last sync: 2022-Dec-02 17:43:04 UTC

Azure Policy Initiative

[Preview]: Motion Picture Association of America (MPAA)

Name[Preview]: Motion Picture Association of America (MPAA)
Azure Portal
Id92646f03-e39d-47a9-9e24-58d60ef49af8
Version4.0.3-preview
details on versioning
CategoryRegulatory Compliance
Microsoft docs
DescriptionThis initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-init.
TypeBuiltIn
DeprecatedFalse
PreviewTrue
History
Date/Time (UTC ymd) (i) Changes
2022-04-07 17:18:35 Version change: '4.0.2-preview' to '4.0.3-preview'
2022-04-01 20:29:13 Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-blueprint.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-init.'
2021-01-22 09:14:56 add Policy A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9)
remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2020-09-09 11:24:08 add Policy Audit Windows machines that do not contain the specified certificates in Trusted Root (934345e1-4dfb-4c70-90d7-41990dc9608b)
add Policy Audit Windows machines that do not restrict the minimum password length to 14 characters (a2d0e922-65d0-40c4-8f87-ea6da2d307a2)
add Policy Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023)
add Policy Audit Linux machines that don't have the specified applications installed (d3b823c9-e0fc-4453-9fb2-8213b7338523)
add Policy Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da)
add Policy Audit Windows machines that contain certificates expiring within the specified number of days (1417908b-4bff-46ee-a2a6-4acc899320ab)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters (23020aa6-1135-4be2-bae2-149982b06eca)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days (c5fbc59e-fb6f-494f-81e2-d99a671bdaa8)
remove Policy [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days (9328f27e-611e-44a7-a244-39109d7d35ab)
remove Policy [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords (2d67222d-05fd-4526-a171-2ee132ad9e83)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords (ec49586f-4939-402d-a29e-6ff502b20592)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root (106ccbe4-a791-4f33-a44a-06796944b8d5)
remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed (4d1c04de-2172-403f-901b-90608c35c721)
remove Policy [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root (f3b9ad83-000d-4dc1-bff0-6d54533dd03f)
remove Policy [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed (fee5cb2b-9d9b-410e-afe3-2902d90d0004)
remove Policy [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters (5aebc8d1-020d-4037-89a0-02043a7524ec)
2020-08-21 13:50:30 add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6)
add Policy Windows machines should meet requirements for 'Security Options - Accounts' (ee984370-154a-4ee8-9726-19d900e56fc0)
add Policy Windows machines should meet requirements for 'Security Options - Microsoft Network Client' (d6c69680-54f0-4349-af10-94dd05f4225e)
add Policy Windows machines should meet requirements for 'User Rights Assignment' (e068b215-0026-4354-b347-8fb2766f73a2)
add Policy Windows machines should meet requirements for 'Security Options - System settings' (12017595-5a75-4bb1-9d97-4c2c939ea3c3)
add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6)
add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e)
add Policy Windows machines should meet requirements for 'Security Options - Network Access' (3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd)
add Policy Windows machines should meet requirements for 'Windows Firewall Properties' (35d9882c-993d-44e6-87d2-db66ce21b636)
add Policy Windows machines should meet requirements for 'Security Options - Recovery console' (f71be03e-e25b-4d0f-b8bc-9b3e309b66c0)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' (8a39d1f1-5513-4628-b261-f469a5a3341b)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' (f56a3ab2-89d1-44de-ac0d-2ada5962e22a)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' (bbcdd8fa-b600-4ee3-85b8-d184e3339652)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' (815dcc9f-6662-43f2-9a03-1b83e9876f24)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' (ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' (437a1f8f-8552-47a8-8b12-a2fee3269dd5)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' (fcbc55c9-f25a-4e55-a6cb-33acb3be778b)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' (e5b81f87-9185-4224-bf00-9f505e9f89f3)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' (c961dac9-5916-42e8-8fb1-703148323994)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' (ba12366f-f9a6-42b8-9d98-157d0b1a837b)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' (30040dab-4e75-4456-8273-14b8f75d91d9)
remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' (909c958d-1b99-4c74-b88f-46a5c5bc34f9)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' (b872a447-cc6f-43b9-bccf-45703cd81607)
remove Policy [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' (8bbd627e-4d25-4906-9a6e-3789780af3ec)
2020-07-01 14:50:07 remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings (bda18df3-5e41-4709-add9-2554ce68c966)
2020-06-16 14:55:25 Name change: '[Preview]: Audit Motion Picture Association of America (MPAA) controls and deploy specific VM Extensions to support audit requirements' to '[Preview]: Motion Picture Association of America (MPAA)'
Description change: 'This initiative includes policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/mpaa-blueprint' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-blueprint.'
2020-01-09 16:38:57 add Initiative 92646f03-e39d-47a9-9e24-58d60ef49af8
Policy count Total Policies: 36
Builtin Policies: 36
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect Roles# Roles State
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Guest Configuration Fixed
modify
1 Contributor GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 497dff13-db2a-4c0f-8603-28fa3b331ab6 Guest Configuration Fixed
modify
1 Contributor GA
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace a1817ec0-a368-432a-8057-8371e17ac6ee Service Bus Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
Audit Linux machines that allow remote connections from accounts without passwords ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Linux machines that don't have the specified applications installed d3b823c9-e0fc-4453-9fb2-8213b7338523 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Audit Windows machines that contain certificates expiring within the specified number of days 1417908b-4bff-46ee-a2a6-4acc899320ab Guest Configuration Fixed
auditIfNotExists
0 GA
Audit Windows machines that do not contain the specified certificates in Trusted Root 934345e1-4dfb-4c70-90d7-41990dc9608b Guest Configuration Fixed
auditIfNotExists
0 GA
Audit Windows machines that do not restrict the minimum password length to 14 characters a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Configure Azure Defender to be enabled on SQL servers 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 SQL Fixed
DeployIfNotExists
1 SQL Security Manager GA
Deploy default Microsoft IaaSAntimalware extension for Windows Server 2835b622-407b-4114-9198-6f7064cbe0dc Compute Fixed
deployIfNotExists
1 Virtual Machine Contributor GA
Deploy Diagnostic Settings for Network Security Groups c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 Monitoring Fixed
deployIfNotExists
2 Monitoring Contributor, Storage Account Contributor GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 331e8ea8-378a-410f-a2e5-ae22f38bb0da Guest Configuration Fixed
deployIfNotExists
1 Contributor GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 385f5831-96d4-41db-9a3c-cd3af78aaae6 Guest Configuration Fixed
deployIfNotExists
1 Contributor GA
External accounts with owner permissions should be removed from your subscription f8456c1c-aa66-4dfb-861a-25d127b775c9 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
IP Forwarding on your virtual machine should be disabled bd352bd5-2853-4985-bf0d-73806b4a5744 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Metric alert rules should be configured on Batch accounts 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 Batch Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
MFA should be enabled for accounts with write permissions on your subscription 9297c21d-2ed6-4474-b48f-163f75654ce3 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Network interfaces should disable IP forwarding 88c0b9da-ce96-4b03-9635-f29a937e2900 Network Fixed
deny
0 GA
Resource logs in Logic Apps should be enabled 34f95f76-5386-4de7-b824-0d8478470c9d Logic Apps Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Resource logs in Search services should be enabled b4330a05-a843-4bc8-bf9a-cacce50c67f4 Search Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Role-Based Access Control (RBAC) should be used on Kubernetes Services ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Security Center Default
Audit
Allowed
Audit, Disabled
0 GA
SQL databases should have vulnerability findings resolved feedbf84-6b99-488c-acc2-71c829aa5ffc Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 89099bee-89e0-4b26-a5f4-165451757743 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage Default
Audit
Allowed
Audit, Deny, Disabled
0 GA
System updates should be installed on your machines 86b3d65f-7626-441e-b690-81a8b71cff60 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 0961003e-5a0a-4549-abde-af6a37f2724d Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Security Options - Accounts' ee984370-154a-4ee8-9726-19d900e56fc0 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Security Options - Microsoft Network Client' d6c69680-54f0-4349-af10-94dd05f4225e Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Security Options - Network Access' 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Security Options - Recovery console' f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Security Options - System settings' 12017595-5a75-4bb1-9d97-4c2c939ea3c3 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'User Rights Assignment' e068b215-0026-4354-b347-8fb2766f73a2 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Windows machines should meet requirements for 'Windows Firewall Properties' 35d9882c-993d-44e6-87d2-db66ce21b636 Guest Configuration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
0 GA
Roles used Total Roles usage: 8
Total Roles unique usage: 5
Role Role Id Policies count Policies
Monitoring Contributor 749f88d5-cbae-40b8-bcfc-e573ddc772fa 1 Deploy Diagnostic Settings for Network Security Groups
SQL Security Manager 056cd41c-7e88-42e1-933e-88ba6a50c9c3 1 Configure Azure Defender to be enabled on SQL servers
Virtual Machine Contributor 9980e02c-c2be-4d73-94e8-173b1dc7cf3c 1 Deploy default Microsoft IaaSAntimalware extension for Windows Server
Storage Account Contributor 17d1049b-9a84-46fb-8f53-869881c3d3ab 1 Deploy Diagnostic Settings for Network Security Groups
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c 4 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
JSON