Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers
Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Arc-enabled servers. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.
The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.
Important
Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.
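The tables below only tell you which built-in policy is mapped to which control; they do not tell you which Azure Arc-enabled machines are failing a control, and a control whose mapped policy has never been evaluated at your scope is not "compliant", it is simply unassessed. As an added example (not part of this page or of Microsoft's tooling), the following Python script joins Azure Policy compliance state with mapping rows in the same pipe-delimited shape as the tables on this page: it resolves policy definition names to display names, reports non-compliant Arc-enabled machines per control, and lists controls whose mapped policies have produced no compliance record at all. The mapping rows are copied from this page; the definition and state records are constructed stand-ins for the output of `az policy definition list` and `az policy state list` with placeholder definition names (real ones are GUIDs) and placeholder resource IDs; the assumption that a Guest Configuration audit record points at the `Microsoft.HybridCompute/machines` resource itself is mine.

```python
"""Join Azure Policy compliance state against a control-to-policy mapping table.

Added example, not code from the Microsoft page. Mapping rows are copied from the
page; DEFINITIONS and POLICY_STATES are constructed stand-ins for Azure CLI output.
"""
import re
from collections import defaultdict

# Rows copied from this page's tables, keyed by compliance standard. The Canada
# Federal PBMM row keeps the NIST-style title, whose inner pipe is escaped as '\|'.
MAPPING_ROWS = [
    ("Azure Security Benchmark",
     "Identity Management | IM-6 | Use strong authentication controls | "
     "Authentication to Linux machines should require SSH keys | 3.0.0 |"),
    ("Azure Security Benchmark",
     "Data Protection | DP-3 | Encrypt sensitive data in transit | "
     "Windows web servers should be configured to use secure communication protocols | 4.0.0 |"),
    ("CMMC Level 3",
     "System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | "
     "Windows web servers should be configured to use secure communication protocols | 4.0.0 |"),
    ("Canada Federal PBMM",
     "Access Control | AC-17(1) | Remote Access \\| Automated Monitoring / Control | "
     "Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |"),
    ("Canada Federal PBMM",
     "Identification and Authentication | IA-5 | Authenticator Management | "
     "Audit Linux machines that have accounts without passwords | 3.0.0 |"),
]

# Constructed stand-ins for `az policy definition list -o json` (only the two fields
# used here). Real `name` values are GUIDs; these are placeholders.
DEFINITIONS = [
    {"name": "placeholder-def-ssh-keys",
     "displayName": "Authentication to Linux machines should require SSH keys"},
    {"name": "placeholder-def-tls",
     "displayName": "Windows web servers should be configured to use secure communication protocols"},
    {"name": "placeholder-def-remote-nopass",
     "displayName": "Audit Linux machines that allow remote connections from accounts without passwords"},
]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc/providers/"
ARC = SUB + "Microsoft.HybridCompute/machines/"

# Constructed stand-ins for `az policy state list -o json` records (subset of fields).
POLICY_STATES = [
    {"resourceId": ARC + "web01", "policyDefinitionName": "placeholder-def-tls", "complianceState": "NonCompliant"},
    {"resourceId": ARC + "web02", "policyDefinitionName": "placeholder-def-tls", "complianceState": "Compliant"},
    {"resourceId": ARC + "lnx01", "policyDefinitionName": "placeholder-def-ssh-keys", "complianceState": "NonCompliant"},
    {"resourceId": ARC + "lnx01", "policyDefinitionName": "placeholder-def-remote-nopass", "complianceState": "Compliant"},
    # An Azure VM rather than an Arc-enabled server: excluded from the Arc report below.
    {"resourceId": SUB + "Microsoft.Compute/virtualMachines/vm01",
     "policyDefinitionName": "placeholder-def-tls", "complianceState": "NonCompliant"},
]

# Assumption: the evaluated resource of an Arc audit record is the machine resource itself.
_ARC_MARKER = "/providers/microsoft.hybridcompute/machines/"


def parse_row(row):
    """Split one table row into (domain, control_id, title, policy, version).

    A literal pipe inside a cell is written as '\\|', so split only on unescaped pipes.
    """
    cells = [c.strip().replace("\\|", "|")
             for c in re.split(r"(?<!\\)\|", row.strip().rstrip("|"))]
    if len(cells) != 5:
        raise ValueError(f"expected 5 cells, got {len(cells)}: {row!r}")
    return tuple(cells)


def controls_for(standard, mapping_rows):
    """Return ({policy display name: [control IDs]}, [control IDs in page order]) for one standard."""
    policy_to_controls = defaultdict(list)
    control_ids = []
    for std, row in mapping_rows:
        if std != standard:
            continue
        _, control_id, _, policy, _ = parse_row(row)
        policy_to_controls[policy].append(control_id)
        if control_id not in control_ids:
            control_ids.append(control_id)
    return policy_to_controls, control_ids


def noncompliant_by_control(standard, mapping_rows=MAPPING_ROWS, definitions=DEFINITIONS, states=POLICY_STATES):
    """Return {control_id: {policy display name: [Arc machine names]}} for NonCompliant evaluations."""
    name_to_display = {d["name"]: d["displayName"] for d in definitions}
    policy_to_controls, _ = controls_for(standard, mapping_rows)
    report = defaultdict(lambda: defaultdict(set))
    for s in states:
        if s["complianceState"] != "NonCompliant":
            continue
        rid = s["resourceId"]
        if _ARC_MARKER not in rid.lower():  # keep Arc-enabled servers only
            continue
        display = name_to_display.get(s["policyDefinitionName"])
        for control_id in policy_to_controls.get(display, []):
            report[control_id][display].add(rid.rsplit("/", 1)[-1])
    return {c: {p: sorted(m) for p, m in pols.items()} for c, pols in report.items()}


def unassessed_controls(standard, mapping_rows=MAPPING_ROWS, definitions=DEFINITIONS, states=POLICY_STATES):
    """Controls whose mapped policies have produced no compliance record at all.

    Silence is not compliance: such a control has not been assessed, usually because the
    policy is not assigned at this scope or Guest Configuration has not reported yet.
    """
    name_to_display = {d["name"]: d["displayName"] for d in definitions}
    evaluated = {name_to_display.get(s["policyDefinitionName"]) for s in states}
    policy_to_controls, control_ids = controls_for(standard, mapping_rows)
    assessed = set()
    for policy, controls in policy_to_controls.items():
        if policy in evaluated:
            assessed.update(controls)
    return [c for c in control_ids if c not in assessed]


if __name__ == "__main__":
    for std in ("Azure Security Benchmark", "CMMC Level 3", "Canada Federal PBMM"):
        print(std, noncompliant_by_control(std), "unassessed:", unassessed_controls(std))
```

To run this against a real tenant, replace `DEFINITIONS` and `POLICY_STATES` with the JSON from `az policy definition list -o json` and `az policy state list -o json` (narrowed with an OData `--filter`, for example on `ResourceType`), and paste the rows for the standard you are reporting on straight from the tables below. The same policy appears under several standards (for example "Windows web servers should be configured to use secure communication protocols" under ASB DP-3, CMMC SC.3.190 and others), so one assignment of that definition feeds every control it is mapped to; a machine failing it shows up under each.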
Australian Government ISM PROTECTED
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Windows machines should meet requirements for 'Security Settings - Account Policies' | 3.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that have accounts without passwords | 3.0.0 |
Azure Security Benchmark
The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Identity Management | IM-6 | Use strong authentication controls | Authentication to Linux machines should require SSH keys | 3.0.0 |
Data Protection | DP-3 | Encrypt sensitive data in transit | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Linux machines should have Log Analytics agent installed on Azure Arc | 1.1.0 |
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Windows machines should have Log Analytics agent installed on Azure Arc | 2.0.0 |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0 |
Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | [Preview]: Machines should be configured to periodically check for missing system updates | 3.0.0-preview |
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | [Preview]: System updates should be installed on your machines (powered by Update Center) | 1.0.0-preview |
Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Endpoint Security | ES-2 | Use modern anti-malware software | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
Endpoint Security | ES-2 | Use modern anti-malware software | Endpoint protection should be installed on your machines | 1.0.0 |
Endpoint Security | ES-2 | Use modern anti-malware software | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Endpoint Security | ES-3 | Ensure anti-malware software and signatures are updated | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
Azure Security Benchmark v1
The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Administrative Templates - Network' | 3.0.0 |
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 3.0.0 |
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Logging and Monitoring | 2.2 | Configure central security log management | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
Logging and Monitoring | 2.4 | Collect security logs from operating systems | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have extra accounts in the Administrators group | 2.0.0 |
Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Canada Federal PBMM
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Access Control | AC-5 | Separation of Duties | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
Access Control | AC-5 | Separation of Duties | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Access Control | AC-6 | Least Privilege | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
Access Control | AC-6 | Least Privilege | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0 |
Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that have accounts without passwords | 3.0.0 |
Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 2.0.0 |
Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
CMMC Level 3
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
Access Control | AC.2.013 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
Access Control | AC.2.013 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0 |
Configuration Management | CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
Configuration Management | CM.2.063 | Control and monitor user-installed software. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | 3.0.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that have accounts without passwords | 3.0.0 |
Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 3.0.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
FedRAMP High
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.
FedRAMP Moderate
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.
HIPAA HITRUST 9.2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
User Identification and Authentication | 11210.01q2Organizational.10 - 01.q | Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
User Identification and Authentication | 11211.01q2Organizational.11 - 01.q | Signed electronic records shall contain information associated with the signing in human-readable format. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Windows machines should meet requirements for 'Security Options - Audit' | 3.0.0 |
06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Windows machines should meet requirements for 'System Audit Policies - Account Management' | 3.0.0 |
06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 3.0.0 |
08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Windows machines should meet requirements for 'Windows Firewall Properties' | 3.0.0 |
08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Audit Windows machines that do not contain the specified certificates in Trusted Root | 3.0.0 |
11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Audit Windows machines that have extra accounts in the Administrators group | 2.0.0 |
11 Access Control | 1125.01q2System.1-01.q | 1125.01q2System.1-01.q 01.05 Operating System Access Control | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
11 Access Control | 1127.01q2System.3-01.q | 1127.01q2System.3-01.q 01.05 Operating System Access Control | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Windows machines should meet requirements for 'Security Options - Accounts' | 3.0.0 |
12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
12 Audit Logging & Monitoring | 1217.09ab3System.3-09.ab | 1217.09ab3System.3-09.ab 09.10 Monitoring | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
12 Audit Logging & Monitoring | 1277.09c2Organizational.4-09.c | 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Windows machines should meet requirements for 'Security Options - Recovery console' | 3.0.0 |
IRS 1075 September 2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.
ISO 27001:2013
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.
New Zealand ISM Restricted
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance standard, see New Zealand ISM Restricted.
NIST SP 800-53 Rev. 5
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.
NZ ISM Restricted v3.5
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NZ ISM Restricted v3.5. For more information about this compliance standard, see NZ ISM Restricted v3.5.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Access Control and Passwords | NZISM Security Benchmark AC-13 | 16.5.10 Authentication | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
Cryptography | NZISM Security Benchmark CR-10 | 17.5.7 Authentication mechanisms | Authentication to Linux machines should require SSH keys | 3.0.0 |
Cryptography | NZISM Security Benchmark CR-8 | 17.4.16 Using TLS | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
Information security monitoring | NZISM Security Benchmark ISM-4 | 6.2.6 Resolving vulnerabilities | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Software security | NZISM Security Benchmark SS-3 | 14.1.9 Maintaining hardened SOEs | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
Software security | NZISM Security Benchmark SS-3 | 14.1.9 Maintaining hardened SOEs | Endpoint protection should be installed on your machines | 1.0.0 |
Software security | NZISM Security Benchmark SS-3 | 14.1.9 Maintaining hardened SOEs | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
PCI DSS 3.2.1
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Requirement 8 | PCI DSS v3.2.1 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
PCI v3.2.1:2018
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI v3.2.1:2018. For more information about this compliance standard, see PCI v3.2.1 2018.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Requirement 8 | PCI DSS v3.2.1 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.3 | PCI DSS requirement 8.2.3 | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
Requirement 8 | PCI DSS v3.2.1 8.2.5 | PCI DSS requirement 8.2.5 | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
Reserve Bank of India - IT Framework for NBFC
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
IT Governance | RBI IT Framework 1 | IT Governance-1 | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Information and Cyber Security | RBI IT Framework 3.3 | Vulnerability Management-3.3 | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Reserve Bank of India IT Framework for Banks v2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).
Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
---|---|---|---|---|
Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 | | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 | | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
Authentication Framework For Customers | Authentication Framework For Customers-9.1 | | Authentication to Linux machines should require SSH keys | 3.0.0 |
Authentication Framework For Customers | Authentication Framework For Customers-9.3 | | Authentication to Linux machines should require SSH keys | 3.0.0 |
Patch/Vulnerability & Change Management | Patch/Vulnerability & Change Management-7.7 | | Authentication to Linux machines should require SSH keys | 3.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.4 | | Authentication to Linux machines should require SSH keys | 3.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.2 | | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.1 | | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
Data Leak Prevention Strategy | Data Leak Prevention Strategy-15.1 | | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
Data Leak Prevention Strategy | Data Leak Prevention Strategy-15.3 | | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
Data Leak Prevention Strategy | Data Leak Prevention Strategy-15.3 | | Endpoint protection should be installed on your machines | 1.0.0 |
Data Leak Prevention Strategy | Data Leak Prevention Strategy-15.1 | | Endpoint protection should be installed on your machines | 1.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.2 | | Endpoint protection should be installed on your machines | 1.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.1 | | Endpoint protection should be installed on your machines | 1.0.0 |
Audit Log Settings | Audit Log Settings-17.1 | | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.1 | | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0 |
Vulnerability Assessment And Penetration Test And Red Team Exercises | Vulnerability Assessment And Penetration Test And Red Team Exercises-18.4 | | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Preventing Execution Of Unauthorised Software | Security Update Management-2.3 | | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Patch/Vulnerability & Change Management | Patch/Vulnerability & Change Management-7.1 | | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Patch/Vulnerability & Change Management | Patch/Vulnerability & Change Management-7.2 | | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Patch/Vulnerability & Change Management | Patch/Vulnerability & Change Management-7.6 | | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Data Leak Prevention Strategy | Data Leak Prevention Strategy-15.3 | | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Data Leak Prevention Strategy | Data Leak Prevention Strategy-15.1 | | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Secure Configuration | Secure Configuration-5.1 | | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.2 | | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.1 | | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
Audit Log Settings | Audit Log Settings-17.1 | | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.1 | | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.2 | | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
Advanced Real-Time Threat Defence and Management | Advanced Real-Timethreat Defenceand Management-13.4 | | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
UK OFFICIAL and UK NHS
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.
Next steps
- Learn more about Azure Policy Regulatory Compliance.
- See the built-ins on the Azure Policy GitHub repo.