Uploaded by Jorge Lara

PCGOptix Sophos Demo-Azure - Sophos Cloud Optix Best Practices

FREE TRIAL (Sophos)
Azure - Sophos Cloud Optix Best Practices Report
Report Date: 06-24-2021 00:14:56 GMT
Execution Date: 06-24-2021 00:10:01 GMT
Customer: Sophos | Cloud provider: Azure
Environment: PCGOptix Sophos Demo | Environment ID: c3d7f5af-f4b8-4c8f-bfbe-98f683da76c4
EXECUTIVE SUMMARY
Pass: 47
Fail: 16
Total: 63
AKS
Pass: 1 | Fail: 0 | Total: 1
7.1 | AZ-2405 | Passed | Ensure Http application routing is not enabled for aks cluster
APP SERVICES (SERVERLESS) SECURITY
Pass: 11 | Fail: 3 | Total: 14
6.2 | AZ-3002 | Failed | Ensure client certificate is required for authentication for all Azure functions
  AvidFlowLogsc3d7f5af3d5bad07eeu1
  AvidActivityLogsc3d7f5af3d5bad07
6.3 | AZ-3003 | Failed | Ensure all Azure functions have https only enabled
  AvidFlowLogsc3d7f5af3d5bad07eeu1
  AvidActivityLogsc3d7f5af3d5bad07
6.4 | AZ-3004 | Failed | Ensure all Azure functions that are using FTP services have FTPS only enabled
  AvidFlowLogsc3d7f5af3d5bad07eeu1
  AvidActivityLogsc3d7f5af3d5bad07
6.1 | AZ-3001 | Passed | Ensure Azure functions are not accessible to the world
6.5 | AZ-3006 | Passed | Ensure all Azure functions have RemoteDebugging Disabled
6.6 | AZ-3007 | Passed | Ensure Azure functions CORS is not set to allow all resources
6.7 | AZ-3011 | Passed | Ensure all Azure Api Apps that are using FTP services have FTPS only enabled
6.8 | AZ-3012 | Passed | Ensure all Azure Api Apps have https only enabled
6.9 | AZ-3013 | Passed | Ensure all Azure Api Apps have RemoteDebugging Disabled
6.10 | AZ-3014 | Passed | Ensure all Azure Api Apps CORS is not set to allow all resources
6.11 | AZ-3021 | Passed | Ensure all Azure Web Apps that are using FTP services have FTPS only enabled
6.12 | AZ-3022 | Passed | Ensure all Azure Web Apps have https only enabled
6.13 | AZ-3023 | Passed | Ensure all Azure Web Apps have RemoteDebugging Disabled
6.14 | AZ-3024 | Passed | Ensure all Azure Web Apps CORS is not set to allow all resources
HOST SECURITY
Pass: 4 | Fail: 3 | Total: 7
5.1 | AZ-2351 | Failed | Ensure that VM Agent is installed
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm2
  RG/MC_TEST-GROUP_DEMOAKSCLUSTER_WESTUS/VMSS/aks-agentpool-19472795-vmss/VM/2
  RG/MC_TEST-GROUP_DEMOAKSCLUSTER_WESTUS/VMSS/aks-agentpool-19472795-vmss/VM/0
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm3
  RG/TFVMEX-RESOURCES/VM/test2
  RG/MC_TEST-GROUP_DEMOAKSCLUSTER_WESTUS/VMSS/aks-agentpool-19472795-vmss/VM/1
5.2 | AZ-2359 | Failed | Ensure that OS Disk is encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm2
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm3
  RG/TFVMEX-RESOURCES/VM/test2
5.5 | AZ-2361 | Failed | Recommended installation of Sophos server workload protection agents on all Azure VMs
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm2
  RG/MC_TEST-GROUP_DEMOAKSCLUSTER_WESTUS/VMSS/aks-agentpool-19472795-vmss/VM/2
  RG/MC_TEST-GROUP_DEMOAKSCLUSTER_WESTUS/VMSS/aks-agentpool-19472795-vmss/VM/0
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm3
  RG/TFVMEX-RESOURCES/VM/test2
  RG/MC_TEST-GROUP_DEMOAKSCLUSTER_WESTUS/VMSS/aks-agentpool-19472795-vmss/VM/1
5.3 | AZ-2360 | Passed | Ensure that Data Disks are encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys
5.4 | AZ-2358 | Passed | Ensure that 'Unattached disks' are encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys
5.6 | AZ-2362 | Passed | Flag VMs with Sophos agents installed with a ‘bad’ security health status
5.7 | AZ-2363 | Passed | Flag VMs with Sophos agents installed with a ‘suspicious’ security health status
DATA SECURITY
Pass: 25 | Fail: 3 | Total: 28
4.1.1 | AZ-2101 | Failed | Ensure that 'Secure transfer required' is set to 'Enabled'
  avic3d7f5af3d5bad07eeu1
  avidactc3d7f5af3d5bad07
  tfvmexresourcesdiag
4.3 | AZ-2101 | Failed | Ensure that 'Secure transfer required' is set to 'Enabled'
  avic3d7f5af3d5bad07eeu1
  avidactc3d7f5af3d5bad07
  tfvmexresourcesdiag
4.4 | AZ-2904 | Failed | Scan all Azure storage accounts to see if they are accessible from all networks
  avic3d7f5af3d5bad07eeu1
  avidactc3d7f5af3d5bad07
  tfvmexresourcesdiag
  csbc3d7f5aff4b8x4c8fxbfb
  csg10032000491d29d3
  csgc3d7f5aff4b8x4c8fxbfb
  testnewsophos
  testnewstoragearun
4.1.2 | AZ-2102 | Passed | Ensure that 'Storage service encryption' is set to Enabled for Blob Service
4.1.3 | AZ-2106 | Passed | Ensure that 'Storage service encryption' is set to Enabled for File Service
4.2.1 | AZ-2151 | Passed | Ensure that 'Auditing' is set to 'On'
4.2.2 | AZ-2152 | Passed | Ensure that 'Threat Detection' is set to 'On'
4.2.3 | AZ-2153 | Passed | Ensure that 'Threat Detection types' is set to 'All'
4.2.4 | AZ-2154 | Passed | Ensure that 'Send alerts to' is set
4.2.5 | AZ-2155 | Passed | Ensure that 'Email service and co-administrators' is 'Enabled'
4.2.6 | AZ-2156 | Passed | Ensure that 'Auditing' Retention is 'greater than 90 days'
4.2.7 | AZ-2157 | Passed | Ensure that 'Threat Detection' Retention is 'greater than or equal to 90 days'
4.2.8 | AZ-2158 | Passed | Ensure that Azure Active Directory Admin is configured
4.2.9 | AZ-2201 | Passed | Ensure that 'Auditing' is set to 'On' for every SQL Database
4.2.11 | AZ-2202 | Passed | Ensure that 'Threat Detection' is set to 'On' for every SQL database
4.2.12 | AZ-2203 | Passed | Ensure that 'Threat Detection types' is set to 'All' for every SQL Database
4.2.13 | AZ-2204 | Passed | Ensure that 'Send alerts to' is set for every SQL Database
4.2.14 | AZ-2205 | Passed | Ensure that 'Email service and co-administrators' is 'Enabled' under Security Alerts for every SQL Database
4.2.15 | AZ-2206 | Passed | Ensure that 'Data encryption' is set to 'On' for every SQL Database
4.2.16 | AZ-2207 | Passed | Ensure that 'Auditing' Retention is 'greater than 90 days' for every SQL Database
4.2.17 | AZ-2208 | Passed | Ensure that 'Threat' Retention is 'greater than 90 days' for every SQL database
4.2.18 | AZ-2908 | Passed | Secure sql servers by checking if firewall open to internet
4.2.19 | AZ-2217 | Passed | Ensure that Cosmos DB Firewall is not open to internet
4.2.20 | AZ-2218 | Passed | Ensure that multiple write locations or automatic failover is enabled for Cosmos DB
4.5 | AZ-2905 | Passed | Secure Paas DBs by checking if Active Directory Login is enabled
4.6 | AZ-2906 | Passed | Secure Paas DBs by checking if Data at Rest Encryption is enabled
4.7 | AZ-2907 | Passed | Secure Paas DBs by checking if Firewall rules are enabled
4.8 | AZ-2909 | Passed | Secure databases (psql, mysql, mariadb) by checking if firewall open to internet
NETWORK SECURITY
Pass: 5 | Fail: 4 | Total: 9
3.1 | AZ-2301 | Failed | Ensure that RDP access is restricted from the internet
  RG/tfvmex-resources/NSG/test2-nsg
3.2 | AZ-2302 | Failed | Ensure that SSH access is restricted from the Internet
  RG/tfvmex-resources/NSG/test2-nsg
3.7 | AZ-2902 | Failed | Flag resource(s) with public IP and Security Group with ingress from any source to one or more ports
  rg : TFVMEX-RESOURCES vm : test2 network interface : test2369
3.8 | AZ-2355 | Failed | Ensure that RDP access is restricted on Virtual Machines from the internet
  RG/TFVMEX-RESOURCES/VM/test2
3.3 | AZ-2303 | Passed | Ensure that SQL server access is restricted from the internet
3.5 | AZ-2305 | Passed | Ensure that Network Watcher is 'Enabled'
3.6 | AZ-2901 | Passed | Flag resource(s) with public IP and Security Group with ingress from any source on any port
3.9 | AZ-2356 | Passed | Ensure that all Azure IoT Hubs are configured to only allow client connections that use TLS version 1.2
3.10 | AZ-2357 | Passed | Ensure that connections to the Azure IoT Hub from the internet are restricted.
LOGGING AND MONITORING
Pass: 1 | Fail: 1 | Total: 2
2.2 | AZ-2252 | Failed | Ensure that Activity Log Retention is set 365 days or greater
  /subscriptions/c3d7f5af-f4b8-4c8f-bfbe-98f683da76c4
2.1 | AZ-2251 | Passed | Ensure that a Log Profile exists
AUTHENTICATION AND ACCESS MANAGEMENT
Pass: 0 | Fail: 2 | Total: 2
1.1 | AZ-2903 | Failed | Check if SSH Password based auth is enabled on one or more Linux VMs
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm2
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm
  RG/TFVMEX-RESOURCES/VM/tfvmex-vm3
  RG/TFVMEX-RESOURCES/VM/test2
1.2 | AZ-2024 | Failed | Do not provide guest users permission in Azure AD or Subscriptions
  deepak.yadav Principal : deepak.yadav_sophos.cpm#EXT#@pcgoptixdemo.onmicrosoft.com
  Arun Singh Principal : arun.singh_sophos.com#EXT#@pcgoptixdemo.onmicrosoft.com
  guy.davies Principal : guy.davies_sophos.com#EXT#@pcgoptixdemo.onmicrosoft.com
  Shagun Sharma Principal : shagun.sharma_sophos.com#EXT#@pcgoptixdemo.onmicrosoft.com
  Ganesh Krishnan Principal : ganesh.krishnan_sophos.com#EXT#@pcgoptixdemo.onmicrosoft.com
  Praneet Khare Principal : praneet.khare_sophos.com#EXT#@pcgoptixdemo.onmicrosoft.com
Powered by Sophos