Operating system misconfigurations
Microsoft Defender for Cloud provides security recommendations to improve organizational security posture and reduce risk. An important element in risk reduction is to harden machines across your business environment.
Assessment (Azure Machine Configuration extension)
Defender for Cloud assesses and enforces best-practice security configurations using built-in Azure policy initiatives. The Microsoft Cloud Security Benchmark (MCSB) is Defender for Cloud's default initiative.
MCSB includes compute security baselines for Windows and Linux operating systems.
Operating system recommendations based on these MCSB compute security baselines aren't included in Defender for Cloud's free foundational security posture capabilities.
The recommendations are available only when Defender for Servers Plan 2 is enabled.
When Defender for Servers Plan 2 is enabled, relevant Azure policies are enabled on the subscription:
- "Windows machines should meet requirements of the Azure compute security baseline"
- "Linux machines should meet requirements for the Azure compute security baseline"
Don't remove these policies: the machine configuration extension that collects machine data for the assessment depends on them, and the recommendations stop working without them.
Data collection
Machine information is gathered for assessment using the Azure machine configuration extension (formerly known as the Azure Policy guest configuration) running on the machine.
Installing the machine configuration extension
The machine configuration extension is installed as follows:
- Azure: On Azure machines, install the extension by remediating the recommendation Guest Configuration extension should be installed on machines.
- AWS/GCP: On AWS and GCP machines, the machine configuration extension is installed by default when you select Arc provisioning in the AWS or GCP connector.
- On-premises: For on-premises machines, the machine configuration extension is enabled by default when you onboard the machines as Azure Arc-enabled VMs.
- Azure VMs only: On Azure VMs (not Arc-enabled machines) you must also assign a system-assigned managed identity to the machine, by remediating the recommendation Virtual machines Guest Configuration extension should be deployed with system-assigned managed identity.
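The two Azure VM prerequisites above (the extension itself and a system-assigned managed identity) are easy to check and remediate from the Azure CLI. The following script is an added example, not part of the Defender for Cloud documentation: it inspects the JSON that az vm extension list and az vm show return, and prints the az commands needed for whatever is missing. The resource group and VM names are placeholders, and the extension publisher, type and instance names (Microsoft.GuestConfiguration, ConfigurationforWindows/ConfigurationforLinux, AzurePolicyforWindows/AzurePolicyforLinux) are those the Azure Policy guest configuration extension uses; with DRY_RUN=1 (the default) it runs on constructed sample JSON so it can be tried without a subscription.

```shell
#!/usr/bin/env bash
# Added example, not from the Defender for Cloud documentation.
# Checks one Azure VM for the machine configuration (guest configuration)
# extension and a system-assigned managed identity, and prints the Azure CLI
# commands that would remediate what is missing.
# Assumptions: Azure CLI is installed and logged in when DRY_RUN=0; resource
# group and VM names are placeholders; DRY_RUN=1 (default) uses the constructed
# sample JSON below instead of calling az.
set -eu

PUBLISHER="Microsoft.GuestConfiguration"

# ext_names <Windows|Linux>: prints "<extension type> <instance name>"
ext_names() {
  case "$1" in
    Windows) echo "ConfigurationforWindows AzurePolicyforWindows" ;;
    Linux)   echo "ConfigurationforLinux AzurePolicyforLinux" ;;
    *) echo "unsupported OS type: $1" >&2; return 1 ;;
  esac
}

# has_extension <json from 'az vm extension list'> <extension type>
# Succeeds when an installed extension of that type is listed.
has_extension() {
  printf '%s' "$1" | grep -q "\"typePropertiesType\": *\"$2\""
}

# has_system_identity <json from 'az vm show'>
# Matches identity.type "SystemAssigned" or "SystemAssigned, UserAssigned".
has_system_identity() {
  printf '%s' "$1" | grep -qE '"type": *"SystemAssigned(, *UserAssigned)?"'
}

# remediation_plan <Windows|Linux> <ext-json> <vm-json> <resource group> <vm>
# Prints one az command per missing prerequisite; empty output means nothing to do.
remediation_plan() {
  os="$1"; ext_json="$2"; vm_json="$3"; rg="$4"; vm="$5"
  names="$(ext_names "$os")" || return 1
  ext_type="${names%% *}"; ext_name="${names#* }"
  # Azure VMs need a system-assigned managed identity for the extension
  # (the recommendation above), so that is checked first.
  has_system_identity "$vm_json" ||
    echo "az vm identity assign --resource-group $rg --name $vm"
  has_extension "$ext_json" "$ext_type" ||
    echo "az vm extension set --resource-group $rg --vm-name $vm --publisher $PUBLISHER --name $ext_type --extension-instance-name $ext_name --enable-auto-upgrade true"
}

# Constructed sample: a VM with no managed identity and no extensions installed.
SAMPLE_EXT_JSON='[]'
SAMPLE_VM_JSON='{"name": "vm-placeholder", "identity": null, "type": "Microsoft.Compute/virtualMachines"}'

main() {
  rg="${1:-rg-placeholder}"; vm="${2:-vm-placeholder}"; os="${3:-Windows}"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    ext_json="$SAMPLE_EXT_JSON"; vm_json="$SAMPLE_VM_JSON"
  else
    ext_json="$(az vm extension list --resource-group "$rg" --vm-name "$vm" -o json)"
    vm_json="$(az vm show --resource-group "$rg" --name "$vm" -o json)"
  fi
  plan="$(remediation_plan "$os" "$ext_json" "$vm_json" "$rg" "$vm")"
  if [ -z "$plan" ]; then
    echo "$vm: machine configuration prerequisites already in place"
  else
    echo "$vm: remediation needed:"
    echo "$plan"
  fi
}

main "$@"
```

Run it as DRY_RUN=0 ./check-guest-config.sh <resource-group> <vm> <Windows|Linux> against a real VM, review the printed commands, then run them; for Arc-enabled machines the extension is provisioned with the Arc onboarding and the identity step does not apply, so this script is only for Azure VMs.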
What's not included
Additional features that the machine configuration extension provides outside Defender for Cloud aren't included, and are subject to Azure Policy machine configuration pricing.
- For example, remediation and custom policies are charged separately.
- Review details on the Azure Policy machine configuration pricing page.
Assessment (Defender Vulnerability Management)
Microsoft Defender for Cloud integrates natively with Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management to provide machines with vulnerability protection, and endpoint detection and response (EDR) capabilities.
As part of that integration, security baselines assessment is provided by Defender Vulnerability Management.
- Security baselines assessment uses customized security baseline profiles.
- A profile is a template consisting of device configuration settings and the benchmark values against which those settings are compared.
Support
Assessing devices against the Defender Vulnerability Management security baselines assessment profiles is currently available in public preview.
Defender for Servers Plan 2 must be enabled, and the Defender for Endpoint agent must be running on machines you want to assess.
Assessment is supported for machines running the operating systems covered by these security baseline profiles:
- windows_server_2008_r2
- windows_server_2016
- windows_server_2019
- windows_server_2022
Reviewing recommendations
To review recommendations made by security baseline assessments, search for the recommendation **Machines should be configured securely (powered by MDVM)** and view it for all resources.
Next steps
- Install the Azure Policy machine configuration.
- Remediate OS baseline misconfigurations.