last sync: 2024-Oct-04 17:51:30 UTC

[Preview]: Host and VM networking should be protected on Azure Stack HCI systems

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: [Preview]: Host and VM networking should be protected on Azure Stack HCI systems
Id: 36f0d6bc-a253-4df8-b25b-c3a5023ff443
Version: 1.0.0-preview
Versioning: Versions supported for Versioning: 1 (1.0.0-preview); Built-in Versioning [Preview]
Category: Stack HCI
Description: Protect data on the Azure Stack HCI hosts network and on virtual machine network connections.
Mode: Indexed
Type: BuiltIn
Preview: True
Deprecated: False
Effect (default): AuditIfNotExists
Effect (allowed): Audit, Disabled, AuditIfNotExists
RBAC role(s): none

Rule aliases

IF (1)
Alias: Microsoft.AzureStackHCI/clusters/reportedProperties.clusterVersion
Namespace: Microsoft.AzureStackHCI
ResourceType: clusters
Path: properties.reportedProperties.clusterVersion
PathIsDefault: True
DefaultPath:
Modifiable: False

THEN-ExistenceCondition (1)
Alias: Microsoft.AzureStackHCI/clusters/securitySettings/securityComplianceStatus.dataInTransitProtected
Namespace: Microsoft.AzureStackHCI
ResourceType: clusters/securitySettings
Path: properties.securityComplianceStatus.dataInTransitProtected
PathIsDefault: True
DefaultPath:
Modifiable: False

Rule resource types

IF (1)
Microsoft.AzureStackHCI/clusters

Compliance
The following 1 compliance control is associated with this Policy definition '[Preview]: Host and VM networking should be protected on Azure Stack HCI systems' (36f0d6bc-a253-4df8-b25b-c3a5023ff443)
Control Domain: Azure_Security_Benchmark_v3.0
Control: DP-3
Name: Azure_Security_Benchmark_v3.0_DP-3
MetadataId: Microsoft cloud security benchmark DP-3
Category: Data Protection
Title: Encrypt sensitive data in transit
Owner: Shared
Requirements:

**Security Principle:** Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks.

**Azure Guidance:** Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default.

**Implementation and additional context:**
Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit
Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem
Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account

Description: n/a
Info: link
Policy#: 15

Initiatives usage
Initiative DisplayName: Microsoft cloud security benchmark
Initiative Id: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Initiative Category: Security Center
State: GA
Type: BuiltIn

History
Date/Time (UTC ymd): 2024-03-01 17:50:27
Change type: add
Change detail: 36f0d6bc-a253-4df8-b25b-c3a5023ff443

JSON compare: n/a
JSON
api-version=2021-06-01