Use Azure Policy to audit if Azure Arc-enabled servers meet security baseline requirements

The following Jumpstart scenario will guide you on how to use Azure Policy to push Azure Security Baseline to Azure Arc-enabled Windows and Linux servers. With this feature, you can now use the Azure portal to view the compliance status of Azure Arc-enabled servers and whether they meet security baseline requirements, and if not, why.

You can use the Azure portal, an ARM template, or PowerShell script to assign policies to Azure subscriptions or resource groups. In this scenario, you will use the PowerShell script to assign Azure security baseline policies.

NOTE: This guide assumes you have already deployed VMs or servers running on-premises or in other clouds and have connected them to Azure Arc. If you haven’t, this repository offers a way to do so in an automated fashion:

Prerequisites

  • As mentioned, this scenario starts at the point where you already deployed and connected VMs or servers to Azure Arc. In the screenshots below we can see two Windows servers and one Linux server have been connected with Azure Arc and are visible as resources in Azure.

    Screenshot of Azure Arc-enabled servers in a resource group

    Screenshot of Azure Arc-enabled server connectivity status

Azure Security Baseline on Azure Arc connected machines

  • Now you can assign Azure security baseline policies to your Arc-connected machines. Note that there are different policies for Windows and Linux machines.

    To start the deployment on your Arc-connected Windows machines, use the following commands:

    $Policy = Get-AzPolicyDefinition -Name '72650e9f-97bc-4b2a-ab5f-9781a9fcecbc'
    $ResourceGroup = Get-AzResourceGroup -Name '<Name of the Azure resource group>'
    $Parameter = @{ 'IncludeArcMachines' = 'true' }

    New-AzPolicyAssignment -Name 'Windows machines should meet requirements of the Azure compute security baseline' -PolicyDefinition $Policy -Scope $ResourceGroup.ResourceId -Location '<Azure Region>' -IdentityType 'SystemAssigned' -PolicyParameterObject $Parameter


    To start the deployment on your Arc-connected Linux machines, use the following commands:

    $Policy = Get-AzPolicyDefinition -Name 'fc9b3da7-8347-4380-8e70-0a0361d8dedd'
    $ResourceGroup = Get-AzResourceGroup -Name '<Name of the Azure resource group>'
    $Parameter = @{ 'IncludeArcMachines' = 'true' }

    New-AzPolicyAssignment -Name 'Linux machines should meet requirements for the Azure compute security baseline' -PolicyDefinition $Policy -Scope $ResourceGroup.ResourceId -Location '<Azure Region>' -IdentityType 'SystemAssigned' -PolicyParameterObject $Parameter

  • Once the policy is assigned, it takes around 30 minutes for the assignment to be applied to the defined scope. After those 30 minutes, Azure Policy will start the evaluation cycle against the Azure Arc connected machines and recognize them as “Compliant” or “Non-compliant” to the Azure security baseline. To check this, go to the Compliance section under Policy.

    Screenshot of Azure policy compliance

  • Now, you can view the evaluated details of why an Azure Arc-enabled server is not compliant with security baselines.

    Screenshot of Azure security baseline compliance

    Screenshot of Azure security baseline evaluated details
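The compliance check above can also be done from PowerShell rather than the portal. The following script is an added example and is not part of the Jumpstart scenario; it assumes the Az.PolicyInsights module is installed, that Connect-AzAccount has been run, and that the resource group placeholder and the two assignment names match the commands used above.

```powershell
# Added example: query the compliance results of the two baseline assignments
# from PowerShell instead of the portal Compliance view.
# Assumes Az.PolicyInsights (Get-AzPolicyState, Start-AzPolicyComplianceScan)
# and a signed-in Az session.

$ResourceGroupName = '<Name of the Azure resource group>'
$AssignmentNames = @(
    'Windows machines should meet requirements of the Azure compute security baseline',
    'Linux machines should meet requirements for the Azure compute security baseline'
)

# Optional: request an on-demand evaluation instead of waiting for the next
# periodic cycle. The scan runs as a background job; Wait-Job blocks until done.
Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroupName -AsJob | Wait-Job | Out-Null

function Get-ArcBaselineCompliance {
    param([string]$ResourceGroupName, [string]$AssignmentName)

    # Get-AzPolicyState returns the latest evaluation record per resource for the
    # assignment. Filter client-side to Azure Arc-enabled servers so that Azure VMs
    # in the same resource group (also covered by the policy) are left out.
    Get-AzPolicyState -ResourceGroupName $ResourceGroupName -PolicyAssignmentName $AssignmentName |
        Where-Object { $_.ResourceType -like '*hybridcompute/machines' } |
        ForEach-Object {
            [pscustomobject]@{
                Machine         = ($_.ResourceId -split '/')[-1]
                Assignment      = $AssignmentName
                ComplianceState = $_.ComplianceState   # 'Compliant' or 'NonCompliant'
                EvaluatedAt     = $_.Timestamp
            }
        }
}

$results = foreach ($name in $AssignmentNames) {
    Get-ArcBaselineCompliance -ResourceGroupName $ResourceGroupName -AssignmentName $name
}

$results | Format-Table -AutoSize

# Non-compliant machines only, e.g. to feed a ticketing or alerting step.
$nonCompliant = $results | Where-Object ComplianceState -eq 'NonCompliant'
if ($nonCompliant) {
    Write-Warning ("{0} Arc-enabled server(s) do not meet the baseline" -f $nonCompliant.Count)
}
```

The per-rule reasons for a non-compliant result are still read from the evaluated details shown in the portal screenshots above.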

Cleanup

Complete the following steps to clean up your environment.

Remove the virtual machines from each environment by following the teardown instructions from each guide.

Remove the Azure security baseline policy assignments by executing the following PowerShell script:

$ResourceGroup = Get-AzResourceGroup -Name '<Name of the Azure resource group>'

Remove-AzPolicyAssignment -Name 'Windows machines should meet requirements of the Azure compute security baseline' -Scope $ResourceGroup.ResourceId -Confirm

Remove-AzPolicyAssignment -Name 'Linux machines should meet requirements for the Azure compute security baseline' -Scope $ResourceGroup.ResourceId -Confirm