last sync: 2024-Oct-10 19:12:06 UTC

Enforce random unique session identifiers | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Enforce random unique session identifiers
Id c7d57a6a-7cc2-66c0-299f-83bf90558f5d
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0247 - Enforce random unique session identifiers
Additional metadata Name/Id: CMA_0247 / CMA_0247
Category: Operational
Title: Enforce random unique session identifiers
Ownership: Customer
Description: Microsoft recommends that your organization enforce random unique session identifiers to help prevent session ID reuse and brute-force attacks. It is recommended to only recognize identifiers that are generated by the system.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 7 compliance controls are associated with this Policy definition 'Enforce random unique session identifiers' (c7d57a6a-7cc2-66c0-299f-83bf90558f5d)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SC-23 FedRAMP_High_R4_SC-23 FedRAMP High SC-23 System And Communications Protection Session Authenticity Shared n/a The information system protects the authenticity of communications sessions. Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. References: NIST Special Publications 800-52, 800-77, 800-95. link 2
FedRAMP_Moderate_R4 SC-23 FedRAMP_Moderate_R4_SC-23 FedRAMP Moderate SC-23 System And Communications Protection Session Authenticity Shared n/a The information system protects the authenticity of communications sessions. Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. References: NIST Special Publications 800-52, 800-77, 800-95. link 2
hipaa 0948.09y2Organizational.3-09.y hipaa-0948.09y2Organizational.3-09.y 0948.09y2Organizational.3-09.y 09 Transmission Protection 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services Shared n/a Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process. 6
NIST_SP_800-171_R2_3 .13.15 NIST_SP_800-171_R2_3.13.15 NIST SP 800-171 R2 3.13.15 System and Communications Protection Protect the authenticity of communications sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-113] provide guidance on secure communications sessions. link 2
NIST_SP_800-53_R4 SC-23 NIST_SP_800-53_R4_SC-23 NIST SP 800-53 Rev. 4 SC-23 System And Communications Protection Session Authenticity Shared n/a The information system protects the authenticity of communications sessions. Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. References: NIST Special Publications 800-52, 800-77, 800-95. link 2
NIST_SP_800-53_R5 SC-23 NIST_SP_800-53_R5_SC-23 NIST SP 800-53 Rev. 5 SC-23 System and Communications Protection Session Authenticity Shared n/a Protect the authenticity of communications sessions. link 2
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add c7d57a6a-7cc2-66c0-299f-83bf90558f5d
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC