azure-blueprint's Issues
Line no 1379-azuredeploy.json
Remove the "," at the end of line 1379.
Communications protection
- Web traffic secured
- Application Gateway
Alternate processing site (premium / v2 feature)
Account Management Principals
For all accounts, as applicable (e.g. OS-level, RDP, Azure Portal):
- Automatic disable of temporary accounts, inactive accounts
- Inactivity logout / session termination
- Unsuccessful logon attempts
- System use notification
- Concurrent session control
- Session lock, termination
Boundary protection
- Deny by default
- Restrict incoming traffic
- Application firewall
- NSGs
- Host-based firewall
Password validation not working for Key Vault creation
While running the PowerShell script for Key Vault,
I gave the password as a simple string, i.e. reetikatech, and it was accepted and the vault was created successfully, without the validation check mentioned in #7.
An error was also displayed on the PowerShell screen, but the key vault was still created.
Azure Diagnostics storage accounts are not connected sources in Log Analytics
Web Tier and Jumpbox VMs not joining domain
Replicate and Deploy azure environment for commercial subscription
For working on the custom script extension until Bhavya has access to the Azure Gov tenant.
Configure auditing based on FedRAMP requirements
- OS-level
- Azure resources
- Firewall / application gateway
- Account actions (create, enable, modify, disable, delete)
- Use of privileged functions
- Account use monitoring (Atypical activity)
SQL transaction recovery
Information at rest
- BitLocker
- SSE
- Backup
Deployment failed due to wafEnabled setting
I was able to run and deploy into a new resource group with the provided steps; it deployed successfully yesterday, but today the template displays the error below when the web application firewall is enabled,
i.e. "wafEnabled": true:
Deployment template validation failed: 'The value for the template parameter 'wafEnabled' at line '50' and column '20' is not provided. Please see https://aka.ms/arm-deploy/#parameter-file for usage details.'.
(Code: InvalidTemplate)
Offload to Log Analytics
- Central review / correlation
Add key vault authentication
SQL0BaselineDSC times out for SQL2016-WS2012R2
Uniform baseline applied to operating systems
- Baseline deviation reporting in OMS via Automation
- OS baseline configuration requirements
• Limit software installation
• Signed components only
• Whitelisting
• Alerting if unauthorized software installed
• Least functionality (ports, protocols, services, etc.)
Redundant storage (geo-replicated)
- Backup data
SQL AO extension timeout while deploying template
The template errored out while installing the extension on the SQLAO VM with the message: "Provisioning of VM extension 'sqlAOPrepare' has timed out. Extension installation may be taking too long, or extension status could not be obtained."
This was while deploying the template to an Azure commercial subscription. I forked the azure-blueprint directory to my own GitHub repo and changed the values to deploy in an Azure non-Gov subscription.
The rest of the deployment succeeded.
sqlserver-0 having public IP
Audit protection against altering records, purging
Deployment speed comparison of using a pre configured Managed Disk vs applying a DSC/VM extension on an unconfigured VM
AD federation (pre-setup / guidance)
Remote Access
Managed access points (via bastion host / jumpbox)
Establish user account types
- Individual User
- System / service user
Unique identifiers (e.g., no “Administrator”)
ARM template provisioning speed
reduce time it takes to provision ARM template
Not displaying connected servers under AZ-MGT-VM
Partitioning
- user / admin function separation
- security function isolation
- bastion host / management subnet
- NSGs
- Security component isolation
- SQL tier / DB tier separation
Backup
- User-level
- System-level
- Encrypted (SSE)
- Dashboard reporting
Password Restrictions
- Strong initial password
- Minimum lifetime (1 day)
- Maximum lifetime (60 days)
- Complexity (14 char. length, at least one of each: upper case, lower case, number, special char.)
- Change entropy (at least 50%)
- Reuse restrictions (24 generations)
- Change at first logon requirement [do not enable in ref. arch.]
- Password strength enforcement
- Storage/transmission encryption
Patching
- Windows update configured
- Dashboard reporting in OMS
Audit Storage Capacity
- Retention time of 1 year with capacity alerts
Anti-malware [SI-3(1), SI-3(2), SI-3(7)]
- Installed/configured on operating systems
- automatic signature updates
- periodic scanning
- real-time detection
- detection action(s)
- nonsignature-based detection
- logging/alerting
- OMS reporting
- Application firewall
- Inbound/outbound traffic monitoring
Application Configuration (e.g SQL server)
- Encryption / TDE
ExpressRoute (premium / v2 feature)
One more public IP displaying in resource group Bprint700, which is not expected as per the diagram.
Time sync
- 1 second
- UTC
All VM Disks are not encrypted
In reference to issue #35 (information at rest): all disks should be encrypted.
Steps:
Checked disk encryption of all VMs.
Expected: encrypted
Actual: not encrypted
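The check the issue above describes can be scripted. The following is an added PowerShell example, not code from the azure-blueprint repository: it lists the Azure Disk Encryption (BitLocker / dm-crypt) status of every VM in a resource group and exits non-zero if any volume is unencrypted, so it can be used as a post-deployment gate. It assumes the Az.Compute module is installed and Connect-AzAccount has already run (with -Environment AzureUSGovernment for the Gov tenant); the resource group name is a placeholder supplied by the caller.

```powershell
# Added example, not from the azure-blueprint repository.
# Reports Azure Disk Encryption status for every VM in a resource group and
# exits non-zero if any OS or data volume is not encrypted.
# Assumes Az.Compute is installed and Connect-AzAccount has run; the resource
# group name is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$ResourceGroupName
)

$unencrypted = @()
foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $vm.Name

    # DataVolumesEncrypted is 'NoDiskFound' on VMs with no data disks; that is compliant.
    $osOk   = $status.OsVolumeEncrypted -eq 'Encrypted'
    $dataOk = $status.DataVolumesEncrypted -in @('Encrypted', 'NoDiskFound')

    [pscustomobject]@{
        VM         = $vm.Name
        OsVolume   = $status.OsVolumeEncrypted
        DataVolume = $status.DataVolumesEncrypted
        Compliant  = ($osOk -and $dataOk)
    }

    if (-not ($osOk -and $dataOk)) { $unencrypted += $vm.Name }
}

if ($unencrypted.Count -gt 0) {
    Write-Error ("VMs with unencrypted volumes: " + ($unencrypted -join ', '))
    exit 1
}
```

Get-AzVMDiskEncryptionStatus reports only Azure Disk Encryption (the "BitLocker" item under Information at rest). Storage Service Encryption (the "SSE" item) is applied by the platform to managed disks regardless of this status, so an "Encrypted" result here is the stronger, guest-side control the issue is asking for.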
Azure Commercial support
RDP sessions secured
Password restriction error in pre-deployment AzureDeploy script, also when using the expected password string
Steps:
Followed the same steps provided by Harun on the Code page to deploy the AzureDeploy script.
While doing the pre-deployment setup,
it throws a password complexity error: "Administrator password did not meet the complexity requirements".
It throws the same error even when using the expected password string, and does not let me proceed.
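The Key Vault issue (a plain string like reetikatech accepted with only an on-screen error), the Password Restrictions list, and the pre-deployment complexity error above are all the same check. The following is an added PowerShell example, not code from the azure-blueprint repository, implementing the policy as listed under Password Restrictions (14 characters minimum, at least one upper-case letter, lower-case letter, digit and special character) and failing closed so that no resource is created when the check fails. The function name Test-PasswordComplexity, the variable $adminPassword and the sample strings are assumptions constructed for illustration.

```powershell
# Added example, not from the azure-blueprint repository.
# Checks a candidate password against the policy listed under "Password Restrictions":
# 14+ characters and at least one upper-case letter, lower-case letter, digit and
# special character. Function name and sample inputs are constructed for illustration.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Password
    )

    $failures = @()
    if ($Password.Length -lt 14)            { $failures += 'fewer than 14 characters' }
    # -cnotmatch is case-sensitive; the default -notmatch would let "abc" satisfy [A-Z]
    if ($Password -cnotmatch '[A-Z]')       { $failures += 'no upper-case letter' }
    if ($Password -cnotmatch '[a-z]')       { $failures += 'no lower-case letter' }
    if ($Password -notmatch '[0-9]')        { $failures += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $failures += 'no special character' }

    [pscustomobject]@{
        Valid    = ($failures.Count -eq 0)
        Failures = $failures
    }
}

# Constructed inputs: the first is the string from the Key Vault issue.
foreach ($candidate in @('reetikatech', 'Correct-Horse-Battery-9')) {
    $r = Test-PasswordComplexity -Password $candidate
    "{0,-25} valid={1} {2}" -f $candidate, $r.Valid, ($r.Failures -join '; ')
}

# Fail closed in the deployment script: throw (a terminating error) instead of
# Write-Error, so the script stops before any Key Vault or VM is created with a
# password that failed the check. $adminPassword is a placeholder; in a real
# script it comes from the caller, not a literal in the file.
$adminPassword = 'Correct-Horse-Battery-9'
$check = Test-PasswordComplexity -Password $adminPassword
if (-not $check.Valid) {
    throw "Administrator password did not meet the complexity requirements: $($check.Failures -join '; ')"
}
```

This covers only the per-password rules. The lifetime, reuse (24 generations) and change-entropy items in the same list need the previous-password history and belong in the OS / domain password policy, not in the deployment script.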
Role Based Access Control (RBAC)
- OS roles, Azure roles
- Separation of duties
- Least privilege – e.g.:
• Security admin
• Web admin
• DB admin
• Audit manager
Add Application Gateway for Web Tier
Log Analytics retention period should be 1 year
Currently set to 7 days, which is a limitation of the free pricing tier selected.
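Raising retention cannot be done on the Free tier, so the SKU has to change first. The following is an added PowerShell example, not code from the azure-blueprint repository: it reads the workspace's current tier and retention, moves it off the Free tier if necessary, sets 365-day retention, and re-reads the workspace to confirm. It assumes the Az.OperationalInsights module is installed and Connect-AzAccount has run; the workspace and resource group names and the target SKU (PerGB2018 here) are placeholders supplied by the caller.

```powershell
# Added example, not from the azure-blueprint repository.
# Ensures a Log Analytics workspace retains data for at least the required number
# of days. The Free tier caps retention at 7 days, so the workspace is moved to a
# paid SKU first when needed. Assumes Az.OperationalInsights is installed and
# Connect-AzAccount has run; names and the target SKU are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$ResourceGroupName,
    [Parameter(Mandatory = $true)][string]$WorkspaceName,
    [int]$RequiredRetentionDays = 365,
    [string]$TargetSku = 'PerGB2018'
)

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
"Current: sku=$($ws.Sku) retention=$($ws.RetentionInDays) days"

if ($ws.RetentionInDays -ge $RequiredRetentionDays) {
    "Retention already meets the $RequiredRetentionDays-day requirement."
    return
}

if ($ws.Sku -eq 'Free') {
    # Retention cannot be raised while the workspace is on the Free tier.
    Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName -Sku $TargetSku | Out-Null
}

Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName -RetentionInDays $RequiredRetentionDays | Out-Null

# Re-read rather than trust the call succeeded; fail loudly if retention is still short.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
if ($ws.RetentionInDays -lt $RequiredRetentionDays) {
    throw "Retention is still $($ws.RetentionInDays) days after update"
}
"Updated: sku=$($ws.Sku) retention=$($ws.RetentionInDays) days"
```

This satisfies the retention half of the Audit Storage Capacity item; the capacity alerts it also asks for are a separate configuration on the workspace.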
Restrictions on audit configurations / tools (who can configure / view)
Audit system failure (action / alerts)
Key Management / Key Vault
Related to #39
- BitLocker
- SQL encryption - URL for TDE to enable SQL encryption
Information flow enforcement
- SQL tier to db tier
- Management
Template organization / cleanup
organize and clean up ARM template