last sync: 2020-Sep-30 14:32:32 UTC

Azure Policy

Windows machines should meet requirements for 'Security Options - Microsoft Network Client'

Policy DisplayName Windows machines should meet requirements for 'Security Options - Microsoft Network Client'
Policy Id d6c69680-54f0-4349-af10-94dd05f4225e
Policy Category Guest Configuration
Policy Description Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) | Change | Change detail
2020-09-15 14:06:41 change: DisplayName previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'
2020-08-20 14:05:01 add: Policy d6c69680-54f0-4349-af10-94dd05f4225e
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8
[Preview]: Windows machines should meet requirements for the Azure security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821
Policy Rule
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Options - Microsoft Network Client'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
        "version": "1.*",
        "configurationParameter": {
          "MicrosoftNetworkClientDigitallySignCommunicationsAlways": "Microsoft network client: Digitally sign communications (always);ExpectedValue",
          "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": "Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue",
          "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": "Microsoft network server: Amount of idle time required before suspending session;ExpectedValue",
          "MicrosoftNetworkServerDigitallySignCommunicationsAlways": "Microsoft network server: Digitally sign communications (always);ExpectedValue",
          "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": "Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "MicrosoftNetworkClientDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB client component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network client: Send unencrypted password to third-party SMB servers",
          "description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
        },
        "defaultValue": "0"
      },
      "MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Amount of idle time required before suspending session",
          "description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,15"
      },
      "MicrosoftNetworkServerDigitallySignCommunicationsAlways": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Digitally sign communications (always)",
          "description": "Specifies whether packet signing is required by the SMB server component."
        },
        "defaultValue": "1"
      },
      "MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
        "type": "String",
        "metadata": {
          "displayName": "Microsoft network server: Disconnect clients when logon hours expire",
          "description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
              "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecurityOptionsMicrosoftNetworkClient",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('Microsoft network client: Digitally sign communications (always);ExpectedValue', '=', parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways'), ',', 'Microsoft network client: Send unencrypted password to third-party SMB servers;ExpectedValue', '=', parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'), ',', 'Microsoft network server: Amount of idle time required before suspending session;ExpectedValue', '=', parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'), ',', 'Microsoft network server: Digitally sign communications (always);ExpectedValue', '=', parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways'), ',', 'Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue', '=', parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/d6c69680-54f0-4349-af10-94dd05f4225e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "d6c69680-54f0-4349-af10-94dd05f4225e"
}