Description:

Ensures that virtual machines run only organization-approved extensions, preventing unauthorized software from being installed through VM extensions and reducing configuration, security, and compliance risks.


Rationale:

VM extensions are deployed by the Azure VM Agent and execute code inside the guest with administrative privileges (root on Linux, SYSTEM on Windows), so anyone who can add an extension can run arbitrary code on the VM without ever logging in to it. Restricting extensions to an approved list prevents malicious or untested tools from being deployed through this channel and helps maintain a secure, standardized VM environment.


Impact:

Limiting VM extensions blocks unauthorized or risky software, reduces exposure to malware, minimizes configuration drift, and keeps workloads aligned with security standards while maintaining control over what executes inside virtual machines. Removing an extension that a platform service depends on (for example a monitoring, backup, or guest configuration agent) breaks that function, so the approved list should be agreed with the teams that operate those services before any extension is removed.


Default value:

By default, Azure does not restrict which extensions can be installed on a virtual machine. No extensions are present on a new VM unless they are added by a user, by deployment automation, or by a platform service that depends on them.


Test plan:

  1. Log in to the Microsoft Azure Portal https://portal.azure.com

  2. Navigate to Virtual machines.

  3. Select a virtual machine.

  4. Under Settings, select Extensions + applications.

  5. Review the list of installed extensions.

  6. Compare each installed extension’s publisher and type against the organization’s approved extension list. Do not rely on the extension’s display name alone: the name is chosen by whoever installed it and can mimic an approved extension.

  7. Verify that no unapproved or unknown extensions are installed.

  8. Repeat the above steps for all virtual machines in scope.

  9. If any unapproved extensions are found, follow the Implementation Steps.


Implementation Steps:

  1. Log in to the Microsoft Azure Portal https://portal.azure.com

  2. Navigate to Virtual machines.

  3. Select a virtual machine.

  4. Under Settings, select Extensions + applications.

  5. Review the list of installed extensions.

  6. Compare each installed extension’s publisher and type against the organization’s approved extension list.

  7. Select any extension that is not approved.

  8. Click Uninstall to remove the unapproved extension.

  9. Confirm the extension is removed successfully.

  10. Repeat these steps for all virtual machines in scope.
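The review in the Test plan and the removal in the Implementation Steps above can be scripted instead of clicked through one VM at a time. The following is an added example and is not part of the original control text. It reads the JSON that `az vm extension list` prints for each VM (the field names `publisher`, `typePropertiesType`, `name` and `provisioningState` are those of the Azure CLI output), flags every extension whose publisher/type pair is not on the allowlist, and generates the matching `az vm extension delete` commands for review. The approved list and the two-VM inventory in the block are constructed for illustration; `live_inventory()` shows how to collect the real data with a logged-in Azure CLI, and is not exercised by the sample run.

```python
"""Audit Azure VM extensions against an organization allowlist (added example)."""
import json
import shutil
import subprocess

# Hypothetical approved list, keyed on (publisher, extension type).
# Keying on the instance name alone is unsafe: the name is chosen by whoever
# installs the extension, so a CustomScript extension can be called
# "AzureMonitorLinuxAgent".
APPROVED_EXTENSIONS = {
    ("Microsoft.Azure.Monitor", "AzureMonitorLinuxAgent"),
    ("Microsoft.Azure.Monitor", "AzureMonitorWindowsAgent"),
    ("Microsoft.GuestConfiguration", "ConfigurationforLinux"),
}

# Constructed sample: the shape of `az vm extension list -g <rg> -n <vm>`
# output for two VMs, trimmed to the fields used below. web02 carries a
# CustomScript extension named to look like the monitoring agent.
SAMPLE_INVENTORY = {
    ("prod-rg", "web01"): json.loads("""[
      {"name": "AzureMonitorLinuxAgent", "publisher": "Microsoft.Azure.Monitor",
       "typePropertiesType": "AzureMonitorLinuxAgent", "typeHandlerVersion": "1.28",
       "provisioningState": "Succeeded"}
    ]"""),
    ("prod-rg", "web02"): json.loads("""[
      {"name": "AzureMonitorLinuxAgent", "publisher": "Microsoft.Azure.Extensions",
       "typePropertiesType": "CustomScript", "typeHandlerVersion": "2.1",
       "provisioningState": "Succeeded"},
      {"name": "ConfigurationforLinux", "publisher": "Microsoft.GuestConfiguration",
       "typePropertiesType": "ConfigurationforLinux", "typeHandlerVersion": "1.26",
       "provisioningState": "Succeeded"}
    ]"""),
}


def extension_key(ext):
    """Return the (publisher, type) pair that identifies an extension."""
    return (ext["publisher"], ext["typePropertiesType"])


def find_unapproved(extensions, approved=APPROVED_EXTENSIONS):
    """Return the extensions whose publisher/type pair is not on the allowlist."""
    return [e for e in extensions if extension_key(e) not in approved]


def audit_inventory(inventory, approved=APPROVED_EXTENSIONS):
    """Map (resource_group, vm_name) -> names of unapproved extensions on that VM."""
    findings = {}
    for vm, extensions in inventory.items():
        bad = find_unapproved(extensions, approved)
        if bad:
            findings[vm] = [e["name"] for e in bad]
    return findings


def remediation_commands(findings):
    """Build one `az vm extension delete` command per finding.

    The commands are returned rather than executed so they can be reviewed
    first: an extension that backup or monitoring depends on belongs on the
    approved list, not in the delete queue.
    """
    return [
        f"az vm extension delete --resource-group {rg} --vm-name {vm} --name {name}"
        for (rg, vm), names in sorted(findings.items())
        for name in names
    ]


def live_inventory():
    """Collect extensions for every VM in the current subscription via the Azure CLI."""
    if shutil.which("az") is None:
        raise RuntimeError("Azure CLI (az) not found on PATH")
    vms = json.loads(subprocess.check_output(
        ["az", "vm", "list", "--query", "[].{name:name, rg:resourceGroup}", "-o", "json"]))
    inventory = {}
    for vm in vms:
        inventory[(vm["rg"], vm["name"])] = json.loads(subprocess.check_output(
            ["az", "vm", "extension", "list", "--resource-group", vm["rg"],
             "--vm-name", vm["name"], "-o", "json"]))
    return inventory


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in live_inventory() for real data.
    results = audit_inventory(SAMPLE_INVENTORY)
    for (rg, vm), names in results.items():
        print(f"{rg}/{vm}: unapproved extension(s): {', '.join(names)}")
    for cmd in remediation_commands(results):
        print(cmd)
```

On the sample data the audit flags only web02, because its first extension is published by Microsoft.Azure.Extensions with type CustomScript despite being named after the monitoring agent; a name-only comparison would have passed it. Manual or scripted removal is a detective control and only catches what is already installed; to prevent installs in the first place, assign the built-in Azure Policy definition "Only approved VM extensions should be installed" with the Deny effect and the same approved list.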


Backout plan:

  1. Log in to the Microsoft Azure Portal https://portal.azure.com

  2. Navigate to Virtual machines.

  3. Select the virtual machine where an extension was removed.

  4. Under Settings, select Extensions + applications.

  5. Click Add to install a new extension.

  6. Select the required extension from the list.

  7. Re-enter any required configuration details or credentials.

  8. Click Create or Install to reinstall the extension.


References: