Using Azure Security Score

First version: 2023-01-27
Last updated: 2024-03-21
Last update(s): Some more detailed explanations. Will be adding more recommendations over time.

The Azure Security Score is a valuable tool to identify, understand and improve the security posture of your Azure resources. anDREa recommends that the local Research Support Team checks, and where possible improves, the Azure Security Score once a month. If you're a Research Support Team member and want to know more, you can schedule an appointment with anDREa's Security Officer.

The Azure Security Score is based on a combination of factors such as network security, identity and access management, and data protection. By identifying and addressing these issues, you can improve the security posture and reduce the risk of a security incident.

However, be aware that this is a score of what Azure considers secure. Take your own organization's security requirements into account as well. Also, not all flagged items can be resolved.


This article describes how to use the Azure Security Score at the Subscription level. The principle is the same at another level such as a Resource Group, which equates to a Workspace in the myDRE setting.

There are two main sections (use the TOC to navigate quickly):
  1. Azure Security Recommendations
  2. Azure Security incidents and alerts

Azure Security Recommendations

  1. Log in to portal.azure.com with your ST account
  2. Go to Subscriptions
  3. Select a subscription belonging to your organization.
  4. On the left-hand side, click on Security
  5. Recommendations - use the explanation below 

Recommendations explained

Machines should have a vulnerability assessment 

Type

REMEDIATE

Who

Any member of the Workspace, optionally Research Support Team (if added to the Workspace as a member).

Option 1

Start VM, install the vulnerability assessment solution and other updates. This mostly pops up when updates are available within the VM or if outdated software is being used within the VM.


The anDREa team is working on an Update Management Center to make this more insightful for the user.

Option 2

Delete the VM if it is no longer used.

Objective

Once this is done, this recommendation should disappear. 


Install endpoint protection on virtual machines

Type

REMEDIATE

Who

Any member of the Workspace, optionally Research Support Team.

Option 1

Start VM, install the vulnerability assessment solution and other updates.

Option 2

Delete the VM if it is no longer used.

Objective

Once this is done, this recommendation should disappear. 


Log analytics agent should be installed on virtual machines

Type

REMEDIATE

Who

Any member of the Workspace, optionally Research Support Team.

Option 1

Start VM, install the vulnerability assessment solution and other updates. This mostly pops up when updates are available within the VM or if outdated software is being used within the VM.


The anDREa team is working on an Update Management Center to make this more insightful for the user.

Option 2

Delete the VM if it is no longer used.

Objective

Once this is done, this recommendation should disappear. 


Machines should have vulnerability findings resolved

Type

REMEDIATE

Who

Research Support Team, optionally anDREa Support Team.

Option 1

A Monitoring Agent needs to be installed on the VM using a script.

Objective

Once this is done, this recommendation should disappear. 


Storage accounts should restrict network access using virtual network rules

Type

VERIFY REMEDIATE

Who

Support Team

Assess

Check whether any of the storage accounts listed here are Workspace storage accounts.

Action 1

It is acceptable if only diagnostic and cloud shell storage accounts show up. 

Action 2

If there are Workspace storage accounts listed, then this is a high risk/red flag. Contact anDREa.

Objective

Accept if it is expected, remediate through anDREa when it is unexpected.


Adaptive network hardening recommendations should be applied on internet facing virtual machines

Type

VERIFY

Who

Research Support Team

Assess

Assess the listed Workspaces. These are most likely Workspaces with a lot of network rules enabled or full internet access enabled. 

Action 1

Disable full internet access. 

Action 2

Contact users to disable network rules or full internet access.

Objective

Accept if it is expected or resolved.


A maximum of 3 owners should be designated for subscriptions

Type

VERIFY

Who

Research Support Team

Assess

Assess who is Subscription Owner by inheritance.

Action

If Subscription Owners show up that you do not recognize or should not be owner, contact anDREa.

Objective

Accept if it is expected, remediate through anDREa when it is unexpected.


There should be more than one owner assigned to subscriptions

Type

VERIFY

Who

Research Support Team

Assess

Assess who is Subscription Owner by inheritance.

Action

Contact anDREa if there are NO owners; one owner is fine, and more is also fine.

Objective

Accept if it is expected, remediate through anDREa when it is unexpected.


Keyvaults should have purge protection enabled

Type

WORKED UPON

Who

anDREa

Objective

Accept, after work completion the recommendation will disappear.


Deprecated accounts with owner permissions should be removed from subscriptions

Type

VERIFY

Who

Research Support Team; request the anDREa Support Team to remove Subscription Owners who no longer work at the organisation.

Objective

Accept.


Deprecated accounts should be removed from subscriptions

Type

WORKED UPON

Who

anDREa, Support team after work completion.

Objective

Accept, after work completion the recommendation will disappear.


Diagnostic logs in Key Vault should be enabled

Type

WORKED UPON

Who

anDREa

Objective

Accept, after work completion the recommendation will disappear.


Type

ACCEPT

Explanation

Private link connections do make a Workspace a lot more secure, but they are quite expensive and are not needed for a standard Workspace.

Alternative

If needed, contact anDREa.


Private end point should be configured for Keyvault

Type

ACCEPT

Explanation

Private link connections do make a Workspace a lot more secure, but they are quite expensive and are not needed for a standard Workspace.

Alternative

If needed, contact anDREa.


Management ports of virtual machines should be protected with just-in-time network access control

Type

ACCEPT

Explanation

The recommendation itself is important; however, anDREa uses its own implementation of just-in-time network access control. Therefore, this recommendation will show up in every subscription.

Objective

Accept, this recommendation is expected to show up in every subscription.


Guest configuration extension should be installed on machines

Type

ACCEPT

Explanation

anDREa does not do configuration management on VMs, so this is expected to be flagged in every subscription.

Objective

Accept, this recommendation is expected to show up in every subscription.


Firewall should be enabled on Keyvault

Type

ACCEPT

Explanation

This recommendation cannot be achieved in the current state. anDREa will keep an eye on updates. Keyvaults can, however, only be queried by Workspace Accountables/Privileged members.

Objective

Accept, this recommendation will show up in every subscription. Will be worked on once updates are available.


Azure Backup should be enabled for virtual machines

Type

ACCEPT

Explanation

anDREa does not enable Azure Backup by default, as it is quite expensive. Moreover, Virtual Machines are viewed as disposable: it is easy to set up a new Virtual Machine.

Objective

Accept. If Azure Backup is really needed, it can be requested. Contact anDREa.


Subnets should be associated with a network security group

Type

ACCEPT

Explanation

Per Subscription, 100 subnets are available for Workspaces. If 10 Workspaces have been created, it means that at least 90 subnets are not associated with a network security group. Once a Workspace is created, its subnet will be associated with a network security group. Therefore, this recommendation can be ignored.

Objective

Accept. 


Storage account public access should be disallowed

Type

ACCEPT

Explanation

This recommendation can be ignored and this is expected to show up in all subscriptions. The storage account settings are set to ‘only accessible to virtual networks and IP addresses’. Azure flags this as public, but in fact it is not publicly accessible. It is only accessible from within the associated Workspace.

Objective

Accept, this recommendation is expected to show up in every subscription.
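The recommendation table above is, in effect, a triage policy: each unhealthy recommendation lands in a REMEDIATE, VERIFY or ACCEPT bucket, with the storage-account rule needing an extra check on which accounts show up and the two owner rules needing an owner count. The script below is an added example (not anDREa's code) that applies that policy to a list of assessments. The record shape mirrors, in simplified form, what `az security assessment list -o json` returns (displayName, status.code, resourceDetails.id); the sample records, subscription and resource names are constructed, and recognising diagnostic and cloud shell storage accounts by their resource-group name is an assumption of this example.

```python
"""Triage of Defender for Cloud assessments against the recommendation table above.

Added example, not anDREa's code. Each record mirrors (simplified) one entry of
`az security assessment list -o json`: displayName, status.code, resourceDetails.id.
The sample records are constructed; the triage table is transcribed from this page.
"""
import re

# Transcribed from the "Recommendations explained" section (the Type field of each).
TRIAGE = {
    "Machines should have a vulnerability assessment": "REMEDIATE",
    "Install endpoint protection on virtual machines": "REMEDIATE",
    "Log analytics agent should be installed on virtual machines": "REMEDIATE",
    "Machines should have vulnerability findings resolved": "REMEDIATE",
    "Storage accounts should restrict network access using virtual network rules": "VERIFY REMEDIATE",
    "Adaptive network hardening recommendations should be applied on internet facing virtual machines": "VERIFY",
    "A maximum of 3 owners should be designated for subscriptions": "VERIFY",
    "There should be more than one owner assigned to subscriptions": "VERIFY",
    "Deprecated accounts with owner permissions should be removed from subscriptions": "VERIFY",
    "Keyvaults should have purge protection enabled": "WORKED UPON",
    "Deprecated accounts should be removed from subscriptions": "WORKED UPON",
    "Diagnostic logs in Key Vault should be enabled": "WORKED UPON",
    "Private end point should be configured for Keyvault": "ACCEPT",
    "Management ports of virtual machines should be protected with just-in-time network access control": "ACCEPT",
    "Guest configuration extension should be installed on machines": "ACCEPT",
    "Firewall should be enabled on Keyvault": "ACCEPT",
    "Azure Backup should be enabled for virtual machines": "ACCEPT",
    "Subnets should be associated with a network security group": "ACCEPT",
    "Storage account public access should be disallowed": "ACCEPT",
}

# Constructed sample input (not real assessment data); subscription/resource names are made up.
VM = "/subscriptions/sub-1/resourceGroups/ws-demo/providers/Microsoft.Compute/virtualMachines/ws-demo-vm1"
SAMPLE_ASSESSMENTS = [
    {"displayName": "Machines should have a vulnerability assessment",
     "status": {"code": "Unhealthy"}, "resourceDetails": {"id": VM}},
    {"displayName": "Storage accounts should restrict network access using virtual network rules",
     "status": {"code": "Unhealthy"},
     "resourceDetails": {"id": "/subscriptions/sub-1/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/cs1234"}},
    {"displayName": "Storage accounts should restrict network access using virtual network rules",
     "status": {"code": "Unhealthy"},
     "resourceDetails": {"id": "/subscriptions/sub-1/resourceGroups/ws-demo/providers/Microsoft.Storage/storageAccounts/wsdemostorage"}},
    {"displayName": "Azure Backup should be enabled for virtual machines",
     "status": {"code": "Unhealthy"}, "resourceDetails": {"id": VM}},
    {"displayName": "Some recommendation this page does not list",
     "status": {"code": "Unhealthy"}, "resourceDetails": {"id": VM}},
    {"displayName": "Guest configuration extension should be installed on machines",
     "status": {"code": "Healthy"}, "resourceDetails": {"id": VM}},
]


def resource_group(resource_id):
    """Resource group segment of an ARM resource id, or '' if absent."""
    m = re.search(r"/resourceGroups/([^/]+)/", resource_id, re.IGNORECASE)
    return m.group(1) if m else ""


def is_expected_storage_account(resource_id):
    """Page: only diagnostic and cloud shell storage accounts are acceptable here.
    Recognising them by resource-group name is an assumption of this example."""
    rg = resource_group(resource_id).lower()
    return rg.startswith("cloud-shell-storage") or "diag" in rg


def triage(assessments):
    """Map unhealthy assessments to the page's Type buckets.

    Storage accounts under the VERIFY REMEDIATE rule are split per the Assess step;
    recommendations this page does not list land in UNKNOWN for manual review.
    Returns {bucket: [(recommendation, resource id), ...]}.
    """
    report = {}
    for a in assessments:
        if a["status"]["code"] != "Unhealthy":
            continue  # healthy resources do not count against the score
        name, rid = a["displayName"], a["resourceDetails"]["id"]
        bucket = TRIAGE.get(name, "UNKNOWN")
        if bucket == "VERIFY REMEDIATE":
            bucket = ("ACCEPT (expected storage account)" if is_expected_storage_account(rid)
                      else "RED FLAG: contact anDREa")
        report.setdefault(bucket, []).append((name, rid))
    return report


def owner_count_verdict(owner_assignments):
    """Combine the two subscription-owner recommendations on this page:
    no owners -> contact anDREa; more than 3 -> verify each owner by inheritance; else fine.
    Input: the inherited Owner role assignments for the subscription."""
    n = len(owner_assignments)
    if n == 0:
        return "contact anDREa (no owners)"
    if n > 3:
        return "verify: more than 3 owners"
    return "ok"


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_ASSESSMENTS).items()):
        print(bucket)
        for name, rid in items:
            print(f"  {name}\n    {rid}")
    print("owners:", owner_count_verdict(["owner-a"]))
```

Feed it the real output of `az security assessment list` for a subscription and the UNKNOWN bucket tells you which recommendations this page does not yet cover; the RED FLAG bucket is the case the storage-account rule says to escalate to anDREa.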


Two recommendations to verify if the VM and data are encrypted

  1. In the same screen, click on View additional recommendations on Defender for Cloud.
  2. The status should be Completed and there should be 0 unhealthy resources.
    1. If this deviates, please contact anDREa to remediate.

Security incidents and alerts

  1. Log in to portal.azure.com with your ST account
  2. Go to Subscriptions
  3. Select a subscription belonging to your organization.
  4. On the left-hand side, click on Security
  5. Security incidents and alerts - use the following steps
    1. Click on the alert
    2. Click on the alert once more
    3. Click on View full details
    4. Investigate the alert details
      Under related entities, you can unfold the Account pane and find the AAD User ID
  6. Assess based on Alerts Explained section

Alerts explained

Unusual execution of custom script extension in your virtual machine

Type

VERIFY

Who

Research Support Team

Explanation

This alert is seen in several subscriptions. Usually it is because a VM was removed and then a new one added. To be able to log into a VM, a script adds the -RdpUsers group. This can be flagged as unusual execution of a custom script extension.

Action 1

Click on the alert twice and click on View full details. Under the Account pane you should be able to find the AAD User ID. Activate your User Administrator PIM role and copy and paste the AAD User ID into the search bar of the AAD.


Check all of them to see if it is a known entity:
  1. digital research environment app (weu-andrea)
  2. licenseadmin 

Objective

Accept if it is expected, remediate through anDREa when it is unexpected.


Type

VERIFY

Who

Research Support Team

Explanation

This alert pops up from time to time in specific Client subscriptions, most likely because they mask their on-premises IP addresses. It is also expected to show up in the Shared Subscription if you're making a template for the whole organisation.

Action 1

Check the details of the alert. 

Objective

Accept if it is expected, remediate through anDREa when it is unexpected.


Unusual user password reset in your virtual machine

Type

VERIFY

Who

Research Support Team

Explanation

This alert has been observed in a test Workspace used to troubleshoot a VM domain-joining issue. This alert is expected to be flagged in that specific subscription. It should not appear in other Subscriptions.

Action 1

Contact anDREa if it appears in other Subscriptions.

Objective

Should not occur.



Access from an unusual location to a storage file share

Type

VERIFY

Who

Research Support Team

Explanation

This appears also when an IP address is added to a storage account. Changes like this should be documented in a ticket.

Action 1

Search for the ticket. If it cannot be verified, please contact anDREa via security-related incidents.

Objective

Should not occur without a ticket to back it up.


Access from an unusual location to a storage file share

Type

VERIFY

Who

Research Support Team

Explanation

This alert might be for an authorised download.

Action 1

Verify with the users that this is indeed an authorised action; if this cannot be corroborated, please contact anDREa via security-related incidents.

Objective

Should not occur unless it is an authorised download.
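The "Security incidents and alerts" steps and the "Alerts explained" table together describe a small decision procedure: open the alert, read the account entity under related entities, and decide per alert name whether it is expected, needs a ticket, or goes to anDREa. The script below is an added example (not anDREa's code) that runs that procedure over alert records. The record shape is a simplified version of what `az security alert list -o json` returns: alertDisplayName, id (the ARM path, which carries the subscription id) and entities, where an account entity carries aadUserId and name. The sample alerts, AAD user ids, account names and the test subscription id are constructed; the known-entity names are the two listed on this page.

```python
"""Triage of Defender for Cloud alerts against the "Alerts explained" table above.

Added example, not anDREa's code. Alert records are a simplified form of
`az security alert list -o json` output; all sample values are constructed.
"""
import re

# The two known entities named on this page, lower-cased for comparison.
KNOWN_ENTITIES = {"digital research environment app (weu-andrea)", "licenseadmin"}

# Constructed: the subscription in which the password-reset alert is expected.
TEST_SUBSCRIPTION = "sub-test-0001"

# Constructed sample alerts (names are the alert titles from this page).
def _alert(name, sub, accounts):
    return {
        "alertDisplayName": name,
        "id": f"/subscriptions/{sub}/resourceGroups/ws-demo/providers/Microsoft.Security/locations/westeurope/alerts/alert-guid",
        "entities": [{"type": "account", "aadUserId": uid, "name": acc} for uid, acc in accounts],
    }

SAMPLE_ALERTS = [
    _alert("Unusual execution of custom script extension in your virtual machine", "sub-1",
           [("aad-0001", "licenseadmin")]),
    _alert("Unusual execution of custom script extension in your virtual machine", "sub-1",
           [("aad-0002", "j.doe")]),
    _alert("Unusual user password reset in your virtual machine", TEST_SUBSCRIPTION, []),
    _alert("Unusual user password reset in your virtual machine", "sub-1", []),
    _alert("Access from an unusual location to a storage file share", "sub-1", [("aad-0003", "r.roe")]),
]


def subscription_of(alert):
    """Subscription id taken from the alert's ARM resource id."""
    m = re.search(r"/subscriptions/([^/]+)/", alert["id"], re.IGNORECASE)
    return m.group(1) if m else ""


def account_entities(alert):
    """The account entities shown under 'related entities' in the alert details."""
    return [e for e in alert.get("entities", []) if e.get("type", "").lower() == "account"]


def triage_alert(alert, test_subscription=TEST_SUBSCRIPTION, known_entities=KNOWN_ENTITIES):
    """Return the alert name, the AAD user ids to look up in AAD, and the page's verdict."""
    name = alert["alertDisplayName"]
    accounts = account_entities(alert)
    ids = [a.get("aadUserId") for a in accounts]
    if name == "Unusual execution of custom script extension in your virtual machine":
        unknown = [a.get("name", "") for a in accounts if a.get("name", "").lower() not in known_entities]
        if not accounts:
            verdict = "verify: no account entity on the alert, check View full details"
        elif unknown:
            verdict = "remediate through anDREa: unknown account " + ", ".join(unknown)
        else:
            verdict = "accept: known entity"
    elif name == "Unusual user password reset in your virtual machine":
        verdict = ("expected in the test subscription" if subscription_of(alert) == test_subscription
                   else "contact anDREa: not expected in this subscription")
    elif name == "Access from an unusual location to a storage file share":
        verdict = "verify: find the ticket or confirm the download with the user, else report via security-related incidents"
    else:
        verdict = "not covered by this page: assess manually"
    return {"alert": name, "subscription": subscription_of(alert), "aadUserIds": ids, "verdict": verdict}


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        result = triage_alert(alert)
        print(f"{result['alert']} [{result['subscription']}]")
        print(f"  AAD user ids: {result['aadUserIds']}")
        print(f"  verdict: {result['verdict']}")
```

The AAD user ids it returns are the values you would paste into the AAD search bar after activating the User Administrator PIM role; the script does not look them up itself, so the known-entity check is only as good as the names in KNOWN_ENTITIES.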

