From daf3fdd2776baf01fae8351dfdbe6855b1108130 Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Mon, 14 Dec 2020 08:25:40 +0100
Subject: [PATCH] reverting to custom policy to deny RDP (#350)
* reverting to custom policy to deny RDP
* update to built-in backup
* custom deny RPD for identity
---
 .../armTemplates/auxiliary/identity.json | 4 +-
 .../wingtip/armTemplates/auxiliary/lz.json | 14 ++-
 .../armTemplates/auxiliary/policies.json | 114 ++++++++++++++++++
 .../wingtip/armTemplates/es-foundation.json | 2 +-
 4 files changed, 130 insertions(+), 4 deletions(-)
diff --git a/docs/reference/adventureworks/armTemplates/auxiliary/identity.json b/docs/reference/adventureworks/armTemplates/auxiliary/identity.json
index ff208891..328f09bc 100644
--- a/docs/reference/adventureworks/armTemplates/auxiliary/identity.json
+++ b/docs/reference/adventureworks/armTemplates/auxiliary/identity.json
@@ -44,8 +44,8 @@
 "policyDefinitions": {
 "denySubnetWithoutNsg": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg')]",
 "denyPip": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP')]",
- "denyRdp": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
- "deployVmBackup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-AzureBackup-on-VM')]"
+ "denyRdp": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet')]",
+ "deployVmBackup": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86"
 },
 "policyAssignmentNames": {
 "denySubnetWithoutNsg": "Deny-Subnet-Without-Nsg",
diff --git a/docs/reference/wingtip/armTemplates/auxiliary/lz.json b/docs/reference/wingtip/armTemplates/auxiliary/lz.json
index eef9d30d..0b8f224e 100644
--- a/docs/reference/wingtip/armTemplates/auxiliary/lz.json
+++ b/docs/reference/wingtip/armTemplates/auxiliary/lz.json
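Review bot: The new `denyRdp` value in the adventureworks identity template resolves to a custom definition `Deny-RDP-From-Internet` under `topLevelManagementGroupPrefix`, but this commit only adds that definition to `docs/reference/wingtip/armTemplates/auxiliary/policies.json` (see the diffstat), so unless the adventureworks policies template already carries it the assignment will fail on an unresolvable `policyDefinitionId`. Either add the same definition to the adventureworks policies template in this change or keep identity.json on a built-in until it exists there. The `deployVmBackup` swap to built-in `98d0b9f8-…` is fine as a reference; if that built-in is a DeployIfNotExists policy, its assignment (outside this hunk) needs `identity` and `location` plus a role grant, which is worth confirming. The `policyDefinitions` variable object this hunk edits starts before the hunk.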
@@ -100,7 +100,7 @@
 "policyDefinitions": {
 "deployVmBackup": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
 "denySubnetWithoutNsg": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg')]",
- "denyRdp": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
+ "denyRdp": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet')]",
 "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
 "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
 "deploySqlSecurity": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036",
@@ -139,6 +139,18 @@
 //"blankTemplateEscaped": "{\"$schema\":\"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{},\"variables\":{},\"resources\":[],\"outputs\":{}}"
 },
 "resources": [
+ {
+ "condition": "[equals(parameters('denyRdp'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2018-05-01",
+ "name": "[variables('policyAssignmentNames').denyRdp]",
+ "properties": {
+ "description": "Deny-RDP-from-Internet",
+ "displayName": "Deny-RDP-from-Internet",
+ "policyDefinitionId": "[variables('policyDefinitions').denyRdp]",
+ "scope": "[variables('scope')]"
+ }
+ },
 {
 "condition": "[equals(parameters('enableVmBackup'), 'Yes')]",
 "type": "Microsoft.Authorization/policyAssignments",
diff --git a/docs/reference/wingtip/armTemplates/auxiliary/policies.json b/docs/reference/wingtip/armTemplates/auxiliary/policies.json
index 20baa2bc..54c33b4b 100644
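Review bot: The new `denyRdp` assignment passes no `parameters`, so enforcement depends entirely on the definition's `defaultValue` of `Deny`; pin it in the assignment with `"parameters": { "effect": { "value": "Deny" } }` so a later edit to the definition default cannot silently downgrade landing zones to Audit. The `description` merely repeats `displayName`; `"description": "Denies inbound NSG rules that allow RDP (3389) from * or Internet"` tells an operator what is actually blocked. The referenced definition lives at the `topLevelManagementGroupPrefix` scope and is created by policies.json, so I assume the caller orders that deployment before this one — not visible here. `parameters('denyRdp')`, `variables('policyAssignmentNames').denyRdp` and `variables('scope')` are all declared outside this hunk.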
--- a/docs/reference/wingtip/armTemplates/auxiliary/policies.json
+++ b/docs/reference/wingtip/armTemplates/auxiliary/policies.json
@@ -2814,6 +2814,120 @@
 },
 "name": "Deploy-Diagnostics-AA"
 },
+ {
+ "properties": {
+ "displayName": "RDP access from the Internet should be blocked",
+ "description": "This policy denies any network security rule that allows RDP access from Internet",
+ "mode": "All",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
+ "equals": "Allow"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
+ "equals": "Inbound"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "3389"
+ },
+ {
+ "value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
+ "equals": "true"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "where": {
+ "value": "[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
+ "equals": "true"
+ }
+ },
+ "greater": 0
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "3389"
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "Internet"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "Internet"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-RDP-From-Internet"
+ },
 {
 "properties": {
 "Description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
diff --git a/docs/reference/wingtip/armTemplates/es-foundation.json b/docs/reference/wingtip/armTemplates/es-foundation.json
index c5278fd1..8501f65c 100644
--- a/docs/reference/wingtip/armTemplates/es-foundation.json
+++ b/docs/reference/wingtip/armTemplates/es-foundation.json
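Review bot: The source-address `anyOf` in the new `Deny-RDP-From-Internet` rule only matches `*` and `Internet`, so an inbound Allow on 3389 whose `sourceAddressPrefix` is `0.0.0.0/0` (or whose `sourceAddressPrefixes` contains it) passes the policy despite being the same exposure; add `{ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "0.0.0.0/0" }` and the matching `{ "not": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", "notEquals": "0.0.0.0/0" } }` branches next to the existing ones. The rule does not look at `protocol`, so a UDP- or ICMP-only allow on 3389 is denied too; that is the safe direction but should be stated in `description`, e.g. `"description": "Denies any inbound NSG rule (any protocol) that allows port 3389 from *, Internet or 0.0.0.0/0"`. Because the outer `if` matches only the `Microsoft.Network/networkSecurityGroups/securityRules` type, rules declared inline in an NSG's `properties.securityRules` array are presumably not evaluated by this definition — confirm whether that path is in scope and, if so, add a second branch over `Microsoft.Network/networkSecurityGroups` using the `securityRules[*]` aliases.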
@@ -522,7 +522,7 @@
 }
 },
 {
- "condition": "[or(or(or(or(or(or(equals(parameters('enableVmBackup'), 'Yes'), equals(parameters('enableSqlAudit'), 'Yes')), equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyHttpIngressForAks'), 'Yes')), equals(parameters('denyAksPrivileged'), 'Yes'), equals(parameters('denyAksPrivileged'), 'Yes')), equals(parameters('denySubnetWithoutNsg'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')), equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Yes')), equals(parameters('enableSqlEncryption'), 'Yes'), equals(parameters('enableStorageHttps'), 'Yes'))]",
+ "condition": "[or(or(or(or(or(or(or(equals(parameters('denyIpForwarding'), 'Yes'), equals(parameters('denyRdp'), 'Yes')), equals(parameters('enableSqlAudit'), 'Yes')), equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyHttpIngressForAks'), 'Yes')), equals(parameters('denyAksPrivileged'), 'Yes'), equals(parameters('denyAksPrivileged'), 'Yes')), equals(parameters('denySubnetWithoutNsg'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')), equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Yes')), equals(parameters('enableSqlEncryption'), 'Yes'), equals(parameters('enableStorageHttps'), 'Yes'))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2019-05-01",
 "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'), '-landingzones')]",
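Review bot: The rewritten `condition` drops `equals(parameters('enableVmBackup'), 'Yes')` while adding `denyIpForwarding` and `denyRdp`, so a deployment where only VM backup is enabled no longer triggers this nested deployment; the lz.json hunk in this same commit still carries an assignment gated on `enableVmBackup`, and this deployment appears to be the one that applies lz.json at the `-landingzones` scope, so that assignment would silently never be created. Re-add the term, e.g. `"condition": "[or(equals(parameters('enableVmBackup'), 'Yes'), or(or(or(or(or(or(or(equals(parameters('denyIpForwarding'), 'Yes'), … existing expression …)))]"`. ARM's `or()` accepts any number of arguments, so the seven nested `or(or(...))` calls — which still list `denyAksPrivileged` and `enableVmMonitoring` twice — could be flattened to one `or(...)` naming each parameter once, which would have made the dropped term obvious in review. The `Microsoft.Resources/deployments` resource this condition belongs to continues past the hunk.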