ausgovcaf-cloudsoe/docs/ism-guidelines.md

# ISM guideline mapping (October 2020)

Use the following table to understand how features of the CloudSOE prototype relate to ISM guidelines. "N/A" means that no measure or feature of the CloudSOE was implemented specifically to address the guideline.

| Identifier | Description | Measures |
|---|---|---|
| 1163 | Systems have a continuous monitoring plan that includes:<br>• conducting vulnerability scans for systems at least monthly<br>• conducting vulnerability assessments or penetration tests for systems at least annually<br>• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls<br>• using a risk-based approach to prioritise the implementation of identified mitigations. | 1. Azure Defender for Servers is enabled, providing proactive configuration recommendations.<br>2. Assigns the Azure Policy: Deploy Qualys vulnerability assessment solution on virtual machines |
| 0810 | Any facility containing a system, including a deployable system, is certified and accredited to at least the sensitivity or classification of the system. | Users can select which regions the Shared Image Gallery replicates to. By default, these are Australia Central, Australia Central 2, Australia East and Australia Southeast. |
| 0341 | Any automatic execution features for media are disabled in the operating system of systems. | Windows - All:<br>1. Azure Image Builder customisation disables autorun in the OS.<br>2. Guest Configuration policy is used to verify that autorun is disabled (audit only) |
| 1406 | SOEs are used for workstations and servers. | This prototype is intended to bootstrap this requirement. |
| 1608 | SOEs provided by third parties are scanned for malicious content and configurations before being used. | This prototype is provided in the form of Infrastructure-as-Code to simplify inspection. |
| 1407 | The latest version (N), or N-1 version, of an operating system is used for SOEs. | Windows - All:<br>Azure Image Builder produces a Windows Server 2022 image. |
| 1408 | When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used. | Windows - All:<br>Source images used by Azure Image Builder are all 64-bit. |
| 1409 | ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems. | Windows - Server 2016:<br>1. Windows Server 2016 SCT baseline settings partially implemented in Azure Image Builder customisation<br>2. Windows Server 2016 SCT baseline settings partially implemented in Guest Configuration policy (audit only)<br><br>Windows - Server 2019:<br>1. Windows Server 2019 SCT baseline settings partially implemented in Azure Image Builder customisation<br>2. Windows Server 2019 SCT baseline settings partially implemented in Guest Configuration policy (audit only)<br><br>Windows - Server 2022:<br>1. Windows Server 2022 SCT baseline settings partially implemented in Azure Image Builder customisation<br>2. Windows Server 2022 SCT baseline settings partially implemented in Guest Configuration policy (audit only) |
| 1491 | Standard users are prevented from running script execution engines in Microsoft Windows, including:<br>• Windows Script Host (cscript.exe and wscript.exe)<br>• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)<br>• Command Prompt (cmd.exe)<br>• Windows Management Instrumentation (wmic.exe)<br>• Microsoft HTML Application Host (mshta.exe). | Windows - All:<br>Azure Image Builder customisation includes AppLocker configuration to block these script execution engines for standard users |
| 0843 | Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All:<br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft-published user-mode and kernel-mode block lists are used as the base rule set. The Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks |
| 1490 | Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All:<br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft-published user-mode and kernel-mode block lists are used as the base rule set. The Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks |
| 0955 | Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules. | Windows - All:<br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft-published user-mode and kernel-mode block lists are used as the base rule set. The Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks |
| 1471 | When implementing application control using publisher certificate rules, both publisher names and product names are used. | Windows - All:<br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft-published user-mode and kernel-mode block lists are used as the base rule set. The Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks |
| 1392 | When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute. | Windows - All:<br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft-published user-mode and kernel-mode block lists are used as the base rule set. The Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks |
| 1544 | Microsoft's latest recommended block rules are implemented to prevent application control bypasses. | Windows - All:<br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft-published user-mode and kernel-mode block lists are used as the base rule set. The Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks |
| 0846 | All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control. | Windows - All:<br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft-published user-mode and kernel-mode block lists are used as the base rule set. The Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks |
| 0957 | Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file. | Windows - All:<br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft-published user-mode and kernel-mode block lists are used as the base rule set. The Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from the Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks |
| 1414 | If supported, the latest version of Microsoft's EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures. | Windows - All:<br>Azure Image Builder customisation enables Exploit Protection with a sample rule set. |
| 1492 | If supported, Microsoft's exploit protection functionality is implemented on workstations and servers. | Windows - All:<br>Azure Image Builder customisation enables Exploit Protection with a sample rule set. |
| 1621 | PowerShell 2.0 and below is removed from operating systems. | Windows - Server:<br>Implements Guest Configuration policy to validate that PowerShell 2.0 is not installed (audit only)<br><br>Note: This functionality currently does not work due to an upstream bug. |
| 1622 | PowerShell is configured to use Constrained Language Mode. | Windows - All:<br>Azure Image Builder customisation includes enablement of WDAC in Audit mode. |
| 1623 | PowerShell is configured to use module logging, script block logging and transcription functionality. | Windows - All:<br>1. Azure Image Builder customisation enables Script Block Logging, Module Logging and Transcription.<br>2. Use Guest Configuration policy to validate logging enablement (audit only) |
| 1416 | A software firewall is implemented on workstations and servers to limit both inbound and outbound network connections. | Windows - All:<br>1. Assigns built-in Azure Policy: Windows machines should meet requirements for 'Windows Firewall Properties'<br>2. Azure Image Builder customisation assigns firewall delta settings to match the above policy. |
| 1417 | Antivirus software is implemented on workstations and servers and configured with:<br>• signature-based detection enabled and set to a high level<br>• heuristic-based detection enabled and set to a high level<br>• detection signatures checked for currency and updated on at least a daily basis<br>• automatic and regular scanning configured for all fixed disks and removable media. | Prototype enables Azure Defender for Servers. |
| 1390 | Antivirus software has reputation rating functionality enabled. | Prototype enables Azure Defender for Servers. |
| 0938 | Applications are chosen from vendors that have made a commitment to secure development and maintenance practices. | Prototype uses Windows Server OS. |
| 1412 | ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers. | Windows - All:<br>1. Use Azure Image Builder to set the Internet Explorer SCT baseline settings.<br>2. Creates a Guest Configuration policy to audit compliance with the Internet Explorer SCT baseline.<br><br>Important: Microsoft Office and PDF viewers are not considered. |
| 1484 | Web browsers are configured to block or disable support for Flash content. | Windows - All:<br>1. Use Azure Image Builder to set the Internet Explorer SCT baseline settings.<br>2. Creates a Guest Configuration policy to audit compliance with the Internet Explorer SCT baseline. |
| 1486 | Web browsers are configured to block Java from the internet. | Windows - All:<br>1. Use Azure Image Builder to set the Internet Explorer SCT baseline settings.<br>2. Creates a Guest Configuration policy to audit compliance with the Internet Explorer SCT baseline. |
| 1601 | If supported, Microsoft's Attack Surface Reduction rules are implemented. | Windows - Server 2019 and Server 2022:<br>All Microsoft ASR rules are enabled in Azure Image Builder customisation. |
| 0421 | Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words. | Windows - All:<br>1. Azure Image Builder customisation sets the minimum password length to 14.<br>2. A Guest Configuration policy validates that the minimum password length has been configured to 14 characters (audit only) |
| 1403 | Accounts are locked out after a maximum of five failed logon attempts. | Windows - All:<br>Use Azure Image Builder to set the account lockout threshold value. |
| 0431 | Repeated account lockouts are investigated before reauthorising access. | Windows - All:<br>1. Use Azure Image Builder to enable Windows advanced audit logging, and enable the advanced audit subcategories User Account Management (success) and Logon (failure).<br>2. Set Azure Monitor Logs to collect common Security event logs.<br>3. Surface failed logins and account lockout events in Azure Monitor Workbooks |
| 1055 | LAN Manager and NT LAN Manager authentication methods are disabled. | Windows - All:<br>1. Azure Image Builder customisation enables NTLM audit logging.<br>2. A Guest Configuration policy is assigned that verifies NTLM audit logging is enabled (audit only)<br><br>Windows - Server 2016:<br>A subset of the Windows Server 2016 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5 (Send NTLMv2 responses only. Refuse LM & NTLM).<br><br>Windows - Server 2019:<br>A subset of the Windows Server 2019 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5 (Send NTLMv2 responses only. Refuse LM & NTLM).<br><br>Windows - Server 2022:<br>A subset of the Windows Server 2022 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5 (Send NTLMv2 responses only. Refuse LM & NTLM). |
| 0428 | Systems are configured with a session or screen lock that:<br>• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user<br>• completely conceals all information on the screen<br>• ensures that the screen does not enter a power saving state before the screen or session lock is activated<br>• requires the user to reauthenticate to unlock the system<br>• denies users the ability to disable the session or screen locking mechanism. | Windows - All:<br>1. Azure Image Builder customisation sets an RDP timeout value.<br>2. Guest Configuration policy validates (audit only) that the RDP timeout value is configured. |
| 0408 | Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted. | Windows - All:<br>1. Azure Image Builder customisation sets a logon banner via a static registry entry.<br>2. Azure Guest Configuration policy (audit only) validates that a specific logon banner is used. |
| 1493 | A software register, including versions and patch histories of applications, drivers, operating systems and firmware for workstations, servers, mobile devices, network devices and all other ICT equipment, is maintained and regularly audited. | Windows - All:<br>Azure Monitor Workbook surfaces a summary report of install count of software by title and version. |
| 1494 | Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. | Windows - All:<br>1. Update Management solution is enabled. Automatic update is enabled with two configured schedules, with each schedule conditional on the AutoUpdateGroup tag of the VM.<br>2. Multiple views are configured in Azure Monitor Workbooks to show update compliance state. |
| 1495 | Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users. | Windows - All:<br>1. Update Management solution is enabled. Automatic update is enabled with two configured schedules, with each schedule conditional on the AutoUpdateGroup tag of the VM.<br>2. Multiple views are configured in Azure Monitor Workbooks to show update compliance state. |
| 1496 | Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users. | Windows - All:<br>1. Update Management solution is enabled. Automatic update is enabled with two configured schedules, with each schedule conditional on the AutoUpdateGroup tag of the VM.<br>2. Multiple views are configured in Azure Monitor Workbooks to show update compliance state. |
| 1498 | A centralised and managed approach is used to patch or update operating systems and firmware. | Windows - All:<br>1. Update Management solution is enabled. Automatic update is enabled with two configured schedules, with each schedule conditional on the AutoUpdateGroup tag of the VM.<br>2. Multiple views are configured in Azure Monitor Workbooks to show update compliance state. |
| 1499 | An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used. | Windows - All:<br>1. Update Management solution is enabled. Automatic update is enabled with two configured schedules, with each schedule conditional on the AutoUpdateGroup tag of the VM.<br>2. Multiple views are configured in Azure Monitor Workbooks to show update compliance state. |
| 1500 | An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place. | Windows - All:<br>1. Update Management solution is enabled. Automatic update is enabled with two configured schedules, with each schedule conditional on the AutoUpdateGroup tag of the VM.<br>2. Multiple views are configured in Azure Monitor Workbooks to show update compliance state. |
| 0304 | Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions. | Windows - All:<br>Azure Monitor Workbook surfaces a summary report of install count of software by title and version. |
| 1501 | Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions. | Windows - All:<br>Azure Monitor Workbook surfaces a summary report of all VM instances and the OS version they use. |
| 1405 | A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs. | Deployed virtual machines send logs to an Azure Monitor Logs workspace. |
| 0584 | For any system requiring authentication, logon, failed logon and logoff events are logged. | Windows - All:<br>1. Azure Image Builder customisation enables advanced audit logging with the Logon subcategory.<br>2. Azure Monitor Logs is configured to collect common security logs. |
| 0582 | The following events are logged for operating systems:<br>• access to important data and processes<br>• application crashes and any error messages<br>• attempts to use special privileges<br>• changes to accounts<br>• changes to security policy<br>• changes to system configurations<br>• Domain Name System (DNS) and Hypertext Transfer Protocol requests<br>• failed attempts to access data and system resources<br>• service failures and restarts<br>• system startup and shutdown<br>• transfer of data to and from external media<br>• user or group management<br>• use of special privileges. | Windows - All:<br>Azure Defender is configured to collect Common security logs.<br><br>Note: Setting Azure Defender event collection to "Common" may not collect all event IDs necessary to identify the events described in the guideline. Review the Azure Defender event collection setting and add Azure Monitor Data Collection Rules as necessary. |
| 0521 | IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used. | Windows - All:<br>Azure Monitor Workbook surfaces all Windows systems which are attached to IPv4-only virtual networks but do not have IPv6 disabled. |
| 1428 | Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment. | Windows - All:<br>Azure Monitor Logs Change Tracking solution is enabled. Change tracking is enabled for HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters. Azure Monitor Workbook surfaces Windows systems without IPv6 tunnel protocols disabled. |
| 1311 | SNMP version 1 and 2 are not used on networks. | Windows - All:<br>Azure Image Builder customisation disables the snmptrap service. |
| 1312 | All default SNMP community strings on network devices are changed and have write access disabled. | Windows - All:<br>Azure Image Builder customisation disables the snmptrap service. |
| 0459 | Encryption software used for data at rest implements full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition. | Assigns Azure Policy: Disk encryption should be applied on virtual machines |
| 1446 | When using elliptic curve cryptography, a curve from FIPS 186-4 is used. | Azure Image Builder produces a Windows Server 2019 image. |
| 1139 | Only the latest version of TLS is used. | Windows - All:<br>1. Azure Image Builder disables all SSL/TLS versions prior to TLS 1.2. .NET applications are configured to use the version stipulated in the registry and not to allow downgrade. Enables SCHANNEL auditing.<br>2. Enables Guest Configuration policy to validate that legacy TLS versions are disabled and SCHANNEL auditing is enabled (audit only)<br>3. Azure Monitor Workbooks surface TLS handshake protocol and ciphers. |
| 1369 | AES in Galois Counter Mode is used for symmetric encryption. | Windows - All:<br>Azure Monitor Workbooks surface TLS handshake protocol and ciphers. |
| 1372 | DH or ECDH is used for key establishment. | Windows - All:<br>Azure Monitor Workbooks surface TLS handshake protocol and ciphers. |
| 1373 | Anonymous DH is not used. | Windows - All:<br>Azure Monitor Workbooks surface TLS handshake protocol and ciphers. |
| 0494 | Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used. | Windows - All:<br>1. Enable advanced audit policy and enable auditing for the IPsec Quick Mode and IPsec Main Mode subcategories<br>2. Implement IPsec Audit Logging Guest Configuration policy (audit mode)<br>3. Surface IPsec SAs that use transport mode in Azure Monitor Logs |
| 0496 | The ESP protocol is used for IPsec connections. | Windows - All:<br>1. Enable advanced audit policy and enable auditing for the IPsec Quick Mode and IPsec Main Mode subcategories<br>2. Implement IPsec Audit Logging Guest Configuration policy (audit mode)<br>3. Surface IPsec SAs that do not apply ESP in Azure Monitor Logs |
| 1233 | IKE is used for key exchange when establishing an IPsec connection. | Windows - All:<br>1. Enable advanced audit policy and enable auditing for the IPsec Quick Mode and IPsec Main Mode subcategories<br>2. Implement IPsec Audit Logging Guest Configuration policy (audit mode)<br>3. Surface IPsec SAs with no IKE in Azure Monitor Logs |
| 0498 | A security association lifetime of less than four hours, or 14400 seconds, is used. | Windows - All:<br>1. Enable advanced audit policy and enable auditing for the IPsec Quick Mode and IPsec Main Mode subcategories<br>2. Implement IPsec Audit Logging Guest Configuration policy (audit mode)<br>3. Surface IPsec Main Mode SAs with long lifetimes in Azure Monitor Logs |
| 0998 | HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 is used as a HMAC algorithm. | Windows - All:<br>1. Enable advanced audit policy and enable auditing for the IPsec Quick Mode and IPsec Main Mode subcategories<br>2. Implement IPsec Audit Logging Guest Configuration policy (audit mode)<br>3. Surface IPsec Main Mode SAs whose HMAC is not SHA-256 or SHA-384 in Azure Monitor Logs |
| 0999 | The largest modulus size possible for all relevant components in the network is used when conducting a key exchange. | Windows - All:<br>1. Enable advanced audit policy and enable auditing for the IPsec Quick Mode and IPsec Main Mode subcategories<br>2. Implement IPsec Audit Logging Guest Configuration policy (audit mode)<br>3. Surface use of low-modulus DH groups for IPsec SAs in Azure Monitor Logs |