{
"properties": {
"displayName": "[Preview]: Motion Picture Association of America (MPAA)",
"policyType": "BuiltIn",
"description": "This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/mpaa-init.",
"metadata": {
"version": "4.2.0-preview",
"category": "Regulatory Compliance",
"preview": true
},
"version": "4.2.0-preview",
"parameters": {
"IncludeArcMachines": {
"type": "string",
"metadata": {
"displayName": "Include Arc connected servers for Guest Configuration policies",
"description": "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "false"
},
"certificateThumbprints": {
"type": "string",
"metadata": {
"displayName": "Certificate thumbprints that should exist under the Trusted Root",
"description": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
}
},
"applicationName": {
"type": "string",
"metadata": {
"displayName": "Application names to be installed on VMs",
"description": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'python; powershell'"
}
},
"storagePrefix": {
"type": "string",
"metadata": {
"displayName": "Storage Account Prefix for Regional Storage Account to deploy diagnostic settings for Network Security Groups",
"description": "This prefix will be combined with the network security group location to form the created storage account name."
}
},
"rgName": {
"type": "string",
"metadata": {
"displayName": "Resource Group Name for Storage Account (must exist) to deploy diagnostic settings for Network Security Groups",
"description": "The resource group that the storage account will be created in. This resource group must already exist.",
"strongType": "ExistingResourceGroups"
}
},
"diskEncryptionMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
"description": "Enable or disable the monitoring for VM disk encryption",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect": {
"type": "string",
"metadata": {
"displayName": "Monitor unencrypted SQL database in Azure Security Center",
"description": "Enable or disable monitoring of unencrypted SQL databases in Azure Security Center"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"metricName": {
"type": "string",
"metadata": {
"displayName": "Metric name on which alert rules should be configured in Batch accounts",
"description": "The metric name that an alert rule must be enabled on"
}
},
"metricAlertsInBatchAccountPoolDeleteStartEffect": {
"type": "string",
"metadata": {
"displayName": "Metric alert rules should be configured on Batch accounts",
"description": "Enable or disable monitoring of whether a metric alert rule is configured on Batch accounts for the required metric"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "Audit unrestricted network access to storage accounts",
"description": "Enable or disable the monitoring of network access to storage account"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"diagnosticsLogsInLogicAppsMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "Resource logs in Logic Apps should be enabled",
"description": "Enable or disable the monitoring of resource logs in Logic Apps workflows"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"requiredRetentionDays": {
"type": "string",
"metadata": {
"displayName": "Required retention (in days) of resource logs in Logic Apps workflows",
"description": "The required resource logs retention period in days"
},
"defaultValue": "365"
},
"vmssOsVulnerabilitiesMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
"description": "Enable or disable monitoring of virtual machine scale sets OS vulnerabilities"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
"type": "string",
"metadata": {
"displayName": "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies",
"description": "Specifies whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). For certificate rules to take effect in software restriction policies, you must enable this policy setting."
},
"defaultValue": "1"
},
"vulnerabilityAssessmentMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "Vulnerabilities should be remediated by a Vulnerability Assessment solution",
"description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"serverVulnerabilityAssessmentEffect": {
"type": "string",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "A vulnerability assessment solution should be enabled on your virtual machines",
"description": "Enable or disable the detection of virtual machine vulnerabilities by Azure Security Center vulnerability assessment"
}
},
"usersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may access this computer from the network",
"description": "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection."
},
"defaultValue": "Administrators, Authenticated Users"
},
"usersOrGroupsThatMayLogOnLocally": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may log on locally",
"description": "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right."
},
"defaultValue": "Administrators"
},
"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may log on through Remote Desktop Services",
"description": "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance."
},
"defaultValue": "Administrators, Remote Desktop Users"
},
"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
"type": "string",
"metadata": {
"displayName": "Users and groups that are denied access from the network",
"description": "Specifies which users or groups are explicitly prohibited from connecting across the network."
},
"defaultValue": "Guests"
},
"usersOrGroupsThatMayManageAuditingAndSecurityLog": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may manage auditing and security log",
"description": "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log."
},
"defaultValue": "Administrators"
},
"usersOrGroupsThatMayBackUpFilesAndDirectories": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may back up files and directories",
"description": "Specifies users and groups allowed to circumvent file and directory permissions to back up the system."
},
"defaultValue": "Administrators, Backup Operators"
},
"usersOrGroupsThatMayChangeTheSystemTime": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may change the system time",
"description": "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer."
},
"defaultValue": "Administrators, LOCAL SERVICE"
},
"usersOrGroupsThatMayChangeTheTimeZone": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may change the time zone",
"description": "Specifies which users and groups are permitted to change the time zone of the computer."
},
"defaultValue": "Administrators, LOCAL SERVICE"
},
"usersOrGroupsThatMayCreateATokenObject": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may create a token object",
"description": "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data."
},
"defaultValue": "No One"
},
"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
"type": "string",
"metadata": {
"displayName": "Users and groups that are denied logging on as a batch job",
"description": "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)."
},
"defaultValue": "Guests"
},
"usersAndGroupsThatAreDeniedLoggingOnAsAService": {
"type": "string",
"metadata": {
"displayName": "Users and groups that are denied logging on as a service",
"description": "Specifies which service accounts are explicitly not permitted to register a process as a service."
},
"defaultValue": "Guests"
},
"usersAndGroupsThatAreDeniedLocalLogon": {
"type": "string",
"metadata": {
"displayName": "Users and groups that are denied local logon",
"description": "Specifies which users and groups are explicitly not permitted to log on to the computer."
},
"defaultValue": "Guests"
},
"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
"type": "string",
"metadata": {
"displayName": "Users and groups that are denied log on through Remote Desktop Services",
"description": "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client."
},
"defaultValue": "Guests"
},
"userAndGroupsThatMayForceShutdownFromARemoteSystem": {
"type": "string",
"metadata": {
"displayName": "User and groups that may force shutdown from a remote system",
"description": "Specifies which users and groups are permitted to shut down the computer from a remote location on the network."
},
"defaultValue": "Administrators"
},
"usersAndGroupsThatMayRestoreFilesAndDirectories": {
"type": "string",
"metadata": {
"displayName": "Users and groups that may restore files and directories",
"description": "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories."
},
"defaultValue": "Administrators, Backup Operators"
},
"usersAndGroupsThatMayShutDownTheSystem": {
"type": "string",
"metadata": {
"displayName": "Users and groups that may shut down the system",
"description": "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command."
},
"defaultValue": "Administrators"
},
"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
"type": "string",
"metadata": {
"displayName": "Users or groups that may take ownership of files or other objects",
"description": "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user."
},
"defaultValue": "Administrators"
},
"systemUpdatesMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "System updates should be installed on your machines",
"description": "Enable or disable reporting of system updates"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlServerAuditingRetentionDaysMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "SQL servers should be configured with auditing retention days greater than 90 days",
"description": "Enable or disable the monitoring of SQL servers with an auditing retention period of less than 90 days"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"windowsFirewallDomainUseProfileSettings": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Domain): Use profile settings",
"description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Domain profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
},
"defaultValue": "1"
},
"windowsFirewallDomainBehaviorForOutboundConnections": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Domain): Behavior for outbound connections",
"description": "Specifies the behavior for outbound connections for the Domain profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
},
"defaultValue": "0"
},
"windowsFirewallDomainApplyLocalConnectionSecurityRules": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Domain): Apply local connection security rules",
"description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Domain profile."
},
"defaultValue": "1"
},
"windowsFirewallDomainApplyLocalFirewallRules": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Domain): Apply local firewall rules",
"description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Domain profile."
},
"defaultValue": "1"
},
"windowsFirewallDomainDisplayNotifications": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Domain): Display notifications",
"description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Domain profile."
},
"defaultValue": "1"
},
"windowsFirewallPrivateUseProfileSettings": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Private): Use profile settings",
"description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Private profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
},
"defaultValue": "1"
},
"windowsFirewallPrivateBehaviorForOutboundConnections": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Private): Behavior for outbound connections",
"description": "Specifies the behavior for outbound connections for the Private profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
},
"defaultValue": "0"
},
"windowsFirewallPrivateApplyLocalConnectionSecurityRules": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Private): Apply local connection security rules",
"description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Private profile."
},
"defaultValue": "1"
},
"windowsFirewallPrivateApplyLocalFirewallRules": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Private): Apply local firewall rules",
"description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Private profile."
},
"defaultValue": "1"
},
"windowsFirewallPrivateDisplayNotifications": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Private): Display notifications",
"description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Private profile."
},
"defaultValue": "1"
},
"windowsFirewallPublicUseProfileSettings": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Public): Use profile settings",
"description": "Specifies whether Windows Firewall with Advanced Security uses the settings for the Public profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile."
},
"defaultValue": "1"
},
"windowsFirewallPublicBehaviorForOutboundConnections": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Public): Behavior for outbound connections",
"description": "Specifies the behavior for outbound connections for the Public profile that do not match an outbound firewall rule. The default value of 0 means to allow connections, and a value of 1 means to block connections."
},
"defaultValue": "0"
},
"windowsFirewallPublicApplyLocalConnectionSecurityRules": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Public): Apply local connection security rules",
"description": "Specifies whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy for the Public profile."
},
"defaultValue": "1"
},
"windowsFirewallPublicApplyLocalFirewallRules": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Public): Apply local firewall rules",
"description": "Specifies whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy for the Public profile."
},
"defaultValue": "1"
},
"windowsFirewallPublicDisplayNotifications": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall (Public): Display notifications",
"description": "Specifies whether Windows Firewall with Advanced Security displays notifications to the user when a program is blocked from receiving inbound connections, for the Public profile."
},
"defaultValue": "1"
},
"windowsFirewallDomainAllowUnicastResponse": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall: Domain: Allow unicast response",
"description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Domain profile."
},
"defaultValue": "0"
},
"windowsFirewallPrivateAllowUnicastResponse": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall: Private: Allow unicast response",
"description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Private profile."
},
"defaultValue": "0"
},
"windowsFirewallPublicAllowUnicastResponse": {
"type": "string",
"metadata": {
"displayName": "Windows Firewall: Public: Allow unicast response",
"description": "Specifies whether Windows Firewall with Advanced Security permits the local computer to receive unicast responses to its outgoing multicast or broadcast messages; for the Public profile."
},
"defaultValue": "1"
},
"identityEnableMFAForWritePermissionsMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "MFA should be enabled on accounts with write permissions in your subscription",
"description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"namespaceAuthorizationRulesInServiceBusMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace",
"description": "Enable or disable the monitoring of Service Bus namespace authorization rules"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"kubernetesServiceRbacEnabledMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
"description": "Enable or disable the monitoring of Kubernetes Services without RBAC enabled"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"diagnosticsLogsInSearchServiceMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "Resource logs in Search services should be enabled",
"description": "Enable or disable the monitoring of resource logs in Azure Search service"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"microsoftNetworkClientDigitallySignCommunicationsAlways": {
"type": "string",
"metadata": {
"displayName": "Microsoft network client: Digitally sign communications (always)",
"description": "Specifies whether packet signing is required by the SMB client component."
},
"defaultValue": "1"
},
"microsoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers": {
"type": "string",
"metadata": {
"displayName": "Microsoft network client: Send unencrypted password to third-party SMB servers",
"description": "Specifies whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it."
},
"defaultValue": "0"
},
"microsoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession": {
"type": "string",
"metadata": {
"displayName": "Microsoft network server: Amount of idle time required before suspending session",
"description": "Specifies the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. The format of the value is two integers separated by a comma, denoting an inclusive range."
},
"defaultValue": "1,15"
},
"microsoftNetworkServerDigitallySignCommunicationsAlways": {
"type": "string",
"metadata": {
"displayName": "Microsoft network server: Digitally sign communications (always)",
"description": "Specifies whether packet signing is required by the SMB server component."
},
"defaultValue": "1"
},
"microsoftNetworkServerDisconnectClientsWhenLogonHoursExpire": {
"type": "string",
"metadata": {
"displayName": "Microsoft network server: Disconnect clients when logon hours expire",
"description": "Specifies whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable 'Network security: Force logoff when logon hours expire'"
},
"defaultValue": "1"
},
"disableIPForwardingMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "IP Forwarding on your virtual machine should be disabled",
"description": "Enable or disable the monitoring of IP forwarding on virtual machines"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"threatDetectionTypesOnManagedInstanceMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings",
"description": "It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"certificateStorePath": {
"type": "string",
"metadata": {
"displayName": "Certificate store path containing the certificates to be checked for expiration",
"description": "The path to the certificate store containing the certificates to check the expiration dates of. Default value is 'Cert:' which is the root certificate store path, so all certificates on the machine will be checked. Other example paths: 'Cert:\\LocalMachine', 'Cert:\\LocalMachine\\TrustedPublisher', 'Cert:\\CurrentUser'"
},
"defaultValue": "Cert:"
},
"expirationLimitInDays": {
"type": "string",
"metadata": {
"displayName": "Expiration limit in days for certificates that are expiring under specified certificate store path",
"description": "An integer indicating the number of days within which to check for certificates that are expiring. For example, if this value is 30, any certificate expiring within the next 30 days will cause this policy to be non-compliant."
},
"defaultValue": "30"
},
"certificateThumbprintsToInclude": {
"type": "string",
"metadata": {
"displayName": "Certificate thumbprints to include while checking for expired certificates under specified certificate store path",
"description": "A semicolon-separated list of certificate thumbprints to check under the specified path. If a value is not specified, all certificates under the certificate store path will be checked. If a value is specified, no certificates other than those with the thumbprints specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
},
"defaultValue": ""
},
"certificateThumbprintsToExclude": {
"type": "string",
"metadata": {
"displayName": "Certificate thumbprints to exclude while checking for expired certificates under specified certificate store path",
"description": "A semicolon-separated list of certificate thumbprints to ignore while checking expired certificates. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3"
},
"defaultValue": ""
},
"includeExpiredCertificates": {
"type": "string",
"metadata": {
"displayName": "Include already expired certificates while checking for expired certificates under specified certificate store path",
"description": "Must be 'true' or 'false'. True indicates that any found certificates that have already expired will also make this policy non-compliant. False indicates that certificates that have already expired will be ignored under the specified certificate store path."
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "false"
},
"recoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders": {
"type": "string",
"metadata": {
"displayName": "Recovery console: Allow floppy copy and access to all drives and all folders",
"description": "Specifies whether to make the Recovery Console SET command available, which allows setting of recovery console environment variables."
},
"defaultValue": "0"
},
"accountsGuestAccountStatus": {
"type": "string",
"metadata": {
"displayName": "Accounts: Guest account status",
"description": "Specifies whether the local Guest account is disabled."
},
"defaultValue": "0"
},
"networkAccessRemotelyAccessibleRegistryPaths": {
"type": "string",
"metadata": {
"displayName": "Network access: Remotely accessible registry paths",
"description": "Specifies which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
},
"defaultValue": "System\\CurrentControlSet\\Control\\ProductOptions|#|System\\CurrentControlSet\\Control\\Server Applications|#|Software\\Microsoft\\Windows NT\\CurrentVersion"
},
"networkAccessRemotelyAccessibleRegistryPathsAndSubpaths": {
"type": "string",
"metadata": {
"displayName": "Network access: Remotely accessible registry paths and sub-paths",
"description": "Specifies which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the `winreg` registry key."
},
"defaultValue": "System\\CurrentControlSet\\Control\\Print\\Printers|#|System\\CurrentControlSet\\Services\\Eventlog|#|Software\\Microsoft\\OLAP Server|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|#|System\\CurrentControlSet\\Control\\ContentIndex|#|System\\CurrentControlSet\\Control\\Terminal Server|#|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|#|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|#|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|#|System\\CurrentControlSet\\Services\\SysmonLog"
},
"networkAccessSharesThatCanBeAccessedAnonymously": {
"type": "string",
"metadata": {
"displayName": "Network access: Shares that can be accessed anonymously",
"description": "Specifies which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server."
},
"defaultValue": "0"
},
"externalAccountsWithOwnerPermissionsShouldBeRemovedFromYourSubscriptionEffect": {
"type": "string",
"metadata": {
"displayName": "External accounts with owner permissions should be removed from your subscription",
"description": "Enable or disable the monitoring of external accounts with owner permissions in the subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlDbVulnerabilityAssesmentMonitoringEffect": {
"type": "string",
"metadata": {
"displayName": "SQL databases should have vulnerability findings resolved",
"description": "Enable or disable the monitoring of Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "auditWindowsCertificateInTrustedRoot",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/934345e1-4dfb-4c70-90d7-41990dc9608b",
"definitionVersion": "3.*.*",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
},
"certificateThumbprints": {
"value": "[parameters('CertificateThumbprints')]"
}
}
},
{
"policyDefinitionReferenceId": "previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenter",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
"definitionVersion": "2.*.*",
"parameters": {
"effect": {
"value": "[parameters('previewMonitorUnencryptedSQLDatabaseInAzureSecurityCenterEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "previewAuditWindowsVMsThatDoNotRestrictTheMinimumPasswordLengthTo14Characters",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2d0e922-65d0-40c4-8f87-ea6da2d307a2",
"definitionVersion": "2.*.*",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
}
}
},
{
"policyDefinitionReferenceId": "metricAlertsInBatchAccountPoolDeleteStart",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7",
"definitionVersion": "1.*.*",
"parameters": {
"effect": {
"value": "[parameters('metricAlertsInBatchAccountPoolDeleteStartEffect')]"
},
"metricName": {
"value": "[parameters('MetricName')]"
}
}
},
{
"policyDefinitionReferenceId": "deploydefaultMicrosoftIaaSAntimalwareextensionforWindowsServer",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc",
"definitionVersion": "1.*.*",
"parameters": {}
},
{
"policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenNone",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
"definitionVersion": "4.*.*"
},
{
"policyDefinitionReferenceId": "Prerequisite_AddSystemIdentityWhenUser",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6",
"definitionVersion": "4.*.*"
},
{
"policyDefinitionReferenceId": "Prerequisite_DeployExtensionWindows",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
"definitionVersion": "1.*.*"
},
{
"policyDefinitionReferenceId": "Prerequisite_DeployExtensionLinux",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
"definitionVersion": "3.*.*"
},
{
"policyDefinitionReferenceId": "disableUnrestrictedNetworkToStorageAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
"definitionVersion": "1.*.*",
"parameters": {
"effect": {
"value": "[parameters('disableUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInLogicAppsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
"definitionVersion": "5.*.*",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInLogicAppsMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('RequiredRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "deployThreatDetectionOnSqlServers",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
"definitionVersion": "2.*.*",
"parameters": {}
},
{
"policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
"definitionVersion": "3.*.*",
"parameters": {
"effect": {
"value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "AzureBaselineSecurityOptionsSystemsettings",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12017595-5a75-4bb1-9d97-4c2c939ea3c3",
"definitionVersion": "3.*.*",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
},
"systemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies": {
"value": "[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]"
}
}
},
{
"policyDefinitionReferenceId": "InstalledApplicationLinux",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d3b823c9-e0fc-4453-9fb2-8213b7338523",
"definitionVersion": "4.*.*",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
},
"applicationName": {
"value": "[parameters('ApplicationName')]"
}
}
},
{
"policyDefinitionReferenceId": "serverVulnerabilityAssessment",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
"definitionVersion": "3.*.*",
"parameters": {
"effect": {
"value": "[parameters('serverVulnerabilityAssessmentEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "AzureBaselineUserRightsAssignment",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e068b215-0026-4354-b347-8fb2766f73a2",
"definitionVersion": "3.*.*",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
},
"usersOrGroupsThatMayAccessThisComputerFromTheNetwork": {
"value": "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]"
},
"usersOrGroupsThatMayLogOnLocally": {
"value": "[parameters('UsersOrGroupsThatMayLogOnLocally')]"
},
"usersOrGroupsThatMayLogOnThroughRemoteDesktopServices": {
"value": "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]"
},
"usersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork": {
"value": "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]"
},
"usersOrGroupsThatMayManageAuditingAndSecurityLog": {
"value": "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]"
},
"usersOrGroupsThatMayBackUpFilesAndDirectories": {
"value": "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]"
},
"usersOrGroupsThatMayChangeTheSystemTime": {
"value": "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]"
},
"usersOrGroupsThatMayChangeTheTimeZone": {
"value": "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]"
},
"usersOrGroupsThatMayCreateATokenObject": {
"value": "[parameters('UsersOrGroupsThatMayCreateATokenObject')]"
},
"usersAndGroupsThatAreDeniedLoggingOnAsABatchJob": {
"value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]"
},
"usersAndGroupsThatAreDeniedLoggingOnAsAService": {
"value": "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]"
},
"usersAndGroupsThatAreDeniedLocalLogon": {
"value": "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]"
},
"usersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices": {
"value": "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]"
},
"userAndGroupsThatMayForceShutdownFromARemoteSystem": {
"value": "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]"
},
"usersAndGroupsThatMayRestoreFilesAndDirectories": {
"value": "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]"
},
"usersAndGroupsThatMayShutDownTheSystem": {
"value": "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]"
},
"usersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects": {
"value": "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]"
}
}
},
{
"policyDefinitionReferenceId": "systemUpdatesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
"definitionVersion": "4.*.*",
"parameters": {
"effect": {
"value": "[parameters('systemUpdatesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "disableIPForwardingForNetworkInterfaces",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
"definitionVersion": "1.*.*",
"parameters": {}
},
{
"policyDefinitionReferenceId": "sqlServerAuditingRetentionDaysMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
"definitionVersion": "3.*.*",
"parameters": {
"effect": {
"value": "[parameters('sqlServerAuditingRetentionDaysMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "AzureBaselineWindowsFirewallProperties",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35d9882c-993d-44e6-87d2-db66ce21b636",
"definitionVersion": "3.*.*",
"parameters": {
"IncludeArcMachines": {
"value": "[parameters('IncludeArcMachines')]"
},
"windowsFirewallDomainUseProfileSettings": {
"value": "[parameters('WindowsFirewallDomainUseProfileSettings')]"
},
"windowsFirewallDomainBehaviorForOutboundConnections": {
"value": "[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]"
},
"windowsFirewallDomainApplyLocalConnectionSecurityRules": {
"value": "[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]"
},
"windowsFirewallDomainApplyLocalFirewallRules": {
"value": "[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]"
},
"windowsFirewallDomainDisplayNotifications": {
"value": "[parameters('WindowsFirewallDomainDisplayNotifications')]"
},
"windowsFirewallPrivateUseProfileSettings": {
"value": "[parameters('WindowsFirewallPrivateUseProfileSettings')]"
},
"windowsFirewallPrivateBehaviorForOutboundConnections": {
"value": "[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]"
},
"windowsFirewallPrivateApplyLocalConnectionSecurityRules": {
"value": "[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]"
},
"windowsFirewallPrivateApplyLocalFirewallRules": {
"value": "[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]"
},
"windowsFirewallPrivateDisplayNotifications": {
"value": "[parameters('WindowsFirewallPrivateDisplayNotifications')]"
},
"windowsFirewallPublicUseProfileSettings": {
"value": "[parameters('WindowsFirewallPublicUseProfileSettings')]"
},
"windowsFirewallPublicBehaviorForOutboundConnections": {
"value": "[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]"
},
"windowsFirewallPublicApplyLocalConnectionSecurityRules": {
"value": "[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]"
},
"windowsFirewallPublicApplyLocalFirewallRules": {
"value": "[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]"
},
"windowsFirewallPublicDisplayNotifications": {
"value": "[parameters('WindowsFirewallPublicDisplayNotifications')]"
},
"windowsFirewallDomainAllowUnicastResponse": {
"value": "[parameters('WindowsFirewallDomainAllowUnicastResponse')]"
},
"windowsFirewallPrivateAllowUnicastResponse": {
"value": "[parameters('WindowsFirewallPrivateAllowUnicastResponse')]"
},
"windowsFirewallPublicAllowUnicastResponse": {
"value": "[parameters('WindowsFirewallPublicAllowUnicastResponse')]"
}
}
},