| Recommendation | Control families |
|---|---|
| 1.1.1 Ensure Security Defaults is enabled on Microsoft Entra ID | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | IDENTIFICATION AND AUTHENTICATION |
| 1.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | IDENTIFICATION AND AUTHENTICATION |
| 1.2.1 Ensure Trusted Locations Are Defined | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered | ACCESS CONTROL |
| 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.2.6 Ensure Multifactor Authentication is Required for Windows Azure Service Management API | IDENTIFICATION AND AUTHENTICATION |
| 1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals | IDENTIFICATION AND AUTHENTICATION |
| 1.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.4 Ensure Guest Users Are Reviewed on a Regular Basis | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.5 Ensure That 'Number of methods required to reset' is set to '2' | IDENTIFICATION AND AUTHENTICATION |
| 1.6 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.7 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | ACCESS CONTROL |
| 1.8 Ensure that 'Notify users on password resets?' is set to 'Yes' | ACCESS CONTROL |
| 1.9 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | ACCESS CONTROL |
| 1.10 Ensure 'User consent for applications' is set to 'Do not allow user consent' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 1.12 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | CONFIGURATION MANAGEMENT |
| 1.13 Ensure That 'Users Can Register Applications' Is Set to 'No' | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.14 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION, RISK ASSESSMENT |
| 1.16 Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.21 Ensure that 'Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID' is set to 'Yes' | IDENTIFICATION AND AUTHENTICATION |
| 1.22 Ensure That No Custom Subscription Administrator Roles Exist | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.25 Ensure fewer than 5 users have global administrator assignment | ACCESS CONTROL |
| 2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.14 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | RISK ASSESSMENT |
| 2.1.17 Ensure That 'All users with the following roles' is set to 'Owner' | INCIDENT RESPONSE |
| 2.1.18 Ensure 'Additional email addresses' is Configured with a Security Contact Email | INCIDENT RESPONSE |
| 2.1.19 Ensure That 'Notify about alerts with the following severity' is Set to 'High' | SYSTEM AND INFORMATION INTEGRITY |
| 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND INFORMATION INTEGRITY |
| 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated | ACCESS CONTROL, CONFIGURATION MANAGEMENT, MAINTENANCE |
| 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour | ACCESS CONTROL |
| 3.7 Ensure that 'Public Network Access' is 'Disabled' for storage accounts | ACCESS CONTROL, MEDIA PROTECTION |
| 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.10 Ensure Private Endpoints are used to access Storage Accounts | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | CONTINGENCY PLANNING |
| 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.16 Ensure 'Cross Tenant Replication' is not enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 3.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.1 Ensure that 'Auditing' is set to 'On' | AUDIT AND ACCOUNTABILITY |
| 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers | ACCESS CONTROL |
| 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' | AUDIT AND ACCOUNTABILITY |
| 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | AUDIT AND ACCOUNTABILITY |
| 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | AUDIT AND ACCOUNTABILITY |