ais-open / azure-blueprint Goto Github PK

remove "," at the end of the line no 1379

• Web traffic secured
  • Application Gateway

For all accounts , as applicable (e.g OS-level, RDP, Azure Portal):

• Automatic disable of temporary accounts, inactive accounts
• Inactivity logout / session termination
• Unsuccessful logon attempts
• System use notification
• Concurrent session control
• Session lock, termination

• Deny by default
• Restrict incoming traffic
• Application firewall
• NSGs
• Host-based firewall

while running powershell script for keyvault.
given password in simple string ie. reetikatech and its accepted and created successfully. without validation check mentioned in #7.
also displayed error on powershell screen but still created key vault.

For working on custom script extension until Bhavya has access to Azure Gov tenant

• OS-level
• Azure resources
• Firewall / application gateway
• Account actions (create, enable, modify, disable, delete)
• Use of privileged functions
• Account use monitoring (Atypical activity)

• BitLocker
• SSE
• Backup

Able to run and deploy in new resource group with provided steps it was successfully deployed yesterday for today displaying below error in template
for web application firewall enabled
ie. "wafEnabled": true
Deployment template validation failed: 'The value for the template parameter 'wafEnabled' at line '50' and column '20' is not provided. Please see https://aka.ms/arm-deploy/#parameter-file for usage details.'.

(Code: InvalidTemplate)

• Central review / correlation

• Baseline deviation reporting in OMS via Automation
• OS baseline configuration requirements
  • Limit software installation
  • Signed components only
  • Whitelisting
  • Alerting if unauthorized software installed
  • Least functionality (ports, protocols, services, etc.)

backup data

The template errored out while installing extension on SQLAO VM with message- "Provisioning of VM extension 'sqlAOPrepare' has timed out. Extension installation may be taking too long, or extension status could not be obtained.

This was while deploying the template for Azure commercial subscription. I forked the azure-blueprint directory to my own github repo and changed the values to deploy in an azure non-gov subscription.

Rest of the deployment succeeded.

SQLserver-0
is displaying Public IP

Managed access points (via bastion host / jumpbox)

• Individual User
• System / service user

reduce time it takes to provision ARM template

Resource group: bPrint700
Steps:
Remote desktop login to AZ-MGT-VM publicip: 57.227.167.226

observation:
yesterday:
when previously logged in its displaying all Servers under MGT server,using resource group Blueprint40.
today :resource group bprint700 displaying no servers under MGT server.

• user / admin function separation
• security function isolation
• bastion host / management subnet
• NSGs
  • Security component isolation
  • SQL tier / DB tier separation

• User-level
• System-level
• Encrypted (SSE)
• Dashboard reporting

• Strong initial password
• Minimum lifetime (1 day)
• Maximum lifetime (60 days)
• Complexity (14 char. length, at least one of each: upper case, lower case, number, special char.)
• Change entropy (at least 50%)
• Reuse restrictions (24 generations)
• Change at first logon requirement [do not enable in ref. arch.]
• Password strength enforcement
• Storage/transmission encryption

• Windows update configured
• Dashboard reporting in OMS

• Retention time of 1 year with capacity alerts

• Installed/configured on operating systems
  • automatic signature updates
  • periodic scanning
  • real-time detection
  • detection action(s)
  • nonsignature-based detection
  • logging/alerting
  • OMS reporting
• Application firewall
  • Inbound/outbound traffic monitoring

• Encryption / TDE

• 1 second
• UTC

in reference to the issue #35 information at rest
issue All Diskes should be encrypted
steps:
Checked disk encryption of all VMs
Expected : encrypted
Actual: not encrypted

Hi Harun,

I am facing errors in the template- it errors out while provisioning the virtual machines:

When I looked at the template from where it is provisioning the diagnostic storage account- it is giving the URI as “blob.core.usgovcloudapi.net”

Please let me know what to do.

Thanks
Bhavya

Steps:
Followed the same steps provided by Harun on Code page to deploy AzureDeploy script
while setting up pre-deployment setup
throwing Password Complexity Error: Administrator password did not meet the complexity requirements
on using expected Password string also throwing same error and not letting to proceed.

screenshot below

• OS roles, Azure roles
• Separation of duties
• Least privilege – e.g.:
  • Security admin
  • Web admin
  • DB admin
  • Audit manager

Currently set to 7 days, which is a limitation of the free pricing tier selected.

Related to #39

• BitLocker
• SQL encryption - URL for TDE to enable SQL encryption

• SQL tier to db tier
• Management

organize and clean up ARM template