last sync: 2020-Sep-30 14:32:32 UTC

Azure Policy

Windows machines should meet requirements for 'Windows Firewall Properties'

Policy DisplayName Windows machines should meet requirements for 'Windows Firewall Properties'
Policy Id 35d9882c-993d-44e6-87d2-db66ce21b636
Policy Category Guest Configuration
Policy Description Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) (i) Change Change detail
2020-09-15 14:06:41 change: DisplayName previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Firewall Properties'
2020-08-20 14:05:01 add: Policy 35d9882c-993d-44e6-87d2-db66ce21b636
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab
[Preview]: Windows machines should meet requirements for the Azure security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821
Policy Rule
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Windows Firewall Properties'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_WindowsFirewallProperties",
        "version": "1.*",
        "configurationParameter": {
          "WindowsFirewallDomainUseProfileSettings": "Windows Firewall: Domain: Firewall state;ExpectedValue",
          "WindowsFirewallDomainBehaviorForOutboundConnections": "Windows Firewall: Domain: Outbound connections;ExpectedValue",
          "WindowsFirewallDomainApplyLocalConnectionSecurityRules": "Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallDomainApplyLocalFirewallRules": "Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallDomainDisplayNotifications": "Windows Firewall: Domain: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallPrivateUseProfileSettings": "Windows Firewall: Private: Firewall state;ExpectedValue",
          "WindowsFirewallPrivateBehaviorForOutboundConnections": "Windows Firewall: Private: Outbound connections;ExpectedValue",
          "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": "Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallPrivateApplyLocalFirewallRules": "Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallPrivateDisplayNotifications": "Windows Firewall: Private: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallPublicUseProfileSettings": "Windows Firewall: Public: Firewall state;ExpectedValue",
          "WindowsFirewallPublicBehaviorForOutboundConnections": "Windows Firewall: Public: Outbound connections;ExpectedValue",
          "WindowsFirewallPublicApplyLocalConnectionSecurityRules": "Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallPublicApplyLocalFirewallRules": "Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallPublicDisplayNotifications": "Windows Firewall: Public: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallDomainAllowUnicastResponse": "Windows Firewall: Domain: Allow unicast response;ExpectedValue",
          "WindowsFirewallPrivateAllowUnicastResponse": "Windows Firewall: Private: Allow unicast response;ExpectedValue",
          "WindowsFirewallPublicAllowUnicastResponse": "Windows Firewall: Public: Allow unicast response;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "WindowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
              "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsFirewallProperties",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('Windows Firewall: Domain: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallDomainUseProfileSettings'), ',', 'Windows Firewall: Domain: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallDomainBehaviorForOutboundConnections'), ',', 'Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalFirewallRules'), ',', 'Windows Firewall: Domain: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallDomainDisplayNotifications'), ',', 'Windows Firewall: Private: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPrivateUseProfileSettings'), ',', 'Windows Firewall: Private: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPrivateBehaviorForOutboundConnections'), ',', 'Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalFirewallRules'), ',', 'Windows Firewall: Private: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPrivateDisplayNotifications'), ',', 'Windows Firewall: Public: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPublicUseProfileSettings'), ',', 'Windows Firewall: Public: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPublicBehaviorForOutboundConnections'), ',', 'Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalFirewallRules'), ',', 'Windows Firewall: Public: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPublicDisplayNotifications'), ',', 'Windows Firewall: Domain: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallDomainAllowUnicastResponse'), ',', 'Windows Firewall: Private: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPrivateAllowUnicastResponse'), ',', 'Windows Firewall: Public: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPublicAllowUnicastResponse')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "35d9882c-993d-44e6-87d2-db66ce21b636"
}