Forum Discussion

Copper Contributor

Apr 06, 2021

Azure CIS policies with ADDS Joined VMs

I'm having problems with 2 specific CIS policies that I can't seems to remediate. The 2 policies are as follows; 1. CCE-37167-4 -- Ensure 'Maximum password age' is set to '70 or fewer days, but ...

Icon for Microsoft rank

Microsoft

Apr 08, 2021

Hi WHendrickson

Dismissing a CCEID changes the status of an item to "dismissed" and hides it from the dashboard.

If you still see it, please make sure your filter set to not display dismissed items:

WHendrickson
Copper Contributor
Apr 12, 2021
StanislavBelov

You are correct that they are hidden if dismissed however they are not removed from your secure score and regulatory compliance scores.

I'm looking at how to be exempt from these policies if I can't control them so they don't reflect negatively against our scores.

Thanks,
- StanislavBelov
  Microsoft
  Apr 12, 2021
  WHendrickson
  
  In this case you can either disable certain rules (disabled findings won't be counted towards your secure score) or exempt the whole recommendation (not recommended):
  https://docs.microsoft.com/en-us/azure/security-center/remediate-vulnerability-findings-vm?WT.mc_id=Portal-Microsoft_Azure_Security#disable-specific-findings-preview
  - WHendrickson
    Copper Contributor
    Apr 20, 2021
    StanislavBelov
    These 2 CIS policies cannot be disabled like findings from a vulnerability assessment. Only way to remediate them is to disable the entire policy in Azure which is not the desired outcome. Microsoft either has to exclude them from ADDS joined VMs or allow users to set the restrictions from within Azure to satisfy them I believe.