| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1176 - Baseline Configuration | ||
| Id | c30690a5-7bf3-467f-b0cd-ef5c7c7449cd | ||
| Version | 1.0.0 Details on versioning |
||
| Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this Configuration Management control | ||
| Additional metadata |
Name/Id: ACF1176 / Microsoft Managed Control 1176 Category: Configuration Management Title: Baseline Configuration Ownership: Customer, Microsoft Description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. Requirements: Azure establishes and maintains configuration baselines using multiple sources, including: * Existing, updated, and new industry and regulator requirements * New software releases and configuration updates * Customer demand signals * External research findings and internal findings from incident management, penetration testing, security reviews, and other teams who are constantly learning about the operating environment * Compliance team requirements Azure reviews and updates required configuration baselines at least annually. In all cases, changes to the configuration baselines are developed, tested, and approved prior to entering the production environment from a development or test environment. Configuration baselines are maintained under configuration control using Liquid, the Microsoft document repository. Functionally, configuration baselines are reviewed and updated more often as a result of regular updates, reviews, and investigations. Logical images of the baselines are maintained in Azure DevOps. Azure applies configuration baselines differently for hardware and software: for hardware, using the bootstrap configuration process; for software, using the change and release process. Depending on the type of asset, there are different configuration baselines and processes. Servers Server configurationbaselines are released and implemented internally via Azure Security Pack (AzSecPack). These configuration baselines are monitored by Azure Security Monitoring (ASM) and SCUBA using the baseline scanning component of AzSecPack. Supported versions of AzSecPack monitor both Windows and Linux operating systems. Additional supported operating systems versions and distributions are evaluated by the ASM team as part of semester planning twice a year and are then added based on business priority and resources. # Azure Host, Azure Native, and Azure Guest Servers The RDOS team updates the server configuration baseline for Azure Host, Azure Native, and Azure Guest assets. The server base image is a version in which the kernel and many other core components have been modified to optimize them for the Azure environment. For service teams using Cloud Services, Windows server images are in the form of Virtual Hard Disks (VHDs) that are deployed as Guest VMs in the production environment. For Linux images, service teams use the Secure Base Image (SBI) that has been customized for secure configuration baselines relevant to Azure. # Bare Metal and Pilotfish Servers The services running on Bare Metal and Pilotfish servers, including, but not limited to, Jumpboxes, Active Directory, Azure DNS, and other service teams, run standard Windows Server. The configuration baseline image for these assets is provided by the IPAK Engineering Team. IPAK incorporates the security configuration baselines established by the Azure Security Monitoring (ASM) team into the server images and makes those images available for consumption and deployment by engineering teams. Updated IPAK images are released monthly. IPAK documentation is made available to Microsoft personnel on the IPAK internal website, including release notes, install locations, and general IPAK information. Development changes to the IPAK are recorded, tested, and approved prior to implementation, as defined by the standardized change management process. The server is then configured per the role deployment specification by each service team, including the required validation steps prior to the server being released to production. The IPAK engineering team also manages deprecation of old baselines, notifying service team personnel at least twelve (12) months prior to end of life. Changes to the IPAK configurations are made only by appropriate personnel. Network Devices For network devices, the Azure Networking team sets the configuration baseline using recommended configurations specific to each hardware vendor, and makes updates periodically based upon recommendations from the vendor and internal analysis and investigation. For each type of network device, Azure Networking maintains configuration baseline documentation on the Azure Networking Standards and Architecture SharePoint site or in Azure DevOps. The networking configuration baselines are stored in Network Graph Database (NGS). Deployment methods, including reimaging, automated configlet update, scripted configuration change, and manual Method of Procedure (MOP) steps, call data from NGS. NGS provides a code-defined, source-controlled schema with the content to define the configuration baseline for each network device, meaning that the configuration on the device is generated from source regardless of the deployment method used. The network device configuration baseline itself is therefore stateless but the configuration generated from NGS data is, at any point in time, the Gold Configuration of that device. Only the Azure Networking team can make changes to configuration baselines for network devices in Azure. When Azure Networking deploys network devices, the team runs the Config Policy Verifier (CPV) tool before the device goes live on the Azure production environment. CPV verifies the configuration of the device against the Gold Configuration of the appropriate device type. In addition, CPV runs ongoing daily monitoring of all network devices for conformance to the Gold Configuration. Azure Services Azure service teams maintain software assets running on the baselines described above. Each software asset has an established configuration baseline documented in code in a configuration file associated with the asset that is maintained under change control as part of the Change and Release Management processes. Service teams develop, document, and maintain the baselines for each asset in the approved software baseline repository, Azure DevOps. This ensures the baselines remain under configuration control. Changes to the code configuration baselines go through the Security Development Lifecycle (SDL) process, which requires multipl signoffs prior to production deployment. The configuration baseline for ports and protocols allowed for Azure services are monitored by the C+AI Security team via Network Isolation (NetIso). C+AI Security monitors network configurations of Windows and Linux services for internet-exposed management endpoints and high-risk ports and protocols as defined per the C+AI Platform security baseline process. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|