Framework/Configurations/SVT/ADO/ADO.User.json

{
  "FeatureName": "User",
  "Reference": "aka.ms/azsktcp/user",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "ADO_User_AuthZ_PAT_Min_Access",
      "Description": "Personal access tokens (PAT) must be defined with minimum required permissions to resources",
      "Id": "User110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPATAccessLevel",
      "Rationale": "Granting minimum access ensures that PAT is granted with just enough permissions to perform required tasks. This minimizes exposure of the resources in case of PAT compromise.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=vsts#revoke-personal-access-tokens-to-remove-access",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_User_AuthZ_Minimal_Token_Validity",
      "Description": "Personal access tokens (PAT) must have a shortest possible validity period",
      "Id": "User120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "ValidatePATExpiryPeriod",
      "Rationale": "If a personal access token (PAT) gets compromised, the Azure DevOps assets accessible to the user can be accessed/manipulated by unauthorized users. Minimizing the validity period of the PAT ensures that the window of time available to an attacker in the event of compromise is small.",
      "Recommendation": "Go to User Profile --> Security --> Personal Access Token --> Validate expiry periods of PAT",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_User_AuthZ_Review_Token_Expiration",
      "Description": "Personal access tokens (PAT) near expiry should be renewed.",
      "Id": "User130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPATExpiration",
      "Rationale": "Personal access tokens (PAT) near expiry should be renewed.",
      "Recommendation": "Go to User Profile --> Security --> Personal Access Token --> Edit",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_User_AuthN_Disable_Alternate_Credentials",
      "Description": "Alternate credentials must be disabled",
      "Id": "User140",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckAltCred",
      "Rationale": "Alternate credential allows user to create username and password to access your Git repository.Login with these credentials doesn't expire and can't be scoped to limit access to your Azure DevOps Services data.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/repos/git/auth-overview?view=vsts#alternate-credentials",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_User_AuthZ_Dont_Use_All_Orgs_PAT",
      "Description": "Do not use personal access tokens (PATs) that are scoped across multiple organizations.",
      "Id": "User150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPATOrgAccess",
      "Rationale": "If a personal access token (PAT) gets compromised, the Azure DevOps assets accessible to the user can be accessed/manipulated by unauthorized users. Restricting the access to individual organizations reduces the exposure of resources to just the organization in an event of compromise.",
      "Recommendation": "Go to User Profile --> Security --> Personal Access Token --> Revoke PATs that have access to all organizations.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_User_AuthZ_Dont_Grant_Critical_Permissions_To_PAT",
      "Description": "Do not use personal access tokens (PATs) that have critical permissions on the organization unless required.",
      "Id": "User160",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckPATCriticalPermissions",
      "Rationale": "Granting minimum access ensures that PAT is granted with just enough permissions to perform required tasks. This minimizes exposure of the resources in case of PAT compromise.",
      "Recommendation": "Go to User Profile --> Security --> Personal Access Token --> click Edit -> Select only required access scopes.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    }
  ]
}