Performs a comprehensive security assessment of Azure-hosted Windows environments, checking cloud-specific security configurations, compliance requirements, and Azure best practices. The script helps maintain security standards across Azure Windows deployments.
- Azure-specific security checks
- Cloud service configuration audit
- Network security group verification
- Azure AD integration checks
- Storage security assessment
- Key Vault access review
- Azure backup verification
- Compliance monitoring
- Cost optimization checks
- Windows Server 2016 or later
- PowerShell 5.1 or later
- Az PowerShell module
- Azure AD PowerShell module
- Administrative privileges
- Azure subscription access
- Appropriate RBAC permissions
    .\AzureWindowsSecurityCheck.ps1 [-Subscription <id>] [-ResourceGroup <name>] [-Report] [-Fix]

Parameters:
    -Subscription   Azure subscription ID
    -ResourceGroup  Target resource group
    -Report         Generate detailed HTML report
    -Fix            Attempt to fix found issues
- Azure Platform Security
  - Azure Security Center status
  - Azure Defender status
  - Azure Monitor configuration
  - Azure Policy compliance
  - Resource locks
  - Management group settings
- Identity and Access
  - Azure AD integration
  - Managed identities
  - RBAC assignments
  - Service principals
  - Conditional access
  - MFA enforcement
- Network Security
  - NSG configurations
  - Azure Firewall settings
  - Virtual network security
  - Load balancer security
  - Private endpoints
  - Service endpoints
- Data Security
  - Storage account encryption
  - Key Vault access policies
  - Disk encryption
  - Backup configurations
  - Recovery services
  - Data retention policies
The script uses a JSON configuration file:
    {
        "AzureChecks": {
            "SecurityCenter": true,
            "NetworkSecurity": true,
            "IdentityAccess": true,
            "DataProtection": true
        },
        "Compliance": {
            "Standards": ["ISO27001", "PCI-DSS", "HIPAA"],
            "CustomPolicies": true
        },
        "Reporting": {
            "OutputPath": "C:\\AzureReports",
            "SendEmail": true,
            "DetailLevel": "Verbose"
        }
    }
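One way the "NSG configurations" check listed under Network Security could work, gated by the `AzureChecks.NetworkSecurity` key of the configuration file. This is an added example, not code from AzureWindowsSecurityCheck.ps1; the function names, the management-port list and the sample rules are assumptions made for illustration.

```powershell
# Added example; not part of AzureWindowsSecurityCheck.ps1. Function names, the
# management-port list and the sample rules are assumptions made for illustration.
$ManagementPorts = 22, 3389, 5985, 5986   # SSH, RDP, WinRM HTTP/HTTPS

function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Range -eq "$Port")
}

function Find-ExposedNsgRule {
    # Flags inbound Allow rules that open a management port to any source.
    # Evaluated per rule: a higher-priority Deny may still shadow a flagged rule.
    param([object[]]$Rule)
    $openSources = '*', '0.0.0.0/0', 'Internet'
    foreach ($r in $Rule) {
        if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
        if (-not ($r.SourceAddressPrefix | Where-Object { $_ -in $openSources })) { continue }
        $hit = foreach ($p in $ManagementPorts) {
            if ($r.DestinationPortRange | Where-Object { Test-PortInRange $_ $p }) { $p }
        }
        if ($hit) {
            [pscustomobject]@{ Rule = $r.Name; Priority = $r.Priority; ExposedPorts = $hit -join ',' }
        }
    }
}

# Only the key this check reads, in the shape of the configuration file above.
$config = '{ "AzureChecks": { "NetworkSecurity": true } }' | ConvertFrom-Json

# Constructed sample rules using the property names of Az.Network rule objects.
$sampleRules = @(
    [pscustomobject]@{ Name = 'allow-rdp-any'; Priority = 100; Direction = 'Inbound'; Access = 'Allow'
                       SourceAddressPrefix = @('*'); DestinationPortRange = @('3389') }
    [pscustomobject]@{ Name = 'allow-range-internet'; Priority = 110; Direction = 'Inbound'; Access = 'Allow'
                       SourceAddressPrefix = @('Internet'); DestinationPortRange = @('5000-6000') }
    [pscustomobject]@{ Name = 'allow-https-any'; Priority = 120; Direction = 'Inbound'; Access = 'Allow'
                       SourceAddressPrefix = @('*'); DestinationPortRange = @('443') }
    [pscustomobject]@{ Name = 'allow-rdp-corp'; Priority = 130; Direction = 'Inbound'; Access = 'Allow'
                       SourceAddressPrefix = @('10.0.0.0/8'); DestinationPortRange = @('3389') }
)

if ($config.AzureChecks.NetworkSecurity) { Find-ExposedNsgRule -Rule $sampleRules }
# Live data (needs Az.Network and a signed-in context):
#   Get-AzNetworkSecurityGroup -ResourceGroupName <name> |
#       ForEach-Object { Find-ExposedNsgRule -Rule $_.SecurityRules }
```

With the constructed rules, only `allow-rdp-any` (3389) and `allow-range-internet` (5985,5986) are reported; the range case shows why port ranges must be expanded rather than compared as strings.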
The security report includes:
- Executive Summary
- Azure-Specific Findings
- Resource Security Status
- Compliance Status
- Cost Optimization
- Remediation Steps
- Technical Details
- Cloud Best Practices
- Validates Azure connectivity
- Checks permissions
- Logs all operations
- Handles API throttling
- Reports check failures
- Provides error solutions
The script maintains logs in:
- Main log: C:\Windows\Logs\AzureSecurityCheck.log
- Report file: C:\AzureReports\<timestamp>_AzureSecurityReport.html
- Error log: C:\Windows\Logs\AzureSecurityErrors.log
- Safe read-only operations
- Encrypted report options
- Secure credential handling
- No sensitive data exposure
- Audit trail maintenance
- Compliance tracking
Built-in compliance checks for:
- Azure Security Benchmark
- CIS Azure Foundations
- NIST Guidelines
- PCI DSS Requirements
- HIPAA Standards
- ISO 27001 Controls
- Run daily security checks
- Review Azure Advisor
- Monitor Security Center
- Document exceptions
- Maintain baseline
- Update compliance profiles
- Monitor costs
- Address critical issues
- Keep reports archived
- Regular policy updates
- Staff cloud training
- Incident response planning
- Regular tool updates
- Resource tagging
- Backup verification
- Disaster recovery testing