AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

[Preview]: Host and VM networking should be protected on Azure Stack HCI systems

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

[Preview]: Host and VM networking should be protected on Azure Stack HCI systems

36f0d6bc-a253-4df8-b25b-c3a5023ff443

Version

1.0.0-preview
Details on versioning

Versioning

Versions supported for Versioning: 1
1.0.0-preview
Built-in Versioning [Preview]

Category

Stack HCI
Microsoft Learn

Description

Protect data on the Azure Stack HCI hosts network and on virtual machine network connections.

Cloud environments

AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown

Available in AzUSGov

Unknown, no evidence if Policy definition is/not available in AzureUSGovernment

Assessment(s)

Assessments count: 1
Assessment Id: 1e001767-5bd6-423f-9640-f61efa3d77c6
DisplayName: Host and VM networking should be protected on Azure Local instances
Description: Protect data on the Azure Local machines network and on virtual machine network connections.
Remediation description: To enable signing for external SMB traffic:
1. From the Azure Local instance page, go to Windows Admin Center and select Connect.
2. Go to the Security extension and select Azure Local system security.
3. Select Signing for external SMB traffic and click Enable.
Categories: Networking
Severity: Low
User impact: Low
Threats: DataExfiltration
preview: True

Mode

Indexed

Type

BuiltIn

Preview

True

Deprecated

False

Effect

Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists

RBAC role(s)

none

Rule aliases

IF (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.AzureStackHCI/clusters/reportedProperties.clusterVersion	Microsoft.AzureStackHCI	clusters	properties.reportedProperties.clusterVersion	True		False

THEN-ExistenceCondition (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.AzureStackHCI/clusters/securitySettings/securityComplianceStatus.dataInTransitProtected	Microsoft.AzureStackHCI	clusters/securitySettings	properties.securityComplianceStatus.dataInTransitProtected	True		False

Rule resource types

IF (1)

Microsoft.AzureStackHCI/clusters

Compliance

The following 2 compliance controls are associated with this Policy definition '[Preview]: Host and VM networking should be protected on Azure Stack HCI systems' (36f0d6bc-a253-4df8-b25b-c3a5023ff443)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
Azure_Security_Benchmark_v3.0	DP-3	Azure_Security_Benchmark_v3.0_DP-3	Microsoft cloud security benchmark DP-3	Data Protection	Encrypt sensitive data in transit	Shared	Security Principle: Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. Azure Guidance: Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default. Implementation and additional context: Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account	n/a	link	15
	U.10.5 - Competent	U.10.5 - Competent	404 not found				n/a	n/a		33

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type	polSet in AzUSGov
Microsoft cloud security benchmark	1f3afdf9-d0c9-4c3d-847f-89da613e70a8	Security Center	GA	BuiltIn	true
NL BIO Cloud Theme V2	d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee	Regulatory Compliance	GA	BuiltIn	unknown

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2024-03-01 17:50:27	add	36f0d6bc-a253-4df8-b25b-c3a5023ff443

JSON compare

n/a

JSON

api-version=2021-06-01
EPAC