AzInitiativeAdvertizer

last sync: 2023-Sep-26 18:00:58 UTC

Azure Policy Initiative (PolicySet)

[Preview]: Australian Government ISM PROTECTED

Source

Azure Portal

Display name

[Preview]: Australian Government ISM PROTECTED

27272c0b-c225-4cc3-b8b0-f2534b093077

Version

8.2.0-preview
details on versioning

Category

Regulatory Compliance
Microsoft docs

Description

This initiative includes policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/auism-initiative.

Type

BuiltIn

Deprecated

False

Preview

True

Policy count

Total Policies: 54
Builtin Policies: 54
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State
A maximum of 3 owners should be designated for your subscription	4f11b553-d42e-4e3a-89be-32ca364cad4c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
A vulnerability assessment solution should be enabled on your virtual machines	501541f7-f7e7-4cd6-868c-4190fdad3ac9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with owner permissions on Azure resources should be MFA enabled	e3e008c3-56b9-4133-8fd7-d3347377402a	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with read permissions on Azure resources should be MFA enabled	81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with write permissions on Azure resources should be MFA enabled	931e118d-50a1-4457-a5e4-78550e086c52	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Adaptive application controls for defining safe applications should be enabled on your machines	47a6b606-51aa-4496-8bb7-64b11cf66adc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines	08e6af2d-db70-460a-bfe9-d5bd474ba9d6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	3cf2ab00-13f1-4d0c-8971-2ac904541a7e	Guest Configuration	Fixed modify	1	Contributor	GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	497dff13-db2a-4c0f-8603-28fa3b331ab6	Guest Configuration	Fixed modify	1	Contributor	GA
An Azure Active Directory administrator should be provisioned for SQL servers	1f314764-cb73-4fc9-b863-8eca98ac36e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should have remote debugging turned off	cb510bfd-1cba-4d9f-a230-cb0976f4bb71	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should not have CORS configured to allow every resource to access your apps	5744710e-cc2f-4ee8-8809-3b11e89f4bc9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should only be accessible over HTTPS	a4af4a39-4135-47fb-b175-47fbdf85311d	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
App Service apps should use the latest TLS version	f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit diagnostic setting for selected resource types	7f89b1eb-583c-429a-8828-af049802c1d9	Monitoring	Fixed AuditIfNotExists	0		GA
Audit Linux machines that allow remote connections from accounts without passwords	ea53dbee-c6c9-4f0e-9f9e-de0039b78023	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that have accounts without passwords	f6ec09a3-78bf-4f8f-99dc-6c77182d0f99	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit virtual machines without disaster recovery configured	0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56	Compute	Fixed auditIfNotExists	0		GA
Audit Windows machines that have the specified members in the Administrators group	69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f	Guest Configuration	Fixed auditIfNotExists	0		GA
Azure DDoS Protection Standard should be enabled	a7aca53f-2ed4-4466-a25e-0b45ade68efd	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers	abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances	abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Blocked accounts with owner permissions on Azure resources should be removed	0cfea604-3201-4e14-88fc-fae4c427a6c5	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Blocked accounts with read and write permissions on Azure resources should be removed	8d7e1fde-fe26-4b5f-8108-f8e432cbc2be	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs	331e8ea8-378a-410f-a2e5-ae22f38bb0da	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	385f5831-96d4-41db-9a3c-cd3af78aaae6	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Endpoint protection solution should be installed on virtual machine scale sets	26a828e1-e88f-464e-bbb3-c134a282b9de	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should have remote debugging turned off	0e60b895-3786-45da-8377-9c6b4b6ac5f9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should only be accessible over HTTPS	6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
Function apps should use the latest TLS version	f9d614c5-c173-4d56-95a7-b4437057d193	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Guest accounts with owner permissions on Azure resources should be removed	339353f6-2387-4a45-abe4-7f529d121046	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Guest accounts with write permissions on Azure resources should be removed	94e1c2ac-cbbe-4cac-a2b5-389c812dee87	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Internet-facing virtual machines should be protected with network security groups	f6de0be7-9a8a-4b8a-b349-43cf02d22f7c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Management ports of virtual machines should be protected with just-in-time network access control	b0f33259-77d7-4c9e-aac6-3aabcfae693c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Microsoft IaaSAntimalware extension should be deployed on Windows servers	9b597639-28e4-48eb-b506-56b05d366257	Compute	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Monitor missing Endpoint Protection in Azure Security Center	af6cd1bd-1635-48cb-bde7-5b15693900b9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Only secure connections to your Azure Cache for Redis should be enabled	22bee202-a82f-4305-9a2a-6d7f44d4dedb	Cache	Default Audit Allowed Audit, Deny, Disabled	0		GA
Secure transfer to storage accounts should be enabled	404c3081-a854-4457-ae30-26a93ef643f9	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Service Fabric clusters should only use Azure Active Directory for client authentication	b54ed75b-3e1a-44ac-a333-05ba39b99ff0	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	0		GA
SQL databases should have vulnerability findings resolved	feedbf84-6b99-488c-acc2-71c829aa5ffc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Storage accounts should restrict network access	34c877ad-507e-4c82-993e-3452a6e0ad3c	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
System updates on virtual machine scale sets should be installed	c3f317a7-a95c-4547-b7e7-11017ebdf2fe	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
System updates should be installed on your machines	86b3d65f-7626-441e-b690-81a8b71cff60	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
There should be more than one owner assigned to your subscription	09024ccc-0c5f-475e-9457-b7c0d9ed487b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Transparent Data Encryption on SQL databases should be enabled	17k78e20-9358-41c9-923c-fb736d382a12	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Virtual machines should be connected to a specified workspace	f47b5582-33ec-4c5c-87c0-b010a6b2e917	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources	0961003e-5a0a-4549-abde-af6a37f2724d	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerabilities in container security configurations should be remediated	e8cbc669-f12d-49eb-93e7-9273119e9933	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerabilities in security configuration on your machines should be remediated	e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated	3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerability assessment should be enabled on SQL Managed Instance	1b7aa243-30e4-4c9e-bca8-d0d3022b634a	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerability assessment should be enabled on your SQL servers	ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows machines should meet requirements for 'Security Settings - Account Policies'	f2143251-70de-4e81-87a8-36cee5a2f29d	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows web servers should be configured to use secure communication protocols	5752e6d6-1206-46d8-8ab1-ecc2f71a8112	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA

Roles used

Total Roles usage: 4
Total Roles unique usage: 1

Role	Role Id	Policies count	Policies
Contributor	b24988ac-6180-42a0-ab88-20f7382dd24c	4	Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

History

Date/Time (UTC ymd) (i)	Changes
2023-05-04 17:45:12	add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046) add Policy Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) add Policy Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a) add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) add Policy Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52) add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5) add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87) Version change: '8.1.0-preview' to '8.2.0-preview' remove Policy [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64) remove Policy [Deprecated]: External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4) remove Policy [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3) remove Policy [Deprecated]: Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474) remove Policy [Deprecated]: External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9) remove Policy [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed) remove Policy [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad)
2023-01-19 18:07:18	Version change: '8.0.0-preview' to '8.1.0-preview' remove Policy [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports (057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9)
2022-07-07 16:32:14	Version change: '7.0.0-preview' to '8.0.0-preview' remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e) remove Policy [Deprecated]: Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e)
2022-06-10 16:31:22	Version change: '5.1.0-preview' to '7.0.0-preview' remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2021-08-12 19:47:01	remove Policy Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images (5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) remove Policy Azure subscriptions should have a log profile for Activity Log (7796937f-307b-4598-941c-67d3a05ebfe7) remove Policy [Preview]: Log Analytics Extension should be enabled for listed virtual machine images (32133ab0-ee4b-4b44-98d6-042180979d50)
2021-08-11 15:29:42	Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.' to 'This initiative includes policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/auism-initiative.'
2021-01-22 09:14:56	remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2020-09-09 11:24:08	add Policy Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023) add Policy Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da) add Policy Audit Windows machines that have the specified members in the Administrators group (69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) add Policy Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99) add Policy Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members (144f1397-32f9-4598-8c88-118decc3ccba) remove Policy [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords (2d67222d-05fd-4526-a171-2ee132ad9e83) remove Policy [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols (b2fc8f91-866d-4434-9089-5ebfe38d6fd8) remove Policy [Deprecated]: Show audit results from Linux VMs that have accounts without passwords (c40c9087-1981-4e73-9f53-39743eda9d05) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords (ec49586f-4939-402d-a29e-6ff502b20592) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords (3470477a-b35a-49db-aca5-1073d04524fe) remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members (bde62c94-ccca-4821-a815-92c1d31a76de) remove Policy [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols (60ffe3e2-4604-4460-8f22-0f1da058266c)
2020-08-21 13:50:30	add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e) add Policy Windows machines should meet requirements for 'Security Settings - Account Policies' (f2143251-70de-4e81-87a8-36cee5a2f29d) add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' (e3d95ab7-f47a-49d8-a347-784177b6c94c) remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' (ddb53c61-9db4-41d4-a953-2abff5b66c12)
2020-06-16 14:55:25	Name change: '[Preview]: Audit Australian Government ISM PROTECTED controls and deploy specific VM Extensions to support audit requirements' to '[Preview]: Australian Government ISM PROTECTED' Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Australian Government Information Security Manual(ISM) controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/AustralianGovernmentISM-blueprint.'
2020-04-22 04:43:14	add Initiative 27272c0b-c225-4cc3-b8b0-f2534b093077

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01