| Domain | Nr | Security Control Name |
|---|---|---|
| Networking | 6.1 | Ensure that RDP access is restricted from the internet |
| | 6.2 | Ensure that SSH access is restricted from the internet |
| | 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) |
| | 6.4 | Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
| | 6.5 | Ensure that Network Watcher is ‘Enabled’ |
| Virtual Machines | 7.1 | Ensure that ‘OS disk’ are encrypted |
| | 7.2 | Ensure that ‘Data disks’ are encrypted |
| | 7.3 | Ensure that ‘Unattached disks’ are encrypted |
| | 7.4 | Ensure that only approved extensions are installed |
| | 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied |
| | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed |
| Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys |
| | 8.2 | Ensure that the expiration date is set on all Secrets |
| | 8.3 | Ensure that Resource Locks are set for mission critical Azure resources |
| | 8.4 | Ensure the key vault is recoverable |
| | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services |
| AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service |
| | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
| | 9.3 | Ensure web app is using the latest version of TLS encryption |
| | 9.4 | Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set to ‘On’ |
| | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service |
| | 9.6 | Ensure that ‘.Net Framework’ version is the latest, if used as a part of the web app |
| | 9.7 | Ensure that ‘PHP version’ is the latest, if used to run the web app |
| | 9.8 | Ensure that ‘Python version’ is the latest, if used to run the web app |
| | 9.9 | Ensure that ‘Java version’ is the latest, if used to run the web app |
| | 9.10 | Ensure that ‘HTTP Version’ is the latest, if used to run the web app |