Security controls for Windows Virtual Machines

This article documents the security controls built into Windows Virtual Machines.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Network

Security control Yes/No Notes
Service endpoint support Yes
VNet injection support Yes
Network Isolation and Firewalling support Yes
Forced tunneling support Yes See Configure forced tunneling using the Azure Resource Manager deployment model.

Monitoring & logging

Security control Yes/No Notes
Azure monitoring support (Log analytics, App insights, etc.) Yes Monitor and update a Windows virtual machine in Azure.
Control and management plane logging and audit Yes
Data plane logging and audit No

Identity

Security control Yes/No Notes
Authentication Yes
Authorization Yes

Data protection

Security control Yes/No Notes
Server-side encryption at rest: Microsoft-managed keys Yes See Encrypt virtual disks on a Windows VM.
Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption ) Yes Azure Virtual Machines supports ExpressRoute and VNet encryption. See In-transit encryption in VMs.
Server-side encryption at rest: customer-managed keys (BYOK) Yes Customer-managed keys is a supported Azure encryption scenario; see Azure encryption overview.
Column level encryption (Azure Data Services) N/A
API calls encrypted Yes Via HTTPS and TLS.

Configuration management

Security control Yes/No Notes
Configuration management support (versioning of configuration, etc.) Yes

Next steps