AzPolicyAdvertizer

last sync: 2021-Sep-22 19:36:51 UTC

Azure Policy definition

Audit Windows machines that have the specified members in the Administrators group

Name Audit Windows machines that have the specified members in the Administrators group
Azure Portal

Id 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f

Version 1.0.0
details on versioning

Category Guest Configuration
Microsoft docs

Description Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.

Mode Indexed

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Fixed: auditIfNotExists

Used RBAC Role none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2020-09-09 11:24:03	add	69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f

Used in Initiatives

Initiative DisplayName	Initiative Id	Initiative Category	State
[Deprecated]: Azure Security Benchmark v1	42a694ed-f65e-42b2-aa9e-8052e9740a92	Regulatory Compliance	Deprecated
[Deprecated]: DoD Impact Level 4	8d792a84-723c-4d92-a3c3-e4ed16a2d133	Regulatory Compliance	Deprecated
[Preview]: Australian Government ISM PROTECTED	27272c0b-c225-4cc3-b8b0-f2534b093077	Regulatory Compliance	Preview
[Preview]: CMMC Level 3	b5629c75-5c77-4422-87b9-2509e680f8de	Regulatory Compliance	Preview
[Preview]: NIST SP 800-171 R2	03055927-78bd-4236-86c0-f36125a10dc9	Regulatory Compliance	Preview
Canada Federal PBMM	4c4a5f27-de81-430b-b4e5-9cbd50595a87	Regulatory Compliance	GA
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA
IRS1075 September 2016	105e0327-6175-4eb2-9af4-1fba43bdb39d	Regulatory Compliance	GA
New Zealand ISM Restricted	d1a462af-7e6d-4901-98ac-61570b4ed22a	Regulatory Compliance	GA

JSON

{
  "displayName": "Audit Windows machines that have the specified members in the Administrators group",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.",
  "metadata": {
    "category": "Guest Configuration",
    "version": "1.0.0",
    "requiredProviders": [
      "Microsoft.GuestConfiguration"
    ],
    "guestConfiguration": {
      "name": "AdministratorsGroupMembersToExclude",
      "version": "1.*",
      "configurationParameter": {
        "MembersToExclude": "[LocalGroup]AdministratorsGroup;MembersToExclude"
      }
    }
  },
  "parameters": {
    "IncludeArcMachines": {
      "type": "String",
      "metadata": {
        "displayName": "Include Arc connected servers",
        "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
      },
      "allowedValues": [
        "true",
        "false"
      ],
      "defaultValue": "false"
    },
    "MembersToExclude": {
      "type": "String",
      "metadata": {
        "displayName": "Members to exclude",
        "description": "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
      }
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Compute/imagePublisher",
                  "in": [
                    "esri",
                    "incredibuild",
                    "MicrosoftDynamicsAX",
                    "MicrosoftSharepoint",
                    "MicrosoftVisualStudio",
                    "MicrosoftWindowsDesktop",
                    "MicrosoftWindowsServerHPCPack"
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "MicrosoftWindowsServer"
                    },
                    {
                      "field": "Microsoft.Compute/imageSKU",
                      "notLike": "2008*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "MicrosoftSQLServer"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "notLike": "SQL2008*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-dsvm"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "dsvm-windows"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "microsoft-ads"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "in": [
                        "standard-data-science-vm",
                        "windows-data-science-vm"
                      ]
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "batch"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "equals": "rendering-windows2016"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "center-for-internet-security-inc"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "cis-windows-server-201*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "pivotal"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "bosh-windows-server*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.Compute/imagePublisher",
                      "equals": "cloud-infrastructure-services"
                    },
                    {
                      "field": "Microsoft.Compute/imageOffer",
                      "like": "ad*"
                    }
                  ]
                },
                {
                  "allOf": [
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                          "exists": "true"
                        },
                        {
                          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                          "like": "Windows*"
                        }
                      ]
                    },
                    {
                      "anyOf": [
                        {
                          "field": "Microsoft.Compute/imageSKU",
                          "exists": "false"
                        },
                        {
                          "allOf": [
                            {
                              "field": "Microsoft.Compute/imageSKU",
                              "notLike": "2008*"
                            },
                            {
                              "field": "Microsoft.Compute/imageOffer",
                              "notLike": "SQL2008*"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "allOf": [
            {
              "value": "[parameters('IncludeArcMachines')]",
              "equals": "true"
            },
            {
              "field": "type",
              "equals": "Microsoft.HybridCompute/machines"
            },
            {
              "field": "Microsoft.HybridCompute/imageOffer",
              "like": "windows*"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
        "name": "AdministratorsGroupMembersToExclude",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
              "equals": "Compliant"
            },
            {
              "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('[LocalGroup]AdministratorsGroup;MembersToExclude', '=', parameters('MembersToExclude')))]"
            }
          ]
        }
      }
    }
  }
}