Inspection Criteria
| Scope | Item Name | Inspection Criteria |
|---|---|---|
| Account Management | AD User Account Management | Good Criteria: There are no multiple accounts with administrative privileges, and no unnecessary accounts exist. Vulnerable Criteria: Multiple accounts with administrative privileges exist, or unnecessary accounts are present. |
| | AD User Profile and Directory Identification Management | Good Criteria: Mandatory profile fields (ID, work information, contact details, etc.) are completed. Vulnerable Criteria: Mandatory profile fields (ID, work information, contact details, etc.) are not completed. |
| | AD Group Owner and Member Management | Good Criteria: The group has an owner and members assigned. Vulnerable Criteria: The group does not have an owner or members assigned. |
| | AD Guest Users | Good Criteria: Guest user accounts (including unnecessary accounts with expired usage) are not in use. Vulnerable Criteria: Guest user accounts (including unnecessary accounts with expired usage) are in use. |
| | AD Password Reset Policy Management | Good Criteria: The password reset policy is configured according to mandatory configuration standards. Vulnerable Criteria: The password reset policy is not configured according to mandatory configuration standards. |
| | SSH Key Access Management | Good Criteria: SSH key creation, modification, and deletion are restricted to administrator and owner accounts only. Vulnerable Criteria: SSH key creation, modification, and deletion are not restricted to administrator and owner accounts only. |
| | MFA (Multi-Factor Authentication) Configuration | Good Criteria: MFA is enabled and in use for AD user accounts. Vulnerable Criteria: MFA is not enabled and in use for AD user accounts. |
| | MFA (Multi-Factor Authentication) Account Lock Policy Management | Good Criteria: The account lock settings are configured according to the policy. Vulnerable Criteria: The account lock settings are not configured according to the policy. |
| | Azure Password Policy Management | Good Criteria: Password protection policies are applied and used according to the policy. Vulnerable Criteria: Password protection policies are not applied and used according to the policy. |
| Permission Management | Subscription Access Control (IAM) Role Management | Good Criteria: The access control roles set for the subscription are granted as service-specific permissions (read-only) for each service. Vulnerable Criteria: The access control roles set for the subscription are granted with full service permissions (Owner, Contributor, User Access Administrator, Reader). |
| | Resource Group Access Control (IAM) Role Assignment | Good Criteria: Azure user permissions/groups are assigned roles appropriately according to their purpose. Vulnerable Criteria: Azure user permissions/groups are not assigned roles appropriately according to their purpose. |
| | AD User Role Permission Management | Good Criteria: AD administrative roles are granted appropriately according to business and service usage purposes. Vulnerable Criteria: AD administrative roles are not granted appropriately according to business and service usage purposes. |
| | Instance Service Access Policy Management | Good Criteria: Access control (IAM) for instance services is granted according to user roles. Vulnerable Criteria: Access control (IAM) for instance services is not granted according to user roles. |
| | Network Service Access Policy Management | Good Criteria: Access control (IAM) for network services is granted according to user roles. Vulnerable Criteria: Access control (IAM) for network services is not granted according to user roles. |
| | Other Service Access Policy Management | Good Criteria: Access control (IAM) for other services is granted according to user roles. Vulnerable Criteria: Access control (IAM) for other services is not granted according to user roles. |
| Virtual Resource Management | Virtual Network Resource Management | Good Criteria: Public IP addresses do not exist for resources that use only the internal network among connected devices. Vulnerable Criteria: Public IP addresses exist for resources that use only the internal network among connected devices. |
| | Internal Virtual Network Security Management | Good Criteria: Access control (VPN, Bastion) is applied when accessing internal resources. Vulnerable Criteria: Access control (VPN, Bastion) is not applied when accessing internal resources. |
| | Security Group Inbound/Outbound ANY Setting Management | Good Criteria: Ports in the security group's inbound/outbound rules are not allowed as "Any". Vulnerable Criteria: Ports in the security group's inbound/outbound rules are allowed as "Any". |
| | Security Group Inbound/Outbound Unnecessary Policy Management | Good Criteria: There are no unnecessary policies (Source, Destination) within the security group's inbound/outbound rules. Vulnerable Criteria: There are unnecessary policies (Source, Destination) within the security group's inbound/outbound rules. |
| | Firewall ANY Policy Setting Management | Good Criteria: Firewall policy rules (Source, Destination, Port) are not allowed as "Any". Vulnerable Criteria: Firewall policy rules (Source, Destination, Port) are allowed as "Any". |
| | Firewall Unnecessary Policy Management | Good Criteria: There are no unnecessary rules in the firewall policy. Vulnerable Criteria: There are unnecessary rules in the firewall policy. |
| | NAT Gateway Subnet Connection Management | Good Criteria: Only subnets that require public network access are connected. Vulnerable Criteria: Subnets that do not require public network access are connected. |
| | Storage Account Security Settings | Good Criteria: Secure transfer is enabled, the minimum TLS version is set to 1.2, and public access is blocked. Vulnerable Criteria: Secure transfer is disabled, the minimum TLS version is set below 1.2, or public access is not blocked. |
| | Storage Account Shared Access Signature Policy Management | Good Criteria: When using a shared access signature, the allowed permissions and IP addresses are minimally configured. Vulnerable Criteria: When using a shared access signature, the allowed permissions and IP addresses are not minimally configured. |
| Operations Management | Database Encryption Settings Management | Good Criteria: Transparent data encryption and data encryption features are enabled. Vulnerable Criteria: Transparent data encryption and data encryption features are not enabled. |
| | Storage Encryption Settings | Good Criteria: Encryption is configured using service-managed keys and customer-managed keys. Vulnerable Criteria: Encryption is not configured using service-managed keys and customer-managed keys. |
| | Disk Encryption Settings | Good Criteria: Encryption is configured using service-managed keys and customer-managed keys. Vulnerable Criteria: Encryption is not configured using service-managed keys and customer-managed keys. |
| | Encryption Settings for Communication Channels | Good Criteria: Encryption settings are applied within the communication channels of cloud resources. Vulnerable Criteria: Encryption settings are not applied within the communication channels of cloud resources. |
| | Key Vault Rotation Policy Management | Good Criteria: The rotation policy for user-managed keys is configured according to the standard (90 days). Vulnerable Criteria: The rotation policy for user-managed keys is not configured according to the standard (exceeding 90 days). |
| | AD Audit Log Settings | Good Criteria: An AD audit log retention policy exists. Vulnerable Criteria: An AD audit log retention policy does not exist. |
| | Instance Service Audit Log Settings | Good Criteria: An instance service log retention policy exists. Vulnerable Criteria: An instance service log retention policy does not exist. |
| | Network Service Audit Log Settings | Good Criteria: A network service log retention policy exists. Vulnerable Criteria: A network service log retention policy does not exist. |
| | Other Service Audit Log Settings | Good Criteria: A log retention policy exists for other services. Vulnerable Criteria: A log retention policy does not exist for other services. |
| | Resource Group Lock | Good Criteria: Resource locks are enabled for customer services (commercial) and operational services. Vulnerable Criteria: Resource locks are not enabled for customer services (commercial) and operational services. |
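As an added example (not part of the original checklist), the script below evaluates two of the Virtual Resource Management rows, Storage Account Security Settings and Security Group Inbound/Outbound ANY Setting Management, against resource JSON. Field names are assumed to follow Azure CLI output (`az storage account show`, `az network nsg rule list`); the sample records are constructed, not taken from a real tenant.

```python
"""Check constructed Azure resource JSON against the storage-account and
security-group criteria in the inspection table (field names assumed to
match Azure CLI output)."""

# Values treated as an unrestricted ("Any") port, source or destination.
# "Internet" is a service tag; it is counted as unrestricted here by assumption.
ANY_VALUES = {"*", "0.0.0.0/0", "internet"}


def check_storage_account(acct: dict) -> list[str]:
    """Return findings for one storage account; an empty list means it passes."""
    findings = []
    if not acct.get("supportsHttpsTrafficOnly", False):
        findings.append("secure transfer (HTTPS only) is disabled")
    tls = acct.get("minimumTlsVersion")
    if tls != "TLS1_2":
        findings.append(f"minimum TLS version is {tls or 'unset'}, expected TLS1_2")
    # Missing/None is flagged: the criterion requires public access to be blocked.
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob public access is not blocked")
    return findings


def check_nsg_rules(rules: list[dict]) -> list[str]:
    """Flag Allow rules whose port, source or destination is 'Any'."""
    findings = []
    for r in rules:
        if str(r.get("access", "")).lower() != "allow":
            continue  # Deny rules cannot open exposure
        wide = []
        # A rule carries either a single range or a list of ranges.
        ports = [r.get("destinationPortRange")] + list(r.get("destinationPortRanges") or [])
        if any(str(p).lower() in ANY_VALUES for p in ports):
            wide.append("port")
        if str(r.get("sourceAddressPrefix")).lower() in ANY_VALUES:
            wide.append("source")
        if str(r.get("destinationAddressPrefix")).lower() in ANY_VALUES:
            wide.append("destination")
        if wide:
            findings.append(f"{r['name']} ({r['direction']}): {', '.join(wide)} set to Any")
    return findings


# Constructed sample records: one non-compliant storage account, one NSG with
# a wide-open SSH rule and one properly scoped HTTPS rule.
SAMPLE_STORAGE = {"name": "stexamplelogs", "supportsHttpsTrafficOnly": True,
                  "minimumTlsVersion": "TLS1_0", "allowBlobPublicAccess": True}
SAMPLE_RULES = [
    {"name": "AllowSSHFromAnywhere", "direction": "Inbound", "access": "Allow",
     "destinationPortRange": "22", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"},
    {"name": "AllowHTTPSFromLB", "direction": "Inbound", "access": "Allow",
     "destinationPortRange": "443", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "10.0.1.0/24"},
]
```

Running `check_storage_account(SAMPLE_STORAGE)` yields two findings (TLS below 1.2, public access not blocked) and `check_nsg_rules(SAMPLE_RULES)` flags only the SSH rule.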