last sync: 2024-May-24 18:03:04 UTC

Microsoft Managed Control 1208 - Configuration Settings | Regulatory Compliance - Configuration Management

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1208 - Configuration Settings
Id 5ea87673-d06b-456f-a324-8abcee5c159f
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Configuration Management control
Additional metadata Name/Id: ACF1208 / Microsoft Managed Control 1208
Category: Configuration Management
Title: Configuration Settings - Setting Checklists
Ownership: Customer, Microsoft
Description: The organization: Establishes and documents configuration settings for information technology products employed within the information system using United States Government Configuration Baseline (USGCB) that reflect the most restrictive mode consistent with operational requirements; Available USGCB Content is not applicable to Azure Infrastructure.  Azure references several resources such as industry recommendations in developing and reviewing security baselines for the environment including CIS, NSA, Microsoft Solution Accelerators Security Compliance Manager reference library, and various vulnerability library knowledge bases that are configuration related.
Requirements: Servers and Privileged Access Workstations (PAWs)Microsoft establishes custom configuration baselines and configuration settings for its server assets. To establish these configuration settings, Microsoft examines and ingests a variety of sources: * Product architecture * Security analysis and principles, such as least functionality, least privilege, authorization and access control, auditing, network security, and operating system hardening * Microsoft Solution Accelerators Security Compliance Manager reference library * Vulnerability library knowledge bases * The United States Government Configuration Baseline USGCB * National Institute of Standards and Technology (NIST) recommendations * National Security Agency (NSA) recommendations * Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) * Center for Internet Security (CIS) benchmarks Microsoft works closely with CIS, DoD, NIST, and other regulators to establish the configuration settings and works with CIS as a participant during benchmark establishment. The configuration settings are primarily based on the CIS benchmarks and DISA STIGs, modified to address the unique operating environment of Azure. By evaluating and incorporating the best practices, guidance, and testing, Microsoft ensures a secure defense-in-depth deployment of technologies. The industry standards and input from baseline experts across Microsoft along with the environment-specific considerations and some role-specific settings (e.g. domain controller, workgroup server, domain joined server) are used to establish the configuration settings. The baseline for servers is published and made available to Microsoft personnel through the Azure DevOps source code repository, and a copy of the official baseline is published internally to the Liquid requirements catalog that is the authoritative source of requirements authored and maintained by CELA policy owners as well as other groups across Microsoft. The selected settings reflect the most restrictive, secure mode consistent with operational requirements. Microsoft ensures these settings can be scanned with traditional vulnerability scanners, enabling SCAP compliance on all applicable assets. Network Devices For network devices, Azure Networking defines the approved configuration baselines based on industry best practices and recommendations from the hardware manufacturers, taking into consideration any applicable criteria listed in the Azure details above. These configuration baselines are then established as Gold images from which all network devices are deployed and configured. Network devices are scanned by the vulnerability management tool, which meets SCAP requirements.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a