Exploring Azure Security Center VM Custom Baseline Policies

In this blog we explain on what basis ASC scans your VMs for security vulnerabilities and how you can customize that scan.

by | Feb 14, 2019 | General


Azure Security Center is a unified infrastructure security management system that strengthens the security posture of data centers and provides advanced threat protection across hybrid workloads in the cloud, whether they run in Azure or not, as well as on premises.

Azure Security Center helps prevent, detect, and respond to threats. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions. 

Ankit Rao

In this blog John is joined by a guest blogger, Ankit Rao. We talked a lot about OS security configurations on Yammer and after a while decided to write a blog on this topic together.

Ankit is a cloud enthusiast who works as a DevOps engineer at Cloudneeti. He works on Azure and AWS and has around 2-2.5 years of industry experience. Ankit completed a Bachelor's degree in Computer Engineering at Pune Institute of Computer Technology. His Twitter handle is @AnkitRao171994.

Azure security center and virtual machines

Security Center helps safeguard virtual machine data in Azure by providing visibility into the virtual machine's security settings. When Security Center safeguards virtual machines, the following capabilities are available:

  • Operating System (OS) security settings with the recommended configuration rules
  • System security and critical updates that are missing
  • Endpoint protection recommendations
  • Disk encryption validation
  • Vulnerability assessment and remediation
  • Threat detection

In this blog we’ll be exploring the Operating System (OS) security settings with the recommended configuration rules that the ASC provides and look into how it works and how we can customize the rules so that we can remediate vulnerabilities in security configuration on our machines.


Before the Virtual Machines in a subscription can be scanned, the subscription needs to be configured. If a new subscription is created this is set up automatically for you. To configure a subscription, go to Security Center > Security policy.

    Manage security settings

    The security policies can be managed by choosing a subscription or management group from the list. More options to define additional policies, manage exclusions and advanced settings can be found in Azure Policies.

    Enable Auto provisioning

    Security Center collects data from your Azure virtual machines (VMs) and non-Azure computers to monitor for security vulnerabilities and threats. Data is collected using the Microsoft Monitoring Agent, which reads various security-related configurations and event logs from the machine and copies the data to the selected workspace for analysis.

    Enabling this setting installs the Microsoft Monitoring Agent on every Virtual Machine, and the agent collects the security configuration data.

    Workspace configuration

    Data collected by Security Center is stored in a Log Analytics workspace. You can select to have data collected from Azure VMs stored in workspace(s) created by Security Center or in an existing workspace you created.

    • Default workspace created by Security Center:
      If you select this option, ASC creates a default workspace in which all the data related to the VMs is collected. Note that ASC creates a new default workspace per region, depending on the regions your Virtual Machines are created in.
      For example: if you have one VM in East US and another in Southeast Asia, ASC creates two default workspaces to store the scan data. The workspace name is 'DefaultWorkSpace' followed by your subscription id.
    • Use another workspace:
      You can connect a workspace you created yourself to ASC; all scan data is then collected in this single workspace, independent of the region your VMs are deployed in.

    If you want to be in charge of your Log Analytics workspace name, choose 'Use another workspace'.


    Integrations, user information and pricing

    The last couple of things you need to check are:

    • Enable integrations under Threat Protection: these settings are enabled by default, but check them before going live.
    • Email notifications: this setting is recommended because all alerts regarding your environment are sent by email, and by telephone if you enable both.
    • Pricing tier: the standard tier gives more features than the basic (free) tier:
      • Just in time VM Access
      • Adaptive application controls
      • Network threat detection

    ASC now lets you decide per resource type whether you want the standard tier. If you do not enable it for all resource types, the subscription coverage on the ASC dashboard shows 'partially covered'.

    Besides these settings, make sure that the Virtual Machines you expect to get scanned are up and in the running state.

    Azure states that the first scan may take place anywhere between 24 and 48 hours after the VM is set up. The scan is periodic and repeats at a similar interval thereafter.

    Accessing scan results

    Once the scan is complete, you can view the scan results in the Azure Portal as follows:
    go to Security Center > Compute & apps and select the VM you want to view the scan results for.

    First, verify that the scan has actually taken place. You can check that using the Security Configurations field, as shown; the last scan time is displayed for that particular VM.


    Remediate vulnerabilities

    On the same screen you see the option 'Remediate vulnerabilities in security configuration on your machines'. This is the security configuration scan ASC performs on the VM, reporting the results for the so-called "baseline" policies.


    Failed security configurations

    When you click this link, it redirects you to the Log Analytics workspace you set up earlier. By default it displays the list of "Failed" security configurations on the VM. The query can be modified to fit your needs.

    The example in the screenshot shows all details of the security configurations on the VM. Both passed and failed configurations are displayed, and the failed ones can be remediated using the remediation process available on the web.



    How the scan works

    You may be wondering why ASC scanned the VM shown in the sample screenshot for only 217 policies. The number could have been higher or lower, but why 217? The answer is the configuration file. While configuring ASC, we did not look into the tab called "Edit Configuration File".


    Configuration file

    In the 'Edit security configuration' area you can download the OS Security Configuration file. It is a JSON file containing all the policies ASC scans a VM of a particular OS for.

    There are basically three categories of policy rules:

    • Audit
    • Registry
    • Security

    The basic structure of the JSON is shown in the screenshot. The example JSON file has a complete object for Windows Server 2012 R2. Each rule array has multiple policies with all the details as shown.

    Whatever the number of policies in this JSON for a particular operating system, Azure Security Center scans the virtual machine for exactly that list.



    Customizing the security configuration scan

    As you may have noticed, the name of this setting is 'Edit configuration scan' and there is also a field to upload a file. So this file can be updated and new custom policies can be added, which makes the ASC agent scan your VMs for the policies you specify yourself.


    Creating custom rules

    You can add custom rules in the same JSON format as the existing rules. Below are some points to consider before you create a custom rule:

    • Schema version, baselineId and baselineName can’t be changed.
    • Ruleset cannot be removed.
    • Ruleset cannot be added.
    • The maximum number of rules allowed (including default rules) is 1000.


      New custom rules are marked with a new custom source (!= “Microsoft”). The ruleId field can be null or empty. If it is empty, Microsoft generates one. If it is not empty, it must have a valid GUID that’s unique across all rules (default and custom). Review the following constraints for the core fields:


      • originalId: Can be null or empty. If originalId is not empty, it should be a valid GUID.
      • cceId: Can be null or empty. If cceId is not empty, it must be unique.
      • ruleType: (select one) Registry, AuditPolicy, or SecurityPolicy.
      • Severity: (select one) Unknown, Critical, Warning, or Informational.
      • analyzeOperation: Must be Equals.
      • auditPolicyId: Must be a valid GUID.
      • regValueType: (select one) Int


      Basically you want to start with a virtual machine with Windows Server 2012 R2 installed. We started by adding some Registry policies from the CIS Microsoft Windows Server 2012 R2 Benchmark [imported] v1.0.0. Link here.

      We added three policies (CCE-37226-8, CCE-37622-8, CCE-38235-8) from the CIS benchmark Excel sheet, which can be found here. These three policies are for Windows Server 2012 R2 and fall under the Registry type.

      So make sure you add the rule block inside the JSON object with baselineName 'WS2012R2 Server Security Compliance', and inside that baseline's RegistryRules array.

      As already mentioned above, many of the fields are self-explanatory, but we will demonstrate how to add a new policy end to end.

      For example, CCE-38235-8. Policy: Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'.

      You can refer to the Excel sheet linked earlier for the policy details.

      Below is the policy block for the custom policy. The text after // on each line is explanation only; JSON does not allow comments, so strip it before uploading the file:

          {
            "hive": "LocalMachine",
            "regValueType": "Int", // these fields are populated as explained above
            "keyPath": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", // the registry path the ASC agent reads the VM's current configuration from; taken from the audit procedure the CIS Excel sheet gives for this policy
            "valueName": "InactivityTimeoutSecs", // the registry value the agent reads the configuration value from; also from the CIS audit procedure
            "ruleId": "",
            "originalId": "", // ruleId and originalId can be left blank; they are auto-populated once the file is uploaded to ASC
            "cceId": "CCE-38235-8", // the policy CCE-ID from the CIS Excel sheet
            "ruleName": "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'", // the policy title from the CIS Excel sheet
            "baselineRuleType": "Registry", // category the policy falls under
            "expectedValue": "900", // the ideal configuration value; 900 as per the policy statement. Because analyzeOperation is Equals, a VM set to any other value, including a lower one, is reported as failed
            "remediationValue": "900", // same as expectedValue
            "severity": "Critical", // severity of the policy according to its impact on the VM
            "analyzeOperation": "Equals", // operation performed between the value retrieved from the VM and expectedValue/remediationValue
            "source": "MyCustomSource", // anything other than Microsoft
            "state": "Enabled" // Enabled so that the ASC agent scans the VM for this policy
          }

      This is how you add your custom policies.
      This is how the custom deployed OS security configuration looks like in Log Analytics.
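      As an added example that is not part of the original post, the following Python script appends the CCE-38235-8 rule above to a downloaded configuration file and checks it against the constraints listed under 'Creating custom rules' before you upload it. The container key "baselineRulesets", the rule array names "AuditRules", "RegistryRules" and "SecurityRules" and the constructed sample file are assumptions; the rule field names are the ones used in the policy block above.

```python
import re
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ALLOWED_TYPES = {"Registry", "AuditPolicy", "SecurityPolicy"}
ALLOWED_SEVERITIES = {"Unknown", "Critical", "Warning", "Informational"}
RULE_ARRAYS = ("AuditRules", "RegistryRules", "SecurityRules")  # assumed names
MAX_RULES = 1000  # default plus custom rules, per the constraints above
# Constructed stand-in for the downloaded file; "baselineRulesets" and the
# rule array names are assumptions (a real file holds hundreds of rules).
SAMPLE_BASELINE = {"schemaVersion": "1.0", "baselineRulesets": [{
    "baselineId": "00000000-0000-0000-0000-000000000001",
    "baselineName": "WS2012R2 Server Security Compliance",
    "RegistryRules": [{"ruleId": "11111111-1111-1111-1111-111111111111",
                       "cceId": "CCE-00000-0", "source": "Microsoft",
                       "baselineRuleType": "Registry"}]}]}
# The post's CCE-38235-8 rule with the explanatory comments removed.
CUSTOM_RULE = {
    "hive": "LocalMachine", "regValueType": "Int",
    "keyPath": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
    "valueName": "InactivityTimeoutSecs", "ruleId": "", "originalId": "",
    "cceId": "CCE-38235-8", "baselineRuleType": "Registry",
    "ruleName": "Ensure 'Interactive logon: Machine inactivity limit' is set to "
                "'900 or fewer second(s), but not 0'",
    "expectedValue": "900", "remediationValue": "900", "severity": "Critical",
    "analyzeOperation": "Equals", "source": "MyCustomSource", "state": "Enabled"}

def rule_problems(rule, existing):
    """Return the constraints listed in the post that `rule` violates."""
    checks = [
        (rule.get("source") not in (None, "", "Microsoft"), "source must not be Microsoft"),
        (rule.get("baselineRuleType") in ALLOWED_TYPES, "invalid baselineRuleType"),
        (rule.get("severity") in ALLOWED_SEVERITIES, "invalid severity"),
        (rule.get("analyzeOperation") == "Equals", "analyzeOperation must be Equals")]
    for f in ("ruleId", "originalId"):  # empty is allowed, otherwise a valid GUID
        checks.append((not rule.get(f) or bool(GUID.match(rule[f])), f + " is not a GUID"))
    for f in ("ruleId", "cceId"):  # must be unique across default and custom rules
        checks.append((not rule.get(f) or rule[f] not in {r.get(f) for r in existing},
                       f + " duplicates an existing rule"))
    return [msg for ok, msg in checks if not ok]

def add_custom_rule(baseline, baseline_name, rule):
    """Append `rule` to the named baseline's RegistryRules; return the new total."""
    target = next(b for b in baseline["baselineRulesets"] if b["baselineName"] == baseline_name)
    existing = [r for arr in RULE_ARRAYS for r in target.get(arr, [])]
    problems = rule_problems(rule, existing)
    if len(existing) >= MAX_RULES:
        problems.append("rule limit of %d reached" % MAX_RULES)
    if problems:
        raise ValueError("; ".join(problems))
    target.setdefault("RegistryRules", []).append(rule)
    return len(existing) + 1
```

      Load the downloaded file with json.load, call add_custom_rule once per CIS policy, and write the result back with json.dump before uploading it in the 'Edit security configuration' area.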


      Microsoft offers the ability to create your own custom security baselines, and they have made it quite easy to edit and deploy the adjusted baseline. With this knowledge we can start building our own CIS baseline that conforms to the latest CIS standards. Stay tuned for more information on hardening your systems, automating this hardening, and further explanations of the features in Azure Security Center.

      John de Jager and Ankit Rao