Description:

Microsoft Defender for Servers is a cloud-native security solution that helps protect your Azure virtual machines (VMs) by providing threat protection, vulnerability management, and advanced security features. Enabling Defender for Servers ensures that your virtual machines are continuously monitored for security threats, vulnerabilities, and compliance risks, offering enhanced protection from attacks and unauthorized access.

Rationale:

Enabling Defender for Servers ensures that virtual machines (VMs) running on Azure are secured with real-time monitoring, threat detection, and automated incident response. It enhances your security posture by continuously scanning VMs for known vulnerabilities and misconfigurations. Defender for Servers also integrates with Microsoft Defender for Cloud (formerly Azure Security Center) to provide alerts and actionable insights, improving the overall security of the infrastructure.

Impact:

Enabling Defender for Servers helps protect your VMs from potential vulnerabilities, attacks, and misconfigurations. The feature provides valuable security insights, but may increase costs due to monitoring and advanced security capabilities. Additionally, there may be performance overhead depending on the number of resources being monitored.

Default Value:

By default, Defender for Servers is not enabled for Azure subscriptions. It needs to be manually configured.

Pre-requisites:

  • Azure subscription.

  • Microsoft Defender for Cloud (formerly Azure Security Center) must be enabled and active, as Defender for Servers is one of its plans.

  • The user must have Owner, Contributor, or Security Admin role permissions in the Azure subscription.

Audit:

  1. Sign in to the Azure portal as an Owner, Contributor, or Security Admin.

  2. Navigate to Microsoft Defender for Cloud > Environment Settings.

  3. Select the subscription and, under Defender plans, verify that Defender for Servers is enabled (On) for your Azure resources.

Implementation Steps (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner, Contributor, or Security Admin permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • In the Azure portal, go to Microsoft Defender for Cloud (formerly Azure Security Center).

  3. Enable Defender for Servers:

    • In Microsoft Defender for Cloud, go to Environment settings.

    • Under Defender plans, ensure that Defender for Servers is enabled.

    • If not already enabled, select Enable for Defender for Servers. This will automatically start protecting all supported VMs in your subscription.

  4. Use Azure CLI for Automated Enabling: If you prefer to enable Defender for Servers using Azure CLI, you can automate the process with the following commands:

    • Ensure that Azure CLI is installed and that you’re logged in with sufficient permissions.

Run the following command to enable Defender for Servers:

az security pricing create --name "VirtualMachines" --tier Standard


To verify that Defender for Servers is enabled, use the following command:

az security pricing show --name "VirtualMachines"
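An added audit and remediation helper that wraps the two commands above (this is example code, not part of the original benchmark text or Microsoft's tooling): it parses the pricingTier field returned by az security pricing show, so the pass/fail logic can be exercised offline against constructed sample output before it is pointed at a real subscription. The function names and the sample JSON are assumptions; the only thing relied on is that the field reads "Standard" when the plan is on and "Free" when it is off.

```shell
#!/usr/bin/env bash
# Audit/remediation helper for the Defender for Servers control (added example,
# not from the original benchmark). Assumes only the shape of
# `az security pricing show --name VirtualMachines` output: a JSON object whose
# "pricingTier" field is "Free" (plan off) or "Standard" (plan on).

# Constructed samples of that output shape (not captured from a real tenant).
SAMPLE_ENABLED='{ "name": "VirtualMachines", "pricingTier": "Standard" }'
SAMPLE_DISABLED='{ "name": "VirtualMachines", "pricingTier": "Free" }'

# Evaluate a pricing JSON document. Exit status: 0 = compliant, 1 = not compliant,
# 2 = output could not be interpreted (treated as a finding, never as a pass).
defender_servers_status() {
    json="$1"
    tier=$(printf '%s\n' "$json" \
        | sed -n 's/.*"pricingTier"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        | head -n 1)
    case "$tier" in
        Standard) echo "PASS: Defender for Servers is enabled (pricingTier=Standard)"; return 0 ;;
        Free)     echo "FAIL: Defender for Servers is disabled (pricingTier=Free)";   return 1 ;;
        "")       echo "ERROR: no pricingTier field in CLI output";                    return 2 ;;
        *)        echo "FAIL: unexpected pricingTier '$tier'";                         return 1 ;;
    esac
}

# Live audit: requires Azure CLI and a login with read access to the subscription.
audit_live() {
    out=$(az security pricing show --name VirtualMachines -o json) || return 2
    defender_servers_status "$out"
}

# Remediate only when the audit fails, then re-audit so the change is confirmed
# rather than assumed.
remediate_if_needed() {
    audit_live && return 0
    az security pricing create --name VirtualMachines --tier Standard -o none || return 2
    audit_live
}
```

Run remediate_if_needed from a shell already logged in with az login; an "ERROR" result (exit status 2) means the CLI output did not contain the expected field and should be investigated rather than ignored.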

  5. Configure Security Alerts and Policies:

    • Once Defender for Servers is enabled, configure alerting and monitoring settings to receive notifications about security incidents or vulnerabilities.

    • In Microsoft Defender for Cloud, navigate to Security Policy and review the alert settings for Defender for Servers to ensure alerts are properly configured.

  6. Monitor and Review Security Recommendations:

    • After enabling Defender for Servers, monitor the Microsoft Defender for Cloud dashboard for new alerts or security recommendations related to your virtual machines.

    • Review vulnerability assessments and security alerts generated by Defender for Servers and apply the necessary remediations.

  7. Test the Configuration:

    • Test the Defender for Servers capabilities by triggering a security event or vulnerability, such as deploying a VM with known vulnerabilities, to ensure that Defender for Servers provides detection and alerting.

Backout Plan (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner, Contributor, or Security Admin permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • Go to Microsoft Defender for Cloud in the Azure portal.

  3. Disable Defender for Servers:

    • In Microsoft Defender for Cloud, go to Environment settings.

    • Under Defender plans, toggle Defender for Servers to Off to disable the service.

    • Use Azure CLI to Disable Defender for Servers: If you want to disable Defender for Servers via Azure CLI, run the following command (the CLI accepts only the tiers Free and Standard; Free turns the plan off):

az security pricing create --name "VirtualMachines" --tier Free

  4. Verify Disabled Status:

    • Verify that Defender for Servers is disabled (pricingTier reports Free) by running:

az security pricing show --name "VirtualMachines"

  5. Monitor the Backout:

    • After disabling Defender for Servers, monitor Microsoft Defender for Cloud to ensure no further alerts or recommendations are generated for the VMs.

References: