Applying Azure PCI DSS 4 regulatory compliance policy for passwords

Ishan Saxena 20 Reputation points
2024-04-16T20:23:01.5533333+00:00

Hi, I am trying to assign the PCI DSS 4 Defender for Cloud regulatory compliance policies for passwords:

  1. Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords (count is 24)
  2. Audit Windows machines that do not restrict the minimum password length to specified number of characters (length is 14)

The policy definitions state that these apply to user accounts, but I did not find a Microsoft document stating that they will not affect the system identities or service accounts in the virtual machine.

Could someone clarify? That would be really helpful. Also, is there a way to find the system identities or service accounts in a VM?

Tags: Azure Policy, Microsoft Defender for Cloud

2 answers

  1. Marcin Policht 10,755 Reputation points MVP
    2024-04-16T22:21:08.8033333+00:00

    Aside from the built-in system accounts (LocalSystem, NetworkService, and LocalService), there are no "service accounts". Those that you configure to run services are no different from regular accounts (at least from the password management standpoint), with the exception of the extra privilege to log on as a service. Effectively, I don't see why they wouldn't be in scope. The passwords of the built-in system accounts are managed by the OS, so their complexity is not something you can control.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
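
    Added example for the second part of the question (how to find which identities run services on the VM); this is not code from the thread or from the Azure Policy definitions. It lists the account each Windows service runs as and classifies it the way the answer above describes (built-in system accounts, per-service virtual accounts, AD-managed service accounts, and ordinary local or domain user accounts whose passwords the audited policy does govern), lists the local accounts, and reads the two local security policy values that the quoted audits compare against 24 and 14. The classification regexes, the helper names and the temp-file handling are my own assumptions; run it in an elevated PowerShell session (5.1 or later, Windows 10 / Server 2016 or later for Get-LocalUser).

```powershell
# Added example, not from the original thread. Run elevated on the Windows VM.

function Get-ServiceIdentityClass {
    # Classify the account a service runs as. Only LocalUser / DomainUser have a
    # password that an administrator set, so only those are governed by the
    # password history / minimum length settings the two audits check.
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\(SYSTEM|LocalService|NetworkService))$' { return 'BuiltIn' }
        '^NT SERVICE\\'  { return 'VirtualAccount' }   # per-service virtual account, OS-managed secret
        '\$$'            { return 'ManagedServiceAccount' }  # (g)MSA: DOMAIN\name$, AD-managed password
        '^\.\\'          { return 'LocalUser' }         # .\name = local account on this machine
        "^$([regex]::Escape($env:COMPUTERNAME))\\" { return 'LocalUser' }
        '\\|@'           { return 'DomainUser' }        # DOMAIN\name or name@domain
        default          { return 'LocalUser' }         # bare name = local account
    }
}

$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, StartName, State, StartMode,
        @{ Name = 'IdentityClass'; Expression = { Get-ServiceIdentityClass $_.StartName } }

"Services per identity class:"
$services | Group-Object IdentityClass | Select-Object Name, Count | Format-Table -AutoSize

"Services running as a user account (password governed by local/domain policy):"
$services | Where-Object { $_.IdentityClass -in 'LocalUser', 'DomainUser' } |
    Format-Table Name, StartName, State, StartMode -AutoSize

"Local accounts and their password flags:"
Get-LocalUser | Select-Object Name, Enabled, PasswordRequired, PasswordExpires, PasswordLastSet |
    Format-Table -AutoSize

# Export the effective local security policy and read the two values the
# quoted audit definitions compare against (24 remembered passwords, 14 chars).
$cfgPath = Join-Path $env:TEMP 'secpol-export.cfg'   # assumed temp location
secedit /export /cfg $cfgPath /quiet | Out-Null
$cfg = Get-Content $cfgPath
Remove-Item $cfgPath

function Get-SecPolInt([string[]]$Lines, [string]$Key) {
    # secedit writes lines such as "MinimumPasswordLength = 14"
    $line = $Lines | Where-Object { $_ -match "^$Key\s*=" } | Select-Object -First 1
    if ($line) { [int](($line -split '=', 2)[1].Trim()) } else { $null }
}

$history = Get-SecPolInt $cfg 'PasswordHistorySize'
$minLen  = Get-SecPolInt $cfg 'MinimumPasswordLength'

[pscustomobject]@{
    PasswordHistorySize   = $history
    HistoryRequired       = 24
    HistoryCompliant      = ($history -ge 24)
    MinimumPasswordLength = $minLen
    LengthRequired        = 14
    LengthCompliant       = ($minLen -ge 14)
} | Format-List
```

    The machine-wide values at the end are what the audits evaluate; the per-service listing only tells you which accounts those values will actually bite when their passwords are next changed, since built-in, virtual and managed service accounts have OS- or AD-managed secrets.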


  2. Marcin Policht 10,755 Reputation points MVP
    2024-04-18T20:45:02.7166667+00:00

    In short, you cannot view passwords. They are processed by a one-way hash, so there is no way to determine their complexity once they are set.

    The only way you can control them is at the point when they are actually changed or reset.


    hth

    Marcin
