|
Policy Rule
|
{
"properties": {
"displayName": "Windows machines should meet requirements for 'Security Options - Microsoft Network Client'",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
"metadata": {
"category": "Guest Configuration",
"version": "2.0.0",
"requiredProviders": [
"Microsoft.GuestConfiguration"
],
"guestConfiguration": {
"name": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
"version": "1.*",
"configurationParameter": {
"MicrosoftNetworkClientDigitallySignCommunicationsAlways": "Microsoft network client: Digitally sign communications (always);ExpectedValue",
"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": "Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue",
"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": "Microsoft network server: Amount of idle time required before suspending session;ExpectedValue",
"MicrosoftNetworkServerDigitallySignCommunicationsAlways": "Microsoft network server: Digitally sign communications (always);ExpectedValue",
"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": "Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue"
}
}
},
"parameters": {
"IncludeArcMachines": {
"type": "String",
"metadata": {
"displayName": "Include Arc connected servers",
"description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "false"
},
"MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
"type": "String",
"metadata": {
"displayName": "Microsoft network client: Digitally sign communications (always)",
"description": "Specifies whether packet signing is required by the SMB client component."
},
"defaultValue": "1"
},
"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
"type": "String",
"metadata": {
"displayName": "Microsoft network client: Send unencrypted password to third-party SMB servers",
"description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
},
"defaultValue": "0"
},
"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
"type": "String",
"metadata": {
"displayName": "Microsoft network server: Amount of idle time required before suspending session",
"description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
},
"defaultValue": "1,15"
},
"MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
"type": "String",
"metadata": {
"displayName": "Microsoft network server: Digitally sign communications (always)",
"description": "Specifies whether packet signing is required by the SMB server component."
},
"defaultValue": "1"
},
"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
"type": "String",
"metadata": {
"displayName": "Microsoft network server: Disconnect clients when logon hours expire",
"description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
},
"defaultValue": "1"
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of this policy"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"in": [
"esri",
"incredibuild",
"MicrosoftDynamicsAX",
"MicrosoftSharepoint",
"MicrosoftVisualStudio",
"MicrosoftWindowsDesktop",
"MicrosoftWindowsServerHPCPack"
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsServer"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "2008*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftSQLServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"notLike": "SQL2008*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-dsvm"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "dsvm-windows"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-ads"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"standard-data-science-vm",
"windows-data-science-vm"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "batch"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "rendering-windows2016"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "center-for-internet-security-inc"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "cis-windows-server-201*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "pivotal"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "bosh-windows-server*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "cloud-infrastructure-services"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "ad*"
}
]
},
{
"allOf": [
{
"anyOf": [
{
"field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
"exists": "true"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"like": "Windows*"
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"exists": "false"
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "2008*"
},
{
"field": "Microsoft.Compute/imageOffer",
"notLike": "SQL2008*"
}
]
}
]
}
]
}
]
}
]
},
{
"allOf": [
{
"value": "[parameters('IncludeArcMachines')]",
"equals": "true"
},
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"field": "Microsoft.HybridCompute/imageOffer",
"like": "windows*"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
"equals": "Compliant"
},
{
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
"equals": "[base64(concat('Microsoft network client: Digitally sign communications (always);ExpectedValue', '=', parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways'), ',', 'Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue', '=', parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'), ',', 'Microsoft network server: Amount of idle time required before suspending session;ExpectedValue', '=', parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'), ',', 'Microsoft network server: Digitally sign communications (always);ExpectedValue', '=', parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways'), ',', 'Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue', '=', parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')))]"
}
]
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/d6c69680-54f0-4349-af10-94dd05f4225e",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "d6c69680-54f0-4349-af10-94dd05f4225e"
}
|