Manage threats to resources and data in Azure Active Directory B2C

Azure Active Directory B2C (Azure AD B2C) has built-in features that can help you protect against threats to your resources and data. These threats include denial-of-service attacks and password attacks. Denial-of-service attacks might make resources unavailable to intended users. Password attacks lead to unauthorized access to resources.

Denial-of-service attacks

Azure AD B2C defends against SYN flood attacks by using SYN cookies. Azure AD B2C also protects against denial-of-service attacks by applying rate limits and connection limits.

Password attacks

Passwords that are set by users are required to be reasonably complex. Azure AD B2C has mitigation techniques in place for password attacks. Mitigation includes detection of brute-force password attacks and dictionary password attacks. By using various signals, Azure AD B2C analyzes the integrity of requests. Azure AD B2C is designed to intelligently differentiate intended users from hackers and botnets.

Azure AD B2C uses a sophisticated strategy to lock accounts. Accounts are locked based on the IP address of the request and the passwords entered. The duration of the lockout also increases with the likelihood that the activity is an attack. After a password is tried 10 times unsuccessfully (the default attempt threshold), a one-minute lockout occurs. The next time a login fails after the account is unlocked (that is, after the service has automatically unlocked the account once the lockout period expires), another one-minute lockout occurs, and this repeats for each subsequent unsuccessful login. Entering the same password repeatedly doesn't count as multiple unsuccessful logins.

The first 10 lockout periods are one minute long. The next 10 lockout periods are slightly longer, and the duration increases again after every 10 lockout periods. The lockout counter resets to zero after a successful login while the account isn't locked. Lockout periods can last up to five hours.

Manage password protection settings

To manage password protection settings, including the lockout threshold:

  1. Sign in to the Azure portal.

  2. Use the Directory + subscription filter in the top menu to select the directory that contains your Azure AD B2C tenant.

  3. In the left menu, select Azure AD B2C. Or, select All services, then search for and select Azure AD B2C.

  4. Under Security, select Authentication methods (Preview), then select Password protection.

  5. Enter your desired password protection settings, then select Save.

    [Figure: Azure portal Password protection page in Azure AD settings, showing the lockout threshold set to 5.]

View locked-out accounts

To obtain information about locked-out accounts, you can check the Active Directory sign-in activity report. Under Status, select Failure. Failed sign-in attempts with a Sign-in error code of 50053 indicate a locked account:

[Figure: Azure AD sign-in report section showing a locked-out account.]

To learn about viewing the sign-in activity report in Azure Active Directory, see Sign-in activity report error codes.
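The same check can be automated against an exported sign-in report. The following is an added example, not code from this article or from Microsoft: it reads constructed records shaped like Microsoft Graph sign-in entries (an assumed layout with `userPrincipalName`, `ipAddress`, `createdDateTime` and `status.errorCode`), collects the entries that failed with error code 50053, and groups them by account and source IP, since the lockout described above is keyed on the request IP. A second helper flags accounts whose lockouts recur within a short window, which is what a sustained guessing attempt looks like in the report.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Sign-in error code that the report uses for a locked account.
LOCKED_ACCOUNT_CODE = 50053

# Constructed sample records (not real data). The field layout is assumed to
# follow Microsoft Graph signIn entries; 50126 stands in for an ordinary
# bad-credential failure and 0 for a success.
SAMPLE_SIGN_INS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-01-01T10:00:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-01-01T10:00:05Z", "status": {"errorCode": 50053}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-01-01T10:01:30Z", "status": {"errorCode": 50053}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-01-01T10:02:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-01-01T10:03:00Z", "status": {"errorCode": 50053}},
])


def locked_out_accounts(sign_ins_json):
    """Map (userPrincipalName, ipAddress) -> sorted timestamps of 50053 failures."""
    hits = defaultdict(list)
    for rec in json.loads(sign_ins_json):
        if rec.get("status", {}).get("errorCode") != LOCKED_ACCOUNT_CODE:
            continue  # only lockout failures are of interest here
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        hits[(rec["userPrincipalName"], rec["ipAddress"])].append(ts)
    return {key: sorted(times) for key, times in hits.items()}


def repeated_lockouts(hits, window=timedelta(minutes=10), min_count=2):
    """Return keys with at least `min_count` lockouts inside `window`.

    One lockout can be a user fumbling a new password; repeated lockouts from
    the same IP in a short span are worth a closer look.
    """
    flagged = []
    for key, times in hits.items():
        if len(times) >= min_count and times[-1] - times[0] <= window:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for key in repeated_lockouts(locked_out_accounts(SAMPLE_SIGN_INS)):
        print("repeated lockouts:", key)
```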