
Deprecated security recommendations

This article lists all the deprecated security recommendations in Microsoft Defender for Cloud.

Azure deprecated recommendations

Access to App Services should be restricted

Description & related policy: Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad. (Related policy: [Preview]: Access to App Services should be restricted).

Severity: High

Endpoint protection health issues on machines should be resolved

Description: Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities. See the documentation for the endpoint protection solutions supported by Defender for Cloud and the endpoint protection assessments. (No related policy)

Severity: Medium

Endpoint protection should be installed on machines

Description: To protect machines from threats and vulnerabilities, install a supported endpoint protection solution. Learn more about how endpoint protection for machines is evaluated in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud. (No related policy)

Severity: High

Install Azure Security Center for IoT security module to get more visibility into your IoT devices

Description & related policy: Install Azure Security Center for IoT security module to get more visibility into your IoT devices.

Severity: Low

Java should be updated to the latest version for function apps

Description & related policy: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'Java version' is the latest, if used as a part of the Function app).

Severity: Medium

Java should be updated to the latest version for web apps

Description & related policy: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'Java version' is the latest, if used as a part of the Web app).

Severity: Medium

Monitoring agent should be installed on your machines

Description & related policy: This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to. (No related policy)

Severity: High

PHP should be updated to the latest version for web apps

Description & related policy: Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app).

Severity: Medium

Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview)

Description & related policy: Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access. (Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services).

Severity: Medium

Public network access should be disabled for Cognitive Services accounts

Description: This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. (Related policy: Public network access should be disabled for Cognitive Services accounts).

Severity: Medium

Python should be updated to the latest version for function apps

Description & related policy: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'Python version' is the latest, if used as a part of the Function app).

Severity: Medium

Python should be updated to the latest version for web apps

Description & related policy: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version. (Related policy: Ensure that 'Python version' is the latest, if used as a part of the Web app).

Severity: Medium

The rules for web applications on IaaS NSGs should be hardened

Description & related policy: Harden the network security group (NSG) of your virtual machines that are running web applications and have NSG rules that are overly permissive with regard to web application ports. (Related policy: The NSGs rules for web applications on IaaS should be hardened).

Severity: High

Your machines should be restarted to apply system updates

Description & related policy: Restart your machines to apply the system updates and secure the machine from vulnerabilities. (Related policy: System updates should be installed on your machines).

Severity: Medium

MFA should be enabled on accounts with owner permissions on subscriptions

Description: Multifactor authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. (Related policy: MFA should be enabled on accounts with owner permissions on your subscription).

Severity: High

MFA should be enabled on accounts with read permissions on subscriptions

Description: Multifactor authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. (Related policy: MFA should be enabled on accounts with read permissions on your subscription).

Severity: High

MFA should be enabled on accounts with write permissions on subscriptions

Description: Multifactor authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. (Related policy: MFA should be enabled accounts with write permissions on your subscription).

Severity: High

Containers should only use allowed AppArmor profiles

Description: Containers running on Kubernetes clusters should be limited to allowed AppArmor profiles only. AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program. (Related policy: Kubernetes cluster containers should only use allowed AppArmor profiles).

Severity: High

Type: Kubernetes data plane

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

Description: To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. (No related policy)

Severity: High

Type: Kubernetes data plane

Services should listen on allowed ports only

Description: To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting services access to the configured ports. (Related policy: Ensure services listen only on allowed ports in Kubernetes cluster).

Severity: Medium

Type: Kubernetes data plane

Usage of host networking and ports should be restricted

Description: Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To prevent a compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec. (Related policy: Kubernetes cluster pods should only use approved host network and port range).

Severity: Medium

Type: Kubernetes data plane

Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers

Description: We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. If a container is compromised, its access to the node should be restricted. (Related policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths).

Severity: Medium

Type: Kubernetes data plane