Implement host security

Configure endpoint security

• Computer systems that interact directly with users are considered endpoint systems
• Endpoint systems are typically vulnerable to security attacks
• Azure Security Center provides the tools you need to harden your network, secure your services, and solidify your security posture
• First step: Protect against malware
  • Install and integrate your antimalware solution with Security Center
• Second step: Monitor the status of antimalware
  • Security Center monitors the status of antimalware protection and reports this under the Endpoint protection issues blade

Configure VM Security by using templates or VM-level policies

• Azure Resource Manager is the deployment and management service for your Azure subscription
• It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription
• When you take actions through the portal, PowerShell, Azure CLI, REST APIs, or client SDKs, the Azure Resource Manager API handles your request

Harden VMs on Azure

• Azure Security Center helps you prevent, detect, and respond to threats with increased visibility and control of Azure resource security
• When you use Security Center to safeguard your VMs, the following capabilities are available:
  • Operating system (OS) security settings with the recommended configuration rules
  • System security and critical updates that are missing
  • Endpoint protection recommendations
  • Disk encryption validation
  • Vulnerability assessment and remediation
  • Threat detection
• A security policy defines the set of recommended controls for resources within the specified subscription or resource group
• To harden VMs on Azure, you can:
  • Set security policies to manage vulnerabilities for VMs
  • Enable data collection so that Security Center can gather necessary information
  • Use Security Center to analyze the security state of your Azure resources
  • Use Security Center to monitor, analyze, and enable security policies to identify potential vulnerabilities

Configure system updates in Azure

• The Update Management service enables you to assess your update status across your environment and manage your Windows and Linux server patching 
• Your Azure subscription includes Update Management at no additional cost 
• Computers that are managed by Update Management use the following configurations to perform assessment and update deployments:
  • Microsoft Monitoring Agent (MMA) for Windows or Linux
  • Desired State Configuration (DSC) in Windows PowerShell for Linux
  • Hybrid Runbook Worker in Azure Automation
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows computers

Implement platform updates

• We recommend that you use the Update Management solution in Azure Automation to manage operating system updates for your Windows and Linux computers in any scenario
• You can enable Update Management for virtual machines directly from your Azure Automation account

Harden devices connected to Azure
Windows 10, Windows Server 2016, and Windows Server 2019 include the following key security features:

• Windows Defender Credential Guard
  • Uses virtualization-based security to isolate secrets so that only privileged system software can access them
• Windows Defender Device Guard 
• Windows Defender Application Control 
  • Helps mitigate attacks from spyware, adware, rootkits, viruses, and keyloggers, by restricting the applications that users can run and the code that runs in the system core or kernel