- Computer systems that interact directly with users are considered endpoint systems
- Endpoint systems are typically vulnerable to security attacks
- Azure Security Center provides the tools you need to harden your network, secure your services, and solidify your security posture
- First step: Protect against malware
- Install and integrate your antimalware solution with Security Center
- Second step: Monitor the status of antimalware
- Security Center monitors the status of antimalware protection and reports this under the Endpoint protection issues blade
- Azure Resource Manager is the deployment and management service for your Azure subscription
- It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription
- When you take actions through the portal, PowerShell, Azure CLI, REST APIs, or client SDKs, the Azure Resource Manager API handles your request
- Azure Security Center helps you prevent, detect, and respond to threats with increased visibility and control of Azure resource security
- When you use Security Center to safeguard your VMs, the following capabilities are available:
- Operating system (OS) security settings with the recommended configuration rules
- System security and critical updates that are missing
- Endpoint protection recommendations
- Disk encryption validation
- Vulnerability assessment and remediation
- Threat detection
- A security policy defines the set of recommended controls for resources within the specified subscription or resource group
- To harden VMs on Azure, you can:
- Set security policies to manage vulnerabilities for VMs
- Enable data collection so that Security Center can gather necessary information
- Use Security Center to analyze the security state of your Azure resources
- Use Security Center to monitor, analyze, and enable security policies to identify potential vulnerabilities
- The Update Management service enables you to assess your update status across your environment and manage your Windows and Linux server patching
- Your Azure subscription includes Update Management at no additional cost
- Computers that are managed by Update Management use the following configurations to perform assessment and update deployments:
- Microsoft Monitoring Agent (MMA) for Windows or Linux
- Desired State Configuration (DSC) in Windows PowerShell for Linux
- Hybrid Runbook Worker in Azure Automation
- Microsoft Update or Windows Server Update Services (WSUS) for Windows computers
- We recommend that you use the Update Management solution in Azure Automation to manage operating system updates for your Windows and Linux computers in any scenario
- You can enable Update Management for virtual machines directly from your Azure Automation account
Windows 10, Windows Server 2016, and Windows Server 2019 include the following key security features:
- Windows Defender Credential Guard
- Uses virtualization-based security to isolate secrets so that only privileged system software can access them
- Windows Defender Device Guard
- Windows Defender Application Control
- Helps mitigate attacks from spyware, adware, rootkits, viruses, and keyloggers, by restricting the applications that users can run and the code that runs in the system core or kernel