last sync: 2024-Nov-25 18:54:24 UTC

Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection | Regulatory Compliance - Configuration Management

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection
Id c158eb1c-ae7e-4081-8057-d527140c4e0c
Version 1.0.0
Versioning Versions supported for Versioning: 0
Category Regulatory Compliance
Description Microsoft implements this Configuration Management control
Additional metadata Name/Id: ACF1226 / Microsoft Managed Control 1226
Category: Configuration Management
Title: Information System Component Inventory | Automated Unauthorized Component Detection - Detect
Ownership: Customer, Microsoft
Description: The organization: does not employ automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system. Azure Infrastructure does not wait to disable network access for unauthorized components/devices into the IS. Ports are turned off by default. Unassigned ports are put into a VLAN that is not configured at Layer 3 (L3) and has no provisioned servers in it. Azure uses ACLs on the L3 to deny packets sourced by the subnet from entering that subnet.
Requirements: As a primary protection, Azure employs strict physical access controls in the datacenters to mitigate the unauthorized addition of new devices into the environment. Physical access to the devices to add additional ports is also disabled within the environment.
Servers: In addition to the standard release processes that are part of OneBranch processes, which include build release verification steps such as virus scanning, services running AzSecPack are monitored by the Azure System Lockdown (AzSysLock) team for unexpected running software. This is defined as any software that is not signed with the appropriate signing certificates. AzSysLock sends alerts to service teams that are not properly using AppLocker and Code Integrity. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, a binary does not run if it is not signed. Alerts for unsigned binaries running are created for service owners as a Severity 2 incident. AzSecPack also monitors the server security configuration baseline for baseline violations, which are then reported to service owners through Incident Management (IcM) and/or Service 360 (S360), depending on the severity of the violation. Near real-time alerts include alerts for audit processing failures, such as system time changes or audit policy changes. Additionally, virtual components within Azure are managed by the Fabric Controller (FC), which is the component used to create, monitor, restart, and destroy virtual machines. Overall VM and Azure Host/Native management coverage of AzSecPack is maintained by AzSecPack.
Network Devices: All network devices managed by Azure Networking go through the Configuration Policy Verifier (CPV) tool. This tool is executed on all devices that are in buildout to run a series of acceptance tests on devices before they are marked ready for production.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance
The following 1 compliance control is associated with this Policy definition 'Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection' (c158eb1c-ae7e-4081-8057-d527140c4e0c)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.exp.1 Asset inventory op.exp.1 Asset inventory 404 not found n/a n/a 40
Initiatives usage
Initiative DisplayName: Spain ENS
Initiative Id: 175daf90-21e1-4fec-b745-7b4c909aa94c
Initiative Category: Regulatory Compliance
State: GA
Type: BuiltIn
History none
JSON compare n/a