In Azure Security Center (ASC)/Security Center there is
something known as “Azure secure score” and continuous assessment and security
recommendations” which is part of the free tier offering. Both features are a
great starter tool to help assess your security posture with the resources that
you have deployed in your subscription.
The assessment policies are based on best practices from Microsoft and
are there to help highlight where you may have mis-configured a resource
whether it is deployed on the IaaS or PaaS platform. The policies are
maintained by Microsoft and are always getting updated.
As Microsoft has been promoting Security Center as a starter
tool, your management and security team might be watching the secure score like a hawk to make sure it never goes down. If the score goes down, then
you might get collared by them asking why the score has gone down!!!
As I highlighted before the assessment policies are based on
best practices from Microsoft so there will be some policy checks that might not be relevant to your environment. For example, there is a policy which checks if you have
disk encryption applied to your virtual machines which I don't need in my lab. We will take the example of disk encryption and show you how
to see information about the policy and disable this policy in this article.
Here
is an example of my subscription’s security score at the overview page and you
can see that it is at 152. So click on “Compute & Apps resources” so that we
can drill in more specific around this area.
You now see a list of non-compliance policies and the one we
want to look further in to is “Disk encryption should be applied
on virtual machines”. So, hover over the text and click into it.
This screen will give you information about the policy,
potentials threats and how-to remediation. You can see that I have 12 unhealthy
resources based on this policy.
As I don’t need disk encryption in my lab subscription then
I don’t really want the policy to run which would affect my secure score. I
will now show you the steps on how to disable the policy “Disk encryption should
be applied on virtual machines”
Steps to disable policy “Disk encryption should be applied on
virtual machines”:
Within Security Center under “Policy & Compliance” blade select
“Security Policy”
If you are using management groups, then you will need to
navigate to the subscription that you are looking to disable the policy rules
and click on it.
On this screen check that you have selected the correct
subscription. You should see that there is one assignment (you can have more
than one attached) attached to security center. Click on “View effective
policy”
You should see the name of your policy which
should have your subscription ID as part of the name if you used the default. If
you scroll down this page you will see which policies have been enabled. You
can see that “Disk encryption should be applied on virtual machines” is set as “AuditIfNotExists”.
Click on the policy name to drill in to the configuration of the policy itself.
Now that you are viewing the policy and check that you
are editing the right one. Select the “Parameters” tab. Locate “Disk
encryption should be applied on virtual machines” and you can see the settings
as "AuditifNotExists”. Click the down arrow to change it to “Disabled”
Once you have changed the policy to “Disabled” then click on
“Review + Save”
Review the parameters section to see if your policy is
disabled and ensure the “Scope” is the right subscription or management group that you are applying to.
Once you are happy then click on “Save”
You will now need to follow the initial steps I described above on how to view the policy settings. Once you get back to the same screen you should see that "Disk encryption should be applied on virtual
machines” is set to “Disabled”. A word of caution sometimes you might need to
wait for a bit and click around or logout and login again before you see it take effect.
We now have the policy disabled but you may have to wait up
to 24 hours before you see any changes to the secure score. From my
experience I have seen some of my subscriptions taking only a few hours and
some have taken well over 24 hours to change so be patience.
So if you score has changed then you may see something like
this. If you compare this to my previous screenshot at the start of the article you will see that the
secure score is now 220 and my “Compute & apps resources” is now orange
colour and not red. Let’s click into that so that we can drill in a bit more.
Now on the overview page of the “compute” you can see that
the recommendation for disk encryption is not there anymore. To make sure that
the policy is not applied click on “VMs and Servers”
Click
on one of the VMs. I usually click on ones which are powered on as some policies require the VM to be powered on so I have
selected “vm001”
Under recommendation you should see that disk encryption is
not there anymore. Click on “Passed assessments”
You should now see the disk encryption policy is showing as
health.
This is just an example of how to
disable a policy which may not be applicable to your environment such as you
are using another 3rd party product to do the same job or that settings doesn't apply to you. Either way this is a way to improve your score if you know
that a particular policy doesn’t apply to you. Microsoft always releases new policies
so I would always check if your score has gone down because of a new policy
that has been introduced. They always introduce “preview” ones which do affect
your scores as well and sometimes these preview policies just disappear into thin air. One thing I would bear in mind is that security center
scores are not in real time so any changes you have made can take some time to
be reflected.
Its a good start to help you quickly look at your security posture without spending money on tools or writing complex scripts/policies to check your environment.
