AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay... | Regulatory Compliance - Identification and Authentication

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay...
Id cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff
Version 1.0.1
Details on versioning
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Identification and Authentication control
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.0.0'
Repository: Azure-Policy cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff
Additional metadata Name/Id: ACF1306 / Microsoft Managed Control 1306
Category: Identification and Authentication
Title: User Identification And Authentication | Network Access To Privileged Accounts - Replay Resistant
Ownership: Customer, Microsoft
Description: The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
Requirements: Azure implements multifactor authentication for network access by Azure personnel with eAuth Level 4 and FIPS 140-2 compliant Thales smart cards. All Microsoft users connect to Azure assets via Jumpboxes, Debug servers, and Network Hop Boxes. This requires the user to present a certificate bound to the card along with a PIN. Access to the Azure production environment using the smart card solution is protected from replay attacks by the built-in Kerberos v5 functionality of Active Directory (AD). In Kerberos authentication, the authenticator sent by the client contains additional data, such as an encrypted IP list, the client's timestamp, and the ticket lifetime. If a packet is replayed, the timestamp is checked. If the timestamp is earlier than or the same as a previous authenticator, the packet is rejected because it is a replay. For more information on Active Directory and Kerberos, see TechNet article 742516: Techniques used to address replay attacks from network connections to the Azure environment include the use of the TLS protocol that uses challenges. The TLS protocol is used to authenticate network access to prove the identities of parties engaged in secure communication. It also provides data integrity through an integrity check value. In addition to protecting against data disclosure, the TLS security protocol can be used to help protect against masquerade attacks, man-in-the-middle or bucket brigade attacks, rollback attacks, and replay attacks.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Compliance
The following 1 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay...' (cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
NIS2 IM._Identity_Management_10 NIS2_IM._Identity_Management_10 NIS2_IM._Identity_Management_10 IM. Identity Management The use of multi-factor authentication Customer, Microsoft Cryptographic Module Authentication The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate. 29
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: NIS2 32ff9e30-4725-4ca7-ba3a-904a7721ee87 Regulatory Compliance Preview BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-04-01 20:29:14 change Patch (1.0.0 > 1.0.1)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC