AzPolicyAdvertizer

last sync: 2021-Sep-22 19:36:51 UTC

Azure Policy definition

Windows machines should meet requirements for 'Security Options - User Account Control'

Name Windows machines should meet requirements for 'Security Options - User Account Control'
Azure Portal

Id 492a29ed-d143-4f03-b6a4-705ce081b463

Version 2.0.0
details on versioning

Category Guest Configuration
Microsoft docs

Description Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Mode Indexed

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Used RBAC Role none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2020-09-15 14:06:41	change	Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - User Account Control'
2020-08-20 14:05:01	add	492a29ed-d143-4f03-b6a4-705ce081b463

Used in Initiatives

Initiative DisplayName	Initiative Id	Initiative Category	State
[Preview]: CMMC Level 3	b5629c75-5c77-4422-87b9-2509e680f8de	Regulatory Compliance	Preview
[Preview]: Windows machines should meet requirements for the Azure compute security baseline	be7a78aa-3e10-4153-a5fd-8c6506dbc821	Guest Configuration	Preview
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA

JSON

{
  "displayName": "Windows machines should meet requirements for 'Security Options - User Account Control'",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
  "metadata": {
    "category": "Guest Configuration",
    "version": "2.0.0",
    "requiredProviders": [
      "Microsoft.GuestConfiguration"
    ],
    "guestConfiguration": {
      "name": "AzureBaseline_SecurityOptionsUserAccountControl",
      "version": "1.*",
      "configurationParameter": {
        "UACAdminApprovalModeForTheBuiltinAdministratorAccount": "User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue",
        "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue",
        "UACDetectApplicationInstallationsAndPromptForElevation": "User Account Control: Detect application installations and prompt for elevation;ExpectedValue",
        "UACRunAllAdministratorsInAdminApprovalMode": "User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue"
      }
    }
  },
  "parameters": {
    "IncludeArcMachines": {
      "type": "String",
      "metadata": {
        "displayName": "Include Arc connected servers",
        "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
      },
      "allowedValues": [
        "true",
        "false"
      ],
      "defaultValue": "false"
    },
    "UACAdminApprovalModeForTheBuiltinAdministratorAccount": {
      "type": "String",
      "metadata": {
        "displayName": "UAC: Admin Approval Mode for the Built-in Administrator account",
        "description": "Specifies the behavior of Admin Approval Mode for the built-in Administrator account."
      },
      "defaultValue": "1"
    },
    "UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode": {
      "type": "String",
      "metadata": {
        "displayName": "UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode",
        "description": "Specifies the behavior of the elevation prompt for administrators."
      },
      "defaultValue": "2"
    },
    "UACDetectApplicationInstallationsAndPromptForElevation": {
      "type": "String",
      "metadata": {
        "displayName": "UAC: Detect application installations and prompt for elevation",
        "description": "Specifies the behavior of application installation detection for the computer."
      },
      "defaultValue": "1"
    },
    "UACRunAllAdministratorsInAdminApprovalMode": {
      "type": "String",
      "metadata": {
        "displayName": "UAC: Run all administrators in Admin Approval Mode",
        "description": "Specifies the behavior of all User Account Control (UAC) policy settings for the computer."
      },
      "defaultValue": "1"
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of this policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Compute/imagePublisher",
                  "in": [
                    "esri",
                    "incredibuild",
                    "MicrosoftDynamicsAX",
                    "MicrosoftSharepoint",
                    "MicrosoftVisualStudio",
                    "MicrosoftWindowsDesktop",
                    "MicrosoftWindowsServerHPCPack"
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "MicrosoftWindowsServer"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "2008*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "MicrosoftSQLServer"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "notLike": "SQL2008*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-dsvm"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "dsvm-windows"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-ads"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "standard-data-science-vm",
                        "windows-data-science-vm"
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "batch"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "rendering-windows2016"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "center-for-internet-security-inc"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "cis-windows-server-201*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "pivotal"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "bosh-windows-server*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloud-infrastructure-services"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "ad*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                          "exists": "true"
                        },
                        {
                          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                          "like": "Windows*"
                        }
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "exists": "false"
                        },
                        {
                          "allOf": [
                            {
                              "field": "Microsoft.Compute/imageSKU",
                              "notLike": "2008*"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "notLike": "SQL2008*"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "allOf": [
            {
              "value": "[parameters('IncludeArcMachines')]",
              "equals": "true"
            },
            {
              "field": "type",
              "equals": "Microsoft.HybridCompute/machines"
            },
            {
              "field": "Microsoft.HybridCompute/imageOffer",
              "like": "windows*"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
        "name": "AzureBaseline_SecurityOptionsUserAccountControl",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
              "equals": "Compliant"
            },
            {
              "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('User Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue', '=', parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount'), ',', 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode;ExpectedValue', '=', parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'), ',', 'User Account Control: Detect application installations and prompt for elevation;ExpectedValue', '=', parameters('UACDetectApplicationInstallationsAndPromptForElevation'), ',', 'User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue', '=', parameters('UACRunAllAdministratorsInAdminApprovalMode')))]"
            }
          ]
        }
      }
    }
  }
}