last sync: 2024-Jul-16 18:17:33 UTC

Provide secure name and address resolution services | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Provide secure name and address resolution services
Id bbb2e6d6-085f-5a35-a55d-e45daad38933
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0416 - Provide secure name and address resolution services
Additional metadata Name/Id: CMA_0416 / CMA_0416
Category: Operational
Title: Provide secure name and address resolution services
Ownership: Customer
Description: Microsoft recommends that your organization provide secure name and address resolution services using data origin authentication and integrity verification artifacts upon receiving internal/external name or address resolution queries. It is also recommended to implement means to determine the security status of child zones in cases in which the child supports secure resolution services. This will enable your organization to verify a chain of trust among parent and child domains and validate the authenticity of the information provided by the authority. This can help protect your organization from attacks such as man-in-the-middle attacks, Domain Name System (DNS) spoofing, DNS hijacking, DNS tunneling and redirecting a website's inbound traffic to a fake copy of the site, collecting sensitive user information and exposing businesses to major liability. It is recommended that your organization implement multifactor authentication for authoritative Domain Name Systems and registrar login, enable DNSSEC (Domain Name System Security Extensions) and zone signing, and monitor authoritative DNS activity logs to quickly spot issues.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 30 compliance controls are associated with this Policy definition 'Provide secure name and address resolution services' (bbb2e6d6-085f-5a35-a55d-e45daad38933)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SC-20 FedRAMP_High_R4_SC-20 FedRAMP High SC-20 System And Communications Protection Secure Name / Address Resolution Service (Authoritative Source) Shared n/a The information system: a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. Supplemental Guidance: This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. References: OMB Memorandum 08-23; NIST Special Publication 800-81. link 2
FedRAMP_Moderate_R4 SC-20 FedRAMP_Moderate_R4_SC-20 FedRAMP Moderate SC-20 System And Communications Protection Secure Name / Address Resolution Service (Authoritative Source) Shared n/a The information system: a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. Supplemental Guidance: This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. References: OMB Memorandum 08-23; NIST Special Publication 800-81. link 2
hipaa 0871.09m3Organizational.22-09.m hipaa-0871.09m3Organizational.22-09.m 0871.09m3Organizational.22-09.m 08 Network Protection 0871.09m3Organizational.22-09.m 09.06 Network Security Management Shared n/a Authoritative DNS servers are segregated into internal and external roles. 4
hipaa 0926.09v1Organizational.2-09.v hipaa-0926.09v1Organizational.2-09.v 0926.09v1Organizational.2-09.v 09 Transmission Protection 0926.09v1Organizational.2-09.v 09.08 Exchange of Information Shared n/a Approvals are obtained prior to using external public services, including instant messaging or file sharing. 5
hipaa 0929.09v1Organizational.6-09.v hipaa-0929.09v1Organizational.6-09.v 0929.09v1Organizational.6-09.v 09 Transmission Protection 0929.09v1Organizational.6-09.v 09.08 Exchange of Information Shared n/a The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat). 9
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.1.3 ISO27001-2013_A.13.1.3 ISO 27001:2013 A.13.1.3 Communications Security Segregation of networks Shared n/a Groups of information services, users, and information systems shall be segregated on networks. link 17
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.13.2.3 ISO27001-2013_A.13.2.3 ISO 27001:2013 A.13.2.3 Communications Security Electronic messaging Shared n/a Information involved in electronic messaging shall be appropriately protected. link 10
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-53_R4 SC-20 NIST_SP_800-53_R4_SC-20 NIST SP 800-53 Rev. 4 SC-20 System And Communications Protection Secure Name /Address Resolution Service (Authoritative Source) Shared n/a The information system: a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. Supplemental Guidance: This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. References: OMB Memorandum 08-23; NIST Special Publication 800-81. link 2
NIST_SP_800-53_R5 SC-20 NIST_SP_800-53_R5_SC-20 NIST SP 800-53 Rev. 5 SC-20 System and Communications Protection Secure Name/address Resolution Service (authoritative Source) Shared n/a a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. link 2
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 127
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add bbb2e6d6-085f-5a35-a55d-e45daad38933
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC