If you need to harden Azure Arc-enabled servers, you may choose to block both guest configuration and extensions. Blocking both sounds like a good idea, but some services still need the Arc extension framework. One such service is Azure Update Manager: to assess and install updates on Azure Arc-enabled servers, two extensions must be added to the allow list.
Disable guest configuration:
azcmagent config set guestconfiguration.enabled false
Enable extensions:
azcmagent config set extensions.enabled true
Windows
Allow on-demand patching:
azcmagent config set extensions.allowlist "Microsoft.CPlat.Core/WindowsPatchExtension" --add
Allow periodic assessment:
azcmagent config set extensions.allowlist "Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension" --add
Allow SQL Server Arc extension:
azcmagent config set extensions.allowlist "Microsoft.AzureData/WindowsAgent.SqlServer" --add
Allow Azure Monitor Arc extensions:
azcmagent config set extensions.allowlist "Microsoft.EnterpriseCloud.Monitoring/MicrosoftMonitoringAgent,Microsoft.Azure.Monitoring.DependencyAgent/DependencyAgentWindows" --add
azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent" --add
Allow Defender Arc extensions:
azcmagent config set extensions.allowlist "Qualys/WindowsAgent.AzureSecurityCenter,Microsoft.Azure.AzureDefenderForServers/MDE.Windows,Microsoft.Azure.AzureDefenderForSQL/AdvancedThreatProtection.Windows" --add
Disabling Run Command
To disable the Run Command on Azure Arc-enabled servers:
azcmagent config set extensions.blocklist "microsoft.cplat.core/runcommandhandlerwindows"
Linux
Allow on-demand patching (without --add this command replaces any existing allow list entries, so append --add if the list already contains entries you want to keep):
azcmagent config set extensions.allowlist "Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension"
Allow periodic assessment:
azcmagent config set extensions.allowlist "Microsoft.CPlat.Core/LinuxPatchExtension" --add
Disabling Run Command
azcmagent config set extensions.blocklist "microsoft.cplat.core/runcommandhandlerlinux"
After running the commands, the output of "azcmagent config list" should look like the screenshots below.
The output shows that the allow list contains the 2 extensions, guest configuration is disabled, and extensions are enabled but limited to what is on the allow list.
[Screenshot: azcmagent config list output on Windows]
[Screenshot: azcmagent config list output on Linux]
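As an added example (not from the original post or from Microsoft), the POSIX shell script below generates the Azure Update Manager allow list commands for a given OS from a single expected-extension list, and checks the agent's current allow list against that expected list to flag drift (entries missing, or extra entries that should not be there). The extension names are the ones listed above; the parser for the allow list value is an assumption, written to tolerate bracket, comma or newline separated output because the exact format of "azcmagent config get extensions.allowlist" is not shown on this page, and the sample allow list value is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example: build azcmagent allowlist commands and detect allowlist drift.
# Assumption: the output of "azcmagent config get extensions.allowlist" is a
# bracket/comma/newline separated list of Publisher/Type names.

# Expected Azure Update Manager allowlist entries per OS (names from the post).
arc_expected_allowlist() {
    case "$1" in
        windows)
            printf '%s\n' \
                "Microsoft.CPlat.Core/WindowsPatchExtension" \
                "Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension"
            ;;
        linux)
            printf '%s\n' \
                "Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension" \
                "Microsoft.CPlat.Core/LinuxPatchExtension"
            ;;
        *)
            echo "unsupported OS: $1" >&2
            return 1
            ;;
    esac
}

# Emit (do not run) the configuration commands for an OS: disable guest
# configuration, enable extensions, then append each allowlist entry with --add.
arc_config_commands() {
    os="$1"
    echo "azcmagent config set guestconfiguration.enabled false"
    echo "azcmagent config set extensions.enabled true"
    arc_expected_allowlist "$os" | while IFS= read -r ext; do
        echo "azcmagent config set extensions.allowlist \"$ext\" --add"
    done
}

# Normalise an allowlist value: split on brackets, commas and whitespace,
# drop empty lines, lower-case (matching is treated as case-insensitive), sort.
arc_normalize_list() {
    sed 's/[][,]/ /g' | tr -s ' \t' '\n\n' | sed '/^$/d' | tr 'A-Z' 'a-z' | sort -u
}

# Compare an actual allowlist value against the expected list for the OS.
# Prints "missing <ext>" / "extra <ext>" lines; returns 0 only on an exact match.
arc_allowlist_drift() {
    os="$1"
    actual_text="$2"
    expected=$(arc_expected_allowlist "$os" | arc_normalize_list)
    actual=$(printf '%s' "$actual_text" | arc_normalize_list)
    rc=0
    for e in $expected; do
        printf '%s\n' "$actual" | grep -qxF "$e" || { echo "missing $e"; rc=1; }
    done
    for a in $actual; do
        printf '%s\n' "$expected" | grep -qxF "$a" || { echo "extra $a"; rc=1; }
    done
    return $rc
}

# Live check on a real Arc-enabled server (only when azcmagent is installed).
arc_check_live() {
    command -v azcmagent >/dev/null 2>&1 || { echo "azcmagent not found" >&2; return 2; }
    arc_allowlist_drift "$1" "$(azcmagent config get extensions.allowlist)"
}

# Constructed sample allowlist value (not real agent output) used for the
# offline demonstration: one expected entry is missing and one extra is present.
SAMPLE_ALLOWLIST='[Microsoft.CPlat.Core/WindowsPatchExtension, Microsoft.Azure.Monitor/AzureMonitorWindowsAgent]'

# Offline demonstration: print the Windows commands, then report drift.
arc_config_commands windows
arc_allowlist_drift windows "$SAMPLE_ALLOWLIST" || echo "allowlist drift detected"
```

On a real server, run "arc_check_live windows" or "arc_check_live linux" instead of the sample; a non-zero exit with "missing" lines means Azure Update Manager will not be able to install its extension, and "extra" lines mean the allow list has been widened beyond what you expected.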
Here are the links for more Azure Arc security options: Security overview – Azure Arc | Microsoft Learn
Extensions security – Azure Arc | Microsoft Learn
VM extension management with Azure Arc-enabled servers – Azure Arc | Microsoft Learn