Source | Azure Portal | ||
Display name | Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes | ||
Id | 0f4f6750-d1ab-4a4c-8dfd-af3237682665 | ||
Version | 1.0.0 | ||
Versioning | Versions supported for Versioning: 0 Built-in Versioning [Preview] | ||
Category | Regulatory Compliance | ||
Description | Microsoft implements this Configuration Management control | ||
Additional metadata |
Name/Id: ACF1204 / Microsoft Managed Control 1204
Category: Configuration Management
Title: Access Restrictions For Change | Review System Changes
Ownership: Customer, Microsoft
Description: The organization reviews information system changes every 30 days; continuously and during the post-implementation review process defined in the Microsoft Change Management Standard; and after any change that affects the defined security posture, to determine whether unauthorized changes have occurred.
Requirements: The Microsoft Change Management Standard specifies that all substantial changes must be reassessed and require review by the change review committee. Where appropriate, a Post-Implementation Review (PIR) may confirm that the change has met its objectives and that there have been no unexpected side-effects. Post-implementation actions should include:
* Assessing the implementation process
* Validating success
* Identifying lessons learned
* Finalizing the change documentation
Azure also maintains a dedicated security incident monitoring team that investigates, if indications so warrant, to determine whether unauthorized changes have occurred in the environment. All Microsoft personnel have a responsibility to report events that they believe indicate a security incident has occurred.
Servers
Azure develops, applies, and controls configuration settings and changes to configuration settings following the change and release process. This process ensures that no unauthorized changes are made to settings. When a change is made to a configuration setting, all servers with that configuration setting are redeployed. This ensures that all servers of a particular role are deployed identically. If an attacker were to compromise and change the configuration of an individual server, any anomalous behavior is detected using Azure's auditing and monitoring processes. Additionally, any changes made by the attacker are overwritten upon the next deployment.
Microsoft develops new code bases every thirty (30) days and as part of the continuous monitoring and patching process, and these are pushed out to the servers.
Network Devices
All configuration changes performed on network devices are captured in syslog events, and multiple high-level monitoring tools conduct continuous daily monitoring of all network devices for conformance to Azure Networking standards. The Config Policy Verifier (CPV) tool conducts continuous daily monitoring of all network devices for conformance to Azure Networking standards. The tool checks for any policy violations and alerts appropriate personnel of findings. |
||
Mode | Indexed | ||
Type | Static | ||
Preview | False | ||
Deprecated | False | ||
Effect | Fixed audit | ||
RBAC role(s) | none | ||
Rule aliases | none | ||
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups | ||
Compliance | Not a Compliance control | ||
Initiatives usage | none | ||
History | none | ||
JSON compare | n/a | ||