VM Vulnerability Assessment

💼 Management Summary

This security control verifies that every Azure VM is covered by a vulnerability assessment scanner and thereby protects against unknown, unpatched exposures.

Recommendation
IMPLEMENT - SEE vulnerability-assessment
Risk without
Critical
Risk Score
9/10
Implementation
1.5h (tech: 1h)
Applies to:
✓ Azure VMs

This setting is essential for maintaining a secure environment: a VM without a vulnerability assessment scanner leaves missing patches and misconfigurations undetected, which is exactly the window a known attack vector needs.

PowerShell Modules Required
Primary API: Azure API
Connection: Connect-AzAccount
Required Modules: Az.Accounts, Az.Compute (declared by the script's #Requires line for Get-AzVM / Get-AzVMExtension); Az.Security for checking the Defender for Servers plan

Implementation

See vulnerability-beoordeling-machines-on in defender-cloud.

Requirements

Defender for Servers

Monitoring

Use the PowerShell script vm-vulnerability-assessment-enabled.ps1 (function Invoke-Monitoring) – Check. The check is extension-based: a VM counts as covered when a vulnerability assessment extension is installed, which proves deployment of the scanner but not that scans are completing.

See the vulnerability-beoordeling-machines-on control.

Compliance and Auditing

  1. CIS 2.1.19
  2. BIO 12.06
  3. ISO 27001:2022 A.8.8

Remediation

Use the PowerShell script vm-vulnerability-assessment-enabled.ps1 (function Invoke-Remediation) – Remediate. Note that in this script Invoke-Remediation only re-runs the monitoring check: the scanner itself is deployed through Defender for Cloud (Defender for Servers plan plus the vulnerability assessment recommendation), see the vulnerability-beoordeling-machines-on control.
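Because the script above only re-runs the check, the actual prerequisite for remediation is the Defender for Servers plan on each subscription. The following is an added example, not part of the baseline's own script, that reports the plan state per subscription with Az.Security and can switch the "VirtualMachines" plan to Standard/P2. It assumes Az.Accounts and Az.Security are installed; the -SubPlan parameter of Set-AzSecurityPricing is assumed to exist in the installed Az.Security version (older versions only accept -PricingTier).

```powershell
# Added example (not part of vm-vulnerability-assessment-enabled.ps1).
# Assumes Az.Accounts + Az.Security; -SubPlan on Set-AzSecurityPricing is an assumption
# about the installed module version.
#Requires -Modules Az.Accounts, Az.Security

function Test-DefenderForServersPlan {
    <# .SYNOPSIS Reports the "VirtualMachines" (Defender for Servers) plan of the current subscription #>
    [CmdletBinding()]
    param()
    $plan = Get-AzSecurityPricing -Name 'VirtualMachines'
    [pscustomobject]@{
        Subscription = (Get-AzContext).Subscription.Id
        PricingTier  = $plan.PricingTier   # 'Free' = no Defender for Servers, 'Standard' = enabled
        SubPlan      = $plan.SubPlan       # 'P1' or 'P2'; the baseline expects P2
        Compliant    = ($plan.PricingTier -eq 'Standard' -and $plan.SubPlan -eq 'P2')
    }
}

function Get-DefenderForServersReport {
    <# .SYNOPSIS Runs Test-DefenderForServersPlan against every enabled subscription in the tenant #>
    [CmdletBinding()]
    param()
    $original = Get-AzContext
    try {
        foreach ($sub in (Get-AzSubscription | Where-Object State -eq 'Enabled')) {
            Set-AzContext -Subscription $sub.Id | Out-Null
            Test-DefenderForServersPlan
        }
    } finally {
        # Restore the caller's context so later cmdlets do not run against the last subscription.
        if ($original) { Set-AzContext -Subscription $original.Subscription.Id | Out-Null }
    }
}

function Enable-DefenderForServersPlan {
    <# .SYNOPSIS Sets the "VirtualMachines" plan to Standard/P2 on the current subscription #>
    [CmdletBinding()]
    param([switch]$DryRun)
    $state = Test-DefenderForServersPlan
    if ($state.Compliant) {
        Write-Host "[OK] Defender for Servers P2 already enabled on $($state.Subscription)" -ForegroundColor Green
        return $state
    }
    if ($DryRun) {
        Write-Host "[DRYRUN] Would set VirtualMachines plan to Standard/P2 on $($state.Subscription)" -ForegroundColor Yellow
        return $state
    }
    # Subscription-wide change with billing impact: keep it explicit and visible in the log.
    Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' -SubPlan 'P2' | Out-Null
    Write-Host "[CHANGED] Defender for Servers P2 enabled on $($state.Subscription)" -ForegroundColor Cyan
    Test-DefenderForServersPlan
}

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
Get-DefenderForServersReport | Format-Table Subscription, PricingTier, SubPlan, Compliant -AutoSize
# Enable-DefenderForServersPlan -DryRun   # remove -DryRun to apply on the current subscription
```

Enabling the plan is necessary but not sufficient: the scanner extension still has to reach each VM through Defender for Cloud's vulnerability assessment recommendation (or its policy-based auto-deployment), after which the monitoring script above will count the VM as covered.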


Automation

Use the PowerShell script below to monitor and (formally) remediate this security control. Run it directly with the -Monitoring switch for a report, or dot-source it to load the Invoke-Monitoring and Invoke-Remediation functions. For this control Invoke-Remediation is monitoring-only, because scanner deployment is handled through Defender for Cloud.

PowerShell

```powershell
<#
================================================================================
 AZURE POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
    VM Vulnerability Assessment Enabled
.DESCRIPTION
    CIS Azure Foundations Benchmark - Control 7.13
    Checks whether a vulnerability assessment extension is installed on VMs.
.NOTES
    Filename: vm-vulnerability-assessment-enabled.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    CIS Control: 7.13
#>
#Requires -Version 5.1
#Requires -Modules Az.Accounts, Az.Compute

[CmdletBinding()]
param([Parameter()][switch]$Monitoring)

$ErrorActionPreference = 'Stop'
$PolicyName = "VM Vulnerability Assessment Enabled"

function Connect-RequiredServices {
    # Reuse an existing Az context; only prompt for login when there is none.
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
}

function Test-Compliance {
    # Enumerate every VM in the current subscription and look for a VA extension.
    # @() keeps .Count correct when zero or one VM is returned.
    $vms = @(Get-AzVM -ErrorAction SilentlyContinue)
    $result = @{ TotalVMs = $vms.Count; WithVA = 0; WithoutVA = @() }
    foreach ($vm in $vms) {
        $extensions = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue
        # Built-in Qualys scanner (publisher "Qualys", type QualysAgent / QualysAgentLinux) or the
        # Defender for Servers MDE extension (publisher "Microsoft.Azure.AzureDefenderForServers",
        # type MDE.Windows / MDE.Linux) that carries Defender Vulnerability Management.
        # Presence of the extension is the proxy here; it does not prove scans are completing.
        $hasVA = $extensions | Where-Object {
            $_.ExtensionType -like "*Qualys*" -or
            $_.ExtensionType -like "*VulnerabilityAssessment*" -or
            $_.Publisher -like "*Qualys*" -or
            $_.Publisher -like "*AzureDefenderForServers*"
        }
        if ($hasVA) { $result.WithVA++ } else { $result.WithoutVA += $vm.Name }
    }
    return $result
}

function Invoke-Monitoring {
    <# .SYNOPSIS Reports the current configuration state #>
    [CmdletBinding()]
    param()
    Connect-RequiredServices
    $r = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total VMs: $($r.TotalVMs)" -ForegroundColor White
    # Green only when every VM is covered; one covered VM out of many is not compliance.
    $color = if ($r.TotalVMs -gt 0 -and $r.WithVA -eq $r.TotalVMs) { 'Green' } else { 'Yellow' }
    Write-Host "With Vulnerability Assessment: $($r.WithVA)/$($r.TotalVMs)" -ForegroundColor $color
    foreach ($name in $r.WithoutVA) { Write-Host "  Missing on: $name" -ForegroundColor Yellow }
    return $r
}

function Invoke-Remediation {
    <#
    .SYNOPSIS Brings the configuration to the desired state
    .DESCRIPTION Monitoring-only control: the scanner is deployed through Defender for Cloud
                 (see the vulnerability-beoordeling-machines-on control), so this re-runs the check.
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] This is a monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

function Invoke-Implementation {
    <# .SYNOPSIS Implements the configuration (delegates to Invoke-Remediation) #>
    [CmdletBinding()]
    param()
    Invoke-Remediation
}

# Entry point: run the check only when executed directly, not when dot-sourced to load the functions.
if ($MyInvocation.InvocationName -ne '.') {
    try {
        if ($Monitoring) {
            Invoke-Monitoring | Out-Null
        } else {
            Connect-RequiredServices
            $r = Test-Compliance
            Write-Host "`nVulnerability Assessment: $($r.WithVA)/$($r.TotalVMs) VMs"
        }
    } catch { Write-Error $_; exit 1 }
}
```

Risk without implementation

Critical: undetected vulnerabilities mean an open exploitation window; missing patches and misconfigurations stay unknown. Compliance: CIS 2.1.19, BIO 12.04. The risk is CRITICAL.

Management Summary

Alternative verification for VM Vulnerability Assessment. See microsoft-defender/vulnerability-assessment-machines-on for the full implementation (Qualys/Defender scanner, Defender for Servers P2). Mandatory under CIS 2.1.19.