Cyber Guardian: Ensuring Antimalware Compliance on Azure Virtual Machines

Introduction

In today’s dynamic cloud computing environment, maintaining governance, compliance, and security across resources can be a daunting task. Microsoft Azure Policy is a pivotal tool that enables organizations to enforce rules and standards to manage and control their IT environment effectively. Azure Policy helps ensure resources comply with corporate standards and service level agreements, providing a robust framework for resource consistency, regulatory compliance, security, and cost management. This blog explores the intricacies of Azure Policy, its benefits, and why it is indispensable for any organization leveraging the Azure ecosystem. Azure Policy is a service in Microsoft Azure that enables you to create, assign, and manage policies.

These policies apply rules and effects to your resources, ensuring they comply with your corporate standards and service level agreements. Azure Policy helps enforce organizational standards and assess compliance at scale. This blog walks through one use case in which Azure Policy plays a vital role in enforcing policies and compliance for an organization.

Use Case: Azure Policy in Customized Installation on VMs

Azure Policy plays a crucial role in the automated and standardized management of Azure resources, including virtual machines (VMs). Here’s how it contributes to customized installations on VMs:

  1. Enforcement of Compliance:
    • Policy Definitions: You can create policy definitions that specify the desired configuration or state of your resources. For instance, you can define a policy that ensures all VMs have a specific antimalware extension installed.
    • Policy Assignments: These definitions can be assigned to specific scopes such as subscriptions, resource groups, or individual resources. The assignment ensures that any new resource created within the scope complies with the defined policy.
  2. Automatic Deployment of Configurations:
    • DeployIfNotExists Effect: Azure Policy can automatically deploy a configuration if it does not exist. For example, if a VM is created without the required antimalware extension, the policy can trigger the deployment of this extension automatically.
    • Parameters and Templates: Using ARM templates and parameters within policies, you can define complex configurations for VM extensions and other resources.
  3. Audit and Remediation:
    • Compliance Monitoring: Azure Policy continuously evaluates resources and monitors compliance. If a VM deviates from the defined policy (e.g., a required extension is missing), it is marked as non-compliant.
    • Remediation Tasks: For non-compliant resources, Azure Policy can initiate remediation tasks that bring the resources into compliance, such as installing missing extensions on existing VMs.

Example Scenario: Customized Antimalware Installation on VMs

  1. Define the Policy:
    • Create a policy definition that checks if VMs have the antimalware extension installed.
    • Use the deployIfNotExists effect to ensure that the extension is deployed if it is not present.
  2. Assign the Policy:
    • Assign the policy to a specific scope, such as a subscription or resource group. This assignment will ensure that all VMs within this scope comply with the policy.
  3. Policy Evaluation:
    • Azure Policy evaluates existing VMs and marks those without the antimalware extension as non-compliant.
    • New VMs created in the scope will automatically have the antimalware extension installed due to the policy.
  4. Remediation:
    • For non-compliant VMs, you can create a remediation task that deploys the antimalware extension, ensuring all VMs meet the security requirements.

Benefits of Using Azure Policy for Customized Installations

  • Consistency: Ensures all resources conform to organizational standards without manual intervention.
  • Automation: Reduces the need for manual configuration by automatically applying necessary settings and extensions.
  • Compliance: Helps maintain compliance with internal policies and external regulations by continuously monitoring and enforcing standards.
  • Scalability: Efficiently manages configurations across a large number of resources and scales with your environment.

By leveraging Azure Policy, organizations can enforce standardized configurations across their Azure environment, automate the deployment of necessary extensions, and maintain compliance with security and operational standards.

DEMO

Imagine your company’s Azure subscription includes Windows Server 2016 Azure virtual machines. You are informed that every virtual machine must have a custom antimalware virtual machine extension installed. Your task is to design and apply a custom Azure Policy definition that achieves this.

To ensure that every Windows Server 2016 Azure virtual machine (VM) in your subscription has a custom antimalware extension installed, you can create an Azure Policy. This policy will audit existing VMs and enforce the installation of the antimalware extension on new VMs. Here’s a step-by-step tutorial on how to achieve this:

Step 1: Prepare the Custom Antimalware Extension Script

First, you need the configuration settings for your custom antimalware extension. Typically, this is a JSON configuration; in this walkthrough the settings (real-time protection and a weekly scheduled scan) are embedded in the deployment template of the policy definition created in Step 2.

Step 2: Create a Custom Policy Definition

  1. Sign in to Azure Portal: Go to Azure Portal and sign in with your Azure account.
  2. Navigate to Azure Policy: Search for and select “Azure Policy” from the top search bar.
  3. Create a New Definition:
    • Select “Definitions” from the left-hand menu.
    • Click “+ Policy definition”.
  4. Define the Policy:
    • Name: Enter a name for your policy, e.g., “Enforce Antimalware Extension on Windows VMs.”
    • Description: Provide a description, e.g., “Ensures all Windows Server 2016 VMs have the custom antimalware extension installed.”
    • Category: Select an existing category or create a new one.
    • Definition Location: Choose the scope for your policy (subscription or management group).
    • Policy Rule: Use the following JSON to define the policy rule:


    {
      "mode": "Indexed",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "field": "properties.storageProfile.osDisk.osType",
              "equals": "Windows"
            }
          ]
        },
        "then": {
          "effect": "deployIfNotExists",
          "details": {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "name": "AntimalwareExtension",
            "existenceCondition": {
              "allOf": [
                {
                  "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                  "equals": "Microsoft.Azure.Security"
                },
                {
                  "field": "Microsoft.Compute/virtualMachines/extensions/type",
                  "equals": "IaaSAntimalware"
                }
              ]
            },
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "deployment": {
              "properties": {
                "mode": "Incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "vmName": {
                      "type": "string",
                      "metadata": {
                        "description": "The name of the VM to apply the extension to"
                      }
                    }
                  },
                  "resources": [
                    {
                      "type": "Microsoft.Compute/virtualMachines/extensions",
                      "apiVersion": "2019-07-01",
                      "name": "[concat(parameters('vmName'), '/AntimalwareExtension')]",
                      "location": "[resourceGroup().location]",
                      "properties": {
                        "publisher": "Microsoft.Azure.Security",
                        "type": "IaaSAntimalware",
                        "typeHandlerVersion": "1.5",
                        "autoUpgradeMinorVersion": true,
                        "settings": {
                          "AntimalwareEnabled": true,
                          "RealtimeProtectionEnabled": true,
                          "ScheduledScanSettings": {
                            "isEnabled": true,
                            "day": "Sunday",
                            "time": "120"
                          }
                        }
                      }
                    }
                  ]
                },
                "parameters": {
                  "vmName": {
                    "value": "[field('name')]"
                  }
                }
              }
            }
          }
        }
      },
      "parameters": {}
    }

  5. Save the Policy Definition:
    • Click “Save” to create the policy definition.

Step 3: Assign the Policy

  1. Navigate to Assignments: In the Azure Policy page, select “Assignments” from the left-hand menu.
  2. Assign the Policy:
    • Click “+ Assign Policy”.
    • Scope: Select the subscription or resource group where you want to enforce the policy.
    • Policy Definition: Select the policy definition you created earlier.
    • Assignment Name: Provide a name for the policy assignment.
    • Parameters: Set any required parameters if your policy definition includes them (in this case, it doesn’t).
    • Remediation: A deployIfNotExists assignment needs a managed identity holding the role listed in roleDefinitionIds (Contributor here); on the wizard’s Remediation tab, create one so the policy can deploy the extension.
  3. Review and Create:
    • Click “Review + create” and then “Create” to assign the policy.

Step 4: Verify Compliance

  1. Check Compliance: After assigning the policy, Azure Policy will evaluate the resources within the scope. This might take some time.
  2. Review Compliance Status:
    • Navigate to the Azure Policy page.
    • Select “Compliance” from the left-hand menu to see the compliance status of your resources.

Step 5: Remediation (if necessary)

If there are existing VMs that are not compliant, you can create a remediation task:

  1. Remediate Non-compliant Resources:
    • In the compliance tab, select the non-compliant policy assignment.
    • Click “Create Remediation Task”.
    • Follow the prompts to remediate non-compliant VMs.
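To make the evaluation and remediation flow in Steps 4 and 5 concrete, here is an added Python model of how a deployIfNotExists rule is evaluated; it is not part of the original post and it is neither the Azure engine nor an Azure SDK. It replays the Step 2 rule over a constructed inventory of four VMs, lists which ones a remediation task would target, and lints the rule for the mistake that leaves every VM permanently non-compliant. It assumes the rule’s existenceCondition checks the extension’s publisher and type (the two values the deployment template sets) and that the deployment supplies vmName from the evaluated VM via [field('name')]; the alias resolution, the vm/ext helpers, the VM names and the Contoso extension are constructed for this example.

```python
"""Offline model of deployIfNotExists evaluation; added example, not CloudThat's code or the Azure engine."""
import copy

# Step 2's rule reduced to what drives evaluation (assumptions are spelled out in the lead-in).
EXT = "Microsoft.Compute/virtualMachines/extensions"
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "properties.storageProfile.osDisk.osType", "equals": "Windows"}]},
    "then": {"effect": "deployIfNotExists", "details": {
        "type": EXT, "name": "AntimalwareExtension",
        "existenceCondition": {"allOf": [  # must describe exactly what the template deploys
            {"field": EXT + "/publisher", "equals": "Microsoft.Azure.Security"},
            {"field": EXT + "/type", "equals": "IaaSAntimalware"}]},
        "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/"
                              "b24988ac-6180-42a0-ab88-20f7382dd24c"],  # Contributor
        "deployment": {"properties": {"mode": "Incremental",
            "template": {
                "parameters": {"vmName": {"type": "string"}},
                "resources": [{"type": EXT,
                               "name": "[concat(parameters('vmName'), '/AntimalwareExtension')]",
                               "properties": {"publisher": "Microsoft.Azure.Security",
                                              "type": "IaaSAntimalware"}}]},
            "parameters": {"vmName": {"value": "[field('name')]"}}}}}},  # feeds the template
}

def vm(name, os_type, extension=None):
    """Constructed VM resource (not a real one) with zero or one attached extension."""
    return {"name": name, "type": "Microsoft.Compute/virtualMachines",
            "properties": {"storageProfile": {"osDisk": {"osType": os_type}}},
            "extensions": [extension] if extension else []}

def ext(publisher, ext_type):  # constructed extension resource, shaped as it hangs off a VM
    return {"name": "AntimalwareExtension", "properties": {"publisher": publisher, "type": ext_type}}

INVENTORY = [  # constructed sample inventory
    vm("vm-web-01", "Windows", ext("Microsoft.Azure.Security", "IaaSAntimalware")),
    vm("vm-app-02", "Windows"),
    vm("vm-db-03", "Linux"),
    vm("vm-old-04", "Windows", ext("Contoso.Security", "ContosoAV")),  # right name, wrong product
]

def get_field(resource, field):
    """Resolve a policy field: an alias ending in /<prop> maps to properties.<prop>; dotted paths are walked."""
    if "/" in field:
        field = "properties." + field.rsplit("/", 1)[1]
    node = resource
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def _equal(a, b):  # Azure Policy compares strings case-insensitively
    return a.lower() == b.lower() if isinstance(a, str) and isinstance(b, str) else a == b

def matches(condition, resource):
    """Evaluate nested allOf blocks and field/equals leaves."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    return _equal(get_field(resource, condition["field"]), condition["equals"])

def state_of(rule, machine):
    """One VM's state, in Azure's order: "if" selects the VM, then existenceCondition is checked."""
    details = rule["then"]["details"]
    if not matches(rule["if"], machine):
        return "NotApplicable"
    found = any(matches(details["existenceCondition"], e) for e in machine["extensions"]
                if _equal(e["name"], details["name"]))
    return "Compliant" if found else "NonCompliant"

def evaluate(rule, inventory):  # compliance state per VM name, as the Compliance blade lists it
    return {m["name"]: state_of(rule, m) for m in inventory}

def remediation_targets(states):
    """VMs a remediation task for this assignment would deploy the extension to."""
    return sorted(name for name, s in states.items() if s == "NonCompliant")

def lint_rule(rule):
    """Catch slips that make remediation loop or fail: a non-matching existenceCondition, unsupplied parameters."""
    details = rule["then"]["details"]
    props = details["deployment"]["properties"]
    deployed = props["template"]["resources"][0]["properties"]
    problems = []
    if not matches(details["existenceCondition"], ext(deployed["publisher"], deployed["type"])):
        problems.append("existenceCondition does not match the extension the template deploys")
    for name in props["template"].get("parameters", {}):
        if name not in props.get("parameters", {}):
            problems.append(f"template parameter {name!r} is never supplied")
    return problems

def broken_variant():
    """The same rule with two common mistakes, for lint_rule and evaluate to expose."""
    rule = copy.deepcopy(POLICY_RULE)
    details = rule["then"]["details"]
    details["existenceCondition"]["allOf"][1]["equals"] = "AzureSecurityCenter"  # type never deployed
    del details["deployment"]["properties"]["parameters"]
    return rule
```

evaluate returns NotApplicable for the Linux VM (the if block never selects it), Compliant for the VM carrying Microsoft.Azure.Security/IaaSAntimalware, and NonCompliant both for the VM with no extension and for the one whose extension merely shares the name. broken_variant shows why the existenceCondition must describe exactly what the template deploys: with the type set to a value the template never creates, the correctly protected VM is reported NonCompliant as well, so every remediation task would redeploy the extension without ever clearing the finding, and lint_rule flags it together with the unsupplied vmName parameter before the definition is ever assigned.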

Conclusion

By following these steps, you can ensure that all Windows Server 2016 VMs in your Azure subscription have the custom antimalware extension installed. Azure Policy will help you enforce this requirement and automatically apply the extension to new VMs and existing non-compliant VMs through remediation tasks.

About CloudThat

Established in 2012, CloudThat is a leading Cloud Training and Cloud Consulting services provider in India, USA, Asia, Europe, and Africa. Being a pioneer in the cloud domain, CloudThat has special expertise in catering to mid-market and enterprise clients from all the major cloud service providers like AWS, Microsoft, GCP, VMware, Databricks, HP, and more. Uniquely positioned to be a single source for both training and consulting for cloud technologies like Cloud Security, Data Platforms, Microsoft Dynamics 365, DevOps, IoT, and the latest technologies like AI/ML, it is a top-tier partner with AWS and Microsoft, winning more than 8 awards combined in 11 years. Recently, it was recognized as the ‘Think Big’ partner from AWS and won the Microsoft Superstars FY 2023 award in Asia & India. Leveraging its position as a leader in the market, CloudThat has trained 650k+ professionals in 500+ cloud certifications and delivered 300+ consulting projects for 100+ corporates in 28+ countries.

FAQs

1. What is Azure Policy, and how does it help manage Azure resources?

ANS: – Azure Policy is a service that allows you to create, assign, and manage policies to enforce rules and effects over your resources, ensuring they remain compliant with corporate standards and service level agreements. It helps manage resources by automatically evaluating and enforcing policies, such as deploying required extensions on VMs or auditing resource configurations.

2. How can I ensure that all my Windows Server 2016 Azure VMs have a custom antimalware extension installed?

ANS: – You can ensure all your Windows Server 2016 VMs have a custom antimalware extension installed by creating and assigning an Azure Policy with a deployIfNotExists effect. This policy will check if the antimalware extension is installed on VMs and automatically deploy it if it is missing.

3. What are the main components of an Azure Policy definition for deploying antimalware extensions?

ANS: – The main components of an Azure Policy definition for deploying antimalware extensions include:

  • Policy Rule: Defines the conditions to evaluate (e.g., checking if VMs have the antimalware extension installed).
  • Effect: Specifies the action to take if the condition is met (e.g., deployIfNotExists to install the extension).
  • Details: Includes specifics of the deployment, such as the type of extension and configuration settings.

4. Can Azure Policy automatically remediate non-compliant VMs?

ANS: – Yes, Azure Policy can automatically remediate non-compliant VMs. When a policy with a deployIfNotExists effect is assigned, the required extension can automatically be deployed on VMs that do not comply with the policy. Additionally, you can create remediation tasks to bring existing non-compliant VMs into compliance.

5. How often does Azure Policy evaluate resources for compliance?

ANS: – Azure Policy evaluates resources for compliance on a regular basis, typically every 24 hours. However, you can also trigger on-demand evaluations if needed.

6. What should I do if an existing VM is marked as non-compliant due to a missing antimalware extension?

ANS: – If an existing VM is marked as non-compliant, you can create a remediation task from the Azure Policy compliance dashboard. This task will deploy the missing antimalware extension to the non-compliant VM, bringing it into compliance with the policy.

7. Can I customize the antimalware settings deployed by Azure Policy?

ANS: – Yes, you can customize the antimalware settings by defining the desired configuration in the policy definition. This includes settings such as real-time protection, scheduled scan settings, and other configuration options. These settings are specified in the policy’s JSON template.

WRITTEN BY Rahulkumar Shrimali