last sync: 2024-Apr-19 17:43:58 UTC

Establish a password policy | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish a password policy
Id d8bbd80e-3bb1-5983-06c2-428526ec6a63
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0256 - Establish a password policy
Additional metadata Name/Id: CMA_0256 / CMA_0256
Category: Operational
Title: Establish a password policy
Ownership: Customer
Description: Microsoft recommends that your organization establish clear policies on password best practices to promote a culture of security and to keep passwords confidential. Consider including : - Password complexity requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters including minimum requirements for each type - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions on the minimum number of changed characters when a new password is created - Instructions to change passwords if there is any suspicion the password could be compromised - Use or prohibition of password managers
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 23 compliance controls are associated with this Policy definition 'Establish a password policy' (d8bbd80e-3bb1-5983-06c2-428526ec6a63)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IA-5(1) FedRAMP_High_R4_IA-5(1) FedRAMP High IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
FedRAMP_High_R4 IA-5(4) FedRAMP_High_R4_IA-5(4) FedRAMP High IA-5 (4) Identification And Authentication Automated Support For Password Strength Determination Shared n/a The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. link 3
FedRAMP_Moderate_R4 IA-5(1) FedRAMP_Moderate_R4_IA-5(1) FedRAMP Moderate IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
FedRAMP_Moderate_R4 IA-5(4) FedRAMP_Moderate_R4_IA-5(4) FedRAMP Moderate IA-5 (4) Identification And Authentication Automated Support For Password Strength Determination Shared n/a The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. link 3
hipaa 1004.01d1System.8913-01.d hipaa-1004.01d1System.8913-01.d 1004.01d1System.8913-01.d 10 Password Management 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization maintains a list of commonly-used, expected, or compromised passwords, and updates the list (i) at least every 180 days and (ii) when organizational passwords are suspected to have been compromised (either directly or indirectly); allows users to select long passwords and passphrases, including spaces and all printable characters; employs automated tools to assist the user in selecting strong passwords and authenticators; and verifies, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords. 8
hipaa 1005.01d1System.1011-01.d hipaa-1005.01d1System.1011-01.d 1005.01d1System.1011-01.d 10 Password Management 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization transmits passwords only when cryptographically-protected and stores passwords using an approved hash algorithm. 6
hipaa 1009.01d2System.4-01.d hipaa-1009.01d2System.4-01.d 1009.01d2System.4-01.d 10 Password Management 1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems Shared n/a Temporary passwords are unique and not guessable. 4
hipaa 1014.01d1System.12-01.d hipaa-1014.01d1System.12-01.d 1014.01d1System.12-01.d 10 Password Management 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization avoids the use of third-parties or unprotected (clear text) electronic mail messages for the dissemination of passwords. 11
hipaa 1022.01d1System.15-01.d hipaa-1022.01d1System.15-01.d 1022.01d1System.15-01.d 10 Password Management 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems Shared n/a Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. 8
hipaa 1031.01d1System.34510-01.d hipaa-1031.01d1System.34510-01.d 1031.01d1System.34510-01.d 10 Password Management 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization changes passwords for default system accounts, whenever there is any indication of password compromise, at first logon following the issuance of a temporary password, and requires immediate selection of a new password upon account recovery. 6
hipaa 1116.01j1Organizational.145-01.j hipaa-1116.01j1Organizational.145-01.j 1116.01j1Organizational.145-01.j 11 Access Control 1116.01j1Organizational.145-01.j 01.04 Network Access Control Shared n/a Strong authentication methods are implemented for all external connections to the organization’s network. 6
ISO27001-2013 A.10.1.2 ISO27001-2013_A.10.1.2 ISO 27001:2013 A.10.1.2 Cryptography Key Management Shared n/a A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. link 15
ISO27001-2013 A.9.2.4 ISO27001-2013_A.9.2.4 ISO 27001:2013 A.9.2.4 Access Control Management of secret authentication information of users Shared n/a The allocation of secret authentication information shall be controlled through a formal management process. link 21
ISO27001-2013 A.9.3.1 ISO27001-2013_A.9.3.1 ISO 27001:2013 A.9.3.1 Access Control Use of secret authentication information Shared n/a Users shall be required to follow the organization's practices in the use of secret authentication information. link 15
ISO27001-2013 A.9.4.3 ISO27001-2013_A.9.4.3 ISO 27001:2013 A.9.4.3 Access Control Password management system Shared n/a Password management systems shall be interactive and shall ensure quality password. link 22
NIST_SP_800-171_R2_3 .5.7 NIST_SP_800-171_R2_3.5.7 NIST SP 800-171 R2 3.5.7 Identification and Authentication Enforce a minimum password complexity and change of characters when new passwords are created. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. link 8
NIST_SP_800-53_R4 IA-5(1) NIST_SP_800-53_R4_IA-5(1) NIST SP 800-53 Rev. 4 IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
NIST_SP_800-53_R4 IA-5(4) NIST_SP_800-53_R4_IA-5(4) NIST SP 800-53 Rev. 4 IA-5 (4) Identification And Authentication Automated Support For Password Strength Determination Shared n/a The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. link 3
NIST_SP_800-53_R5 IA-5(1) NIST_SP_800-53_R5_IA-5(1) NIST SP 800-53 Rev. 5 IA-5 (1) Identification and Authentication Password-based Authentication Shared n/a For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. link 15
PCI_DSS_v4.0 8.3.6 PCI_DSS_v4.0_8.3.6 PCI DSS v4.0 8.3.6 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). • Contain both numeric and alphabetic characters. link 9
PCI_DSS_v4.0 8.6.3 PCI_DSS_v4.0_8.6.3 PCI DSS v4.0 8.6.3 Requirement 08: Identify Users and Authenticate Access to System Components Use of application and system accounts and associated authentication factors is strictly managed Shared n/a Passwords/passphrases for any application and system accounts are protected against misuse as follows: • Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise. • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. link 6
SWIFT_CSCF_v2022 4.1 SWIFT_CSCF_v2022_4.1 SWIFT CSCF v2022 4.1 4. Prevent Compromise of Credentials Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. Shared n/a All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. link 17
SWIFT_CSCF_v2022 5.4 SWIFT_CSCF_v2022_5.4 SWIFT CSCF v2022 5.4 5. Manage Identities and Segregate Privileges Protect physically and logically the repository of recorded passwords. Shared n/a Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis. link 6
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add d8bbd80e-3bb1-5983-06c2-428526ec6a63
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC