Azure Policy Regulatory Compliance controls for Azure Arc enabled servers

Regulatory Compliance in Azure Policy provides Microsoft-created and -managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Arc enabled servers. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Identity Management | IM-4 | Use strong authentication controls for all Azure Active Directory based access | Authentication to Linux machines should require SSH keys | 2.0.1 |
| Data Protection | DP-4 | Encrypt sensitive information in transit | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent should be installed on your Linux Azure Arc machines | 1.0.0-preview |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent should be installed on your Windows Azure Arc machines | 1.0.0-preview |
| Posture and Vulnerability Management | PV-4 | Sustain secure configurations for compute resources | Linux machines should meet requirements for the Azure security baseline | 1.1.0-preview |
| Posture and Vulnerability Management | PV-4 | Sustain secure configurations for compute resources | Windows machines should meet requirements of the Azure Security Center baseline | 1.0.0-preview |
| Posture and Vulnerability Management | PV-6 | Perform software vulnerability assessments | Vulnerabilities on your SQL servers on machine should be remediated | 1.0.0 |
| Endpoint Security | ES-2 | Use centrally managed modern anti-malware software | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Administrative Templates - Network' | 2.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 2.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have extra accounts in the Administrators group | 1.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'User Rights Assignment' | 2.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 2.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'User Rights Assignment' | 2.0.0 |
| Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure security baseline | 1.1.0-preview |
| Configuration Management | CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 2.0.0 |
| Configuration Management | CM.2.063 | Control and monitor user-installed software. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0 |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | 2.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Privilege Management | 1148.01c2System.78 - 01.c | The organization restricts access to privileged functions and all security-relevant information. | Windows machines should meet requirements for 'Security Options - Accounts' | 2.0.0 |
| User Identification and Authentication | 11210.01q2Organizational.10 - 01.q | Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| User Identification and Authentication | 11211.01q2Organizational.11 - 01.q | Signed electronic records shall contain information associated with the signing in human-readable format. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| User Identification and Authentication | 1123.01q1System.2 - 01.q | Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions. | Audit Windows machines that have extra accounts in the Administrators group | 1.0.0 |
| User Identification and Authentication | 1125.01q2System.1 - 01.q | Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access). | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| User Identification and Authentication | 1127.01q2System.3 - 01.q | Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Monitoring System Use | 12102.09ab1Organizational.4 - 09.ab | The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes. | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Monitoring System Use | 1217.09ab3System.3 - 09.ab | Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations. | Audit Windows machines on which the Log Analytics agent is not connected as expected | 1.0.0 |
| Segregation of Duties | 1232.09c3Organizational.12 - 09.c | Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. | Windows machines should meet requirements for 'User Rights Assignment' | 2.0.0 |
| Segregation of Duties | 1277.09c2Organizational.4 - 09.c | The initiation of an event is separated from its authorization to reduce the possibility of collusion. | Windows machines should meet requirements for 'Security Options - User Account Control' | 2.0.0 |
| Network Controls | 0858.09m1Organizational.4 - 09.m | The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. | Windows machines should meet requirements for 'Windows Firewall Properties' | 2.0.0 |
| Network Controls | 0861.09m2Organizational.67 - 09.m | To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. | Windows machines should meet requirements for 'Security Options - Network Access' | 2.0.0 |
| On-line Transactions | 0945.09y1Organizational.3 - 09.y | Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). | Audit Windows machines that do not contain the specified certificates in Trusted Root | 1.0.1 |
| Control of Operational Software | 0605.10h1System.12 - 10.h | Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. | Windows machines should meet requirements for 'Security Options - Audit' | 2.0.0 |
| Control of Operational Software | 0605.10h1System.12 - 10.h | Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. | Windows machines should meet requirements for 'System Audit Policies - Account Management' | 2.0.0 |
| Change Control Procedures | 0635.10k1Organizational.12 - 10.k | Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0636.10k2Organizational.1 - 10.k | The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management (e.g., through policies, standards, processes). | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0637.10k2Organizational.2 - 10.k | The organization has developed, documented, and implemented a configuration management plan for the information system. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0638.10k2Organizational.34569 - 10.k | Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0639.10k2Organizational.78 - 10.k | Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0640.10k2Organizational.1012 - 10.k | Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0641.10k2Organizational.11 - 10.k | The organization does not use automated updates on critical systems. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0642.10k3Organizational.12 - 10.k | The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0643.10k3Organizational.3 - 10.k | The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Change Control Procedures | 0644.10k3Organizational.4 - 10.k | The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions. | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 2.0.0 |
| Control of Technical Vulnerabilities | 0709.10m1Organizational.1 - 10.m | Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 2.0.0 |
| Business Continuity and Risk Assessment | 1637.12b2Organizational.2 - 12.b | Business impact analysis are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. | Windows machines should meet requirements for 'Security Options - Recovery console' | 2.0.0 |

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access control | 9.1.2 | Access to networks and network services | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |

New Zealand ISM Restricted

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance standard, see New Zealand ISM Restricted.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control and Passwords | AC-2 | 16.1.32 System User Identification | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control and Passwords | AC-2 | 16.1.32 System User Identification | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Access Control and Passwords | AC-2 | 16.1.32 System User Identification | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control and Passwords | AC-2 | 16.1.32 System User Identification | Audit Windows machines that have extra accounts in the Administrators group | 1.0.0 |
| Access Control and Passwords | AC-2 | 16.1.32 System User Identification | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control and Passwords | AC-4 | 16.1.40 Password selection policy | Windows machines should meet requirements for 'Security Settings - Account Policies' | 2.0.0 |
| Access Control and Passwords | AC-9 | 16.3.5 Use of Privileged Accounts | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control and Passwords | AC-9 | 16.3.5 Use of Privileged Accounts | Audit Windows machines that have extra accounts in the Administrators group | 1.0.0 |
| Access Control and Passwords | AC-9 | 16.3.5 Use of Privileged Accounts | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Cryptography | CR-6 | 17.4.16 Using TLS | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| Data management | DM-4 | 20.3.10 Antivirus scans | Windows Defender Exploit Guard should be enabled on your machines | 1.1.1 |
| Data management | DM-6 | 20.4.4 Database files | Windows web servers should be configured to use secure communication protocols | 2.0.0 |

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 2.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows web servers should be configured to use secure communication protocols | 2.0.0 |

NIST SP 800-53 R4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 R4. For more information about this compliance standard, see NIST SP 800-53 R4.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-5 | Separation of Duties | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | AC-5 | Separation of Duties | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | AC-6 (7) | Least Privilege \| Review of User Privileges | Audit Windows machines missing any of specified members in the Administrators group | 1.0.0 |
| Access Control | AC-6 (7) | Least Privilege \| Review of User Privileges | Audit Windows machines that have the specified members in the Administrators group | 1.0.0 |
| Access Control | AC-17 (1) | Remote Access \| Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that have accounts without passwords | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 1.0.0 |
| Identification and Authentication | IA-5 (1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 1.0.0 |
| System and Communications Protection | SC-8 (1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 2.0.0 |

Next steps