api-version=2021-06-01
{ 7 items displayName: "[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'" , policyType: "BuiltIn" , mode: "Indexed" , description: "This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol" , metadata: { 4 items version: "1.2.0-deprecated" , category: "Guest Configuration" , requiredProviders: [ 1 item "Microsoft.GuestConfiguration" ] , deprecated: true } , parameters: { 17 items UsersOrGroupsThatMayAccessThisComputerFromTheNetwork: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may access this computer from the network" , description: "Specifies which remote users on the network are permitted to connect to the computer. This does not include Remote Desktop Connection." } , defaultValue: "Administrators, Authenticated Users" } , UsersOrGroupsThatMayLogOnLocally: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may log on locally" , description: "Specifies which users or groups can interactively log on to the computer. Users who attempt to log on via Remote Desktop Connection or IIS also require this user right." } , defaultValue: "Administrators" } , UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may log on through Remote Desktop Services" , description: "Specifies which users or groups are permitted to log on as a Terminal Services client, Remote Desktop, or for Remote Assistance." 
} , defaultValue: "Administrators, Remote Desktop Users" } , UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork: { 3 items type: "String" , metadata: { 2 items displayName: "Users and groups that are denied access to this computer from the network" , description: "Specifies which users or groups are explicitly prohibited from connecting to the computer across the network." } , defaultValue: "Guests" } , UsersOrGroupsThatMayManageAuditingAndSecurityLog: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may manage auditing and security log" , description: "Specifies users and groups permitted to change the auditing options for files and directories and clear the Security log." } , defaultValue: "Administrators" } , UsersOrGroupsThatMayBackUpFilesAndDirectories: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may back up files and directories" , description: "Specifies users and groups allowed to circumvent file and directory permissions to back up the system." } , defaultValue: "Administrators, Backup Operators" } , UsersOrGroupsThatMayChangeTheSystemTime: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may change the system time" , description: "Specifies which users and groups are permitted to change the time and date on the internal clock of the computer." } , defaultValue: "Administrators, LOCAL SERVICE" } , UsersOrGroupsThatMayChangeTheTimeZone: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may change the time zone" , description: "Specifies which users and groups are permitted to change the time zone of the computer." 
} , defaultValue: "Administrators, LOCAL SERVICE" } , UsersOrGroupsThatMayCreateATokenObject: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may create a token object" , description: "Specifies which users and groups are permitted to create an access token, which may provide elevated rights to access sensitive data." } , defaultValue: "No One" } , UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob: { 3 items type: "String" , metadata: { 2 items displayName: "Users and groups that are denied logging on as a batch job" , description: "Specifies which users and groups are explicitly not permitted to log on to the computer as a batch job (i.e. scheduled task)." } , defaultValue: "Guests" } , UsersAndGroupsThatAreDeniedLoggingOnAsAService: { 3 items type: "String" , metadata: { 2 items displayName: "Users and groups that are denied logging on as a service" , description: "Specifies which service accounts are explicitly not permitted to register a process as a service." } , defaultValue: "Guests" } , UsersAndGroupsThatAreDeniedLocalLogon: { 3 items type: "String" , metadata: { 2 items displayName: "Users and groups that are denied local logon" , description: "Specifies which users and groups are explicitly not permitted to log on to the computer." } , defaultValue: "Guests" } , UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices: { 3 items type: "String" , metadata: { 2 items displayName: "Users and groups that are denied log on through Remote Desktop Services" , description: "Specifies which users and groups are explicitly not permitted to log on to the computer via Terminal Services/Remote Desktop Client." 
} , defaultValue: "Guests" } , UserAndGroupsThatMayForceShutdownFromARemoteSystem: { 3 items type: "String" , metadata: { 2 items displayName: "User and groups that may force shutdown from a remote system" , description: "Specifies which users and groups are permitted to shut down the computer from a remote location on the network." } , defaultValue: "Administrators" } , UsersAndGroupsThatMayRestoreFilesAndDirectories: { 3 items type: "String" , metadata: { 2 items displayName: "Users and groups that may restore files and directories" , description: "Specifies which users and groups are permitted to bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories." } , defaultValue: "Administrators, Backup Operators" } , UsersAndGroupsThatMayShutDownTheSystem: { 3 items type: "String" , metadata: { 2 items displayName: "Users and groups that may shut down the system" , description: "Specifies which users and groups who are logged on locally to the computers in your environment are permitted to shut down the operating system with the Shut Down command." } , defaultValue: "Administrators" } , UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects: { 3 items type: "String" , metadata: { 2 items displayName: "Users or groups that may take ownership of files or other objects" , description: "Specifies which users and groups are permitted to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user." 
} , defaultValue: "Administrators" } } , policyRule: { 2 items if: { 1 item anyOf: [ 2 items { 1 item allOf: [ 2 items { 2 items field: "type" , equals: "Microsoft.Compute/virtualMachines" } , { 1 item anyOf: [ 10 items { 2 items field: "Microsoft.Compute/imagePublisher" , in: [ 7 items "esri" , "incredibuild" , "MicrosoftDynamicsAX" , "MicrosoftSharepoint" , "MicrosoftVisualStudio" , "MicrosoftWindowsDesktop" , "MicrosoftWindowsServerHPCPack" ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Compute/imagePublisher" , equals: "MicrosoftWindowsServer" } , { 2 items field: "Microsoft.Compute/imageSKU" , notLike: "2008*" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Compute/imagePublisher" , equals: "MicrosoftSQLServer" } , { 2 items field: "Microsoft.Compute/imageOffer" , notLike: "SQL2008*" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Compute/imagePublisher" , equals: "microsoft-dsvm" } , { 2 items field: "Microsoft.Compute/imageOffer" , equals: "dsvm-windows" } ] } , { 1 item } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Compute/imagePublisher" , equals: "batch" } , { 2 items field: "Microsoft.Compute/imageOffer" , equals: "rendering-windows2016" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Compute/imagePublisher" , equals: "center-for-internet-security-inc" } , { 2 items field: "Microsoft.Compute/imageOffer" , like: "cis-windows-server-201*" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Compute/imagePublisher" , equals: "pivotal" } , { 2 items field: "Microsoft.Compute/imageOffer" , like: "bosh-windows-server*" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Compute/imagePublisher" , equals: "cloud-infrastructure-services" } , { 2 items field: "Microsoft.Compute/imageOffer" , like: "ad*" } ] } , { 1 item } ] } ] } , { 1 item } ] } , then: { 2 items effect: "deployIfNotExists" , details: { 5 items roleDefinitionIds: [ 1 item 
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" Contributor ] , type: "Microsoft.GuestConfiguration/guestConfigurationAssignments" , name: "AzureBaseline_UserRightsAssignment" , existenceCondition: { 2 items field: "Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash" , equals: 🔍 "[
base64(
concat(
'Access this computer from the network;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'),
',
',
'Allow log on locally;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayLogOnLocally'),
',
',
'Allow log on through Remote Desktop Services;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'),
',
',
'Deny access to this computer from the network;ExpectedValue',
'=',
parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'),
',
',
'Manage auditing and security log;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog'),
',
',
'Back up files and directories;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories'),
',
',
'Change the system time;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayChangeTheSystemTime'),
',
',
'Change the time zone;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayChangeTheTimeZone'),
',
',
'Create a token object;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayCreateATokenObject'),
',
',
'Deny log on as a batch job;ExpectedValue',
'=',
parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'),
',
',
'Deny log on as a service;ExpectedValue',
'=',
parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService'),
',
',
'Deny log on locally;ExpectedValue',
'=',
parameters('UsersAndGroupsThatAreDeniedLocalLogon'),
',
',
'Deny log on through Remote Desktop Services;ExpectedValue',
'=',
parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'),
',
',
'Force shutdown from a remote system;ExpectedValue',
'=',
parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem'),
',
',
'Restore files and directories;ExpectedValue',
'=',
parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories'),
',
',
'Shut down the system;ExpectedValue',
'=',
parameters('UsersAndGroupsThatMayShutDownTheSystem'),
',
',
'Take ownership of files or other objects;ExpectedValue',
'=',
parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')
)
)
]" } , deployment: { 1 item properties: { 3 items mode: "incremental" , parameters: { 21 items vmName: { 1 item } , location: { 1 item value: "[field('location')]" } , type: { 1 item } , configurationName: { 1 item value: "AzureBaseline_UserRightsAssignment" } , UsersOrGroupsThatMayAccessThisComputerFromTheNetwork: { 1 item value: "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]" } , UsersOrGroupsThatMayLogOnLocally: { 1 item value: "[parameters('UsersOrGroupsThatMayLogOnLocally')]" } , UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices: { 1 item value: "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]" } , UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork: { 1 item value: "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]" } , UsersOrGroupsThatMayManageAuditingAndSecurityLog: { 1 item value: "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]" } , UsersOrGroupsThatMayBackUpFilesAndDirectories: { 1 item value: "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]" } , UsersOrGroupsThatMayChangeTheSystemTime: { 1 item value: "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]" } , UsersOrGroupsThatMayChangeTheTimeZone: { 1 item value: "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]" } , UsersOrGroupsThatMayCreateATokenObject: { 1 item value: "[parameters('UsersOrGroupsThatMayCreateATokenObject')]" } , UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob: { 1 item value: "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]" } , UsersAndGroupsThatAreDeniedLoggingOnAsAService: { 1 item value: "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]" } , UsersAndGroupsThatAreDeniedLocalLogon: { 1 item value: "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]" } , UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices: { 1 item value: "[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]" } , 
UserAndGroupsThatMayForceShutdownFromARemoteSystem: { 1 item value: "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]" } , UsersAndGroupsThatMayRestoreFilesAndDirectories: { 1 item value: "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]" } , UsersAndGroupsThatMayShutDownTheSystem: { 1 item value: "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]" } , UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects: { 1 item value: "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]" } } , template: { 4 items $schema: "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#" , contentVersion: "1.0.0.0" , parameters: { 21 items vmName: { 1 item } , location: { 1 item } , type: { 1 item } , configurationName: { 1 item } , UsersOrGroupsThatMayAccessThisComputerFromTheNetwork: { 1 item } , UsersOrGroupsThatMayLogOnLocally: { 1 item } , UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices: { 1 item } , UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork: { 1 item } , UsersOrGroupsThatMayManageAuditingAndSecurityLog: { 1 item } , UsersOrGroupsThatMayBackUpFilesAndDirectories: { 1 item } , UsersOrGroupsThatMayChangeTheSystemTime: { 1 item } , UsersOrGroupsThatMayChangeTheTimeZone: { 1 item } , UsersOrGroupsThatMayCreateATokenObject: { 1 item } , UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob: { 1 item } , UsersAndGroupsThatAreDeniedLoggingOnAsAService: { 1 item } , UsersAndGroupsThatAreDeniedLocalLogon: { 1 item } , UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices: { 1 item } , UserAndGroupsThatMayForceShutdownFromARemoteSystem: { 1 item } , UsersAndGroupsThatMayRestoreFilesAndDirectories: { 1 item } , UsersAndGroupsThatMayShutDownTheSystem: { 1 item } , UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects: { 1 item } } , resources: [ 4 items { 6 items condition: 🔍 "[
equals(
toLower(
parameters('type')
),
toLower(
'microsoft.hybridcompute/machines'
)
)
]", apiVersion: "2018-11-20" , type: "Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments" , name: 🔍 "[
concat(
parameters('vmName'),
'/Microsoft.GuestConfiguration/',
parameters('configurationName')
)
]", location: "[parameters('location')]" , properties: { 1 item guestConfiguration: { 3 items name: "[parameters('configurationName')]" , version: "1.*" , configurationParameter: [ 17 items { 2 items name: "Access this computer from the network;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]" } , { 2 items name: "Allow log on locally;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayLogOnLocally')]" } , { 2 items name: "Allow log on through Remote Desktop Services;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]" } , { 2 items name: "Deny access to this computer from the network;ExpectedValue" , value: "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]" } , { 2 items name: "Manage auditing and security log;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]" } , { 2 items name: "Back up files and directories;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]" } , { 2 items name: "Change the system time;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]" } , { 2 items name: "Change the time zone;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]" } , { 2 items name: "Create a token object;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayCreateATokenObject')]" } , { 2 items name: "Deny log on as a batch job;ExpectedValue" , value: "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]" } , { 2 items name: "Deny log on as a service;ExpectedValue" , value: "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]" } , { 2 items name: "Deny log on locally;ExpectedValue" , value: "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]" } , { 2 items name: "Deny log on through Remote Desktop Services;ExpectedValue" , value: 
"[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]" } , { 2 items name: "Force shutdown from a remote system;ExpectedValue" , value: "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]" } , { 2 items name: "Restore files and directories;ExpectedValue" , value: "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]" } , { 2 items name: "Shut down the system;ExpectedValue" , value: "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]" } , { 2 items name: "Take ownership of files or other objects;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]" } ] } } } , { 6 items condition: 🔍 "[
equals(
toLower(
parameters('type')
),
toLower(
'Microsoft.Compute/virtualMachines'
)
)
]", apiVersion: "2018-11-20" , type: "Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments" , name: 🔍 "[
concat(
parameters('vmName'),
'/Microsoft.GuestConfiguration/',
parameters('configurationName')
)
]", location: "[parameters('location')]" , properties: { 1 item guestConfiguration: { 3 items name: "[parameters('configurationName')]" , version: "1.*" , configurationParameter: [ 17 items { 2 items name: "Access this computer from the network;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]" } , { 2 items name: "Allow log on locally;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayLogOnLocally')]" } , { 2 items name: "Allow log on through Remote Desktop Services;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]" } , { 2 items name: "Deny access to this computer from the network;ExpectedValue" , value: "[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]" } , { 2 items name: "Manage auditing and security log;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]" } , { 2 items name: "Back up files and directories;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]" } , { 2 items name: "Change the system time;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]" } , { 2 items name: "Change the time zone;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]" } , { 2 items name: "Create a token object;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayCreateATokenObject')]" } , { 2 items name: "Deny log on as a batch job;ExpectedValue" , value: "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]" } , { 2 items name: "Deny log on as a service;ExpectedValue" , value: "[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]" } , { 2 items name: "Deny log on locally;ExpectedValue" , value: "[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]" } , { 2 items name: "Deny log on through Remote Desktop Services;ExpectedValue" , value: 
"[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]" } , { 2 items name: "Force shutdown from a remote system;ExpectedValue" , value: "[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]" } , { 2 items name: "Restore files and directories;ExpectedValue" , value: "[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]" } , { 2 items name: "Shut down the system;ExpectedValue" , value: "[parameters('UsersAndGroupsThatMayShutDownTheSystem')]" } , { 2 items name: "Take ownership of files or other objects;ExpectedValue" , value: "[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]" } ] } } } , { 6 items condition: 🔍 "[
equals(
toLower(
parameters('type')
),
toLower(
'Microsoft.Compute/virtualMachines'
)
)
]", apiVersion: "2019-07-01" , type: "Microsoft.Compute/virtualMachines" , identity: { 1 item } , name: "[parameters('vmName')]" , location: "[parameters('location')]" } , { 7 items condition: 🔍 "[
equals(
toLower(
parameters('type')
),
toLower(
'Microsoft.Compute/virtualMachines'
)
)
]", apiVersion: "2019-07-01" , name: 🔍 "[
concat(
parameters('vmName'),
'/AzurePolicyforWindows'
)
]", type: "Microsoft.Compute/virtualMachines/extensions" , location: "[parameters('location')]" , properties: { 6 items publisher: "Microsoft.GuestConfiguration" , type: "ConfigurationforWindows" , typeHandlerVersion: "1.1" , autoUpgradeMinorVersion: true , settings : {} , protectedSettings : {} } , dependsOn: [ 1 item 🔍 "[
concat(
'Microsoft.Compute/virtualMachines/',
parameters('vmName'),
'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',
parameters('configurationName')
)
]"] } ] } } } } } } }