last sync: 2023-Nov-30 18:20:17 UTC

Azure Policy definition

Windows machines should meet requirements for 'Security Settings - Account Policies'

Source Azure Portal
Display name Windows machines should meet requirements for 'Security Settings - Account Policies'
Id f2143251-70de-4e81-87a8-36cee5a2f29d
Version 3.0.0
Category Guest Configuration
Description Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases IF (7)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute virtualMachines properties.storageProfile.imageReference.offer false
Microsoft.Compute/imageOffer Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.offer false
Microsoft.Compute/imageOffer Microsoft.Compute disks properties.creationData.imageReference.id false
Microsoft.Compute/imagePublisher Microsoft.Compute virtualMachines properties.storageProfile.imageReference.publisher false
Microsoft.Compute/imagePublisher Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.publisher false
Microsoft.Compute/imagePublisher Microsoft.Compute disks properties.creationData.imageReference.id false
Microsoft.Compute/imageSKU Microsoft.Compute virtualMachines properties.storageProfile.imageReference.sku false
Microsoft.Compute/imageSKU Microsoft.Compute virtualMachineScaleSets properties.virtualMachineProfile.storageProfile.imageReference.sku false
Microsoft.Compute/imageSKU Microsoft.Compute disks properties.creationData.imageReference.id false
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration Microsoft.Compute virtualMachines properties.osProfile.windowsConfiguration true
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType true
Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType Microsoft.ConnectedVMwarevSphere virtualmachines properties.osProfile.osType false
Microsoft.HybridCompute/imageOffer Microsoft.HybridCompute machines properties.osName false
THEN-ExistenceCondition (2)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus Microsoft.GuestConfiguration guestConfigurationAssignments properties.complianceStatus false
Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash Microsoft.GuestConfiguration guestConfigurationAssignments properties.parameterHash false
Rule resource types IF (3)
Microsoft.Compute/virtualMachines
Microsoft.ConnectedVMwarevSphere/virtualMachines
Microsoft.HybridCompute/machines
Compliance
The following 2 compliance controls are associated with this Policy definition 'Windows machines should meet requirements for 'Security Settings - Account Policies'' (f2143251-70de-4e81-87a8-36cee5a2f29d)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 421 AU_ISM_421 AU ISM 421 Guidelines for System Hardening - Authentication hardening Single-factor authentication - 421 n/a Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words. link 4
NZISM_Security_Benchmark_v1.1 AC-4 NZISM_Security_Benchmark_v1.1_AC-4 NZISM Security Benchmark AC-4 Access Control and Passwords 16.1.40 Password selection policy Customer Agencies SHOULD implement a password policy enforcing either: - a minimum password length of 16 characters with no complexity requirement; or - a minimum password length of ten characters, consisting of at least three of the following character sets: - lowercase characters (a-z); - uppercase characters (A-Z); - digits (0-9); and - punctuation and special characters. Passwords are the primary authentication mechanism for almost all information systems and are a fundamental part of access and authentication processes and mechanisms. While there are some limitations in the use of passwords, they remain the most cost effective means available with current technology. Passwords are subject to three principal groups of risks: Intentional password sharing; Password theft, loss or compromise; and Password guessing and cracking. Associated with these risk groups are four principal methods of attacking passwords: Interactive attempts including password guessing, brute force attacks or some knowledge of the user or agency. Obtaining the password through social engineering or phishing. Compromising the password through oversight, observation, use of keyloggers, cameras etc. Cracking through network traffic interception, misconfiguration, malware, data capture etc. For example a simple eight-letter password can today be brute-forced in minutes by software freely available on the Internet. Password controls are designed to manage these risks and attack methods using the controls specified in this section. For example, passwords with at least ten characters utilising upper and lower case, numbers and special characters have a much greater resistance to brute force attacks. When used in combination with controls such as password history and regular password change, passwords can present high resistance to known attack methods. link 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: Windows machines should meet requirements for the Azure compute security baseline be7a78aa-3e10-4153-a5fd-8c6506dbc821 Guest Configuration Preview BuiltIn
New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-01-28 17:51:01 change Major (2.0.0 > 3.0.0)
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Settings - Account Policies'
2020-08-20 14:05:01 add f2143251-70de-4e81-87a8-36cee5a2f29d