Compute security recommendations
This article lists all the compute security recommendations you might see in Microsoft Defender for Cloud.
The recommendations that appear in your environment are based on the resources that you're protecting and on your customized configuration.
To learn about actions that you can take in response to these recommendations, see Remediate recommendations in Defender for Cloud.
Tip
If a recommendation description says No related policy, usually it's because that recommendation is dependent on a different recommendation.
For example, the recommendation Endpoint protection health failures should be remediated relies on the recommendation that checks whether an endpoint protection solution is installed (Endpoint protection solution should be installed). The underlying recommendation does have a policy. Limiting policies to only foundational recommendations simplifies policy management.
Azure compute recommendations
Adaptive application controls for defining safe applications should be enabled on your machines
Description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Defender for Cloud uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. (Related policy: Adaptive application controls for defining safe applications should be enabled on your machines).
Severity: High
Allowlist rules in your adaptive application control policy should be updated
Description: Monitor for changes in behavior on groups of machines configured for auditing by Defender for Cloud's adaptive application controls. Defender for Cloud uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. (Related policy: Allowlist rules in your adaptive application control policy should be updated).
Severity: High
Authentication to Linux machines should require SSH keys
Description: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more in Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure. (Related policy: Audit Linux machines that are not using SSH key for authentication).
Severity: Medium
Automation account variables should be encrypted
Description: It is important to enable encryption of Automation account variable assets when storing sensitive data. (Related policy: Automation account variables should be encrypted).
Severity: High
Azure Backup should be enabled for virtual machines
Description: Protect the data on your Azure virtual machines with Azure Backup. Azure Backup is an Azure-native, cost-effective, data protection solution. It creates recovery points that are stored in geo-redundant recovery vaults. When you restore from a recovery point, you can restore the whole VM or specific files. (Related policy: Azure Backup should be enabled for Virtual Machines).
Severity: Low
Container hosts should be configured securely
Description: Remediate vulnerabilities in security configuration settings on machines with Docker installed to protect them from attacks. (Related policy: Vulnerabilities in container security configurations should be remediated).
Severity: High
Diagnostic logs in Azure Stream Analytics should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Azure Stream Analytics should be enabled).
Severity: Low
Diagnostic logs in Batch accounts should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Batch accounts should be enabled).
Severity: Low
Diagnostic logs in Event Hubs should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Event Hubs should be enabled).
Severity: Low
Diagnostic logs in Logic Apps should be enabled
Description: To ensure you can recreate activity trails for investigation purposes when a security incident occurs or your network is compromised, enable logging. If your diagnostic logs aren't being sent to a Log Analytics workspace, Azure Storage account, or Azure Event Hubs, ensure you've configured diagnostic settings to send platform metrics and platform logs to the relevant destinations. Learn more in Create diagnostic settings to send platform logs and metrics to different destinations. (Related policy: Diagnostic logs in Logic Apps should be enabled).
Severity: Low
Diagnostic logs in Service Bus should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Service Bus should be enabled).
Severity: Low
Diagnostic logs in Virtual Machine Scale Sets should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled).
Severity: High
Endpoint protection health issues on virtual machine scale sets should be resolved
Description: On virtual machine scale sets, remediate endpoint protection health failures to protect them from threats and vulnerabilities. (Related policy: Endpoint protection solution should be installed on virtual machine scale sets).
Severity: Low
Endpoint protection should be installed on virtual machine scale sets
Description: Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. (Related policy: Endpoint protection solution should be installed on virtual machine scale sets).
Severity: High
File integrity monitoring should be enabled on machines
Description: Defender for Cloud has identified machines that are missing a file integrity monitoring solution. To monitor changes to critical files, registry keys, and more on your servers, enable file integrity monitoring. When the file integrity monitoring solution is enabled, create data collection rules to define the files to be monitored. To define rules, or see the files changed on machines with existing rules, go to the file integrity monitoring management page. (No related policy)
Severity: High
Guest Attestation extension should be installed on supported Linux virtual machine scale sets
Description: Install Guest Attestation extension on supported Linux virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets.
- Trusted launch requires the creation of new virtual machines.
- You can't enable trusted launch on existing virtual machines that were initially created without it.
Learn more about Trusted launch for Azure virtual machines. (No related policy)
Severity: Low
Guest Attestation extension should be installed on supported Linux virtual machines
Description: Install Guest Attestation extension on supported Linux virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines.
- Trusted launch requires the creation of new virtual machines.
- You can't enable trusted launch on existing virtual machines that were initially created without it.
Learn more about Trusted launch for Azure virtual machines. (No related policy)
Severity: Low
Guest Attestation extension should be installed on supported Windows virtual machine scale sets
Description: Install Guest Attestation extension on supported virtual machine scale sets to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets.
- Trusted launch requires the creation of new virtual machines.
- You can't enable trusted launch on existing virtual machines that were initially created without it.
Learn more about Trusted launch for Azure virtual machines. (No related policy)
Severity: Low
Guest Attestation extension should be installed on supported Windows virtual machines
Description: Install Guest Attestation extension on supported virtual machines to allow Microsoft Defender for Cloud to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines.
- Trusted launch requires the creation of new virtual machines.
- You can't enable trusted launch on existing virtual machines that were initially created without it.
Learn more about Trusted launch for Azure virtual machines. (No related policy)
Severity: Low
Guest Configuration extension should be installed on machines
Description: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as Windows Exploit guard should be enabled. (Related policy: Virtual machines should have the Guest Configuration extension).
Severity: Medium
Install endpoint protection solution on virtual machines
Description: Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities. (Related policy: Monitor missing Endpoint Protection in Azure Security Center).
Severity: High
Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit Overview of managed disk encryption options to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. (Related policy: [Preview]: Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost).
Replaces the older recommendation Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources. The recommendation enables you to audit VM encryption compliance.
Severity: High
Linux virtual machines should enforce kernel module signature validation
Description: To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed. (No related policy)
Severity: Low
Linux virtual machines should use only signed and trusted boot components
Description: With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allowlist or remove the identified components. (No related policy)
Severity: Low
Linux virtual machines should use Secure Boot
Description: To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed. (No related policy)
Severity: Low
Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines
Description: Defender for Cloud uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps. (No related policy)
Severity: High
As use of the AMA and MMA is phased out in Defender for Servers, recommendations that rely on those agents, like this one, will be removed. Instead, Defender for Servers features will use the Microsoft Defender for Endpoint agent, or agentless scanning, with no reliance on the MMA or AMA.
Estimated deprecation: July 2024
Log Analytics agent should be installed on virtual machine scale sets
Description: Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps. (Related policy: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring).
As use of the AMA and MMA is phased out in Defender for Servers, recommendations that rely on those agents, like this one, will be removed. Instead, Defender for Servers features will use the Microsoft Defender for Endpoint agent, or agentless scanning, with no reliance on the MMA or AMA.
Estimated deprecation: July 2024
Severity: High
Log Analytics agent should be installed on virtual machines
Description: Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps. (Related policy: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring).
As use of the AMA and MMA is phased out in Defender for Servers, recommendations that rely on those agents, like this one, will be removed. Instead, Defender for Servers features will use the Microsoft Defender for Endpoint agent, or agentless scanning, with no reliance on the MMA or AMA.
Estimated deprecation: July 2024
Severity: High
Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines
Description: Defender for Cloud uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps. (No related policy)
Severity: High
As use of the AMA and MMA is phased out in Defender for Servers, recommendations that rely on those agents, like this one, will be removed. Instead, Defender for Servers features will use the Microsoft Defender for Endpoint agent, or agentless scanning, with no reliance on the MMA or AMA.
Estimated deprecation: July 2024
Machines should be configured securely
Description: Remediate vulnerabilities in security configuration on your machines to protect them from attacks. (Related policy: Vulnerabilities in security configuration on your machines should be remediated).
This recommendation helps you to improve server security posture. Defender for Cloud enhances the Center for Internet Security (CIS) benchmarks by providing security baselines that are powered by Microsoft Defender Vulnerability Management.
Severity: Low
Machines should be restarted to apply security configuration updates
Description: To apply security configuration updates and protect against vulnerabilities, restart your machines. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed. (No related policy)
Severity: Low
Machines should have a vulnerability assessment solution
Description: Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools. Use this recommendation to deploy a vulnerability assessment solution. (Related policy: A vulnerability assessment solution should be enabled on your virtual machines).
Severity: Medium
Machines should have vulnerability findings resolved
Description: Resolve the findings from the vulnerability assessment solutions on your virtual machines. (Related policy: A vulnerability assessment solution should be enabled on your virtual machines).
Severity: Low
Management ports of virtual machines should be protected with just-in-time network access control
Description: Defender for Cloud has identified some overly permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more in Understanding just-in-time (JIT) VM access. (Related policy: Management ports of virtual machines should be protected with just-in-time network access control).
Severity: High
Microsoft Defender for Servers should be enabled
Description: Microsoft Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities. You can use this information to quickly remediate security issues and improve the security of your servers.
Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred. If you create any servers on this subscription in the future, they will automatically be protected and charges will begin at that time. Learn more in Introduction to Microsoft Defender for servers. (Related policy: Azure Defender for servers should be enabled).
Severity: High
Microsoft Defender for Servers should be enabled on workspaces
Description: Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines. With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits. When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources. Learn more in Introduction to Microsoft Defender for servers. (No related policy)
Severity: Medium
Secure Boot should be enabled on supported Windows virtual machines
Description: Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel, and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines.
- Trusted launch requires the creation of new virtual machines.
- You can't enable trusted launch on existing virtual machines that were initially created without it.
Learn more about Trusted launch for Azure virtual machines. (No related policy)
Severity: Low
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
Description: Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. (Related policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign).
Severity: High
Service Fabric clusters should only use Azure Active Directory for client authentication
Description: Perform Client authentication only via Azure Active Directory in Service Fabric (Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication).
Severity: High
System updates on virtual machine scale sets should be installed
Description: Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets. (Related policy: System updates on virtual machine scale sets should be installed).
As use of the Azure Monitor Agent (AMA) and the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)) is phased out in Defender for Servers, recommendations that rely on those agents, like this one, will be removed. Instead, Defender for Servers features will use the Microsoft Defender for Endpoint agent, or agentless scanning, with no reliance on the MMA or AMA.
Estimated deprecation: July 2024.
Severity: High
System updates should be installed on your machines
Description: Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers (Related policy: System updates should be installed on your machines).
As use of the Azure Monitor Agent (AMA) and the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)) is phased out in Defender for Servers, recommendations that rely on those agents, like this one, will be removed. Instead, Defender for Servers features will use the Microsoft Defender for Endpoint agent, or agentless scanning, with no reliance on the MMA or AMA.
Estimated deprecation: July 2024.
Severity: High
System updates should be installed on your machines (powered by Update Center)
Description: Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. (No related policy)
Severity: High
Virtual machines and virtual machine scale sets should have encryption at host enabled
Description: Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at Use the Azure portal to enable end-to-end encryption using encryption at host. (Related policy: Virtual machines and virtual machine scale sets should have encryption at host enabled).
Severity: Medium
Virtual machines should be migrated to new Azure Resource Manager resources
Description: Virtual machines (classic) are deprecated and these VMs should be migrated to Azure Resource Manager. Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.
To view all affected classic VMs make sure to select all your Azure subscriptions under 'directories + subscriptions' tab.
Available resources and information about this tool & migration: Overview of Virtual machines (classic) deprecation, step by step process for migration & available Microsoft resources. Details about Migrate to Azure Resource Manager migration tool. Migrate to Azure Resource Manager migration tool using PowerShell. (Related policy: Virtual machines should be migrated to new Azure Resource Manager resources).
Severity: High
Virtual machines guest attestation status should be healthy
Description: Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain, which might be the result of a bootkit
or rootkit
infection.
This assessment only applies to Trusted Launch enabled virtual machines that have the Guest Attestation extension installed.
(No related policy)
Severity: Medium
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
Description: The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. (Related policy: Guest Configuration extension should be deployed to Azure virtual machines with system assigned managed identity).
Severity: Medium
Virtual machine scale sets should be configured securely
Description: On virtual machine scale sets, remediate vulnerabilities to protect them from attacks. (Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated).
Severity: High
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. For a comparison of different disk encryption technologies in Azure, see Overview of managed disk encryption options. Use Azure Disk Encryption to encrypt all this data. Disregard this recommendation if:
You're using the encryption-at-host feature, or server-side encryption on Managed Disks meets your security requirements. Learn more in server-side encryption of Azure Disk Storage.
(Related policy: Disk encryption should be applied on virtual machines)
Severity: High
vTPM should be enabled on supported virtual machines
Description: Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.
- Trusted launch requires the creation of new virtual machines.
- You can't enable trusted launch on existing virtual machines that were initially created without it.
Learn more about Trusted launch for Azure virtual machines. (No related policy)
Severity: Low
Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)
Description: Remediate vulnerabilities in security configuration on your Linux machines to protect them from attacks. (Related policy: Linux machines should meet requirements for the Azure security baseline).
Severity: Low
Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)
Description: Remediate vulnerabilities in security configuration on your Windows machines to protect them from attacks. (No related policy)
Severity: Low
Windows Defender Exploit Guard should be enabled on machines
Description: Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). (Related policy: Audit Windows machines on which Windows Defender Exploit Guard is not enabled).
Severity: Medium
Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost
Description: By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources. Use Azure Disk Encryption or EncryptionAtHost to encrypt all this data. Visit Overview of managed disk encryption options to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. (Related policy: [Preview]: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost).
Replaces the older recommendation Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources. The recommendation enables you to audit VM encryption compliance.
Severity: High
Windows web servers should be configured to use secure communication protocols
Description: To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. (Related policy: Audit Windows web servers that are not using secure communication protocols).
Severity: High