
Releases in 2020

September 2020 - v3.03.0

  • User Experience Improvements

    • Updated the Utilization dashboard: this release provides billing visibility into the consumed workload capacity. Customers and partners can now use the workload consumption data to calculate monthly/yearly invoices across all accounts in a license. Refer to the documentation.


    • Updated the Asset Security Dashboard so that asset visibility is aggregated at license level for asset compliance status and risk. Filtering options were added for asset type, region, compliance status, risk level and tags. Refer to the documentation.


    • GCP integration (preview): onboarding of GCP Projects and Organizations to Zscaler CSPM is now supported. Customers can now get the security and compliance posture for Identity and Access Management (IAM), Compute instances, Storage Buckets, Networks, etc. Refer to the documentation.

  • Platform & Stability Improvements

    • Updated the AWS data collection and processing mechanisms to use AWS Config to support large-scale requirements for the following AWS services.

    • Fixed the following bugs

      • Incorrect reference link on AWS onboarding health status for 'Z CSPM Agent on Kubernetes configuration for last execution'

      • After executing the IAM runbook, 4 policies are not visible on Cloud Security Best Practices and CIS

      • The policy "Ensure access keys are rotated every 90 days or less" is not working properly

      • CMMC logo missing on Features and Quotas under Compliance Frameworks for the "Cybersecurity Maturity Model Certification" benchmark

      • 'K8s Clusters' is misspelled on the Utilization dashboard

      • Remediation applicable flag is false for 'Ensure that Termination Protection feature is enabled for AWS CloudFormation stacks' policy

      • Associate K8s cluster screen is visible for M365 accounts

      • AWS::EC2::Windows2016::BaselinePolicy showing incorrect resource in Assets Security Page

      • Intermittent error on the Onboarding Health Status page for any cloud account (migrated license), specifically for Azure and AWS

      • Policy has a different control number on the CMMC benchmark

      • Data is not visible on the Summary table for previous months for all connector types when All Accounts is selected

      • Spelling error 'Regenearate' instead of 'Regenerate' on Onboarding health status page reference link

      • Incorrect resources for Virtual Network are displayed on the Policy Details page in CSBP

  • Updates to Security Policies & Benchmarks

    Added the following 63 new security policies for GCP cloud accounts

    Category Name Policy Name
    GCP - Identity and Access Management Ensure that corporate login credentials are used
    GCP - Identity and Access Management Ensure that multi-factor authentication is enabled for all non-service accounts
    GCP - Identity and Access Management Ensure that there are only GCP-managed service account keys for each service account
    GCP - Identity and Access Management Ensure that Service Account has no Admin privileges
    GCP - Identity and Access Management Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
    GCP - Identity and Access Management Ensure user-managed/external keys for service accounts are rotated every 90 days or less
    GCP - Identity and Access Management Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
    GCP - Identity and Access Management Ensure KMS encryption keys are rotated within a period of 90 days
    GCP - Identity and Access Management Ensure API keys are restricted to use by only specified Hosts and Apps
    GCP - Identity and Access Management Ensure API keys are restricted to only APIs that application needs access
    GCP - Identity and Access Management Ensure that corporate login credentials are used
    GCP - Identity and Access Management Ensure that Security Key Enforcement is enabled for all admin accounts
    GCP - Identity and Access Management Ensure that Separation of duties is enforced while assigning service account related roles to users
    GCP - Identity and Access Management Ensure that Separation of duties is enforced while assigning KMS related roles to users
    GCP - Identity and Access Management Ensure API keys are not created for a project
    GCP - Logging and Monitoring Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
    GCP - Logging and Monitoring Ensure that sinks are configured for all log entries
    GCP - Logging and Monitoring Ensure that retention policies on log buckets are configured using Bucket Lock
    GCP - Logging and Monitoring Ensure log metric filter and alerts exist for project ownership assignments/changes
    GCP - Logging and Monitoring Ensure that the log metric filter and alerts exist for Audit Configuration changes
    GCP - Logging and Monitoring Ensure that the log metric filter and alerts exist for Custom Role changes
    GCP - Logging and Monitoring Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes
    GCP - Logging and Monitoring Ensure that the log metric filter and alerts exist for VPC network route changes
    GCP - Logging and Monitoring Ensure that the log metric filter and alerts exist for VPC network changes
    GCP - Logging and Monitoring Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes
    GCP - Logging and Monitoring Ensure that the log metric filter and alerts exist for SQL instance configuration changes
    GCP - Networking Ensure that the default network does not exist in a project
    GCP - Networking Ensure legacy networks do not exist for a project
    GCP - Networking Ensure that DNSSEC is enabled for Cloud DNS
    GCP - Networking Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
    GCP - Networking Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
    GCP - Networking Ensure that SSH access is restricted from the internet
    GCP - Networking Ensure that RDP access is restricted from the Internet
    GCP - Networking Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network
    GCP - Networking Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
    GCP - Compute Ensure that instances are not configured to use the default service account
    GCP - Compute Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
    GCP - Compute Ensure "Block Project-wide SSH keys" is enabled for VM instances
    GCP - Compute Ensure oslogin is enabled for a Project
    GCP - Compute Ensure "Enable connecting to serial ports" is not enabled for VM Instance
    GCP - Compute Ensure that IP forwarding is not enabled on Instances
    GCP - Compute Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys
    GCP - Compute Ensure Compute instances are launched with Shielded VM enabled
    GCP - Compute Ensure that Compute instances do not have public IP addresses
    GCP - Compute Ensure that App Engine applications enforce HTTPS connections
    GCP - Storage and Database Ensure that Cloud Storage bucket is not anonymously or publicly accessible
    GCP - Storage and Database Ensure that Cloud Storage buckets have uniform bucket-level access enabled
    GCP - Storage and Database Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
    GCP - Storage and Database Ensure that Cloud SQL database instances are not open to the world
    GCP - Storage and Database Ensure that Cloud SQL database instances do not have public IPs
    GCP - Storage and Database Ensure that Cloud SQL database instances are configured with automated backups
    GCP - Storage and Database Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
    GCP - Storage and Database Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
    GCP - Storage and Database Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    GCP - Storage and Database Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    GCP - Storage and Database Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    GCP - Storage and Database Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    GCP - Storage and Database Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately
    GCP - Storage and Database Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on)
    GCP - Storage and Database Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
    GCP - Storage and Database Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
    GCP - Storage and Database Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
    GCP - Storage and Database Ensure that BigQuery datasets are not anonymously or publicly accessible
    • Updated Audit and Remediation steps for 42 Azure policies from the following categories

      • Azure - Business continuity and DR
      • Azure - Compute (PaaS and Serverless)
      • Azure - Data in Transit
      • Azure - Logging and Auditing
      • Azure - Storage and Databases
    • Updated Audit and Remediation steps for 213 AWS policies from the following categories

      • AWS - Identity and Access Management
      • AWS - Data In Transit Encryption
      • AWS - Compute
      • AWS - Networking
      • AWS - Business Continuity
      • AWS - Monitoring
      • AWS - Audit and Logging
      • AWS - Storage and Databases
      • AWS - Data Protection
      • AWS - Governance

August 2020 - v3.02.0

  • User Experience Improvements

    • Updated the Utilization dashboard with additional filters and UI updates.

      • Note: the Resource Trend graph will show data collected from scans by the latest version (3.02)
    • Updated the Onboarding Health Status page to include Kubernetes health status separated by cluster hosting type.

  • Platform & Stability Improvements

    • Updated the platform by deploying multiple instances (horizontal scaling) to support large-scale requirements across Cloud Service Providers (CSPs) such as Azure and AWS.

    • Fixed the following bugs

      1. Onboarding procedure link for Azure accounts redirected to Amazon EKS

      2. Health status check for AWS remediation re-sequenced and its link updated

      3. Blank Compliance Dashboard page is displayed after clicking on Cancel button of Add Cloud Account page.

      4. Mismatch in count of Security groups on AWS asset security dashboard

      5. Benchmark logo is not visible in PDF Report

      6. Audit logs are not generated when a user updates the ServiceNow/Zendesk configuration

      7. Docs: Incorrect URL resolution for docs links on Z-help page

      8. Incorrect resource count on Asset Security dashboard for Azure scaled account

      9. Fixed issues in Private Benchmark Collaboration

      10. Error "Invalid or expired token" when subscribing to the Marketplace paid offer and navigating to Cloudneeti

      11. Aggregated billing dashboard shows incorrect values for resource and user tiles

  • Updates to Security Policies & Benchmarks

    • Added the following benchmark for AWS, Azure, and Office 365 cloud accounts.

      • Cybersecurity Maturity Model Certification (CMMC)

    Deprecated the following 5 policies for the K8s baseline, as the data from the Cloud Service Provider API is deprecated

    Category Policy Title Connector Type
    Kubernetes - Control Plane Components - API Server VM Hosted - Ensure that the --encryption-provider-config argument is set as appropriate Azure
    Kubernetes - Control Plane Components - Controller Manager VM Hosted - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate Azure
    Kubernetes - Control Plane Components - API Server AKS Engine - Ensure that the --encryption-provider-config argument is set as appropriate Azure
    Kubernetes - Control Plane Components - API Server EC2-Instance Hosted - Ensure that the --encryption-provider-config argument is set as appropriate AWS
    Kubernetes - Control Plane Components - Controller Manager EC2-Instance Hosted - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate AWS

    Deprecated the following 2 policies for AWS, as an additional check needs to be added based on the API response

    Category Policy Title
    AWS - Audit and Logging Ensure Global resources are included into Amazon Config service configuration
    AWS - Identity and Access Management Ensure you do not allow unknown cross account access via permission policies to AWS Lambda functions

July 2020 - v3.01.0

  • User Experience Improvements

    • Updated product branding to the Zscaler theme across all pages, controls, email notifications, etc.

    • Updated the ‘Onboarding Health Status’ page to include new account-level checks for the AWS role and external ID, AWS remediation, and the Kubernetes CSP agent configuration. Refer to the documentation.

    • Added support for vulnerability solutions using AWS Inspector. Configuring AWS Inspector with the Common Vulnerability rule packages allows the platform to collect all the vulnerabilities associated with each EC2 instance. Refer to the documentation.

  • Platform & Stability Improvements

    • Fixed the following bugs
      • Asset Security dashboard takes a long time to load for large accounts
      • Duplicate resources and policy mismatch in LinuxVirtualMachine on Asset Security
      • Incorrect audit log when a user disables AWS Config based data collection
      • Azure application validity check should be the first entry in the Permissions section of the Onboarding Health Status page
      • Incorrect doc link on the O365 onboarding health status page
      • Control numbers not visible in CSV Report
      • Duplicate resources in Azure ADCertificate on Asset Security
      • ResourceTypes are missing on Asset Security
      • Missing resources for Blob container policies on Policy Details
      • Incorrect round-off values on the Aggregated Billing dashboard
      • Extra benchmarks returned by the GetBenchmarkList API for the Healthcare marketplace license
      • Resource search is not working on the Asset Security dashboard
      • Extra comma is visible at the end of the CVE ID for Vulnerability (Rapid7 and Qualys)
  • Updates to Security Policies & Benchmarks

    • Updated policy benchmark mappings for SOC2 - AICPA TSC 2017 for AWS, Azure, and Office 365 cloud accounts.

    Added the following 8 API Gateway resource-related policies for AWS accounts.

    Category Policy Title
    AWS - Audit and Logging Ensure that CloudWatch Log feature is enabled for Amazon API Gateway
    AWS - Audit and Logging Ensure that Detailed CloudWatch Metrics feature is enabled for Amazon API Gateway
    AWS - Compute Ensure that AWS X-Ray Tracing feature is enabled for Amazon API Gateway
    AWS - Data Protection Ensure that SSL certificates attached with Amazon API Gateway to verify HTTP requests made to backend system are from API Gateway service
    AWS - Storage and Databases Ensure that Content Encoding feature is enabled for Amazon API Gateway APIs
    AWS - Networking Ensure that Amazon API Gateway APIs accessible only through private API endpoints
    AWS - Data Protection Ensure that API Gateway client-side SSL certificate is renewed before expiration
    AWS - Networking Ensure that AWS WAF is integrated with Amazon API Gateway to protect APIs from common web exploits

    Added the following 193 OS hardening policies for Windows Server 2019 servers hosted in Azure cloud accounts

    Category name Policy Title
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Group Membership' is set to 'Success'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Authentication Policy Change' is set to 'Success'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Account Lockout' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Logon' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Credential Validation' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit System Integrity' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Special Logon' is set to 'Success'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit PNP Activity' is set to 'Success'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Logoff' is set to 'Success'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit User Account Management' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Security System Extension' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Security State Change' is set to 'Success'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Security Group Management' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Removable Storage' is set to 'Success and Failure'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Process Creation' is set to 'Success'
    Win OS-19 - Audit Policy Windows 2019 - Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Include command line in process creation events' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Disallow Digest authentication' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Require secure RPC communication' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Always prompt for password upon connection' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow input personalization' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Cortana' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Enable 'Turn on behavior monitoring'
    Win OS-19 - Registry Policy Windows 2019 - Enable 'Send file samples when further analysis is required' for 'Send Safe Samples'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not display the password reveal button' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Scan removable drives' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Search Service' is configured
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure SMB v1 server' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Devices: Allow undock without having to log on' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Detect change from default RDP port' is configured
    Win OS-19 - Registry Policy Windows 2019 - Configure 'Network access: Remotely accessible registry paths and sub-paths'
    Win OS-19 - Registry Policy Windows 2019 - Configure 'Network access: Remotely accessible registry paths'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enable insecure guest logons' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not use temporary folders per session' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not show feedback notifications' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not display network selection UI' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Basic authentication' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Continue experiences on this device' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Enable Windows NTP Client' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Always install with elevated privileges' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow user control over installs' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Private: Allow unicast response' is set to 'No'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Domain: Allow unicast response' is set to 'No'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Shutdown: Clear virtual memory pagefile' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Allow unicast response' is set to 'No'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Recovery console: Allow floppy copy and access to all drives and all folders' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'Yes'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Specify the interval to check for definition updates' is set to 'Enabled: 1'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
    Win OS-19 - Registry Policy Windows 2019 - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Password must meet complexity requirements' is set to 'Enabled'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Modify an object label' is set to 'No One'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Create permanent shared objects' is set to 'No One'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Maximum password age' is set to '70 or fewer days, but not 0'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Shut down the system' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny log on as a batch job' to include 'Guests'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Minimum password length' is set to '14 or more character(s)'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Load and unload device drivers' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Allow log on locally' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Take ownership of files or other objects' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Create a pagefile' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Create a token object' is set to 'No One'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Increase a process working set' is set to 'Users'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny log on as a service' to include 'Guests'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny log on locally' to include 'Guests'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Enforce password history' is set to '24 or more password(s)'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Force shutdown from a remote system' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Minimum password age' is set to '1 or more day(s)'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Lock pages in memory' is set to 'No One'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Back up files and directories' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Profile single process' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Restore files and directories' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Modify firmware environment values' is set to 'Administrators'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account'
    Win OS-19 - Security Policy Windows 2019 - Ensure 'Act as part of the operating system' is set to 'No One'

    Deprecated the following 30 policies in the OS baseline for Windows Server 2016, as the underlying data from the Microsoft API is deprecated

    Category Policy Title
    Win OS-16 - Audit Policy Ensure 'Audit Application Group Management' is set
    Win OS-16 - Audit Policy Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
    Win OS-16 - Audit Policy Ensure 'Audit Other System Events' is set to 'Success and Failure'
    Win OS-16 - Audit Policy Ensure 'Audit Authorization Policy Change' is set to 'Success'
    Win OS-16 - Audit Policy Audit IPsec Extended Mode
    Win OS-16 - Audit Policy Audit Detailed File Share
    Win OS-16 - Audit Policy Audit Filtering Platform Packet Drop
    Win OS-16 - Audit Policy Audit Kernel Object
    Win OS-16 - Audit Policy Audit IPsec Main Mode
    Win OS-16 - Audit Policy Audit File Share
    Win OS-16 - Audit Policy Audit IPsec Quick Mode
    Win OS-16 - Audit Policy Audit Filtering Platform Policy Change
    Win OS-16 - Audit Policy Audit Handle Manipulation
    Win OS-16 - Audit Policy Audit Network Policy Server
    Win OS-16 - Audit Policy Audit Central Access Policy Staging
    Win OS-16 - Audit Policy Audit Other Account Logon Events
    Win OS-16 - Audit Policy Audit Non Sensitive Privilege Use
    Win OS-16 - Audit Policy Audit Filtering Platform Connection
    Win OS-16 - Audit Policy Audit Application Generated
    Win OS-16 - Audit Policy Audit DPAPI Activity
    Win OS-16 - Audit Policy Audit File System
    Win OS-16 - Audit Policy Audit User/Device Claims
    Win OS-16 - Audit Policy Audit Policy: Detailed Tracking: Process Termination
    Win OS-16 - Audit Policy Audit Policy: Logon-Logoff: IPsec Main Mode
    Win OS-16 - Audit Policy Audit Process Termination
    Win OS-16 - Audit Policy Audit SAM
    Win OS-16 - Audit Policy Audit Registry
    Win OS-16 - Audit Policy Audit Other Policy Change Events
    Win OS-16 - Audit Policy Audit Other Privilege Use Events
    Win OS-16 - Audit Policy Audit RPC Events

    Deprecated the following 30 policies in the OS baseline for Windows Server 2012 R2, as the underlying data from the Microsoft API is deprecated

    Category Policy Title
    Win OS-12R2 - Audit Policy Ensure 'Audit Application Group Management' is set
    Win OS-12R2 - Audit Policy Ensure 'Audit Authorization Policy Change' is set to 'Success'
    Win OS-12R2 - Audit Policy Audit Policy: System: IPsec Driver
    Win OS-12R2 - Audit Policy Audit Policy: System: Other System Events
    Win OS-12R2 - Audit Policy Audit Central Access Policy Staging
    Win OS-12R2 - Audit Policy Audit Handle Manipulation
    Win OS-12R2 - Audit Policy Audit Kernel Object
    Win OS-12R2 - Audit Policy Audit File System
    Win OS-12R2 - Audit Policy Audit Detailed File Share
    Win OS-12R2 - Audit Policy Audit Filtering Platform Packet Drop
    Win OS-12R2 - Audit Policy Audit Non Sensitive Privilege Use
    Win OS-12R2 - Audit Policy Audit Network Policy Server
    Win OS-12R2 - Audit Policy Audit File Share
    Win OS-12R2 - Audit Policy Audit IPsec Main Mode
    Win OS-12R2 - Audit Policy Audit IPsec Quick Mode
    Win OS-12R2 - Audit Policy Audit Filtering Platform Policy Change
    Win OS-12R2 - Audit Policy Audit Filtering Platform Connection
    Win OS-12R2 - Audit Policy Audit Application Generated
    Win OS-12R2 - Audit Policy Audit IPsec Extended Mode
    Win OS-12R2 - Audit Policy Audit DPAPI Activity
    Win OS-12R2 - Audit Policy Audit Other Privilege Use Events
    Win OS-12R2 - Audit Policy Audit Other Account Logon Events
    Win OS-12R2 - Audit Policy Audit Policy: Detailed Tracking: Process Termination
    Win OS-12R2 - Audit Policy Audit RPC Events
    Win OS-12R2 - Audit Policy Audit Registry
    Win OS-12R2 - Audit Policy Audit User/Device Claims
    Win OS-12R2 - Audit Policy Audit Policy: Logon-Logoff: IPsec Main Mode
    Win OS-12R2 - Audit Policy Audit Other Policy Change Events
    Win OS-12R2 - Audit Policy Audit Process Termination
    Win OS-12R2 - Audit Policy Audit SAM

June 2020 - v3.00.0

  • User Experience Improvements

    • Initial release of product branding and logo updates. Various features, including landing pages, the login page, and email notifications, were updated to display Zscaler Cloud Security Posture Management (CSPM) branding.

    • Updated the 'Billing Dashboard' page to allow a CSV report download detailing utilization information for individual cloud accounts and at the aggregated license level.

    • Updated the Detailed Word report so that it can now be downloaded for Private Benchmarks.

    • Updated the 'Onboarding Health Status' page to include the prerequisite checks for the Azure Service Principal, the M365 Service Principal, and Partner Admin Link (PAL). Refer documentation.

    • Added integration with Rapid7's Azure vulnerability assessment solution. Customers running the Rapid7 VA solution on Azure can now visualize Rapid7-reported vulnerabilities on Cloudneeti’s Asset Security Posture dashboard. Refer documentation

  • Platform & Stability Improvements

    • Scale and stability improvements in data collection and processing by auto-scaling Cloudneeti’s backend databases.

    • Fixed the following bugs

      • AWS CloudTrail policies are not remediated in multi-account remediation
      • On updating the API App, the event type in audit logs displays 'Created' and 'Secret Regenerated for Connected App' instead of 'Updated'
      • Incorrect command in the Audit procedure for the 'Ensure packet redirect sending is disabled' policy
      • The 'Ensure syslog-ng service is enabled' policy passes even if syslog-ng is disabled
      • Incorrect remediation procedure for 'Ensure Audit Profile captures all the Activities'
      • Incorrect count of AWS OS baseline policies on the Onboarding Health Status page
      • Auto remediation is not working for new RDS resources deployed using a script
      • The details page for 'Windows 2012R2 - Ensure 'Restore files and directories' is set to 'Administrators'' cannot be opened
      • When the policy details resource table is scrolled horizontally, the cells move horizontally without the header
      • Ubuntu 18.04 & CentOS 7: the second command in the Audit procedure is not applicable for the mentioned policies
      • The 'Ubuntu 18.04 - Ensure RDS is disabled' policy passes even if the Audit procedure is not followed completely
      • The 'Ubuntu 18.04 - Ensure LDAP server is not enabled' policy fails even if the LDAP server is not enabled
      • Word report doesn't show manual, pre-requisite and override policies
      • Unable to download the Word report for an Azure Marketplace license
      • Audit and Remediation procedures not working for "Ensure sticky bit is set on all world-writable directories"

  • Updates to Security Policies & Benchmarks

    • CIS certified Cloudneeti for Red Hat Enterprise Linux 7

      • CIS Red Hat Enterprise Linux 7 Benchmark, v2.2.0, Level 1 - Server

      • CIS Red Hat Enterprise Linux 7 Benchmark, v2.2.0, Level 2 - Server

      • CIS Red Hat Enterprise Linux 7 Benchmark, v2.2.0, Level 1 - Workstation

      • CIS Red Hat Enterprise Linux 7 Benchmark, v2.2.0, Level 2 - Workstation

    • Updated policy benchmark mappings for PCI DSS 3.2.1 for AWS, Azure, and Office 365 cloud accounts.

    Added the following 10 S3 and networking resource-related policies for AWS accounts.

    Category Policy Title
    AWS - Networking Ensure that Data Trace logging is enabled for WebSocket APIs
    AWS - Networking Ensure that Access logging is enabled for WebSocket APIs
    AWS - Networking Ensure that Access-Control-Allow-Origin is not set to all sources for HTTP APIs
    AWS - Networking Ensure that Access-Control-Allow-Methods is set to specific methods and not * for HTTP APIs
    AWS - Networking Ensure that Access-Control-Allow-Headers is set to specific Header and not * for HTTP APIs
    AWS - Networking Ensure that Access-Control-Allow-Credentials is set to True for HTTP APIs
    AWS - Storage and Databases Ensure that Block public access to buckets and objects granted through new access control lists (ACLs) is turned on for S3 buckets
    AWS - Storage and Databases Ensure that Block public access to buckets and objects granted through any access control lists (ACLs) is turned on for S3 buckets
    AWS - Storage and Databases Ensure that Block public access to buckets and objects granted through new public bucket or access point policies is turned on for S3 buckets
    AWS - Storage and Databases Ensure that Block public and cross-account access to buckets and objects through any public bucket or access point policies are turned on for S3 buckets

June 2020 - v2.32.1

  • User Experience Improvements

    • Added new Cloudneeti APIs:

      • GetHealthStatus: provides the account health status for a given cloud account. Refer documentation

      • GetLicenseAccounts: provides a list of cloud accounts for a given license. Refer documentation

      • GetBenchmarkSummary: the Audit Summary Report API provides information on your compliance posture across various compliance standards. The filters available through the API let you view your status across different cloud accounts and benchmarks. Refer documentation

    • Updated the 'Billing Dashboard' page. This release provides aggregated billing visibility into the consumed resource capacity. Customers/Partners can now use the resource consumption data to calculate the monthly/yearly invoices across all accounts in a license. Refer documentation

    • Updated the ‘Onboarding Health Status’ page to include the account scan quota. It displays the consumed account scan quota along with the total available quota. Refer documentation

    • Added a Summary Word report, so the summary report can be downloaded in Word format in addition to the existing PDF report. Refer documentation

  • Platform & Stability Improvements

    • Fixed the following bugs

      • Incorrect resource count and fewer policies shown for S3 Buckets on the Asset Security dashboard
      • Incorrect Remediation procedure for 'Ensure Audit Profile captures all the Activities'
      • Search filters are not working on the Onboarding Health Status page

  • Updates to Security Policies & Benchmarks

    • CIS certified Cloudneeti for the following benchmarks

      • CIS Benchmark for Kubernetes v1.5.1, Level 1

      • CIS Benchmark for Kubernetes v1.5.1, Level 2

    • Updated policy benchmark mappings for NIST-CSF for AWS, Azure, and Office 365 cloud accounts.

    Added the following 9 ASG resource-related policies for AWS accounts.

    Category Policy Title
    AWS - Business Continuity Ensure that autoscaling group has a healthcheck type set to ELB
    AWS - Business Continuity Ensure that termination policy for instances in an ASG is in place
    AWS - Business Continuity Ensure that MaxInstanceLifetime of instances in an ASG is set
    AWS - Business Continuity Ensure that DeleteOnTermination is enabled for EBS volumes in ASG launch configurations
    AWS - Audit and Logging Ensure that Cloudwatch detailed monitoring is enabled in ASG launch configurations
    AWS - Data Protection Ensure that encrypted EBS volume is being used in ASG launch configurations
    AWS - Compute Ensure that EBS optimized instances are launched using ASG launch configurations
    AWS - Networking Ensure that security group in ASG launch configuration does not have SSH port open to the internet
    AWS - Networking Ensure that security group in ASG launch configuration does not have RDP port open to the internet

    Added the following 183 OS hardening policies for Windows Server 2016 servers hosted in an AWS cloud account

    Category Policy Title
    Win OS-16 - Registry Policy Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)
    Win OS-16 - Registry Policy Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)
    Win OS-16 - Registry Policy Ensure 'Synchronize directory service data' is set to 'No One' (DC only)
    Win OS-16 - Registry Policy Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
    Win OS-16 - Registry Policy Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)
    Win OS-16 - Registry Policy Ensure 'Debug programs' is set to 'Administrators'
    Win OS-16 - Audit Policy Ensure 'Deny access to this computer from the network' is set to 'Guests, Local account and member of Administrators group' (MS only)
    Win OS-16 - Registry Policy Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)
    Win OS-16 - Registry Policy Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)
    Win OS-16 - Registry Policy Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Account lockout duration' is set to '15 or more minute(s)'
    Win OS-16 - Registry Policy Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
    Win OS-16 - Registry Policy Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
    Win OS-16 - Registry Policy Ensure 'Enable screen saver' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'
    Win OS-16 - Registry Policy Ensure 'Password protect the screen saver' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'
    Win OS-16 - Registry Policy Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Prevent users from sharing files within their profile' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Prevent Codec Download' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)
    Win OS-16 - Registry Policy Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)
    Win OS-16 - Registry Policy Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)
    Win OS-16 - Registry Policy Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only)
    Win OS-16 - Registry Policy Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)
    Win OS-16 - Registry Policy Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)
    Win OS-16 - Registry Policy Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'
    Win OS-16 - Registry Policy Ensure 'Configure SMB v1 server' is set to 'Disabled'
    Win OS-16 - Audit Policy Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
    Win OS-16 - Audit Policy Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'
    Win OS-16 - Audit Policy Ensure 'WDigest Authentication' is set to 'Disabled'
    Win OS-16 - Audit Policy Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
    Win OS-16 - Audit Policy Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
    Win OS-16 - Audit Policy Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
    Win OS-16 - Audit Policy Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
    Win OS-16 - Audit Policy Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
    Win OS-16 - Registry Policy Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
    Win OS-16 - Audit Policy Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')
    Win OS-16 - Audit Policy Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
    Win OS-16 - Audit Policy Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'
    Win OS-16 - Audit Policy Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
    Win OS-16 - Audit Policy Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
    Win OS-16 - Audit Policy Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
    Win OS-16 - Audit Policy Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off printing over HTTP' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
    Win OS-16 - Security Policy Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)
    Win OS-16 - Security Policy Ensure 'Turn off picture password sign-in' is set to 'Enabled'
    Win OS-16 - Security Policy Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'
    Win OS-16 - Registry Policy Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Require pin for pairing' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Disable pre-release features or settings' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Do not allow drive redirection' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Turn on behavior monitoring' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Scan removable drives' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn on e-mail scanning' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'
    Win OS-16 - Registry Policy Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
    Win OS-16 - Registry Policy Ensure 'Prevent users from modifying settings' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'
    Win OS-16 - Registry Policy Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Configure Automatic Updates' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
    Win OS-16 - Registry Policy Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'
    Win OS-16 - Registry Policy Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'
    Win OS-16 - Registry Policy Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
    Win OS-16 - Registry Policy Ensure 'Allow Online Tips' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'
    Win OS-16 - Registry Policy Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
    Win OS-16 - Registry Policy Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'
    Win OS-16 - Registry Policy Ensure 'Enable Font Providers' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
    Win OS-16 - Registry Policy Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
    Win OS-16 - Registry Policy Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
    Win OS-16 - Registry Policy Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Turn off the advertising ID' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Allow Use of Camera' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'
    Win OS-16 - Registry Policy Ensure 'Turn off location' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Do not allow COM port redirection' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
    Win OS-16 - Registry Policy Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'
    Win OS-16 - Registry Policy Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'
    Win OS-16 - Registry Policy Ensure 'Join Microsoft MAPS' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Configure Watson events' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)
    Win OS-16 - Registry Policy Ensure 'Allow Remote Shell Access' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)
    Win OS-16 - Registry Policy Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)
    Win OS-16 - Registry Policy Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' (MS Only)
    Win OS-16 - Registry Policy Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (MS Only)
    Win OS-16 - Registry Policy Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' (MS Only)
    Win OS-16 - Registry Policy Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' (MS Only)
    Win OS-16 - Registry Policy Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)
    Win OS-16 - Registry Policy Ensure 'Audit Distribution Group Management' is set to 'Success and Failure' (DC only)
    Win OS-16 - Registry Policy Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'
    Win OS-16 - Registry Policy Ensure 'Audit Computer Account Management' is set to 'Success and Failure'
    Win OS-16 - Registry Policy Ensure 'Audit Security Group Management' is set to 'Success and Failure'
    Win OS-16 - Registry Policy Ensure 'Audit Process Creation' is set to 'Success'
    Win OS-16 - Registry Policy Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'
    Win OS-16 - Registry Policy Ensure 'Audit Security System Extension' is set to 'Success and Failure'
    Win OS-16 - Registry Policy Ensure 'Audit System Integrity' is set to 'Success and Failure'
    Win OS-16 - Registry Policy Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)
    Win OS-16 - Registry Policy Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)
    Win OS-16 - Registry Policy Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
    Win OS-16 - Registry Policy Configure 'Accounts: Rename administrator account'
    Win OS-16 - Registry Policy Configure 'Accounts: Rename guest account'
    Win OS-16 - Registry Policy Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'
    Win OS-16 - Registry Policy Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
    Win OS-16 - Registry Policy Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
    Win OS-16 - Registry Policy Configure 'Interactive logon: Message text for users attempting to log on'
    Win OS-16 - Registry Policy Configure 'Interactive logon: Message title for users attempting to log on'
    Win OS-16 - Registry Policy Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
    Win OS-16 - Registry Policy Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)
    Win OS-16 - Registry Policy Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
    Win OS-16 - Registry Policy Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)
    Win OS-16 - Registry Policy Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'
    Win OS-16 - Registry Policy Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
    Win OS-16 - Registry Policy Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)
    Win OS-16 - Registry Policy Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
    Win OS-16 - Registry Policy Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'

June 2020 - v2.31.1

  • User Experience Improvements

    • Added the 'Billing Dashboard' page. This release provides billing visibility into the consumed resource capacity. Customers/Partners can now use the resource consumption data to calculate their monthly/yearly invoices. Refer to the documentation.

    • Updated the 'Onboarding Health Status' page to include a customer prerequisite: AWS Config must be enabled on the onboarded AWS accounts. Refer to the documentation.

    • Updated the Asset Security page for “Total Resources” and “Protected Total Resources”

  • Platform & Stability Improvements

    • Fixed following bugs

      • Error on the Benchmark summary page when the user switches between accounts before the page loads

      • Benchmark logo is missing on the Features and Quotas page for "Center for Internet Security Microsoft Windows Server 2016 Benchmark v1.0.0 [preview]".

      • A few categories are not visible on the Private Benchmark summary page even after they have been added

  • Updates to Security Policies & Benchmarks 

    • Updated the 'Ensure Advanced Threat Protection safe links policy is enabled' policy for M365 to be marked as Manual, because the compliance status was not reflecting correct results from the Agent.

    • Added the new security benchmark “Center for Internet Security Microsoft Windows Server 2016 Benchmark v1.0.0” for AWS cloud accounts

    • Added the new security benchmark “Unclassified - Naval Nuclear Propulsion Information (U-NNPI)” for workloads (including Cloud Resources, IAM, OS Baselines and Kubernetes clusters) in the following cloud accounts:

      • Azure

      • AWS

      • M365

    Added the following 167 new OS hardening policies for Windows Server 2016 servers hosted in AWS cloud accounts

    Category                      Policy Title
    Win OS-16 - Registry Policy   Ensure 'Include command line in process creation events' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Disallow Digest authentication' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
    Win OS-16 - Registry Policy   Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Do not display the password reveal button' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
    Win OS-16 - Registry Policy   Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
    Win OS-16 - Registry Policy   Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
    Win OS-16 - Registry Policy   Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Require secure RPC communication' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
    Win OS-16 - Registry Policy   Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Allow Basic authentication' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Allow user control over installs' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
    Win OS-16 - Registry Policy   Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
    Win OS-16 - Registry Policy   Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'
    Win OS-16 - Registry Policy   Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
    Win OS-16 - Registry Policy   Configure 'Network access: Remotely accessible registry paths and sub-paths'
    Win OS-16 - Registry Policy   Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
    Win OS-16 - Registry Policy   Configure 'Network access: Remotely accessible registry paths'
    Win OS-16 - Registry Policy   Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
    Win OS-16 - Registry Policy   Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
    Win OS-16 - Registry Policy   Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
    Win OS-16 - Registry Policy   Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
    Win OS-16 - Registry Policy   Ensure 'Always install with elevated privileges' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
    Win OS-16 - Registry Policy   Ensure 'Enable insecure guest logons' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Enable Windows NTP Client' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'
    Win OS-16 - Registry Policy   Ensure 'Turn off multicast name resolution' is set to 'Enabled' (MS Only)
    Win OS-16 - Registry Policy   Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)
    Win OS-16 - Registry Policy   Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Allow input personalization' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Continue experiences on this device' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Do not show feedback notifications' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Shut down the system' is set to 'Administrators'
    Win OS-16 - Registry Policy   Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)
    Win OS-16 - Registry Policy   Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
    Win OS-16 - Registry Policy   Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
    Win OS-16 - Registry Policy   Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
    Win OS-16 - Registry Policy   Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Always prompt for password upon connection' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Do not use temporary folders per session' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Allow unencrypted traffic' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)
    Win OS-16 - Registry Policy   Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)
    Win OS-16 - Registry Policy   Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
    Win OS-16 - Registry Policy   Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
    Win OS-16 - Registry Policy   Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
    Win OS-16 - Registry Policy   Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Do not display network selection UI' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
    Win OS-16 - Registry Policy   Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
    Win OS-16 - Registry Policy   Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
    Win OS-16 - Security Policy   Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)
    Win OS-16 - Security Policy   Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
    Win OS-16 - Security Policy   Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)
    Win OS-16 - Security Policy   Ensure 'Create symbolic links' is set to 'Administrators' (DC only)
    Win OS-16 - Security Policy   Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)
    Win OS-16 - Security Policy   Ensure 'Modify an object label' is set to 'No One'
    Win OS-16 - Security Policy   Ensure 'Enforce password history' is set to '24 or more password(s)'
    Win OS-16 - Security Policy   Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
    Win OS-16 - Security Policy   Ensure 'Minimum password age' is set to '1 or more day(s)'
    Win OS-16 - Security Policy   Ensure 'Minimum password length' is set to '14 or more character(s)'
    Win OS-16 - Security Policy   Ensure 'Password must meet complexity requirements' is set to 'Enabled'
    Win OS-16 - Security Policy   Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
    Win OS-16 - Security Policy   Ensure 'Act as part of the operating system' is set to 'No One'
    Win OS-16 - Security Policy   Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
    Win OS-16 - Security Policy   Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
    Win OS-16 - Security Policy   Ensure 'Back up files and directories' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Create a pagefile' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'
    Win OS-16 - Security Policy   Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
    Win OS-16 - Security Policy   Ensure 'Create a token object' is set to 'No One'
    Win OS-16 - Security Policy   Ensure 'Deny log on as a batch job' to include 'Guests'
    Win OS-16 - Security Policy   Ensure 'Create permanent shared objects' is set to 'No One'
    Win OS-16 - Security Policy   Ensure 'Deny log on locally' to include 'Guests'
    Win OS-16 - Security Policy   Ensure 'Deny log on as a service' to include 'Guests'
    Win OS-16 - Security Policy   Ensure 'Load and unload device drivers' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
    Win OS-16 - Security Policy   Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Lock pages in memory' is set to 'No One'
    Win OS-16 - Security Policy   Ensure 'Restore files and directories' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Profile single process' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Take ownership of files or other objects' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Modify firmware environment values' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)
    Win OS-16 - Security Policy   Ensure 'Force shutdown from a remote system' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
    Win OS-16 - Security Policy   Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests' (DC only)
    Win OS-16 - Security Policy   Ensure 'Increase scheduling priority' is set to 'Administrators'
    Win OS-16 - Security Policy   Ensure 'Deny access to this computer from the network' is set to 'Guests' (DC only)
    Win OS-16 - Security Policy   Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)
    Win OS-16 - Security Policy   Ensure 'Allow log on locally' is set to 'Administrators'
    Win OS-16 - Audit Policy      Ensure 'Audit Account Lockout' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit Special Logon' is set to 'Success'
    Win OS-16 - Audit Policy      Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit Authorization Policy Change' is set to 'Success'
    Win OS-16 - Audit Policy      Ensure 'Audit Removable Storage' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit Group Membership' is set to 'Success'
    Win OS-16 - Audit Policy      Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit Logoff' is set to 'Success'
    Win OS-16 - Audit Policy      Ensure 'Audit User Account Management' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit Other System Events' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit Logon' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit Security State Change' is set to 'Success'
    Win OS-16 - Audit Policy      Ensure 'Audit Application Group Management' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
    Win OS-16 - Audit Policy      Ensure 'Audit PNP Activity' is set to 'Success'
    Win OS-16 - Audit Policy      Ensure 'Audit Authentication Policy Change' is set to 'Success'

May 2020 - v2.30.1

  1. User Experience Improvements

    • None
  2. Platform & Stability Improvements

    • Microsoft Azure

      • Updated Azure data collection and processing mechanisms to use the Azure Resource Graph API to support massive-scale requirements for the following Azure services.

        • Virtual Machine

        • Storage Account

        • COSMOS DB

        • MySQLDatabaseServer

    • Amazon Web Services

      • New AWS account onboarding using AWS Config: AWS account onboarding now supports AWS Config for bulk data collection from AWS accounts. This change allows customers with a large number of cloud resources to be onboarded to Cloudneeti.

        Details: AWS Config enables you to assess, audit and evaluate the configurations of your AWS resources. Using the AWS Config APIs, Cloudneeti can now pull resource configuration metadata at scale. This optional onboarding configuration is used by default for accounts with a larger number of resources. Refer documentation for more details here

      • Updated AWS data collection and processing mechanisms to use AWS Config to support massive-scale requirements for the following AWS services.

        • AWS::EC2::Instance

        • AWS::EC2::Volume

        • AWS::EC2::SecurityGroup

        • AWS::S3::Bucket

    • Fixed following bugs

      • AWS k8s benchmark 'CIS K8s v1.5.0' is missing its benchmark logo

      • Duplicate resources are visible on policy details for 'Ensure that Windows Virtual - Machines are always AD Domain joined'

      • The 'Enable audit data recording' policy for M365 is marked as Manual even though it is a Prerequisite, and the prerequisite steps are missing from the specification

  3. Updates to Security Policies & Benchmarks

    Added the following 44 AWS Red Hat Enterprise Linux (RHEL) VM Baseline policies

    Category | Policy name
    RHEL 7 - Initial Setup | Ensure bootloader password is set
    RHEL 7 - Initial Setup | Ensure authentication required for single user mode
    RHEL 7 - Initial Setup | Ensure separate partition exists for /tmp
    RHEL 7 - Initial Setup | Ensure separate partition exists for /var
    RHEL 7 - Initial Setup | Ensure separate partition exists for /var/tmp
    RHEL 7 - Initial Setup | Ensure separate partition exists for /var/log
    RHEL 7 - Initial Setup | Ensure separate partition exists for /var/log/audit
    RHEL 7 - Initial Setup | Ensure separate partition exists for /home
    RHEL 7 - Initial Setup | Ensure mounting of FAT filesystems is disabled
    RHEL 7 - Initial Setup | Ensure GDM login banner is configured
    RHEL 7 - Initial Setup | Ensure message of the day is configured properly
    RHEL 7 - Services | Ensure mail transfer agent is configured for local-only mode
    RHEL 7 - Network Configuration | Ensure /etc/hosts.allow is configured
    RHEL 7 - Network Configuration | Ensure /etc/hosts.deny is configured
    RHEL 7 - Network Configuration | Ensure permissions on /etc/hosts.allow are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure access to the su command is restricted
    RHEL 7 - Access, Authentication and Authorization | Ensure permissions on /etc/crontab are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure permissions on /etc/cron.hourly are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure permissions on /etc/cron.daily are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure permissions on /etc/cron.weekly are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure permissions on /etc/cron.monthly are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure permissions on /etc/cron.d are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure permissions on /etc/ssh/sshd_config are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure password creation requirements are configured
    RHEL 7 - Access, Authentication and Authorization | Ensure system accounts are non-login
    RHEL 7 - Access, Authentication and Authorization | Ensure inactive password lock is 30 days or less
    RHEL 7 - System Maintenance | Ensure permissions on /etc/passwd are configured
    RHEL 7 - System Maintenance | Ensure permissions on /etc/shadow are configured
    RHEL 7 - System Maintenance | Ensure permissions on /etc/group are configured
    RHEL 7 - System Maintenance | Ensure permissions on /etc/gshadow are configured
    RHEL 7 - System Maintenance | Ensure permissions on /etc/passwd- are configured
    RHEL 7 - System Maintenance | Ensure password fields are not empty
    RHEL 7 - System Maintenance | Ensure root PATH Integrity
    RHEL 7 - System Maintenance | Ensure all users' home directories exist
    RHEL 7 - System Maintenance | Ensure users' home directories permissions are 750 or more restrictive
    RHEL 7 - System Maintenance | Ensure users own their home directories
    RHEL 7 - System Maintenance | Ensure users' dot files are not group or world writable
    RHEL 7 - System Maintenance | Ensure users' .netrc Files are not group or world accessible
    RHEL 7 - System Maintenance | Ensure no users have .rhosts files
    RHEL 7 - System Maintenance | Ensure all groups in /etc/passwd exist in /etc/group
    RHEL 7 - System Maintenance | Ensure no duplicate UIDs exist
    RHEL 7 - System Maintenance | Ensure no duplicate GIDs exist
    RHEL 7 - System Maintenance | Ensure no duplicate user names exist
    RHEL 7 - System Maintenance | Ensure no duplicate group names exist
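
    The "System Maintenance" rows above are account-hygiene checks that can be evaluated directly from the three account databases. The script below is an added example, not Cloudneeti's own scanner code: it implements seven of those checks (empty password fields; duplicate UIDs, GIDs, user names and group names; passwd groups missing from /etc/group; and system accounts that still have a login shell) over /etc/passwd, /etc/shadow and /etc/group content constructed for the example and embedded inline. The UID_MIN threshold, the no-login shell list and the accounts exempted from the non-login rule are the example's own assumptions, taken from the usual RHEL 7 defaults.

```python
"""
Added example (not Cloudneeti's scanner code): evaluate several of the RHEL 7
'System Maintenance' baseline checks against /etc/passwd, /etc/shadow and
/etc/group content. The file contents are constructed for the example; on a
real host you would read the three files instead.
"""
from collections import Counter

# Constructed sample files. Each deliberately contains at least one finding.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
operator:x:11:0:operator:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
bob:x:1003:1003:Bob again:/home/bob2:/bin/bash
dave:x:1004:2000:Dave:/home/dave:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$hashvalue:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
operator:*:18000:0:99999:7:::
alice:$6$saltsalt$hashvalue:18000:0:99999:7:::
bob::18000:0:99999:7:::
carol:$6$saltsalt$hashvalue:18000:0:99999:7:::
dave:$6$saltsalt$hashvalue:18000:0:99999:7:::
"""

GROUP = """\
root:x:0:
bin:x:1:
daemon:x:2:
wheel:x:10:
staff:x:10:
alice:x:1000:
bob:x:1001:
carol:x:1002:
bob:x:1003:
"""

# Assumption: accounts below this UID are system accounts (UID_MIN on RHEL 7).
UID_MIN = 1000
# Assumption: root and the shutdown helpers may keep a shell despite a low UID.
LOGIN_ALLOWED_SYSTEM_ACCOUNTS = {"root", "sync", "shutdown", "halt"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_colon_file(text):
    """Split a passwd/shadow/group style file into lists of fields."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def duplicates(values):
    """Return the values that occur more than once, sorted."""
    return sorted(v for v, n in Counter(values).items() if n > 1)


def run_checks(passwd=PASSWD, shadow=SHADOW, group=GROUP):
    """Map each check title to its list of findings (empty list means Pass)."""
    pw, sh, gr = map(parse_colon_file, (passwd, shadow, group))
    group_gids = {g[2] for g in gr}
    return {
        "Ensure password fields are not empty":
            sorted(s[0] for s in sh if s[1] == ""),
        "Ensure no duplicate UIDs exist": duplicates(p[2] for p in pw),
        "Ensure no duplicate GIDs exist": duplicates(g[2] for g in gr),
        "Ensure no duplicate user names exist": duplicates(p[0] for p in pw),
        "Ensure no duplicate group names exist": duplicates(g[0] for g in gr),
        "Ensure all groups in /etc/passwd exist in /etc/group":
            sorted({p[3] for p in pw} - group_gids),
        "Ensure system accounts are non-login":
            sorted(p[0] for p in pw
                   if int(p[2]) < UID_MIN
                   and p[0] not in LOGIN_ALLOWED_SYSTEM_ACCOUNTS
                   and p[6] not in NOLOGIN_SHELLS),
    }


def statuses(findings):
    """Collapse findings into the Pass/Fail status a policy dashboard would show."""
    return {title: "Pass" if not items else "Fail" for title, items in findings.items()}


if __name__ == "__main__":
    for title, items in run_checks().items():
        print(f"{'Pass' if not items else 'Fail':4}  {title}  {items}")
```

    Each check returns the offending entries rather than a bare boolean, so a dashboard can show both the status and the evidence behind it. On a live host, pass the real file contents to run_checks; reading /etc/shadow requires root.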

    Added the following 2 new security policies for AWS cloud accounts

    Category | Policy name
    AWS - Compute | Ensure that EC2 instances provisioned in your AWS account are not associated with security groups that have their name prefixed with 'launch-wizard'
    AWS - Storage and Databases | Ensure that AWS S3 buckets use Object Lock for data protection and/or regulatory compliance

    Updated the following 3 M365 policies to automatically collect data from Microsoft 365 using an automation account (PS).

    Category | Policy name
    M365 - Data | Enable audit data recording
    M365 - Data | Ensure Advanced Threat Protection safe attach policy is Enabled
    M365 - Data | Ensure Advanced Threat Protection safe links policy is Enabled

    Marked the following 10 AWS policies as Manual, since the AWS Config API does not currently support them

    Category | Policy name
    AWS - Compute | Ensure all AWS EC2 instances are launched from approved AMIs
    AWS - Compute | Ensure no backend EC2 instances are running in public subnets
    AWS - Compute | Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices
    AWS - Compute | Ensure that there are no AWS EC2 instances that have scheduled events
    AWS - Compute | Ensure that the security group(s) associated with an EC2 instance does not have an excessive number of rules defined
    AWS - Compute | Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs
    AWS - Compute | "Ensure no EC2 security group allows inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices"
    AWS - Data In Transit Encryption | Ensure EBS volumes are encrypted with KMS CMKs in order to have full control over data encryption and decryption
    AWS - Audit and Logging | Ensure that Object level write event log is enabled for S3 bucket
    AWS - Audit and Logging | Ensure that Object level read event log is enabled for S3 bucket

April 2020 - v2.29.1

  1. User Experience Improvements

    • New Cloudneeti API: Added an API to get the list of benchmarks for a cloud account. This API is useful for listing all benchmarks supported for a given cloud account. Refer documentation for more details here

    • New Account onboarding health-status page (Preview): Added a new page that displays the health status of an onboarded cloud account. For customers/partners managing a large number of cloud accounts, the feature provides insight into the state of each cloud account onboarded to Cloudneeti, such as missing permissions, prerequisites, etc. Refer documentation for more details here

    • Updates to AWS Remediation framework: Released a new version of the AWS Remediation framework, which includes new sets of auto-remediation policies for AWS accounts. Existing customer deployments will need to be upgraded to the new version of the AWS remediation framework. Refer documentation for more details here

    • New Security Policy Status: Policies that are overridden using the policy governance features released in v2.28 will now be marked with status “Policy(O)”, indicating a Pass due to an Override. Refer documentation for more details here

      • Pass(O) – a security policy whose status the customer has overridden to Pass.
    • New Risk Status: Cloudneeti provides various security policies that must be governed manually, either because no automation is available or because they relate to a process or procedure that cannot be deduced automatically. Since deduction is not automatic, the risk likelihood calculations mark them as “Undetermined”. This is available on the “Risk” dashboard and in “Cloud Security Best Practices”. Refer documentation for more details here

      • Undetermined – security policies with status ‘No Resources’, ‘Manual’, ‘Prerequisite’ or ‘Excluded’ are marked with this risk likelihood.
  2. Platform & Stability Improvements

    • Fixed following bugs

      • "Ensure that the --insecure-bind-address argument is not set" is duplicated in the benchmark categories Kubernetes - API Server and Kubernetes - etcd
      • Getting 'No resources' even if 'Storage Account Key Operator Service' role is assigned and storage accounts are also present

      • Duplicate manual policies are visible with status Manual and 'No resources' for private benchmark

  3. Policies & Benchmarks Additions/Updates

    • Updated policy benchmark mappings for NIST SP 800-53 Rev. 4, ISO/IEC 27001 for AWS, Azure and Office 365 cloud accounts.

    • Added support for Amazon Elastic Kubernetes Service (Amazon EKS): Cloudneeti includes CIS recommendations for AWS EKS workloads. Customers deploy a Cloudneeti Docker agent to the EKS Kubernetes cluster. Cloudneeti provides automated CIS hardening policies and out-of-box mappings for all 13+ compliance frameworks included in the product.

      Refer documentation for more details here

    Added the following 21 AWS Elastic Kubernetes Service (EKS) related policies

    Category Name | Policy Title
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet service file has permissions of 644 or more restrictive
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet service file ownership is set to root:root
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the proxy kubeconfig file ownership is set to root:root
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet.conf file permissions are set to 644 or more restrictive
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet.conf file ownership is set to root:root
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the client certificate authorities file ownership is set to root:root
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet configuration file ownership is set to root:root
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --anonymous-auth argument is set to false
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --authorization-mode argument is not set to AlwaysAllow
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --client-ca-file argument is set as appropriate
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --read-only-port argument is set to 0
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --protect-kernel-defaults argument is set to true
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --make-iptables-util-chains argument is set to true
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --hostname-override argument is not set
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --rotate-certificates argument is not set to false
    Kubernetes - Worker Nodes - Kubelet | Ensure that the RotateKubeletServerCertificate argument is set to true
    Kubernetes - Worker Nodes - Kubelet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers

    Added the following 25 manual policies for Azure

    Category | Policy name
    Azure - Kubernetes & Containers | Ensure that credentials of service principal used for Container Registry are stored in Key Vault
    Azure - Kubernetes & Containers | Ensure that Container Registry has latest/patched image(s) all the time
    Azure - Kubernetes & Containers | Ensure that Activity logs for Data Container Registry are reviewed periodically
    Azure - Kubernetes & Containers | Ensure that only signed images are pushed to Container Registry
    Azure - Kubernetes & Containers | Ensure that a service principal is used to access container images in Container Registry
    Azure - Kubernetes & Containers | Ensure that all users/identities are granted minimum required permissions using Role Based Access Control (RBAC)
    Azure - Kubernetes & Containers | Ensure that management ports are not kept open on Kubernetes nodes unless required
    Azure - Kubernetes & Containers | Ensure that cluster admin level access is not directly or indirectly granted to developers
    Azure - Kubernetes & Containers | Ensure that container images (including nested images) deployed in Kubernetes are from a trustworthy source
    Azure - Kubernetes & Containers | Ensure that default cluster namespace is not used to deploy applications
    Azure - Kubernetes & Containers | Ensure that all Kubernetes Service secrets are stored in Key Vault
    Azure - Kubernetes & Containers | Ensure that all the Kubernetes cluster nodes have all the required OS patches installed
    Azure - Kubernetes & Containers | Ensure that Pod Identity is used for accessing other AAD(Azure Active Directory)-protected resources from the Kubernetes Service
    Azure - Kubernetes & Containers | Ensure that issues/recommendations provided by kube advisor are reviewed periodically
    Azure - Kubernetes & Containers | Ensure that data transit inside/across Kubernetes are using encrypted channel
    Azure - Kubernetes & Containers | Ensure that all users/identities are granted minimum required permissions using Role Based Access Control (RBAC)
    Azure - Storage and Databases | Ensure that secrets and keys must not be in plain text in notebooks and jobs
    Azure - Storage and Databases | Ensure that use Azure Key Vault backed secret scope to hold secrets
    Azure - Storage and Databases | Ensure that all users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)
    Azure - Storage and Databases | Ensure that Minimize the number of workspace admins
    Azure - Storage and Databases | Ensure that All users must be granted minimum required permissions on clusters
    Azure - Storage and Databases | Ensure that the parameterized SQL queries used to access the database
    Azure - Storage and Databases | Ensure that CosmosDb Account keys are rotated periodically
    Azure - Storage and Databases | Ensure that resource tokens are generated with least privileges and expiry needed by clients
    Azure - Storage and Databases | Do not send resource token with read write (RW) permission to untrusted clients

    Updated the following 16 M365 policies to automatically collect data from the Microsoft 365 security APIs.

    Category Name | Policy Name
    M365 - Device | Create a Microsoft Intune Compliance Policy for iOS
    M365 - Device | Create a Microsoft Intune Compliance Policy for Android
    M365 - Device | Create a Microsoft Intune Compliance Policy for Android for Work
    M365 - Device | Create a Microsoft Intune Compliance Policy for Windows
    M365 - Device | Create a Microsoft Intune Compliance Policy for macOS
    M365 - Device | Create a Microsoft Intune App Protection Policy for iOS
    M365 - Device | Create a Microsoft Intune App Protection Policy for Android
    M365 - Device | Create a Microsoft Intune Windows Information Protection Policy
    M365 - Device | Create a Microsoft Intune Configuration Profile for iOS
    M365 - Device | Create a Microsoft Intune Configuration Profile for Android
    M365 - Device | Create a Microsoft Intune Configuration Profile for Android for Work
    M365 - Device | Create a Microsoft Intune Configuration Profile for Windows
    M365 - Device | Create a Microsoft Intune Configuration Profile for macOS
    M365 - Device | Require mobile devices to manage email profile
    M365 - Device | Ensure that users cannot connect from devices that are jail broken or rooted
    M365 - Device | Enable Enhanced Jailbreak Detection in Microsoft Intune

    Added the following 33 AWS security policies for auto-remediation

    Policy Title
    Ensure AWS Neptune clusters have a sufficient backup retention period set for compliance purposes
    Ensure IAM Database Authentication feature is enabled for Amazon Neptune clusters
    Ensure Amazon Neptune instances have Auto Minor Version Upgrade feature enabled
    Ensure Log Exports feature is enabled for RDS Aurora MySQL Serverless Cluster
    Ensure Log Exports feature is enabled for RDS MySQL Instance
    Ensure Log Exports feature is enabled for RDS Mariadb Instance
    Ensure Log Exports feature is enabled for Aurora cluster
    Ensure Log Exports feature is enabled for Oracle instances
    Ensure Auto Minor Version Upgrade feature is Enabled for RDS MySQL Instances
    Ensure backup retention policy is set for RDS MySQL Instances
    Ensure that Copy Tags to Snapshots feature is enabled for RDS MySQL Instances
    Ensure Deletion Protection feature is enabled for RDS MySQL Instances
    Ensure Performance Insights feature is enabled for RDS MySQL Instances
    Ensure that public access is not given to RDS MySQL Instance
    Ensure Multi-AZ feature is Enabled for RDS MySQL Instance
    Ensure that sufficient backup retention period is applied to RDS MySQL Instances
    Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor closely
    Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs
    Ensure Amazon Auto Scaling Groups are utilizing cooldown periods
    Ensure Global resources are included into Amazon Config service configuration
    Ensure Amazon DynamoDB tables have continuous backups enabled
    Ensure that Server-Side Encryption is enabled for Amazon SQS queues
    Ensure that Termination Protection feature is enabled for AWS CloudFormation stacks
    Ensure that CloudTrail trail have logging enabled
    Ensure that Amazon S3 buckets use Transfer Acceleration feature for faster data transfers
    Ensure that S3 buckets are not publicly accessible
    Ensure IAM Database Authentication feature is enabled for RDS Postgre Instances
    Ensure IAM Database Authentication feature is enabled for RDS Aurora Cluster
    Ensure IAM Database Authentication feature is enabled for RDS MySQL Instances
    Ensure that Amazon RDS database snapshots are not accessible to all AWS accounts
    Ensure Amazon Kinesis streams enforce Server-Side Encryption (SSE)
    Ensure to enable FIPS standards on the server side for RDS MySQL Instance --not applicable for rds instance using default parameter group
    Ensure that latest block encryption algorithms is used for RDS MySQL Instance --not applicable for rds instance using default parameter group

April 2020 - v2.28.1

  1. User Experience Improvements

    • Azure Security Center Push Integration (Preview): The integration between Azure Security Center and Cloudneeti gives customers a seamless experience in protecting their Azure environments against cyber-threats and mitigating compliance risk. The Cloudneeti application pushes custom recommendations, with assessment data for the Azure cloud account(s), to Microsoft Azure Security Center. Refer documentation for more details here.

    • Override security policy status: Cloudneeti allows admin users to override the status of a security policy. After evaluating the risk associated with a policy's compliance, customers/auditors can decide to override the policy to meet internal governance needs. Options are available to indicate third-party compensating controls and time-bound exceptions that exclude policies. Overriding a policy status indicates that you have completed its resolution; done without caution, this carries an inherent security risk. The new resolution status takes effect at the cloud account level across all benchmarks after the next successful cloud account scan. Refer documentation for more details here.

    • Added support for Azure Kubernetes Service (AKS): Cloudneeti includes and extends the Azure Security Center recommendations for AKS by deploying a Cloudneeti agent to the Azure Kubernetes cluster. A Docker container agent is deployed to collect data for the additional security policies. Cloudneeti then provides out-of-box mappings for all 13+ compliance frameworks included in the product. Refer documentation for more details here.

    • Security Policy Status: Added new policy statuses to provide more clarity to the security posture. This helps enterprise customers, MSPs and large risk auditors to conduct continuous security assurance using the Cloudneeti product. Refer documentation for more details here.

      • Manual – a security policy that is managed manually by the customer.
      • Prerequisite – indicates that the policy needs actions by customers, e.g. configure permissions or deploy agents to collect meta-data.
      • Excluded – indicates the policy was excluded as part of a policy governance action.
    • Deprecated the “Security” dashboard and added navigation for dashboards (Compliance, Risk, & Assets Security) in the left navigation menu.

  2. Platform & Stability Improvements

    • Fixed following bugs

      • "Windows 2012R2 - Ensure 'Restore files and directories' is set to 'Administrators'" not able to open details page.
      • Getting 'No resources' even if 'Storage Contributor' role is assigned and storage accounts are also present.
  3. Policies & Benchmarks Additions/Updates

    Added the following 73 Azure Kubernetes Service (AKS) related policies

    Category | Policy Title
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the API server pod specification file permissions are set to 644 or more restrictive
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the API server pod specification file ownership is set to root:root
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the controller manager pod specification file ownership is set to root:root
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the scheduler pod specification file ownership is set to root:root
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the etcd pod specification file ownership is set to root:root
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the etcd data directory permissions are set to 700 or more restrictive
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the etcd data directory ownership is set to etcd:etcd
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the admin.conf file permissions are set to 644 or more restrictive
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the admin.conf file ownership is set to root:root
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the scheduler.conf file permissions are set to 644 or more restrictive
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the scheduler.conf file ownership is set to root:root
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive
    Kubernetes - Control Plane Components - Master Node Configuration Files | Ensure that the controller-manager.conf file ownership is set to root:root
    Kubernetes - Control Plane Components - API Server | Ensure that the --basic-auth-file argument is not set
    Kubernetes - Control Plane Components - API Server | Ensure that the --token-auth-file argument is not set
    Kubernetes - Control Plane Components - API Server | Ensure that the --kubelet-https argument is set to true
    Kubernetes - Control Plane Components - API Server | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --kubelet-certificate-authority argument is set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --authorization-mode argument is not set to AlwaysAllow
    Kubernetes - Control Plane Components - API Server | Ensure that the --authorization-mode argument includes Node
    Kubernetes - Control Plane Components - API Server | Ensure that the --authorization-mode argument includes RBAC
    Kubernetes - Control Plane Components - API Server | Ensure that the admission control plugin AlwaysAdmit is not set
    Kubernetes - Control Plane Components - API Server | Ensure that the admission control plugin ServiceAccount is set
    Kubernetes - Control Plane Components - API Server | Ensure that the admission control plugin NamespaceLifecycle is set
    Kubernetes - Control Plane Components - API Server | Ensure that the admission control plugin PodSecurityPolicy is set
    Kubernetes - Control Plane Components - API Server | Ensure that the admission control plugin NodeRestriction is set
    Kubernetes - Control Plane Components - API Server | Ensure that the --insecure-bind-address argument is not set
    Kubernetes - Control Plane Components - API Server | Ensure that the --insecure-port argument is set to 0
    Kubernetes - Control Plane Components - API Server | Ensure that the --secure-port argument is not set to 0
    Kubernetes - Control Plane Components - API Server | Ensure that the --profiling argument is set to false
    Kubernetes - Control Plane Components - API Server | Ensure that the --request-timeout argument is set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --service-account-lookup argument is set to true
    Kubernetes - Control Plane Components - API Server | Ensure that the --service-account-key-file argument is set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --client-ca-file argument is set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --etcd-cafile argument is set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --encryption-provider-config argument is set as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --audit-log-path argument is set
    Kubernetes - Control Plane Components - API Server | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
    Kubernetes - Control Plane Components - API Server | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate
    Kubernetes - Control Plane Components - Controller Manager | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
    Kubernetes - Control Plane Components - Controller Manager | Ensure that the --profiling argument is set to false
    Kubernetes - Control Plane Components - Controller Manager | Ensure that the --use-service-account-credentials argument is set to true
    Kubernetes - Control Plane Components - Controller Manager | Ensure that the --service-account-private-key-file argument is set as appropriate
    Kubernetes - Control Plane Components - Controller Manager | Ensure that the --root-ca-file argument is set as appropriate
    Kubernetes - Control Plane Components - Controller Manager | Ensure that the RotateKubeletServerCertificate argument is set to true
    Kubernetes - Control Plane Components - Controller Manager | Ensure that the --bind-address argument is set to 127.0.0.1
    Kubernetes - Control Plane Components - Scheduler | Ensure that the --profiling argument is set to false
    Kubernetes - Control Plane Components - Scheduler | Ensure that the --bind-address argument is set to 127.0.0.1
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet service file has permissions of 644 or more restrictive
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet service file ownership is set to root:root
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the proxy kubeconfig file ownership is set to root:root
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet.conf file permissions are set to 644 or more restrictive
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet.conf file ownership is set to root:root
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the client certificate authorities file ownership is set to root:root
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
    Kubernetes - Worker Nodes - Worker Node Configuration Files | Ensure that the kubelet configuration file ownership is set to root:root
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --anonymous-auth argument is set to false
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --authorization-mode argument is not set to AlwaysAllow
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --client-ca-file argument is set as appropriate
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --read-only-port argument is set to 0
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --protect-kernel-defaults argument is set to true
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --make-iptables-util-chains argument is set to true
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
    Kubernetes - Worker Nodes - Kubelet | Ensure that the --rotate-certificates argument is not set to false
    Kubernetes - Worker Nodes - Kubelet | Ensure that the RotateKubeletServerCertificate argument is set to true

    Added the following 14 AWS Red Hat Enterprise Linux (RHEL) VM Baseline policies

    Category | Policy Title
    RHEL 7 - Initial Setup | Ensure local login warning banner is configured properly
    RHEL 7 - Initial Setup | Ensure remote login warning banner is configured properly
    RHEL 7 - Initial Setup | Ensure permissions on /etc/motd are configured
    RHEL 7 - Initial Setup | Ensure permissions on /etc/issue.net are configured
    RHEL 7 - Network Configuration | Ensure IPv6 router advertisements are not accepted
    RHEL 7 - Network Configuration | Ensure IPv6 redirects are not accepted
    RHEL 7 - Network Configuration | Ensure IPv6 is disabled
    RHEL 7 - Network Configuration | Ensure permissions on /etc/hosts.deny are 644
    RHEL 7 - Network Configuration | Ensure DCCP is disabled
    RHEL 7 - Network Configuration | Ensure SCTP is disabled
    RHEL 7 - Network Configuration | Ensure RDS is disabled
    RHEL 7 - Network Configuration | Ensure TIPC is disabled
    RHEL 7 - Access, Authentication and Authorization | Ensure password expiration is 90 days or less
    RHEL 7 - Initial Setup | Ensure XD/NX support is enabled

    Added the following 6 manual policies for Azure

    Category | Policy Title
    Azure - Storage and Databases | Ensure that shared access signature tokens are allowed only over https
    Azure - Storage and Databases | Ensure that shared access signature tokens expire within an hour
    Azure - Storage and Databases | Ensure Storage logging is enabled for Queue service for read, write, and delete requests
    Azure - Storage and Databases | Ensure that storage account access keys are periodically regenerated
    Azure - Compute (IaaS) | Ensure that only approved extensions are installed
    Azure - Identity and Access | Ensure that multi-factor authentication is enabled for all privileged users

    Added the following 3 manual policies for AWS

    Category | Policy Title
    AWS - Identity and Access Management | Ensure security questions are registered in the AWS account
    AWS - Identity and Access Management | Maintain current contact details
    AWS - Identity and Access Management | Ensure security contact information is registered

    Added the following 16 manual policies for M365

    Category | Policy Title
    M365 - Account / Authentication | Ensure modern authentication for Skype for Business Online is enabled
    M365 - Identity | Ensure that password protection is enabled for Active Directory in hybrid environments
    M365 - Auditing | Ensure mailbox auditing for all users is Enabled
    M365 - Auditing | Ensure the self-service password reset activity report is reviewed at least weekly
    M365 - Auditing | Ensure mail forwarding rules are reviewed at least weekly
    M365 - Auditing | Ensure non-global administrator role group assignments are reviewed at least weekly
    M365 - Auditing | Ensure the report of users who have had their email privileges restricted due to spamming is reviewed
    M365 - Auditing | Ensure Guest Users are reviewed at least biweekly
    M365 - Device | Ensure mobile device management policies are set to require advanced security configurations to protect from basic internet attacks
    M365 - Device | Ensure that devices connecting have AV and a local firewall enabled
    M365 - Data | Ensure external domains are not allowed in Skype or Teams
    M365 - Data | Ensure external file sharing in Teams is enabled for only approved cloud storage services
    M365 - Auditing | Ensure the Application Usage report is reviewed at least weekly
    M365 - Identity | Enable Identity Protection to identify anomalous logon behavior
    M365 - Data | Ensure DLP policies are enabled for Microsoft Teams
    M365 - Identity | Use Just In Time privileged access to Office 365 roles
    M365 - Identity | Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

    Updated the following 42 M365 policies to manual, as the data from the Secure Score API (Microsoft Office API) is deprecated

    Category | Policy Title
    M365 - Apps | Enable Microsoft 365 Cloud App Security
    M365 - Apps | Discover risky and non-compliant Shadow IT applications used in your organization
    M365 - Apps | Review permissions & block risky OAuth applications connected to your corporate environment
    M365 - Apps | Ensure that AD Application keys are rotated before they expire
    M365 - Data | Enable audit data recording
    M365 - Data | Store user documents in OneDrive for Business
    M365 - Data | Review audit data for illicit activity detection and security breach
    M365 - Data | Ensure mail transport rules do not forward email to external domains
    M365 - Data | Ensure mailbox access by non-owners report is reviewed bi-weekly
    M365 - Data | Ensure malware detections report is reviewed weekly
    M365 - Data | Ensure expiration time for external sharing links is set
    M365 - Data | Enable versioning on all SharePoint online document libraries
    M365 - Data | Review list of external users you have invited to documents monthly
    M365 - Data | Do not allow mailbox delegation
    M365 - Data | Allow anonymous guest sharing links for sites and docs
    M365 - Data | Ensure Advanced Threat Protection safe attach policy is Enabled
    M365 - Data | Ensure Advanced Threat Protection safe links policy is Enabled
    M365 - Device | Require mobile devices to manage email profile
    M365 - Device | Ensure that users cannot connect from devices that are jailbroken or rooted
    M365 - Device | Enable mobile device management services
    M365 - Device | Require mobile devices to block access and report policy violations
    M365 - Device | Enable Microsoft Intune Mobile Device Management
    M365 - Device | Create a Microsoft Intune Compliance Policy for iOS
    M365 - Device | Create a Microsoft Intune Compliance Policy for Android
    M365 - Device | Create a Microsoft Intune Compliance Policy for Android for Work
    M365 - Device | Create a Microsoft Intune Compliance Policy for Windows
    M365 - Device | Create a Microsoft Intune Compliance Policy for macOS
    M365 - Device | Create a Microsoft Intune App Protection Policy for iOS
    M365 - Device | Create a Microsoft Intune App Protection Policy for Android
    M365 - Device | Create a Microsoft Intune Windows Information Protection Policy
    M365 - Device | Create a Microsoft Intune Configuration Profile for iOS
    M365 - Device | Create a Microsoft Intune Configuration Profile for Android
    M365 - Device | Create a Microsoft Intune Configuration Profile for Android for Work
    M365 - Device | Create a Microsoft Intune Configuration Profile for Windows
    M365 - Device | Create a Microsoft Intune Configuration Profile for macOS
    M365 - Device | Mark devices with no Microsoft Intune Compliance Policy assigned as Non Compliant
    M365 - Device | Enable Enhanced Jailbreak Detection in Microsoft Intune
    M365 - Device | Enable Windows Defender ATP integration into Microsoft Intune
    M365 - Identity | User alternate contact info is completed for all users
    M365 - Identity | Ensure multifactor authentication is enabled for all users in all roles
    M365 - Identity | Ensure that Service Principal Certificates are renewed before they expire
    M365 - Identity | Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

March 2020 - v2.27.1

  1. User Experience Improvements

    • Cloudneeti API access: Cloudneeti exposes an API for cloud account onboarding, audit reports, scans, etc. Refer to the documentation for more details here.

    • Added “Asset Security (Preview)” dashboard: view protected Azure and AWS assets per region. Refer to the documentation for more details here. Added vulnerabilities for Azure VMs.

    • Deprecated “Assets” dashboard

    • Private Benchmarks: user deletion and role changes are restricted for collaborated benchmarks.

    • Updates in benchmark sequence on “Compliance” dashboard.

  2. Platform & Stability Improvements

    • Fixed following bugs

      • Audit log not showing Initiated by when user tries to remediate AWS/Azure policy.

    • Updated implementation for following policies

      • Ensure that Logging is enabled for Azure Key Vault

      • Ensure that Service Principal Certificates are renewed before they expire

    • Audit and remediation procedure commands were not properly given in the following policies:

      • Ensure discretionary access control permission modification events are collected

      • Ensure unsuccessful unauthorized file access attempts are collected

      • Ensure successful file system mounts are collected

      • Ensure file deletion events by users are collected

      • Ensure changes to system administration scope (sudoers) is collected

      • Ensure kernel module loading and unloading is collected

      • Ensure events that modify date and time information are collected

      • Ensure events that modify user/group information are collected

      • Ensure events that modify the system's network environment are collected

      • Ensure login and logout events are collected

      • Ensure session initiation information is collected

      • Ensure Storage Container storing activity logs is not Publicly accessible

      • Ensure that monitoring of unencrypted SQL databases is enabled in ASC

  3. Policies & Benchmarks Additions/Updates

    Added the following 3 Azure account related policies

    Category | Policy Title
    Azure - Security Center | Ensure that Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version in ASC
    Azure - Security Center | Ensure that Vulnerabilities in container security configurations should be remediated in ASC
    Azure - Compute (IaaS) | Ensure that Virtual Machines use managed disks

    Added the following 38 AWS RHEL VM Baseline policies

    Category | Policy Title
    RHEL 7 - Initial Setup | Ensure address space layout randomization (ASLR) is enabled
    RHEL 7 - Initial Setup | Ensure prelink is disabled
    RHEL 7 - Initial Setup | Ensure permissions on /etc/issue are configured
    RHEL 7 - Network Configuration | Ensure TCP SYN Cookies is enabled
    RHEL 7 - Network Configuration | Ensure TCP Wrappers is installed
    RHEL 7 - Network Configuration | Ensure iptables is installed
    RHEL 7 - Network Configuration | Ensure firewall rules exist for all open ports
    RHEL 7 - Access, Authentication and Authorization | Ensure default user shell timeout is 900 seconds or less
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH X11 forwarding is disabled
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH MaxAuthTries is set to 4 or less
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH IgnoreRhosts is enabled
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH HostbasedAuthentication is disabled
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH root login is disabled
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH PermitEmptyPasswords is disabled
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH PermitUserEnvironment is disabled
    RHEL 7 - Access, Authentication and Authorization | Ensure only approved MAC algorithms are used
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH Idle Timeout Interval is configured
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH LoginGraceTime is set to one minute or less
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH access is limited
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH warning banner is configured
    RHEL 7 - Access, Authentication and Authorization | Ensure password reuse is limited
    RHEL 7 - Access, Authentication and Authorization | Ensure password hashing algorithm is SHA-512
    RHEL 7 - Access, Authentication and Authorization | Ensure default group for the root account is GID 0
    RHEL 7 - Access, Authentication and Authorization | Ensure minimum days between password changes is 7 or more
    RHEL 7 - Access, Authentication and Authorization | Ensure password expiration warning days is 7 or more
    RHEL 7 - Access, Authentication and Authorization | Ensure all users last password change date is in the past
    RHEL 7 - System Maintenance | Ensure permissions on /etc/shadow- are configured
    RHEL 7 - System Maintenance | Ensure permissions on /etc/group- are configured
    RHEL 7 - System Maintenance | Ensure permissions on /etc/gshadow- are configured
    RHEL 7 - System Maintenance | Ensure no world writable files exist
    RHEL 7 - System Maintenance | Ensure no unowned files or directories exist
    RHEL 7 - System Maintenance | Ensure no ungrouped files or directories exist
    RHEL 7 - System Maintenance | Ensure no legacy "+" entries exist in /etc/passwd
    RHEL 7 - System Maintenance | Ensure no legacy "+" entries exist in /etc/shadow
    RHEL 7 - System Maintenance | Ensure no legacy "+" entries exist in /etc/group
    RHEL 7 - System Maintenance | Ensure root is the only UID 0 account
    RHEL 7 - System Maintenance | Ensure no users have .forward files
    RHEL 7 - System Maintenance | Ensure no users have .netrc files

February 2020 - v2.26.1

  1. User Experience Improvements

    • Asset Security Dashboard Preview: View protected Azure and AWS assets per region. Refer to the documentation for more details here.

    • Risk Dashboard: Updates to user interface.

    • Release Notification: Users will be notified on a new Cloudneeti SaaS release.

    • AWS Remediation: Support for deploying Cloudneeti Remediation Framework in selected region.

    • Auto Remediation: Added audit logs for successful configuration of Azure and AWS auto remediation.

  2. Platform & Stability Improvements

    • Fixed following bugs

      • Subsequent AWS resources should get remediated when remediation of one of the resources fails on AWS

      • Authentication token enhancements

  3. Policies & Benchmarks Additions/Updates

    Added the following 66 AWS RHEL VM Baseline policies

    Category | Policy Title
    RHEL 7 - Access, Authentication and Authorization | Ensure at/cron is restricted to authorized users
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH Protocol is set to 2
    RHEL 7 - Access, Authentication and Authorization | Ensure SSH LogLevel is set to INFO
    RHEL 7 - Access, Authentication and Authorization | Ensure default user shell timeout is 900 seconds or less
    RHEL 7 - Initial Setup | Ensure updates, patches, and additional security software are installed
    RHEL 7 - Initial Setup | Ensure nodev option set on /tmp partition
    RHEL 7 - Initial Setup | Ensure nosuid option set on /tmp partition
    RHEL 7 - Initial Setup | Ensure noexec option set on /tmp partition
    RHEL 7 - Initial Setup | Ensure nodev option set on /dev/shm partition
    RHEL 7 - Initial Setup | Ensure nosuid option set on /dev/shm partition
    RHEL 7 - Initial Setup | Ensure noexec option set on /dev/shm partition
    RHEL 7 - Initial Setup | Ensure mounting of cramfs filesystems is disabled
    RHEL 7 - Initial Setup | Ensure mounting of freevxfs filesystems is disabled
    RHEL 7 - Initial Setup | Ensure mounting of jffs2 filesystems is disabled
    RHEL 7 - Initial Setup | Ensure mounting of hfs filesystems is disabled
    RHEL 7 - Initial Setup | Ensure mounting of hfsplus filesystems is disabled
    RHEL 7 - Initial Setup | Ensure mounting of squashfs filesystems is disabled
    RHEL 7 - Initial Setup | Ensure mounting of udf filesystems is disabled
    RHEL 7 - Initial Setup | Ensure gpgcheck is globally activated
    RHEL 7 - Initial Setup | Ensure AIDE is installed
    RHEL 7 - Initial Setup | Ensure filesystem integrity is regularly checked
    RHEL 7 - Initial Setup | Ensure permissions on bootloader config are configured
    RHEL 7 - Initial Setup | Ensure SELinux is installed
    RHEL 7 - Initial Setup | Ensure SELinux is not disabled in bootloader configuration
    RHEL 7 - Initial Setup | Ensure the SELinux state is enforcing
    RHEL 7 - Initial Setup | Ensure SELinux policy is configured
    RHEL 7 - Initial Setup | Ensure SETroubleshoot is not installed
    RHEL 7 - Initial Setup | Ensure the MCS Translation Service (mcstrans) is not installed
    RHEL 7 - Logging and Auditing | Ensure rsyslog or syslog-ng is installed
    RHEL 7 - Logging and Auditing | Ensure permissions on all logfiles are configured
    RHEL 7 - Logging and Auditing | Ensure rsyslog default file permissions configured
    RHEL 7 - Logging and Auditing | Ensure rsyslog is configured to send logs to a remote log host
    RHEL 7 - Logging and Auditing | Ensure syslog-ng default file permissions configured
    RHEL 7 - Logging and Auditing | Ensure auditing for processes that start prior to auditd is enabled
    RHEL 7 - Logging and Auditing | Ensure events that modify date and time information are collected
    RHEL 7 - Logging and Auditing | Ensure events that modify user/group information are collected
    RHEL 7 - Logging and Auditing | Ensure events that modify the system's network environment are collected
    RHEL 7 - Logging and Auditing | Ensure events that modify the system's Mandatory Access Controls are collected
    RHEL 7 - Logging and Auditing | Ensure login and logout events are collected
    RHEL 7 - Logging and Auditing | Ensure session initiation information is collected
    RHEL 7 - Logging and Auditing | Ensure discretionary access control permission modification events are collected
    RHEL 7 - Logging and Auditing | Ensure unsuccessful unauthorized file access attempts are collected
    RHEL 7 - Logging and Auditing | Ensure successful file system mounts are collected
    RHEL 7 - Logging and Auditing | Ensure file deletion events by users are collected
    RHEL 7 - Logging and Auditing | Ensure system administrator actions (sudolog) are collected
    RHEL 7 - Logging and Auditing | Ensure the audit configuration is immutable
    RHEL 7 - Logging and Auditing | Ensure audit log storage size is configured
    RHEL 7 - Logging and Auditing | Ensure system is disabled when audit logs are full
    RHEL 7 - Logging and Auditing | Ensure audit logs are not automatically deleted
    RHEL 7 - Network Configuration | Ensure IP forwarding is disabled
    RHEL 7 - Network Configuration | Ensure packet redirect sending is disabled
    RHEL 7 - Network Configuration | Ensure source routed packets are not accepted
    RHEL 7 - Network Configuration | Ensure ICMP redirects are not accepted
    RHEL 7 - Network Configuration | Ensure secure ICMP redirects are not accepted
    RHEL 7 - Network Configuration | Ensure suspicious packets are logged
    RHEL 7 - Network Configuration | Ensure broadcast ICMP requests are ignored
    RHEL 7 - Network Configuration | Ensure bogus ICMP responses are ignored
    RHEL 7 - Network Configuration | Ensure Reverse Path Filtering is enabled
    RHEL 7 - Services | Ensure X Window System is not installed
    RHEL 7 - Services | Ensure time synchronization is in use
    RHEL 7 - Services | Ensure ntp is configured
    RHEL 7 - Services | Ensure chrony is configured
    RHEL 7 - Services | Ensure NIS Client is not installed
    RHEL 7 - Services | Ensure rsh client is not installed
    RHEL 7 - Services | Ensure talk client is not installed
    RHEL 7 - Services | Ensure telnet client is not installed
    RHEL 7 - Services | Ensure LDAP client is not installed

    Added the following 3 Azure Data Lake policies

    Category | Policy Title
    Azure - Storage and Databases | Ensure that firewall is enabled for Azure Data Lake Storage Gen1
    Azure - Storage and Databases | Ensure that encryption of sensitive data is enabled for Azure Data Lake Storage Gen1
    Azure - Storage and Databases | Ensure that diagnostics log is enabled for Azure Data Lake Storage Gen1

    • Added the following 18 M365 IAM policies. To get data for these policies, provide version 1.4 when executing the script for upgrade or creation of the Office 365 advanced security configuration.

      M365 IAM policies added

      Category | Policy Title
      Identity | Ensure that 'Number of methods required to reset' is set to '2'
      Identity | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
      Identity | Ensure that 'Notify users on password resets?' is set to 'Yes'
      Identity | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
      Identity | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
      Identity | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
      Identity | Ensure that 'Users can register applications' is set to 'No'
      Identity | Ensure that 'Guest user permissions are limited' is set to 'Yes'
      Identity | Ensure that 'Members can invite' is set to 'No'
      Identity | Ensure that 'Guests can invite' is set to 'No'
      Identity | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
      Identity | Ensure that 'Self-service group management enabled' is set to 'No'
      Identity | Ensure that 'Users can create security groups' is set to 'No'
      Identity | Ensure that 'Users who can manage security groups' is set to 'None'
      Identity | Ensure that 'Users can create Office 365 groups' is set to 'No'
      Identity | Ensure that 'Users who can manage Office 365 groups' is set to 'None'
      Identity | Ensure that 'Enable All Users group' is set to 'Yes'
      Identity | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'

    • Updated the following 115 Azure Security Center policies to support Azure Management Group level scope and to show No Data as the default behaviour.

      References

      Configure ASC policies at Management Group level

      ASC Policy list updated

      Category | Policy Title
      Azure - Security Center | Ensure that AAD authentication in Service Fabric is set to enabled in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days for Batch accounts is set in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in Azure Search service is set in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in Data Lake Analytics is set in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in Data Lake Store accounts is set in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in Event Hub accounts is set in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in IoT Hub accounts is set in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in Key Vault vaults is set in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in Logic Apps workflows is set in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in Service Bus is set in ASC
      Azure - Security Center | Ensure that monitoring of Kubernetes Services without RBAC is enabled in ASC
      Azure - Security Center | Ensure that monitoring of sensitive data is classified on SQL database is enabled in ASC
      Azure - Security Center | Ensure that monitoring of SQL managed instances alerts being sent to admins and subscription owners is enabled in ASC
      Azure - Security Center | Ensure that monitoring of classic storage accounts migration to ARM is enabled in ASC
      Azure - Security Center | Ensure that reporting of system updates in virtual machine scale sets is enabled in ASC
      Azure - Security Center | Ensure that monitoring of unencrypted SQL databases is enabled in ASC
      Azure - Security Center | Ensure that monitoring of classic virtual machines is enabled in ASC
      Azure - Security Center | Ensure that OS vulnerabilities monitoring for virtual machine scale sets is enabled in ASC
      Azure - Security Center | Ensure that the detection of VM vulnerabilities by a Vulnerability Assessment solution is enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Redis Cache is set to enabled in ASC
      Azure - Security Center | Ensure that Vulnerability Assessment on your SQL servers is enabled in ASC
      Azure - Security Center | Ensure that monitoring of the use of HTTPS in Web App is enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Search Service is set to enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Service Bus is set to enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Virtual Machine Scale Sets is set to enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Stream Analytics is set to enabled in ASC
      Azure - Security Center | Ensure that disable unrestricted network to storage account is set to enabled in ASC
      Azure - Security Center | Ensure that monitor disk encryption is set to enabled in ASC
      Azure - Security Center | Ensure that monitor for Endpoint Protection is set to enabled in ASC
      Azure - Security Center | Ensure that AAD authentication in SQL server is set to enabled in ASC
      Azure - Security Center | Ensure that MFA is enabled for all subscription accounts with owner permissions in ASC
      Azure - Security Center | Ensure that MFA is enabled for all subscription accounts with read permissions in ASC
      Azure - Security Center | Ensure that MFA is enabled for all subscription accounts with write permissions in ASC
      Azure - Security Center | Ensure that deprecated accounts is removed on subscription are set to enabled in ASC
      Azure - Security Center | Ensure that deprecated accounts with owner permissions are removed from subscription is set to enabled in ASC
      Azure - Security Center | Ensure that external accounts with owner permissions are removed from subscription is set to enabled in ASC
      Azure - Security Center | Ensure that external accounts with read permissions are removed from subscription is set to enabled in ASC
      Azure - Security Center | Ensure that external accounts with write permissions are removed from subscription is set to enabled in ASC
      Azure - Security Center | Ensure that monitor of Adaptive Application whitelisting is set to enabled in ASC
      Azure - Security Center | Ensure that metric alerts in Batch account is set to enabled in ASC
      Azure - Security Center | Ensure that namespace authorization rules in service bus is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of network security groups is set to enabled in ASC
      Azure - Security Center | Ensure that next generation firewall is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of OS vulnerabilities is set to enabled in ASC
      Azure - Security Center | Ensure that secure transfer to storage account is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of SQL auditing is set to enabled in ASC
      Azure - Security Center | Ensure that SqlDb Vulnerability Assessment is set to enabled in ASC
      Azure - Security Center | Ensure that monitor SQL encryption is set to enabled in ASC
      Azure - Security Center | Ensure that monitor storage blob encryption is set to enabled in ASC
      Azure - Security Center | Ensure that monitor system updates is set to enabled in ASC
      Azure - Security Center | Ensure that vulnerability assessment is set to enabled in ASC
      Azure - Security Center | Ensure that web application firewall is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of permissive network access to app-services is enabled in ASC
      Azure - Security Center | Ensure that Cluster Protection level in Service Fabric is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of SQL managed server without Advanced Data Security is enabled in ASC
      Azure - Security Center | Ensure that all Advanced Threat Protection types on SQL server is enabled in ASC
      Azure - Security Center | Ensure that monitoring of access rules in Event Hub namespaces is enabled in ASC
      Azure - Security Center | Ensure that monitoring of the use of HTTPS in API app is enabled in ASC
      Azure - Security Center | Ensure that the Audit monitoring of SQL Servers is enabled in ASC
      Azure - Security Center | Ensure that monitoring of using built-in RBAC rules is enabled in ASC
      Azure - Security Center | Ensure that monitoring of access rules in Event Hubs is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Kubernetes Services without authorized IP ranges is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Automation Account Encryption is enabled in ASC
      Azure - Security Center | Ensure that monitoring of CORS restrictions for API Function is enabled in ASC
      Azure - Security Center | Ensure that monitoring of CORS restrictions for API Web is enabled in ASC
      Azure - Security Center | Ensure that monitoring of DDoS protection for virtual network is enabled in ASC
      Azure - Security Center | Ensure that monitoring of diagnostics logs in selective app services is enabled in ASC
      Azure - Security Center | Ensure that monitoring of diagnostic logs in IoT Hubs is enabled in ASC
      Azure - Security Center | Ensure that endpoint protection monitoring for virtual machine scale sets is enabled in ASC
      Azure - Security Center | Ensure that 'Send alerts to' is set in SQL server Advanced Data Security settings is enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Data Lake Analytics is set to enabled in ASC
      Azure - Security Center | Ensure that IP Forwarding monitoring on virtual machines is disabled in ASC
      Azure - Security Center | Ensure that monitoring of network just In time access is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Open Management Ports on virtual machines is enabled in ASC
      Azure - Security Center | Ensure that monitoring of IP restrictions for API App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of IP restrictions for Function App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of IP restrictions for Web App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of diagnostics logs in App Services is enabled in ASC
      Azure - Security Center | Ensure that monitoring of web sockets for API App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of web sockets for Function App is enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Data Lake Store is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of Endpoint Protection is enabled in ASC
      Azure - Security Center | Ensure that monitoring of custom domain use in API App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of custom domain use in Function App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of custom domain use in Web App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of .Net version in API App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of .Net version in Web App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Java version in API App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Java version in web app is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Node.js version in Web App is enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Event Hub is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of PHP version in Web App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Python version in API App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Python version in Web App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Internet-facing VM for NSG traffic hardening is enabled in ASC
      Azure - Security Center | Ensure that monitoring of NSG for virtual machines is enabled in ASC
      Azure - Security Center | Ensure that monitoring of NSG for Subnet is enabled in ASC
      Azure - Security Center | Ensure that monitoring of Kubernetes Services without pod security policy is enabled in ASC
      Azure - Security Center | Ensure that monitoring of remote debugging for API App is enabled in ASC
      Azure - Security Center | Ensure that monitoring of remote debugging for Function App is enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Key Vault is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of remote debugging for Web App is enabled in ASC
      Azure - Security Center | Ensure that required diagnostic logs retention period in days in Stream Analytics is set in ASC
      Azure - Security Center | Ensure that Vulnerability Assessment on your SQL managed instances is enabled in ASC
      Azure - Security Center | Ensure that diagnostics logs in Logic Apps is set to enabled in ASC
      Azure - Security Center | Ensure that JIT network access policy is set to enabled in ASC
      Azure - Security Center | Ensure that monitoring of SQL managed instances without Advanced Data Security is enabled in ASC
      Azure - Security Center Ensure that all Advanced Threat Protection types on SQL managed instance is enabled in ASC
      Azure - Security Center Ensure that monitoring of auditing policy Action-Groups and Actions setting is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Batch Account is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of CORS restrictions for API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of the use of HTTPS in function app is enabled in ASC
      Azure - Security Center Ensure that monitoring of web sockets for Web App is enabled in ASC
      Azure - Security Center Ensure that monitoring of PHP version in the API App is enabled in ASC

February 2020 - v2.25.1

  1. User Experience Improvements

    • Private Benchmarks: Added audit log, reports, and email notifications for an association to an active License.
  2. Platform & Stability Improvements

    • Fixed the following bugs
      • Extra categories are visible in the Baseline benchmark list
      • Incorrect x/y count found for policy -> Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL database
      • 'Ensure Log Exports feature is enabled for Oracle instances' policy audit/remediation procedure is incorrect
      • 'Ensure Log Exports feature is enabled for RDS MySQL Instance': Audit log is invalid for the latest versions of MySQL instances
  3. Policies & Benchmarks Additions/Updates

    • Added the following 5 new security policies for Office 365 cloud accounts. To collect data for these policies, pass version 1.3 when executing the script that creates or upgrades the Office 365 advanced security configuration.

      Office 365 added 5 policies

      Category | Policy Title
      M365 - Account / Authentication | Ensure modern authentication for Exchange Online is enabled
      M365 - Data Management | Use custom sensitive information type classification for information protection
      M365 - Email Security / Exchange Online | Ensure MailTips are enabled for end users
      M365 - Email Security / Exchange Online | Ensure basic authentication for Exchange Online is disabled
      M365 - Storage | Block OneDrive for Business sync from unmanaged devices

January 2020 - v2.24.1

  1. User Experience Improvements

    • Added email notifications to collaborators of private benchmark
  2. Platform & Stability Improvements

    • Fixed the following bugs
      • Private benchmark: Associated/Dissociated benchmarks are not visible under the Private Benchmark tab unless the user refreshes the UI
      • Private benchmark: Private benchmark details do not open with a single click when navigating to the benchmark list page
      • Private benchmark: Incorrect total count of policies in a category on Configure Benchmark
      • Private benchmark: Arrow button is inconsistent for Private Benchmark 'configurations'
      • Manage Users: Email notification not received on adding Account user
      • Duplicate policies found for SQL Server for NIST-CSF benchmark
  3. Policies & Benchmarks Additions/Updates

    Added the following 20 new security policies for Azure cloud accounts

    Category | Policy Title
    Azure - Logging and Auditing | Ensure that 'Send scan reports to' is set for SQL Server
    Azure - Logging and Auditing | Ensure that 'Send scan reports to' is set for SQL database
    Identity & Access Management | Ensure that 'Number of methods required to reset' is set to '2'
    Identity & Access Management | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
    Identity & Access Management | Ensure that 'Notify users on password resets?' is set to 'Yes'
    Identity & Access Management | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
    Identity & Access Management | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
    Identity & Access Management | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
    Identity & Access Management | Ensure that 'Users can register applications' is set to 'No'
    Identity & Access Management | Ensure that 'Guest user permissions are limited' is set to 'Yes'
    Identity & Access Management | Ensure that 'Members can invite' is set to 'No'
    Identity & Access Management | Ensure that 'Guests can invite' is set to 'No'
    Identity & Access Management | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
    Identity & Access Management | Ensure that 'Self-service group management enabled' is set to 'No'
    Identity & Access Management | Ensure that 'Users can create security groups' is set to 'No'
    Identity & Access Management | Ensure that 'Users who can manage security groups' is set to 'None'
    Identity & Access Management | Ensure that 'Users can create Office 365 groups' is set to 'No'
    Identity & Access Management | Ensure that 'Users who can manage Office 365 groups' is set to 'None'
    Identity & Access Management | Ensure that 'Enable "All Users" group' is set to 'Yes'
    Identity & Access Management | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'

    Added the following 28 new security policies for AWS cloud accounts

    Category | Policy Title
    AWS - Audit and Logging | Ensure to enable unsafe statement transaction logging for RDS MySQL Instance
    AWS - Data Protection | Ensure that latest block encryption algorithms is used for RDS MySQL Instance
    AWS - Data Protection | Ensure that server loads the validate password plugin at startup for RDS MySQL Instance
    AWS - Data Protection | Ensure to enable FIPS standards on the server side for RDS MySQL Instance
    AWS - Audit and Logging | Ensure Log Exports feature is enabled for RDS MySQL Instance
    AWS - Audit and Logging | Ensure Log Exports feature is enabled for RDS Mariadb Instance
    AWS - Audit and Logging | Ensure Log Exports feature is enabled for Aurora cluster
    AWS - Audit and Logging | Ensure Log Exports feature is enabled for Oracle instances
    AWS - Business Continuity | Ensure Auto Minor Version Upgrade feature is Enabled for RDS MySQL Instances
    AWS - Business Continuity | Ensure backup retention policy is set for RDS MySQL Instances
    AWS - Governance | Ensure that Copy Tags to Snapshots feature is enabled for RDS MySQL Instances
    AWS - Data Protection | Ensure Deletion Protection feature is enabled for RDS MySQL Instances
    AWS - Identity and Access Management | Ensure IAM Database Authentication feature is enabled for RDS MySQL Instances
    AWS - Audit and Logging | Ensure that Event Subscription is enabled for RDS MySQL Instance
    AWS - Data Protection | Ensure Performance Insights feature is enabled for RDS MySQL Instances
    AWS - Networking | Ensure that public access is not given to RDS MySQL Instance
    AWS - Storage and Databases | Ensure that port number should not be set as default port number for RDS MySQL Instances
    AWS - Networking | Ensure that public subnets are not assigned to RDS MySQL Instances
    AWS - Governance | Ensure that unique master user name is used for each RDS MySQL Instance
    AWS - Identity and Access Management | Ensure data-tier security group are configured for RDS MySQL Instances
    AWS - Business Continuity | Ensure that sufficient backup retention period is applied to RDS MySQL Instances
    AWS - Data Protection | Ensure that encryption is enabled for RDS MySQL Instances
    AWS - Business Continuity | Ensure Multi-AZ feature is Enabled for RDS MySQL Instance
    AWS - Data Protection | Ensure that encryption for storage done with KMS CMKs for each RDS MySQL Instance
    AWS - Audit and Logging | Ensure that CloudTrail trail have logging enabled
    AWS - Monitoring | Ensure a log metric filter and alarm exist for S3 bucket object read operations
    AWS - Monitoring | Ensure a log metric filter and alarm exist for S3 bucket object write operations
    AWS - Monitoring | Ensure that S3 buckets are not publicly accessible

January 2020 - v2.23.1

  1. Features & User Experience Improvements

    • Private Benchmark: Cloudneeti lets organizations create their own information security benchmark, either by deriving it from an existing baseline of Cloudneeti-supported benchmarks or by building it entirely from scratch. Refer to the documentation for more details here.
    • Audit Report API: Cloudneeti offers an Audit Report API that gives automated access to security and compliance posture. This API is part of a larger set of features for deeper integration with DevOps and risk-auditor tooling. Refer to the details here.
    • Added consistent tooltip across Compliance, Security, Risk, Asset dashboards, and benchmark summary pages.
  2. Platform & Stability Improvements

    • Fixed the following bugs
      • Delete Account User email notification missing
      • Fixed the implementation of Application Gateway policies for TLS version 1.0,1.1 and 1.2
  3. Policies & Benchmarks Additions/Updates

    Added the following 23 Azure security policies for Auto remediation.

    Policy Title
    Ensure that 'Secure transfer required' is 'Enabled' for Storage Account
    Ensure that 'Geo-redundant' is enabled for Azure Storage
    Ensure that remote debugging is turned off for App Service
    Ensure that remote debugging is turned off for Function App
    Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
    Ensure that Auditing and Monitoring is enabled for App Service
    Ensure HTTP/2 is enabled for an App Service Function Apps
    Ensure HTTP/2 is enabled for an App Service API Apps
    Ensure HTTP/2 is enabled for an App Service Mobile Apps
    Ensure Web Sockets are disabled for App Services
    Ensure Web Sockets are disabled for Mobile Apps
    Ensure Web Sockets are disabled for API Apps
    Ensure Web Sockets are disabled for Function Apps
    Ensure web app is using the latest version of TLS encryption
    Ensure that TLS is configured for Function Apps
    Ensure that TLS is configured for Mobile Apps
    Ensure that TLS is configured for API Apps
    Ensure that Auditing and Monitoring is enabled for Mobile App
    Ensure that Auditing and Monitoring is enabled for API App
    Ensure that Mobile App is only accessible over HTTPS
    Ensure that remote debugging is turned off for Mobile App
    Ensure that remote debugging is turned off for API App
    Ensure that Auditing and Monitoring is enabled for Function App

    Removed the following Azure security policy for Auto remediation due to a change in Microsoft Azure

    Policy Title
    Ensure that Network Watcher is 'Enabled'

    Added the following 4 new security policies for Azure cloud accounts

    Category | Policy Title
    Azure - Logging and Auditing | Ensure that periodic recurring scans is enabled for SQL server
    Azure - Logging and Auditing | Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL Server
    Azure - Logging and Auditing | Ensure that periodic recurring scans is enabled for SQL database
    Azure - Logging and Auditing | Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL database

    Updated policy titles and implementations for the following 5 policies to reflect recent updates in Microsoft Azure.

    Old policy title | Updated policy title
    Ensure that 'Send alerts to' is set for SQL Server | Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL Server
    Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Server | Ensure that 'Also send email notification to admin and subscription owners' in Advanced Threat Protection Settings is enabled for SQL Server
    Ensure that 'Threat Detection' is set to 'On' for SQL Databases | Ensure that 'Advanced Data Security' on a SQL database is set to 'On'
    Ensure that 'Send alerts to' is set for SQL Databases | Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL database
    Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Server | Ensure that 'Also send email notification to admin and subscription owners' in Advanced Threat Protection Settings is enabled for SQL database