AzInitiativeAdvertizer

last sync: 2022-Dec-02 17:43:04 UTC

Azure Policy Initiative

[Preview]: SWIFT CSP-CSCF v2020

Name

[Preview]: SWIFT CSP-CSCF v2020
Azure Portal

3e0c67fc-8c7c-406c-89bd-6b6bdc986a22

Version

6.0.0-preview
details on versioning

Category

Regulatory Compliance
Microsoft docs

Description

This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2020-init.

Type

BuiltIn

Deprecated

False

Preview

True

History

Date/Time (UTC ymd) (i)	Changes
2022-07-07 16:32:14	Version change: '5.0.0-preview' to '6.0.0-preview' remove Policy [Deprecated]: Remote debugging should be turned off for API Apps (e9c8d085-d9cc-4b17-9cdc-059f1f01f19e)
2022-06-10 16:31:22	Version change: '3.1.1-preview' to '5.0.0-preview' remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2022-04-07 17:18:35	Version change: '3.1.0-preview' to '3.1.1-preview'
2022-04-01 20:29:13	Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift-blueprint.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift2020-init.'
2020-09-09 11:24:08	add Policy Audit Windows machines that do not restrict the minimum password length to 14 characters (a2d0e922-65d0-40c4-8f87-ea6da2d307a2) add Policy Audit Windows machines on which the Log Analytics agent is not connected as expected (6265018c-d7e2-432f-a75d-094d5f6f4465) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e) add Policy Audit Windows machines that are not joined to the specified domain (84662df4-0e37-44a6-9ce1-c9d2150db18c) add Policy Audit Linux machines that do not have the passwd file permissions set to 0644 (e6955644-301c-44b5-a4c4-528577de6861) add Policy Audit Windows machines missing any of specified members in the Administrators group (30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) add Policy Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023) add Policy Audit Windows machines that do not have a maximum password age of 70 days (4ceb8dc2-559c-478b-a15b-733fbf1e3738) add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6) add Policy Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6) add Policy Audit Windows machines that allow re-use of the previous 24 passwords (5b054a0d-39e2-4d53-bea3-9734cad2c69b) add Policy Audit Windows machines that do not have the password complexity setting enabled (bf16e0bb-31e1-4646-8202-60a235cc7e74) add Policy Audit Windows machines that do not have a minimum password age of 1 day (237b38db-ca4d-4259-9e47-7882441ca2c0) add Policy Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da) add Policy Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112) add Policy Audit Windows machines that do not store passwords using reversible encryption (da0f98fe-a24b-4ad5-af69-bd0400233661) remove Policy [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain (a29ee95c-0395-4515-9851-cc04ffe82a91) remove Policy [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters (5aebc8d1-020d-4037-89a0-02043a7524ec) remove Policy [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days (24dde96d-f0b1-425e-884f-4a1421e2dcdc) remove Policy [Deprecated]: Show audit results from Linux VMs that have accounts without passwords (c40c9087-1981-4e73-9f53-39743eda9d05) remove Policy [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords (2d67222d-05fd-4526-a171-2ee132ad9e83) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days (356a906e-05e5-4625-8729-90771e0ee934) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled (7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords (ec49586f-4939-402d-a29e-6ff502b20592) remove Policy [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords (cdbf72d9-ac9c-4026-8a3a-491a5ac59293) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords (3470477a-b35a-49db-aca5-1073d04524fe) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day (16390df4-2f73-4b42-af13-c801066763df) remove Policy [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled (f48b2913-1dc5-4834-8c72-ccc1dfd819bb) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain (315c850a-272d-4502-8935-b79010405970) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords (726671ac-c4de-4908-8c7d-6043ae62e3b6) remove Policy [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members (f3b44e5d-1456-475f-9c67-c66c4618e85a) remove Policy [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols (b2fc8f91-866d-4434-9089-5ebfe38d6fd8) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members (93507a81-10a4-4af0-9ee2-34cf25a96e98) remove Policy [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 (b18175dd-c599-4c64-83ba-bb018a06d35b) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters (23020aa6-1135-4be2-bae2-149982b06eca) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption (8ff0b18b-262e-4512-857a-48ad0aeb9a78) remove Policy [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day (5aa11bbc-5c76-4302-80e5-aba46a4282e7) remove Policy [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols (60ffe3e2-4604-4460-8f22-0f1da058266c) remove Policy [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected (a030a57e-4639-4e8f-ade9-a92f33afe7ee) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected (68511db2-bd02-41c4-ae6b-1900a012968a) remove Policy [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption (2d60d3b7-aa10-454c-88a8-de39d99d17c6) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 (f19aa1c1-6b91-4c27-ae6a-970279f03db9)
2020-07-01 14:50:07	remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278)
2020-06-16 14:55:25	Name change: '[Preview]: Audit SWIFT CSP-CSCF v2020 controls and deploy specific VM Extensions to support audit requirements' to '[Preview]: SWIFT CSP-CSCF v2020' Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/SWIFT-blueprint.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/swift-blueprint.'

Policy count

Total Policies: 59
Builtin Policies: 59
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State
A maximum of 3 owners should be designated for your subscription	4f11b553-d42e-4e3a-89be-32ca364cad4c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Adaptive application controls for defining safe applications should be enabled on your machines	47a6b606-51aa-4496-8bb7-64b11cf66adc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines	08e6af2d-db70-460a-bfe9-d5bd474ba9d6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	3cf2ab00-13f1-4d0c-8971-2ac904541a7e	Guest Configuration	Fixed modify	1	Contributor	GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	497dff13-db2a-4c0f-8603-28fa3b331ab6	Guest Configuration	Fixed modify	1	Contributor	GA
All network ports should be restricted on network security groups associated to your virtual machine	9daedab3-fb2d-461e-b861-71790eead4f6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
An Azure Active Directory administrator should be provisioned for SQL servers	1f314764-cb73-4fc9-b863-8eca98ac36e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should have remote debugging turned off	cb510bfd-1cba-4d9f-a230-cb0976f4bb71	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should only be accessible over HTTPS	a4af4a39-4135-47fb-b175-47fbdf85311d	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
Audit diagnostic setting	7f89b1eb-583c-429a-8828-af049802c1d9	Monitoring	Fixed AuditIfNotExists	0		GA
Audit Linux machines that allow remote connections from accounts without passwords	ea53dbee-c6c9-4f0e-9f9e-de0039b78023	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that do not have the passwd file permissions set to 0644	e6955644-301c-44b5-a4c4-528577de6861	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that have accounts without passwords	f6ec09a3-78bf-4f8f-99dc-6c77182d0f99	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit usage of custom RBAC rules	a451c1ef-c6ca-483d-87ed-f49761e3ffb5	General	Default Audit Allowed Audit, Disabled	0		GA
Audit VMs that do not use managed disks	06a78e20-9358-41c9-923c-fb736d382a4d	Compute	Fixed audit	0		GA
Audit Windows machines missing any of specified members in the Administrators group	30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7	Guest Configuration	Fixed auditIfNotExists	0		GA
Audit Windows machines on which the Log Analytics agent is not connected as expected	6265018c-d7e2-432f-a75d-094d5f6f4465	Guest Configuration	Fixed auditIfNotExists	0		GA
Audit Windows machines that allow re-use of the previous 24 passwords	5b054a0d-39e2-4d53-bea3-9734cad2c69b	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that are not joined to the specified domain	84662df4-0e37-44a6-9ce1-c9d2150db18c	Guest Configuration	Fixed auditIfNotExists	0		GA
Audit Windows machines that do not have a maximum password age of 70 days	4ceb8dc2-559c-478b-a15b-733fbf1e3738	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not have a minimum password age of 1 day	237b38db-ca4d-4259-9e47-7882441ca2c0	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not have the password complexity setting enabled	bf16e0bb-31e1-4646-8202-60a235cc7e74	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not restrict the minimum password length to 14 characters	a2d0e922-65d0-40c4-8f87-ea6da2d307a2	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not store passwords using reversible encryption	da0f98fe-a24b-4ad5-af69-bd0400233661	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Auditing on SQL server should be enabled	a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Automation account variables should be encrypted	3657f5a0-770e-44a3-b44e-9431ba1e9735	Automation	Default Audit Allowed Audit, Deny, Disabled	0		GA
Azure DDoS Protection Standard should be enabled	a7aca53f-2ed4-4466-a25e-0b45ade68efd	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers	abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images	e2dd799a-a932-4e9d-ac17-d473bc3c6c10	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs	331e8ea8-378a-410f-a2e5-ae22f38bb0da	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	385f5831-96d4-41db-9a3c-cd3af78aaae6	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Deprecated accounts should be removed from your subscription	6b1cbf55-e8b6-442f-ba4c-7246b6381474	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Deprecated accounts with owner permissions should be removed from your subscription	ebb62a0c-3560-49e1-89ed-27e074e9f8ad	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Endpoint protection solution should be installed on virtual machine scale sets	26a828e1-e88f-464e-bbb3-c134a282b9de	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
External accounts with owner permissions should be removed from your subscription	f8456c1c-aa66-4dfb-861a-25d127b775c9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
External accounts with read permissions should be removed from your subscription	5f76cf89-fbf2-47fd-a3f4-b891fa780b60	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
External accounts with write permissions should be removed from your subscription	5c607a2e-c700-4744-8254-d77e7c9eb5e4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should have remote debugging turned off	0e60b895-3786-45da-8377-9c6b4b6ac5f9	App Service	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Function apps should only be accessible over HTTPS	6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
Management ports of virtual machines should be protected with just-in-time network access control	b0f33259-77d7-4c9e-aac6-3aabcfae693c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
MFA should be enabled for accounts with write permissions on your subscription	9297c21d-2ed6-4474-b48f-163f75654ce3	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
MFA should be enabled on accounts with owner permissions on your subscription	aa633080-8b72-40c4-a2d7-d00c03e80bed	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
MFA should be enabled on accounts with read permissions on your subscription	e3576e28-8b17-4677-84c3-db2990658d64	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Monitor missing Endpoint Protection in Azure Security Center	af6cd1bd-1635-48cb-bde7-5b15693900b9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Only secure connections to your Azure Cache for Redis should be enabled	22bee202-a82f-4305-9a2a-6d7f44d4dedb	Cache	Default Audit Allowed Audit, Deny, Disabled	0		GA
Resource logs in Azure Stream Analytics should be enabled	f9be5368-9bf5-4b84-9e0a-7850da98bb46	Stream Analytics	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Secure transfer to storage accounts should be enabled	404c3081-a854-4457-ae30-26a93ef643f9	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Service Fabric clusters should only use Azure Active Directory for client authentication	b54ed75b-3e1a-44ac-a333-05ba39b99ff0	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	0		GA
SQL databases should have vulnerability findings resolved	feedbf84-6b99-488c-acc2-71c829aa5ffc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Storage accounts should be migrated to new Azure Resource Manager resources	37e0d2fe-28a5-43d6-a273-67d37d1f5606	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Storage accounts should restrict network access	34c877ad-507e-4c82-993e-3452a6e0ad3c	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
System updates on virtual machine scale sets should be installed	c3f317a7-a95c-4547-b7e7-11017ebdf2fe	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
System updates should be installed on your machines	86b3d65f-7626-441e-b690-81a8b71cff60	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
There should be more than one owner assigned to your subscription	09024ccc-0c5f-475e-9457-b7c0d9ed487b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Transparent Data Encryption on SQL databases should be enabled	17k78e20-9358-41c9-923c-fb736d382a12	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Virtual machines should be migrated to new Azure Resource Manager resources	1d84d5fb-01f6-4d12-ba4f-4a26081d403d	Compute	Default Audit Allowed Audit, Deny, Disabled	0		GA
Vulnerabilities in security configuration on your machines should be remediated	e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated	3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Windows web servers should be configured to use secure communication protocols	5752e6d6-1206-46d8-8ab1-ecc2f71a8112	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA

Roles used

Total Roles usage: 4
Total Roles unique usage: 1

Role	Role Id	Policies count	Policies
Contributor	b24988ac-6180-42a0-ab88-20f7382dd24c	4	Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

JSON