last sync: 2021-May-17 14:22:45 UTC

Azure Policy definition

Windows machines should meet requirements for 'Security Settings - Account Policies'

Name Windows machines should meet requirements for 'Security Settings - Account Policies'
Azure Portal
Id f2143251-70de-4e81-87a8-36cee5a2f29d
Version 2.0.0
details on versioning
Category Guest Configuration
Microsoft docs
Description Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Settings - Account Policies'
2020-08-20 14:05:01 add f2143251-70de-4e81-87a8-36cee5a2f29d
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview
[Preview]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Preview
[Preview]: Windows machines should meet requirements for the Azure compute security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821 Guest Configuration Preview
JSON
{
  "properties": {
    "displayName": "Windows machines should meet requirements for 'Security Settings - Account Policies'",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
    "metadata": {
      "category": "Guest Configuration",
      "version": "2.0.0",
      "requiredProviders": [
        "Microsoft.GuestConfiguration"
      ],
      "guestConfiguration": {
        "name": "AzureBaseline_SecuritySettingsAccountPolicies",
        "version": "1.*",
        "configurationParameter": {
          "EnforcePasswordHistory": "Enforce password history;ExpectedValue",
          "MaximumPasswordAge": "Maximum password age;ExpectedValue",
          "MinimumPasswordAge": "Minimum password age;ExpectedValue",
          "MinimumPasswordLength": "Minimum password length;ExpectedValue",
          "PasswordMustMeetComplexityRequirements": "Password must meet complexity requirements;ExpectedValue"
        }
      }
    },
    "parameters": {
      "IncludeArcMachines": {
        "type": "String",
        "metadata": {
          "displayName": "Include Arc connected servers",
          "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "false"
      },
      "EnforcePasswordHistory": {
        "type": "String",
        "metadata": {
          "displayName": "Enforce password history",
          "description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
        },
        "defaultValue": "24"
      },
      "MaximumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Maximum password age",
          "description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
        },
        "defaultValue": "1,70"
      },
      "MinimumPasswordAge": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password age",
          "description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
        },
        "defaultValue": "1"
      },
      "MinimumPasswordLength": {
        "type": "String",
        "metadata": {
          "displayName": "Minimum password length",
          "description": "Specifies the minimum number of characters that a user account password may contain."
        },
        "defaultValue": "14"
      },
      "PasswordMustMeetComplexityRequirements": {
        "type": "String",
        "metadata": {
          "displayName": "Password must meet complexity requirements",
          "description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of  user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
        },
        "defaultValue": "1"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of this policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "in": [
                      "esri",
                      "incredibuild",
                      "MicrosoftDynamicsAX",
                      "MicrosoftSharepoint",
                      "MicrosoftVisualStudio",
                      "MicrosoftWindowsDesktop",
                      "MicrosoftWindowsServerHPCPack"
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftWindowsServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "notLike": "2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "MicrosoftSQLServer"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "notLike": "SQL2008*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-dsvm"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "dsvm-windows"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "microsoft-ads"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                          "standard-data-science-vm",
                          "windows-data-science-vm"
                        ]
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "batch"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "equals": "rendering-windows2016"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "center-for-internet-security-inc"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "cis-windows-server-201*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "pivotal"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "bosh-windows-server*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.Compute/imagePublisher",
                        "equals": "cloud-infrastructure-services"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "ad*"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                            "exists": "true"
                          },
                          {
                            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                            "like": "Windows*"
                          }
                        ]
                      },
                      {
                        "anyOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "exists": "false"
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Compute/imageSKU",
                                "notLike": "2008*"
                              },
                              {
                                "field": "Microsoft.Compute/imageOffer",
                                "notLike": "SQL2008*"
                              }
                            ]
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          },
          {
            "allOf": [
              {
              "value": "[parameters('IncludeArcMachines')]",
                "equals": "true"
              },
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "Microsoft.HybridCompute/imageOffer",
                "like": "windows*"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
          "name": "AzureBaseline_SecuritySettingsAccountPolicies",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
                "equals": "Compliant"
              },
              {
                "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
              "equals": "[base64(concat('Enforce password history;ExpectedValue', '=', parameters('EnforcePasswordHistory'), ',', 'Maximum password age;ExpectedValue', '=', parameters('MaximumPasswordAge'), ',', 'Minimum password age;ExpectedValue', '=', parameters('MinimumPasswordAge'), ',', 'Minimum password length;ExpectedValue', '=', parameters('MinimumPasswordLength'), ',', 'Password must meet complexity requirements;ExpectedValue', '=', parameters('PasswordMustMeetComplexityRequirements')))]"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f2143251-70de-4e81-87a8-36cee5a2f29d"
}