Skip to main content

Azure Security Center disabling a policy assessment


In Azure Security Center (ASC)/Security Center there is something known as “Azure secure score” and continuous assessment and security recommendations” which is part of the free tier offering. Both features are a great starter tool to help assess your security posture with the resources that you have deployed in your subscription.  The assessment policies are based on best practices from Microsoft and are there to help highlight where you may have mis-configured a resource whether it is deployed on the IaaS or PaaS platform. The policies are maintained by Microsoft and are always getting updated.

As Microsoft has been promoting Security Center as a starter tool, your management and security team might be watching the secure score like a hawk to make sure it never goes down. If the score goes down, then you might get collared by them asking why the score has gone down!!!

As I highlighted before the assessment policies are based on best practices  from Microsoft so there will be some policy checks that might not be relevant to your environment. For example, there is a policy which checks if you have disk encryption applied to your virtual machines which I don't need in my lab. We will take the example of disk encryption and show you how to see information about the policy and disable this policy in this article.  

Here is an example of my subscription’s security score at the overview page and you can see that it is at 152. So click on “Compute & Apps resources” so that we can drill in more specific around this area.

You now see a list of non-compliance policies and the one we want to look further in to is “Disk encryption should be applied on virtual machines”. So, hover over the text and click into it.

This screen will give you information about the policy, potentials threats and how-to remediation. You can see that I have 12 unhealthy resources based on this policy.


As I don’t need disk encryption in my lab subscription then I don’t really want the policy to run which would affect my secure score. I will now show you the steps on how to disable the policy “Disk encryption should be applied on virtual machines”


Steps to disable policy “Disk encryption should be applied on virtual machines”:

Within Security Center under “Policy & Compliance” blade select “Security Policy”
If you are using management groups, then you will need to navigate to the subscription that you are looking to disable the policy rules and click on it.

On this screen check that you have selected the correct subscription. You should see that there is one assignment (you can have more than one attached) attached to security center. Click on “View effective policy”

You should see the name of your policy which should have your subscription ID as part of the name if you used the default. If you scroll down this page you will see which policies have been enabled. You can see that “Disk encryption should be applied on virtual machines” is set as “AuditIfNotExists”. Click on the policy name to drill in to the configuration of the policy itself.




Now that you are viewing the policy and check that you are editing the right one. Select the “Parameters” tab. Locate “Disk encryption should be applied on virtual machines” and you can see the settings as "AuditifNotExists”. Click the down arrow to change it to “Disabled”

Once you have changed the policy to “Disabled” then click on “Review + Save”

Review the parameters section to see if your policy is disabled and ensure the “Scope” is the right subscription or management group that you are applying to. Once you are happy then click on “Save”
You will now need to follow the initial steps I described above on how to view the policy settings. Once you get back to the same screen you should see that "Disk encryption should be applied on virtual machines” is set to “Disabled”. A word of caution sometimes you might need to wait for a bit and click around or logout and login again before you see it take effect.

We now have the policy disabled but you may have to wait up to 24 hours before you see any changes to the secure score. From my experience I have seen some of my subscriptions taking only a few hours and some have taken well over 24 hours to change so be patience.

So if you score has changed then you may see something like this. If you compare this to my previous screenshot at the start of the article you will see that the secure score is now 220 and my “Compute & apps resources” is now orange colour and not red. Let’s click into that so that we can drill in a bit more.


Now on the overview page of the “compute” you can see that the recommendation for disk encryption is not there anymore. To make sure that the policy is not applied click on “VMs and Servers”
Click on one of the VMs. I usually click on ones which are powered on as some policies require the VM to be powered on so I have selected “vm001”
Under recommendation you should see that disk encryption is not there anymore. Click on “Passed assessments”
You should now see the disk encryption policy is showing as health.

This is just an example of how to disable a policy which may not be applicable to your environment such as you are using another 3rd party product to do the same job or that settings doesn't apply to you. Either way this is a way to improve your score if you know that a particular policy doesn’t apply to you. Microsoft always releases new policies so I would always check if your score has gone down because of a new policy that has been introduced. They always introduce “preview” ones which do affect your scores as well and sometimes these preview policies just disappear into thin air. One thing I would bear in mind is that security center scores are not in real time so any changes you have made can take some time to be reflected.

Its a good start to help you quickly look at your security posture without spending money on tools or writing complex scripts/policies to check your environment.


Comments

Popular posts from this blog

Rolling back a version of ESXi

There is an option in VMware where after you have performed an major upgrade of ESXi you can roll back to your previous version. The benefit of this is that you would not need to reinstall your ESXi and its configuration if you had issues with the new software. I had to do this on one occassion in my lab where I upgraded from 6.5 to 6.7 and my VMs would not run because the CPU was not supported in 6.7. Please remember if you are using ISO method to upgrade ESXi please ensure you select "Upgrade ESXi, preserve VMFS datastore". Selecting "Install ESXi, preserve VMFS datastore" does not mean preserving datastore means retaining ESXi as it will still do a clean install of ESXi. This method does not work for vSphere 7.0 as there are changes to the partitions on the boot device. Below are the steps to roll back to a previous version which is quite straight forward. As always perform an backup of your host configuration before you upgrade or rollback ( KB2042141 ). I have

Configuring ESXi 6 host to send logs to Syslog Server

In my previous post I talked about configuring VMware Syslog server for Windows which is installed and enabled by default on installation of vCenter 6 for Windows. I will now describe the basic configuration that is required on an ESXi 6 host to be able to send logs out to a syslog server using my vCenter as the example. 1) Navigate to your ESXi host within vCenter. Go to "Manage" tab and select "Settings" followed by "Advanced System Settings". Look for the settings "Syslog.global.loghost" and highlight this settings. Click the pencil icon to edit the configuration for this setting. 2) You can now add the host name or ip address of your syslog server/s. You can enter just hostname or IP address, use udp://hostname:514 or ssl://hostname:1514 to be more specific on the port and protocol to be used. If you have multiple hosts then you use the comma (,) to separate each server i.e. udp://192.168.0.1:514,udp://192.168.0.2:514 3)We n

Custom ESXi Image - ISO using PowerCLI

There comes a time when you have purchased a new hardware to run your ESXi software and discover that the installable base media provided by VMware does not include the drivers or the drivers are out of date. In the world of Windows (Plug and Play) it would discover the hardware and prompt you to provide the drivers so that Windows would install/update the drivers for the hardware. For ESXi if the drivers are not present during load time then the hardware will possibly not work. VMware uses VIB (vSphere Installation Bundle) as a way for vendors to distribute their drivers. To install these VIBs you can either use Update Manager or command line (esxcli). Now this is all good but it does mean you have to first install the base ESXi then use one of the steps above to install/update the drivers.   Some people might feel that it is OK to update the drivers using the above methods but what if it was the network card that was the new hardware and you needed new drivers. Without the net