Benchmark: 3.1.12 Monitor and control remote access sessions
Description
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3.1.12 Monitor and control remote access sessions.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_1_12
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_1_12 --share
Controls
- App Configuration should use private link
- App Service apps should have remote debugging turned off
- Function apps should have remote debugging turned off
- Cognitive Services should use private link
- Disk access resources should use private link
- Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
- Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
- Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
- Audit Linux machines that allow remote connections from accounts without passwords
- Container registries should use private link
- CosmosDB accounts should use private link
- Azure Data Factory should use private link
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Event Hub namespaces should use private link
- Azure API for FHIR should use private link
- IoT Hub device provisioning service instances should use private link
- Azure Key Vaults should use private link
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Azure Cache for Redis should use private link
- Azure Cognitive Search services should use private link
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Private endpoint connections on Azure SQL Database should be enabled
- Storage accounts should restrict network access
- Storage accounts should use private link
- Azure File Sync should use private link
- Azure Synapse workspaces should use private link