last sync: 2024-Apr-24 17:46:58 UTC

Microsoft Managed Control 1059 - Remote Access | Regulatory Compliance - Access Control

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1059 - Remote Access
Id a29b5d9f-4953-4afe-b560-203a6410b6b4
Version 1.0.0
Category Regulatory Compliance
Description Microsoft implements this Access Control control
Additional metadata Name/Id: ACF1059 / Microsoft Managed Control 1059
Category: Access Control
Title: Remote Access - Usage, Requirements, And Implementation Guidance
Ownership: Customer, Microsoft
Description: The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
Requirements: There are several authentication steps to be able to access Azure resources remotely. Authorized Microsoft personnel utilize Microsoft-issued Secure Admin Workstations (SAWs) and connect remotely to Azure from the Corporate Network (CorpNet). Microsoft internal user connections originate in CorpNet, passing via the CorpNet Firewall through Azure-managed load balancers. Users are identified by a unique AD identifier and password on CorpNet via multifactor authentication. If a user is not at a physical Microsoft location, remote access to CorpNet also requires corporate MSFTVPN connectivity using Microsoft-issued smart card certificates and PIN-based authentication. Once authenticated through CorpNet, Microsoft personnel access the Azure environment in one of two ways – via the VPN or via the Jumpbox, Debug Server, and Network Hop Box infrastructure. This VPN provides direct access via RDP and SSH to the assets. Alternatively, personnel can log into Jumpboxes and Debug servers for server access and Network Hop Boxes for network device access. Once through the VPN, Jumpbox, Debug server, or Network Hop Box, the user can access Azure assets.

Jumpboxes and Debug Servers
Jumpboxes are servers in Azure datacenters that provide remote access paths into the Azure production environment. Azure users log into these Jumpboxes to perform routine maintenance, emergency repairs, diagnosis, and administration of the Azure production environment. Access to the Jumpboxes via RDP is restricted to CorpNet and requires multifactor authentication using the user's AD credential and a smart card. Access to Jumpboxes is restricted to designated OneIdentity security groups. Similar to Jumpboxes, Debug servers are non-domain-joined servers located entirely within the Azure production environment. Users connect to Debug servers via RDP using specific, CorpNet-exposed endpoints before accessing Azure assets. Access to Debug servers is similarly restricted to designated OneIdentity security groups.

Network Hop Boxes
Network Hop Boxes are the network device equivalent of the server Jumpboxes for Azure network devices.

VPN
The following methods are utilized via SSL VPN to access Azure production assets:
* Public Key Infrastructure (PKI) to enable secure communication between the certificate server and the target asset by utilizing CRL validation
* Leveraging Azure Active Directory (AAD) through utilization of multifactor authentication via smart card from the identity server to the target asset
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a