
Commit 7d99671

update
1 parent b8995c0 commit 7d99671

1 file changed

Lines changed: 34 additions & 24 deletions

File tree

learn-pr/wwl-sci/design-solutions-securing-server-client-endpoints/includes/2-specify-server-security-requirements.md

@@ -18,13 +18,15 @@ For each category, specify requirements that are measurable and auditable. For e
1818

1919
### MCSB Endpoint Security controls
2020

21-
The Microsoft Cloud Security Benchmark (MCSB) provides a structured framework for endpoint security requirements. In MCSB v2, the Endpoint Security (ES) domain is organized into two pillars:
21+
The [Microsoft Cloud Security Benchmark (MCSB) v2 (preview)](/security/benchmark/azure/overview) provides a structured framework for endpoint security requirements. It supersedes MCSB v1, expanding security domains to 12 (including Artificial Intelligence Security), adding risk and threat-based guidance with MITRE ATT&CK mappings, and updating compliance framework mappings to NIST SP 800-53 Rev.5, PCI-DSS v4, CIS Controls v8.1, NIST CSF v2.0, ISO 27001:2022, and SOC 2.
2222

23-
**Cloud endpoint threat protection** — Deploy comprehensive threat detection and response capabilities for servers, including anti-malware and behavioral analysis:
23+
The Endpoint Security (ES) domain is organized into two pillars:
24+
25+
**Cloud endpoint threat protection** — Deploy comprehensive threat detection and response capabilities for servers, including behavioral analysis and extended detection and response (XDR) integration:
2426

2527
| Control | Requirement | Implementation guidance |
2628
| --- | --- | --- |
27-
| ES-1 | Use Endpoint Detection and Response (EDR) | Deploy EDR solutions like Microsoft Defender for Endpoint to detect, investigate, and respond to advanced threats on servers |
29+
| ES-1 | Use Endpoint Detection and Response (EDR) | Deploy EDR solutions like Microsoft Defender for Endpoint to detect, investigate, and respond to advanced threats on servers. Includes subcontrols for EDR deployment (ES-1.1), XDR integration (ES-1.2), and EDR automation (ES-1.3). |
2830
| ES-2 | Use modern anti-malware software | Require anti-malware solutions that provide real-time protection, behavior monitoring, and integration with cloud-based threat intelligence |
2931

3032
**Cloud endpoint security configuration** — Enforce security baselines and hardening standards across all servers:
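Review bot: the reworded "Cloud endpoint threat protection" pillar intro (new line 25) drops "anti-malware" from its capability list, yet the ES-2 row directly beneath it still requires "modern anti-malware software", so the intro no longer summarizes its own table; suggest "including anti-malware, behavioral analysis, and extended detection and response (XDR) integration". Two smaller points in the same hunk: the new opening paragraph labels MCSB v2 "(preview)" but states in the present tense that it "supersedes MCSB v1", which is hard to square for a preview release ("is intended to supersede" would be accurate); and the subcontrol list appended to the ES-1 row (ES-1.1 to ES-1.3) reads as catalog structure rather than implementation guidance, so if it stays, say which subcontrols the requirement actually mandates.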
@@ -33,7 +35,7 @@ The Microsoft Cloud Security Benchmark (MCSB) provides a structured framework fo
3335
| --- | --- | --- |
3436
| ES-3 | Ensure anti-malware software and signatures are updated | Configure automatic updates for anti-malware definitions and engines; specify maximum acceptable age for signatures |
3537

36-
These controls apply across Windows and Linux servers in Azure, AWS, GCP, and on-premises environments. Microsoft Defender for Servers implements ES-1 and ES-2 through its integration with Defender for Endpoint. For detailed implementation guidance, see [Endpoint security controls in MCSB](/security/benchmark/azure/mcsb-endpoint-security).
38+
These controls apply across Windows and Linux servers in Azure, AWS, GCP, and on-premises environments. Microsoft Defender for Servers implements ES-1 and ES-2 through its integration with Defender for Endpoint. For detailed implementation guidance, see [Endpoint security controls in MCSB v2](/security/benchmark/azure/mcsb-v2-endpoint-security).
3739

3840
## Platform-specific considerations
3941

@@ -53,6 +55,7 @@ Windows Server environments require specific attention to:
5355

5456
Linux security requirements vary by distribution but should address:
5557

58+
- **Microsoft Defender for Endpoint on Linux**: Require Defender for Endpoint for real-time antimalware protection, EDR capabilities, and vulnerability assessment on supported Linux distributions
5659
- **SSH hardening**: Require key-based authentication, disable root sign-in, and limit SSH access to specific users or groups
5760
- **SELinux or AppArmor**: Specify mandatory access control requirements based on your distribution (SELinux for RHEL-based distributions, AppArmor for Ubuntu/SUSE)
5861
- **Firewall configuration**: Require firewall or iptables rules that implement least-privilege network access
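Review bot: the new "Microsoft Defender for Endpoint on Linux" bullet (new line 58) says "on supported Linux distributions" without telling the requirement author what to do for a distribution that is not supported; since the list lead-in says requirements "vary by distribution", add a pointer to the supported-distribution list and a fallback requirement (a documented exception process or an alternative EDR) for unsupported hosts. Minor: the bullet spells "antimalware" while the ES-2 and ES-3 rows earlier in this file use "anti-malware"; pick one.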
@@ -67,17 +70,19 @@ Server security requirements vary based on where servers are deployed. Your spec
6770

6871
For Azure-hosted servers, use platform capabilities in your requirements:
6972

70-
- **Microsoft Defender for Servers**: Require either Plan 1 or Plan 2 based on protection needs. Plan 1 provides Defender for Endpoint integration for EDR capabilities. Plan 2 adds agentless scanning (vulnerabilities, secrets, and malware), file integrity monitoring, just-in-time VM access, compliance assessment, and a free data ingestion benefit. Defender for Servers no longer relies on the Log Analytics agent or Azure Monitor Agent — all security features are delivered through the Defender for Endpoint integration and agentless machine scanning.
73+
- **Microsoft Defender for Servers**: Require Defender for Servers on all Azure VMs, selecting Plan 1 or Plan 2 based on workload criticality. See [Defender for Servers plan selection](/azure/defender-for-cloud/plan-defender-for-servers-select-plan) for guidance on matching plan capabilities to your security requirements.
74+
- **Trusted launch**: Require trusted launch with Secure Boot and vTPM enabled for Azure VMs to protect against boot-level attacks such as bootkits and rootkits
7175
- **Network security groups**: Require NSGs on all subnets with rules that follow least-privilege principles
7276
- **Azure Bastion**: Require Azure Bastion for administrative access instead of exposing RDP/SSH ports
7377
- **Managed identities**: Require managed identities for Azure resource access instead of stored credentials
74-
- **Disk encryption**: Require Azure Disk Encryption or server-side encryption with customer-managed keys
78+
- **Disk encryption**: Require Azure Disk Encryption, server-side encryption with customer-managed keys, or encryption at host based on workload requirements
79+
- **Confidential VMs**: For workloads processing highly sensitive data, consider Azure Confidential VMs that provide hardware-based memory encryption
7580

7681
### Multicloud environments (AWS and GCP)
7782

7883
For servers in AWS or GCP, specify how to integrate with your security management:
7984

80-
- **Azure Arc onboarding**: Require all non-Azure servers to connect through Azure Arc for centralized management. The multicloud connector enabled by Azure Arc can auto-discover EC2 instances and GCP VMs and install the Connected Machine agent at scale.
85+
- **Azure Arc onboarding**: Require all non-Azure servers to connect through Azure Arc for centralized management. The Defender for Cloud multicloud connectors for AWS and GCP can auto-discover EC2 instances and GCP VMs and install the Azure Connected Machine agent at scale.
8186
- **Connector configuration**: Specify whether to connect at the organization/account level or individual project/account level
8287
- **Defender for Servers coverage**: Extend Microsoft Defender for Servers protection to EC2 instances and Compute Engine VMs
8388
- **Compliance standards**: Apply consistent standards across clouds—AWS Foundational Security Best Practices, GCP CIS benchmarks, and MCSB all map to common controls
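Review bot: the new "Confidential VMs" bullet (new line 79) says "consider", which is weaker than the "Require" wording of every other bullet in this list and of the page's own rule that requirements be "measurable and auditable"; either make it "Require ... for workloads classified as <tier>" or move it out of the requirements list. Likewise the expanded "Disk encryption" bullet (new line 78) now offers three options "based on workload requirements" without naming the deciding criterion; say which workloads get which (for example, customer-managed keys for regulated data, encryption at host where temp and cache disks must be covered). The shortened Defender for Servers bullet (new line 73) drops the statement that the plans no longer rely on the Log Analytics agent or Azure Monitor Agent; that removal is the right call given the later hunk's note that free data ingestion "requires Azure Monitor Agent", but it is worth stating in the commit message so it is not read as accidental.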
@@ -87,7 +92,7 @@ For servers in AWS or GCP, specify how to integrate with your security managemen
8792
On-premises servers require additional considerations:
8893

8994
- **Azure Arc deployment**: Require the Azure Connected Machine agent on all servers to enable cloud-based management and full Plan 2 functionality
90-
- **Direct Defender for Endpoint onboarding**: For servers where Azure Arc isn't feasible, installing the Defender for Endpoint agent directly provides Plan 1 functionality only (EDR and premium Defender Vulnerability Management features, but no agentless scanning, FIM, or JIT access)
95+
- **Direct Defender for Endpoint onboarding**: For servers where Azure Arc isn't feasible, you can onboard directly with the Defender for Endpoint agent. With Plan 1, direct onboarding provides all Plan 1 features. With Plan 2, directly onboarded servers get Plan 1 features plus premium Defender Vulnerability Management capabilities, but don't get agentless scanning, file integrity monitoring, JIT VM access, or OS configuration assessment — those capabilities require Azure Arc
9196
- **Network connectivity**: Specify required endpoints for Azure Arc, Defender for Cloud, and any extensions
9297
- **Proxy configuration**: Define proxy requirements for servers without direct internet access
9398
- **Update management**: Integrate with Azure Update Manager for centralized patching across hybrid environments
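Review bot: the rewritten "Direct Defender for Endpoint onboarding" bullet (new line 95) says directly onboarded Plan 2 servers get "premium Defender Vulnerability Management capabilities", while the plan-selection hunk later in this diff qualifies that same feature as "available only in the Defender portal"; repeat the portal restriction here, or readers writing on-premises requirements will expect it in Defender for Cloud. The bullet also enumerates what direct onboarding lacks (agentless scanning, file integrity monitoring, JIT VM access, OS configuration assessment), which duplicates the Plan 2 list in the design-decision section; a short "features that depend on Azure Arc" cross-reference would keep the two lists from drifting apart.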
@@ -110,7 +115,7 @@ Specify scanning frequency and remediation timelines:
110115

111116
**File integrity monitoring**
112117

113-
For servers processing sensitive data, require monitoring of critical system files and configuration files with alerts on unauthorized changes. File integrity monitoring is now delivered through the Defender for Endpoint integration in Defender for Servers Plan 2, replacing the previous Log Analytics agent-based approach.
118+
For servers processing sensitive data, require monitoring of critical system files and configuration files with alerts on unauthorized changes. File integrity monitoring in Defender for Servers Plan 2 uses both the Defender for Endpoint agent (near real-time change detection) and agentless scanning (24-hour cadence), replacing the previous Log Analytics agent-based approach.
114119

115120
**Backup and recovery**
116121

@@ -135,22 +140,27 @@ Map your specific requirements to control frameworks to demonstrate compliance.
135140

136141
## Design decision: Defender for Servers plan selection
137142

138-
When specifying Defender for Servers requirements, choose the appropriate plan based on workload criticality:
143+
When specifying Defender for Servers requirements, focus on the security capabilities your workloads require rather than individual product features. Both plans include EDR through Defender for Endpoint, agent-based vulnerability assessment, and compliance assessment against regulatory standards. The decision between plans hinges on whether your requirements include capabilities that only Plan 2 provides.
139144

140-
| Consideration | Plan 1 | Plan 2 |
141-
| --- | --- | --- |
142-
| **Best for** | Standard workloads requiring EDR | Critical workloads requiring comprehensive protection |
143-
| **Defender for Endpoint (EDR)** | ✓ Included | ✓ Included |
144-
| **Vulnerability assessment (agent-based)** | ✓ Included | ✓ Included |
145-
| **Vulnerability assessment (agentless)** | Not available | ✓ Included |
146-
| **Agentless malware and secrets scanning** | Not available | ✓ Software inventory, secrets, malware |
147-
| **Premium Defender Vulnerability Management** | Not available | ✓ Security baselines, block vulnerable apps, certificate and hardware assessment |
148-
| **Just-in-time VM access** | Not available | ✓ Reduces attack surface |
149-
| **File integrity monitoring** | Not available | ✓ Via Defender for Endpoint integration |
150-
| **Compliance assessment** | Not available | ✓ Regulatory standards assessment |
151-
| **Free data ingestion** | Not available | ✓ 500 MB/day for specific data types |
152-
153-
For most organizations, specify Plan 1 as the baseline requirement for all servers, with Plan 2 required for servers that process sensitive data, are internet-facing, or are otherwise deemed critical.
145+
**Specify Plan 1** as the baseline for all servers when your requirements include:
146+
147+
- Endpoint detection and response (EDR)
148+
- Agent-based vulnerability assessment
149+
- Compliance assessment against regulatory standards
150+
151+
**Specify Plan 2** for servers where your requirements also include:
152+
153+
- Agentless scanning for vulnerabilities, secrets, and malware (no agent installation required)
154+
- File integrity monitoring (via Defender for Endpoint agent and agentless scanning)
155+
- Just-in-time VM access to reduce attack surface (Azure and AWS only, not available on GCP)
156+
- OS configuration assessment against MCSB compute security baselines
157+
- OS system updates assessment integrated with Azure Update Manager
158+
- Premium Defender Vulnerability Management (security baselines, block vulnerable apps; available only in the Defender portal)
159+
- 500 MB/day free data ingestion for security data types (requires Azure Monitor Agent)
160+
161+
For most organizations, specify Plan 1 as the baseline requirement for all servers, with Plan 2 required for servers that process sensitive data, are internet-facing, or are otherwise classified as critical. This requirements-based approach lets you align plan selection to workload criticality tiers without overprovisioning protection for standard workloads.
162+
163+
For a complete comparison of plan features and cloud availability, see [Defender for Servers plan features](/azure/defender-for-cloud/defender-for-servers-overview#plan-protection-features).
154164

155165
## Documentation requirements
156166
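Review bot: this hunk silently reverses a factual claim: the deleted table row marked "Compliance assessment" as "Not available" in Plan 1, while the new text says both plans include "compliance assessment against regulatory standards" and lists it under Plan 1. One of the two versions is wrong; confirm against the linked plan-features page and record the correction explicitly rather than under a commit message that reads only "update". Two smaller points: the Plan 2 item "500 MB/day free data ingestion ... (requires Azure Monitor Agent)" is the only item in either list with an agent dependency, so say which data types or features it covers, given that the rest of the file presents Defender for Servers as delivered through Defender for Endpoint and agentless scanning; and the new JIT note "(Azure and AWS only, not available on GCP)" is the only cloud-availability qualifier in the list while the closing paragraph defers "cloud availability" to the linked comparison, so either mark availability for every item or drop the one-off qualifier in favor of the link.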
