Add Entra Domain Service rules #2837 (#2838)

.vscode/settings.json

@@ -95,6 +95,7 @@
     "NOTEQUALS",
     "NOTIN",
     "NSGs",
+    "NTLM",
     "OWASP",
     "Peerings",
     "POLICYDEFINITIONID",

docs/CHANGELOG-v1.md

@@ -35,6 +35,14 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 What's changed since pre-release v1.36.0-B0046:
 
+- New rules:
+  - Entra Domain Services:
+    - Check that instances use a minimum version of NTLM by @BernieWhite.
+      [#2837](https://github.com/Azure/PSRule.Rules.Azure/issues/2837)
+    - Check that instances use a minimum version of TLS by @BernieWhite.
+      [#2837](https://github.com/Azure/PSRule.Rules.Azure/issues/2837)
+    - Check that instances do not use RC4 encryption by @BernieWhite.
+      [#2837](https://github.com/Azure/PSRule.Rules.Azure/issues/2837)
 - General improvements:
   - **Important change**: Deprecated rules with no clear WAF alignment by @BernieWhite.
     [#2493](https://github.com/Azure/PSRule.Rules.Azure/issues/2493)

docs/en/rules/Azure.EntraDS.NTLM.md

@@ -0,0 +1,83 @@
+---
+reviewed: 2024-04-27
+severity: Critical
+pillar: Security
+category: SE:07 Encryption
+resource: Entra Domain Services
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.EntraDS.NTLM/
+---
+
+# Disable NTLM v1
+
+## SYNOPSIS
+
+Disable NTLM v1 for Microsoft Entra Domain Services.
+
+## DESCRIPTION
+
+By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as NTLM v1.
+These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.
+
+## RECOMMENDATION
+
+Consider disabling NTLM v1 which is considered weak and can be disabled if not required.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy domains that pass this rule:
+
+- Set the `properties.domainSecuritySettings.ntlmV1` property to `Disabled`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.AAD/domainServices",
+  "apiVersion": "2022-12-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "ldapsSettings": {
+      "ldaps": "Enabled"
+    },
+    "domainSecuritySettings": {
+      "ntlmV1": "Disabled",
+      "tlsV1": "Disabled",
+      "kerberosRc4Encryption": "Disabled"
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy domains that pass this rule:
+
+- Set the `properties.domainSecuritySettings.ntlmV1` property to `Disabled`.
+
+For example:
+
+```bicep
+resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
+  name: name
+  location: location
+  properties: {
+    ldapsSettings: {
+      ldaps: 'Enabled'
+    }
+    domainSecuritySettings: {
+      ntlmV1: 'Disabled'
+      tlsV1: 'Disabled'
+      kerberosRc4Encryption: 'Disabled'
+    }
+  }
+}
+```
+
+## LINKS
+
+- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption)
+- [Harden a Microsoft Entra Domain Services managed domain](https://learn.microsoft.com/entra/identity/domain-services/secure-your-domain)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.aad/domainservices)

docs/en/rules/Azure.EntraDS.RC4.md

@@ -0,0 +1,83 @@
+---
+reviewed: 2024-04-27
+severity: Critical
+pillar: Security
+category: SE:07 Encryption
+resource: Entra Domain Services
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.EntraDS.RC4/
+---
+
+# Disable RC4 encryption
+
+## SYNOPSIS
+
+Disable RC4 encryption for Microsoft Entra Domain Services.
+
+## DESCRIPTION
+
+By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as RC4.
+These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.
+
+## RECOMMENDATION
+
+Consider disabling RC4 encryption which is considered weak and can be disabled if not required.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy domains that pass this rule:
+
+- Set the `properties.domainSecuritySettings.kerberosRc4Encryption` property to `Disabled`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.AAD/domainServices",
+  "apiVersion": "2022-12-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "ldapsSettings": {
+      "ldaps": "Enabled"
+    },
+    "domainSecuritySettings": {
+      "ntlmV1": "Disabled",
+      "tlsV1": "Disabled",
+      "kerberosRc4Encryption": "Disabled"
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy domains that pass this rule:
+
+- Set the `properties.domainSecuritySettings.kerberosRc4Encryption` property to `Disabled`.
+
+For example:
+
+```bicep
+resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
+  name: name
+  location: location
+  properties: {
+    ldapsSettings: {
+      ldaps: 'Enabled'
+    }
+    domainSecuritySettings: {
+      ntlmV1: 'Disabled'
+      tlsV1: 'Disabled'
+      kerberosRc4Encryption: 'Disabled'
+    }
+  }
+}
+```
+
+## LINKS
+
+- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption)
+- [Harden a Microsoft Entra Domain Services managed domain](https://learn.microsoft.com/entra/identity/domain-services/secure-your-domain)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.aad/domainservices)

docs/en/rules/Azure.EntraDS.TLS.md

@@ -0,0 +1,86 @@
+---
+reviewed: 2024-04-27
+severity: Critical
+pillar: Security
+category: SE:07 Encryption
+resource: Entra Domain Services
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.EntraDS.TLS/
+---
+
+# Disable TLS v1
+
+## SYNOPSIS
+
+Disable TLS v1 for Microsoft Entra Domain Services.
+
+## DESCRIPTION
+
+By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as TLS v1.
+These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.
+
+Older TLS versions such as 1.0 and 1.1 are no longer considered secure by industry standards, such as PCI DSS.
+
+## RECOMMENDATION
+
+Consider disabling TLS v1 which is considered weak and can be disabled if not required.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy domains that pass this rule:
+
+- Set the `properties.domainSecuritySettings.tlsV1` property to `Disabled`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.AAD/domainServices",
+  "apiVersion": "2022-12-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "ldapsSettings": {
+      "ldaps": "Enabled"
+    },
+    "domainSecuritySettings": {
+      "ntlmV1": "Disabled",
+      "tlsV1": "Disabled",
+      "kerberosRc4Encryption": "Disabled"
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy domains that pass this rule:
+
+- Set the `properties.domainSecuritySettings.tlsV1` property to `Disabled`.
+
+For example:
+
+```bicep
+resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
+  name: name
+  location: location
+  properties: {
+    ldapsSettings: {
+      ldaps: 'Enabled'
+    }
+    domainSecuritySettings: {
+      ntlmV1: 'Disabled'
+      tlsV1: 'Disabled'
+      kerberosRc4Encryption: 'Disabled'
+    }
+  }
+}
+```
+
+## LINKS
+
+- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption)
+- [Harden a Microsoft Entra Domain Services managed domain](https://learn.microsoft.com/entra/identity/domain-services/secure-your-domain)
+- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-active-directory-domain-services-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.aad/domainservices)

docs/examples-entrads.bicep

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+targetScope = 'resourceGroup'
+
+@sys.description('The name of the resource.')
+param name string
+
+@sys.description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Bicep documentation examples
+
+// Configure a hardened Entra Domain Services instance.
+resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
+  name: name
+  location: location
+  properties: {
+    ldapsSettings: {
+      ldaps: 'Enabled'
+    }
+    domainSecuritySettings: {
+      ntlmV1: 'Disabled'
+      tlsV1: 'Disabled'
+      kerberosRc4Encryption: 'Disabled'
+    }
+  }
+}

docs/examples-entrads.json

@@ -0,0 +1,44 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.26.170.59819",
+      "templateHash": "11147541802368036352"
+    }
+  },
+  "parameters": {
+    "name": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the resource."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The location resources will be deployed."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.AAD/domainServices",
+      "apiVersion": "2022-12-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "ldapsSettings": {
+          "ldaps": "Enabled"
+        },
+        "domainSecuritySettings": {
+          "ntlmV1": "Disabled",
+          "tlsV1": "Disabled",
+          "kerberosRc4Encryption": "Disabled"
+        }
+      }
+    }
+  ]
+}