last sync: 2025-Mar-23 22:31:17 UTC

Windows machines should meet requirements for 'Administrative Templates - Network'

Azure BuiltIn Policy definition

Source Azure Portal
Display name Windows machines should meet requirements for 'Administrative Templates - Network'
Id 67e010c1-640d-438e-a3a5-feaccb533a98
Version 3.0.0
Versioning Versions supported: 1 (3.0.0); Built-in Versioning [Preview]
Category Guest Configuration
Description Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.0.0'
Repository: Azure-Policy 67e010c1-640d-438e-a3a5-feaccb533a98
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases IF (7)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute virtualMachines properties.storageProfile.imageReference.offer True False
Microsoft.Compute/imageOffer Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.offer True False
Microsoft.Compute/imageOffer Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/imagePublisher Microsoft.Compute virtualMachines properties.storageProfile.imageReference.publisher True False
Microsoft.Compute/imagePublisher Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.publisher True False
Microsoft.Compute/imagePublisher Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/imageSKU Microsoft.Compute virtualMachines properties.storageProfile.imageReference.sku True False
Microsoft.Compute/imageSKU Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.sku True False
Microsoft.Compute/imageSKU Microsoft.Compute disks properties.creationData.imageReference.id True False
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration Microsoft.Compute virtualMachines properties.osProfile.windowsConfiguration True True
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType True True
Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType Microsoft.ConnectedVMwarevSphere virtualmachines properties.osProfile.osType True False
Microsoft.HybridCompute/imageOffer Microsoft.HybridCompute machines properties.osName True False
THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus Microsoft.GuestConfiguration guestConfigurationAssignments properties.complianceStatus True False
Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash Microsoft.GuestConfiguration guestConfigurationAssignments properties.parameterHash True False
Rule resource types IF (3)
Microsoft.Compute/virtualMachines
Microsoft.ConnectedVMwarevSphere/virtualMachines
Microsoft.HybridCompute/machines
Compliance
The following 23 compliance controls are associated with this Policy definition 'Windows machines should meet requirements for 'Administrative Templates - Network'' (67e010c1-640d-438e-a3a5-feaccb533a98)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 1.11 Azure_Security_Benchmark_v1.0_1.11 Azure Security Benchmark 1.11 Network Security Use automated tools to monitor network resource configurations and detect changes Customer Use Azure Policy to validate (and/or remediate) configuration for network resources. How to configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Azure Policy samples for networking: https://docs.microsoft.com/azure/governance/policy/samples/#network n/a link 7
Canada_Federal_PBMM_3-1-2020 CM_3 Canada_Federal_PBMM_3-1-2020_CM_3 Canada Federal PBMM 3-1-2020 CM 3 Configuration Change Control Configuration Change Control Shared 1. The organization determines the types of changes to the information system that are configuration-controlled. 2. The organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses. 3. The organization documents configuration change decisions associated with the information system. 4. The organization implements approved configuration-controlled changes to the information system. 5. The organization retains records of configuration-controlled changes to the information system for at least 90 days. 6. The organization audits and reviews activities associated with configuration-controlled changes to the information system. 7. The organization coordinates and provides oversight for configuration change control activities through a central communication process that includes organizational governance bodies that convenes at least annually. To ensure systematic control and oversight of configuration changes to the information system, mitigating risks and maintaining system integrity. 5
Canada_Federal_PBMM_3-1-2020 CM_6 Canada_Federal_PBMM_3-1-2020_CM_6 Canada Federal PBMM 3-1-2020 CM 6 Configuration Settings Configuration Settings Shared 1. The organization establishes and documents configuration settings for information technology products employed within the information system using checklists from one or more of the following: a. Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA) that reflect the most restrictive mode consistent with operational requirements. 2. The organization implements the configuration settings. 3. The organization identifies, documents, and approves any deviations from established configuration settings for any configurable information system components. 4. The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. To ensure systematic configuration management of information technology products. 5
Canada_Federal_PBMM_3-1-2020 CM_6(1) Canada_Federal_PBMM_3-1-2020_CM_6(1) Canada Federal PBMM 3-1-2020 CM 6(1) Configuration Settings Configuration Settings | Automated Central Management / Application / Verification Shared The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for organization-defined information system components. To enhance efficiency, consistency, and security in configuration management processes. 5
Canada_Federal_PBMM_3-1-2020 CM_6(2) Canada_Federal_PBMM_3-1-2020_CM_6(2) Canada Federal PBMM 3-1-2020 CM 6(2) Configuration Settings Configuration Settings | Respond to Unauthorized Changes Shared The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings. To ensure prompt detection, mitigation, and resolution of potential security risks. 5
Canada_Federal_PBMM_3-1-2020 CM_7 Canada_Federal_PBMM_3-1-2020_CM_7 Canada Federal PBMM 3-1-2020 CM 7 Least Functionality Least Functionality Shared 1. The organization configures the information system to provide only essential capabilities. 2. The organization prohibits or restricts the use of identified functions, ports, protocols, and/or services following one or more standards from Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), or Defense Information Systems Agency (DISA). To minimise the attack surface of the information system. 5
Canada_Federal_PBMM_3-1-2020 CM_7(1) Canada_Federal_PBMM_3-1-2020_CM_7(1) Canada Federal PBMM 3-1-2020 CM 7(1) Least Functionality Least Functionality | Periodic Review Shared 1. The organization reviews the information system at least annually to identify unnecessary and/or non-secure functions, ports, protocols, and services; and 2. The organization disables all functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. To strengthen overall cybersecurity posture. 5
Canada_Federal_PBMM_3-1-2020 CM_9 Canada_Federal_PBMM_3-1-2020_CM_9 Canada Federal PBMM 3-1-2020 CM 9 Configuration Management Plan Configuration Management Plan Shared 1. The organization develops, documents, and implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. 2. The organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items. 3. The organization develops, documents, and implements a configuration management plan for the information system that defines the configuration items for the information system and places the configuration items under configuration management; and 4. The organization develops, documents, and implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification. To protect configuration items throughout their lifecycle while safeguarding the integrity of the configuration management plan. 5
Canada_Federal_PBMM_3-1-2020 SA_10 Canada_Federal_PBMM_3-1-2020_SA_10 Canada Federal PBMM 3-1-2020 SA 10 Developer Configuration Management Developer Configuration Management Shared 1. The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service development, implementation, and operation. 2. The organization requires the developer of the information system, system component, or information system service to document, manage, and control the integrity of changes to all items under configuration management; 3. The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service; 4. The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service and the potential security impacts of such changes; and 5. The organization requires the developer of the information system, system component, or information system service to track security flaws and flaw resolution within the system, component, or service and report findings to the Chief Information Officer or delegate. To ensure systematic management of system integrity and security throughout the development lifecycle. 5
Canada_Federal_PBMM_3-1-2020 SA_4(9) Canada_Federal_PBMM_3-1-2020_SA_4(9) Canada Federal PBMM 3-1-2020 SA 4(9) Acquisition Process Acquisition Process | Functions / Ports / Protocols / Services in Use Shared The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. To facilitate early identification and assessment of potential security risks. 5
Canada_Federal_PBMM_3-1-2020 SA_9(2) Canada_Federal_PBMM_3-1-2020_SA_9(2) Canada Federal PBMM 3-1-2020 SA 9(2) External Information System Services External Information System Services | Identification of Functions / Ports / Protocols / Services Shared The organization requires providers of all external information systems and services to identify the functions, ports, protocols, and other services required for the use of such services. To manage security risks and ensure the secure and efficient operation of external systems and services. 5
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 96
FFIEC_CAT_2017 3.1.1 FFIEC_CAT_2017_3.1.1 FFIEC CAT 2017 3.1.1 Cybersecurity Controls Infrastructure Management Shared n/a - Network perimeter defense tools (e.g., border router and firewall) are used. - Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. - All ports are monitored. - Up to date antivirus and anti-malware tools are used. - Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. - Ports, functions, protocols and services are prohibited if no longer needed for business purposes. - Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. - Programs that can override system, object, network, virtual machine, and application controls are restricted. - System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. - Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) 72
HITRUST_CSF_v11.3 01.l HITRUST_CSF_v11.3_01.l HITRUST CSF v11.3 01.l Network Access Control To prevent unauthorized access to networked services. Shared Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, to be disabled or removed. Physical and logical access to diagnostic and configuration ports shall be controlled. 26
NIST_SP_800-171_R3_3.4.6 NIST_SP_800-171_R3_3.4.6 404 not found n/a n/a 24
NIST_SP_800-53_R5.1.1 CM.7.1 NIST_SP_800-53_R5.1.1_CM.7.1 NIST SP 800-53 R5.1.1 CM.7.1 Configuration Management Control Least Functionality | Periodic Review Shared (a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking. 5
NZISM_v3.7 22.3.11.C.01. NZISM_v3.7_22.3.11.C.01. NZISM v3.7 22.3.11.C.01. Virtual Local Area Networks 22.3.11.C.01. - To ensure data security and integrity. Shared n/a Unused ports on the switches MUST be disabled. 18
NZISM_v3.7 22.3.11.C.02. NZISM_v3.7_22.3.11.C.02. NZISM v3.7 22.3.11.C.02. Virtual Local Area Networks 22.3.11.C.02. - To ensure data security and integrity. Shared n/a Unused ports on the switches SHOULD be disabled. 18
PCI_DSS_v4.0.1 2.2.4 PCI_DSS_v4.0.1_2.2.4 PCI DSS v4.0.1 2.2.4 Apply Secure Configurations to All System Components Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled Shared n/a Examine system configuration standards to verify necessary services, protocols, daemons, and functions are identified and documented. Examine system configurations to verify the following: All unnecessary functionality is removed or disabled. Only required functionality, as documented in the configuration standards, is enabled 25
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 213
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Preview]: Windows machines should meet requirements for the Azure compute security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821 Guest Configuration Preview BuiltIn true
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) Change type Change detail
2022-01-28 17:51:01 change Major (2.0.0 > 3.0.0)
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Network'
2020-08-20 14:05:01 add 67e010c1-640d-438e-a3a5-feaccb533a98