Description:
None of the settings offered by ASC Default policy should be set to effect "Disabled".
Rationale:
A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. The ASC Default policy is associated with every subscription by default. The ASC Default policy assignment is a set of security recommendations based on best practices. Enabling the recommendations in the ASC Default policy ensures that Azure Security Center can monitor all of the supported recommendations and, optionally, take automated action for a few of them.
Audit:
Go to Azure Security Center
Click on the security policy to open the Policy Management blade.
Click Subscription View
Click on the Subscription Name to open the Security Policy blade for the subscription.
Expand all the available sections: Compute And Apps, Data, Identity
Ensure that none of the settings is set to Disabled
The 'View effective Policy' button can be used to see all effects of policies even if they have not been modified.
Using Azure Command-Line Interface 2.0
Ensure the output of the command below does not contain any setting that is set to Disabled or empty
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv \
  | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01'
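One way to check that output automatically, as an added example that is not part of the original benchmark text: the script reads the JSON returned by the call above and lists every parameter whose value is Disabled or empty. The sample response, its subscription ID and its parameter values are constructed for illustration, and the function name is hypothetical.

```python
import json
import sys

# Constructed sample of a policy assignment response (not real tenant data).
SAMPLE_RESPONSE = """
{
  "name": "SecurityCenterBuiltIn",
  "properties": {
    "displayName": "ASC Default (subscription: 00000000-0000-0000-0000-000000000000)",
    "parameters": {
      "systemUpdatesMonitoringEffect": {"value": "AuditIfNotExists"},
      "diskEncryptionMonitoringEffect": {"value": "Disabled"},
      "sqlAuditingMonitoringEffect": {"value": ""}
    }
  }
}
"""


def find_disabled_settings(response_text):
    """Return the sorted names of parameters set to Disabled or left empty."""
    doc = json.loads(response_text)
    # An error body (for example from an expired token) contains no
    # "Disabled" string, so reject it instead of reading it as a pass.
    if not isinstance(doc, dict) or "error" in doc or "properties" not in doc:
        raise ValueError("response is not a policy assignment")
    # Only modified settings are listed; an empty map means nothing was overridden.
    params = doc["properties"].get("parameters") or {}
    failing = []
    for name, setting in params.items():
        value = setting.get("value") if isinstance(setting, dict) else setting
        if value is None or str(value).strip().lower() in ("", "disabled"):
            failing.append(name)
    return sorted(failing)


if __name__ == "__main__":
    # Pipe the curl output in on stdin; without a pipe the sample is used.
    text = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    bad = find_disabled_settings(text)
    for name in bad:
        print("FAIL", name)
    sys.exit(1 if bad else 0)
```

The exit status is non-zero when any setting fails, so the check can gate a scheduled compliance job.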
Remediation:
Pre-Requisite:
An Azure account
An Azure Defender plan for enhanced security (Azure Defender is free for the first 30 days. At the end of 30 days, if you choose to continue using the service, you'll automatically be charged for usage).
Implementation Steps:
Navigate to Azure Policy
On the Policy "Overview" blade, click on the policy ASC Default (Subscription: Subscription_ID)
On the "ASC Default" blade, click on Edit Assignments
In the PARAMETERS section, set the impacted setting to any available value other than Disabled or empty
Click Save
Backout Plan:
Go to Azure Security Center
Click on the security policy to open the Policy Management blade.
Click Subscription View
Click on the Subscription Name to open the Security Policy blade for the subscription.
Expand all the available sections: Compute And Apps, Data, Identity
Ensure that none of the settings is set to Disabled (how we can revoke the changes)
Note:
Policies that have not been modified will not be listed in this output.