title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Protecting your virtual machines in Azure Security Center \| Microsoft Docs | This document addresses recommendations in Azure Security Center that help you protect your virtual machines and stay in compliance with security policies. | security-center | na | TerryLanfear | MBaldwin | | 47fa1f76-683d-4230-b4ed-d123fef9a3e8 | security-center | na | article | na | na | 01/04/2018 | terrylan |
Azure Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls. Recommendations apply to Azure resource types: virtual machines (VMs), networking, SQL, and applications.
This article addresses recommendations that apply to VMs. VM recommendations center around data collection, applying system updates, provisioning antimalware, encrypting your VM disks, and more. Use the table below as a reference to help you understand the available VM recommendations and what each one will do if you apply it.
Recommendation | Description |
---|---|
Enable data collection for subscriptions | Recommends that you turn on data collection in the security policy for each of your subscriptions and all virtual machines (VMs) in your subscriptions. |
Enable encryption for Azure Storage Account | Recommends that you enable Azure Storage Service Encryption for data at rest. Storage Service Encryption (SSE) works by encrypting the data when it is written to Azure storage and decrypts before retrieval. SSE is currently available only for the Azure Blob service and can be used for block blobs, page blobs, and append blobs. To learn more, see Storage Service Encryption for data at rest. SSE is only supported on Resource Manager storage accounts. Classic storage accounts are currently not supported. To understand the classic and Resource Manager deployment models, see Azure deployment models. |
Remediate security configurations | Recommends that you align your OS configurations with the recommended security configuration rules, for example, do not allow passwords to be saved. |
Apply system updates | Recommends that you deploy missing system security and critical updates to VMs. |
Apply a Just-In-Time network access control | Recommends that you apply just in time VM access. The just in time feature is in preview and available on the Standard tier of Security Center. See Pricing to learn more about Security Center's pricing tiers. |
Reboot after system updates | Recommends that you reboot a VM to complete the process of applying system updates. |
Install Endpoint Protection | Recommends that you provision antimalware programs to VMs (Windows VMs only). |
Enable VM Agent | Enables you to see which VMs require the VM Agent. The VM Agent must be installed on VMs in order to provision patch scanning, baseline scanning, and antimalware programs. The VM Agent is installed by default for VMs that are deployed from the Azure Marketplace. The article VM Agent and Extensions – Part 2 provides information on how to install the VM Agent. |
Apply disk encryption | Recommends that you encrypt your VM disks using Azure Disk Encryption (Windows and Linux VMs). Encryption is recommended for both the OS and data volumes on your VM. |
Update OS version | Recommends that you update the operating system (OS) version for your Cloud Service to the most recent version available for your OS family. To learn more about Cloud Services, see the Cloud Services overview. |
Vulnerability assessment not installed | Recommends that you install a vulnerability assessment solution on your VM. |
Remediate vulnerabilities | Enables you to see system and application vulnerabilities detected by the vulnerability assessment solution installed on your VM. |
To learn more about recommendations that apply to other Azure resource types, see the following:
- Protecting your applications in Azure Security Center
- Protecting your network in Azure Security Center
- Protecting your Azure SQL service in Azure Security Center
To learn more about Security Center, see the following:
- Setting security policies in Azure Security Center -- Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing and responding to security alerts in Azure Security Center -- Learn how to manage and respond to security alerts.
- Azure Security Center FAQ -- Find frequently asked questions about using the service.