last sync: 2024-Oct-04 17:51:30 UTC

Microsoft Managed Control 1345 - Cryptographic Module Authentication | Regulatory Compliance - Identification and Authentication

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1345 - Cryptographic Module Authentication
Id f86aa129-7c07-4aa4-bbf5-792d93ffd9ea
Version 1.0.0
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Description Microsoft implements this Identification and Authentication control
Additional metadata Name/Id: ACF1345 / Microsoft Managed Control 1345
Category: Identification and Authentication
Title: Cryptographic Module Authentication
Ownership: Customer, Microsoft
Description: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Requirements: Azure implements encryption mechanisms on all internal and customer communications using cryptographic certificates issued by Certificate Management Tool which are anchored to the root Certificate Authority (CA). To request a cryptographic certificate, the Azure user interacts with an approved secret management store. The secret management store then interacts with Certificate Management Tool to process the request. The request is routed to the user’s manager for approval. Once the certificate is issued, the user uses multifactor authentication to access Azure assets to install the certificate. This process meets the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. Encryption mechanisms and techniques used by Azure follow the requirements and restrictions outlined in the Microsoft Cryptographic Standards for SDL Covered Products. These standards are in line with the use of only FIPS 140-2 compliant cyphers. Service data and information are handled in accordance with the requirements and restrictions specified in the Asset Classification Standard and the Asset Protection Standard when cryptography is used. The Asset Classification Standards and Asset Protection Standard establish the mandatory minimum requirements for Microsoft’s online services’ asset ownership, classification, and protection. Azure utilizes encryption for user authentication through Active Directory. 
The following FIPS-approved algorithms are supported:
* 3690 - Virtual TPM
* 3651 - Secure Kernel Code Integrity
* 3644 - Code Integrity
* 3630 - Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll)
* 3615 - Windows OS Loader
* 3544 - Cryptographic Primitives Library
* 3527 - Kernel Mode Cryptographic Primitives Library
* 3513 - Secure Kernel Code Integrity (skci.dll) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 3510 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 3502 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 3501 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 3487 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 3480 - Windows OS Loader
* 3469 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub
* 3464 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise
* 3451 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub
* 3447 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub
* 3197 - Cryptographic Primitives Library
* 3196 - Kernel Mode Cryptographic Primitives Library
* 3195 - Code Integrity
* 3194 - Windows OS Loader
* 3096 - Secure Kernel Code Integrity
* 3095 - Cryptographic Primitives Library
* 3094 - Kernel Mode Cryptographic Primitives Library
* 3093 - Code Integrity
* 3092 - BitLocker Dump Filter
* 3091 - Windows Resume
* 3090 - Windows OS Loader
* 3089 - Boot Manager
* 2938 - Secure Kernel Code Integrity (skci.dll) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 2937 - Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 2936 - Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 2935 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 2934 - BitLocker® Dump Filter (dumpfve.sys) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 2933 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 2932 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 2931 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016
* 2703 - BitLocker® Dump Filter (dumpfve.sys) in Microsoft Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub
* 2702 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise
* 2701 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub
* 2700 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub
* 2607 - Secure Kernel Code Integrity (skci.dll) in Microsoft Windows 10 Enterprise, Windows 10 Enterprise LTSB
* 2606 - Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows 10 for Surface Hub
* 2605 - Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows 10 for Surface Hub
* 2604 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows 10 for Surface Hub
* 2603 - BitLocker® Dump Filter (dumpfve.sys) in Microsoft Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB
* 2602 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB
* 2601 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB
* 2600 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB

Network Devices
AES-256 bit encrypted SSH is used for network device authentication using FIPS 140-2 approved algorithms:
* SecureCRT® 5.1-6.1 (FIPS Validation Certificate 608)
* SecureCRT 6.2-7.2 (FIPS Validation Certificate 1058)
* SecureCRT 7.3 (FIPS Validation Certificate 0039)
* SecureCRT 8.0 and later (FIPS Validation Certificate 0048)
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance
The following 1 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1345 - Cryptographic Module Authentication' (f86aa129-7c07-4aa4-bbf5-792d93ffd9ea)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.exp.10 Cryptographic key protection op.exp.10 Cryptographic key protection 404 not found n/a n/a 53
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History none
JSON compare n/a