Azure security baseline for Automation

The Azure Security Baseline for Automation contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see the Azure security baselines overview.

Network security

For more information, see Security control: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: Azure Automation accounts do not yet support Azure Private Link for restricting access to the service through private endpoints. Runbooks that authenticate and run against resources in Azure execute in an Azure sandbox on shared backend resources, which Azure is responsible for isolating from each other; their networking is unrestricted and can reach public resources. Azure Automation does not currently have virtual network integration for private networking beyond its support for Hybrid Runbook Workers. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

For further isolation of your runbooks, use Hybrid Runbook Workers running on Azure virtual machines. When you create an Azure virtual machine you must create a virtual network (VNet) or use an existing one, and place the VM in a subnet. Ensure that every deployed subnet has a Network Security Group applied, with network access controls limited to the ports and sources your application trusts. For service-specific requirements, refer to the security recommendation for that service.

Alternatively, if you have a specific requirement, Azure Firewall may be used to meet it.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs

Guidance: Azure Automation does not currently have virtual network integration for private networking beyond its support for Hybrid Runbook Workers. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

If you are using Hybrid Runbook Workers backed by Azure virtual machines, ensure that the subnet containing those workers has a Network Security Group (NSG) applied, and configure NSG flow logs to forward to a Storage Account for traffic audit. You may also forward NSG flow logs to a Log Analytics workspace and use Traffic Analytics to gain insight into traffic flow in your Azure cloud. Traffic Analytics lets you visualize network activity, identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

While NSG rules and user-defined routes do not apply to private endpoints, NSG flow logs and monitoring information for outbound connections are still supported and can be used.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.5: Record network packets

Guidance: Azure Automation does not currently have virtual network integration for private networking beyond its support for Hybrid Runbook Workers. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

If you are using Hybrid Runbook Workers backed by Azure virtual machines, you can record NSG flow logs into a storage account to generate flow records for the Azure virtual machines acting as runbook workers. When investigating anomalous activity, you can enable Network Watcher packet capture so that network traffic can be reviewed for unusual and unexpected activity.

Azure Security Center monitoring: Yes

Responsibility: Customer
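The following is an added example, not code from the baseline or from Microsoft, covering both 1.2 and 1.5 for workers on Azure VMs: it turns on NSG flow logs with Traffic Analytics for the NSG attached to the Hybrid Runbook Worker subnet, verifies the setting, and then starts a time-limited Network Watcher packet capture on one worker. All resource names are placeholders; it assumes the default per-region Network Watcher (NetworkWatcher_<region> in NetworkWatcherRG) and that the Network Watcher agent extension is installed on the worker VM.

```powershell
# Added example (not from the original page): NSG flow logs + Traffic Analytics for the
# Hybrid Runbook Worker subnet, then an on-demand packet capture on one worker.
# Assumptions: Az.Network / Az.OperationalInsights modules; the names below are placeholders.
#Requires -Modules Az.Accounts, Az.Network, Az.Storage, Az.Compute, Az.OperationalInsights

param(
    [string]$ResourceGroup      = 'rg-hybrid-workers',   # placeholder
    [string]$NsgName            = 'nsg-hybrid-workers',  # NSG attached to the worker subnet
    [string]$StorageAccountName = 'sthybridflowlogs',    # flow log destination
    [string]$WorkspaceName      = 'law-security',        # workspace for Traffic Analytics
    [string]$WorkerVmName       = 'vm-hrw-01',           # worker to capture from
    [string]$Location           = 'eastus'
)

Connect-AzAccount | Out-Null

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
$sa  = Get-AzStorageAccount -Name $StorageAccountName -ResourceGroupName $ResourceGroup
$ws  = Get-AzOperationalInsightsWorkspace -Name $WorkspaceName -ResourceGroupName $ResourceGroup

# Network Watcher is created per region in the NetworkWatcherRG resource group by default (assumption).
$nw = Get-AzNetworkWatcher -Name "NetworkWatcher_$Location" -ResourceGroupName 'NetworkWatcherRG'

# 1.2: version 2 flow records (include bytes/packets per flow), retained 90 days, with
# Traffic Analytics aggregating into the workspace every 10 minutes.
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $nw `
    -TargetResourceId $nsg.Id `
    -StorageAccountId $sa.Id `
    -EnableFlowLog $true `
    -FormatType Json -FormatVersion 2 `
    -EnableRetention $true -RetentionInDays 90 `
    -EnableTrafficAnalytics `
    -TrafficAnalyticsWorkspaceId $ws.ResourceId `
    -TrafficAnalyticsWorkspaceRegion $ws.Location `
    -TrafficAnalyticsWorkspaceGuid $ws.CustomerId `
    -TrafficAnalyticsInterval 10 | Out-Null

# Check: confirm flow logging is really on before relying on it for audit evidence.
$status = Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $nw -TargetResourceId $nsg.Id
if (-not $status.Enabled) { throw "Flow logging is not enabled on $NsgName" }

# 1.5: during an investigation, capture from one worker. Workers talk to the Automation
# service over TCP 443, so the filter keeps only that traffic; the capture is capped in
# time and size so it cannot fill the storage account.
$vm     = Get-AzVM -Name $WorkerVmName -ResourceGroupName $ResourceGroup
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP -RemotePort 443
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName "hrw-investigation-$(Get-Date -Format yyyyMMddHHmm)" `
    -StorageAccountId $sa.Id `
    -TimeLimitInSeconds 300 `
    -BytesToCapturePerPacket 0 `
    -TotalBytesPerSession 104857600 `
    -Filter $filter
```

The capture lands as a .cap file in the storage account and can be opened in Wireshark. Keep the capture storage account separate from anything the runbooks themselves write to, so a compromised runbook cannot tamper with evidence.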

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Azure Automation does not currently have virtual network integration for private networking beyond its support for Hybrid Runbook Workers. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

If you are using Hybrid Runbook Workers hosted on Azure virtual machines, you can combine packet captures provided by Network Watcher with open-source IDS tools to perform network intrusion detection for a wide range of threats to those worker machines. You can also deploy Azure Firewall to the virtual network segments as appropriate, with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use Virtual Network service tags to define network access controls on the Network Security Groups or Azure Firewall that govern the networks needing access to your Automation resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, GuestAndHybridManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use tags for NSGs and other resources related to network security and traffic flow. For individual NSG rules, use the "Description" field to record the business need, duration, and similar details for any rule that allows traffic to or from a network.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to be notified of existing untagged resources.

You may use Azure PowerShell or Azure CLI to look up or act on resources based on their tags.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
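An added example for 1.8 and 1.10, not code from the baseline or from Microsoft: an NSG for the Hybrid Runbook Worker subnet whose rules use service tags instead of IP lists, deny all other Internet egress and ingress, and carry the business reason in each rule's Description field, with tags on the NSG so policy and scripts can find it. It assumes the workers only need the Automation service (GuestAndHybridManagement) and the Log Analytics agent endpoints (AzureMonitor); if your runbooks call Azure APIs from the worker, add rules for tags such as AzureActiveDirectory and AzureResourceManager. Names are placeholders.

```powershell
# Added example (not from the original page): service-tag based NSG for hybrid workers,
# restricted egress, documented rules, tagged resource.
#Requires -Modules Az.Accounts, Az.Network

param(
    [string]$ResourceGroup = 'rg-hybrid-workers',   # placeholder names
    [string]$Location      = 'eastus',
    [string]$NsgName       = 'nsg-hybrid-workers'
)

$rules = @(
    # Outbound: Automation service endpoints, TLS only (the tag the page names).
    New-AzNetworkSecurityRuleConfig -Name 'allow-automation-443' -Priority 100 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix GuestAndHybridManagement -DestinationPortRange 443 `
        -Description 'Hybrid Runbook Worker registration and job polling. Owner: automation-team. Review: annually.'

    # Outbound: Log Analytics agent used by Security Center event collection (controls 2.4/2.10).
    # Assumption: your workers run that agent; drop the rule if they do not.
    New-AzNetworkSecurityRuleConfig -Name 'allow-monitor-443' -Priority 110 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix AzureMonitor -DestinationPortRange 443 `
        -Description 'Log Analytics agent upload. Owner: secops. Review: annually.'

    # Outbound: everything else to the Internet is denied. The default rule
    # AllowInternetOutBound sits at priority 65001, so this lower number wins.
    New-AzNetworkSecurityRuleConfig -Name 'deny-internet-out' -Priority 4000 `
        -Direction Outbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix Internet -DestinationPortRange '*' `
        -Description 'Workers pull work from Automation; no ad-hoc egress is expected.'

    # Inbound: workers initiate every connection, so nothing from the Internet is needed.
    New-AzNetworkSecurityRuleConfig -Name 'deny-internet-in' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*' `
        -Description 'No inbound exposure for worker VMs; manage them via Azure Bastion or JIT.'
)

$nsg = New-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup -Location $Location `
    -SecurityRules $rules `
    -Tag @{ Owner = 'automation-team'; Environment = 'prod'; DataClass = 'internal' }

# Check: show the effective ordering so a reviewer can see that no Allow rule sits behind a Deny
# and that every rule carries a Description.
$nsg.SecurityRules | Sort-Object Direction, Priority |
    Format-Table Direction, Priority, Name, Access, DestinationAddressPrefix, DestinationPortRange, Description -AutoSize
```

Attach the NSG to the worker subnet (Set-AzVirtualNetworkSubnetConfig -NetworkSecurityGroup) rather than to individual NICs, so a worker added later inherits the same policy. The Description field is limited to 140 characters, which is enough for an owner, a reason and a review date.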

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity Log to monitor resource configurations and detect changes to your network resources. Create alerts within Azure Monitor that trigger when changes to critical resources take place.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Logging and monitoring

For more information, see Security control: Logging and monitoring.

2.1: Use approved time synchronization sources

Guidance: Microsoft maintains the time sources for Azure resources. However, you have the option to manage the time synchronization settings for any Hybrid Runbook Workers running on Windows virtual machines.

Azure Security Center monitoring: Not applicable

Responsibility: Azure

2.2: Configure central security log management

Guidance: Forward log data to Azure Monitor Logs to aggregate security data generated by Azure Automation resources. Within Azure Monitor, use log queries to search and perform analytics, and use Azure Storage Accounts for long-term/archival storage. Azure Automation can send runbook job status, job streams, Automation State Configuration data, and Update Management logs to your Log Analytics workspace. This information is visible from the Azure portal, Azure PowerShell, and the Azure Monitor Logs API, which lets you perform simple investigations.

Alternatively, you may enable and on-board data to a third-party SIEM.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable Azure Monitor for access to your audit and activity logs, which include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: When using Azure Automation with the multi-tenant runbook workers, this control is not applicable; the platform handles the underlying virtual machines.

When using the Hybrid Runbook Worker feature, Azure Security Center provides Security Event log monitoring for Windows virtual machines. If your organization wants to retain the security event log data, it can be stored within a data collection tier, at which point it can be queried in Log Analytics. There are different tiers: Minimal, Common and All, which are detailed in the Azure Security Center data collection documentation.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review the results. Use Azure Monitor log queries to review logs and run queries on log data.

Alternatively, you may enable and on-board data to a third-party SIEM.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
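An added example for 2.2 and 2.6, not code from the baseline or from Microsoft: it creates a diagnostic setting that sends the Automation account's job logs, job streams and State Configuration node status to a Log Analytics workspace, then runs two review queries against the workspace from PowerShell (failed jobs per runbook, and recent error streams, which often contain the failure reason and sometimes leaked secrets). It assumes Az.Monitor 3.0 or later for New-AzDiagnosticSetting; the resource names are placeholders.

```powershell
# Added example (not from the original page): central job logging for an Automation account
# plus log-review queries. Assumes Az.Monitor 3.0+ (New-AzDiagnosticSetting); names are placeholders.
#Requires -Modules Az.Accounts, Az.Automation, Az.Monitor, Az.OperationalInsights

param(
    [string]$ResourceGroup = 'rg-automation',
    [string]$AccountName   = 'aa-prod',
    [string]$WorkspaceName = 'law-security'
)

$acct = Get-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AccountName
$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# 2.2: one diagnostic setting carrying the three log categories the page lists.
$logs = 'JobLogs', 'JobStreams', 'DscNodeStatus' | ForEach-Object {
    New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true
}
New-AzDiagnosticSetting -Name 'to-security-workspace' `
    -ResourceId $acct.Id `
    -WorkspaceId $ws.ResourceId `
    -Log $logs | Out-Null

# 2.6: review the data. Automation writes to the AzureDiagnostics table; job records carry
# RunbookName_s, JobId_g and ResultType; stream records carry StreamType_s and ResultDescription.
$failedJobs = @'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs"
| where ResultType == "Failed"
| summarize Failures = count(), LastFailure = max(TimeGenerated) by RunbookName_s, Resource
| order by Failures desc
'@

$errorStreams = @'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobStreams"
| where StreamType_s == "Error"
| project TimeGenerated, RunbookName_s, JobId_g, ResultDescription
| take 50
'@

$queries = [ordered]@{ FailedJobs = $failedJobs; ErrorStreams = $errorStreams }
foreach ($q in $queries.GetEnumerator()) {
    # -WorkspaceId takes the workspace's customer ID (GUID), not its ARM resource ID.
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $q.Value -Timespan (New-TimeSpan -Days 7)
    "==== $($q.Key) (last 7 days) ===="
    $r.Results | Format-Table -AutoSize
}
```

Data takes a few minutes to appear after the diagnostic setting is created. Because error streams are shipped verbatim, anything a runbook writes with Write-Error or Write-Output ends up in the workspace; that is the reason secrets belong in encrypted variables or credential assets (control 4.8) and never in output streams.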

2.7: Enable alerts for anomalous activities

Guidance: Use Azure Security Center with Azure Monitor to monitor and alert on anomalous activity found in security logs and events.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: When using Azure Automation with the multi-tenant runbook workers, this control is not applicable; the platform handles the underlying virtual machines.

However, when using the Hybrid Runbook Worker feature, you may use Microsoft Antimalware for Azure Cloud Services and Virtual Machines. Configure your virtual machines to log events to an Azure Storage Account. Configure a Log Analytics workspace to ingest the events from the Storage Account and create alerts where appropriate. Follow the recommendations in Azure Security Center: "Compute & Apps".

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

2.9: Enable DNS query logging

Guidance: Implement a third-party DNS logging solution from Azure Marketplace according to your organization's needs.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.10: Enable command-line audit logging

Guidance: When using Azure Automation with the multi-tenant runbook workers, this control is not applicable; the platform handles the underlying virtual machines.

However, when using the Hybrid Runbook Worker feature, Azure Security Center provides Security Event log monitoring for Azure virtual machines. Security Center provisions the Log Analytics agent on all supported Azure VMs, and on any new ones that are created, if automatic provisioning is enabled; you can also install the agent manually. The agent enables process creation event 4688 and the CommandLine field inside event 4688. New processes created on the VM are recorded in the event log and monitored by Security Center's detection services.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable
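An added example, not code from the baseline or from Microsoft, for a Windows Hybrid Runbook Worker: it enables the Process Creation audit subcategory and command-line inclusion (the same settings Security Center's agent turns on), checks that both are actually active, and then parses recent 4688 events looking for encoded or hidden PowerShell and for shells spawned from the hybrid worker sandbox. The sandbox process name Orchestrator.Sandbox.exe and the regex patterns are assumptions to tune for your environment; run the script elevated on the worker.

```powershell
# Added example (not from the original page): process-creation auditing with command line on a
# Windows hybrid worker, plus a check and a first-pass hunt over event 4688. Run elevated.
#Requires -RunAsAdministrator

# Enable the Process Creation subcategory and command-line inclusion in 4688.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Check: both settings must be active, otherwise the CommandLine field in 4688 is empty.
$policy = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -notmatch 'Success') { throw 'Process Creation auditing is not enabled' }
if ((Get-ItemProperty $auditKey).ProcessCreationIncludeCmdLine_Enabled -ne 1) { throw 'Command line inclusion is off' }

function Get-SuspiciousProcessStarts {
    param([int]$MaxEvents = 500)
    # Assumption: agent-based hybrid worker jobs run inside Orchestrator.Sandbox.exe.
    $sandbox  = 'Orchestrator\.Sandbox\.exe$'
    $lolbins  = '\\(cmd|wscript|cscript|mshta|certutil|bitsadmin)\.exe$'
    $encoded  = '\s-(e|ec|enc|encodedcommand)\s'
    $hidden   = '-w(indowstyle)?\s+hidden'

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="..."> elements; fold it into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Parent      = $d.ParentProcessName
                Process     = $d.NewProcessName
                CommandLine = $d.CommandLine
            }
        } |
        Where-Object {
            ($_.CommandLine -match $encoded) -or
            ($_.CommandLine -match $hidden) -or
            ($_.Parent -match $sandbox -and $_.Process -match $lolbins)
        }
}

Get-SuspiciousProcessStarts | Format-Table -AutoSize -Wrap
```

Set the Security log size generously (wevtutil sl Security /ms:...) once 4688 with command lines is on; a busy worker generates far more events than the default log can hold, and a rolled-over log is an evidence gap.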

Identity and access control

For more information, see Security control: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Use Azure Active Directory built-in administrator roles, which can be explicitly assigned and queried. Use the Azure AD PowerShell module to perform ad hoc queries that discover accounts that are members of administrative groups. Whenever you use Automation account Run As accounts for your runbooks, ensure these service principals are also tracked in your inventory, since they often hold elevated permissions. Delete any unused Run As accounts to minimize your exposed attack surface.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Azure Automation accounts do not have the concept of default passwords. Customers are responsible for third-party applications and marketplace services running on top of the service or its Hybrid Runbook Workers that may use default passwords.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts. Whenever you use Automation account Run As accounts for your runbooks, ensure these service principals are also tracked in your inventory, since they often hold elevated permissions. Scope these identities to the least-privileged permissions your runbooks need to complete their automated process. Delete any unused Run As accounts to minimize your exposed attack surface.

You can also enable Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management privileged roles for Microsoft services and Azure Resource Manager.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure AD multi-factor authentication (MFA) and follow the Azure Security Center Identity and Access Management recommendations.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines for all administrative tasks

Guidance: Use privileged access workstations (PAWs) with multi-factor authentication configured to log in to and configure Azure Automation account resources in production environments.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access named locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure AD as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials. If you use Hybrid Runbook Workers, you can use managed identities instead of Run As accounts, which removes the stored certificate from the Automation account and gives you permissions that are simpler to scope.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure AD provides logs to help discover stale accounts. In addition, use Azure AD access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users retain access. Whenever you use Automation account Run As accounts for your runbooks, ensure these service principals are also tracked in your inventory, since they often hold elevated permissions. Delete any unused Run As accounts to minimize your exposed attack surface.

Azure Security Center monitoring: Yes

Responsibility: Customer
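Controls 3.1, 3.3 and 3.10 all ask for the same thing about Run As accounts: know which ones exist, what they can do, and which can go. The following is an added example, not code from the baseline or from Microsoft, that builds that inventory across every Automation account visible to the signed-in user: it reads the AzureRunAsConnection asset, resolves the service principal, lists its role assignments, flags subscription-wide Owner/Contributor grants (the default for Run As accounts, and far broader than most runbooks need), reports the Run As certificate expiry, and marks connections whose application no longer exists in Azure AD. The 30-day expiry threshold is an assumption.

```powershell
# Added example (not from the original page): inventory and triage of Automation Run As accounts.
#Requires -Modules Az.Accounts, Az.Automation, Az.Resources

function Get-RunAsInventory {
    foreach ($acct in Get-AzAutomationAccount) {
        $p = @{ ResourceGroupName = $acct.ResourceGroupName; AutomationAccountName = $acct.AutomationAccountName }

        # The Run As connection asset stores the app ID and certificate thumbprint the runbooks use.
        $conn = Get-AzAutomationConnection @p -Name 'AzureRunAsConnection' -ErrorAction SilentlyContinue
        if (-not $conn) { continue }   # no Run As account in this Automation account

        $appId = $conn.FieldDefinitionValues.ApplicationId
        $sp    = Get-AzADServicePrincipal -ApplicationId $appId
        $cert  = Get-AzAutomationCertificate @p -Name 'AzureRunAsCertificate' -ErrorAction SilentlyContinue
        $roles = if ($sp) { Get-AzRoleAssignment -ObjectId $sp.Id } else { @() }

        # Run As accounts are created as Contributor on the whole subscription by default;
        # anything broader than the resource groups the runbooks actually touch is a finding.
        $broad = $roles | Where-Object {
            ($_.RoleDefinitionName -in 'Owner', 'Contributor', 'User Access Administrator') -and
            ($_.Scope -match '^/subscriptions/[^/]+$')
        }

        [pscustomobject]@{
            AutomationAccount = $acct.AutomationAccountName
            ResourceGroup     = $acct.ResourceGroupName
            ApplicationId     = $appId
            ServicePrincipal  = if ($sp) { $sp.DisplayName } else { 'ORPHANED: application not found in Azure AD' }
            Roles             = ($roles | ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" }) -join '; '
            BroadGrant        = [bool]$broad
            CertExpires       = if ($cert) { $cert.ExpiryTime } else { $null }
            CertExpiresSoon   = if ($cert) { $cert.ExpiryTime -lt (Get-Date).AddDays(30) } else { $true }
        }
    }
}

$inventory = Get-RunAsInventory
$inventory | Format-Table AutomationAccount, ServicePrincipal, BroadGrant, CertExpires, CertExpiresSoon -AutoSize

# Items to act on: broad grants (scope down), expiring certificates (renew), orphaned principals
# (remove the connection and certificate assets so no runbook keeps a dangling identity).
$inventory | Where-Object { $_.BroadGrant -or $_.CertExpiresSoon -or $_.ServicePrincipal -like 'ORPHANED*' } |
    Format-List
```

Run it under an identity with Reader on the subscriptions and Directory Readers (or equivalent) in Azure AD, and keep the output with your administrative-account inventory; a Run As account that shows up here but in no runbook's job history is a candidate for deletion.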

3.11: Monitor attempts to access deactivated credentials

Guidance: You have access to the Azure AD sign-in activity, audit and risk event log sources, which allow you to integrate with any SIEM/monitoring tool.

You can streamline this process by creating diagnostic settings for Azure Active Directory and sending the audit logs and sign-in logs to a Log Analytics workspace. You can then configure the alerts you need within the Log Analytics workspace.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data protection

For more information, see Security control: Data protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to help track Azure Automation resources that store or process sensitive information.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Isolate environments by using separate Automation account resources. Resources such as Hybrid Runbook Workers should be separated by virtual network/subnet, tagged appropriately, and secured within a network security group (NSG) or Azure Firewall. For virtual machines storing or processing sensitive data, implement policies and procedures to turn them off when not in use.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: When using the Hybrid Runbook Worker feature, use a third-party solution from Azure Marketplace on your network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

For the underlying platform, which is managed by Azure, Azure treats all customer content as sensitive and guards against customer data loss and exposure. To ensure that customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Yes

Responsibility: Customer

4.4: Encrypt all sensitive information in transit

Guidance: Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources in Azure virtual networks are able to negotiate TLS 1.2 or higher. Azure Automation fully supports and enforces TLS 1.2 or later for all client calls to its external HTTPS endpoints (webhooks, DSC nodes, Hybrid Runbook Workers).

Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.

Azure Security Center monitoring: Yes

Responsibility: Shared
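The service enforces TLS 1.2 on its side; the client side is yours. The following is an added example, not code from the baseline or from Microsoft, for a Windows Hybrid Runbook Worker: it sets the .NET Framework registry values that make PowerShell runbooks and the Log Analytics agent use the OS default protocol list with strong crypto, disables TLS 1.0/1.1 in Schannel machine-wide, and provides a check that opens a TLS session to a host and reports the protocol that was actually negotiated. The host used in the check (login.microsoftonline.com, where Run As accounts authenticate) is only an example; test the endpoints your runbooks call. Run elevated and reboot for the Schannel changes to apply.

```powershell
# Added example (not from the original page): force TLS 1.2 on a Windows hybrid worker and
# verify what a connection negotiates. Run elevated; reboot afterwards.
#Requires -RunAsAdministrator

# .NET Framework: follow OS defaults (TLS 1.2+) and use strong crypto, for 64- and 32-bit hosts.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-Item -Path $k -Force | Out-Null
    Set-ItemProperty -Path $k -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
    Set-ItemProperty -Path $k -Name 'SchUseStrongCrypto'       -Value 1 -Type DWord
}

# Schannel: disable TLS 1.0 and 1.1 (client and server), make sure TLS 1.2 is enabled.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Client', 'Server') {
        $p = Join-Path $schannel "$proto\$side"
        New-Item -Path $p -Force | Out-Null
        Set-ItemProperty -Path $p -Name 'Enabled'           -Value 0 -Type DWord
        Set-ItemProperty -Path $p -Name 'DisabledByDefault' -Value 1 -Type DWord
    }
}
foreach ($side in 'Client', 'Server') {
    $p = Join-Path $schannel "TLS 1.2\$side"
    New-Item -Path $p -Force | Out-Null
    Set-ItemProperty -Path $p -Name 'Enabled'           -Value 1 -Type DWord
    Set-ItemProperty -Path $p -Name 'DisabledByDefault' -Value 0 -Type DWord
}

# Check: open a TLS session and report the negotiated protocol and cipher.
function Test-TlsNegotiation {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # uses the machine's default protocol list
        [pscustomobject]@{ Host = $HostName; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm; KeySize = $ssl.CipherStrength }
        $ssl.Dispose()
    } finally { $tcp.Dispose() }
}

# Example host only; substitute the endpoints your runbooks actually call.
Test-TlsNegotiation -HostName 'login.microsoftonline.com'

# Inside a runbook you can also pin the client, in case the worker's machine policy is ever relaxed:
# [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

If the check reports Tls or Tls11 after a reboot, some other component (commonly a group policy or a vendor agent) is re-enabling the old protocols; the Schannel keys above are the authoritative place to look.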

4.5: Use an active discovery tool to identify sensitive data

Guidance: Use a third-party active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on site or at a remote service provider, and update the organization's sensitive information inventory.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.6: Use Azure RBAC to control access to resources

Guidance: Use Azure role-based access control (Azure RBAC) with the built-in role definitions to control access to Azure Automation resources, and assign access to users of your Automation resources following a least-privilege or "just-enough" access model. When using Hybrid Runbook Workers, use managed identities for those virtual machines to avoid service principals. Whether you use the multi-tenant or the Hybrid Runbook Workers, make sure properly scoped Azure RBAC permissions are applied to the identity the runbook workers run as.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
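An added example for 3.9 and 4.6, not code from the baseline or from Microsoft: it gives a Hybrid Runbook Worker VM a system-assigned managed identity, grants that identity exactly one built-in role on exactly one resource group, checks that no other assignments exist, and writes the runbook that signs in with the identity instead of a Run As certificate. The scenario (a runbook that stops VMs tagged AutoStop in one resource group, so Virtual Machine Contributor on that group is the narrowest built-in role that fits) and all names are assumptions.

```powershell
# Added example (not from the original page): managed identity on a hybrid worker VM, scoped RBAC,
# and a runbook that authenticates with it. Names and the scenario are placeholders.
#Requires -Modules Az.Accounts, Az.Compute, Az.Resources

param(
    [string]$WorkerResourceGroup = 'rg-hybrid-workers',
    [string]$WorkerVmName        = 'vm-hrw-01',
    [string]$TargetResourceGroup = 'rg-app-dev'     # the only thing the runbook may manage
)

# --- administrator side: identity + one scoped role assignment ---
$vm = Get-AzVM -ResourceGroupName $WorkerResourceGroup -Name $WorkerVmName
Update-AzVM -ResourceGroupName $WorkerResourceGroup -VM $vm -IdentityType SystemAssigned | Out-Null
$vm = Get-AzVM -ResourceGroupName $WorkerResourceGroup -Name $WorkerVmName   # re-read to get the principal ID

$targetRg = Get-AzResourceGroup -Name $TargetResourceGroup
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId `
    -RoleDefinitionName 'Virtual Machine Contributor' `
    -Scope $targetRg.ResourceId | Out-Null

# Check: the identity must hold nothing outside the intended scope. Every runbook on this
# worker shares the VM identity, so a broad grant here is a broad grant for all of them.
$unexpected = Get-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId |
    Where-Object { $_.Scope -ne $targetRg.ResourceId }
if ($unexpected) { Write-Warning "Unexpected assignments: $($unexpected.Scope -join ', ')" }

# --- runbook side: save as a PowerShell runbook and run it on the hybrid worker group ---
$runbook = @'
# Signs in with the VM's system-assigned identity via the instance metadata endpoint;
# no certificate or secret is stored in the Automation account.
Connect-AzAccount -Identity | Out-Null

$rg = 'rg-app-dev'
Get-AzVM -ResourceGroupName $rg -Status |
    Where-Object { $_.Tags['AutoStop'] -eq 'true' -and $_.PowerState -eq 'VM running' } |
    ForEach-Object {
        Write-Output "Stopping $($_.Name)"
        Stop-AzVM -ResourceGroupName $rg -Name $_.Name -Force | Out-Null
    }
'@
Set-Content -Path .\Stop-TaggedVms.ps1 -Value $runbook
```

Because the identity belongs to the VM, anything that can execute code on the worker (including a malicious runbook uploaded by someone with Automation Contributor) can use it; keep separate worker groups, with separate VMs and identities, for runbooks that need different permissions rather than one worker that can do everything.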

4.7: Use host-based data loss prevention to enforce access control

Guidance: Azure Automation does not currently expose the virtual machines underlying the multi-tenant runbook workers; they are handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

If you are using Hybrid Runbook Workers backed by Azure virtual machines, you need to use a third-party host-based data loss prevention solution to enforce access controls on your Hybrid Runbook Worker virtual machines.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.8: Encrypt sensitive information at rest

Guidance: Use customer-managed keys with Azure Automation. Azure Automation supports customer-managed keys to encrypt all of the "secure assets" it holds: credentials, certificates, connections, and encrypted variables. Use encrypted variables in your runbooks for every persistent value lookup to prevent unintended exposure.

When using Hybrid Runbook Workers, the virtual disks of the virtual machines are encrypted at rest using either server-side encryption or Azure Disk Encryption (ADE). ADE uses the BitLocker feature of Windows to encrypt managed disks with customer-managed keys inside the guest VM. Server-side encryption with customer-managed keys improves on ADE by encrypting data in the Storage service, which lets you use any OS type and image for your VMs.

Azure Security Center monitoring: Yes

Responsibility: Customer
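An added example, not code from the baseline or from Microsoft, for the encrypted-variable half of this control: it stores a secret as an encrypted Automation variable (creating or rotating it), checks that the management plane cannot read the value back, audits the account for unencrypted variables whose names suggest they hold secrets, and shows the runbook side, where the internal Get-AutomationVariable cmdlet decrypts at job time. Account names, the variable name and the name pattern are assumptions; enabling customer-managed keys on the account is an account-level setting and is not shown.

```powershell
# Added example (not from the original page): encrypted Automation variables, a read-back check,
# and an audit for plaintext variables that look like secrets. Names are placeholders.
#Requires -Modules Az.Accounts, Az.Automation

param(
    [string]$ResourceGroup = 'rg-automation',
    [string]$AccountName   = 'aa-prod'
)
$p = @{ ResourceGroupName = $ResourceGroup; AutomationAccountName = $AccountName }

# Create (or rotate) an encrypted variable. Encryption is fixed at creation time, so a plaintext
# variable cannot be flipped to encrypted; it has to be removed and recreated.
$secure = Read-Host -Prompt 'API key for the reporting service' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if (Get-AzAutomationVariable @p -Name 'ReportingApiKey' -ErrorAction SilentlyContinue) {
    Set-AzAutomationVariable @p -Name 'ReportingApiKey' -Value $plain -Encrypted $true | Out-Null
} else {
    New-AzAutomationVariable @p -Name 'ReportingApiKey' -Value $plain -Encrypted $true | Out-Null
}
Remove-Variable plain

# Check: management-plane reads of an encrypted variable return no value; only a job can read it.
$v = Get-AzAutomationVariable @p -Name 'ReportingApiKey'
if (-not $v.Encrypted -or $null -ne $v.Value) { throw 'ReportingApiKey is not stored encrypted' }

# Audit: unencrypted variables whose names look like secrets (heuristic; tune the pattern).
function Find-PlaintextSecretVariables {
    param([hashtable]$Account = $p, [string]$Pattern = 'key|secret|password|pwd|token|connectionstring|sas')
    Get-AzAutomationVariable @Account |
        Where-Object { -not $_.Encrypted -and $_.Name -match $Pattern } |
        Select-Object Name, CreationTime, LastModifiedTime
}
Find-PlaintextSecretVariables | Format-Table -AutoSize

# Runbook side: Get-AutomationVariable (the internal cmdlet) decrypts at job time. Never write
# the value to an output stream; job streams are forwarded to Log Analytics (control 2.2).
$runbook = @'
$apiKey  = Get-AutomationVariable -Name 'ReportingApiKey'
$headers = @{ Authorization = "Bearer $apiKey" }
Invoke-RestMethod -Uri 'https://reporting.example.internal/api/health' -Headers $headers
'@
Set-Content -Path .\Get-ReportHealth.ps1 -Value $runbook
```

Anyone with permission to create or edit runbooks in the account can write a runbook that prints the decrypted value, so encryption at rest here protects against exposure through the management plane and backups, not against an over-privileged Automation Contributor; that is why 4.6 matters as much as this control.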

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts that fire when changes take place to critical Azure resources such as networking components, Azure Automation accounts, and runbooks.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
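An added example for 1.11 and 4.9, not code from the baseline or from Microsoft: it creates two Activity Log alert rules at subscription scope, one for Microsoft.Automation (accounts, runbooks, credentials, webhooks, hybrid worker groups) and one for Microsoft.Network (NSGs, routes, firewalls), each firing on successful administrative operations and routing to an existing action group. It assumes Az.Monitor 3.0 or later (the *Object cmdlets) and that the action group already exists; names are placeholders.

```powershell
# Added example (not from the original page): Activity Log alerts on Automation and network changes.
# Assumes Az.Monitor 3.0+ and an existing action group; names are placeholders.
#Requires -Modules Az.Accounts, Az.Monitor

param(
    [string]$ResourceGroup   = 'rg-security-monitoring',
    [string]$ActionGroupName = 'ag-secops'
)
$subId = (Get-AzContext).Subscription.Id
$ag    = Get-AzActionGroup -ResourceGroupName $ResourceGroup -Name $ActionGroupName

# One rule per resource provider. Leaf conditions are ANDed; matching only status 'Succeeded'
# drops the Started/Failed records of the same operation, so one change produces one alert.
foreach ($provider in 'Microsoft.Automation', 'Microsoft.Network') {
    $conditions = @(
        New-AzActivityLogAlertConditionObject -Field 'category'         -Equal 'Administrative'
        New-AzActivityLogAlertConditionObject -Field 'resourceProvider' -Equal $provider
        New-AzActivityLogAlertConditionObject -Field 'status'           -Equal 'Succeeded'
    )
    $action = New-AzActivityLogAlertActionGroupObject -Id $ag.Id

    $name = "alert-$($provider.Split('.')[1].ToLower())-changes"   # alert-automation-changes, alert-network-changes
    New-AzActivityLogAlert -Name $name `
        -ResourceGroupName $ResourceGroup `
        -Location 'Global' `
        -Scope "/subscriptions/$subId" `
        -Condition $conditions `
        -Action $action `
        -Description "Successful change to $provider resources; reconcile against change tickets" | Out-Null
}

# Check: both rules exist and are scoped to the subscription.
Get-AzActivityLogAlert -ResourceGroupName $ResourceGroup |
    Where-Object { $_.Name -like 'alert-*-changes' } |
    Format-Table Name, Enabled, Scope -AutoSize
```

Administrative events include the caller, caller IP and the operation name (for example a runbook publish or a Run As credential update), so the alert payload is enough to start an investigation. Activity Log alerts cover control-plane changes only; runbook content changes made through the service are logged there, but what a runbook does at run time is visible only in the job logs from 2.2.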

Vulnerability management

For more information, see Security control: Vulnerability management.

5.1: Run automated vulnerability scanning tools

Guidance: Follow the recommendations from Azure Security Center on performing vulnerability assessments on your Azure resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.2: Deploy automated operating system patch management solution

Guidance: Azure Automation does not currently expose the virtual machines underlying the multi-tenant runbook workers; they are handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

If you are using Hybrid Runbook Workers backed by Azure virtual machines, use Azure Update Management to manage updates and patches for those virtual machines. Update Management relies on the locally configured update repository to patch supported Windows systems. Tools such as System Center Updates Publisher (Updates Publisher) allow you to publish custom updates into Windows Server Update Services (WSUS). This scenario allows Update Management to patch machines that use Configuration Manager as their update repository with third-party software.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

5.3: Deploy automated patch management solution for third-party software titles

Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines; this is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

If you are using Hybrid Runbook Workers backed by Azure virtual machines, you can use Azure Update Management to manage updates and patches for your virtual machines. Update Management relies on the locally configured update repository to patch supported Windows systems. Tools like System Center Updates Publisher (Updates Publisher) allow you to publish custom updates into Windows Server Update Services (WSUS). This scenario enables Update Management to patch machines that use Configuration Manager as their update repository with third-party software.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable
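The Update Management deployment that 5.2 and 5.3 describe can be created from PowerShell with the Az.Automation module. The following is an added example, not part of the baseline or of Microsoft's documentation; the resource group, Automation account and VM resource IDs are placeholders, and the cmdlet parameter names are taken from the Az.Automation module as I know it (verify with Get-Help if your module version differs).

```powershell
# Added example (not from the Azure security baseline): schedule an Update Management
# deployment for the Windows VMs that host Hybrid Runbook Workers.
# All names and resource IDs below are placeholders.
Import-Module Az.Automation

$rg      = 'rg-automation-example'   # placeholder resource group
$account = 'aa-hybrid-example'       # placeholder Automation account

# Placeholder resource IDs of the Windows VMs that run Hybrid Runbook Workers
$workerVmIds = @(
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-workers/providers/Microsoft.Compute/virtualMachines/hrw-01',
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-workers/providers/Microsoft.Compute/virtualMachines/hrw-02'
)

# Weekly maintenance window: next day at 02:00 UTC, then every Sunday.
# Automation requires the first run to be at least a few minutes in the future.
$startTime = (Get-Date).ToUniversalTime().Date.AddDays(1).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'hrw-weekly-patching' -StartTime $startTime -WeekInterval 1 -DaysOfWeek Sunday -TimeZone 'UTC'

# Deploy Critical and Security classifications only and reboot only when an update needs it.
# Third-party updates reach the workers through the locally configured WSUS /
# Configuration Manager repository, as the guidance for 5.2 and 5.3 describes.
$config = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule -Windows -AzureVMResourceId $workerVmIds `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired

# Review the deployment and the status of its most recent run
$config | Format-List Name, ProvisioningState
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $account `
    -SoftwareUpdateConfigurationName $config.Name |
    Sort-Object StartTime -Descending |
    Select-Object -First 1 Status, StartTime, EndTime
```

Restricting the classifications to Critical and Security keeps the automated window predictable; feature and driver updates can go through a separately approved deployment. Keep the run history from Get-AzAutomationSoftwareUpdateRun as evidence that the patch cadence is actually being met.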

5.4: Compare back-to-back vulnerability scans

Guidance: Export scan results at consistent intervals and compare the results to verify that vulnerabilities have been remediated. When using the vulnerability management recommendation suggested by Azure Security Center, customers can pivot into the selected solution's portal to view historical scan data.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Use the default risk ratings (Secure Score) provided by Azure Security Center to help prioritize the remediation of discovered vulnerabilities.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Inventory and asset management

For more information, see Security control: Inventory and asset management.

6.1: Use automated Asset Discovery solution

Guidance: Use Azure Resource Graph to query and discover all Azure Automation resources within your subscriptions. Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as the resources within them.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources, giving them metadata that logically organizes them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Automation resources. Reconcile the inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner. Delete any unused Run As accounts to minimize your exposed attack surface.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
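The discovery step of 6.1 and the Run As account review of 6.3 fit naturally in one script. The example below is added here and is not part of the baseline; it assumes the Az.ResourceGraph and Az.Automation modules, Reader access on the subscriptions being enumerated, and the conventional Run As asset names (AzureServicePrincipal connection type and the AzureRunAsCertificate asset). The optional owner tag is a constructed convention.

```powershell
# Added example (not from the baseline): enumerate every Automation account visible to the
# signed-in identity with Azure Resource Graph (6.1), then report each account's Run As
# connections and the expiry of the certificate behind them so unused ones can be removed (6.3).
Import-Module Az.ResourceGraph, Az.Automation

# Tenant-wide KQL query; only subscriptions the caller can read are returned.
$query = @'
resources
| where type =~ 'microsoft.automation/automationaccounts'
| project name, resourceGroup, subscriptionId, location, tags
| order by subscriptionId asc, name asc
'@

# Page through results: Resource Graph returns at most 1000 rows per call.
$accounts = @()
$params = @{ Query = $query; UseTenantScope = $true; First = 1000 }
do {
    $page = Search-AzGraph @params
    $accounts += $page
    $params['SkipToken'] = $page.SkipToken
} while ($page.SkipToken)

Write-Output ("Discovered {0} Automation account(s)" -f $accounts.Count)

# Run As accounts appear as connection assets of type AzureServicePrincipal.
# An expired certificate, or a connection no runbook references, marks a removal candidate.
$report = foreach ($acct in $accounts) {
    Set-AzContext -SubscriptionId $acct.subscriptionId | Out-Null
    $connections = Get-AzAutomationConnection -ResourceGroupName $acct.resourceGroup -AutomationAccountName $acct.name |
        Where-Object { $_.ConnectionTypeName -eq 'AzureServicePrincipal' }
    foreach ($conn in $connections) {
        $cert = Get-AzAutomationCertificate -ResourceGroupName $acct.resourceGroup -AutomationAccountName $acct.name `
            -Name 'AzureRunAsCertificate' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Subscription    = $acct.subscriptionId
            Account         = $acct.name
            RunAsConnection = $conn.Name
            CertExpiry      = if ($cert) { $cert.ExpiryTime } else { 'no certificate asset found' }
            Owner           = $acct.tags.owner   # tag-based metadata (6.2); $null when the tag is missing
        }
    }
}
$report | Sort-Object CertExpiry | Format-Table -AutoSize
```

Accounts that come back with no owner tag, or with Run As connections that none of the account's runbooks use, are the entries to reconcile against your approved inventory (6.4) and remove. Removing a Run As account means deleting the connection and certificate assets together with the service principal and its role assignments, so that the credential stops being valid rather than merely unreferenced.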

6.4: Define and maintain an inventory of approved Azure resources

Guidance: You will need to create an inventory of approved Azure resources and of approved software for compute resources, as per your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscriptions, using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

In addition, use Azure Resource Graph to query and discover resources within subscriptions. This can help in high-security environments, such as those with Storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: The Azure Automation offering does not currently expose the underlying multi-tenant runbook worker's virtual machines; this is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers. However, it is possible to install, remove, and manage the PowerShell or Python modules that runbooks can access, via the portal or cmdlets. Unapproved or outdated modules should be removed or updated for the runbooks.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.7: Remove unapproved Azure resources and software applications

Guidance: Customers can prevent resource creation or usage with Azure Policy, as required by their company guidelines. You can implement your own process for removing unauthorized resources. Within the Azure Automation offering it is possible to install, remove, and manage the PowerShell or Python modules that runbooks can access, via the portal or cmdlets. Unapproved or outdated modules should be removed or updated for the runbooks.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
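The module review that 6.6 and 6.7 call for can be automated against an approved-module list, which is also the inventory 6.10 asks you to keep. The script below is an added example rather than Microsoft's code; the account name, the approved module names and the minimum versions are constructed placeholders, and it assumes the Az.Automation module.

```powershell
# Added example (not from the baseline): compare the modules imported into an Automation
# account with an approved list, flag outdated ones, and remove unapproved ones (6.6, 6.7).
# Account name and the approved list are constructed placeholders.
Import-Module Az.Automation

$rg      = 'rg-automation-example'
$account = 'aa-example'
$dryRun  = $true   # set to $false to actually remove unapproved modules

# Approved inventory: module name -> minimum approved version (the list 6.10 asks for)
$approved = @{
    'Az.Accounts'   = [version]'2.12.0'
    'Az.KeyVault'   = [version]'4.9.0'
    'Az.Automation' = [version]'1.9.0'
}

$modules = Get-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $account
$report = foreach ($m in $modules) {
    if ($m.IsGlobal) { continue }   # global modules are supplied and maintained by the platform

    # Version can be empty for a module whose import failed; treat that as outdated.
    $installed = [version]'0.0'
    [void][version]::TryParse([string]$m.Version, [ref]$installed)

    $status = if (-not $approved.ContainsKey($m.Name)) { 'Unapproved' }
              elseif ($installed -lt $approved[$m.Name])   { 'Outdated' }
              else                                         { 'Ok' }
    [pscustomobject]@{ Name = $m.Name; Version = $m.Version; Status = $status }
}
$report | Sort-Object Status, Name | Format-Table -AutoSize

# Remove what is not on the list; run in dry-run mode first and review the output.
foreach ($entry in $report | Where-Object Status -eq 'Unapproved') {
    if ($dryRun) {
        Write-Output ("[dry run] would remove module {0} {1}" -f $entry.Name, $entry.Version)
    } else {
        Remove-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $account -Name $entry.Name -Force
    }
}

# Outdated modules are brought up to the approved version by re-importing them, e.g.:
# New-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $account -Name 'Az.KeyVault' `
#     -ContentLinkUri 'https://www.powershellgallery.com/api/v2/package/Az.KeyVault/4.9.0'
```

Running this on a schedule as a runbook of its own turns 6.6 into a standing check rather than a one-off audit; the dry-run output is the record that the module set was reviewed.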

6.8: Use only approved applications

Guidance: When using the Hybrid Runbook Worker feature, you can use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and that all unauthorized software is blocked from executing on Azure virtual machines.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscriptions, using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Azure Security Center monitoring: Not applicable

Responsibility: Customer
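Both 6.5 and 6.9 rely on the built-in "Allowed resource types" definition. As an added example (not the baseline's or Microsoft's code), the script below assigns it to a subscription in audit-only mode first and then reads the resulting compliance state. It assumes the Az.Resources and Az.PolicyInsights modules, looks the definition up by display name so no definition GUID is hard-coded, and uses a placeholder subscription and a constructed list of allowed types; the parameter name listOfResourceTypesAllowed is the one the built-in definition uses as far as I know, so confirm it against the definition's parameters before relying on it.

```powershell
# Added example (not from the baseline): restrict a subscription to an allow-list of resource
# types with the built-in "Allowed resource types" policy (6.5, 6.9).
# Scope and allowed-type list are placeholders.
Import-Module Az.Resources, Az.PolicyInsights

$scope = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder subscription

# Older Az.Resources versions expose DisplayName under .Properties, newer ones at top level.
function Get-PolicyDisplayName($def) {
    if ($def.PSObject.Properties['DisplayName']) { $def.DisplayName } else { $def.Properties.DisplayName }
}
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { (Get-PolicyDisplayName $_) -eq 'Allowed resource types' } |
    Select-Object -First 1
if (-not $definition) { throw 'Built-in definition "Allowed resource types" not found' }

# Child resource types (runbooks, modules, ...) are evaluated too, so list them explicitly.
$allowedTypes = @(
    'Microsoft.Automation/automationAccounts',
    'Microsoft.Automation/automationAccounts/runbooks',
    'Microsoft.Automation/automationAccounts/modules',
    'Microsoft.Automation/automationAccounts/schedules',
    'Microsoft.Automation/automationAccounts/jobSchedules',
    'Microsoft.Compute/virtualMachines',
    'Microsoft.Compute/virtualMachines/extensions',
    'Microsoft.Compute/disks',
    'Microsoft.Network/virtualNetworks',
    'Microsoft.Network/networkInterfaces',
    'Microsoft.Network/networkSecurityGroups',
    'Microsoft.KeyVault/vaults',
    'Microsoft.OperationalInsights/workspaces'
)

# DoNotEnforce = evaluate and report only. Switch to Default once the audit shows no surprises,
# otherwise legitimate deployments of a type you forgot to list start failing.
$assignment = New-AzPolicyAssignment -Name 'allowed-types-automation' -Scope $scope `
    -DisplayName 'Allowed resource types for the Automation subscription' `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ listOfResourceTypesAllowed = $allowedTypes } `
    -EnforcementMode DoNotEnforce

# After the next evaluation cycle, list resources that would have been denied
Get-AzPolicyState -SubscriptionId $scope.Split('/')[-1] `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq '$($assignment.Name)'" |
    Select-Object ResourceId, ResourceType, Timestamp
```

The non-compliant list is the reconciliation input for 6.3 and 6.7: each entry is either a type missing from the allow-list or a resource that should not exist in that subscription.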

6.10: Maintain an inventory of approved software titles

Guidance: When using the Hybrid Runbook Worker feature, you can use the Azure Security Center Adaptive Application Controls feature with your hybrid worker virtual machines.

Adaptive application control is an intelligent, automated, end-to-end solution from Azure Security Center that helps you control which applications can run on your Azure and non-Azure machines (Windows and Linux). Implement a third-party solution if this does not meet your organization's requirements.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access policies to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app from unsecured or unapproved locations or devices.

Azure Security Center monitoring: Yes

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: When using the Hybrid Runbook Worker feature, and depending on the type of scripts, you can use operating-system-specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources. You can also leverage Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and that all unauthorized software is blocked from executing on Azure virtual machines.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

6.13: Physically or logically segregate high-risk applications

Guidance: High-risk applications deployed in your Azure environment can be isolated in separate network and resource containers, using constructs such as virtual networks, subnets, subscriptions and management groups, and can be sufficiently secured with Azure Firewall, a Web Application Firewall (WAF), or network security groups (NSGs).

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Secure configuration

For more information, see Security control: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases to create custom policies to audit or enforce the configuration of your Azure Automation and related resources. You can also use built-in Azure Policy definitions.

Also, Azure Resource Manager can export the template in JavaScript Object Notation (JSON); the export should be reviewed to ensure that the configurations meet or exceed the security requirements of your organization.

You can also use recommendations from Azure Security Center as a secure configuration baseline for your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS. This is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

When using the Hybrid Runbook Worker feature, use the Azure Security Center recommendation "Remediate vulnerabilities in security configurations on your virtual machines" to maintain security configurations on your virtual machines.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Resource Manager templates and Azure Policy to securely configure Azure resources associated with Azure Automation. Azure Resource Manager templates are JSON-based files used to deploy Azure resources; any custom templates need to be stored and maintained securely in a code repository. Use the source control integration feature to keep the runbooks in your Automation account up to date with the scripts in your source control repository. Use the Azure Policy "deny" and "deploy if not exists" effects to enforce secure settings across your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS; this is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

When using the Hybrid Runbook Worker feature, there are several options for maintaining a secure configuration for the Azure virtual machines you deploy:

  • Azure Resource Manager templates: these are JSON-based files used to deploy a VM from the Azure portal; custom templates will need to be maintained. Azure performs the maintenance on the base templates.
  • Custom virtual hard disk (VHD): in some circumstances it may be necessary to use custom VHD files, such as when dealing with complex environments that cannot be managed through other means.
  • Azure Automation State Configuration: once the base OS is deployed, this can be used for more granular control of the settings, enforced through the automation framework.

For most scenarios, the Microsoft base VM templates combined with Azure Automation State Configuration can assist in meeting and maintaining the security requirements.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.5: Securely store configuration of Azure resources

Guidance: Use Azure DevOps to securely store and manage your code, such as custom Azure policies, Azure Resource Manager templates, and Desired State Configuration scripts. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (if integrated with Azure DevOps) or Active Directory (if integrated with TFS). Use the source control integration feature to keep the runbooks in your Automation account up to date with the scripts in your source control repository.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS; this is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

When using the Hybrid Runbook Worker feature, ensure you are properly limiting access to the custom OS image located in your storage account, so that only authorized users can access the image.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.7: Deploy configuration management tools for Azure resources

Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies to audit or enforce the network configuration of your Azure resources. You can also make use of built-in policy definitions related to your specific resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy configuration management tools for operating systems

Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS; this is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

When using the Hybrid Runbook Worker feature, use Azure Automation State Configuration on the runbook workers. It is a configuration management service for Desired State Configuration (DSC) nodes in any cloud or on-premises datacenter. It enables scalability across thousands of machines quickly and easily from a central, secure location. You can easily onboard machines, assign them declarative configurations, and view reports showing each machine's compliance with the desired state you specified.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Azure Policy to alert on and audit Azure resource configurations; a policy can, for example, detect resources that are not configured with a private endpoint.

When using the Hybrid Runbook Worker feature, leverage Azure Security Center to perform baseline scans of your Azure virtual machines. Additional methods for automated configuration include Azure Automation State Configuration.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
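7.1, 7.7 and 7.9 all point at custom policy definitions built on Azure Policy aliases. The following added example (not the baseline's or Microsoft's code) defines such a policy for Azure Automation: it audits variable assets that are not stored encrypted, which is the kind of setting a runbook's secrets depend on. It assumes the Az.Resources and Az.PolicyInsights modules and a placeholder subscription; the alias name Microsoft.Automation/automationAccounts/variables/isEncrypted comes from my knowledge of the provider, and the block starts by listing the provider's aliases so you can confirm it before use.

```powershell
# Added example (not from the baseline): a custom Azure Policy definition based on an alias,
# auditing Automation variables that are not encrypted (7.1, 7.7, 7.9).
# The alias name is assumed; confirm it in the Get-AzPolicyAlias output first.
Import-Module Az.Resources, Az.PolicyInsights

# Discover the aliases Azure Policy exposes for the Automation provider
Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Automation' |
    Select-Object -ExpandProperty Aliases |
    Where-Object Name -like '*variables*' |
    Select-Object Name

# Policy rule: for every variable asset, flag it unless isEncrypted is true.
# Mode "All" is needed because variable assets have no location or tags.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Automation/automationAccounts/variables" },
      { "field": "Microsoft.Automation/automationAccounts/variables/isEncrypted", "notEquals": "true" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$parameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'audit-automation-variables-unencrypted' `
    -DisplayName 'Automation variable assets should be encrypted (custom)' `
    -Description 'Flags Automation variable assets that are not stored encrypted.' `
    -Mode All -Policy $rule -Parameter $parameters

# Assign in Audit first; move the effect to Deny once existing variables have been fixed,
# so that nobody can create a new unencrypted variable afterwards.
$scope = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder subscription
New-AzPolicyAssignment -Name 'automation-variables-encrypted' -Scope $scope `
    -PolicyDefinition $definition -PolicyParameterObject @{ effect = 'Audit' }

# Non-compliant variables appear in policy state after the next evaluation cycle
Get-AzPolicyState -SubscriptionId $scope.Split('/')[-1] `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyDefinitionName eq 'audit-automation-variables-unencrypted'" |
    Select-Object ResourceId, Timestamp
```

The same shape (type match plus one alias comparison, effect as a parameter) covers most of the per-resource settings you would want to pin for an Automation account; only the alias and the comparison change.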

7.10: Implement automated configuration monitoring for operating systems

Guidance: The Azure Automation offering does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS; this is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

When using the Hybrid Runbook Worker feature, use Azure Automation State Configuration for the runbook workers. It is a configuration management service for Desired State Configuration (DSC) nodes in any cloud or on-premises datacenter. It enables scalability across thousands of machines quickly and easily from a central, secure location. You can easily onboard machines, assign them declarative configurations, and view reports showing each machine's compliance with the desired state you specified.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable
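7.4, 7.8 and 7.10 all recommend Azure Automation State Configuration for Hybrid Runbook Worker VMs. The example below is added here and is not part of the baseline: it publishes a small DSC configuration for a Windows worker, compiles it, onboards a VM in ApplyAndAutoCorrect mode and reads back compliance. The configuration content, VM and account names are constructed placeholders, and the cmdlet parameters are those of the Az.Automation module as I know it.

```powershell
# Added example (not from the baseline): keep a Windows Hybrid Runbook Worker in a known-good
# state with Azure Automation State Configuration (7.4, 7.8, 7.10).
# Names are placeholders; the DSC configuration is constructed for illustration.
Import-Module Az.Automation

$rg      = 'rg-automation-example'
$account = 'aa-example'

# 1. The desired state: Defender service running, SMBv1 server disabled, Guest account disabled.
$dscSource = Join-Path $env:TEMP 'HybridWorkerBaseline.ps1'
@'
Configuration HybridWorkerBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        Service DefenderRunning {
            Name        = 'WinDefend'
            State       = 'Running'
            StartupType = 'Automatic'
        }
        Registry DisableSmb1Server {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
        User GuestDisabled {
            UserName = 'Guest'
            Disabled = $true
        }
    }
}
'@ | Set-Content -Path $dscSource -Encoding UTF8

# 2. Publish the configuration in the Automation account and compile it into a node configuration
Import-AzAutomationDscConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -SourcePath $dscSource -Published -Force | Out-Null
$job = Start-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $account `
    -ConfigurationName 'HybridWorkerBaseline'
do {
    Start-Sleep -Seconds 15
    $job = Get-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $account -Id $job.Id
} while ($job.Status -notin 'Completed', 'Failed', 'Suspended')
if ($job.Status -ne 'Completed') { throw "Compilation ended with status $($job.Status)" }

# 3. Onboard the worker VM. ApplyAndAutoCorrect means drift is corrected, not just reported.
Register-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $account `
    -AzureVMName 'hrw-01' -AzureVMResourceGroup 'rg-workers' `
    -NodeConfigurationName 'HybridWorkerBaseline.localhost' `
    -ConfigurationMode 'ApplyAndAutoCorrect' -RebootNodeIfNeeded $false

# 4. Compliance view: any node whose Status is not 'Compliant' is drift to investigate
Get-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $account |
    Select-Object Name, NodeConfigurationName, Status, LastSeen
```

The configuration source should live in the same repository as your runbooks (7.5) so that the desired state is reviewed and versioned like any other code, and the node status output feeds the configuration monitoring that 7.10 asks for.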

7.11: Manage Azure secrets securely

Guidance: Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

7.12: Manage identities securely and automatically

Guidance: Use Managed Identities to provide Azure services with an automatically managed identity in Azure AD. Managed Identities allow you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable
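In an Automation account the pattern that 7.11 and 7.12 describe is a runbook that signs in with the account's managed identity and pulls its secrets from Key Vault at run time. The following is an added example, not code from the baseline or from Microsoft; it assumes the Az.Accounts and Az.KeyVault modules, an Automation account with a system-assigned managed identity that has been granted read access to secrets on the vault, and placeholder vault, secret and user names.

```powershell
# Added example (not from the baseline): a runbook that authenticates with the Automation
# account's managed identity and reads a secret from Key Vault, so no credential is stored in
# the runbook, in an Automation asset or in source control (7.11, 7.12).
# Vault, secret and user names are placeholders.
Import-Module Az.Accounts, Az.KeyVault

function Get-RunbookCredential {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [Parameter(Mandatory)][string]$UserName
    )
    # Never inherit an Azure context left behind by a previous job on the same worker
    Disable-AzContextAutosave -Scope Process | Out-Null

    # Sign in as the managed identity: nothing to store, rotate or leak from the runbook itself
    $null = Connect-AzAccount -Identity

    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    if (-not $secret) {
        throw "Secret '$SecretName' not found in vault '$VaultName' or access denied to the managed identity"
    }

    # Only non-sensitive facts go to the job output stream
    Write-Output ("Using secret version {0}, last updated {1:u}" -f $secret.Version, $secret.Updated)

    # SecretValue is a SecureString; build the credential without converting it to plain text
    [pscredential]::new($UserName, $secret.SecretValue)
}

$cred = Get-RunbookCredential -VaultName 'kv-example' -SecretName 'svc-db-password' -UserName 'svc-db-user'

# $cred is now passed to whatever the runbook automates, for example a -Credential parameter.
# Rotating the secret in Key Vault takes effect on the next job with no runbook change.
```

Granting the identity access to the one vault (and, with RBAC, ideally to the one secret) it needs is what keeps the blast radius of a compromised runbook small; the identity should hold no standing role on the Key Vault beyond reading secrets.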

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations, such as Azure Key Vault.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
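To show what the scan that 7.13 recommends actually does, here is a small PowerShell scanner as an added example (not Credential Scanner itself and not the baseline's code). The detection patterns are my own simplified versions of common Azure secret shapes, and the runbook it scans is a constructed sample with a fabricated 86-character key and a made-up password; real tools ship far larger and better-tuned pattern sets. It assumes only Windows PowerShell or PowerShell 7.

```powershell
# Added example (not from the baseline): a minimal credential scanner run over a constructed
# sample runbook (7.13). Patterns are simplified approximations, not a product's rule set.
function Find-Credentials {
    param([Parameter(Mandatory)][string]$Path)

    # Each pattern is a name and a regex kept specific enough to limit false positives
    $patterns = @(
        @{ Name = 'Azure storage account key';  Regex = 'AccountKey=[A-Za-z0-9+/]{86}==' }
        @{ Name = 'Shared access signature';     Regex = '[?&]sig=[A-Za-z0-9%+/=]{20,}' }
        @{ Name = 'Private key block';           Regex = '-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----' }
        @{ Name = 'Hard-coded password literal'; Regex = '(?i)\b(?:password|passwd|pwd|secret)\s*[=:]\s*[''"][^''"]{8,}[''"]' }
    )

    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        foreach ($p in $patterns) {
            if ($line -match $p.Regex) {
                [pscustomobject]@{
                    File    = Split-Path -Leaf $Path
                    Line    = $lineNo
                    Finding = $p.Name
                    # Report the line with the matched secret masked, so the scanner's own
                    # output does not become another place the credential is exposed
                    Context = ($line.Trim() -replace $p.Regex, '<redacted>')
                }
            }
        }
    }
}

# Constructed sample runbook: two deliberate findings and two correct patterns.
# The key is 86 'A' characters, not a real key; the password is made up.
$sample = Join-Path $env:TEMP 'sample-runbook.ps1'
@(
    '$ctx = New-AzStorageContext -ConnectionString "DefaultEndpointsProtocol=https;AccountName=st1;AccountKey=' + ('A' * 86) + '==;EndpointSuffix=core.windows.net"'
    '$password = "Winter2020!Rotate"'
    '$cred = Get-AutomationPSCredential -Name "svc-account"        # correct: credential asset, nothing inline'
    '$secret = Get-AzKeyVaultSecret -VaultName kv-example -Name db-pass   # correct: Key Vault'
) | Set-Content -Path $sample

Find-Credentials -Path $sample | Format-Table -AutoSize
Remove-Item -Path $sample
```

Run against the sample, the scanner reports the storage account key on line 1 and the password literal on line 2, and nothing for the two lines that use a credential asset and Key Vault. Wiring a check like this into the repository that feeds source control integration (7.3, 7.5) catches a secret before it is synced into an Automation account, which is the point 7.13 is making.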

Malware defense

For more information, see Security control: Malware defense.

8.1: Use centrally managed anti-malware software

Guidance: The Azure Automation offering does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS; this is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

When using the Hybrid Runbook Worker feature, use Microsoft Antimalware for Azure Windows virtual machines to continuously monitor and defend your runbook worker resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Not applicable; Azure Automation as a service does not store files. Microsoft Antimalware is enabled on the underlying hosts that support Azure services (for example, Azure Automation); however, it does not run on your content.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

8.3: Ensure anti-malware software and signatures are updated

Guidance: Azure Automation does not currently expose the underlying multi-tenant runbook worker's virtual machines or OS; this is handled by the platform. This control is not applicable if you are using the out-of-the-box service without Hybrid Runbook Workers.

When using the Hybrid Runbook Worker feature, use Microsoft Antimalware for Azure to automatically install the latest signature, platform, and engine updates onto your runbook workers by default. Follow the recommendations in Azure Security Center under "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. The Windows OS can be further protected, to limit the risk of virus- or malware-based attacks, with the Microsoft Defender Advanced Threat Protection service, which integrates with Azure Security Center.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

Data recovery

For more information, see Security control: Data recovery.

9.1: Ensure regular automated backups

Guidance: Use Azure Resource Manager to deploy Azure Automation accounts and related resources. Azure Resource Manager provides the ability to export templates, which can be used as backups to restore Azure Automation accounts and related resources. Use Azure Automation to call the Azure Resource Manager template export API on a regular basis.

Use the source control integration feature to keep the runbooks in your Automation account up to date with the scripts in your source control repository.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: Use Azure Resource Manager to deploy Azure Automation accounts and related resources. Azure Resource Manager provides the ability to export templates, which can be used as backups to restore Azure Automation accounts and related resources. Use Azure Automation to call the Azure Resource Manager template export API on a regular basis. Back up customer-managed keys within Azure Key Vault. You can export your runbooks to script files using either the Azure portal or PowerShell.

Azure Security Center monitoring: Yes

Responsibility: Customer
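9.1 and 9.2 both say to have Azure Automation call the template export API on a schedule and to export runbooks to script files. The runbook below is an added example (not the baseline's or Microsoft's code) that does both and copies the result to blob storage. It assumes the Az.Accounts, Az.Resources, Az.Automation and Az.Storage modules, a managed identity with Reader on the resource group and Storage Blob Data Contributor on the target container, and placeholder resource, account and storage names.

```powershell
# Added example (not from the baseline): a scheduled runbook that backs up an Automation
# account by exporting the resource group's ARM template and every published runbook, then
# copies the files to a timestamped prefix in a blob container (9.1, 9.2).
# All names are placeholders.
Import-Module Az.Accounts, Az.Resources, Az.Automation, Az.Storage

Disable-AzContextAutosave -Scope Process | Out-Null
$null = Connect-AzAccount -Identity

$rg        = 'rg-automation-example'
$account   = 'aa-example'
$storage   = 'stbackupexample'
$container = 'automation-backups'
$stamp     = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$workDir   = Join-Path $env:TEMP "backup-$stamp"
New-Item -ItemType Directory -Path $workDir | Out-Null

try {
    # 1. ARM template of the whole resource group (the "template export API" in the guidance)
    Export-AzResourceGroup -ResourceGroupName $rg -Path (Join-Path $workDir "$rg.json") -Force | Out-Null

    # 2. Published runbook sources as script files
    $runbooks = Get-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $account
    foreach ($rb in $runbooks) {
        Export-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $account `
            -Name $rb.Name -Slot Published -OutputFolder $workDir -Force | Out-Null
    }

    # 3. Copy everything to blob storage; the identity authenticates with -UseConnectedAccount
    $ctx = New-AzStorageContext -StorageAccountName $storage -UseConnectedAccount
    foreach ($file in Get-ChildItem -Path $workDir -File) {
        Set-AzStorageBlobContent -File $file.FullName -Container $container `
            -Blob "$account/$stamp/$($file.Name)" -Context $ctx -Force | Out-Null
    }
    Write-Output ("Backed up template and {0} runbook(s) to {1}/{2}/{3}/{4}" -f `
        $runbooks.Count, $storage, $container, $account, $stamp)
}
finally {
    # Local copies contain runbook source; do not leave them on the worker
    Remove-Item -Path $workDir -Recurse -Force
}

# Secrets are deliberately absent from the export: keep them in Key Vault and back those up
# separately (Backup-AzKeyVaultSecret / Backup-AzKeyVaultKey), which also covers the
# customer-managed keys that 9.2 calls out.
```

Point the container at a storage account with soft delete or immutability enabled so that a compromised identity cannot also erase the backups, and exercise the restore path periodically as 9.3 requires, since an export that has never been redeployed is not yet a backup.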

9.3: Validate all backups including customer-managed keys

Guidance: Ensure that you can periodically deploy Azure Resource Manager templates to an isolated subscription if required. Test the restoration of backed-up customer-managed keys.

Azure Security Center monitoring: Yes

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Use Azure DevOps to securely store and manage your code, such as Azure Resource Manager templates. To protect the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (if integrated with Azure DevOps) or Active Directory (if integrated with TFS).

Use the source control integration feature to keep the runbooks in your Automation account up to date with the scripts in your source control repository.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Incident response

For more information, see Security control: Incident response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling and management, from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or in the analytic used to issue the alert, as well as on the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production and non-production) using tags, and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and the environment where the incident occurred.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via Logic Apps to security alerts and recommendations, to protect your Azure resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Penetration tests and red team exercises

For more information, see Security control: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Rules of Engagement to ensure your penetration tests do not violate Azure policies. Use Microsoft's strategy and execution of red teaming and live-site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps