AzPolicyAdvertizer

last sync: 2025-Jul-03 17:22:55 UTC

Windows Defender Exploit Guard should be enabled on your machines

Azure BuiltIn Policy definition

Source Azure Portal
Display name Windows Defender Exploit Guard should be enabled on your machines
Id bed48b13-6647-468e-aa2f-1af1d3f4dd40
Version 2.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.0
Built-in Versioning [Preview]
Category Guest Configuration
Microsoft Learn
Description Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.1.1'
Repository: Azure-Policy bed48b13-6647-468e-aa2f-1af1d3f4dd40
Assessment(s) Assessments count: 1
Assessment Id: 22489c48-27d1-4e40-9420-4303ad9cffef
DisplayName: Windows Defender Exploit Guard should be enabled on machines
Description: Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
Remediation description: 1. Enable controlled folder access.
2. Configure the following attack surface reduction rules: 'Block executable content from email client and webmail', 'Block untrusted and unsigned processes that run from USB', 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', ' Block all Office applications from creating child processes', 'Block JavaScript or VBScript from launching downloaded executable content', 'Block execution of potentially obfuscated scripts ', 'Block Office applications from creating executable content', 'Block Office communication application from creating child processes', 'Block Win32 API calls from Office macros', 'Block Adobe Reader from creating child processes', 'Block Office applications from injecting code into other processes'.
Learn more in Use attack surface reduction rules to prevent malware infection.
Categories: Compute
Severity: Medium
User impact: Moderate
Implementation effort: Moderate
Threats: ThreatResistance, DataSpillage, DataExfiltration, AccountBreach
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases IF (7)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.offer
properties.virtualMachineProfile.storageProfile.imageReference.offer
properties.creationData.imageReference.id		 True
True
True

False
False
False
Microsoft.Compute/imagePublisher Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.publisher
properties.virtualMachineProfile.storageProfile.imageReference.publisher
properties.creationData.imageReference.id		 True
True
True

False
False
False
Microsoft.Compute/imageSKU Microsoft.Compute
Microsoft.Compute
Microsoft.Compute		 virtualMachines
virtualMachineScaleSets
disks		 properties.storageProfile.imageReference.sku
properties.virtualMachineProfile.storageProfile.imageReference.sku
properties.creationData.imageReference.id		 True
True
True

False
False
False
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration Microsoft.Compute virtualMachines properties.osProfile.windowsConfiguration True True
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType True True
Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType Microsoft.ConnectedVMwarevSphere virtualmachines properties.osProfile.osType True False
Microsoft.HybridCompute/imageOffer Microsoft.HybridCompute machines properties.osName True False
THEN-ExistenceCondition (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus Microsoft.GuestConfiguration guestConfigurationAssignments properties.complianceStatus True False
Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash Microsoft.GuestConfiguration guestConfigurationAssignments properties.parameterHash True False
Rule resource types IF (3)
Compliance
The following 52 compliance controls are associated with this Policy definition 'Windows Defender Exploit Guard should be enabled on your machines' (bed48b13-6647-468e-aa2f-1af1d3f4dd40)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v2.0 ES-2 Azure_Security_Benchmark_v2.0_ES-2 Azure Security Benchmark ES-2 Endpoint Security Use centrally managed modern anti-malware software Customer Use a centrally managed endpoint anti-malware solution capable of real time and periodic scanning Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations. Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use third-party antimalware solution. Also, you can use Azure Security Center's Threat detection for data services to detect malware uploaded to Azure Storage accounts. How to configure Microsoft Antimalware for Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- n/a link 3
Azure_Security_Benchmark_v3.0 ES-2 Azure_Security_Benchmark_v3.0_ES-2 Microsoft cloud security benchmark ES-2 Endpoint Security Use modern anti-malware software Shared **Security Principle:** Use anti-malware solutions capable of real-time protection and periodic scanning. **Azure Guidance:** Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and on-premises machines with Azure Arc configured, and report the endpoint protection running status and make recommendations. Microsoft Defender Antivirus is the default anti-malware solution for Windows server 2016 and above. For Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection), and Microsoft Defender for Cloud to discover and assess the health status. For Linux VMs, use Microsoft Defender for Endpoint on Linux. Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts. **Implementation and additional context:** Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware n/a link 1
Azure_Security_Benchmark_v3.0 LT-1 Azure_Security_Benchmark_v3.0_LT-1 Microsoft cloud security benchmark LT-1 Logging and Threat Detection Enable threat detection capabilities Shared **Security Principle:** To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. **Azure Guidance:** Use the threat detection capability of Azure Defender services in Microsoft Defender for Cloud for the respective Azure services. For threat detection not included in Azure Defender services, refer to the Azure Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Extract the alerts to your Azure Monitor or Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Defender for IoT to inventory assets and detect threats and vulnerabilities. For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threats through Azure Sentinel. **Implementation and additional context:** Introduction to Azure Defender: https://docs.microsoft.com/azure/security-center/azure-defender Microsoft Defender for Cloud security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom Cyber threat intelligence with Azure Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence n/a link 21
Azure_Security_Benchmark_v3.0 LT-2 Azure_Security_Benchmark_v3.0_LT-2 Microsoft cloud security benchmark LT-2 Logging and Threat Detection Enable threat detection for identity and access management Shared **Security Principle:** Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted. **Azure Guidance:** Microsoft Entra ID provides the following logs that can be viewed in Microsoft Entra reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases: - Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities. - Audit logs: Provides traceability through logs for all changes done by various features within Microsoft Entra ID. Examples of audit logs include changes made to any resources within Microsoft Entra ID like adding or removing users, apps, groups, roles and policies. - Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. - Users flagged for risk: A risky user is an indicator for a user account that might have been compromised. Microsoft Entra ID also provides an Identity Protection module to detect, and remediate risks related to user accounts and sign-in behaviors. Examples risks include leaked credentials, sign-in from anonymous or malware linked IP addresses, password spray. The policies in the Microsoft Entra Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts. In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources. Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. **Implementation and additional context:** Audit activity reports in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection Threat protection in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/threat-protection n/a link 20
C.04.3 - Technical vulnerabilities C.04.3 - Technical vulnerabilities 404 not found n/a n/a 26
C.04.3 - Timelines C.04.3 - Timelines 404 not found n/a n/a 20
C.04.6 - Technical vulnerabilities C.04.6 - Technical vulnerabilities 404 not found n/a n/a 27
C.04.6 - Timelines C.04.6 - Timelines 404 not found n/a n/a 20
C.04.7 - Evaluated C.04.7 - Evaluated 404 not found n/a n/a 55
CMMC_2.0_L2 SI.L1-3.14.1 CMMC_2.0_L2_SI.L1-3.14.1 404 not found n/a n/a 14
CMMC_2.0_L2 SI.L1-3.14.2 CMMC_2.0_L2_SI.L1-3.14.2 404 not found n/a n/a 11
CMMC_2.0_L2 SI.L1-3.14.4 CMMC_2.0_L2_SI.L1-3.14.4 404 not found n/a n/a 3
CMMC_2.0_L2 SI.L1-3.14.5 CMMC_2.0_L2_SI.L1-3.14.5 404 not found n/a n/a 4
DORA_2022_2554 10.1 DORA_2022_2554_10.1 DORA 2022 2554 10.1 10 Implement Mechanisms to Detect Anomalous Activities in ICT Systems Shared n/a Establish mechanisms to detect anomalous activities within information and communication technology (ICT) systems, including network performance issues and ICT-related incidents. Additionally, identify potential material single points of failure to enhance overall system resilience and response capabilities. 54
DORA_2022_2554 10.2 DORA_2022_2554_10.2 DORA 2022 2554 10.2 10 Establish Multi-Layered Detection Mechanisms for ICT Incidents Shared n/a Implement detection mechanisms that provide multiple layers of control, defining alert thresholds and criteria to trigger information and communication technology (ICT) related incident response processes. This includes automated alert mechanisms to notify resources managing ICT-related incidents. 57
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
FedRAMP_High_R4 SC-3 FedRAMP_High_R4_SC-3 FedRAMP High SC-3 System And Communications Protection Security Function Isolation Shared n/a The information system isolates security functions from nonsecurity functions. Supplemental Guidance: The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. Related controls: AC- 3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39. References: None. link 2
FedRAMP_High_R4 SI-16 FedRAMP_High_R4_SI-16 FedRAMP High SI-16 System And Information Integrity Memory Protection Shared n/a The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. Supplemental Guidance: Some adversaries launch attacks with the intent of executing code in non- executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Related controls: AC-25, SC-3. Control Enhancements: None. References: None. link 2
FedRAMP_High_R4 SI-3 FedRAMP_High_R4_SI-3 FedRAMP High SI-3 System And Information Integrity Malicious Code Protection Shared n/a The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. References: NIST Special Publication 800-83. link 9
FedRAMP_High_R4 SI-3(1) FedRAMP_High_R4_SI-3(1) FedRAMP High SI-3 (1) System And Information Integrity Central Management Shared n/a The organization centrally manages malicious code protection mechanisms. Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. link 8
FedRAMP_Moderate_R4 SI-16 FedRAMP_Moderate_R4_SI-16 FedRAMP Moderate SI-16 System And Information Integrity Memory Protection Shared n/a The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. Supplemental Guidance: Some adversaries launch attacks with the intent of executing code in non- executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Related controls: AC-25, SC-3. Control Enhancements: None. References: None. link 2
FedRAMP_Moderate_R4 SI-3 FedRAMP_Moderate_R4_SI-3 FedRAMP Moderate SI-3 System And Information Integrity Malicious Code Protection Shared n/a The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. References: NIST Special Publication 800-83. link 9
FedRAMP_Moderate_R4 SI-3(1) FedRAMP_Moderate_R4_SI-3(1) FedRAMP Moderate SI-3 (1) System And Information Integrity Central Management Shared n/a The organization centrally manages malicious code protection mechanisms. Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. link 8
K_ISMS_P_2018 2.10.1 K_ISMS_P_2018_2.10.1 K ISMS P 2018 2.10.1 2.10 Establish Procedures for Managing the Security of System Operations Shared n/a Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. 455
K_ISMS_P_2018 2.10.2 K_ISMS_P_2018_2.10.2 K ISMS P 2018 2.10.2 2.10 Establish Protective Measures for Administrator Privileges and Security Configurations Shared n/a Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. 431
K_ISMS_P_2018 2.10.9 K_ISMS_P_2018_2.10.9 K ISMS P 2018 2.10.9 2.10 Implement Protective Measures Against Malicious Code Shared n/a Establish and implement measures for preventing, detecting, and responding to malicious codes such as viruses, worms, trojan horses, or ransomware to protect information systems and personal information. 35
New_Zealand_ISM 14.1.9.C.01 New_Zealand_ISM_14.1.9.C.01 New_Zealand_ISM_14.1.9.C.01 14. Software security 14.1.9.C.01 Maintaining hardened SOEs n/a Agencies MUST ensure that for all servers and workstations: a technical specification is agreed for each platform with specified controls; a standard configuration created and updated for each operating system type and version; system users do not have the ability to install or disable software without approval; and installed software and operating system patching is up to date. 16
NIST_SP_800-171_R2_3 .14.1 NIST_SP_800-171_R2_3.14.1 NIST SP 800-171 R2 3.14.1 System and Information Integrity Identify, report, and correct system flaws in a timely manner. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. [SP 800-40] provides guidance on patch management technologies. link 17
NIST_SP_800-171_R2_3 .14.2 NIST_SP_800-171_R2_3.14.2 NIST SP 800-171 R2 3.14.2 System and Information Integrity Provide protection from malicious code at designated locations within organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention. link 18
NIST_SP_800-171_R2_3 .14.4 NIST_SP_800-171_R2_3.14.4 NIST SP 800-171 R2 3.14.4 System and Information Integrity Update malicious code protection mechanisms when new releases are available. Shared Microsoft and the customer share responsibilities for implementing this requirement. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. link 9
NIST_SP_800-171_R2_3 .14.5 NIST_SP_800-171_R2_3.14.5 NIST SP 800-171 R2 3.14.5 System and Information Integrity Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Shared Microsoft and the customer share responsibilities for implementing this requirement. Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. link 4
NIST_SP_800-53_R4 SC-3 NIST_SP_800-53_R4_SC-3 NIST SP 800-53 Rev. 4 SC-3 System And Communications Protection Security Function Isolation Shared n/a The information system isolates security functions from nonsecurity functions. Supplemental Guidance: The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. Related controls: AC- 3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39. References: None. link 2
NIST_SP_800-53_R4 SI-16 NIST_SP_800-53_R4_SI-16 NIST SP 800-53 Rev. 4 SI-16 System And Information Integrity Memory Protection Shared n/a The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. Supplemental Guidance: Some adversaries launch attacks with the intent of executing code in non- executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Related controls: AC-25, SC-3. Control Enhancements: None. References: None. link 2
NIST_SP_800-53_R4 SI-3 NIST_SP_800-53_R4_SI-3 NIST SP 800-53 Rev. 4 SI-3 System And Information Integrity Malicious Code Protection Shared n/a The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. References: NIST Special Publication 800-83. link 9
NIST_SP_800-53_R4 SI-3(1) NIST_SP_800-53_R4_SI-3(1) NIST SP 800-53 Rev. 4 SI-3 (1) System And Information Integrity Central Management Shared n/a The organization centrally manages malicious code protection mechanisms. Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. link 8
NIST_SP_800-53_R5 SC-3 NIST_SP_800-53_R5_SC-3 NIST SP 800-53 Rev. 5 SC-3 System and Communications Protection Security Function Isolation Shared n/a Isolate security functions from nonsecurity functions. link 2
NIST_SP_800-53_R5 SI-16 NIST_SP_800-53_R5_SI-16 NIST SP 800-53 Rev. 5 SI-16 System and Information Integrity Memory Protection Shared n/a Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. link 2
NIST_SP_800-53_R5 SI-3 NIST_SP_800-53_R5_SI-3 NIST SP 800-53 Rev. 5 SI-3 System and Information Integrity Malicious Code Protection Shared n/a a. Implement [Selection (OneOrMore): signature based;non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (OneOrMore): endpoint;network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (OneOrMore): block malicious code;quarantine malicious code;take [Assignment: organization-defined action] ] ; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. link 9
NZ_ISM_v3.5 SS-3 NZ_ISM_v3.5_SS-3 NZISM Security Benchmark SS-3 Software security 14.1.9 Maintaining hardened SOEs Customer n/a Whilst a SOE can be sufficiently hardened when it is deployed, its security will progressively degrade over time. Agencies can address the degradation of the security of a SOE by ensuring that patches are continually applied, system users are not able to disable or bypass security functionality and antivirus and other security software is appropriately maintained with the latest signatures and updates. End Point Agents monitor traffic and apply security policies on applications, storage interfaces and data in real-time. Administrators actively block or monitor and log policy breaches. The End Point Agent can also create forensic monitoring to facilitate incident investigation. End Point Agents can monitor user activity, such as the cut, copy, paste, print, print screen operations and copying data to external drives and other devices. The Agent can then apply policies to limit such activity. link 15
op.exp.6 Protection against harmful code op.exp.6 Protection against harmful code 404 not found n/a n/a 61
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
RBI_CSF_Banks_v2016 13.1 RBI_CSF_Banks_v2016_13.1 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 n/a Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. 21
RBI_CSF_Banks_v2016 13.2 RBI_CSF_Banks_v2016_13.2 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.2 n/a Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices ???(Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralised management and monitoring. 17
RBI_CSF_Banks_v2016 15.1 RBI_CSF_Banks_v2016_15.1 Data Leak Prevention Strategy Data Leak Prevention Strategy-15.1 n/a Develop a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential)business and customer data/information. 4
RBI_CSF_Banks_v2016 15.3 RBI_CSF_Banks_v2016_15.3 Data Leak Prevention Strategy Data Leak Prevention Strategy-15.3 n/a Similar arrangements need to be ensured at the vendor managed facilities as well. 1
RBI_CSF_Banks_v2016 5.1 RBI_CSF_Banks_v2016_5.1 Secure Configuration Secure Configuration-5.1 n/a Document and apply baseline security requirements/configurations to all categories of devices (end-points/workstations, mobile devices, operating systems, databases, applications, network devices, security devices, security systems, etc.), throughout the lifecycle (from conception to deployment) and carry out reviews periodically. 8
SOC_2 CC7.2 SOC_2_CC7.2 SOC 2 Type 2 CC7.2 System Operations Monitor system components for anomalous behavior Shared The customer is responsible for implementing this recommendation. • Implements Detection Policies, Procedures, and Tools — Detection policies and procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. • Designs Detection Measures — Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. • Implements Filters to Analyze Anomalies — Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events. • Monitors Detection Tools for Effective Operation — Management has implemented processes to monitor the effectiveness of detection tools 20
U.09.3 - Detection, prevention and recovery U.09.3 - Detection, prevention and recovery 404 not found n/a n/a 29
U.15.1 - Events Logged U.15.1 - Events Logged 404 not found n/a n/a 51
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
DORA 2022 2554 f9c0485f-da8e-43b5-961e-58ebd54b907c Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
K ISMS P 2018 e0782c37-30da-4a78-9f92-50bfe7aa2553 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn true
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-01-28 17:51:01 change Major (1.1.1 > 2.0.0)
2021-01-22 09:14:53 change Patch (1.1.0 > 1.1.1)
2020-09-16 13:09:49 change Previous DisplayName: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
2020-03-17 09:22:59 add bed48b13-6647-468e-aa2f-1af1d3f4dd40
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC