Protecting your machines and applications in Azure Security Center
Azure Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls. Recommendations apply to Azure resource types: virtual machines (VMs) and computers, applications, networking, SQL, and Identity and Access.
This article addresses recommendations that apply to machines and applications.
Monitoring security health
You can monitor the security state of your resources on the Security Center – Overview dashboard. The Resources section provides the number of issues identified and the security state for each resource type.
You can view a list of all issues by selecting Recommendations. For more information about how to apply recommendations, see Implementing security recommendations in Azure Security Center.
For a complete list of Compute and App services recommendations, see Recommendations.
To continue, select Compute & apps under Resources or the Security Center main menu.
Monitor Compute and App services
Under Compute, there are four tabs:
- Overview: monitoring and recommendations identified by Security Center.
- VMs and computers: list of your VMs, computers, and current security state of each.
- Cloud Services: list of your web and worker roles monitored by Security Center.
- App services (Preview): list of your App service environments and current security state of each. To continue, select Compute & apps under Resources or the Security Center main menu.
In each tab you can have multiple sections, and in each section, you can select an individual option to see more details about the recommended steps to address that particular issue.
This section shows the total number of VMs and computers that were initialized for automatic provisioning and their current statuses. In this example there is one recommendation, Monitoring agent health issues. Select this recommendation.
Monitoring agent health issues opens. VMs and computers that Security Center is unable to successfully monitor are listed. Select a VM or computer for detailed information. MONITORING STATE provides a reason why Security Center is unable to monitor. See the Security Center troubleshooting guide for a list of MONITORING STATE values, descriptions, and resolution steps.
Unmonitored VMs and computers
A VM or computer is unmonitored by Security Center if the machine is not running the Microsoft Monitoring Agent extension. A machine may have a local agent already installed, for example the OMS direct agent or the SCOM agent. Machines with these agents are identified as unmonitored because these agents are not fully supported in Security Center. To fully benefit from all of Security Center’s capabilities, the Microsoft Monitoring Agent extension is required.
You can install the extension on the unmonitored VM or computer in addition to the already installed local agent. Configure both agents the same, connecting them to the same workspace. This enables Security Center to interact with the Microsoft Monitoring Agent extension and collect data. See Enable the VM extension for instructions on how to install the Microsoft Monitoring Agent extension.
See Monitoring agent health issues to learn more about the reasons Security Center is unable to successfully monitor VMs and computers initialized for automatic provisioning.
This section has a set of recommendations for each VM and computer, web and worker roles, Azure App Service Web Apps, and Azure App Service Environment that Security Center monitors. The first column lists the recommendation. The second column shows the total number of resources that are affected by that recommendation. The third column shows the severity of the issue as illustrated in the following screenshot:
Each recommendation has a set of actions that you can perform after you select it. For example, if you select Missing system updates, the number of VMs and computers that are missing patches, and the severity of the missing update appears, as shown in the following screenshot:
Apply system updates has a summary of critical updates in a graph format, one for Windows, and one for Linux. The second part has a table with the following information:
- NAME: Name of the missing update.
- NO. OF VMs & COMPUTERS: Total number of VMs and computers that are missing this update.
UPDATE SEVERITY: Describes the severity of that particular recommendation:
- Critical: A vulnerability exists with a meaningful resource (application, virtual machine, or network security group) and requires attention.
- Important: Non-critical or additional steps are required to complete a process or eliminate a vulnerability.
- Moderate: A vulnerability should be addressed but does not require immediate attention. (By default, low recommendations are not presented, but you can filter on low recommendations if you want to view them.)
STATE: The current state of the recommendation:
- Open: The recommendation has not been addressed yet.
- In Progress: The recommendation is currently being applied to those resources, and no action is required by you.
- Resolved: The recommendation was already finished. (When the issue has been resolved, the entry is dimmed).
To view the recommendation details, click the name of the missing update from the list.
The security recommendations here are the same as those under the Recommendations tile. See Implementing security recommendations in Azure Security Center for more information about how to resolve recommendations.
VMs and computers
The VMs and computers section gives you an overview of all VM and computer recommendations. Each column represents one set of recommendations as shown in the following screenshot:
There are four types of icons represented in this list:
Azure Resource Manager VM.
Azure Classic VM.
VMs that are identified only from the workspace that is part of the viewed subscription. This includes VMs from other subscriptions that report to the workspace in this subscription, and VMs that were installed with SCOM direct agent, and have no resource ID.
The icon that appears under each recommendation helps you to quickly identify the VM and computer that needs attention, and the type of recommendation. You can also use the Filter option to select which options you will see on this screen.
In the previous example, one VM has a critical recommendation regarding endpoint protection. Select the VM to get more information about it:
Here you see the security details for the VM or computer. At the bottom you can see the recommended action and the severity of each issue.
For cloud services, a recommendation is created when the operating system version is out of date as shown in the following screenshot:
In a scenario where you do have a recommendation (which is not the case for the previous example), you need to follow the steps in the recommendation to update the operating system version. When an update is available, you will have an alert (red or orange - depends on the severity of the issue). When you select this alert in the WebRole1 (runs Windows Server with your web app automatically deployed to IIS) or WorkerRole1 (runs Windows Server with your web app automatically deployed to IIS) rows, you see more details about this recommendation as shown in the following screenshot:
To see a more prescriptive explanation about this recommendation, click Update OS version under the DESCRIPTION column.
App services (Preview)
Monitoring App Service is in preview and available only on the Standard tier of Security Center. See Pricing to learn more about Security Center's pricing tiers.
Under App services, you find a list of your App service environments and the health summary based on the assessment Security Center performed.
There are three types of icons represented in this list:
App services environment.
Select a web application. A summary view opens with three tabs:
- Recommendations: based on assessments performed by Security Center that failed.
- Passed assessments: list of assessments performed by Security Center that passed.
- Unavailable assessments: list of assessments that failed to run due to an error or the recommendation is not relevant for the specific App service
Under Recommendations is a list of the recommendations for the selected web application and severity of each recommendation.
Select a recommendation for a description of the recommendation and a list of unhealthy resources, healthy resources, and unscanned resources.
Under Passed assessments is a list of passed assessments. Severity of these assessments is always green.
Select a passed assessment from the list for a description of the assessment, a list of unhealthy and healthy resources, and a list of unscanned resources. There is a tab for unhealthy resources but that list is always empty since the assessment passed.
Use the tables below as a reference to help you understand the available Compute and App services recommendations and what each one does if you apply it.
|Enable data collection for subscriptions||Recommends that you turn on data collection in the security policy for each of your subscriptions and all virtual machines (VMs) in your subscriptions.|
|Enable encryption for Azure Storage Account||Recommends that you enable Azure Storage Service Encryption for data at rest. Storage Service Encryption (SSE) works by encrypting the data when it is written to Azure storage and decrypts before retrieval. SSE is currently available only for the Azure Blob service and can be used for block blobs, page blobs, and append blobs. To learn more, see Storage Service Encryption for data at rest.
SSE is only supported on Resource Manager storage accounts. Classic storage accounts are currently not supported. To understand the classic and Resource Manager deployment models, see Azure deployment models.
|Remediate security configurations||Recommends that you align your OS configurations with the recommended security configuration rules, e.g. do not allow passwords to be saved.|
|Apply system updates||Recommends that you deploy missing system security and critical updates to VMs.|
|Apply a Just-In-Time network access control||Recommends that you apply just in time VM access. The just in time feature is in preview and available on the Standard tier of Security Center. See Pricing to learn more about Security Center's pricing tiers.|
|Reboot after system updates||Recommends that you reboot a VM to complete the process of applying system updates.|
|Install Endpoint Protection||Recommends that you provision antimalware programs to VMs (Windows VMs only).|
|Enable VM Agent||Enables you to see which VMs require the VM Agent. The VM Agent must be installed on VMs in order to provision patch scanning, baseline scanning, and antimalware programs. The VM Agent is installed by default for VMs that are deployed from the Azure Marketplace. The article VM Agent and Extensions – Part 2 provides information on how to install the VM Agent.|
|Apply disk encryption||Recommends that you encrypt your VM disks using Azure Disk Encryption (Windows and Linux VMs). Encryption is recommended for both the OS and data volumes on your VM.|
|Update OS version||Recommends that you update the operating system (OS) version for your Cloud Service to the most recent version available for your OS family. To learn more about Cloud Services, see the Cloud Services overview.|
|Vulnerability assessment not installed||Recommends that you install a vulnerability assessment solution on your VM.|
|Remediate vulnerabilities||Enables you to see system and application vulnerabilities detected by the vulnerability assessment solution installed on your VM.|
|App Service should only be accessible over HTTPS||Recommends that you limit access of App Service over HTTPS only.|
|Web Sockets should be disabled for Web Application||Recommends that you carefully review the use of Web Sockets within web applications. The Web Sockets protocol is vulnerable to different types of security threats.|
|Use custom domains for your Web Application||Recommends that you use custom domains to protect a web application from common attacks such as phishing and other DNS-related attacks.|
|Configure IP restrictions for Web Application||Recommends that you define a list of IP addresses that are allowed to access your application. Use of IP restrictions protects a web application from common attacks.|
|Do not allow all ('*') resources to access your application||Recommends that you do not set WEBSITE_LOAD_CERTIFICATES parameter to ‘’. Setting the parameter to ‘’ means that all certificates will be loaded to your web applications personal certificate store. This can lead to abuse of the principle of least privilege as it is unlikely that the site needs access to all certificates at runtime.|
|CORS should not allow every resource to access your application||Recommends that you allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application.|
|Use the latest supported .NET Framework for Web Application||Recommends that you use the latest .NET Framework version for the latest security classes. Using older classes and types can make your application vulnerable.|
|Use the latest supported Java version for Web Application||Recommends that you use the latest Java version for the latest security classes. Using older classes and types can make your application vulnerable.|
|Use the latest supported PHP version for Web Application||Recommends that you use the latest PHP version for the latest security classes. Using older classes and types can make your application vulnerable.|
|Add a web application firewall||Recommends that you deploy a web application firewall (WAF) for web endpoints. A WAF recommendation is shown for any public facing IP (either Instance Level IP or Load Balanced IP) that has an associated network security group with open inbound web ports (80,443).
Security Center recommends that you provision a WAF to help defend against attacks targeting your web applications on virtual machines and on App Service Environment. An App Service Environment (ASE) is a Premium service plan option of Azure App Service that provides a fully isolated and dedicated environment for securely running Azure App Service apps. To learn more about ASE, see the App Service Environment Documentation.
You can protect multiple web applications in Security Center by adding these applications to your existing WAF deployments.
|Finalize application protection||To complete the configuration of a WAF, traffic must be rerouted to the WAF appliance. Following this recommendation completes the necessary setup changes.|
|Use the latest supported Node.js version for Web Application||Recommends that you use the latest Node.js version for the latest security classes. Using older classes and types can make your application vulnerable.|
|CORS should not allow every resource to access your Function App||Recommends that you allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your function application.|
|Use custom domains for Function App||Recommends that you use custom domains to protect a function app from common attacks such as phishing and other DNS-related attacks.|
|Configure IP restrictions for Function App||Recommends that you define a list of IP addresses that are allowed to access your application. Use of IP restrictions protects a function app from common attacks.|
|Function App should only be accessible over HTTPS||Recommends that you limit access of Function apps over HTTPS only.|
|Remote debugging should be turned off for Function App||Recommends that you turn off debugging for Function App if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Function App.|
|Web Sockets should be disabled for Function App||Recommends that you carefully review the use of Web Sockets within Function Apps. The Web Sockets protocol is vulnerable to different types of security threats.|
To learn more about recommendations that apply to other Azure resource types, see the following:
- Monitor identity and access in Azure Security Center
- Protecting your network in Azure Security Center
- Protecting your Azure SQL service in Azure Security Center
To learn more about Security Center, see the following:
- Setting security policies in Azure Security Center -- Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing and responding to security alerts in Azure Security Center -- Learn how to manage and respond to security alerts.
- Azure Security Center FAQ -- Find frequently asked questions about using the service.