What are security defaults?

Managing security can be difficult with common identity-related attacks like password spray, replay, and phishing becoming more and more popular. Security defaults make it easier to help protect your organization from these attacks with preconfigured security settings:

  • Requiring all users to register for Azure AD Multi-Factor Authentication.
  • Requiring administrators to perform multi-factor authentication.
  • Blocking legacy authentication protocols.
  • Requiring users to perform multi-factor authentication when necessary.
  • Protecting privileged activities like access to the Azure portal.

[Screenshot: the Azure portal with the toggle that enables security defaults]

More details on why security defaults are being made available can be found in Alex Weinert's blog post, Introducing security defaults.

Availability

Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. If your tenant was created on or after October 22, 2019, it is possible security defaults are already enabled in your tenant. In an effort to protect all of our users, security defaults are being rolled out to all newly created tenants.

Who's it for?

  • If you are an organization that wants to increase your security posture but you don't know how or where to start, security defaults are for you.
  • If you are an organization utilizing the free tier of Azure Active Directory licensing, security defaults are for you.

Who should use Conditional Access?

  • If you are an organization currently using Conditional Access policies to bring signals together, to make decisions, and to enforce organizational policies, security defaults are probably not right for you.
  • If you are an organization with Azure Active Directory Premium licenses, security defaults are probably not right for you.
  • If your organization has complex security requirements, you should consider Conditional Access.

Policies enforced

Unified Multi-Factor Authentication registration

All users in your tenant must register for multi-factor authentication (MFA) in the form of Azure AD Multi-Factor Authentication. Users have 14 days to register for Azure AD Multi-Factor Authentication by using the Microsoft Authenticator app. After the 14 days have passed, the user won't be able to sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.
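The 14-day rule above has two edge cases an administrator needs to get right when predicting who is about to be locked out: only a successful, interactive sign-in that happens after the toggle was set starts a user's clock, and non-interactive or failed sign-ins do not. The script below is an added example, not code from the Microsoft page; it applies that rule to constructed records shaped like Azure AD sign-in log entries (userPrincipalName, createdDateTime, isInteractive, status.errorCode) and reports each user's deadline and state. The enablement timestamp, the sign-in records and the set of already-registered users are all invented sample data.

```python
"""Added example (not from the Microsoft page): compute each user's
14-day Azure AD MFA registration deadline under security defaults.

Rule: a user's 14-day window starts at their first successful
interactive sign-in after security defaults are enabled; once the
window passes, the user cannot sign in until registration is complete.
All records below are constructed sample data in the shape of Azure AD
sign-in log entries, not real log output.
"""
from datetime import datetime, timedelta, timezone

REGISTRATION_WINDOW = timedelta(days=14)

# Assumption: the moment the administrator set "Enable security defaults" to Yes.
DEFAULTS_ENABLED_AT = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sign-in log entries. status.errorCode 0 means the sign-in succeeded.
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-02-20T09:00:00Z",
     "isInteractive": True, "status": {"errorCode": 0}},      # before enablement: ignored
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-03-02T09:00:00Z",
     "isInteractive": True, "status": {"errorCode": 0}},      # starts Alice's clock
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-03-03T08:00:00Z",
     "isInteractive": False, "status": {"errorCode": 0}},     # non-interactive: no clock
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-03-04T08:00:00Z",
     "isInteractive": True, "status": {"errorCode": 50126}},  # failed sign-in: no clock
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-03-10T08:00:00Z",
     "isInteractive": True, "status": {"errorCode": 0}},      # starts Bob's clock
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2024-03-05T10:00:00Z",
     "isInteractive": True, "status": {"errorCode": 0}},
]

# Constructed: users who have already completed Authenticator registration.
MFA_REGISTERED = {"carol@contoso.example"}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in Azure AD sign-in logs."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def window_start(sign_ins, enabled_at):
    """Per user, the first successful interactive sign-in at or after enablement."""
    starts = {}
    for rec in sign_ins:
        if not rec["isInteractive"] or rec["status"]["errorCode"] != 0:
            continue
        ts = parse_ts(rec["createdDateTime"])
        if ts < enabled_at:
            continue
        upn = rec["userPrincipalName"]
        if upn not in starts or ts < starts[upn]:
            starts[upn] = ts
    return starts


def registration_report(sign_ins, registered, enabled_at, now):
    """Return {upn: (deadline, state)}; state is 'registered', 'pending' or 'blocked'."""
    report = {}
    for upn, start in window_start(sign_ins, enabled_at).items():
        deadline = start + REGISTRATION_WINDOW
        if upn in registered:
            state = "registered"
        elif now < deadline:
            state = "pending"     # still inside the 14-day window
        else:
            state = "blocked"     # sign-in denied until registration completes
        report[upn] = (deadline, state)
    return report


if __name__ == "__main__":
    now = datetime(2024, 3, 18, tzinfo=timezone.utc)
    report = registration_report(SIGN_INS, MFA_REGISTERED, DEFAULTS_ENABLED_AT, now)
    for upn, (deadline, state) in sorted(report.items()):
        print(f"{upn:26} deadline={deadline:%Y-%m-%d %H:%M} state={state}")
```

Users who never sign in interactively after enablement do not appear in the report at all, which is the correct reading of the rule: their window has not started yet. In a real tenant the records would come from the sign-in log export and the registered set from the MFA registration report.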

Protecting administrators

Users with privileged access have increased access to your environment. Due to the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in. In Azure AD, you can get stronger account verification by requiring multi-factor authentication.

After registration with Azure AD Multi-Factor Authentication is finished, the following nine Azure AD administrator roles will be required to perform additional authentication every time they sign in:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Security administrator
  • Helpdesk administrator
  • Billing administrator
  • User administrator
  • Authentication administrator

Protecting all users

We tend to think that administrator accounts are the only accounts that need extra layers of authentication. Administrators have broad access to sensitive information and can make changes to subscription-wide settings. But attackers frequently target end users.

After these attackers gain access, they can request access to privileged information on behalf of the original account holder. They can even download the entire directory to perform a phishing attack on your whole organization.

One common method to improve protection for all users is to require a stronger form of account verification, such as Multi-Factor Authentication, for everyone. After users complete Multi-Factor Authentication registration, they'll be prompted for additional authentication whenever necessary. Users will be prompted primarily when they authenticate using a new device or application, or when performing critical roles and tasks. This functionality protects all applications registered with Azure AD, including SaaS applications.

Blocking legacy authentication

To give your users easy access to your cloud apps, Azure AD supports a variety of authentication protocols, including legacy authentication. Legacy authentication is a term that refers to an authentication request made by:

  • Clients that don't use modern authentication (for example, an Office 2010 client).
  • Any client that uses older mail protocols such as IMAP, SMTP, or POP3.

Today, the majority of compromising sign-in attempts come from legacy authentication. Legacy authentication does not support Multi-Factor Authentication. Even if you have a Multi-Factor Authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass Multi-Factor Authentication.

After security defaults are enabled in your tenant, all authentication requests made by an older protocol will be blocked. Security defaults block Exchange ActiveSync basic authentication.

Warning

Before you enable security defaults, make sure your administrators aren't using older authentication protocols. For more information, see How to move away from legacy authentication.
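The warning above asks you to confirm that nobody, and administrators in particular, still depends on legacy authentication before the toggle is set. The sign-in log records which protocol each sign-in used in its clientAppUsed field, so the check is a matter of grouping legacy sign-ins per user and ranking holders of the nine privileged roles first. The script below is an added example, not code from the Microsoft page. The sign-in records and role assignments are constructed sample data; the clientAppUsed values are the ones the sign-in log uses, and the assumption that only "Browser" and "Mobile Apps and Desktop clients" count as modern authentication is mine.

```python
"""Added example (not from the Microsoft page): find accounts, above all
administrators, that still sign in with legacy authentication before
security defaults are enabled, since those sign-ins will be blocked afterwards.

The records are constructed sample data shaped like Azure AD sign-in log
entries (userPrincipalName, clientAppUsed, appDisplayName, createdDateTime).
"""
from collections import defaultdict

# The nine roles that security defaults treats as privileged (from the page).
PRIVILEGED_ROLES = {
    "Global administrator", "SharePoint administrator", "Exchange administrator",
    "Conditional Access administrator", "Security administrator",
    "Helpdesk administrator", "Billing administrator", "User administrator",
    "Authentication administrator",
}

# Assumption: only these two clientAppUsed values are modern authentication;
# everything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync,
# Other clients, ...) is legacy authentication.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

ROLE_ASSIGNMENTS = {  # constructed
    "admin-exchange@contoso.example": {"Exchange administrator"},
    "alice@contoso.example": set(),
    "svc-scanner@contoso.example": set(),
}

SIGN_INS = [  # constructed
    {"userPrincipalName": "admin-exchange@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-03-01T07:00:00Z"},
    {"userPrincipalName": "admin-exchange@contoso.example", "clientAppUsed": "Browser",
     "appDisplayName": "Azure Portal", "createdDateTime": "2024-03-01T09:00:00Z"},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-03-02T10:00:00Z"},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-03-03T10:00:00Z"},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-03-03T11:00:00Z"},
    {"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Graph", "createdDateTime": "2024-03-03T12:00:00Z"},
]


def is_legacy(client_app_used: str) -> bool:
    """True when the sign-in did not use modern authentication."""
    return client_app_used not in MODERN_CLIENTS


def is_privileged(upn: str, role_assignments) -> bool:
    """True when the account holds any of the nine protected admin roles."""
    return bool(role_assignments.get(upn, set()) & PRIVILEGED_ROLES)


def legacy_auth_report(sign_ins, role_assignments):
    """Group legacy-auth sign-ins per user; privileged accounts are listed first,
    then the noisiest accounts, so the riskiest entries are at the top."""
    per_user = defaultdict(lambda: {"protocols": set(), "count": 0, "last_seen": ""})
    for rec in sign_ins:
        if not is_legacy(rec["clientAppUsed"]):
            continue
        entry = per_user[rec["userPrincipalName"]]
        entry["protocols"].add(rec["clientAppUsed"])
        entry["count"] += 1
        # ISO-8601 'Z' timestamps compare correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec["createdDateTime"])
    rows = [{"upn": upn, "privileged": is_privileged(upn, role_assignments),
             "protocols": sorted(e["protocols"]), "count": e["count"], "last_seen": e["last_seen"]}
            for upn, e in per_user.items()]
    return sorted(rows, key=lambda r: (not r["privileged"], -r["count"], r["upn"]))


if __name__ == "__main__":
    for row in legacy_auth_report(SIGN_INS, ROLE_ASSIGNMENTS):
        flag = "ADMIN " if row["privileged"] else "user  "
        print(f"{flag}{row['upn']:32} {row['count']:>3}x {', '.join(row['protocols'])} "
              f"(last {row['last_seen']})")
```

Accounts that appear only with modern clients (the scanner service account here) are left out of the report, and an administrator who uses both a browser and ActiveSync is still reported because one legacy sign-in is enough to break that workflow once security defaults are on.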

Protecting privileged actions

Organizations use a variety of Azure services managed through the Azure Resource Manager API, including:

  • Azure portal
  • Azure PowerShell
  • Azure CLI

Using Azure Resource Manager to manage your services is a highly privileged action. Azure Resource Manager can alter tenant-wide configurations, such as service settings and subscription billing. Single-factor authentication is vulnerable to a variety of attacks like phishing and password spray.

It's important to verify the identity of users who want to access Azure Resource Manager and update configurations. You verify their identity by requiring additional authentication before you allow access.

After you enable security defaults in your tenant, any user who's accessing the Azure portal, Azure PowerShell, or the Azure CLI will need to complete additional authentication. This policy applies to all users who are accessing Azure Resource Manager, whether they're an administrator or a regular user.

Note

Pre-2017 Exchange Online tenants have modern authentication disabled by default. In order to avoid the possibility of a login loop while authenticating through these tenants, you must enable modern authentication.

Note

The Azure AD Connect synchronization account is excluded from security defaults and will not be prompted to register for or perform multi-factor authentication. Organizations should not be using this account for other purposes.

Deployment considerations

The following additional considerations are related to deployment of security defaults.

Authentication methods

These free security defaults allow registration and use of Azure AD Multi-Factor Authentication using only the Microsoft Authenticator app with notifications. Conditional Access allows the use of any authentication method the administrator chooses to enable.

Method                                               Security defaults   Conditional Access
Notification through mobile app                      X                   X
Verification code from mobile app or hardware token  X**                 X
Text message to phone                                                    X
Call to phone                                                            X
App passwords                                                            X***

  • ** Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option.
  • *** App passwords are available only in per-user MFA for legacy authentication scenarios, and only if enabled by administrators.

Disabled MFA status

If your organization is a previous user of per-user based Azure AD Multi-Factor Authentication, do not be alarmed if you do not see users in an Enabled or Enforced status when you look at the Multi-Factor Auth status page. Disabled is the appropriate status for users who are using security defaults or Conditional Access based Azure AD Multi-Factor Authentication.

Conditional Access

You can use Conditional Access to configure policies similar to security defaults, but with more granularity, including user exclusions, which are not available in security defaults. If you're using Conditional Access and have Conditional Access policies enabled in your environment, security defaults won't be available to you. If you have a license that provides Conditional Access but don't have any Conditional Access policies enabled in your environment, you are welcome to use security defaults until you enable Conditional Access policies. More information about Azure AD licensing can be found on the Azure AD pricing page.

[Screenshot: warning message that security defaults and Conditional Access cannot both be enabled]

Here are step-by-step guides on how you can use Conditional Access to configure equivalent policies to those enabled by security defaults:

Enabling security defaults

To enable security defaults in your directory:

  1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
  2. Browse to Azure Active Directory > Properties.
  3. Select Manage security defaults.
  4. Set the Enable security defaults toggle to Yes.
  5. Select Save.
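The portal steps above flip a single tenant-wide setting, and the Conditional Access section earlier notes that the setting is not available while Conditional Access policies are enabled. Both can be handled from a script through Microsoft Graph, which is useful for auditing many tenants or for a change pipeline. The script below is an added example and not code from the Microsoft page: it reads the security defaults enforcement policy (GET /policies/identitySecurityDefaultsEnforcementPolicy, property isEnabled), lists Conditional Access policies (GET /identity/conditionalAccess/policies), refuses to enable security defaults when any policy is in the enabled state, and otherwise PATCHes isEnabled. The bearer token is assumed to arrive in the GRAPH_TOKEN environment variable with the Policy permissions needed for those calls; the sample JSON responses are constructed so the decision logic runs offline. Treating only policies whose state is "enabled" as blocking (and not report-only ones) is my reading of the page's wording.

```python
"""Added example (not from the Microsoft page): check and set the security
defaults toggle through Microsoft Graph instead of the portal.

Endpoints (Microsoft Graph v1.0):
  GET/PATCH /policies/identitySecurityDefaultsEnforcementPolicy   -> isEnabled
  GET       /identity/conditionalAccess/policies                  -> state per policy
Assumptions: a bearer token in GRAPH_TOKEN with the Policy permissions for
these calls; the SAMPLE_* responses below are constructed, not real tenant data.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
DEFAULTS_POLICY = f"{GRAPH}/policies/identitySecurityDefaultsEnforcementPolicy"
CA_POLICIES = f"{GRAPH}/identity/conditionalAccess/policies"


def graph_call(token, url, method="GET", body=None):
    """Minimal Graph request helper; returns the parsed JSON body (or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def enabled_ca_policies(ca_policies_json):
    """Names of Conditional Access policies in the 'enabled' state.
    Assumption: report-only ('enabledForReportingButNotEnforced') and
    disabled policies do not block security defaults."""
    return sorted(p["displayName"] for p in ca_policies_json.get("value", [])
                  if p.get("state") == "enabled")


def assess(defaults_policy_json, ca_policies_json, want_enabled):
    """Pure decision step: returns (action, reason) with action in
    {'refuse', 'noop', 'patch'} so it can be reviewed before anything changes."""
    currently = bool(defaults_policy_json.get("isEnabled"))
    enabled_ca = enabled_ca_policies(ca_policies_json)
    if want_enabled and enabled_ca:
        return "refuse", "Conditional Access policies enabled: " + ", ".join(enabled_ca)
    if currently == want_enabled:
        return "noop", "security defaults already " + ("enabled" if currently else "disabled")
    return "patch", "set isEnabled=" + str(want_enabled).lower()


def apply(token, want_enabled):
    """Read current state, decide, and PATCH only when the decision is 'patch'."""
    defaults = graph_call(token, DEFAULTS_POLICY)
    ca = graph_call(token, CA_POLICIES)
    action, reason = assess(defaults, ca, want_enabled)
    if action == "patch":
        graph_call(token, DEFAULTS_POLICY, "PATCH", {"isEnabled": want_enabled})
    return action, reason


# Constructed sample responses for offline use.
SAMPLE_DEFAULTS_OFF = {"isEnabled": False}
SAMPLE_DEFAULTS_ON = {"isEnabled": True}
SAMPLE_CA = {"value": [
    {"displayName": "Require MFA for admins", "state": "enabled"},
    {"displayName": "Block legacy auth (pilot)", "state": "enabledForReportingButNotEnforced"},
]}
SAMPLE_CA_NONE = {"value": []}

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print(apply(token, want_enabled=True))
    else:  # no token: show the decision logic on the constructed samples
        print(assess(SAMPLE_DEFAULTS_OFF, SAMPLE_CA, True))
        print(assess(SAMPLE_DEFAULTS_OFF, SAMPLE_CA_NONE, True))
        print(assess(SAMPLE_DEFAULTS_ON, SAMPLE_CA, False))
```

Keeping assess() free of network calls means the refusal path (enabled Conditional Access policies present) can be unit-tested, and disabling security defaults is always allowed, which matches the page: an organization moving to Conditional Access must turn the toggle off first.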

Disabling security defaults

Organizations that choose to implement Conditional Access policies that replace security defaults must disable security defaults.

[Screenshot: warning message to disable security defaults in order to enable Conditional Access]

To disable security defaults in your directory:

  1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
  2. Browse to Azure Active Directory > Properties.
  3. Select Manage security defaults.
  4. Set the Enable security defaults toggle to No.
  5. Select Save.

Next steps

Common Conditional Access policies