Azure – Azure Policy now audits installed applications on VM’s

You may already know Azure Policy, introduced during Ignite 2018.

If no, Azure Policy has the capability to apply audit settings on virtual machines (VM’s) running on Azure. The first policies can audit password security settings on both Windows and Linux VM’s or the encryption protocol used by IIS (aka TLS – in this case the VM is compliant if TLS 1.1 or 1.2 is enabled and other protocols disabled).

A new policy (prefixes with Preview) has been introduced to audit application installed on Windows.

Enable the audit policy

• To be able to get the audit policy working you need to have a virtual machine extension installed (https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/overview)
• Then you need to register the Microsoft.GuestConfiguration provider either using the Azure portal or PowerShell

Using the portal

• Access the Subscriptions blade (if you have multiple subscriptions you have to repeat the next step for each)

• Reach the Resource providers configuration blade and search for Microsoft.GuestConfiguration to enable it

The registration process may take few minutes

Using PowerShell

• You must have the Azure PowerShell module installed
• Connect to your Azure tenant

Connect-AzureRmAccount

• Execute the following command (keep in mind it will register the provide for the default/current subscription you are connected to; if you have multiple subscriptions you will have to repeat it)

Once executed, the command returns the RegistrationState as registering

Register-AzureRmResourceProvider -ProviderNamespace ‘Microsoft.GuestConfiguration’

You can check the registration process is completed using the command; it must then return Registered for the RegistratonState

Get-AzureRmResourceProvider -ProviderNamespace ‘Microsoft.GuestConfiguration’

 

Apply the policy

• You can apply a policy using either Desired State Configuration for Windows machine or Chef InSpec for Linux machine

The policies are available through the Policy blade on the Azure portal

When you go to the Definitions blade and filter for the Guest Configuration category you will be able to see all the policies applied – including the new ones prefixed with Preview

You can then assign the policy/policies you want using the Policy Assignment\Assign policy and add the policy you want to apply

 

Compliance

The compliance results are available through the Compliance blade