Operating system misconfigurations

Microsoft Defender for Cloud provides security recommendations to improve organizational security posture and reduce risk. An important element in risk reduction is to harden machines across your business environment.

Assessment (Azure Machine Configuration extension)

Defender for Cloud assesses and enforces best-practice security configurations using built-in Azure policy initiatives. The Microsoft Cloud Security Benchmark (MCSB) is Defender for Cloud's default initiative.

MCSB includes compute security baselines for Windows and Linux operating systems.

Operating system recommendations based on these MCSB compute security baselines aren't included as part of Defender for Cloud's free foundational security posture capabilities.

  • The recommendations are available when Defender for Servers Plan 2 is enabled.

  • When Defender for Servers Plan 2 is enabled, relevant Azure policies are enabled on the subscription:

    • "Windows machines should meet requirements of the Azure compute security baseline"
    • "Linux machines should meet requirements for the Azure compute security baseline"
  • Don't remove these policies; without them, the machine configuration extension that collects machine data can't be used.
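As an added example (not from this page or from Microsoft), a shell check that the two baseline policies named above are still assigned on a subscription. It assumes the Azure CLI (`az`) is installed and logged in, and that built-in policy definitions resolve by their GUID name with `az policy definition show` at subscription scope.

```shell
#!/usr/bin/env bash
# Added example, not from the page: check that the two MCSB compute security
# baseline policies are still assigned on a subscription, since Defender for
# Cloud's machine configuration assessment depends on them.
# Assumption: Azure CLI is installed and logged in for the live check.
set -u

WINDOWS_BASELINE='Windows machines should meet requirements of the Azure compute security baseline'
LINUX_BASELINE='Linux machines should meet requirements for the Azure compute security baseline'

# missing_baselines: reads display names of assigned policy definitions (one
# per line) on stdin and prints each required baseline that is absent.
# Returns 1 if any baseline is missing, 0 if both are present.
missing_baselines() {
  assigned=$(cat)
  status=0
  for name in "$WINDOWS_BASELINE" "$LINUX_BASELINE"; do
    if ! printf '%s\n' "$assigned" | grep -Fxq "$name"; then
      printf '%s\n' "$name"
      status=1
    fi
  done
  return "$status"
}

# assigned_definition_names: display names of every policy definition assigned
# on the subscription, expanding initiative (policy set) assignments into their
# member definitions. Live `az` calls; assumes built-in definitions resolve by
# their GUID name at subscription scope.
assigned_definition_names() {
  az policy assignment list --subscription "$1" \
    --query "[].policyDefinitionId" -o tsv |
  while IFS= read -r id; do
    case "$id" in
      */policySetDefinitions/*)
        az policy set-definition show --subscription "$1" --name "${id##*/}" \
          --query "policyDefinitions[].policyDefinitionId" -o tsv ;;
      *) printf '%s\n' "$id" ;;
    esac
  done |
  while IFS= read -r id; do
    az policy definition show --subscription "$1" --name "${id##*/}" \
      --query displayName -o tsv
  done
}

# Usage: sh check_baselines.sh <subscription-id>
if [ "${1:-}" ]; then
  assigned_definition_names "$1" | missing_baselines && echo 'Both MCSB baseline policies are assigned.'
fi
```

Any baseline printed by the script is one that Defender for Cloud can no longer assess through the machine configuration extension.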

Data collection

Machine information is gathered for assessment using the Azure machine configuration extension (formerly known as the Azure Policy guest configuration) running on the machine.

Installing the machine configuration extension

The machine configuration extension is installed as follows:

What's not included

Additional features provided by the machine configuration extension outside Defender for Cloud aren't included, and are subject to Azure Policy machine configuration pricing.

Assessment (Defender Vulnerability Management)

Microsoft Defender for Cloud integrates natively with Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management to provide machines with vulnerability protection, and endpoint detection and response (EDR) capabilities.

As part of that integration, security baselines assessment is provided by Defender Vulnerability Management.

  • Security baselines assessment uses customized security baseline profiles.
  • A profile is a template consisting of device configuration settings and the benchmarks against which those settings are compared.

Support

  • Assessing devices against the Defender Vulnerability Management security baselines assessment profiles is currently available in public preview.

  • Defender for Servers Plan 2 must be enabled, and the Defender for Endpoint agent must be running on machines you want to assess.

  • Assessment is supported for machines covered by the following security baseline profiles:

    • windows_server_2008_r2
    • windows_server_2016
    • windows_server_2019
    • windows_server_2022

Reviewing recommendations

To review recommendations made by security baseline assessments, search for the recommendation **Machines should be configured securely (powered by MDVM)**, and view the recommendation for all resources.

Next steps