Logo of Trend Micro

Enable DDoS Protection Standard Monitoring for Public Virtual Networks

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: SecurityCenter-025

Ensure that the monitoring of "DDoS Protection Standard" feature is enabled within your Microsoft Azure cloud account settings so that Azure Security Center can assess if DDoS protection is enabled for all the Azure Virtual Networks (VNets) with a subnet that is part of an application gateway with a public IP.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

A Distributed Denial-of-Service (DDoS) attack represents a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its infrastructure with a flood of HTTP traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised machines or networks as the sources of traffic. With DDoS Protection Standard feature enabled, Azure Security Center can determine if the monitoring of DDoS protection is enabled for your Microsoft Azure public virtual networks and make the proper recommendations.

Audit

To determine if monitoring of DDoS protection for public virtual networks is enabled within Azure Security Center settings, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the policy configuration settings for the selected subscription.

05 On the Security Policy page, choose the Security center default policy, then click View effective policy button.

06 On the default security policy page, within the Network section, check the DDoS Protection Standard should be enabled setting status. If the configuration setting is Disabled, the Distributed Denial-of-Service (DDoS) protection monitoring is not enabled for the Azure public virtual networks available in the selected subscription.

07 Repeat step no. 4 – 6 for each Microsoft Azure subscription available within your account.

Using Azure CLI and PowerShell

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to describe the monitoring status of the "DDoS Protection Standard" feature within the current subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.vnetEnableDDoSProtectionMonitoringEffect.value'

02 The command output should return the requested Azure Security Center monitoring status: 

"Disabled"

If the account get-access-token command output returns "Disabled", as shown in the example above, the DDoS protection monitoring is not enabled for the Microsoft Azure public virtual networks deployed within the current subscription.

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available in your account.

Remediation / Resolution

To enable the monitoring of Distributed Denial-of-Service (DDoS) protection for your Azure public virtual networks, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to reconfigure to access the policy settings available for the selected subscription.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) link to edit the default policy assignment.

06 On the selected policy assignment page, perform the following commands:

  1. Choose the Parameters tab to access the policy parameters.
  2. Select AuditIfNotExists from DDoS Protection Standard should be enabled dropdown list to enable the Distributed Denial-of-Service (DDoS) protection monitoring for all your Azure public virtual networks available in the selected subscription.
  3. Click Review + save to review the configuration changes, then click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the DDoS protection monitoring for public virtual networks becomes active for the selected Azure subscription.

07 If required, repeat steps no. 4 – 6 for other Microsoft Azure cloud subscriptions available.

Using Azure CLI and PowerShell

01 Define the necessary specifications for the account get-access-token command, where the vnetEnableDDoSProtectionMonitoringEffect configuration parameter is enabled using the "AuditIfNotExists" flag. Save the following content to a JSON file named enable-ddos-protection-monitoring.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details: 

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "vnetEnableDDoSProtectionMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the specifications defined at the previous step (i.e. enable-ddos-protection-monitoring.json file) to enable DDoS protection monitoring for all Microsoft Azure public virtual networks available within the current subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-ddos-protection-monitoring.json"'

03 If successful, the command output should return the updated Azure Security Center policy, e.g.: 

{
   "sku":{
      "name":"A0",
      "tier":"Free"
   },
   "properties":{
      "displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
      "scope":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
      "parameters":{
         "vnetEnableDDoSProtectionMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      },
      "metadata":{
         "createdBy":"1234abcd-1234-abcd-1234-abcd1234abcd",
         "createdOn":"2019-05-17T15:38:40.00000000",
         "updatedBy":"abcd1234-abcd-1234-abcd-1234abcd1234",
         "updatedOn":"2020-03-17T13:06:48.00000000"
      }
   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscriptions available.

References

Publication date Apr 27, 2020

Related SecurityCenter rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable DDoS Protection Standard Monitoring for Public Virtual Networks

Risk level: High