last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Identify and authenticate network devices

Name Identify and authenticate network devices
Azure Portal
Id ae5345d5-8dab-086a-7290-db43a3272198
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0296 - Identify and authenticate network devices
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 42 compliance controls are associated with this Policy definition 'Identify and authenticate network devices' (ae5345d5-8dab-086a-7290-db43a3272198)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 1.22 CIS_Azure_1.1.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.1.0 1.4 CIS_Azure_1.1.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
CIS_Azure_1.3.0 1.20 CIS_Azure_1.3.0_1.20 CIS Microsoft Azure Foundations Benchmark recommendation 1.20 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.3.0 1.22 CIS_Azure_1.3.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.3.0 1.4 CIS_Azure_1.3.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
CIS_Azure_1.4.0 1.19 CIS_Azure_1.4.0_1.19 CIS Microsoft Azure Foundations Benchmark recommendation 1.19 1 Identity and Access Management Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining or registering devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.4.0 1.21 CIS_Azure_1.4.0_1.21 CIS Microsoft Azure Foundations Benchmark recommendation 1.21 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.4.0 1.4 CIS_Azure_1.4.0_1.4 CIS Microsoft Azure Foundations Benchmark recommendation 1.4 1 Identity and Access Management Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled Shared The customer is responsible for implementing this recommendation. Do not allow users to remember multi-factor authentication on devices. link 3
FedRAMP_High_R4 AC-18(1) FedRAMP_High_R4_AC-18(1) FedRAMP High AC-18 (1) Access Control Authentication And Encryption Shared n/a The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. Supplemental Guidance: Related controls: SC-8, SC-13. link 3
FedRAMP_High_R4 IA-2(11) FedRAMP_High_R4_IA-2(11) FedRAMP High IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
FedRAMP_Moderate_R4 AC-18(1) FedRAMP_Moderate_R4_AC-18(1) FedRAMP Moderate AC-18 (1) Access Control Authentication And Encryption Shared n/a The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. Supplemental Guidance: Related controls: SC-8, SC-13. link 3
FedRAMP_Moderate_R4 IA-2(11) FedRAMP_Moderate_R4_IA-2(11) FedRAMP Moderate IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
hipaa 0504.09m2Organizational.5-09.m hipaa-0504.09m2Organizational.5-09.m 0504.09m2Organizational.5-09.m 05 Wireless Security 0504.09m2Organizational.5-09.m 09.06 Network Security Management Shared n/a Firewalls are configured to deny or control any traffic from a wireless environment into the covered data environment. 4
hipaa 0858.09m1Organizational.4-09.m hipaa-0858.09m1Organizational.4-09.m 0858.09m1Organizational.4-09.m 08 Network Protection 0858.09m1Organizational.4-09.m 09.06 Network Security Management Shared n/a The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. 7
hipaa 0861.09m2Organizational.67-09.m hipaa-0861.09m2Organizational.67-09.m 0861.09m2Organizational.67-09.m 08 Network Protection 0861.09m2Organizational.67-09.m 09.06 Network Security Management Shared n/a To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution, or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. 7
hipaa 0916.09s2Organizational.4-09.s hipaa-0916.09s2Organizational.4-09.s 0916.09s2Organizational.4-09.s 09 Transmission Protection 0916.09s2Organizational.4-09.s 09.08 Exchange of Information Shared n/a The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices. 7
hipaa 0927.09v1Organizational.3-09.v hipaa-0927.09v1Organizational.3-09.v 0927.09v1Organizational.3-09.v 09 Transmission Protection 0927.09v1Organizational.3-09.v 09.08 Exchange of Information Shared n/a Stronger levels of authentication are implemented to control access from publicly accessible networks. 4
hipaa 1022.01d1System.15-01.d hipaa-1022.01d1System.15-01.d 1022.01d1System.15-01.d 10 Password Management 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems Shared n/a Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. 8
hipaa 11190.01t1Organizational.3-01.t hipaa-11190.01t1Organizational.3-01.t 11190.01t1Organizational.3-01.t 11 Access Control 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control Shared n/a Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls. 5
hipaa 1121.01j3Organizational.2-01.j hipaa-1121.01j3Organizational.2-01.j 1121.01j3Organizational.2-01.j 11 Access Control 1121.01j3Organizational.2-01.j 01.04 Network Access Control Shared n/a Remote administration sessions are authorized, encrypted, and employ increased security measures. 11
hipaa 1175.01j1Organizational.8-01.j hipaa-1175.01j1Organizational.8-01.j 1175.01j1Organizational.8-01.j 11 Access Control 1175.01j1Organizational.8-01.j 01.04 Network Access Control Shared n/a Remote access to business information across public networks only takes place after successful identification and authentication. 5
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.6.2.1 ISO27001-2013_A.6.2.1 ISO 27001:2013 A.6.2.1 Organization of Information Security Mobile device policy Shared n/a A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. link 13
ISO27001-2013 A.6.2.2 ISO27001-2013_A.6.2.2 ISO 27001:2013 A.6.2.2 Organization of Information Security Teleworking Shared n/a A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. link 16
NIST_SP_800-171_R2_3 .1.17 NIST_SP_800-171_R2_3.1.17 NIST SP 800-171 R2 3.1.17 Access Control Protect wireless access using authentication and encryption Shared Microsoft is responsible for implementing this requirement. Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems. See [NIST CRYPTO]. link 3
NIST_SP_800-171_R2_3 .5.3 NIST_SP_800-171_R2_3.5.3 NIST SP 800-171 R2 3.5.3 Identification and Authentication Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts Shared Microsoft and the customer share responsibilities for implementing this requirement. Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. [SP 800-63-3] provides guidance on digital identities. Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials. Local access is any access to a system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). link 5
NIST_SP_800-53_R4 AC-18(1) NIST_SP_800-53_R4_AC-18(1) NIST SP 800-53 Rev. 4 AC-18 (1) Access Control Authentication And Encryption Shared n/a The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. Supplemental Guidance: Related controls: SC-8, SC-13. link 3
NIST_SP_800-53_R4 IA-2(11) NIST_SP_800-53_R4_IA-2(11) NIST SP 800-53 Rev. 4 IA-2 (11) Identification And Authentication Remote Access - Separate Device Shared n/a The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. link 2
NIST_SP_800-53_R5 AC-18(1) NIST_SP_800-53_R5_AC-18(1) NIST SP 800-53 Rev. 5 AC-18 (1) Access Control Authentication and Encryption Shared n/a Protect wireless access to the system using authentication of [Selection (OneOrMore): users;devices] and encryption. link 3
PCI_DSS_v4.0 2.3.1 PCI_DSS_v4.0_2.3.1 PCI DSS v4.0 2.3.1 Requirement 02: Apply Secure Configurations to All System Components Wireless environments are configured and managed securely Shared n/a For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: • Default wireless encryption keys. • Passwords or wireless access points. • SNMP defaults. • Any other security-related wireless vendor defaults. link 3
PCI_DSS_v4.0 2.3.2 PCI_DSS_v4.0_2.3.2 PCI DSS v4.0 2.3.2 Requirement 02: Apply Secure Configurations to All System Components Wireless environments are configured and managed securely Shared n/a For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed as follows: • Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary. • Whenever a key is suspected of or known to be compromised. link 3
PCI_DSS_v4.0 4.2.1.2 PCI_DSS_v4.0_4.2.1.2 PCI DSS v4.0 4.2.1.2 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. link 3
PCI_DSS_v4.0 8.2.3 PCI_DSS_v4.0_8.2.3 PCI DSS v4.0 8.2.3 Requirement 08: Identify Users and Authenticate Access to System Components User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle Shared n/a Service providers with remote access to customer premises use unique authentication factors for each customer premises. link 3
PCI_DSS_v4.0 8.3.1 PCI_DSS_v4.0_8.3.1 PCI DSS v4.0 8.3.1 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a All user access to system components for users and administrators is authenticated via at least one of the following authentication factors: • Something you know, such as a password or passphrase. • Something you have, such as a token device or smart card. • Something you are, such as a biometric element. link 4
PCI_DSS_v4.0 8.3.11 PCI_DSS_v4.0_8.3.11 PCI DSS v4.0 8.3.11 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used: • Factors are assigned to an individual user and not shared among multiple users. • Physical and/or logical controls ensure only the intended user can use that factor to gain access. link 6
PCI_DSS_v4.0 8.4.2 PCI_DSS_v4.0_8.4.2 PCI DSS v4.0 8.4.2 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all access into the CDE. link 8
PCI_DSS_v4.0 8.4.3 PCI_DSS_v4.0_8.4.3 PCI DSS v4.0 8.4.3 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE as follows: • All remote access by all personnel, both users and administrators, originating from outside the entity’s network. • All remote access by third parties and vendors. link 8
PCI_DSS_v4.0 8.5.1 PCI_DSS_v4.0_8.5.1 PCI DSS v4.0 8.5.1 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) systems are configured to prevent misuse Shared n/a MFA systems are implemented as follows: • The MFA system is not susceptible to replay attacks. • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. • At least two different types of authentication factors are used. • Success of all authentication factors is required before access is granted. link 8
SOC_2 CC6.6 SOC_2_CC6.6 SOC 2 Type 2 CC6.6 Logical and Physical Access Controls Security measures against threats outside system boundaries Shared The customer is responsible for implementing this recommendation. • Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts 41
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
SWIFT_CSCF_v2022 4.2 SWIFT_CSCF_v2022_4.2 SWIFT CSCF v2022 4.2 4. Prevent Compromise of Credentials Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications by implementing multi-factor authentication. Shared n/a Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts. link 5
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add ae5345d5-8dab-086a-7290-db43a3272198
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON