last sync: 2021-Jan-27 16:54:46 UTC

Azure Policy definition

Windows machines should meet requirements for 'Windows Firewall Properties'

Name Windows machines should meet requirements for 'Windows Firewall Properties'
Azure Portal
Id 35d9882c-993d-44e6-87d2-db66ce21b636
Version 2.0.0
details on versioning
Category Guest Configuration
Microsoft docs
Description Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Firewall Properties'
2020-08-20 14:05:01 add 35d9882c-993d-44e6-87d2-db66ce21b636
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8 Regulatory Compliance Preview
[Preview]: Windows machines should meet requirements for the Azure security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821 Guest Configuration Preview
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA
Json
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Windows Firewall Properties'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_WindowsFirewallProperties",
        "version": "1.*",
        "configurationParameter": {
          "WindowsFirewallDomainUseProfileSettings": "Windows Firewall: Domain: Firewall state;ExpectedValue",
          "WindowsFirewallDomainBehaviorForOutboundConnections": "Windows Firewall: Domain: Outbound connections;ExpectedValue",
          "WindowsFirewallDomainApplyLocalConnectionSecurityRules": "Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallDomainApplyLocalFirewallRules": "Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallDomainDisplayNotifications": "Windows Firewall: Domain: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallPrivateUseProfileSettings": "Windows Firewall: Private: Firewall state;ExpectedValue",
          "WindowsFirewallPrivateBehaviorForOutboundConnections": "Windows Firewall: Private: Outbound connections;ExpectedValue",
          "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": "Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallPrivateApplyLocalFirewallRules": "Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallPrivateDisplayNotifications": "Windows Firewall: Private: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallPublicUseProfileSettings": "Windows Firewall: Public: Firewall state;ExpectedValue",
          "WindowsFirewallPublicBehaviorForOutboundConnections": "Windows Firewall: Public: Outbound connections;ExpectedValue",
          "WindowsFirewallPublicApplyLocalConnectionSecurityRules": "Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue",
          "WindowsFirewallPublicApplyLocalFirewallRules": "Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue",
          "WindowsFirewallPublicDisplayNotifications": "Windows Firewall: Public: Settings: Display a notification;ExpectedValue",
          "WindowsFirewallDomainAllowUnicastResponse": "Windows Firewall: Domain: Allow unicast response;ExpectedValue",
          "WindowsFirewallPrivateAllowUnicastResponse": "Windows Firewall: Private: Allow unicast response;ExpectedValue",
          "WindowsFirewallPublicAllowUnicastResponse": "Windows Firewall: Public: Allow unicast response;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "WindowsFirewallDomainUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallDomainApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Domain): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPrivateDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Private): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicUseProfileSettings": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Use profile settings",
          "description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicBehaviorForOutboundConnections": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Behavior for outbound connections",
          "description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicApplyLocalConnectionSecurityRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local connection security rules",
          "description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicApplyLocalFirewallRules": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Apply local firewall rules",
          "description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallPublicDisplayNotifications": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall (Public): Display notifications",
          "description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
        },
        "defaultValue": "1"
      },
      "WindowsFirewallDomainAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Domain: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPrivateAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Private: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
        },
        "defaultValue": "0"
      },
      "WindowsFirewallPublicAllowUnicastResponse": {
        "type": "String",
        "metadata": {
          "displayName": "Windows Firewall: Public: Allow unicast response",
          "description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
              "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_WindowsFirewallProperties",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('Windows Firewall: Domain: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallDomainUseProfileSettings'), ',', 'Windows Firewall: Domain: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallDomainBehaviorForOutboundConnections'), ',', 'Windows Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallDomainApplyLocalFirewallRules'), ',', 'Windows Firewall: Domain: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallDomainDisplayNotifications'), ',', 'Windows Firewall: Private: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPrivateUseProfileSettings'), ',', 'Windows Firewall: Private: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPrivateBehaviorForOutboundConnections'), ',', 'Windows Firewall: Private: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPrivateApplyLocalFirewallRules'), ',', 'Windows Firewall: Private: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPrivateDisplayNotifications'), ',', 'Windows Firewall: Public: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPublicUseProfileSettings'), ',', 'Windows Firewall: Public: Outbound connections;ExpectedValue', '=', parameters('WindowsFirewallPublicBehaviorForOutboundConnections'), ',', 'Windows Firewall: Public: Settings: Apply local connection security rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules'), ',', 'Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue', '=', parameters('WindowsFirewallPublicApplyLocalFirewallRules'), ',', 'Windows Firewall: Public: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPublicDisplayNotifications'), ',', 'Windows Firewall: Domain: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallDomainAllowUnicastResponse'), ',', 'Windows Firewall: Private: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPrivateAllowUnicastResponse'), ',', 'Windows Firewall: Public: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPublicAllowUnicastResponse')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "35d9882c-993d-44e6-87d2-db66ce21b636"
}