Commit 98e2fa1

Apply suggestions from code review
1 parent 8aba305 commit 98e2fa1

2 files changed

+2
-2
lines changed

includes/asc-recs-compute.md

Lines changed: 1 addition & 1 deletion
@@ -40,7 +40,7 @@ There are **59** recommendations in this category.
4040
|[Install endpoint protection solution on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/83f577bd-a1b6-b7e1-0891-12ca19d1e6df) |Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.<br />(Related policy: [Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2faf6cd1bd-1635-48cb-bde7-5b15693900b9)) |High |
4141
|[Install endpoint protection solution on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee) |Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.<br />(No related policy) |Medium |
4242
|[Linux virtual machines should enforce kernel module signature validation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e2f798b8-621a-4d46-99d7-1310e09eba26) |To help mitigate against the execution of malicious or unauthorized code in kernel mode, enforce kernel module signature validation on supported Linux virtual machines. Kernel module signature validation ensures that only trusted kernel modules will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.<br />(No related policy) |Low |
43-
|[Linux virtual machines should use only signed and trusted boot components](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/ad50b498-f90c-451f-886f-d0a169cc5002) |With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Security Center has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.<br />(No related policy) |Low |
43+
|[Linux virtual machines should use only signed and trusted boot components](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/ad50b498-f90c-451f-886f-d0a169cc5002) |With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Security Center has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allowlist or remove the identified components.<br />(No related policy) |Low |
4444
|[Linux virtual machines should use Secure Boot](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/0396b18c-41aa-489c-affd-4ee5d1714a59) |To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.<br />(No related policy) |Low |
4545
|[Log Analytics agent should be installed on your Linux-based Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1) |Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. To deploy the agent on all your Azure Arc machines, follow the remediation steps.<br />(Related policy: [Log Analytics agent should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fmicrosoft.authorization%2fpolicyDefinitions%2f842c54e8-c2f9-4d79-ae8d-38d8b8019373)) |High |
4646
|[Log Analytics agent should be installed on your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d1db3318-01ff-16de-29eb-28b344515626) |Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the <a target="_blank" href="/azure/azure-monitor/platform/log-analytics-agent">Log Analytics agent</a>, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. We recommend configuring <a target="_blank" href="/azure/security-center/security-center-enable-data-collection">auto-provisioning to automatically deploy the agent. If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.<br />(Related policy: [Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fa4fe33eb-e377-4efb-ab31-0784311bc499)) |High |

includes/asc/security-control-recommendations.md

Lines changed: 1 addition & 1 deletion
@@ -83,7 +83,7 @@ ms.custom: generated
8383
</tr>
8484
<tr>
8585
<td class="tg-lboi"><strong>0</strong></td>
86-
<td class="tg-lboi"><strong>Implement security best practices</strong> - This control has no impact on your secure score. For that reason, it’s a collection of recommendations which are important to fulfil for the sake of your organization’s security, but which we feel shouldn’t be a part of how you assess your overall score.</td>
86+
<td class="tg-lboi"><strong>Implement security best practices</strong> - This control has no impact on your secure score. For that reason, it’s a collection of recommendations which are important to fulfill for the sake of your organization’s security, but which we feel shouldn’t be a part of how you assess your overall score.</td>
8787
<td class="tg-lboi" width=55%>- [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest<br />- [Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)<br />- [Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)<br />- [Enable if required] Container registries should be encrypted with a customer-managed key (CMK)<br />- [Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest<br />- [Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest<br />- [Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest<br />- [Enable if required] SQL servers should use customer-managed keys to encrypt data at rest<br />- [Enable if required] Storage accounts should use customer-managed key (CMK) for encryption<br />- A maximum of 3 owners should be designated for your subscription<br />- Access to storage accounts with firewall and virtual network configurations should be restricted<br />- All advanced threat protection types should be enabled in SQL managed instance advanced data security settings<br />- All advanced threat protection types should be enabled in SQL server advanced data security settings<br />- An Azure Active Directory administrator should be provisioned for SQL servers<br />- API Management services should use a virtual network<br />- Audit retention for SQL servers should be set to at least 90 days<br />- Auto provisioning of the Log Analytics agent should be enabled on your subscription<br />- Automation account variables should be encrypted<br />- Azure Backup should be enabled for virtual machines<br />- Azure Cosmos DB accounts should have firewall rules<br />- Azure Defender for SQL should be enabled for unprotected Azure SQL servers<br />- Azure Defender for SQL should be enabled for 
unprotected SQL Managed Instances<br />- Cognitive Services accounts should enable data encryption<br />- Cognitive Services accounts should restrict network access<br />- Cognitive Services accounts should use customer owned storage or enable data encryption<br />- Default IP Filter Policy should be Deny<br />- Diagnostic logs in IoT Hub should be enabled<br />- Email notification for high severity alerts should be enabled<br />- Email notification to subscription owner for high severity alerts should be enabled<br />- Ensure API app has Client Certificates Incoming client certificates set to On<br />- External accounts with read permissions should be removed from your subscription<br />- External accounts with read permissions should be removed from your subscription<br />- Geo-redundant backup should be enabled for Azure Database for MariaDB<br />- Geo-redundant backup should be enabled for Azure Database for MySQL<br />- Geo-redundant backup should be enabled for Azure Database for PostgreSQL<br />- Guest Attestation extension should be installed on supported Linux virtual machine scale sets<br />- Guest Attestation extension should be installed on supported Linux virtual machines<br />- Guest Attestation extension should be installed on supported Windows virtual machine scale sets<br />- Guest Attestation extension should be installed on supported Windows virtual machines<br />- Guest Configuration extension should be installed on your machines<br />- Identical Authentication Credentials<br />- IoT Devices - Agent sending underutilized messages<br />- IoT Devices - Auditd process stopped sending events<br />- IoT Devices - Open Ports On Device<br />- IoT Devices - Operating system baseline validation failure<br />- IoT Devices - Permissive firewall policy in one of the chains was found<br />- IoT Devices - Permissive firewall rule in the input chain was found<br />- IoT Devices - Permissive firewall rule in the output chain was found<br />- IoT Devices - TLS 
cipher suite upgrade needed<br />- IP Filter rule large IP range<br />- Java should be updated to the latest version for your API app<br />- Java should be updated to the latest version for your function app<br />- Java should be updated to the latest version for your web app<br />- Key Vault keys should have an expiration date<br />- Key Vault secrets should have an expiration date<br />- Key vaults should have purge protection enabled<br />- Key vaults should have soft delete enabled<br />- Kubernetes clusters should be accessible only over HTTPS<br />- Kubernetes clusters should disable automounting API credentials<br />- Kubernetes clusters should not grant CAPSYSADMIN security capabilities<br />- Kubernetes clusters should not use the default namespace<br />- Linux virtual machines should enforce kernel module signature validation<br />- Linux virtual machines should use only signed and trusted boot components<br />- Linux virtual machines should use Secure Boot<br />- Machines should be restarted to apply security configuration updates<br />- MFA should be enabled on accounts with read permissions on your subscription<br />- MFA should be enabled on accounts with read permissions on your subscription<br />- Network traffic data collection agent should be installed on Linux virtual machines<br />- Network traffic data collection agent should be installed on Windows virtual machines<br />- Network Watcher should be enabled<br />- Non-internet-facing virtual machines should be protected with network security groups<br />- PHP should be updated to the latest version for your API app<br />- PHP should be updated to the latest version for your web app<br />- Private endpoint connections on Azure SQL Database should be enabled<br />- Public network access on Azure SQL Database should be disabled<br />- Public network access should be disabled for Cognitive Services accounts<br />- Python should be updated to the latest version for your API app<br />- Python should 
be updated to the latest version for your function app<br />- Python should be updated to the latest version for your web app<br />- Remote debugging should be turned off for API App<br />- Remote debugging should be turned off for Function App<br />- Remote debugging should be turned off for Web Applications<br />- Secure Boot should be enabled on supported Windows virtual machines<br />- Storage accounts should be migrated to new Azure Resource Manager resources<br />- Subnets should be associated with a network security group<br />- Subscriptions should have a contact email address for security issues<br />- There should be more than one owner assigned to your subscription<br />- Validity period of certificates stored in Azure Key Vault should not exceed 12 months<br />- Virtual machines guest attestation status should be healthy<br />- Virtual machines should be migrated to new Azure Resource Manager resources<br />- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity<br />- vTPM should be enabled on supported virtual machines<br />- Web apps should request an SSL certificate for all incoming requests<br />- Windows Defender Exploit Guard should be enabled on your machines<br />- Windows web servers should be configured to use secure communication protocols</td>
8888
</tr>
8989
<tr>
