Source | Azure Portal | ||
Display name | Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components | ||
Id | 5b070cab-0fb8-4e48-ad29-fc90b4c2797c | ||
Version | 1.0.0 | ||
Versioning | Versions supported for Versioning: 0 | ||
Category | Regulatory Compliance | ||
Description | Microsoft implements this Configuration Management control | ||
Additional metadata |
Name/Id: ACF1205 / Microsoft Managed Control 1205
Category: Configuration Management
Title: Access Restrictions For Change | Signed Components
Ownership: Customer, Microsoft
Description: The information system prevents the installation of All software without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Requirements: In accordance with Microsoft Security Program Policy (MSPP), all software installed within Azure must have a valid signature. The Azure System Lockdown (AzSysLock) team uses AzSecPack to monitor for unexpected running software. This is defined as any software that is not signed per the appropriate signing certificates. AzSysLock sends alerts for service teams that are not properly using AppLocker and Code Integrity. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, the binary does not run if it is not signed. Alerts for unsigned binaries running are created to service owners as a Severity 2 incident. AzSecPack also monitors the server and network device security configuration settings for baseline violations, which are then reported to service owners through Incident Management (IcM) or Service 360 (S360) depending on the severity of the violation. Near real-time alerts include alerts for audit processing failures, such as system time changes or audit policy changes. |
||
Mode | Indexed | ||
Type | Static | ||
Preview | False | ||
Deprecated | False | ||
Effect | Fixed audit | ||
RBAC role(s) | none | ||
Rule aliases | none | ||
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups | ||
Compliance | Not a Compliance control | ||
Initiatives usage | none | ||
History | none | ||
JSON compare | n/a | ||