 2 provides information on how to install the VM Agent.
Apply disk encryption Recommends that you encrypt your VM disks using Azure Disk Encryption (Windows and Linux VMs). Encryption is recommended for both the OS and data volumes on your VM.
Update OS version Recommends that you update the operating system (OS) version for your Cloud Service to the most recent version available for your OS family. To learn more about Cloud Services, see the Cloud Services overview.
Vulnerability assessment not installed Recommends that you install a vulnerability assessment solution on your VM.
Remediate vulnerabilities Enables you to see system and application vulnerabilities detected by the vulnerability assessment solution installed on your VM.

App services

Recommendation Description
App Service should only be accessible over HTTPS Recommends that you limit access of App Service over HTTPS only.
Web Sockets should be disabled for Web Application Recommends that you carefully review the use of Web Sockets within web applications. The Web Sockets protocol is vulnerable to different types of security threats.
Use custom domains for your Web Application Recommends that you use custom domains to protect a web application from common attacks such as phishing and other DNS-related attacks.
Configure IP restrictions for Web Application Recommends that you define a list of IP addresses that are allowed to access your application. Use of IP restrictions protects a web application from common attacks.
Do not allow all ('*') resources to access your application Recommends that you do not set WEBSITE_LOAD_CERTIFICATES parameter to ‘’. Setting the parameter to ‘’ means that all certificates will be loaded to your web applications personal certificate store. This can lead to abuse of the principle of least privilege as it is unlikely that the site needs access to all certificates at runtime.
CORS should not allow every resource to access your application Recommends that you allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application.
Use the latest supported .NET Framework for Web Application Recommends that you use the latest .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable.
Use the latest supported Java version for Web Application Recommends that you use the latest Java version for the latest security classes. Using older classes and types can make your application vulnerable.
Use the latest supported PHP version for Web Application Recommends that you use the latest PHP version for the latest security classes. Using older classes and types can make your application vulnerable.
Add a web application firewall Recommends that you deploy a web application firewall (WAF) for web endpoints. A WAF recommendation is shown for any public facing IP (either Instance Level IP or Load Balanced IP) that has an associated network security group with open inbound web ports (80,443).
Security Center recommends that you provision a WAF to help defend against attacks targeting your web applications on virtual machines and on App Service Environment. An App Service Environment (ASE) is a Premium service plan option of Azure App Service that provides a fully isolated and dedicated environment for securely running Azure App Service apps. To learn more about ASE, see the App Service Environment Documentation.

You can protect multiple web applications in Security Center by adding these applications to your existing WAF deployments.
Finalize application protection To complete the configuration of a WAF, traffic must be rerouted to the WAF appliance. Following this recommendation completes the necessary setup changes.
Use the latest supported Node.js version for Web Application Recommends that you use the latest Node.js version for the latest security classes. Using older classes and types can make your application vulnerable.
CORS should not allow every resource to access your Function App Recommends that you allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your function application.
Use custom domains for Function App Recommends that you use custom domains to protect a function app from common attacks such as phishing and other DNS-related attacks.
Configure IP restrictions for Function App Recommends that you define a list of IP addresses that are allowed to access your application. Use of IP restrictions protects a function app from common attacks.
Function App should only be accessible over HTTPS Recommends that you limit access of Function apps over HTTPS only.
Remote debugging should be turned off for Function App Recommends that you turn off debugging for Function App if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Function App.
Web Sockets should be disabled for Function App Recommends that you carefully review the use of Web Sockets within Function Apps. The Web Sockets protocol is vulnerable to different types of security threats.

Next steps

To learn more about recommendations that apply to other Azure resource types, see the following:

To learn more about Security Center, see the following: