| Field | Value |
|---|---|
| Source | Azure Portal |
| Display name | Microsoft Managed Control 1634 - Boundary Protection \| Prevent Unauthorized Exfiltration |
| Id | 292a7c44-37fa-4c68-af7c-9d836955ded2 |
| Version | 1.0.0 |
| Versioning | Versions supported: 0 (Built-in Versioning [Preview]) |
| Category | Regulatory Compliance |
| Description | Microsoft implements this System and Communications Protection control |
| Mode | Indexed |
| Type | Static |
| Preview | False |
| Deprecated | False |
| Effect | Fixed (audit) |
| RBAC role(s) | none |
| Rule aliases | none |
| Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
| Compliance | Not a Compliance control |
| Initiatives usage | none |
| History | none |
| JSON compare | n/a |
| JSON | |

Additional metadata

| Field | Value |
|---|---|
| Name/Id | ACF1634 / Microsoft Managed Control 1634 |
| Category | System and Communications Protection |
| Title | Boundary Protection \| Prevent Unauthorized Exfiltration |
| Ownership | Customer, Microsoft |
| Description | The organization prevents the unauthorized exfiltration of information across managed interfaces. |

Requirements:

For Azure services, onboarding to Azure Security Pack (AzSecPack) enables monitoring of network communication, correlated with network logs and in-memory lateral movement during post-exploitation, for all deployment types via Process Investigation, which is available externally through Azure Security Center's Fileless Attack detections, and via the Network Risk Management (NRM) Service. The NRM service assesses the resultant set of open ports and protocols based on data provided by the VM agent. Additionally, for VMs hosted on Azure, the Network Security Group (NSG) settings are considered and the resultant set of the settings is calculated. For assets running on bare metal, Azure assesses the Surface Area Manager configuration settings. For Linux VMs hosted in Azure, Azure uses the NSG settings to validate that the configuration meets the network baseline requirements.

For all deployment types, if a network baseline violation exposes a management port to the internet, an alert is generated and provided to the service team.

For internal services, there is monitoring and alerting for unusual behavior of key security features, including but not limited to: a user accessing an asset without using Azure Just In Time (JIT) access, a dSTS account showing an unusual access pattern, unusual activity in Geneva Actions, the Azure Fabric being accessed without Azure JIT, or a service owner's permissions in the service team subscription changing unexpectedly. Additionally, service teams, regardless of deployment type, must monitor their own network connections for unexpected network activity at the application layer.

However, to protect customer end user identifiable information, Azure does not monitor customer traffic in its security monitoring solutions. Azure does not inspect or monitor customer traffic. By default, Microsoft is unaware of what data the customer sends outbound from the environment. In the event of customer data spillage, upon customer request, Microsoft may assist with the incident, including accessing customer data according to the Azure Incident Management SOP.