last sync: 2024-Mar-01 17:50:27 UTC

Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay... | Regulatory Compliance - Identification and Authentication

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay...
Id cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff
Version 1.0.1
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Identification and Authentication control
Additional metadata Name/Id: ACF1306 / Microsoft Managed Control 1306
Category: Identification and Authentication
Title: User Identification And Authentication | Network Access To Privileged Accounts - Replay Resistant
Ownership: Customer, Microsoft
Description: The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
Requirements: Azure implements multifactor authentication for network access by Azure personnel with eAuth Level 4 and FIPS 140-2 compliant Thales smart cards. All Microsoft users connect to Azure assets via Jumpboxes, Debug servers, and Network Hop Boxes. This requires the user to present a certificate bound to the card along with a PIN. Access to the Azure production environment using the smart card solution is protected from replay attacks by the built-in Kerberos v5 functionality of Active Directory (AD). In Kerberos authentication, the authenticator sent by the client contains additional data, such as an encrypted IP list, the client's timestamp, and the ticket lifetime. If a packet is replayed, the timestamp is checked. If the timestamp is earlier than or the same as a previous authenticator, the packet is rejected because it is a replay. For more information on Active Directory and Kerberos, see TechNet article 742516: Techniques used to address replay attacks from network connections to the Azure environment include the use of the TLS protocol that uses challenges. The TLS protocol is used to authenticate network access to prove the identities of parties engaged in secure communication. It also provides data integrity through an integrity check value. In addition to protecting against data disclosure, the TLS security protocol can be used to help protect against masquerade attacks, man-in-the-middle or bucket brigade attacks, rollback attacks, and replay attacks.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-04-01 20:29:14 change Patch (1.0.0 > 1.0.1)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC