Saturday, August 11, 2018

CIS Control 2 on Azure - Application Whitelisting

Continuing on from the first post about CIS Control 2, let's now have a look at 2.7: Utilize Application Whitelisting.  In the context of CIS, this control requires that application whitelisting is in use on all assets, so that only authorized software executes and all unauthorized software is blocked from executing on those assets.

In Azure terms, I think the closest thing to software is the set of Azure resource types that one can deploy.  In this case, we want to be able to whitelist the Azure resource types that may be deployed, and block all others.

It turns out that doing this via Azure policy is actually quite easy.  Here is an example:

{
  "if": {
    "field": "type",
    "notIn": [
      "Microsoft.Compute/virtualMachines",
      "Microsoft.Compute/disks",
      "Microsoft.Compute/networkInterfaces"
    ]
  },
  "then": {
    "effect": "audit"
  }
}

The above policy (as written) will raise an audit event whenever a resource is deployed that is not one of the listed types.  Using Azure Policy effects, one could switch the effect to deny, which would then enforce that no resource type outside the approved list could be deployed at all.  Building out a policy such as this would likely satisfy the application whitelisting requirement of CIS Control 2.
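As an added example (not part of the original post, and not Microsoft's code), the script below wraps the post's rule in a full, parameterized policy definition so that the allowed list and the audit/deny effect are chosen at assignment time rather than hard-coded, and then evaluates a small constructed deployment against it offline. The evaluator is a deliberately minimal imitation of how Azure Policy resolves "[parameters('...')]" references and the field/notIn condition (including its case-insensitive string comparison); it is not Azure's engine. The resource names, the sample deployment and the parameter names are assumptions made for illustration.

```python
"""Offline evaluation of an 'allowed resource types' Azure Policy rule."""
import re

# Matches the Azure Policy template syntax for a parameter reference.
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Parameterized version of the post's rule (constructed for this example).
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Allowed resource types (CIS Control 2.7)",
        "mode": "All",
        "parameters": {
            "listOfAllowedTypes": {
                "type": "Array",
                "metadata": {"displayName": "Resource types that may be deployed"},
                "defaultValue": [
                    "Microsoft.Compute/virtualMachines",
                    "Microsoft.Compute/disks",
                    "Microsoft.Compute/networkInterfaces",
                ],
            },
            "effect": {
                "type": "String",
                "allowedValues": ["Audit", "Deny"],
                "defaultValue": "Audit",
            },
        },
        "policyRule": {
            "if": {"field": "type", "notIn": "[parameters('listOfAllowedTypes')]"},
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}


def resolve(value, params):
    """Resolve a "[parameters('name')]" string; pass every other value through."""
    if isinstance(value, str):
        match = PARAM_RE.match(value)
        if match:
            return params[match.group(1)]
    return value


def _norm(value):
    # Azure Policy string conditions are case-insensitive, so fold case here too.
    return value.casefold() if isinstance(value, str) else value


def condition_matches(condition, resource, params):
    """Evaluate a single field condition (equals / in / notIn) against a resource."""
    actual = _norm(resource.get(condition["field"]))
    if "equals" in condition:
        return actual == _norm(resolve(condition["equals"], params))
    if "in" in condition:
        return actual in {_norm(v) for v in resolve(condition["in"], params)}
    if "notIn" in condition:
        return actual not in {_norm(v) for v in resolve(condition["notIn"], params)}
    raise ValueError("unsupported condition: %r" % sorted(condition))


def evaluate(resource, definition=POLICY_DEFINITION, assignment_params=None):
    """Return 'compliant', or the lower-cased effect ('audit' / 'deny') that fires."""
    props = definition["properties"]
    # Parameter defaults from the definition, overridden by the assignment's values.
    params = {name: spec.get("defaultValue") for name, spec in props["parameters"].items()}
    params.update(assignment_params or {})
    rule = props["policyRule"]
    if condition_matches(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params).lower()
    return "compliant"


def evaluate_deployment(resources, assignment_params=None):
    """Evaluate every resource in a deployment; returns {resource name: outcome}."""
    return {r["name"]: evaluate(r, assignment_params=assignment_params) for r in resources}


# Constructed sample deployment: three allowed types (one with odd casing) and a
# storage account that is not on the list.
SAMPLE_DEPLOYMENT = [
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "vm01-nic", "type": "microsoft.compute/networkinterfaces"},
    {"name": "vm01-osdisk", "type": "Microsoft.Compute/disks"},
    {"name": "stg01", "type": "Microsoft.Storage/storageAccounts"},
]

if __name__ == "__main__":
    print("effect = Audit (definition default):")
    for name, outcome in evaluate_deployment(SAMPLE_DEPLOYMENT).items():
        print("  %-12s %s" % (name, outcome))
    print("effect = Deny (set on the assignment):")
    for name, outcome in evaluate_deployment(SAMPLE_DEPLOYMENT, {"effect": "Deny"}).items():
        print("  %-12s %s" % (name, outcome))
```

Running the script shows the storage account flagged as "audit" under the definition's default and as "deny" once the assignment sets the effect parameter, while the three compute resources stay compliant regardless of how their type string is cased. Keeping the effect as a parameter with allowedValues of Audit and Deny is the usual way to roll such a policy out: assign it in audit mode first to see what would be blocked, then switch the same assignment to deny. The properties block above is in the shape accepted by the Azure CLI's `az policy definition create` (its `--rules` and `--params` options take the policyRule and parameters sections respectively).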