1 00:00:01,640 --> 00:00:05,320 [Autogenerated] So let's now turn our attention in this demo to Azure Policy
2 00:00:05,320 --> 00:00:08,610 guest configuration. Now we don't have the time or scope to
3 00:00:08,610 --> 00:00:11,410 do a full deep dive of Azure Policy.
4 00:00:11,410 --> 00:00:15,700 So I would recommend you look for Azure Policy in the Pluralsight library.
5 00:00:15,700 --> 00:00:20,420 I myself have done quite a bit of work in Azure Policy. The workflow with
6 00:00:20,420 --> 00:00:24,690 policy is that you start over at definitions, and you've got your individual
7 00:00:24,690 --> 00:00:29,280 JSON policy files, and you also have what are called initiatives. First let
8 00:00:29,280 --> 00:00:31,340 me change the definition type here
9 00:00:31,340 --> 00:00:34,160 to policy, and then for category notice all of the
10 00:00:34,160 --> 00:00:36,250 categories that Microsoft provides.
11 00:00:36,250 --> 00:00:39,510 You can go out to the Azure Policy repo on GitHub to get
12 00:00:39,510 --> 00:00:41,470 all of these source files and more.
13 00:00:41,470 --> 00:00:46,440 I'm going to actually deselect everything and look up just guest configuration.
14 00:00:46,440 --> 00:00:50,090 Alright, so here's where we can see what Microsoft is surfacing,
15 00:00:50,090 --> 00:00:53,840 some of the things that we can audit and potentially remediate.
16 00:00:53,840 --> 00:00:56,850 Now notice here we have audit policies:
17 00:00:56,850 --> 00:01:00,860 we have "machines should have the Log Analytics agent installed",
18 00:01:00,860 --> 00:01:04,440 Windows Firewall policies, security settings,
19 00:01:04,440 --> 00:01:08,100 "audit machines that don't have specific PowerShell modules
20 00:01:08,100 --> 00:01:11,550 installed", "audit Windows machines that have extra accounts
21 00:01:11,550 --> 00:01:12,800 in the Administrators group".
22 00:01:12,800 --> 00:01:13,050 Again,
23 00:01:13,050 --> 00:01:16,950 the point with guest configuration is that we're creating compliance
24 00:01:16,950 --> 00:01:21,320 policies for the internal state of the machine, that is, the operating system
25 00:01:21,320 --> 00:01:26,180 environment, and we can contrast that with just Azure Policy in general. We
26 00:01:26,180 --> 00:01:30,850 can look at something like the Tags category, and we've got all sorts of
27 00:01:30,850 --> 00:01:35,010 "require a tag and its value" and "inherit a tag". Now we can actually apply
28 00:01:35,010 --> 00:01:40,440 these regular Azure policies to our Azure Arc-enabled servers, which really
29 00:01:40,440 --> 00:01:41,860 is a great, great thing.
30 00:01:41,860 --> 00:01:46,390 So I just want to underline that we have Azure Policy for resource
31 00:01:46,390 --> 00:01:51,000 compliance and guest configuration for operating system compliance.
32 00:01:51,000 --> 00:01:54,400 Now I'm going to change the definition type to initiative, and I'm going
33 00:01:54,400 --> 00:01:58,550 to come back to my original filter, which is guest configuration, because
34 00:01:58,550 --> 00:02:00,240 we're going to go ahead and apply one of these.
35 00:02:00,240 --> 00:02:03,720 Now we've got three initiatives as of this recording.
36 00:02:03,720 --> 00:02:08,210 An initiative is simply a container that contains one or more policy
37 00:02:08,210 --> 00:02:12,560 definitions, and the idea is that you can assign an initiative to
38 00:02:12,560 --> 00:02:17,210 simultaneously assign those related policies instead of having to
39 00:02:17,210 --> 00:02:20,130 otherwise assign the policies individually.
40 00:02:20,130 --> 00:02:21,280 That's no way to work.
41 00:02:21,280 --> 00:02:25,820 And so we've got this important one in the middle here, "Deploy prerequisites to
42 00:02:25,820 --> 00:02:29,460 enable Guest Configuration policies on virtual machines".
43 00:02:29,460 --> 00:02:33,960 This is important. Why? Well, this is a convenient way to ensure that your
44 00:02:33,960 --> 00:02:38,340 machines are set to process guest configuration policies;
45 00:02:38,340 --> 00:02:41,530 there are some prerequisites, like having a system-assigned managed
46 00:02:41,530 --> 00:02:45,450 identity in Azure Active Directory, and there's also the Windows
47 00:02:45,450 --> 00:02:49,240 guest configuration extension to enable guest configuration
48 00:02:49,240 --> 00:02:52,500 assignments on both Windows and Linux VMs.
49 00:02:52,500 --> 00:02:56,780 And the thing with Azure Policy is that there are a number of effects.
50 00:02:56,780 --> 00:03:01,210 Audit would be an effect that just determines compliance state and stops
51 00:03:01,210 --> 00:03:04,980 there, but these particular effects are much more powerful:
52 00:03:04,980 --> 00:03:07,210 modify and deploy if not exists
53 00:03:07,210 --> 00:03:10,880 will actually create remediation tasks to bring the
54 00:03:10,880 --> 00:03:12,740 resource into compliance, you see.
55 00:03:12,740 --> 00:03:15,860 So I'm going to go ahead and assign this. Now, in the real world,
56 00:03:15,860 --> 00:03:18,280 you'd normally duplicate your initiative.
57 00:03:18,280 --> 00:03:21,880 You're going to copy an existing system initiative so that you
58 00:03:21,880 --> 00:03:24,870 have full read/write control over it, and I'm just going to go ahead
59 00:03:24,870 --> 00:03:29,200 and assign this as is, and then the scope is going to be where in
60 00:03:29,200 --> 00:03:32,640 the Azure management hierarchy this goes into effect.
61 00:03:32,640 --> 00:03:35,310 I'm going to scope it beyond the subscription;
62 00:03:35,310 --> 00:03:39,790 I'm going to bring it right down to my ArcRG resource group, so
63 00:03:39,790 --> 00:03:43,650 I'm going to affect just my Arc virtual machines.
64 00:03:43,650 --> 00:03:46,690 You can optionally create exclusions of the scope.
65 00:03:46,690 --> 00:03:49,710 If we scoped this initiative at the subscription,
66 00:03:49,710 --> 00:03:52,210 the exclusions would be resource groups.
67 00:03:52,210 --> 00:03:55,680 I scoped this initiative at the resource group, so we can
68 00:03:55,680 --> 00:04:00,200 create resource exceptions if we want to. Best idea to change
69 00:04:00,200 --> 00:04:02,160 the name to something more meaningful,
70 00:04:02,160 --> 00:04:04,600 but I'm going to let it roll right here in this demo.
71 00:04:04,600 --> 00:04:06,870 I don't have any parameters in this.
72 00:04:06,870 --> 00:04:08,130 So I'm going to continue.
73 00:04:08,130 --> 00:04:09,990 Do you want to create remediation?
74 00:04:09,990 --> 00:04:15,350 This is going to allow existing resources to process any changes that are in
75 00:04:15,350 --> 00:04:19,880 the initiative, and I do want that, and I'm going to let Azure create a system-
76 00:04:19,880 --> 00:04:24,270 assigned managed identity, and Azure will grant that identity the Contributor
77 00:04:24,270 --> 00:04:26,580 role assignment at the appropriate scope.
78 00:04:26,580 --> 00:04:29,150 So that has that read/write access here.
79 00:04:29,150 --> 00:04:32,740 We can see our policies, and we can provide custom
80 00:04:32,740 --> 00:04:35,840 non-compliance messages to let our compliance
81 00:04:35,840 --> 00:04:36,830 people or support
82 00:04:36,830 --> 00:04:41,650 people or colleagues know some justification for why whatever it is,
83 00:04:41,650 --> 00:04:46,170 whether it's a deployment or an existing resource, is out of compliance. When
84 00:04:46,170 --> 00:04:48,700 you click next, then we'll complete the assignment.
85 00:04:48,700 --> 00:04:52,510 Normally it takes a few minutes for that to kick in and start to process.
86 00:04:52,510 --> 00:04:57,180 We can follow the compliance status of our work in a couple of different spots.
87 00:04:57,180 --> 00:05:01,790 We can, in Azure Policy, go over to Compliance, and we can see what's going on.
88 00:05:01,790 --> 00:05:06,000 The overview page, as you might have noticed before, shows our compliance state.
89 00:05:06,000 --> 00:05:08,470 I've got some issues going on in my environment.
90 00:05:08,470 --> 00:05:11,630 As you can see, against this Azure Security Benchmark,
91 00:05:11,630 --> 00:05:14,600 I don't have many resources that are in compliance.
92 00:05:14,600 --> 00:05:17,960 But what's cool about this is that you can report on the
93 00:05:17,960 --> 00:05:20,830 details of the compliance state, and again,
94 00:05:20,830 --> 00:05:25,310 depending upon whether the policy is using modify or deploy
95 00:05:25,310 --> 00:05:30,340 if not exists, you can do a remediation task to fix those errors.
96 00:05:30,340 --> 00:05:33,640 Yeah, well, this Azure Security Benchmark is one of the,
97 00:05:33,640 --> 00:05:33,760 well,
98 00:05:33,760 --> 00:05:36,680 it's actually the default initiative that comes
99 00:05:36,680 --> 00:05:38,750 with Microsoft Defender for Cloud.
100 00:05:38,750 --> 00:05:40,700 There's a lot of controls in there.
101 00:05:40,700 --> 00:05:43,650 And so it makes sense that I'm not compliant for most
102 00:05:43,650 --> 00:05:44,660 of these because, again,
103 00:05:44,660 --> 00:05:52,000 there's a lot of controls in there that are giving me advice on how I should configure my environment.