Source | Azure Portal
Display name | Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection
Id | c158eb1c-ae7e-4081-8057-d527140c4e0c
Version | 1.0.0
Versioning | Versions supported for Versioning: 0 (Built-in Versioning [Preview])
Category | Regulatory Compliance
Description | Microsoft implements this Configuration Management control
Additional metadata |
Name/Id: ACF1226 / Microsoft Managed Control 1226
Category: Configuration Management
Title: Information System Component Inventory | Automated Unauthorized Component Detection - Detect
Ownership: Customer, Microsoft
Description: The organization: doesn't employ automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system. Azure Infrastructure does not wait to disable network access for unauthorized components/devices into the IS. Ports are turned off by default. Unassigned ports are put into a VLAN that is not configured at Layer 3 (L3) and has no provisioned servers in it. Azure uses ACLs on the L3 to deny packets sourced by the subnet from entering that subnet.
Requirements: As a primary protection, Azure employs strict physical access controls in the datacenters to mitigate the unauthorized addition of new devices into the environment. Physical access to the devices to add additional ports is also disabled within the environment.
Servers: In addition to the standard release processes that are part of the OneBranch processes, which include build release verification steps such as virus scanning, services running AzSecPack are monitored by the Azure System Lockdown (AzSysLock) team for unexpected running software. This is defined as any software that is not signed with the appropriate signing certificates. AzSysLock sends alerts to service teams that are not properly using AppLocker and Code Integrity. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, a binary does not run if it is not signed. Alerts for unsigned binaries running are raised to service owners as a Severity 2 incident. AzSecPack also monitors the server security configuration baseline for baseline violations, which are then reported to service owners through Incident Management (IcM) and/or Service 360 (S360), depending on the severity of the violation. Near real-time alerts include alerts for audit processing failures, such as system time changes or audit policy changes. Additionally, virtual components within Azure are managed by the Fabric Controller (FC), which is the component used to create, monitor, restart, and destroy virtual machines. Overall VM and Azure Host/Native management coverage of AzSecPack is maintained by AzSecPack.
Network Devices: All network devices managed by Azure Networking go through the Configuration Policy Verifier (CPV) tool. This tool is executed on all devices that are in buildout to run a series of acceptance tests on the devices before they are marked ready for production.
Mode | Indexed
Type | Static
Preview | False
Deprecated | False
Effect | Fixed audit
RBAC role(s) | none
Rule aliases | none
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups
Compliance | The following 1 compliance control is associated with this Policy definition 'Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection' (c158eb1c-ae7e-4081-8057-d527140c4e0c)
Initiatives usage |
History | none
JSON compare | n/a
JSON |