1.1.1 Enable Security Defaults on Azure Active Directory (Manual)
1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users (Manual)
1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users (Manual)
1.1.4 Enable 'Restore multi-factor authentication on all remembered devices' (Manual)
1.2.1 Define Trusted Locations (Manual)
1.2.2 Consider an exclusionary Geographic Access Policy (Manual)
1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups (Manual)
1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users (Manual)
1.2.5 Require Multi-factor Authentication for Risky Sign-ins (Manual)
1.2.6 Require Multi-factor Authentication for Azure Management (Manual)
1.3 Set Up Access Review for External Users in Azure AD Privileged Identity Management (Manual)
1.4 Review Guest Users on a Regular Basis (Manual)
1.5 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Manual)
1.6 Set 'Number of methods required to reset' to '2' (Manual)
1.7 Set a Custom Bad Password List to 'Enforce' for your Organization (Manual)
1.8 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Manual)
1.9 Set 'Notify users on password resets?' to 'Yes' (Manual)
1.10 Set 'Notify all admins when other admins reset their password?' to 'Yes' (Manual)
1.11 Set 'Users Can Consent to Apps Accessing Company Data on Their Behalf' To 'Allow for Verified Publishers' (Manual)
1.12 Set 'Users can consent to apps accessing company data on their behalf' to 'No' (Manual)
1.13 Set 'Users can add gallery apps to My Apps' to 'No' (Manual)
1.14 Set 'Users Can Register Applications' to 'No' (Manual)
1.15 Set 'Guest users access restrictions' to 'Guest user access is restricted to properties and memberships of their own directory objects' (Manual)
1.16 Set 'Guest invite restrictions' to "Only users assigned to specific admin roles can invite guest users" (Manual)
1.17 Set 'Restrict access to Azure AD administration portal' to 'Yes' (Manual)
1.18 Set 'Restrict user ability to access groups features in the Access Pane' to 'Yes' (Manual)
1.19 Set 'Users can create security groups in Azure portals, API or PowerShell' to 'No' (Manual)
1.20 Set 'Owners can manage group membership requests in the Access Panel' to 'No' (Manual)
1.21 Set 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' to 'No' (Manual)
1.22 Set 'Require Multi-Factor Authentication to register or join devices with Azure AD' to 'Yes' (Manual)
1.23 Ensure That No Custom Subscription Administrator Roles Exist (Automated)
1.24 Assign Permissions for Administering Resource Locks to a Custom Role (Manual)
1.25 Set 'Subscription Entering Azure Active Directory (AAD) Directory' and 'Subscription Leaving AAD Directory' To 'Permit No One' (Manual)
2.1.1 Set Microsoft Defender for Servers to 'On' (Manual)
2.1.2 Set Microsoft Defender for App Services To 'On' (Manual)
2.1.3 Set Microsoft Defender for Databases To 'On' (Manual)
2.1.4 Set Microsoft Defender for Azure SQL Databases To 'On' (Manual)
2.1.5 Set Microsoft Defender for SQL Servers on Machines To 'On' (Manual)
2.1.6 Set Microsoft Defender for Open-Source Relational Databases To 'On' (Manual)
2.1.7 Set Microsoft Defender for Storage To 'On' (Manual)
2.1.8 Set Microsoft Defender for Containers To 'On' (Manual)
2.1.9 Set Microsoft Defender for Cosmos DB To 'On' (Manual)
2.1.10 Set Microsoft Defender for Key Vault To 'On' (Manual)
2.1.11 Set Microsoft Defender for Domain Name System (DNS) To 'On' (Manual)
2.1.12 Set Microsoft Defender for IoT To 'On' (Manual)
2.1.13 Set Microsoft Defender for Resource Manager To 'On' (Manual)
2.2.1 Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' (Manual)
2.2.2 Set Auto provisioning of 'Vulnerability assessment for machines' to 'On' (Manual)
2.2.3 Set Auto provisioning of 'Microsoft Defender for Containers components' to 'On' (Manual)
2.3.1 Set 'All users with the following roles' to 'Owner' (Manual)
2.3.2 Configure 'Additional email addresses' with a Security Contact Email (Manual)
2.3.3 Set 'Notify about alerts with the following severity' to 'High' (Manual)
2.4.1 Select Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud (Manual)
2.4.2 Select Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud (Manual)
2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' (Manual)
2.6 Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled' (Manual)
3.1 Set 'Secure transfer required' to 'Enabled' (Automated)
3.2 Set 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage to 'enabled' (Automated)
3.3 Enable 'Enable key rotation reminders' for each Storage Account (Manual)
3.4 Ensure that Storage Account Access Keys are Periodically Regenerated (Manual)
3.5 Enable Storage Logging for Queue Service for 'Read', 'Write', and 'Delete' requests (Manual)
3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour (Manual)
3.7 Disable 'Public access level' for storage accounts with blob containers (Automated)
3.8 Set Default Network Access Rule for Storage Accounts to Deny (Automated)
3.9 Enable 'Allow Azure services on the trusted services list to access this storage account' for Storage Account Access (Automated)
3.10 Use Private Endpoints to access Storage Accounts (Automated)
3.11 Enable Soft Delete for Azure Containers and Blob Storage (Manual)
3.12 Encrypt Storage for Critical Data with Customer Managed Keys (Manual)
3.13 Enable Storage logging for Blob Service for 'Read', 'Write', and 'Delete' requests (Manual)
3.14 Enable Storage Logging for Table Service for 'Read', 'Write', and 'Delete' Requests (Manual)
3.15 Set the "Minimum Transport Layer Security (TLS) version" for storage accounts to "Version 1.2" (Automated)
4.1.1 Set 'Auditing' to 'On' (Manual)
4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (any IP) (Automated)
4.1.3 Encrypt SQL server's Transparent Data Encryption (TDE) protector with Customer-managed key (Automated)
4.1.4 Configure Azure Active Directory Admin for SQL Servers (Automated)
4.1.5 Set 'Data encryption' to 'On' on a SQL Database (Automated)
4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' (Manual)
4.2.1 Set Microsoft Defender for SQL to 'On' for critical SQL Servers (Automated)
4.2.2 Enable Vulnerability Assessment (VA) on a SQL server by setting a Storage Account (Automated)
4.2.3 Set Vulnerability Assessment (VA) setting 'Periodic recurring scans' to 'on' for each SQL server (Automated)
4.2.4 Configure Vulnerability Assessment (VA) setting 'Send scan reports to' for a SQL server (Automated)
4.2.5 Set Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' for each SQL Server (Automated)
4.3.1 Set 'Enforce SSL connection' to 'ENABLED' for PostgreSQL Database Server (Automated)
4.3.2 Set Server Parameter 'log_checkpoints' to 'ON' for PostgreSQL Database Server (Automated)
4.3.3 Set server parameter 'log_connections' to 'ON' for PostgreSQL Database Server (Automated)
4.3.4 Set server parameter 'log_disconnections' to 'ON' for PostgreSQL Database Server (Automated)
4.3.5 Set server parameter 'connection_throttling' to 'ON' for PostgreSQL Database Server (Automated)
4.3.6 Ensure Server Parameter 'logretentiondays' is greater than 3 days for PostgreSQL Database Server (Automated)
4.3.7 Disable 'Allow access to Azure services' for PostgreSQL Database Server (Automated)
4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' (Automated)
4.4.1 Set 'Enforce SSL connection' to 'Enabled' for Standard MySQL Database Server (Automated)
4.4.2 Set 'Transport Layer Security (TLS) Version' to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server (Automated)
4.4.3 Set server parameter 'auditlogenabled' to 'ON' for MySQL Database Server (Manual)
4.4.4 Ensure server parameter 'auditlogevents' has 'CONNECTION' set for MySQL Database Server (Manual)
4.5.1 Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks (Automated)
4.5.2 Use Private Endpoints Where Possible (Automated)
5.1.1 Ensure that a 'Diagnostic Setting' exists (Manual)
5.1.2 Ensure Diagnostic Setting captures appropriate categories (Automated)
5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible (Manual)
5.1.4 Encrypt the storage account containing the container with activity logs with Customer Managed Key (Manual)
5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' (Automated)
5.1.6 Capture Network Security Group (NSG) Flow logs and send to Log Analytics (Manual)
5.1.7 Enable logging for Azure AppService 'HTTP logs' (Manual)
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Automated)
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment (Automated)
5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Automated)
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group (Automated)
5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution (Automated)
5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution (Automated)
5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule (Automated)
5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule (Automated)
5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule (Automated)
5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule (Automated)
5.3 Enable Azure Monitor Resource Logging for All Services that Support it (Manual)
6.1 Evaluate and restrict Remote Desktop Protocol (RDP) access from the Internet (Automated)
6.2 Evaluate and restrict SSH access from the Internet (Automated)
6.3 Evaluate and restrict User Datagram Protocol (UDP) access from the Internet (Automated)
6.4 Evaluate and restrict HTTP(S) access from the Internet (Automated)
6.5 Ensure that Network Security Group (NSG) Flow Log retention period is 'greater than 90 days' (Automated)
6.6 This policy exists in addition to lacework-global-816. See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.
6.6 This policy exists in addition to lacework-global-634. See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.
6.7 Evaluate Public IP addresses on a Periodic Basis (Manual)
7.1 Ensure Virtual Machines are utilizing Managed Disks (Automated)
7.2 Encrypt 'OS and Data' disks with Customer Managed Key (CMK) (Automated)
7.3 Encrypt 'Unattached disks' with Customer Managed Key (CMK) (Automated)
7.4 Install Only Approved Extensions (Manual)
7.5 Install Endpoint Protection for all Virtual Machines (Manual)
7.6 (Legacy) Encrypt Virtual Hard Disks (VHD) (Manual)
8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults (Automated)
8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults (Automated)
8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults (Automated)
8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (Automated)
8.5 Ensure the Key Vault is Recoverable (Automated)
8.6 Enable Role Based Access Control for Azure Key Vault (Automated)
8.7 Use Private Endpoints for Azure Key Vault (Automated)
8.8 Enable Automatic Key Rotation Within Azure Key Vault for the Supported Services (Manual)
9.1 Set up App Service Authentication for apps in Azure App Service (Automated)
9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service (Automated)
9.3 Ensure Web App is using the latest version of Transport Layer Security (TLS) encryption (Automated)
9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' (Automated)
9.5 Enable Register with Azure Active Directory on App Service (Automated)
9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App (Manual)
9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App (Manual)
9.8 Ensure that 'Java version' is the latest, if used to run the Web App (Manual)
9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App (Automated)
9.10 Disable File Transfer Protocol (FTP) deployments (Automated)
9.11 Use Azure Key Vaults to Store Secrets (Manual)
10.1 Set Resource Locks for Mission-Critical Azure Resources (Manual)