Profile Applicability:
- Level 2
Description:
This check ensures that Endpoint Protection (such as antivirus or antimalware software) is installed and properly configured on all Azure Virtual Machines (VMs). Endpoint protection helps to secure VMs by detecting and preventing malware, viruses, and other types of threats from compromising the VM.
Rationale:
Endpoint protection is essential for securing virtual machines against malware, ransomware, and other threats. Without it, VMs are vulnerable to attacks that could result in data breaches, service disruptions, or unauthorized access. By ensuring that endpoint protection is installed and active, you reduce the risk of threats on your VMs and help meet security and compliance requirements.
Impact:
Pros:
Provides real-time protection against malware, viruses, and other threats.
Enhances overall security posture by mitigating the risk of malicious software.
Helps meet regulatory and compliance requirements (e.g., HIPAA, PCI-DSS).
Cons:
May introduce some overhead in terms of resource utilization and VM performance.
Requires regular updates and management to ensure endpoint protection remains effective.
Default Value:
The Microsoft Antimalware extension and the Microsoft Defender for Endpoint sensor are not deployed to Azure Virtual Machines by default, and the Microsoft Defender for Servers plan that deploys the sensor automatically is off until it is enabled on the subscription. Windows Server marketplace images include the built-in Microsoft Defender Antivirus; Linux images ship with no endpoint protection. In either case protection must be deployed and configured deliberately for Defender for Cloud to report the VM as compliant.
Pre-requisites:
Ensure that the endpoint protection software (e.g., Microsoft Defender for Endpoint, third-party antivirus solutions) is available and compatible with the VMs.
Ensure that appropriate permissions are in place to install and configure endpoint protection software on the VMs.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Virtual Machines blade.
Select the VM you want to review.
Under Settings, open Extensions + applications and confirm that an endpoint protection extension is listed with provisioning state Succeeded: IaaSAntimalware (publisher Microsoft.Azure.Security, the Microsoft Antimalware extension), MDE.Windows or MDE.Linux (publisher Microsoft.Azure.AzureDefenderForServers, the Microsoft Defender for Endpoint sensor), or an approved third-party vendor's extension.
Then open Microsoft Defender for Cloud in the same Settings section and confirm there is no open recommendation to install an endpoint protection solution on this machine. Defender for Cloud also recognizes supported agents installed inside the guest OS, so treat it as the authoritative result when no extension is listed.
A Custom Script Extension is only an installer; its presence is not evidence that endpoint protection is installed or running.
Using Azure CLI:
To check whether an endpoint protection extension is deployed on a VM, list its extensions with publisher, type and provisioning state:
az vm extension list --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --query "[].{name:name, publisher:publisher, type:typePropertiesType, state:provisioningState}" --output table
A compliant VM shows Microsoft.Azure.Security / IaaSAntimalware (Microsoft Antimalware) or Microsoft.Azure.AzureDefenderForServers / MDE.Windows or MDE.Linux (Microsoft Defender for Endpoint) with state Succeeded. An extension in Failed or Creating state is not protecting the VM. Note that az vm show --query securityProfile reports Trusted Launch and encryption-at-host settings, not antimalware, and cannot be used for this check.
To see the conclusion Defender for Cloud reached, which also covers supported third-party agents running inside the guest, list the subscription's assessments and filter on the endpoint protection recommendation:
az security assessment list --query "[?contains(displayName, 'ndpoint protection')].{name:displayName, status:status.code, id:id}" --output table
A status code of Unhealthy for a VM is a finding for this recommendation.
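The command above audits one VM at a time. The bash script below is an added example, not part of the benchmark text: it walks every VM in the current subscription, pulls each VM's successfully provisioned extensions as "publisher/type" pairs with az vm extension list, and flags VMs that have no known endpoint protection extension. The list of known extensions is an assumption limited to the Microsoft-published ones (IaaSAntimalware, MDE.Windows, MDE.Linux); a third-party agent installed inside the guest OS does not appear as an extension, so a FAIL line means "verify manually", not "no protection". The two sample extension lists at the bottom are constructed so the classification logic can be exercised without a subscription; the live audit runs only when the script is invoked with --live after az login.

```bash
#!/usr/bin/env bash
# Added example: audit every VM in the current Azure subscription for an
# endpoint protection extension. `az login` is required for --live mode only.

# Known endpoint protection extensions as "publisher/type". Assumption: only the
# Microsoft-published ones are listed; add vendor extensions you have approved.
KNOWN_EP_EXTENSIONS='Microsoft.Azure.Security/IaaSAntimalware
Microsoft.Azure.AzureDefenderForServers/MDE.Windows
Microsoft.Azure.AzureDefenderForServers/MDE.Linux'

# Reads "publisher/type" lines from stdin; returns 0 if any line names a known
# endpoint protection extension, 1 otherwise (including empty input).
# Azure publisher and type names are case-insensitive, hence grep -i.
has_endpoint_protection() {
    found=1
    while IFS= read -r ext; do
        [ -n "$ext" ] || continue
        if printf '%s\n' "$KNOWN_EP_EXTENSIONS" | grep -qixF -- "$ext"; then
            found=0
        fi
    done
    return "$found"
}

# Live check of one VM. Only extensions whose provisioning succeeded count:
# an extension stuck in Failed or Creating is not protecting anything.
audit_vm() {
    rg="$1"
    vm="$2"
    if az vm extension list --resource-group "$rg" --vm-name "$vm" \
        --query "[?provisioningState=='Succeeded'].join('/', [publisher, typePropertiesType])" \
        --output tsv | has_endpoint_protection; then
        printf 'PASS  %s/%s\n' "$rg" "$vm"
    else
        printf 'FAIL  %s/%s  (no endpoint protection extension; check in-guest agent)\n' "$rg" "$vm"
    fi
}

# Live audit of every VM in the subscription; exits non-zero if any VM failed.
audit_subscription() {
    results=$(az vm list --query "[].[resourceGroup, name]" --output tsv |
        while read -r rg vm; do audit_vm "$rg" "$vm"; done)
    printf '%s\n' "$results"
    ! printf '%s\n' "$results" | grep -q '^FAIL'
}

# Constructed sample extension lists (not taken from a real subscription), in
# the shape the --query above produces: one "publisher/type" per line.
SAMPLE_PROTECTED='Microsoft.Azure.Monitor/AzureMonitorWindowsAgent
Microsoft.Azure.Security/IaaSAntimalware'
SAMPLE_UNPROTECTED='Microsoft.Compute/CustomScriptExtension
Microsoft.Azure.Monitor/AzureMonitorLinuxAgent'

if [ "${1:-}" = "--live" ]; then
    audit_subscription
else
    printf '%s\n' "$SAMPLE_PROTECTED" | has_endpoint_protection && echo "sample 1: PASS"
    printf '%s\n' "$SAMPLE_UNPROTECTED" | has_endpoint_protection || echo "sample 2: FAIL (a Custom Script Extension alone is not protection)"
fi
```

Run it as ./audit_ep.sh --live against a logged-in subscription; without the flag it only classifies the constructed samples. Filtering on provisioningState in the JMESPath query is deliberate: the portal lists failed extensions too, and a half-deployed antimalware extension would otherwise pass the check.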
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to Microsoft Defender for Cloud (formerly Azure Security Center).
Open Recommendations and filter for the recommendation to install an endpoint protection solution on machines; its affected resources list shows every VM on which no supported protection was detected.
Remediate each listed VM: enable the Microsoft Defender for Servers plan under Environment settings so the Microsoft Defender for Endpoint sensor is deployed automatically, or open the VM's Extensions + applications blade and add the Microsoft Antimalware extension (Windows only) or an approved third-party vendor's extension.
Return to the recommendation after the next assessment cycle and confirm the VM is no longer reported as unhealthy.
Using Azure CLI:
To deploy the Microsoft Antimalware extension on a Windows VM with real-time protection and a weekly quick scan (day 7 is Saturday, time is minutes after midnight), run:
az vm extension set --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --publisher Microsoft.Azure.Security --name IaaSAntimalware --settings '{"AntimalwareEnabled": true, "RealtimeProtectionEnabled": "true", "ScheduledScanSettings": {"isEnabled": "true", "day": "7", "time": "120", "scanType": "Quick"}}'
The Microsoft Antimalware extension is Windows-only. For Linux VMs, and for centrally managed protection on either OS, enable the Microsoft Defender for Servers plan on the subscription so that the Microsoft Defender for Endpoint sensor (MDE.Windows / MDE.Linux) is deployed automatically; this plan is billed per protected machine:
az security pricing create --name VirtualMachines --tier standard
Third-party endpoint protection can be installed through the vendor's own VM extension where one is published, or by running the vendor's installer through the Custom Script Extension. The Custom Script Extension is only an installer and provides no protection itself, so its presence must not be treated as evidence of compliance.
To verify the deployment, list the VM's extensions and confirm that the endpoint protection extension reports provisioningState Succeeded:
az vm extension list --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --query "[].{name:name, publisher:publisher, state:provisioningState}" --output table
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Virtual Machines blade, select the VM, and under Settings open Extensions + applications.
Select the endpoint protection extension (for example IaaSAntimalware or MDE.Windows) and choose Uninstall.
If the Microsoft Defender for Endpoint sensor was deployed through the Microsoft Defender for Servers plan, disable the plan (or its Defender for Endpoint integration) under Microsoft Defender for Cloud > Environment settings first; otherwise the sensor may be redeployed automatically. After removal the VM is reported as non-compliant with this recommendation.
Using Azure CLI:
To remove the Microsoft Antimalware extension from a VM, run:
az vm extension delete --resource-group <RESOURCE_GROUP_NAME> --vm-name <VM_NAME> --name IaaSAntimalware
To stop the Microsoft Defender for Servers plan from deploying the Microsoft Defender for Endpoint sensor to further machines, set the plan back to the free tier (this affects the whole subscription):
az security pricing create --name VirtualMachines --tier free
A sensor already present on a VM is not removed by the plan change; delete the MDE.Windows or MDE.Linux extension with az vm extension delete as above. After removal the VM is reported as non-compliant with this recommendation.