last sync: 2024-Sep-18 17:50:24 UTC

[Preview]: Azure Stack HCI servers should have consistently enforced application control policies

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Preview]: Azure Stack HCI servers should have consistently enforced application control policies
Id dad3a6b9-4451-492f-a95c-69efc6f3fada
Version 1.0.0-preview
Versioning Versions supported for Versioning: 1 (1.0.0-preview)
Category Stack HCI
Description At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster.
Mode Indexed
Type BuiltIn
Preview True
Deprecated False
Effect Default: AuditIfNotExists; Allowed: Audit, Disabled, AuditIfNotExists
RBAC role(s) none
Rule aliases IF (1)
| Alias | Namespace | ResourceType | Path | PathIsDefault | DefaultPath | Modifiable |
|---|---|---|---|---|---|---|
| Microsoft.AzureStackHCI/clusters/reportedProperties.clusterVersion | Microsoft.AzureStackHCI | clusters | properties.reportedProperties.clusterVersion | True | | False |
THEN-ExistenceCondition (1)
| Alias | Namespace | ResourceType | Path | PathIsDefault | DefaultPath | Modifiable |
|---|---|---|---|---|---|---|
| Microsoft.AzureStackHCI/clusters/securitySettings/securityComplianceStatus.wdacCompliance | Microsoft.AzureStackHCI | clusters/securitySettings | properties.securityComplianceStatus.wdacCompliance | True | | False |
Rule resource types IF (1)
Microsoft.AzureStackHCI/clusters
Compliance
The following 1 compliance control is associated with this Policy definition '[Preview]: Azure Stack HCI servers should have consistently enforced application control policies' (dad3a6b9-4451-492f-a95c-69efc6f3fada)
Control Domain Azure_Security_Benchmark_v3.0
Control PV-4
Name Azure_Security_Benchmark_v3.0_PV-4
MetadataId Microsoft cloud security benchmark PV-4
Category Posture and Vulnerability Management
Title Audit and enforce secure configurations for compute resources
Owner Shared
Requirements
**Security Principle:** Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration in compute resources.
**Azure Guidance:** Use Microsoft Defender for Cloud and Azure Policy guest configuration agent to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.
**Implementation and additional context:**
How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template
Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal
Container security in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/container-security
Description n/a
Info link
Policy# 13
Initiatives usage
| Initiative DisplayName | Initiative Id | Initiative Category | State | Type |
|---|---|---|---|---|
| Microsoft cloud security benchmark | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Security Center | GA | BuiltIn |
History
| Date/Time (UTC ymd) | Change type | Change detail |
|---|---|---|
| 2024-03-01 17:50:27 | add | dad3a6b9-4451-492f-a95c-69efc6f3fada |
JSON compare n/a