AzPolicyAdvertizer

last sync: 2023-Jun-09 17:46:13 UTC

Azure Policy definition

Windows machines should meet requirements for 'Security Settings - Account Policies'

Name

Windows machines should meet requirements for 'Security Settings - Account Policies'
Azure Portal

f2143251-70de-4e81-87a8-36cee5a2f29d

Version

3.0.0
details on versioning

Category

Guest Configuration
Microsoft docs

Description

Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Mode

Indexed

Type

BuiltIn

Preview

FALSE

Deprecated

FALSE

Effect

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

RBAC
Role(s)

none

Rule
Aliases

IF (7)

Alias	Namespace	ResourceType	DefaultPath	Modifiable
Microsoft.Compute/imageOffer	Microsoft.Compute Microsoft.Compute Microsoft.Compute	virtualMachines virtualMachineScaleSets disks	properties.storageProfile.imageReference.offer properties.virtualMachineProfile.storageProfile.imageReference.offer properties.creationData.imageReference.id	false false false
Microsoft.Compute/imagePublisher	Microsoft.Compute Microsoft.Compute Microsoft.Compute	virtualMachines virtualMachineScaleSets disks	properties.storageProfile.imageReference.publisher properties.virtualMachineProfile.storageProfile.imageReference.publisher properties.creationData.imageReference.id	false false false
Microsoft.Compute/imageSKU	Microsoft.Compute Microsoft.Compute Microsoft.Compute	virtualMachines virtualMachineScaleSets disks	properties.storageProfile.imageReference.sku properties.virtualMachineProfile.storageProfile.imageReference.sku properties.creationData.imageReference.id	false false false
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration	Microsoft.Compute	virtualMachines	properties.osProfile.windowsConfiguration	true
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType	Microsoft.Compute	virtualMachines	properties.storageProfile.osDisk.osType	true
Microsoft.ConnectedVMwarevSphere/virtualMachines/osProfile.osType	Microsoft.ConnectedVMwarevSphere	VirtualMachines	properties.osProfile.osType	false
Microsoft.HybridCompute/imageOffer	Microsoft.HybridCompute	machines	properties.osName	false

THEN-ExistenceCondition (2)

Alias	Namespace	ResourceType	DefaultPath	Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus	Microsoft.GuestConfiguration	guestConfigurationAssignments	properties.complianceStatus	false
Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash	Microsoft.GuestConfiguration	guestConfigurationAssignments	properties.parameterHash	false

Rule
ResourceTypes

IF (3)
Microsoft.Compute/virtualMachines
Microsoft.ConnectedVMwarevSphere/virtualMachines
Microsoft.HybridCompute/machines

Compliance

The following 2 compliance controls are associated with this Policy definition 'Windows machines should meet requirements for 'Security Settings - Account Policies'' (f2143251-70de-4e81-87a8-36cee5a2f29d)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
AU_ISM	421	AU_ISM_421	AU ISM 421	Guidelines for System Hardening - Authentication hardening	Single-factor authentication - 421		n/a	Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words.	link	4
NZISM_Security_Benchmark_v1.1	AC-4	NZISM_Security_Benchmark_v1.1_AC-4	NZISM Security Benchmark AC-4	Access Control and Passwords	16.1.40 Password selection policy	Customer	Agencies SHOULD implement a password policy enforcing either: a minimum password length of 16 characters with no complexity requirement; or -a minimum password length of ten characters, consisting of atleast three of the following character sets: - lowercase characters (a-z); - uppercase characters (A-Z); - digits (0-9); and - punctuation and special characters.	Passwords are the primary authentication mechanism for almost all information systems and are fundamental part of access and authentication processes and mechanisms. While there are some limitations in the use of passwords, they remain the most cost effective means available with current technology. Passwords are subject to three principal groups of risks: Intentional password sharing; Password theft, loss or compromise; and Password guessing and cracking. Associated with these risk groups are four principal methods of attacking passwords: Interactive attempts including password guessing, brute force attacks or some knowledge of the user or agency. Obtaining the password through social engineering or phishing. Compromising the password through oversight, observation, use of keyloggers, cameras etc. Cracking through network traffic interception, misconfiguration, malware, data capture etc. For example a simple eight-letter password can today be brute-forced in minutes by software freely available on the Internet. Password controls are designed to manage these risks and attack methods using the controls specified in this section. For example, passwords with at least ten characters utilising upper and lower case, numbers and special characters have a much greater resistance to brute force attacks. When use in combination with controls such as password history and regular password change, passwords can present high resistance to known attack methods.	link	2

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-01-28 17:51:01	change	Major (2.0.0 > 3.0.0)
2020-09-15 14:06:41	change	Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Settings - Account Policies'
2020-08-20 14:05:01	add	f2143251-70de-4e81-87a8-36cee5a2f29d

Initiatives
usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
[Preview]: Australian Government ISM PROTECTED	27272c0b-c225-4cc3-b8b0-f2534b093077	Regulatory Compliance	Preview	BuiltIn
[Preview]: Windows machines should meet requirements for the Azure compute security baseline	be7a78aa-3e10-4153-a5fd-8c6506dbc821	Guest Configuration	Preview	BuiltIn
New Zealand ISM Restricted	d1a462af-7e6d-4901-98ac-61570b4ed22a	Regulatory Compliance	GA	BuiltIn

JSON