Json |
{
"properties": {
"displayName": "Windows machines should meet requirements for 'Security Settings - Account Policies'",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.",
"metadata": {
"category": "Guest Configuration",
"version": "2.0.0",
"requiredProviders": [
"Microsoft.GuestConfiguration"
],
"guestConfiguration": {
"name": "AzureBaseline_SecuritySettingsAccountPolicies",
"version": "1.*",
"configurationParameter": {
"EnforcePasswordHistory": "Enforce password history;ExpectedValue",
"MaximumPasswordAge": "Maximum password age;ExpectedValue",
"MinimumPasswordAge": "Minimum password age;ExpectedValue",
"MinimumPasswordLength": "Minimum password length;ExpectedValue",
"PasswordMustMeetComplexityRequirements": "Password must meet complexity requirements;ExpectedValue"
}
}
},
"parameters": {
"IncludeArcMachines": {
"type": "String",
"metadata": {
"displayName": "Include Arc connected servers",
"description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "false"
},
"EnforcePasswordHistory": {
"type": "String",
"metadata": {
"displayName": "Enforce password history",
"description": "Specifies limits on password reuse - how many times a new password must be created for a user account before the password can be repeated."
},
"defaultValue": "24"
},
"MaximumPasswordAge": {
"type": "String",
"metadata": {
"displayName": "Maximum password age",
"description": "Specifies the maximum number of days that may elapse before a user account password must be changed. The format of the value is two integers separated by a comma, denoting an inclusive range."
},
"defaultValue": "1,70"
},
"MinimumPasswordAge": {
"type": "String",
"metadata": {
"displayName": "Minimum password age",
"description": "Specifies the minimum number of days that must elapse before a user account password can be changed."
},
"defaultValue": "1"
},
"MinimumPasswordLength": {
"type": "String",
"metadata": {
"displayName": "Minimum password length",
"description": "Specifies the minimum number of characters that a user account password may contain."
},
"defaultValue": "14"
},
"PasswordMustMeetComplexityRequirements": {
"type": "String",
"metadata": {
"displayName": "Password must meet complexity requirements",
"description": "Specifies whether a user account password must be complex. If required, a complex password must not contain part of user's account name or full name; be at least 6 characters long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters."
},
"defaultValue": "1"
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of this policy"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"in": [
"esri",
"incredibuild",
"MicrosoftDynamicsAX",
"MicrosoftSharepoint",
"MicrosoftVisualStudio",
"MicrosoftWindowsDesktop",
"MicrosoftWindowsServerHPCPack"
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsServer"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "2008*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftSQLServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"notLike": "SQL2008*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-dsvm"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "dsvm-windows"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-ads"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"standard-data-science-vm",
"windows-data-science-vm"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "batch"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "rendering-windows2016"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "center-for-internet-security-inc"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "cis-windows-server-201*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "pivotal"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "bosh-windows-server*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "cloud-infrastructure-services"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "ad*"
}
]
},
{
"allOf": [
{
"anyOf": [
{
"field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
"exists": "true"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"like": "Windows*"
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"exists": "false"
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "2008*"
},
{
"field": "Microsoft.Compute/imageOffer",
"notLike": "SQL2008*"
}
]
}
]
}
]
}
]
}
]
},
{
"allOf": [
{
"value": "[parameters('IncludeArcMachines')]",
"equals": "true"
},
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"field": "Microsoft.HybridCompute/imageOffer",
"like": "windows*"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name": "AzureBaseline_SecuritySettingsAccountPolicies",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
"equals": "Compliant"
},
{
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash",
"equals": "[base64(concat('Enforce password history;ExpectedValue', '=', parameters('EnforcePasswordHistory'), ',', 'Maximum password age;ExpectedValue', '=', parameters('MaximumPasswordAge'), ',', 'Minimum password age;ExpectedValue', '=', parameters('MinimumPasswordAge'), ',', 'Minimum password length;ExpectedValue', '=', parameters('MinimumPasswordLength'), ',', 'Password must meet complexity requirements;ExpectedValue', '=', parameters('PasswordMustMeetComplexityRequirements')))]"
}
]
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/f2143251-70de-4e81-87a8-36cee5a2f29d",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "f2143251-70de-4e81-87a8-36cee5a2f29d"
}
|