
Skyhigh Security

Policy Templates for Azure - DEPRECATED

For instructions on how to find Policy templates that are new or updated due to changed recommendations, see Find New and Updated Policy Templates

Policy Templates Deprecated in 6.6.1

The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.6.1.

Policy Name: AKS: Do not admit containers with NET_RAW capabilities in Pod Security Policies
Comments: PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed from Kubernetes in v1.25.

Policy Templates Deprecated in 6.2.0

The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.2.0.

Policy Name: Threat detection should be enabled for SQL databases
Comments: This setting is at the subscription level.

Policy Templates Deprecated in 6.1.2

The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.2.0.

Policy Name: Email service and co-administrators should be enabled for SQL databases
Comments: This setting is at the top-level server, not the constituent database.

Policy Templates Deprecated in 6.1.1

The following Policy Templates for Azure are deprecated in Skyhigh CASB 6.1.1.

Comments (apply to every template in this list): Azure Microsoft Defender has deprecated multiple security recommendations. The corresponding Policy Templates for Azure Security Configuration Audit are now deprecated.
Web Link: https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference

Policy Names:
- Monitor access rules in Event Hub namespaces should be enabled in Security Center
- Monitor Configure IP restrictions for API App should be enabled in Security Center
- Web sockets for API App should be disabled in Security Center
- Custom domain use in API App should be enabled in Security Center
- Use latest DotNet version in API App should be enabled in Security Center
- Use latest Java version in API App should be enabled in Security Center
- Use latest PHP version in API App should be enabled in Security Center
- Use latest Python version in API App should be enabled in Security Center
- Monitor Configure IP restrictions for Function App should be enabled in Security Center
- Web sockets for Function App should be disabled in Security Center
- Custom domain use in Function App should be enabled in Security Center
- Monitor Configure IP restrictions for Web App should be enabled in Security Center
- Web sockets for Web App should be disabled in Security Center
- Custom domain use in Web App should be enabled in Security Center
- Use latest DotNet version in Web App should be enabled in Security Center
- Use latest Node js version in Web App should be enabled in Security Center
- Monitoring agent health issues should be resolved on virtual machines
- Disk encryption should be applied on your Virtual Machines
- IP restrictions for Web App should be configured
- Custom domains should be used for Web application
- Latest supported .NET framework version should be used for Web Application
- Web Sockets should be disabled for Web Application
- IP restrictions for Function App should be configured
- Custom domains should be used for Function App
- Web Sockets should be disabled for function Application
- All resources should not be allowed to access your application
- Virtual Machines should be rebooted after system updates
- Latest supported Node.js version should be used for Web Application
- Application protection should be finalized
- OS version should be updated

Policy Templates Deprecated in 5.2.0

The following Policy Templates for Azure are deprecated in Skyhigh CASB 5.2.0.

Policy Name: Unencrypted activity logs in storage account
Comments: As per Azure, post-June 2017 Storage Service Encryption is enabled by default and cannot be disabled.
Also, in the latest CIS benchmark 1.1.0, the control "3.6 Ensure that Storage service encryption is set to enabled for File Service" is marked as deleted.
Hence the policy is deprecated.
Web Link: https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/

Policy Name: Storage Service Encryption for Storage Accounts
Comments: As per Azure, post-June 2017 Storage Service Encryption is enabled by default and cannot be disabled.
Also, in the latest CIS benchmark 1.1.0, the control "3.6 Ensure that Storage service encryption is set to enabled for File Service" is marked as deleted.
Hence the policy is deprecated.
Web Link: https://azure.microsoft.com/en-in/blog/announcing-default-encryption-for-azure-blobs-files-table-and-queue-storage/

Policy Name: Latest OS Patch Updates Enabled for Virtual Machines
Comments:
1. This policy depends on the "osProfile.windowsConfiguration.enableAutomaticUpdates" property. Because this property is not returned for Linux VMs, the policy does not work for Linux VMs.
2. If you create a Windows VM from the Azure Portal, "osProfile.windowsConfiguration.enableAutomaticUpdates" is true by default and cannot be updated after the VM is created.
3. Even though osProfile.windowsConfiguration.enableAutomaticUpdates is true by default for Windows VMs, the Azure Portal still shows an option to enable Update Management for Windows VMs, which it should not.
4. If you create a VM with Update Management disabled using the REST API, "osProfile.windowsConfiguration.enableAutomaticUpdates" returns false. Even after enabling Update Management, "osProfile.windowsConfiguration.enableAutomaticUpdates" still returns false in data collection.
Due to the limitations mentioned above, the policy is deprecated.
Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. You need to manage your VM updates.
Web Link: https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas#manage-operating-systems

Policy Name: Enable VM agent on Virtual Machines
Comments: We depend on Azure APIs to check whether the VM agent is installed on a VM. The configuration parameter checked is "provisionVMAgent". If the agent was installed manually, the API always returns this parameter as false.
Also, in the latest CIS benchmark 1.1.0, the control "7.1 Ensure that VM agent is installed" is marked as deleted.
Hence the policy is deprecated.
Web Link: https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get
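The VM-related limitations above come down to two properties in the Virtual Machines Get response, enableAutomaticUpdates and provisionVMAgent, that an audit check cannot read at face value. The following added example (not Skyhigh's or Azure's code) evaluates constructed VM resources shaped like that response and shows a naive check next to one that reports "not applicable" or "unverified" instead of a false non-compliance finding; the sample resources and status labels are assumptions made for illustration.

```python
# Added example: evaluating the two Azure VM properties the deprecated templates
# relied on. Sample resources below are constructed, not real API output.

def naive_auto_updates_result(vm: dict) -> str:
    """The kind of check the deprecated template made; it assumes a Windows VM."""
    try:
        flag = vm["properties"]["osProfile"]["windowsConfiguration"]["enableAutomaticUpdates"]
    except KeyError:
        return "KeyError"  # Linux VMs carry linuxConfiguration, not windowsConfiguration
    return "compliant" if flag else "non_compliant"

def auto_updates_status(vm: dict) -> str:
    """Hardened check: separate 'not applicable' and 'unverified' from a real failure."""
    os_profile = vm.get("properties", {}).get("osProfile", {})
    win = os_profile.get("windowsConfiguration")
    if win is None:
        return "not_applicable"  # Linux VM: the property never exists for this OS
    # The value is fixed at creation time; a VM created via REST with Update
    # Management off keeps reporting False even after it is enabled, so a False
    # here cannot be treated as proof of non-compliance.
    return "compliant" if win.get("enableAutomaticUpdates") else "unverified"

def vm_agent_status(vm: dict) -> str:
    """provisionVMAgent only records whether Azure installed the agent at provisioning."""
    os_profile = vm.get("properties", {}).get("osProfile", {})
    cfg = os_profile.get("windowsConfiguration") or os_profile.get("linuxConfiguration") or {}
    if cfg.get("provisionVMAgent"):
        return "provisioned_by_azure"
    return "unverified"  # a manually installed agent still reads False from this API

# Constructed sample resources, trimmed to the fields the checks read.
SAMPLE_VMS = {
    "win-portal": {"properties": {"osProfile": {"windowsConfiguration": {
        "provisionVMAgent": True, "enableAutomaticUpdates": True}}}},
    "win-rest": {"properties": {"osProfile": {"windowsConfiguration": {
        "provisionVMAgent": True, "enableAutomaticUpdates": False}}}},
    "linux-manual-agent": {"properties": {"osProfile": {"linuxConfiguration": {
        "provisionVMAgent": False}}}},
}

def evaluate_all(vms: dict) -> dict:
    """Map each VM name to (naive result, hardened updates status, agent status)."""
    return {name: (naive_auto_updates_result(vm), auto_updates_status(vm), vm_agent_status(vm))
            for name, vm in vms.items()}

if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_VMS).items():
        print(f"{name:20} naive={result[0]:14} updates={result[1]:15} agent={result[2]}")
```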