Framework/Configurations/SVT/ADO/ADO.Organization.json
{
"FeatureName": "Organization", "Reference": "aka.ms/azsktcp/Organization", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "ADO_Organization_AuthN_Use_AAD_Auth", "Description": "Organization must be configured to authenticate users using Azure Active Directory backed credentials.", "Id": "Organization110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAADConfiguration", "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All enterprise organizations are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise organizations.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops#connect-your-organization-to-azure-ad", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthN_Disable_Guest_Users", "Description": "Do not enable access for external users in your organization.", "Id": "Organization120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckExternalUserPolicy", "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a organization subject your assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities. They don't have multi-factor authentication enabled.", "Recommendation": "1. Go to Organization Settings --> 2. Security --> 3. Policies --> 4. User Policies --> 5. Turn 'Off' external guest access", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_DP_Dont_Allow_Public_Projects", "Description": "Public projects should be turned off for your organization.", "Id": "Organization130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicProjectPolicy", "Rationale": "Data/content in projects that have anonymous access can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data/assets.", "Recommendation": "1. Go to Organization Settings --> 2. Security --> 3. Policies --> 4. Security Policies --> 5. Turn 'Off' allow public projects", "Tags": [ "SDL", "TCP", "Automated", "DP", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Review_Guest_Members", "Description": "Justify all guest members that have been granted access to your organization.", "Id": "Organization140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckGuestIdentities", "Rationale": "Guest user accounts are not carefully managed and governed. If these accounts have admin access then a compromised account can be easily leveraged to access arbitrary resources in the organization.", "Recommendation": "1. Go to Organization Settings --> 2. Users --> 3. Apply Guest filter under 'AAD User Type' filter --> 4. Validate and remove all unintended guest users present.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_SI_Review_Installed_Extensions", "Description": "Carefully review all extensions enabled for your organization.", "Id": "Organization150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ValidateInstalledExtensions", "Rationale": "Running extensions from untrusted source can lead to all type of attacks and loss of sensitive enterprise data/assets.", "Recommendation": "1. Go to Organization Settings --> 2. Extensions --> 3. Review all installed extensions in organization. (You can use '-DetailedScan' switch to scan this control to get more info about each extension to support your review. e.g., GADS -oz '<org-name>' -cids 'ADO_Organization_SI_Review_Installed_Extensions' -DetailedScan)", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "ADO_Organization_SI_Review_Shared_Extensions", "Description": "Exercise due care when installing (private) shared extensions for your organization.", "Id": "Organization160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ValidateSharedExtensions", "Rationale": "Shared extensions can be risky because they might undergo even lesser scrutiny from a security standpoint.", "Recommendation": "1. Go to Organization Settings --> 2. Extensions --> 3. Review all shared extensions in organization. (You can use '-DetailedScan' switch to scan this control to get more info about each extension to support your review. e.g., GADS -oz '<org-name>' -cids 'ADO_Organization_SI_Review_Shared_Extensions' -DetailedScan)", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Review_Extension_Managers", "Description": "Review the set of users who have permission to manage extensions.", "Id": "Organization170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckExtensionManagers", "Rationale": "Users with extension manager role can install/manage extensions for the organization. By carefully reviewing and removing users that shouldn't be in this role, you can avoid attacks if those user accounts are compromised.", "Recommendation": "1. Go to Organization Settings --> 2. Extensions --> 3. Security --> 4. Review indentities with manager role assigned.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Review_Inactive_Users", "Description": "Consider revoking access for inactive users in your organization.", "Id": "Organization180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckInactiveUsers", "Rationale": "Each additional person having access at organization level increases the attack surface for the entire resources. To minimize this risk ensure that critical resources present in organization are accessed only by the legitimate users when required.", "Recommendation": "Go to Organization Settings --> Users --> Filter last access column with never accessed users or not accessed over long period", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Remove_Disconnected_Accounts", "Description": "Remove access for users whose accounts have been deleted/disconnected from Azure Active Directory.", "Id": "Organization190", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDisconnectedIdentities", "Rationale": "Cleaning up/removing RBAC entries for users who have left the organization is a good security hygiene practice.", "Recommendation": "1. Go to Organization Settings --> 2. Azure Active Directory --> 3. If you are an org admin, you will see a notification for disconnected users on AD --> 4. If the disconnected users are no longer needed, delete them. Otherwise click on 'Resolve' and follow the instructions to map the disconnected users to existing identities.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Review_Group_Members", "Description": "Review membership of all organization level privileged groups and teams.", "Id": "Organization210", "ControlSeverity": "High", "Automated": "No", "MethodName": "JustifyGroupMember", "Rationale": "Accounts that are a member of these groups without a legitimate business reason increase the risk for your Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised.", "Recommendation": "Go to Organization Settings --> Permissions --> Groups --> Validate members of each group", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "ADO_Organization_Audit_Configure_Critical_Alerts", "Description": "Alerts must be configured for critical actions on Organization", "Id": "Organization220", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Alerts notify the configured security point of contact about various sensitive activities on the Organization and its resources (for instance, external Extensions have been installed/modified etc.)", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/notifications/concepts-events-and-notifications?view=vsts", "Tags": [ "SDL", "TCP", "Manual", "Audit" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Dont_Use_Svc_Accounts", "Description": "Service accounts cannot support MFA and should not be used for organization activity.", "Id": "Organization230", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Service accounts are typically not multi-factor authentication capable. Quite often, teams who own these accounts don't exercise due care (e.g., someone may login interactively on servers using a service account exposing their credentials to attacks such as pass-the-hash, phishing, etc.) As a result, using service accounts in any privileged role in ADO exposes the Organization data to 'credential theft'-related attack vectors. (In effect, the Organization data becomes accessible after just one factor (password) is compromised...this defeats the whole purpose of imposing the MFA requirement for Organizations.)", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/notifications/concepts-events-and-notifications?view=vsts", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthN_Use_ALT_Accounts", "Description": "Alternate (ALT) accounts should be used from Secure Admin Workstation (SAW) for privileged organization roles.", "Id": "Organization240", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Corporate accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g., browsing the web, clicking on email links, etc.). A user account that gets compromised (say via a phishing attack) immediately subjects the entire Azure DevOps organization to risk if it is privileged with critical roles in the organization. Use of smartcard-backed alternate (SC-ALT) accounts instead protects the organization from this risk.", "Recommendation": "Go to Organization Settings --> Users --> Review whether each user is added via SC-ALT account.", "Tags": [ "SDL", "TCP", "Manual", "AuthN" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthN_Use_ALT_Accounts_For_Admin", "Description": "Alternate (ALT) accounts must be used for administrative activity at organization scope.", "Id": "Organization250", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSCALTForAdminMembers", "Rationale": "Corporate accounts are subject to a lot of credential theft attacks due to various activities that a user conducts using such accounts (e.g., browsing the web, clicking on email links, etc.). A user account that gets compromised (say via a phishing attack) immediately subjects the entire Azure DevOps organization to risk if it is privileged with critical roles in the organization. Use of smartcard-backed alternate (SC-ALT) accounts instead protects the organization from this risk.", "Recommendation": "1. Go to Organization Settings --> 2. Security --> 3. Review whether each user in administrator groups is added via SC-ALT account.", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Review_Project_Collection_Service_Accounts", "Description": "Review and minimize accounts that are members of the Project Collection Service Accounts group.", "Id": "Organization260", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPrjCollSvcAcc", "Rationale": "Any accounts that are members of Project Collection Service Accounts are effectively Project Collection Administrators. If an adversary compromises one of these accounts they can take over the entire ADO organization.", "Recommendation": "1. Go to Organization Settings --> 2. Security --> 3. Permissions --> 4. Project Collection Service Accounts --> 5. Validate all the members.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_SI_Review_Auto_Injected_Extensions", "Description": "Set of auto-injected pipeline tasks should be carefully scrutinized.", "Id": "Organization270", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAutoInjectedExtensions", "Rationale": "Auto-injected pipeline tasks will run in every pipeline. If an attacker can change/influence the task logic/code, it can have catastrophic consequences for the entire organization.", "Recommendation": "1. Go to Organization Settings --> 2. Extensions --> 3. Review the list of auto-injected extensions. (You can use '-DetailedScan' switch to scan this control to get more info about each extension to support your review. e.g., GADS -oz '<org-name>' -cids 'ADO_Organization_SI_Review_Auto_Injected_Extensions' -DetailedScan)", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Verify_Enterprise_Access_To_Projects", "Description": "Consider disabling enterprise access to projects in your organization.", "Id": "Organization280", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckEnterpriseAccess", "Rationale": "If enterprise access to projects is enabled, data/content in enterprise projects can be viewed/downloaded by anyone within the organization. This can lead to a compromise of sensitive corporate data.", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Security policies --> Disable 'Enterprise access to projects'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Enable_AAD_Conditional_Access_Policy", "Description": "Consider enabling AAD conditional access policy for your organization.", "Id": "Organization290", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckCAP", "Rationale": "Enabling AAD conditional access policy helps manage organization restrictions on security group membership, location and network identity, specific operating system and enabled device in a management system.", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Security policies --> Enable 'Azure Active Directory Conditional Access Policy Validation'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_DP_Disable_Anonymous_Access_To_Badges", "Description": "Disable anonymous access to status badge API for parallel pipelines.", "Id": "Organization300", "ControlSeverity": "Low", "Automated": "Yes", "MethodName": "CheckBadgeAnonAccess", "Rationale": "Information that appears in the status badge API response should be hidden from external users.", "Recommendation": "Go to Organization Settings --> Pipelines --> Settings --> Turn on 'Disable anonymous access to badges'.", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "ADO_Organization_SI_Limit_Variables_Settable_At_Queue_Time", "Description": "Allow queue time changes only to pipeline variables explicitly marked as settable.", "Id": "Organization310", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSettableQueueTime", "Rationale": "By default a pipeline user can set any variables at queue time unless this option is enabled. Enabling this setting enforces that variables must be explicitly marked settable at queue-time as needed.", "Recommendation": "1. Go to Organization Settings --> 2. Pipelines --> 3. Settings --> 4. Enable 'Limit variables that can be set at queue time'.", "Tags": [ "SDL", "TCP", "Automated", "SI", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Limit_Non_Release_Pipeline_Scope", "Description": "Limit scope of access for non-release pipelines to the current project.", "Id": "Organization320", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckJobAuthZScope", "Rationale": "If the authorization scope of non-release pipelines is not limited to current project, an attacker can build a pipeline from a different (less sensitive project) to access resources in a target (more sensitive) project. This also in keeping with the principle of least privilege.", "Recommendation": "1. Go to Organization Settings -->2. Pipelines -->3. Settings -->4. Enable 'Limit job authorization scope to current project for non-release pipelines'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Limit_Release_Pipeline_Scope", "Description": "Limit scope of access for release pipelines to the current project.", "Id": "Organization330", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckJobAuthZReleaseScope", "Rationale": "If the authorization scope of release pipelines is not limited to current project, an attacker can build a pipeline from a different (less sensitive project) to access resources in a target (more sensitive) project. This also in keeping with the principle of least privilege.", "Recommendation": "1. Go to Organization Settings --> 2. Pipelines --> 3. Settings --> 4. Enable 'Limit job authorization scope to current project for release pipelines'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Limit_Pipeline_Scope_To_Referenced_Repos", "Description": "Limit scope of access for pipelines to explicitly referenced Azure DevOps repositories.", "Id": "Organization340", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAuthZRepoScope", "Rationale": "If the authorization scope of pipelines is not limited to referenced repos, an attacker can create a pipeline that can access sensitive repos within the project. This is in keeping with the principle of least privilege.", "Recommendation": "1. Go to Organization Settings --> 2. Pipeline Settings --> 3. Enable 'Protect access to repositories in YAML pipelines'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Review_Invite_Users_Setting", "Description": "Review if project and team admins should be allowed to invite new users.", "Id": "Organization350", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckPolicyProjectTeamAdminUserInvitation", "Rationale": "By default, all administrators can invite new users to Azure DevOps. In some environments, you may want to restrict this setting so that new users can be invited only by organization admins.", "Recommendation": "Go to Organization Settings --> Policy --> User Policy --> Disable 'Allow team and project administrators to invite new users'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_Backup_Audit_Logs", "Description": "Backup audit logs to an external location periodically.", "Id": "Organization360", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "By default, ADO keeps audit logs for 90 days. Most sensitive operation logs should be retained for 365 days (Auditing contains many changes that occur throughout an Azure DevOps organization. Changes occur when a user or service identity within the organization edits the state of an artifact. In some limited cases, it can also include accessing an artifact. Think permissions changes, resource deletion, branch policy changes, accessing the auditing feature, and much more.).", "Recommendation": "Go to Organization Settings --> Auditing --> Export log", "Tags": [ "SDL", "TCP", "Manual", "Audit" ], "Enabled": true }, { "ControlID": "ADO_Organization_Enable_Audit_Stream", "Description": "Enable audit streaming to support alerting, monitoring and analysis of audit logs over longer periods.", "Id": "Organization370", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAuditStream", "Rationale": "Enabling audit streaming sends data to other locations for further processing. Sending auditing data to other Security Incident and Event Management (SIEM) tools opens possibilities, such as alerting on specific auditing events, creating views on auditing data, and performing anomaly detection. It also allows you to store more than 90 days of auditing data.", "Recommendation": "1. Go to Organization Settings --> 2. Auditing --> 3. Streams -> 4. New Stream -> 5. Configure at least one of the streaming service. (If at least one stream is already configured, ensure it is enabled.)", "Tags": [ "SDL", "TCP", "Automated", "Audit", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Limit_Admin_Count", "Description": "Ensure that there are at most $($this.ControlSettings.Organization.MaxPCAMembersPermissible) project collection administrators in your organization.", "Id": "Organization380", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckMaxPCACount", "Rationale": "Each additional person in the administrator role increases the attack surface for the entire organization (if an admin's account is compromised via phishing attack). The number of members in these roles should be kept to as low as possible.", "Recommendation": "1. Go to Organization settings --> 2. Security --> 3. Permissions --> 4. Groups --> 5. Select the group : Project Collection Administrators --> 6. Remove redundant/unwanted members from the group.", "Tags": [ "SDL", "AuthZ", "Automated", "Best Practice" ], "Enabled": true }, { "ControlID": "ADO_Organization_BCDR_Min_Admin_Count", "Description": "Ensure that there are at least $($this.ControlSettings.Organization.MinPCAMembersPermissible) project collection administrators in your organization.", "Id": "Organization390", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckMinPCACount", "Rationale": "Having at least the minimum required number of administrators reduces the risk of losing admin access. This is useful in case of breakglass scenarios.", "Recommendation": "1. Go to Organization settings --> 2. Security --> 3. Permissions --> 4. Groups --> 5. Select the group : Project Collection Administrators --> 6. Add additional members to this group", "Tags": [ "SDL", "BCDR", "Automated", "Best Practice" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Disable_OAuth_App_Access", "Description": "Third-party application access via OAuth should be disabled.", "Id": "Organization400", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckOAuthAppAccess", "Rationale": "Malicious ADO OAuth applications can be used to phish ADO admins or users. OAuth app access should be disabled if your organization does not use any third-party OAuth application.", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Application connection policies --> Disable 'Third-party application access via OAuth'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_SI_Review_Requested_Extensions", "Description": "Carefully review requested extensions for your organization.", "Id": "Organization410", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ValidateRequestedExtensions", "Rationale": "Approving and running extensions from untrusted source can lead to all type of attacks and loss of sensitive enterprise data.", "Recommendation": "1. Go to Organization Settings --> 2. Extensions --> 3. Review all the pending requested extensions in organization.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthN_Disable_SSH_Access", "Description": "Connecting to Git repos via SSH should be disabled.", "Id": "Organization420", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSSHAuthN", "Rationale": "Malicious SSH connections to ADO repos can be used to extract sensitive code/content leading to compromise of corporate data.", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Application connection policies --> Disable 'SSH Authentication'.", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Remove_Inactive_Guest_Users", "Description": "Remove access for inactive guest users from your organization.", "Id": "Organization430", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckInactiveGuestUsers", "Rationale": "Guest accounts present at any scope within an organization subject your assets to undue risk. These accounts are not managed to the same standards as native enterprise identities. They don't have multi-factor authentication enabled, etc. Even where needed for business purposes, such accounts should be promptly removed if they have not been active for a specified period.", "Recommendation": "1. Go to Organization Settings --> 2. Users --> 3. Filter 'AAD User Type' as 'Guest' --> 4. Remove users with 'last access column' showing not accessed over specific number of days.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Revoke_Admin_Access_for_Guest_Users", "Description": "Remove guest users from administrative roles in your organization.", "Id": "Organization440", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckGuestUsersAccessInAdminRoles", "Rationale": "Guest user accounts are not carefully managed and governed. If these accounts have admin access then a compromised account can be easily leveraged to access arbitrary resources in the organization.", "Recommendation": "1. Go to Organization Settings --> 2. Permissions --> 3. Search for Collection group of the guest user --> 4. Go to members tab --> 5. Remove its access by clicking on three dots against its row.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Revoke_Admin_Access_for_Inactive_Users", "Description": "Remove inactive users from administrative roles in your organization.", "Id": "Organization450", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckInactiveUsersInAdminRoles", "Rationale": "Inactive users in administrative roles provide opportunities for hackers to leverage credential harvesting attacks to gain admin access. It is best to restrict critical roles in the organization to active members only.", "Recommendation": "1. Go to Organization Settings --> 2. Permissions --> 3. Search for Collection group of the inactive user --> 4. Go to members tab --> 5. Remove its access by clicking on three dots against its row.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Disable_Request_Access", "Description": "Disable request access policy in your organization.", "Id": "Organization460", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRequestAccessPolicy", "Rationale": "Access to the ADO instance should be allowed by only joining standard groups set up the respective teams while onboarding. If the setting is on, an admin may hurriedly grant access to a potentially a malicious user who can use this to access the instance and laterally move around groups, bypassing the designed security model.", "Recommendation": "1. Go to Organization Settings --> 2. Security --> 3. Policies --> 4. Under 'User Policies' disable 'Request Access'", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Restrict_Broader_Group_Access_on_Feed", "Description": "Do not allow feeds to inherit excessive permissions for a broad group of users at organization level.", "Id": "Organization470", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBroaderGroupInheritanceSettingsForFeed", "Rationale": "If a broad group (e.g., Contributors) is configured with excessive permissions at a organization level, they are inherited by individual feeds and can not be removed at individual feed level regardless of role. The integrity of feeds can be compromised by a malicious user from such groups.", "Recommendation": "1. Go to Artifacts --> 2. Azure artifacts settings --> 3. Ensure broader groups do not have access to administer feeds. Refer to detailed scan log (Organization.LOG) for broader group list.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_AuthZ_Restrict_Feed_Create_Permission", "Description": "Allow only limited group of users permission to create feeds in the organization.", "Id": "Organization480", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCreatePermissionsForFeed", "Rationale": "If everyone in the organization is granted permission to create feeds, it leads to poor governance and high possibility of attacks that leverage tampering with feeds to impact downstream consumers.", "Recommendation": "1. Go to Artifacts --> 2. Azure artifacts settings --> 3. Ensure 'Who can create feeds' is not set to 'Everyone in this organization can create feeds', instead grant this permission to specific/limited set of users/groups.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_SI_Protect_Private_Feeds_Impersonation", "Description": "Enable protection from externally sourced packages in Azure Artifacts feeds.", "Id": "Organization490", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckExtPkgProtectionPolicy", "Rationale": "Enabling this setting provides an additional layer of security by preventing malicious packages from a public registry being inadvertently consumed. This secures your private feed by limiting access to externally sourced packages. If not set, an attacker can publish a malicious (newer) version of an internal feed package and get it to be consumed by unsuspecting users/pipelines.", "Recommendation": "1. Go to Organization Settings --> 2. Security --> 3. Policies --> 4. Under 'Security Policies' enable 'Additional protections when using public package registries'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "MSW", "AutomatedFix" ], "Enabled": true }, { "ControlID": "ADO_Organization_DP_Disable_Creation_Of_Classic_Pipeline", "Description": "Disable the creation of classic build and classic release pipelines.", "Id": "Organization500", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDisableCreationOfClassicPipelines", "Rationale": "Classic pipelines have been deprecated. YAML pipelines provide better pipeline security with their ability to allow developers to review pipeline code, better resource access management through approvals and checks and support for runtime parameters to avoid multiple security issues. Disabling creation of classic pipelines ensure that developers get to work with most secure options in the environment without worrying about security of their classic pipelines.", "Recommendation": "1.Go to Organization Settings --> 2.Pipelines --> 3.Settings --> 4.Enable 'Disable creation of classic build and classic release pipelines.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "Baseline", "DP" ], "Enabled": true } ] } |