Saturday, 8 February 2020

Azure Security Center disabling a policy assessment


In Azure Security Center (ASC)/Security Center there is something known as “Azure secure score” and continuous assessment and security recommendations” which is part of the free tier offering. Both features are a great starter tool to help assess your security posture with the resources that you have deployed in your subscription.  The assessment policies are based on best practices from Microsoft and are there to help highlight where you may have mis-configured a resource whether it is deployed on the IaaS or PaaS platform. The policies are maintained by Microsoft and are always getting updated.

As Microsoft has been promoting Security Center as a starter tool, your management and security team might be watching the secure score like a hawk to make sure it never goes down. If the score goes down, then you might get collared by them asking why the score has gone down!!!

As I highlighted before the assessment policies are based on best practices  from Microsoft so there will be some policy checks that might not be relevant to your environment. For example, there is a policy which checks if you have disk encryption applied to your virtual machines which I don't need in my lab. We will take the example of disk encryption and show you how to see information about the policy and disable this policy in this article.  

Here is an example of my subscription’s security score at the overview page and you can see that it is at 152. So click on “Compute & Apps resources” so that we can drill in more specific around this area.

You now see a list of non-compliance policies and the one we want to look further in to is “Disk encryption should be applied on virtual machines”. So, hover over the text and click into it.

This screen will give you information about the policy, potentials threats and how-to remediation. You can see that I have 12 unhealthy resources based on this policy.


As I don’t need disk encryption in my lab subscription then I don’t really want the policy to run which would affect my secure score. I will now show you the steps on how to disable the policy “Disk encryption should be applied on virtual machines”


Steps to disable policy “Disk encryption should be applied on virtual machines”:

Within Security Center under “Policy & Compliance” blade select “Security Policy”
If you are using management groups, then you will need to navigate to the subscription that you are looking to disable the policy rules and click on it.

On this screen check that you have selected the correct subscription. You should see that there is one assignment (you can have more than one attached) attached to security center. Click on “View effective policy”

You should see the name of your policy which should have your subscription ID as part of the name if you used the default. If you scroll down this page you will see which policies have been enabled. You can see that “Disk encryption should be applied on virtual machines” is set as “AuditIfNotExists”. Click on the policy name to drill in to the configuration of the policy itself.




Now that you are viewing the policy and check that you are editing the right one. Select the “Parameters” tab. Locate “Disk encryption should be applied on virtual machines” and you can see the settings as "AuditifNotExists”. Click the down arrow to change it to “Disabled”

Once you have changed the policy to “Disabled” then click on “Review + Save”

Review the parameters section to see if your policy is disabled and ensure the “Scope” is the right subscription or management group that you are applying to. Once you are happy then click on “Save”
You will now need to follow the initial steps I described above on how to view the policy settings. Once you get back to the same screen you should see that "Disk encryption should be applied on virtual machines” is set to “Disabled”. A word of caution sometimes you might need to wait for a bit and click around or logout and login again before you see it take effect.

We now have the policy disabled but you may have to wait up to 24 hours before you see any changes to the secure score. From my experience I have seen some of my subscriptions taking only a few hours and some have taken well over 24 hours to change so be patience.

So if you score has changed then you may see something like this. If you compare this to my previous screenshot at the start of the article you will see that the secure score is now 220 and my “Compute & apps resources” is now orange colour and not red. Let’s click into that so that we can drill in a bit more.


Now on the overview page of the “compute” you can see that the recommendation for disk encryption is not there anymore. To make sure that the policy is not applied click on “VMs and Servers”
Click on one of the VMs. I usually click on ones which are powered on as some policies require the VM to be powered on so I have selected “vm001”
Under recommendation you should see that disk encryption is not there anymore. Click on “Passed assessments”
You should now see the disk encryption policy is showing as health.

This is just an example of how to disable a policy which may not be applicable to your environment such as you are using another 3rd party product to do the same job or that settings doesn't apply to you. Either way this is a way to improve your score if you know that a particular policy doesn’t apply to you. Microsoft always releases new policies so I would always check if your score has gone down because of a new policy that has been introduced. They always introduce “preview” ones which do affect your scores as well and sometimes these preview policies just disappear into thin air. One thing I would bear in mind is that security center scores are not in real time so any changes you have made can take some time to be reflected.

Its a good start to help you quickly look at your security posture without spending money on tools or writing complex scripts/policies to check your environment.


No comments:

Post a Comment

Azure Resource Support for Availability Zone

Over the years, an increasing number of services are consumed in the cloud and as architects one of the key considerations is designing the ...