Родитель
daf3fdd277
Коммит
512db5da5c
|
@ -2814,6 +2814,120 @@
|
|||
},
|
||||
"name": "Deploy-Diagnostics-AA"
|
||||
},
|
||||
{
|
||||
"properties": {
|
||||
"displayName": "RDP access from the Internet should be blocked",
|
||||
"description": "This policy denies any network security rule that allows RDP access from Internet",
|
||||
"mode": "All",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"category": "Network"
|
||||
},
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Effect",
|
||||
"description": "Enable or disable the execution of the policy"
|
||||
},
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
],
|
||||
"defaultValue": "Deny"
|
||||
}
|
||||
},
|
||||
"policyRule": {
|
||||
"if": {
|
||||
"allOf": [
|
||||
{
|
||||
"field": "type",
|
||||
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
|
||||
},
|
||||
{
|
||||
"allOf": [
|
||||
{
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
|
||||
"equals": "Allow"
|
||||
},
|
||||
{
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
|
||||
"equals": "Inbound"
|
||||
},
|
||||
{
|
||||
"anyOf": [
|
||||
{
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
|
||||
"equals": "*"
|
||||
},
|
||||
{
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
|
||||
"equals": "3389"
|
||||
},
|
||||
{
|
||||
"value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
|
||||
"equals": "true"
|
||||
},
|
||||
{
|
||||
"count": {
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
|
||||
"where": {
|
||||
"value": "[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
|
||||
"equals": "true"
|
||||
}
|
||||
},
|
||||
"greater": 0
|
||||
},
|
||||
{
|
||||
"not": {
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
|
||||
"notEquals": "*"
|
||||
}
|
||||
},
|
||||
{
|
||||
"not": {
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
|
||||
"notEquals": "3389"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"anyOf": [
|
||||
{
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
|
||||
"equals": "*"
|
||||
},
|
||||
{
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
|
||||
"equals": "Internet"
|
||||
},
|
||||
{
|
||||
"not": {
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
|
||||
"notEquals": "*"
|
||||
}
|
||||
},
|
||||
{
|
||||
"not": {
|
||||
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
|
||||
"notEquals": "Internet"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"then": {
|
||||
"effect": "[[parameters('effect')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"name": "Deny-RDP-From-Internet"
|
||||
},
|
||||
{
|
||||
"properties": {
|
||||
"Description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
|
||||
|
@ -17153,4 +17267,4 @@
|
|||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
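Review bot: The source-side match in the new Deny-RDP-From-Internet rule (the `anyOf` under `sourceAddressPrefix` / `sourceAddressPrefixes[*]`) only recognises `*` and `Internet`, so an inbound Allow rule for port 3389 whose source is written as the equivalent CIDR `0.0.0.0/0` (or `::/0`) is not denied or audited by this policy, which undercuts the "denies any network security rule that allows RDP access from Internet" promise in its description. Adding the CIDR spellings to both the scalar and the `[*]` branches closes that gap without changing how the existing four entries behave. Separately, the policy that starts at the end of this hunk uses `"Description"` while this one uses `"description"`; the property matching is presumably case-insensitive on the ARM side, but the file should pick one casing. The definition of that following policy continues outside the hunk.
```json
"anyOf": [
  { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "0.0.0.0/0" },
  { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "::/0" },
  { "not": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", "notEquals": "0.0.0.0/0" } },
  { "not": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", "notEquals": "::/0" } }
```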
|
|
@ -17267,4 +17267,4 @@
|
|||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|