This blog post is authored by Jonathan Trull, Cheif Security Advisor, Enterprise Cybersecurity Group.
While a securely configured operating system is essential to repelling today’s cyber attacks, the base images provided by vendors do not come pre-hardened and require significant research, expertise, and proper configuration by the customer. To make it easier for Microsoft customers to deploy secured virtual machines “out of the box,” I am excited to share the recent availability for purchase of hardened virtual machine images within Azure, based on the partnership between Microsoft and the Center for Internet Security (CIS). CIS is a non-profit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks. Hardened images are virtual machine images that have been hardened, or configured, to be more resilient to cyber attacks. These images are available in the Azure Marketplace and can be used by Azure customers to create new, securely configured virtual machines.
Establishing and maintaining the secure configuration of an entity’s IT infrastructure continues to be a core tenet of information security. History has shown that the misconfiguration or poor configuration of laptops, servers, and network devices is a common cause of data breaches. Global standards, governments, and regulatory bodies have also highlighted the importance of establishing and maintaining secure configurations, and in many cases, have mandated their use due to their effectiveness. I have included a few of the most relevant and wide-ranging examples in the table below.
|Center for Internet Security – Critical Security Controls||CIS Control 3 – Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers||https://www.cisecurity.org/controls/secure-configurations-for-hardware-and-software/|
|Australian Signals Directorate Strategies to Mitigate Cyber Security Incidents||User Application Hardening
Server Application Hardening
Operating System Hardening
|US NIST Cyber Framework||PR.IP-1: A baseline configuration of information technology/ industrial control systems is created and maintained||https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf|
|Payment Card Industry||Build and maintain a secure network and systems||https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf?agreement=true&time=1505339723255|
Accessing and Deploying CIS Hardened Images
To view the CIS hardened images, login to the Azure portal and navigate to the Marketplace. You can then search for and filter on the “Center for Internet Security.” As you can see below, there are hardened images for many of the common operating systems, including Windows Server 2012, Oracle Linux, and Windows Server 2016.
From within the Marketplace blade, you can then select the appropriate image and select the create button to start the deployment journey within the portal or gain further details on deploying the image programmatically. Below is an example showing the start of the deployment of new CIS hardened Windows Server 2016 image.
The hardened images are configured based on the technical specifications established in the related benchmark. These benchmarks are freely available on the CIS website in PDF format.
The CIS benchmarks contain two levels, each with slightly different technical specifications:
- Level 1 – Recommended, minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality
- Level 2 – Recommended security settings for highly secure environments and could result in some reduced functionality.
Prior to deploying one of the CIS hardened images, it is important for the administrator to review the benchmark’s specifications and ensure it conforms to the company’s policy, procedures, and standards and perform sufficient testing before deploying to a production environment.
CIS is working to release additional, hardened images, so check the Azure Marketplace for new updates.