|
Policy Rule
|
{
"properties": {
"displayName": "Windows machines should meet requirements for 'Windows Firewall Properties'",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
"metadata": {
"category": "Guest Configuration",
"version": "2.0.0",
"requiredProviders": [
"Microsoft.GuestConfiguration"
],
"guestConfiguration": {
"name": "AzureBaseline_WindowsFirewallProperties",
"version": "1.*",
"configurationParameter": {
"WindowsFirewallDomainUseProfileSettings": "Windows Firewall: Domain: Firewall state;ExpectedValue",
"WindowsFirewallDomainBehaviorForOutboundConnections": "Windows Firewall: Domain: Outbound connections;ExpectedValue",
"WindowsFirewallDomainApplyLocalConnectionSecurityRules": "Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue",
"WindowsFirewallDomainApplyLocalFirewallRules": "Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue",
"WindowsFirewallDomainDisplayNotifications": "Windows Firewall: Domain: Settings: Display a notification;ExpectedValue",
"WindowsFirewallPrivateUseProfileSettings": "Windows Firewall: Private: Firewall state;ExpectedValue",
"WindowsFirewallPrivateBehaviorForOutboundConnections": "Windows Firewall: Private: Outbound connections;ExpectedValue",
"WindowsFirewallPrivateApplyLocalConnectionSecurityRules": "Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue",
"WindowsFirewallPrivateApplyLocalFirewallRules": "Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue",
"WindowsFirewallPrivateDisplayNotifications": "Windows Firewall: Private: Settings: Display a notification;ExpectedValue",
"WindowsFirewallPublicUseProfileSettings": "Windows Firewall: Public: Firewall state;ExpectedValue",
"WindowsFirewallPublicBehaviorForOutboundConnections": "Windows Firewall: Public: Outbound connections;ExpectedValue",
"WindowsFirewallPublicApplyLocalConnectionSecurityRules": "Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue",
"WindowsFirewallPublicApplyLocalFirewallRules": "Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue",
"WindowsFirewallPublicDisplayNotifications": "Windows Firewall: Public: Settings: Display a notification;ExpectedValue",
"WindowsFirewallDomainAllowUnicastResponse": "Windows Firewall: Domain: Allow unicast response;ExpectedValue",
"WindowsFirewallPrivateAllowUnicastResponse": "Windows Firewall: Private: Allow unicast response;ExpectedValue",
"WindowsFirewallPublicAllowUnicastResponse": "Windows Firewall: Public: Allow unicast response;ExpectedValue"
}
}
},
"parameters": {
"IncludeArcMachines": {
"type": "String",
"metadata": {
"displayName": "Include Arc connected servers",
"description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "false"
},
"WindowsFirewallDomainUseProfileSettings": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Domain): Use profile settings",
"description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
},
"defaultValue": "1"
},
"WindowsFirewallDomainBehaviorForOutboundConnections": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Domain): Behavior for outbound connections",
"description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
},
"defaultValue": "0"
},
"WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Domain): Apply local connection security rules",
"description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
},
"defaultValue": "1"
},
"WindowsFirewallDomainApplyLocalFirewallRules": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Domain): Apply local firewall rules",
"description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
},
"defaultValue": "1"
},
"WindowsFirewallDomainDisplayNotifications": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Domain): Display notifications",
"description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
},
"defaultValue": "1"
},
"WindowsFirewallPrivateUseProfileSettings": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Private): Use profile settings",
"description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
},
"defaultValue": "1"
},
"WindowsFirewallPrivateBehaviorForOutboundConnections": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Private): Behavior for outbound connections",
"description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
},
"defaultValue": "0"
},
"WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Private): Apply local connection security rules",
"description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
},
"defaultValue": "1"
},
"WindowsFirewallPrivateApplyLocalFirewallRules": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Private): Apply local firewall rules",
"description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
},
"defaultValue": "1"
},
"WindowsFirewallPrivateDisplayNotifications": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Private): Display notifications",
"description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
},
"defaultValue": "1"
},
"WindowsFirewallPublicUseProfileSettings": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Public): Use profile settings",
"description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
},
"defaultValue": "1"
},
"WindowsFirewallPublicBehaviorForOutboundConnections": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Public): Behavior for outbound connections",
"description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
},
"defaultValue": "0"
},
"WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Public): Apply local connection security rules",
"description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
},
"defaultValue": "1"
},
"WindowsFirewallPublicApplyLocalFirewallRules": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Public): Apply local firewall rules",
"description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
},
"defaultValue": "1"
},
"WindowsFirewallPublicDisplayNotifications": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall (Public): Display notifications",
"description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
},
"defaultValue": "1"
},
"WindowsFirewallDomainAllowUnicastResponse": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall: Domain: Allow unicast response",
"description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
},
"defaultValue": "0"
},
"WindowsFirewallPrivateAllowUnicastResponse": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall: Private: Allow unicast response",
"description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
},
"defaultValue": "0"
},
"WindowsFirewallPublicAllowUnicastResponse": {
"type": "String",
"metadata": {
"displayName": "Windows Firewall: Public: Allow unicast response",
"description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
},
"defaultValue": "1"
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of this policy"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"in": [
"esri",
"incredibuild",
"MicrosoftDynamicsAX",
"MicrosoftSharepoint",
"MicrosoftVisualStudio",
"MicrosoftWindowsDesktop",
"MicrosoftWindowsServerHPCPack"
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsServer"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "2008*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftSQLServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"notLike": "SQL2008*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-dsvm"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "dsvm-windows"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-ads"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"standard-data-science-vm",
"windows-data-science-vm"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "batch"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "rendering-windows2016"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "center-for-internet-security-inc"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "cis-windows-server-201*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "pivotal"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "bosh-windows-server*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "cloud-infrastructure-services"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "ad*"
}
]
},
{
"allOf": [
{
"anyOf": [
{
"field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
"exists": "true"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"like": "Windows*"
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"exists": "false"
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "2008*"
},
{
"field": "Microsoft.Compute/imageOffer",
"notLike": "SQL2008*"
}
]
}
]
}
]
}
]
}
]
},
{
"allOf": [
{
"value": "[parameters('IncludeArcMachines')]",
"equals": "true"
},
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"field": "Microsoft.HybridCompute/imageOffer",
"like": "windows*"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name": "AzureBaseline_WindowsFirewallProperties",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
"equals": "Compliant"
},
{
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
"equals": "[base64(concat('Windows Firewall: Domain: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallDomainUseProfileSettings'), ',', 'Windows Firewall: Domain: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallDomainBehaviorForOutboundConnections'), ',', 'Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalFirewallRules'), ',', 'Windows Firewall: Domain: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallDomainDisplayNotifications'), ',', 'Windows Firewall: Private: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPrivateUseProfileSettings'), ',', 'Windows Firewall: Private: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPrivateBehaviorForOutboundConnections'), ',', 'Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalFirewallRules'), ',', 'Windows Firewall: Private: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPrivateDisplayNotifications'), ',', 'Windows Firewall: Public: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPublicUseProfileSettings'), ',', 'Windows Firewall: Public: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPublicBehaviorForOutboundConnections'), ',', 'Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalFirewallRules'), ',', 'Windows Firewall: Public: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPublicDisplayNotifications'), ',', 'Windows Firewall: Domain: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallDomainAllowUnicastResponse'), ',', 'Windows Firewall: Private: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPrivateAllowUnicastResponse'), ',', 'Windows Firewall: Public: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPublicAllowUnicastResponse')))]"
}
]
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "35d9882c-993d-44e6-87d2-db66ce21b636"
}
|