Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.3.1. Defender for Servers and Vulnerability Management

💡 First Principle: Defender for Servers protects Windows and Linux servers in Azure, on-premises, and other clouds with threat detection, vulnerability assessment, and file integrity monitoring.

Defender for Servers Plans

Feature                    | Plan 1 | Plan 2
Threat detection           | Yes    | Yes
Vulnerability scanning     | No     | Yes (agentless & agent-based)
File integrity monitoring  | No     | Yes
Just-in-time VM access     | No     | Yes

Agentless Scanning Overview (2026 Focus)

💡 First Principle: Traditional vulnerability scanning relies on agents that consume CPU/RAM and require ongoing management. Agentless scanning shifts the burden to the cloud infrastructure, providing visibility without touching the workload's performance or configuration.

  • Why agentless is the future: It eliminates the "agent gap" (unmanaged or legacy systems where agents cannot be installed) and ensures zero performance impact on production workloads.
  • Methodology: Uses snapshot-based vulnerability assessment. The engine takes a point-in-time snapshot of the VM's disk, mounts it in a secure isolated environment, and analyzes the file system for vulnerabilities and misconfigurations.
  • Expanded 2026 Scope: Now includes Azure Functions and Web Apps (App Service). Defender for Cloud can now analyze the underlying files and dependencies of serverless and PaaS workloads without requiring code changes or custom extensions.
  • Multi-cloud parity: Identical snapshot-based methodology applied to Azure VMs, AWS EC2 instances, and GCP Compute Engine instances.

Configuration and Setup

  1. Prerequisites: Requires Defender for Servers Plan 2 or Defender for Containers (for containerized workloads).
  2. Enablement: In the Defender for Cloud portal, navigate to Environment Settings > Select Subscription > Settings & Monitoring.
  3. Provider Selection: Ensure "Agentless scanning for machines" is set to On.
  4. Scanning Schedules: Scans typically occur every 24 hours. While the exact timing is managed by Azure to optimize platform performance, you can trigger manual rescans via the portal for critical assets.
  5. Exclusions: Configure exclusions using Azure Resource Graph or portal settings to skip specific VMs or tags if compliance or data residency requires it.

Agentless vs. Agent-Based Comparison

Criterion                | Agentless Scanning                | Agent-Based (MDE/Qualys)
Performance impact       | Zero (scans snapshots)            | Low (uses guest OS resources)
Deployment               | Instant (cloud-side)              | Requires installation/extensions
Visibility window        | Periodic (snapshot-based)         | Real-time (continuous monitoring)
Legacy/unsupported OS    | High (analyzes disk directly)     | Low (requires agent support)
Deep threat detection    | Limited (no runtime analysis)     | High (EDR/runtime behavioral monitoring)
Serverless/PaaS support  | Yes (Azure Functions/Web Apps)    | No (usually restricted to IaaS)

Hybrid Approach: For production-critical IaaS, the 2026 best practice is to use both. Use agentless for universal vulnerability coverage and agent-based (Microsoft Defender for Endpoint) for real-time EDR and active threat response.

Agentless Scanning for Azure Functions and Web Apps (NEW in 2026)

💡 First Principle: PaaS security often suffers from a "black box" problem where developers assume the provider handles everything. 2026 agentless scanning opens this box.

  • Dependency Detection: Automatically identifies vulnerable libraries (NuGet, NPM, PyPI) within your Function or Web App code without requiring a CI/CD plugin.
  • Integration: Findings are surfaced as Security Recommendations within the Defender for Cloud dashboard, mapping directly to the specific App Service or Function App resource.
  • Serverless Posture: Extends Cloud Security Posture Management (CSPM) to verify that environment variables, secrets, and configuration settings follow the principle of least privilege.

Agentless Scanning Architecture

Practical Implementation Scenario

Scenario: Your organization has 500 VMs across dev, test, and production, plus 50 Azure Functions. 20% of the VMs are legacy systems that cannot support the MDE agent.

  1. Phase 1 (Broad Visibility): Enable Agentless Scanning on the entire subscription (Plan 2). Within 24 hours, you gain a 100% vulnerability inventory, including the legacy systems.
  2. Phase 2 (Deep Protection): Deploy the MDE agent to the 80% of VMs that support it. These production servers now have real-time EDR.
  3. Phase 3 (Remediation): Integrate findings with Azure Logic Apps. When a "High" vulnerability is found on a Dev VM, trigger an automated notification to the developer via Microsoft Teams.
  4. Phase 4 (PaaS Validation): Review the new "Vulnerabilities in Azure Functions" recommendations to identify outdated dependencies in serverless workloads before they are exploited.
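The Phase 3 routing rule and the hybrid-coverage check from the scenario above, as an added example (not Microsoft code). The inventory and finding records are constructed to resemble simplified Azure Resource Graph sub-assessment output; the field names are an assumption, not the real schema.

```python
"""Triage Defender for Cloud vulnerability findings per the scenario's Phase 3.

Records of this shape would come from an Azure Resource Graph query such as
  securityresources | where type == "microsoft.security/assessments/subassessments"
but the fields below are a simplified, constructed stand-in for that output.
"""
from collections import Counter

# Constructed inventory: VM name -> environment tag and whether MDE is onboarded.
VMS = {
    "vm-dev-01":  {"env": "dev",  "mde": False},
    "vm-prod-01": {"env": "prod", "mde": True},
    "vm-prod-02": {"env": "prod", "mde": False},   # legacy OS: agentless coverage only
}

# Constructed findings (severity values as Defender reports them); ids are placeholders.
FINDINGS = [
    {"resource": "vm-dev-01",  "id": "vuln-0001", "severity": "High"},
    {"resource": "vm-dev-01",  "id": "vuln-0002", "severity": "Low"},
    {"resource": "vm-prod-02", "id": "vuln-0003", "severity": "High"},
    {"resource": "vm-prod-01", "id": "vuln-0004", "severity": "Medium"},
]


def dev_high_notifications(findings, vms):
    """Phase 3 rule: a High finding on a dev VM becomes a developer notification."""
    return [
        f"{f['resource']}: {f['id']}"
        for f in findings
        if f["severity"] == "High" and vms.get(f["resource"], {}).get("env") == "dev"
    ]


def hybrid_coverage_gaps(findings, vms):
    """Production VMs with a High finding but no MDE agent: agentless scanning
    can see the vulnerability, but nothing on the host can respond at runtime."""
    hot = {f["resource"] for f in findings if f["severity"] == "High"}
    return sorted(name for name, meta in vms.items()
                  if meta["env"] == "prod" and not meta["mde"] and name in hot)


def severity_summary(findings):
    """Counts per severity, useful for the Phase 1 inventory report."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    print("notify:", dev_high_notifications(FINDINGS, VMS))
    print("coverage gaps:", hybrid_coverage_gaps(FINDINGS, VMS))
    print("summary:", severity_summary(FINDINGS))
```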

Azure CLI Examples

# Enable Defender for Servers Plan 2 (required for agentless scanning)
az security pricing create --name VirtualMachines --tier Standard --subplan P2

# Configure the agentless vulnerability assessment provider via the REST API.
# Replace {subscriptionId} with your subscription ID. The setting is addressed by its
# kind (AzureServersSetting), and the request body must carry that kind as well.
az rest --method PUT \
  --uri "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings/AzureServersSetting?api-version=2023-05-01" \
  --body '{"kind":"AzureServersSetting","properties":{"selectedProvider":"MdeTvm"}}'

# Verify current scanning status: list vulnerability-related assessments
az security assessment list --query "[?contains(displayName, 'Vulnerability')].{name:displayName, status:status.code}" -o table

⚠️ Exam Trap: Relying solely on agentless scanning for critical production servers. While agentless is excellent for vulnerability discovery, it cannot stop an active attack in progress. For high-value targets, always combine agentless scanning with agent-based EDR (MDE) for comprehensive protection.
