Azure security baseline for Azure DevTest Labs

This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Azure DevTest Labs. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure DevTest Labs.

Note

Controls not applicable to Azure DevTest Labs, or for which the responsibility is Microsoft's, have been excluded. To see how Azure DevTest Labs completely maps to the Azure Security Benchmark, see the full Azure DevTest Labs security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

1.1: Protect Azure resources within virtual networks

Guidance: When you deploy Azure DevTest Labs resources, you must create a new virtual network or use an existing one. Ensure that the chosen virtual network has a network security group applied to its subnets and network access controls configured for your application's trusted ports and sources. When lab resources are configured with a virtual network, they are not publicly addressable and can only be accessed from within the virtual network. You can also choose to create a network-isolated lab, in which the lab resources such as the storage account and key vaults, alongside the lab environments, are completely isolated and only accessible through specified endpoints.

Depending on your organizational needs, use the Azure Firewall service to centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

Responsibility: Customer

Azure Security Center monitoring: None

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs

Guidance: Deploy a network security group on the network that your Azure DevTest Lab resources are deployed to. Enable network security group flow logs on your network security groups for traffic auditing.

You may also send NSG flow logs to a Log Analytics Workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Responsibility: Customer

Azure Security Center monitoring: None

1.3: Protect critical web applications

Guidance: Deploy Azure Web Application Firewall (WAF) in front of critical web applications deployed using Azure Resource Manager (ARM) templates for additional inspection of incoming traffic. Enable diagnostic settings for WAF and ingest the logs into a storage account, event hub, or Log Analytics workspace.

Responsibility: Customer

Azure Security Center monitoring: None

1.4: Deny communications with known malicious IP addresses

Guidance: Deploying an Azure Virtual Network (VNet) for a lab enhances security and isolation for your lab. Subnets, access control policies, and other features also aid in restricting access. When deployed in a VNet, Azure DevTest Labs resources are not publicly addressable and can only be accessed from virtual machines and applications within the VNet.

Enable DDoS Standard protection on your Azure Virtual Networks to guard against DDoS attacks. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious IP addresses.

Deploy Azure Firewall at each of the organization's network boundaries with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic. Use Azure Security Center Just In Time Network access to configure NSGs to limit exposure of endpoints to approved IP addresses for a limited period. Use Azure Security Center Adaptive Network Hardening to recommend NSG configurations that limit ports and source IPs based on actual traffic and threat intelligence.

Responsibility: Customer

Azure Security Center monitoring: None

1.5: Record network packets

Guidance: Enable Network Watcher packet capture on your lab virtual network to investigate anomalous activities.

Responsibility: Customer

Azure Security Center monitoring: None

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Use an Azure Firewall deployed on your virtual network with Threat Intelligence enabled. Azure Firewall Threat intelligence-based filtering can alert and deny traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. If your organization requires additional functionality on top of what Azure Firewall can provide, select an appropriate offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities.

Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or deny malicious traffic.

Responsibility: Customer

Azure Security Center monitoring: None

1.7: Manage traffic to web applications

Guidance: When working with DevTest Labs Azure Resource Manager (ARM) based environments that include web applications, deploy an Azure Application Gateway with HTTPS/TLS enabled, using trusted certificates.

Responsibility: Customer

Azure Security Center monitoring: None

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use Virtual Network Service Tags to define network access controls on Network Security Groups or Azure Firewall configured for your DevTest Lab resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (e.g., ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

You may also use Application Security Groups to help simplify complex security configuration. Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

Responsibility: Customer

Azure Security Center monitoring: None

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources with Azure Policy.

You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, RBAC controls, and policies, in a single blueprint definition. You can apply the blueprint to new subscriptions, and fine-tune control and management through versioning.

Responsibility: Customer

Azure Security Center monitoring: None

1.10: Document traffic configuration rules

Guidance: Use tags for network resources associated with your Azure DevTest Labs deployment in order to logically organize them into a taxonomy. For individual NSG rules, use the "Description" field to record the business need, the intended duration, and similar details for any rule that allows traffic to or from a network.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value" to ensure that all resources are created with Tags and to notify you of existing untagged resources.

You may use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.

Responsibility: Customer

Azure Security Center monitoring: None
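The following is an added example, not part of the baseline, showing how the documentation requirements of control 1.10 can be checked against an exported rule set and resource list. The two JSON inputs are constructed stand-ins for the output of `az network nsg rule list` and `az resource list`; the required tag names are an assumption.

```python
"""Added example (not from the baseline): flag NSG allow rules without the
"Description" control 1.10 asks for, and resources missing required tags.
Both JSON inputs below are constructed sample exports."""
import json

# Assumed organizational tag taxonomy (not from the baseline).
REQUIRED_TAGS = ("Environment", "Owner")

# Constructed sample export of one NSG's security rules.
NSG_RULES_JSON = """[
  {"name": "allow-rdp-from-corp", "access": "Allow", "direction": "Inbound",
   "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "3389",
   "description": "Lab RDP from corporate VPN; owner lab-team; review 2024-06"},
  {"name": "allow-http", "access": "Allow", "direction": "Inbound",
   "sourceAddressPrefix": "*", "destinationPortRange": "80",
   "description": "   "},
  {"name": "deny-all-inbound", "access": "Deny", "direction": "Inbound",
   "sourceAddressPrefix": "*", "destinationPortRange": "*",
   "description": null}
]"""

# Constructed sample list of network resources and their tags.
RESOURCES_JSON = """[
  {"name": "lab-vnet", "type": "Microsoft.Network/virtualNetworks",
   "tags": {"Environment": "DevTest", "Owner": "lab-team"}},
  {"name": "lab-vnet-nsg", "type": "Microsoft.Network/networkSecurityGroups",
   "tags": {"Environment": "DevTest"}},
  {"name": "lab-pip", "type": "Microsoft.Network/publicIPAddresses",
   "tags": null}
]"""


def undocumented_allow_rules(rules_json):
    """Return names of Allow rules whose description is missing or blank.
    Deny rules are not flagged: the control asks for a justification of
    rules that permit traffic."""
    flagged = []
    for rule in json.loads(rules_json):
        if rule.get("access") != "Allow":
            continue
        description = rule.get("description") or ""
        if not description.strip():
            flagged.append(rule["name"])
    return flagged


def missing_tags(resources_json, required=REQUIRED_TAGS):
    """Map resource name -> sorted list of required tag keys it lacks.
    Fully tagged resources are omitted; a null "tags" value (no tags at
    all) is treated as an empty map."""
    result = {}
    for res in json.loads(resources_json):
        tags = res.get("tags") or {}
        absent = sorted(key for key in required if key not in tags)
        if absent:
            result[res["name"]] = absent
    return result


def audit_report(rules_json, resources_json, required=REQUIRED_TAGS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name in undocumented_allow_rules(rules_json):
        findings.append(f"NSG rule '{name}' allows traffic but has no Description")
    for name, keys in missing_tags(resources_json, required).items():
        findings.append(f"Resource '{name}' is missing tag(s): {', '.join(keys)}")
    return findings


if __name__ == "__main__":
    for line in audit_report(NSG_RULES_JSON, RESOURCES_JSON):
        print(line)
```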

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use Azure Activity Log to monitor resource configurations and detect changes to your Azure resources. Create alerts within Azure Monitor that will trigger when changes to critical resources take place.

Responsibility: Customer

Azure Security Center monitoring: None

Logging and Monitoring

For more information, see the Azure Security Benchmark: Logging and Monitoring.

2.1: Use approved time synchronization sources

Guidance: Microsoft maintains time sources for Azure resources. However, you can manage time synchronization settings for your compute resources.

Responsibility: Shared

Azure Security Center monitoring: None

2.2: Configure central security log management

Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Activity logs provide insight into the operations that were performed on your Azure DevTest Labs instances at the management plane level. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the management plane level on your DevTest Labs instances.

Responsibility: Customer

Azure Security Center monitoring: None

2.3: Enable audit logging for Azure resources

Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace, Azure event hub, or Azure storage account for archive. Activity logs provide insight into the operations that were performed on your Azure DevTest Labs instances at the management plane level. Using Azure Activity Log data, you can determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the management plane level on your DevTest Labs instances.

Responsibility: Customer

Azure Security Center monitoring: None
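As an added example for controls 2.2 and 2.3 (not part of the baseline), the block below extracts the "what, who, and when" of management-plane write operations from exported Activity Log records. The records are constructed; their field names follow the Activity Log event schema (operationName.value, caller, eventTimestamp, httpRequest.method, status.value, resourceId), and the subscription id and caller names are placeholders.

```python
"""Added example (not from the baseline): report who did what, and when, on a
DevTest Labs instance from exported Activity Log records. Sample records are
constructed; subscription id and caller names are placeholders."""
import json
from collections import Counter

# HTTP methods the baseline names as write operations; PATCH is added here
# because Azure Resource Manager also uses it for updates.
WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}

# Activity Log emits one record when an operation starts and another when it
# completes; only completion records are reported, to avoid double counting.
FINAL_STATUSES = {"Succeeded", "Failed"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LAB = SUB + "/resourceGroups/rg-lab/providers/Microsoft.DevTestLab/labs/lab1"

# Constructed sample records for one lab VM.
ACTIVITY_LOG_JSON = json.dumps([
    {"eventTimestamp": "2024-05-01T09:15:02Z", "caller": "lab-admin@contoso.example",
     "operationName": {"value": "Microsoft.DevTestLab/labs/virtualmachines/write"},
     "httpRequest": {"method": "PUT"}, "status": {"value": "Started"},
     "resourceId": LAB + "/virtualmachines/vm-build-01"},
    {"eventTimestamp": "2024-05-01T09:15:41Z", "caller": "lab-admin@contoso.example",
     "operationName": {"value": "Microsoft.DevTestLab/labs/virtualmachines/write"},
     "httpRequest": {"method": "PUT"}, "status": {"value": "Succeeded"},
     "resourceId": LAB + "/virtualmachines/vm-build-01"},
    {"eventTimestamp": "2024-05-01T10:02:10Z", "caller": "dev-user@contoso.example",
     "operationName": {"value": "Microsoft.DevTestLab/labs/virtualmachines/start/action"},
     "httpRequest": {"method": "POST"}, "status": {"value": "Succeeded"},
     "resourceId": LAB + "/virtualmachines/vm-build-01"},
    {"eventTimestamp": "2024-05-01T17:30:55Z", "caller": "dev-user@contoso.example",
     "operationName": {"value": "Microsoft.DevTestLab/labs/virtualmachines/delete"},
     "httpRequest": {"method": "DELETE"}, "status": {"value": "Failed"},
     "resourceId": LAB + "/virtualmachines/vm-build-01"},
])


def write_operations(records_json):
    """Return completed write operations as when/who/what/resource/outcome
    rows, oldest first. Records without an HTTP method (for example Policy
    or Resource Health events) are skipped."""
    rows = []
    for rec in json.loads(records_json):
        method = (rec.get("httpRequest") or {}).get("method")
        status = (rec.get("status") or {}).get("value")
        if method not in WRITE_METHODS or status not in FINAL_STATUSES:
            continue
        rows.append({
            "when": rec["eventTimestamp"],
            "who": rec.get("caller", "<unknown>"),
            "what": rec["operationName"]["value"],
            "method": method,
            "resource": rec["resourceId"],
            "outcome": status,
        })
    # ISO-8601 UTC timestamps in one format sort correctly as strings.
    rows.sort(key=lambda r: r["when"])
    return rows


def writes_by_caller(records_json):
    """Count completed write operations per caller: a quick "who" summary."""
    return dict(Counter(r["who"] for r in write_operations(records_json)))


def deletions(records_json):
    """Completed delete attempts, failed ones included, since a failed delete
    against a lab VM is still worth a review."""
    return [r for r in write_operations(records_json) if r["method"] == "DELETE"]


if __name__ == "__main__":
    for row in write_operations(ACTIVITY_LOG_JSON):
        print(f"{row['when']}  {row['who']:<28} {row['method']:<6} "
              f"{row['what']}  [{row['outcome']}]")
    print("writes per caller:", writes_by_caller(ACTIVITY_LOG_JSON))
```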

2.4: Collect security logs from operating systems

Guidance: Azure DevTest Labs virtual machines (VMs) are created and owned by the customer, so it is the organization's responsibility to monitor them. You can use Azure Security Center to monitor the compute OS. Data collected by Security Center from the operating system includes OS type and version, OS logs (Windows Event Logs), running processes, machine name, IP addresses, and logged-in user. The Log Analytics Agent also collects crash dump files.

Responsibility: Customer

Azure Security Center monitoring: None

2.5: Configure security log storage retention

Guidance: In Azure Monitor, set log retention period for Log Analytics workspaces associated with your Azure DevTest Labs instances according to your organization's compliance regulations.

Responsibility: Customer

Azure Security Center monitoring: None

2.6: Monitor and review Logs

Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace. Run queries in Log Analytics to search terms, identify trends, analyze patterns, and provide many other insights based on the activity log data that may have been collected for Azure DevTest Labs.

Responsibility: Customer

Azure Security Center monitoring: None

2.7: Enable alerts for anomalous activities

Guidance: Use Azure Log Analytics workspace for monitoring and alerting on anomalous activities in security logs and events related to your Azure DevTest Labs.

Responsibility: Customer

Azure Security Center monitoring: None

Identity and Access Control

For more information, see the Azure Security Benchmark: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure Active Directory (Azure AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to run ad-hoc queries to discover accounts that are members of administrative groups.

Responsibility: Customer

Azure Security Center monitoring: None

3.2: Change default passwords where applicable

Guidance: Azure Active Directory (Azure AD) doesn't have the concept of default passwords. Other Azure resources requiring a password force a password to be created with complexity requirements and a minimum password length, which differ depending on the service. You're responsible for third-party applications and Marketplace services that may use default passwords.

DevTest Labs doesn't have the concept of default passwords.

Responsibility: Customer

Azure Security Center monitoring: None

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Azure Security Center or built-in Azure Policy definitions, such as:

  • There should be more than one owner assigned to your subscription

  • Deprecated accounts with owner permissions should be removed from your subscription

  • External accounts with owner permissions should be removed from your subscription

Responsibility: Customer

Azure Security Center monitoring: None

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: DevTest Labs uses the Azure Active Directory (Azure AD) service for identity management. Consider these two key aspects when you give users access to an environment based on DevTest Labs:

  • Resource management: Provides access to the Azure portal to manage resources (create VMs, create environments, start, stop, restart, delete, apply artifacts, and so on). Resource management is done in Azure by using Azure role-based access control (Azure RBAC). You assign roles to users and set resource and access-level permissions.
  • Virtual machines (network-level): In the default configuration, VMs use a local admin account. If a domain is available (Azure Active Directory Domain Services (Azure AD DS), an on-premises domain, or a cloud-based domain), machines can be joined to the domain with the domain join artifact. Users can then connect to the machines with their domain-based identities.

Responsibility: Customer

Azure Security Center monitoring: None

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory (Azure AD) multifactor authentication and follow Azure Security Center Identity and Access Management recommendations.

Responsibility: Customer

Azure Security Center monitoring: None

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use privileged access workstations (PAWs) with multifactor authentication configured to log into and configure Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) security reports for generation of logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.

Responsibility: Customer

Azure Security Center monitoring: None

3.8: Manage Azure resources only from approved locations

Guidance: Use conditional access named locations to allow access from only specific logical groupings of IP address ranges or countries/regions.

Responsibility: Customer

Azure Security Center monitoring: None

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

Responsibility: Customer

Azure Security Center monitoring: None

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. Also, use Azure identity access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. Review user access on a regular basis to make sure only the right users have continued access.

Responsibility: Customer

Azure Security Center monitoring: None

3.11: Monitor attempts to access deactivated credentials

Guidance: You have access to Azure Active Directory (Azure AD) sign-in activity, audit, and risk event log sources, which allow you to integrate with any Security Information and Event Management (SIEM) or monitoring tool.

You can streamline this process by creating Diagnostic Settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure alerts within Log Analytics Workspace.

Responsibility: Customer

Azure Security Center monitoring: None

3.12: Alert on account login behavior deviation

Guidance: Use Azure Active Directory (Azure AD) Risk and Identity Protection features to configure automated responses to detected suspicious actions related to user identities.

Responsibility: Customer

Azure Security Center monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

4.1: Maintain an inventory of sensitive Information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

Responsibility: Customer

Azure Security Center monitoring: None

4.6: Use Azure RBAC to manage access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to control access to labs in Azure DevTest Labs.

Responsibility: Customer

Azure Security Center monitoring: None

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts for when changes take place to DevTest Labs instances and other critical or related resources.

Responsibility: Customer

Azure Security Center monitoring: None

Inventory and Asset Management

For more information, see the Azure Security Benchmark: Inventory and Asset Management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query and discover all resources (including DevTest Labs resources) within your subscriptions. Ensure you have appropriate (read) permissions in your tenant and can enumerate all Azure subscriptions and resources within your subscriptions.

Responsibility: Customer

Azure Security Center monitoring: None

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources giving metadata to logically organize them according to a taxonomy.

Responsibility: Customer

Azure Security Center monitoring: None

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, separate subscriptions, and separate labs where appropriate to organize and track labs and lab-related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription quickly.

Responsibility: Customer

Azure Security Center monitoring: None

6.4: Define and maintain an inventory of approved Azure resources

Guidance: Create an inventory of approved Azure resources and approved software for compute resources as per organizational needs. As a subscription admin, you can also use adaptive application controls, a feature of Azure Security Center to help you define a set of applications that are allowed to run on configured groups of lab machines. This feature is available for both Azure and non-Azure Windows (all versions, classic, or Azure Resource Manager) and Linux machines.

Responsibility: Customer

Azure Security Center monitoring: None

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

Also, use Azure Resource Graph to query and discover resources within the subscriptions. This can help in high-security environments, such as those with storage accounts.

Responsibility: Customer

Azure Security Center monitoring: None

6.6: Monitor for unapproved software applications within compute resources

Guidance: Azure Automation provides complete control during deployment, operations, and decommissioning of workloads and resources. As a subscription admin, you can use Azure Virtual Machine inventory to automate the collection of information about all software on DevTest Labs VMs in your subscription. The software name, version, publisher, and refresh time properties are available from the Azure portal. To get access to the install date and other information, you need to enable guest-level diagnostics and bring the Windows Event logs into a Log Analytics workspace.

In addition to using Change Tracking for monitoring of software applications, adaptive application controls in Azure Security Center use machine learning to analyze the applications running on your machines and create an allow list from this intelligence. This capability greatly simplifies the process of configuring and maintaining application allow list policies, helping you prevent unwanted software from running in your environment. You can configure audit mode or enforce mode. Audit mode only audits the activity on the protected VMs. Enforce mode enforces the rules and makes sure that applications that aren't allowed to run are blocked.

Responsibility: Customer

Azure Security Center monitoring: None

6.7: Remove unapproved Azure resources and software applications

Guidance: Azure Automation provides complete control during deployment, operations, and decommissioning of workloads and resources. As a subscription admin, you may use Change Tracking to identify all software installed on VMs hosted in DevTest Labs. You can implement your own process or use Azure Automation State Configuration for removing unauthorized software.

Responsibility: Customer

Azure Security Center monitoring: None

6.8: Use only approved applications

Guidance: As a subscription admin, you can use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes, and all unauthorized software is blocked from executing on Azure VMs hosted in DevTest Labs.

Responsibility: Customer

Azure Security Center monitoring: None

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Responsibility: Customer

Azure Security Center monitoring: None

6.10: Maintain an inventory of approved software titles

Guidance: Adaptive application control is an intelligent, automated, end-to-end solution from Azure Security Center that helps you control which applications can run on your Azure and non-Azure machines (Windows and Linux) hosted in DevTest Labs. Note that you need to be a subscription admin to configure this setting for the underlying compute resources hosted in DevTest Labs. Implement a third-party solution if this setting doesn't meet your organization's requirements.

Responsibility: Customer

Azure Security Center monitoring: None

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring Block access for the Microsoft Azure Management App.

Responsibility: Customer

Azure Security Center monitoring: None

6.12: Limit users' ability to execute scripts in compute resources

Guidance: Depending on the type of scripts, you may use operating system-specific configurations or third-party resources to limit users' ability to execute scripts within the VMs hosted in DevTest Labs. You can also use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes, and all unauthorized software is blocked from executing on the underlying Azure VMs.

Responsibility: Customer

Azure Security Center monitoring: None

6.13: Physically or logically segregate high risk applications

Guidance: High-risk applications deployed in your Azure environment may be isolated using virtual networks, subnets, subscriptions, management groups, and so on, and sufficiently secured with an Azure Firewall, Web Application Firewall (WAF), or network security group (NSG).

Responsibility: Customer

Azure Security Center monitoring: None

Secure Configuration

For more information, see the Azure Security Benchmark: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases to create custom policies to audit or enforce the configuration of your Azure resources created as part of DevTest Labs. You may also use built-in Azure Policy definitions.

Also, Azure Resource Manager has the ability to export the template in JavaScript Object Notation (JSON), which should be reviewed to ensure that the configurations meet or exceed the security requirements for your organization.

You may also use recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

7.2: Establish secure operating system configurations

Guidance: Use Azure Security Center recommendations to maintain security configurations on all underlying compute resources created as part of DevTest Labs. Additionally, you may use custom operating system images or Azure Automation State configuration or DevTest Labs artifacts to establish the security configuration of the operating system required by your organization.

Responsibility: Shared

Azure Security Center monitoring: None

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Policy deny and deployIfNotExists effects to enforce secure settings across your Azure resources created as a part of DevTest Labs. Also, you may use Azure Resource Manager templates to maintain the security configuration of your Azure resources required by your organization.

Responsibility: Customer

Azure Security Center monitoring: None

7.4: Maintain secure operating system configurations

Guidance: Follow recommendations from Azure Security Center on performing vulnerability assessments on your underlying Azure compute resources created as part of a lab. Also, you may use Azure Resource Manager templates, custom operating system images, or Azure Automation State configuration to maintain the security configuration of the operating system required by your organization. You can also use the image factory solution, which is a configuration-as-code solution that builds and distributes images automatically on a regular basis with all the desired configurations.

Also, Azure Marketplace Virtual Machine Images published by Microsoft are managed and maintained by Microsoft.

Responsibility: Shared

Azure Security Center monitoring: None

7.5: Securely store configuration of Azure resources

Guidance: Use Azure DevOps to securely store and manage your code like custom Azure policies, Azure Resource Manager templates and Desired State Configuration scripts. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps.

Responsibility: Customer

Azure Security Center monitoring: None

7.6: Securely store custom operating system images

Guidance: If using custom images, use Azure role-based access control (Azure RBAC) to ensure only authorized users may access the images. Using a Shared Image Gallery, you can share your images with the specific labs that need them. For container images, store them in Azure Container Registry and use Azure RBAC to ensure only authorized users may access the images.

Responsibility: Customer

Azure Security Center monitoring: None

7.7: Deploy configuration management tools for Azure resources

Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies to audit or enforce the network configuration of your Azure resources created under DevTest Labs. You may also make use of built-in policy definitions related to your specific resources. Additionally, you may use Azure Automation to deploy configuration changes.

Responsibility: Customer

Azure Security Center monitoring: None

7.8: Deploy configuration management tools for operating systems

Guidance: Azure Automation State Configuration is a configuration management service for Desired State Configuration (DSC) nodes in any cloud or on-premises datacenter. You can easily onboard machines, assign them declarative configurations, and view reports showing each machine's compliance with the desired state you specified. You can also write a custom artifact that can be installed on every lab machine to ensure they follow organizational policies.

Responsibility: Customer

Azure Security Center monitoring: None

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Azure Security Center to perform baseline scans for your Azure Resources created under DevTest Labs. Additionally, use Azure Policy to alert and audit Azure resource configurations.

Responsibility: Customer

Azure Security Center monitoring: None

7.10: Implement automated configuration monitoring for operating systems

Guidance: Use Azure Security Center to perform baseline scans for the OS and for the Docker settings of containers that run in your lab.

Responsibility: Customer

Azure Security Center monitoring: None

7.11: Manage Azure secrets securely

Guidance: Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.

Responsibility: Customer

Azure Security Center monitoring: None

7.12: Manage identities securely and automatically

Guidance: Use managed identities to provide Azure services with an automatically managed identity in Azure Active Directory (Azure AD). Managed identities allow you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

Responsibility: Customer

Azure Security Center monitoring: None

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

Malware Defense

For more information, see the Azure Security Benchmark: Malware Defense.

8.1: Use centrally managed antimalware software

Guidance: Use Microsoft Antimalware for Azure to continuously monitor and defend your resources. For Linux, use a third-party antimalware solution. Also, use Azure Security Center's threat detection for data services to detect malware uploaded to storage accounts.

Responsibility: Customer

Azure Security Center monitoring: None

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure App Service hosted in a lab); however, it does not run on your content.

Pre-scan files uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, and so on.

Use Azure Security Center's threat detection for data services to detect malware uploaded to storage accounts.

Responsibility: Customer

Azure Security Center monitoring: None

8.3: Ensure antimalware software and signatures are updated

Guidance: When deployed, Microsoft Antimalware for Azure will automatically install the latest signature, platform, and engine updates by default. Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints for DevTest Labs underlying compute resources are up to date with the latest signatures. The Windows OS can be further protected with additional security to limit the risk of virus or malware-based attacks with the Microsoft Defender Advanced Threat Protection service that integrates with Azure Security Center.

Responsibility: Customer

Azure Security Center monitoring: None

Data Recovery

For more information, see the Azure Security Benchmark: Data Recovery.

9.1: Ensure regular automated backups

Guidance: Currently, Azure DevTest Labs doesn't support VM backups and snapshots. However, you can enable and configure Azure Backup on the underlying Azure VMs hosted in DevTest Labs, and you can configure the desired frequency and retention period for automatic backups, as long as you have appropriate access to the underlying compute resources.

Responsibility: Customer

Azure Security Center monitoring: None

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Currently, Azure DevTest Labs doesn't support VM backups and snapshots. However, you can create snapshots of the underlying Azure VMs hosted in DevTest Labs, or of the managed disks attached to those instances, using PowerShell or REST APIs, as long as you have appropriate access to the underlying compute resources. You can also back up any customer-managed keys within Azure Key Vault.

Enable Azure Backup on the target Azure VMs and configure the desired frequency and retention periods. Azure Backup includes a complete system state backup. If you're using Azure disk encryption, Azure VM backup automatically handles the backup of customer-managed keys.
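As an added example (not from this baseline), the following Az PowerShell script applies both 9.1 and 9.2 to the compute VM behind a lab VM: it takes a point-in-time snapshot of every managed disk attached to the VM, then enrolls the VM in Azure Backup with a daily schedule and 30-day retention. The resource group, VM and Recovery Services vault names are assumed placeholders, and the script assumes you already have access to the underlying compute resource group.

```powershell
# Added example: snapshot the managed disks of a lab-backed compute VM and enable Azure Backup.
# Assumed names (placeholders): compute RG 'rg-lab-compute', VM 'devbox01',
# Recovery Services vault 'rsv-lab' in RG 'rg-lab'.
$computeRg = 'rg-lab-compute'
$vmName    = 'devbox01'
$vaultRg   = 'rg-lab'
$vaultName = 'rsv-lab'

# --- 9.2: point-in-time snapshots of the OS disk and every data disk ---
$vm = Get-AzVM -ResourceGroupName $computeRg -Name $vmName
$diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
           @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

foreach ($diskId in $diskIds) {
    $diskName = ($diskId -split '/')[-1]
    # CreateOption Copy produces a full, independent snapshot of the managed disk.
    $snapCfg = New-AzSnapshotConfig -SourceUri $diskId -Location $vm.Location -CreateOption Copy
    New-AzSnapshot -ResourceGroupName $computeRg `
        -SnapshotName "$diskName-$stamp" -Snapshot $snapCfg | Out-Null
    Write-Host "Snapshot created: $diskName-$stamp"
}

# --- 9.1: scheduled Azure Backup with an explicit retention period ---
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $vaultRg -Name $vaultName
Set-AzRecoveryServicesVaultContext -Vault $vault

# Start from the default AzureVM schedule (daily) and retention objects, then set 30-day daily retention.
$schedule  = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$retention.DailySchedule.DurationCountInDays = 30

$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name 'LabVmDaily30d' `
    -WorkloadType AzureVM -SchedulePolicy $schedule -RetentionPolicy $retention `
    -VaultId $vault.ID

# Protect the compute VM with that policy; system state is included in Azure VM backup.
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName `
    -ResourceGroupName $computeRg -VaultId $vault.ID

# Confirm the VM is now a protected item in the vault.
Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM `
    -VaultId $vault.ID | Where-Object { $_.Name -like "*$vmName*" } |
    Select-Object Name, ProtectionStatus, LastBackupStatus
```

Snapshots are billed as managed disk storage, so pair them with a cleanup schedule, and periodically restore from both a snapshot and a vault recovery point to satisfy 9.3.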

Responsibility: Customer

Azure Security Center monitoring: None

9.3: Validate all backups including customer-managed keys

Guidance: Ensure that you are able to periodically perform data restoration of content within Azure Backup. If necessary, test restoration of content to an isolated virtual network or subscription. Also, test restoration of backed-up customer-managed keys.

If you're using Azure disk encryption, you can restore the Azure VM with the disk encryption keys.

Responsibility: Customer

Azure Security Center monitoring: None

9.4: Ensure protection of backups and customer-managed keys

Guidance: When you back up managed disks with Azure Backup, VMs are encrypted at rest with Storage Service Encryption (SSE). Azure Backup can also back up Azure VMs that are encrypted by using Azure Disk Encryption. Azure Disk Encryption integrates with BitLocker encryption keys (BEKs), which are safeguarded in a key vault as secrets. Azure Disk Encryption also integrates with Azure Key Vault key encryption keys (KEKs). Enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion.

Responsibility: Customer

Azure Security Center monitoring: None

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

10.1: Create an incident response guide

Guidance: Develop an incident response guide for your organization. Ensure there are written incident response plans that define all the roles of personnel as well as the phases of incident handling and management from detection to post-incident review.

Responsibility: Customer

Azure Security Center monitoring: None

10.2: Create an incident scoring and prioritization procedure

Guidance: Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It's your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Responsibility: Customer

Azure Security Center monitoring: None

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and then revise your response plan as needed.

Responsibility: Customer

Azure Security Center monitoring: None

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Responsibility: Customer

Azure Security Center monitoring: None

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the continuous export feature to help identify risks to Azure resources. Continuous export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You can use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Responsibility: Customer

Azure Security Center monitoring: None

10.6: Automate the response to security alerts

Guidance: Use the workflow automation feature in Azure Security Center to automatically trigger responses to security alerts and recommendations to protect your Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

Penetration Tests and Red Team Exercises

For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Azure Security Center monitoring: None

Next steps