articles/governance/blueprints/samples/canada-federal-pbmm/control-mapping.md (18 additions & 19 deletions)
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Canada Federal PBMM blueprint sample controls
3
3
description: Control mapping of the Canada Federal PBMM blueprint samples. Each control is mapped to one or more Azure Policies that assist with assessment.
4
-
ms.date: 09/04/2019
4
+
ms.date: 05/08/2020
5
5
ms.topic: sample
6
6
---
7
7
# Control mapping of the Canada Federal PBMM blueprint sample
@@ -91,8 +91,8 @@ separation of duties.
91
91
92
92
- A maximum of 3 owners should be designated for your subscription
93
93
- There should be more than one owner assigned to your subscription
94
-
-Audit Windows VMs in which the Administrators group contains any of the specified members
95
-
-Audit Windows VMs in which the Administrators group does not contain all of the specified members
94
+
-Show audit results from Windows VMs in which the Administrators group contains any of the specified members
95
+
-Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members
96
96
- Deploy requirements to audit Windows VMs in which the Administrators group contains any of the specified members
97
97
- Deploy requirements to audit Windows VMs in which the Administrators group does not contain all of the specified members
98
98
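Review bot: the two renamed audit definitions now read "Show audit results from Windows VMs in which the Administrators group ..." while their companion lines still read "Deploy requirements to audit Windows VMs ...", and the ukofficial control-mapping in this same commit uses "Deploy prerequisites to audit ..." for the equivalent companion; check the current built-in display names and use one wording in both files. The Guest Configuration pair (the "Deploy ..." definition that provisions the agent and the "Show audit results ..." definition that reports) only makes sense together, so keep both halves of each pair adjacent as they are here and rename them in step.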
@@ -106,8 +106,8 @@ indicators can help you ensure least privilege controls are implemented.
106
106
107
107
- A maximum of 3 owners should be designated for your subscription
108
108
- There should be more than one owner assigned to your subscription
109
-
-Audit Windows VMs in which the Administrators group contains any of the specified members
110
-
-Audit Windows VMs in which the Administrators group does not contain all of the specified members
109
+
-Show audit results from Windows VMs in which the Administrators group contains any of the specified members
110
+
-Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members
111
111
- Deploy requirements to audit Windows VMs in which the Administrators group contains any of the specified members
112
112
- Deploy requirements to audit Windows VMs in which the Administrators group does not contain all of the specified members
113
113
@@ -134,7 +134,7 @@ connections from accounts without passwords. Additionally, the blueprint assigns
134
134
definition that helps you monitor unrestricted access to storage accounts. Monitoring these
135
135
indicators can help you ensure remote access methods comply with your security policy.
136
136
137
-
-\[Preview\]: Audit Linux VMs that allow remote connections from accounts without passwords
137
+
-\[Preview\]: Show audit results from Linux VMs that allow remote connections from accounts without passwords
138
138
-\[Preview\]: Deploy requirements to audit Linux VMs that allow remote connections from accounts without passwords
139
139
- Audit unrestricted network access to storage accounts
140
140
- Remote debugging should be turned off for API App
@@ -160,7 +160,7 @@ audit and event logging configurations. Monitoring these configurations can prov
160
160
an audit system failure or misconfiguration and help you take corrective action.
161
161
162
162
- Audit diagnostic setting
163
-
-Audit SQL server level Auditing settings
163
+
-Auditing on SQL server should be enabled
164
164
- Advanced data security should be enabled on your managed instances
165
165
- Advanced data security should be enabled on your SQL servers
166
166
@@ -191,7 +191,7 @@ and Advanced Data Security are configured on SQL servers.
191
191
-\[Preview\]: Deploy Log Analytics Agent for Linux VMs
192
192
-\[Preview\]: Deploy Log Analytics Agent for Windows VMs
193
193
- Audit diagnostic setting
194
-
-Audit SQL server level Auditing settings
194
+
-Auditing on SQL server should be enabled
195
195
- Advanced data security should be enabled on your managed instances
196
196
- Advanced data security should be enabled on your SQL servers
197
197
- Deploy Advanced Data Security on SQL servers
@@ -250,8 +250,8 @@ configuration of the password encryption type for Windows virtual machines. Moni
250
250
indicators helps you ensure that system authenticators comply with your organization's
251
251
identification and authentication policy.
252
252
253
-
-\[Preview\]: Audit Linux VMs that do not have the passwd file permissions set to 0644
254
-
-\[Preview\]: Audit Linux VMs that have accounts without passwords
253
+
-\[Preview\]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
254
+
-\[Preview\]: Show audit results from Linux VMs that have accounts without passwords
255
255
-\[Preview\]: Deploy requirements to audit Linux VMs that do not have the passwd file permissions set to 0644
256
256
-\[Preview\]: Deploy requirements to audit Linux VMs that have accounts without passwords
257
257
@@ -263,11 +263,11 @@ password requirements. Awareness of virtual machines in violation of the passwor
263
263
helps you take corrective actions to ensure passwords for all virtual machine user accounts comply
264
264
with your organization's password policy.
265
265
266
-
-\[Preview\]: Audit Windows VMs that allow re-use of the previous 24 passwords
267
-
-\[Preview\]: Audit Windows VMs that do not have a maximum password age of 70 days
268
-
-\[Preview\]: Audit Windows VMs that do not have a minimum password age of 1 day
269
-
-\[Preview\]: Audit Windows VMs that do not have the password complexity setting enabled
270
-
-\[Preview\]: Audit Windows VMs that do not restrict the minimum password length to 14 characters
266
+
-\[Preview\]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
267
+
-\[Preview\]: Show audit results from Windows VMs that do not have a maximum password age of 70 days
268
+
-\[Preview\]: Show audit results from Windows VMs that do not have a minimum password age of 1 day
269
+
-\[Preview\]: Show audit results from Windows VMs that do not have the password complexity setting enabled
270
+
-\[Preview\]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
271
271
-\[Preview\]: Deploy requirements to audit Windows VMs that allow re-use of the previous 24 passwords
272
272
-\[Preview\]: Deploy requirements to audit Windows VMs that do not have a maximum password age of 70 days
273
273
-\[Preview\]: Deploy requirements to audit Windows VMs that do not have a minimum password age of 1 day
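Review bot: the five renamed definitions carry their thresholds in their names (re-use of the previous 24 passwords, maximum age 70 days, minimum age 1 day, minimum length 14 characters), but the paragraph above says they help ensure passwords "comply with your organization's password policy"; unless the assignment exposes those values as blueprint parameters, the prose should say the blueprint audits against these fixed values and that an organization whose policy differs needs its own definition. Only the "Show audit results ..." lines are renamed here; the "Deploy requirements ..." lines at 271-273 keep the old wording pattern, which is fine if that matches the catalog, but worth a second look for the same reason.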
@@ -325,10 +325,9 @@ endpoints, applications, and storage accounts. Endpoints and applications that a
325
325
firewall, and storage accounts with unrestricted access can allow unintended access to information
326
326
contained within the information system.
327
327
328
-
- Network Security Group Rules for Internet facing virtual machines should be hardened
328
+
-Adaptive Network Hardening recommendations should be applied on internet facing virtual machines
329
329
- Access through Internet facing endpoint should be restricted
330
330
- Audit unrestricted network access to storage accounts
331
-
- The NSGs rules for web applications on IaaS should be hardened
332
331
333
332
## SC-7 (3) Boundary Protection | Access Points
334
333
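Review bot: this hunk folds two NSG definitions into one: "Network Security Group Rules for Internet facing virtual machines should be hardened" becomes "Adaptive Network Hardening recommendations should be applied on internet facing virtual machines", and "The NSGs rules for web applications on IaaS should be hardened" is dropped with no replacement. If the IaaS web-application definition was deprecated and its coverage is subsumed by the adaptive hardening recommendation, say so in the commit; otherwise the SC-7 mapping loses a check that the prose at the top of the hunk ("endpoints, applications, and storage accounts") still claims. The same pair of changes is made in the ukofficial mapping in this commit, so one recorded rationale should cover both.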
@@ -360,7 +359,7 @@ properly encrypted can help you meet your organization's requirements or protect
360
359
from unauthorized disclosure and modification.
361
360
362
361
- API App should only be accessible over HTTPS
363
-
-Audit Windows web servers that are not using secure communication protocols
362
+
-Show audit results from Windows web servers that are not using secure communication protocols
364
363
- Deploy requirements to audit Windows web servers that are not using secure communication protocols
365
364
- Function App should only be accessible over HTTPS
366
365
- Only secure connections to your Redis Cache should be enabled
@@ -465,4 +464,4 @@ Additional articles about blueprints and how to use them:
465
464
- Understand how to use [static and dynamic parameters](../../concepts/parameters.md).
466
465
- Learn to customize the [blueprint sequencing order](../../concepts/sequencing-order.md).
467
466
- Find out how to make use of [blueprint resource locking](../../concepts/resource-locking.md).
468
-
- Learn how to [update existing assignments](../../how-to/update-existing-assignments.md).
467
+
- Learn how to [update existing assignments](../../how-to/update-existing-assignments.md).
articles/governance/blueprints/samples/ukofficial/control-mapping.md (6 additions & 11 deletions)
@@ -1,7 +1,7 @@
1
1
---
2
2
title: UK OFFICIAL & UK NHS blueprint sample controls
3
3
description: Control mapping of the UK OFFICIAL and UK NHS blueprint samples. Each control is mapped to one or more Azure Policies that assist with assessment.
4
-
ms.date: 12/04/2019
4
+
ms.date: 05/08/2020
5
5
ms.topic: sample
6
6
---
7
7
# Control mapping of the UK OFFICIAL and UK NHS blueprint samples
@@ -37,9 +37,6 @@ definitions that audit insecure connections to storage accounts and Redis Cache.
37
37
- Secure transfer to storage accounts should be enabled
38
38
- Show audit results from Windows web servers that are not using secure communication protocols
39
39
- Deploy prerequisites to audit Windows web servers that are not using secure communication protocols
40
-
- Latest TLS version should be used in your API App
41
-
- Latest TLS version should be used in your Web App
42
-
- Latest TLS version should be used in your Function App
43
40
44
41
## 2.3 Data at rest protection
45
42
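Review bot: deleting the three "Latest TLS version should be used in your API App / Web App / Function App" lines removes the only lines in this section that name a TLS version, leaving secure transfer to storage and the Windows web server protocol audit, and the prose at the top of the hunk ("audit insecure connections to storage accounts and Redis Cache") is not adjusted. If the sample blueprint no longer assigns these definitions the removal is correct but deserves a one-line commit note; if they are still assigned, restore the lines, since this mapping page is what an assessor reads against the blueprint.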
@@ -172,8 +169,8 @@ help you take corrective actions to ensure access Azure resources is restricted
172
169
173
170
-\[Preview\]: Deploy requirements to audit Linux VMs that have accounts without passwords
174
171
-\[Preview\]: Deploy requirements to audit Linux VMs that allow remote connections from accounts without passwords
175
-
-\[Preview\]: Audit Linux VMs that have accounts without passwords
176
-
-\[Preview\]: Audit Linux VMs that allow remote connections from accounts without passwords
172
+
-\[Preview\]: Show audit results from Linux VMs that have accounts without passwords
173
+
-\[Preview\]: Show audit results from Linux VMs that allow remote connections from accounts without passwords
177
174
- Storage accounts should be migrated to new Azure Resource Manager resources
178
175
- Virtual machines should be migrated to new Azure Resource Manager resources
179
176
- Audit VMs that do not use managed disks
@@ -188,12 +185,10 @@ also assigns a policy that enables adaptive application controls on virtual mach
188
185
189
186
- Audit unrestricted network access to storage accounts
190
187
- Adaptive Application Controls should be enabled on virtual machines
191
-
- The NSGs rules for web applications on IaaS should be hardened
192
188
- Access through Internet facing endpoint should be restricted
193
-
- Network Security Group Rules for Internet facing virtual machines should be hardened
189
+
-Adaptive Network Hardening recommendations should be applied on internet facing virtual machines
194
190
- Endpoint protection solution should be installed on virtual machine scale sets
195
191
- Just-In-Time network access control should be applied on virtual machines
196
-
- Audit unrestricted network access to storage accounts
197
192
- Remote debugging should be turned off for Function App
198
193
- Remote debugging should be turned off for Web Application
199
194
- Remote debugging should be turned off for API App
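Review bot: dropping the duplicate "Audit unrestricted network access to storage accounts" (it appeared at both 189 and 196 and now appears once) is a good cleanup, but "The NSGs rules for web applications on IaaS should be hardened" is removed with no replacement while the generic NSG rule is renamed to "Adaptive Network Hardening recommendations should be applied on internet facing virtual machines"; confirm the web-application definition is deprecated or subsumed by the adaptive hardening recommendation, otherwise this section loses a check. The same removal is made in the Canada PBMM mapping in this commit, so record the rationale once for both.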
@@ -246,15 +241,15 @@ This blueprint also assigns an Azure Policy definition that audits Linux VM pass
246
241
permissions to alert if they're set incorrectly. This design enables you to take corrective action
247
242
to ensure authenticators aren't compromised.
248
243
249
-
-\[Preview\]: Audit Linux VM /etc/passwd file permissions are set to 0644
244
+
-\[Preview\]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
250
245
251
246
## 13 Audit Information for Users
252
247
253
248
This blueprint helps you ensure system events are logged by assigning [Azure Policy](../../../policy/overview.md)
254
249
definitions that audit log settings on Azure resources. An assigned policy also audits if virtual
255
250
machines aren't sending logs to a specified log analytics workspace.
256
251
257
-
-Auditing should be enabled on advanced data security settings on SQL Server
252
+
-Advanced data security should be enabled on your SQL servers
258
253
- Audit diagnostic setting
259
254
-\[Preview\]: Deploy Log Analytics Agent for Linux VMs
260
255
-\[Preview\]: Deploy Log Analytics Agent for Windows VMs
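Review bot: replacing "Auditing should be enabled on advanced data security settings on SQL Server" with "Advanced data security should be enabled on your SQL servers" changes what is checked, not just the wording: by its name the old definition verified that auditing was turned on, while the new one only verifies that Advanced Data Security is enabled, which is a threat-detection and vulnerability-assessment feature rather than an audit-log setting, so it sits oddly under "13 Audit Information for Users" whose prose promises definitions "that audit log settings on Azure resources". The Canada PBMM mapping in this same commit maps "Auditing on SQL server should be enabled" for its AU-5 and AU-12 audit controls; use that definition here (in addition to or instead of the ADS one) so this section keeps a genuine SQL auditing check.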
articles/governance/blueprints/samples/ukofficial/index.md (2 additions & 2 deletions)
@@ -1,7 +1,7 @@
1
1
---
2
2
title: UK OFFICIAL & UK NHS blueprint sample overview
3
3
description: Overview and architecture of the UK OFFICIAL and UK NHS blueprint samples. This blueprint sample helps customers assess specific controls.
4
-
ms.date: 06/26/2019
4
+
ms.date: 05/08/2020
5
5
ms.topic: sample
6
6
---
7
7
# Overview of the UK OFFICIAL and UK NHS blueprint samples
@@ -33,4 +33,4 @@ Additional articles about blueprints and how to use them:
33
33
- Understand how to use [static and dynamic parameters](../../concepts/parameters.md).
34
34
- Learn to customize the [blueprint sequencing order](../../concepts/sequencing-order.md).
35
35
- Find out how to make use of [blueprint resource locking](../../concepts/resource-locking.md).
36
-
- Learn how to [update existing assignments](../../how-to/update-existing-assignments.md).
36
+
- Learn how to [update existing assignments](../../how-to/update-existing-assignments.md).