Create security baselines

cheahengsoon

Eng Soon Cheah

Posted on April 15, 2019

Create a platform security baseline

  • The Microsoft cybersecurity group, in conjunction with the Center for Internet Security (CIS), developed best practices to help establish security baselines
  • A variety of security standards can help cloud service customers achieve workload security when using cloud services
  • CIS has the following implementation levels:
    • Level 1. Recommended minimum security settings
    • Level 2. Recommended for highly secure environments

Create an IAM baseline
Some common recommendations for IAM protection baselines include:

  • Restricting access to the Azure AD admin portal
  • Enabling MFA
  • Properly managing guests
  • Managing password security
  • Managing member and guest invitation capabilities
  • Disabling application options

Create an Azure Security Center baseline

  • The following are Security Center recommendations that, if followed, will set various security policies on an Azure subscription:
    • Enable the Standard pricing tier
    • Enable the automatic provisioning of a monitoring agent
    • Enable System updates
    • Enable Security configurations
    • Enable Endpoint protection
    • Enable Disk encryption
    • Enable Network security groups
    • Enable Web application firewall
    • Enable Vulnerability Assessment

Create a storage accounts baseline
Recommendations for an Azure storage account include:
- Require security-enhanced transfers
- Enable blob encryption
- Periodically regenerate access keys
- Require shared access signature (SAS) tokens to expire within an hour
- Require SAS tokens to be shared only via HTTPS
- Enable Azure Files encryption
- Require only private access to blob containers
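
The two SAS recommendations above (expiry within an hour, HTTPS only) can be checked from the token's own query fields: `st` (start), `se` (expiry), `spr` (allowed protocol) and `si` (stored access policy). The following is an added example, not code from the original post; the function name `audit_sas`, the `issued_at` parameter and the sample tokens are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)  # baseline: SAS tokens expire within an hour

# Constructed sample input: placeholder account name and signature.
ISSUED = datetime(2019, 4, 15, 10, 0, tzinfo=timezone.utc)
GOOD = ("https://example.blob.core.windows.net/c/b.txt?sv=2018-03-28&sp=r"
        "&st=2019-04-15T10%3A00%3A00Z&se=2019-04-15T10%3A45%3A00Z"
        "&spr=https&sig=CONSTRUCTED")
BAD = "sv=2018-03-28&sp=rw&se=2019-04-22T10:00:00Z&sig=CONSTRUCTED"


def _utc(value):
    """Parse an ISO 8601 UTC timestamp as used in the st/se fields."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas(token, issued_at):
    """Return the list of baseline findings for one SAS URL or query string."""
    query = urlsplit(token).query if "?" in token else token
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    findings = []

    # spr defaults to "https,http" when absent, so it must be set explicitly.
    if fields.get("spr", "https,http").lower() != "https":
        findings.append("spr does not restrict the token to HTTPS")

    if "se" not in fields:
        # A service SAS may take its expiry from a stored access policy (si).
        findings.append("expiry comes from stored access policy; review it"
                        if "si" in fields else "no expiry time (se)")
        return findings

    # Without st the token is valid from first use; measure from issue time.
    start = _utc(fields["st"]) if "st" in fields else issued_at
    lifetime = _utc(fields["se"]) - start
    if lifetime > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds {MAX_LIFETIME}")
    return findings


if __name__ == "__main__":
    for name, token in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_sas(token, ISSUED) or "meets the baseline")
```

A token that omits `spr` is accepted over both HTTP and HTTPS, so its absence is reported the same way as an explicit `https,http`.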

Create an Azure SQL Database baseline
Microsoft SQL Server policy recommendations include:
- Enable auditing
- Enable a threat detection service
- Enable all threat detection types
- Enable the option to send security alerts
- Enable the email service and co-administrators
- Configure audit retention for more than 90 days
- Configure threat detection retention for more than 90 days
- Configure Azure AD administration

Create a logging and monitoring baseline
Logging and monitoring recommendations include:

  • Ensure that a log profile exists
  • Ensure that activity log retention is set to 365 days or more
  • Create an activity log alert for:
    • Creating a policy assignment
    • Updating a security policy
    • Creating, updating, or deleting a security solution
  • Enable Azure Key Vault logging
  • Create an activity log alert for:
    • Creating, updating, or deleting an NSG
    • Creating, updating, or deleting an NSG rule
    • Creating or updating an SQL Server firewall rule
    • Deleting an SQL Server firewall rule

Create a networking baseline
Networking recommendations include:
- Restrict RDP access from the internet
- Restrict SSH access from the internet
- Restrict SQL Server access from the internet
- Configure the NSG flow log retention period for more than 90 days
- Enable Azure Network Watcher

Create a VMs baseline
Azure VM security baseline recommendations include:
- Install a VM agent (required for enabling data collection for Azure Security Center)
- Ensure that encryption protects the OS disk and its content 
- Carefully review extensions to help ensure that they don’t compromise the security of the host or Azure subscription
- Update VMs to help ensure their security
- Ensure that VMs have an installed and running endpoint protection solution

Other security considerations for a baseline
Some additional recommendations you should consider:
- Set an expiration date on all keys
- Set an expiration date on all secrets
- Set resource locks for mission-critical Azure resources
