last sync: 2024-Jul-26 18:17:39 UTC

Microsoft Managed Control 1208 - Configuration Settings | Regulatory Compliance - Configuration Management

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1208 - Configuration Settings
Id 5ea87673-d06b-456f-a324-8abcee5c159f
Version 1.0.0
Category Regulatory Compliance
Description Microsoft implements this Configuration Management control
Additional metadata Name/Id: ACF1208 / Microsoft Managed Control 1208
Category: Configuration Management
Title: Configuration Settings - Setting Checklists
Ownership: Customer, Microsoft
Description: The organization: Establishes and documents configuration settings for information technology products employed within the information system using United States Government Configuration Baseline (USGCB) that reflect the most restrictive mode consistent with operational requirements.
Available USGCB content is not applicable to Azure infrastructure. Azure references several resources, such as industry recommendations, in developing and reviewing security baselines for the environment, including CIS, NSA, the Microsoft Solution Accelerators Security Compliance Manager reference library, and various configuration-related vulnerability library knowledge bases.
Requirements:

Servers and Privileged Access Workstations (PAWs)

Microsoft establishes custom configuration baselines and configuration settings for its server assets. To establish these configuration settings, Microsoft examines and ingests a variety of sources:
* Product architecture
* Security analysis and principles, such as least functionality, least privilege, authorization and access control, auditing, network security, and operating system hardening
* Microsoft Solution Accelerators Security Compliance Manager reference library
* Vulnerability library knowledge bases
* The United States Government Configuration Baseline (USGCB)
* National Institute of Standards and Technology (NIST) recommendations
* National Security Agency (NSA) recommendations
* Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
* Center for Internet Security (CIS) benchmarks

Microsoft works closely with CIS, DoD, NIST, and other regulators to establish the configuration settings and works with CIS as a participant during benchmark establishment. The configuration settings are primarily based on the CIS benchmarks and DISA STIGs, modified to address the unique operating environment of Azure. By evaluating and incorporating the best practices, guidance, and testing, Microsoft ensures a secure defense-in-depth deployment of technologies. The industry standards and input from baseline experts across Microsoft, along with the environment-specific considerations and some role-specific settings (e.g. domain controller, workgroup server, domain joined server), are used to establish the configuration settings.

The baseline for servers is published and made available to Microsoft personnel through the Azure DevOps source code repository, and a copy of the official baseline is published internally to the Liquid requirements catalog that is the authoritative source of requirements authored and maintained by CELA policy owners as well as other groups across Microsoft. The selected settings reflect the most restrictive, secure mode consistent with operational requirements. Microsoft ensures these settings can be scanned with traditional vulnerability scanners, enabling SCAP compliance on all applicable assets.

Network Devices

For network devices, Azure Networking defines the approved configuration baselines based on industry best practices and recommendations from the hardware manufacturers, taking into consideration any applicable criteria listed in the Azure details above. These configuration baselines are then established as Gold images from which all network devices are deployed and configured. Network devices are scanned by the vulnerability management tool, which meets SCAP requirements.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a