Source | Azure Portal | ||
Display name | Microsoft Managed Control 1184 - Configuration Change Control | ||
Id | 13579d0e-0ab0-4b26-b0fb-d586f6d7ed20 | ||
Version | 1.0.0 |
||
Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
Category | Regulatory Compliance |
||
Description | Microsoft implements this Configuration Management control | ||
Additional metadata |
Name/Id: ACF1184 / Microsoft Managed Control 1184
Category: Configuration Management
Title: Configuration Change Control - Types of Changes
Ownership: Customer, Microsoft
Description: The organization: Determines the types of changes to the information system that are configuration-controlled;
Requirements: Configuration baselines are established based on industry standards, including CIS Benchmarks, DISA STIGs, NSA, various vulnerability library knowledgebases that are configuration related, and vendor recommendations. Configuration baselines undergo thorough review by security settings baseline experts within Azure, including the Security Assurance team and Microsoft Security Response Center, and other baseline experts across other Microsoft divisions who participate in a Shared Baselines working group. The industry standards and input from baseline experts across Microsoft, along with the environment-specific considerations and some role- or instance-specific settings, are used to establish the configuration settings. Changes to configuration baselines are handled through the update process at least annually, but also when new asset types are added to the inventory.
Changes to operational services can only be made when there is a valid business reason, such as a planned upgrade to the service. Changes implemented within the production environment are categorized into Request for Change (RFC) types to appropriately schedule, align resources, and provide change metrics back into the change process for continuous improvement. Azure service teams use the following RFC types: Major Release, Minor Release, and Revision Release. The naming convention for build releases varies by service team, and the specific processes required for the release are specified in the service-team-specific change management process documents.
Changes to configuration settings on Azure assets are handled in two ways. Code changes, image updates, and network device gold images follow the Microsoft Security Development Lifecycle (SDL) process, which requires security signoffs prior to production deployment. Changes to the configuration settings are deployed to the production environment using the change and release management process, including mandatory Safe Deployment Practices (SDP). These processes validate that the configuration setting changes move from one environment to the other with designated signoffs by appropriate Azure service team personnel. Access to migrate changes to production is restricted to the appropriate users via OneIdentity security groups. Changes to configuration settings on running assets made through interactive means, such as logging into and changing a configuration setting of a Windows server, must be made through the standard access elevation process. Different assets have different protections in place, depending on the impact of the change.
Servers: Azure Security Monitoring (ASM) monitors for configuration setting changes. Service teams are able to make certain changes that are not security relevant without response or alerting, but if critical configuration settings, such as audit and log settings, are changed, the action generates an IcM ticket for remediation.
Network Devices: Any network device change not correlated with a work ticket will generate an IcM ticket for investigation and potential remediation. |
||
Mode | Indexed | ||
Type | Static | ||
Preview | False | ||
Deprecated | False | ||
Effect | Fixed audit |
||
RBAC role(s) | none | ||
Rule aliases | none | ||
Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
Compliance | Not a Compliance control | ||
Initiatives usage | none | ||
History | none | ||
JSON compare | n/a | ||