last sync: 2024-Feb-21 20:03:25 UTC

Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting | Regulatory Compliance - Configuration Management

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting
Id 2a39ac75-622b-4c88-9a3f-45b7373f7ef7
Version 1.0.0
Category Regulatory Compliance
Description Microsoft implements this Configuration Management control
Additional metadata Name/Id: ACF1219 / Microsoft Managed Control 1219
Category: Configuration Management
Title: Least Functionality | Authorized Software / Whitelisting - Identification
Ownership: Customer, Microsoft
Description: The organization: Identifies software programs authorized to execute on the information system as defined in baselines and configuration scripts;
Requirements: Azure identifies software authorized to execute within Azure via configuration baselines and configuration scripts. Both baselines and scripts are version controlled and under configuration management. Only software included in a baseline or configuration script may be installed on Azure. Azure uses Azure Security Monitoring (ASM) and SCUBA to identify unauthorized software execution and alert appropriate personnel for further review. In addition to the standard release processes that are part of OneBranch, which include build release verification steps such as virus scanning, services running AzSecPack are monitored by the Azure System Lockdown (AzSysLock) team for unexpected running software, defined as any software that is not signed with the appropriate signing certificates. AzSysLock sends alerts to service teams that are not properly using AppLocker and Code Integrity. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, a binary does not run if it is not signed. Alerts for unsigned binaries running are raised to service owners as a Severity 2 incident per Azure CEN. For services running Azure Security Pack, the OS security configuration baseline is also monitored for baseline violations, which are then reported to service owners through Incident Management (IcM) and/or Service 360 (S360), depending on the severity of the violation. Near real-time alerts include alerts for audit processing failures, such as system time changes or audit policy changes. Additionally, virtual components within Azure are managed by the Fabric Controller (FC), which is the component used to create, monitor, restart, and destroy virtual machines. Overall VM and Azure Host/Native management coverage of AzSecPack is maintained by AzSecPack.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Compliance Not a Compliance control
Initiatives usage none
History none