Azure security baseline for Azure SignalR Service

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure SignalR. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure SignalR. Controls not applicable to Azure SignalR have been excluded.

To see how Azure SignalR maps completely to the Azure Security Benchmark, see the full Azure SignalR security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-2: Connect private networks together

Guidance: Use private endpoints to secure the traffic between your virtual network and Azure SignalR Service. Choose Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment.

ExpressRoute connections do not go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.

To connect two or more virtual networks in Azure together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.

Azure Security Center monitoring: Yes

Responsibility: Customer

NS-6: Simplify network security rules

Guidance: Use Azure Virtual Network Service Tags to define network access controls on network security groups or Azure Firewall configured for your Azure SignalR Service resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, AzureSignalR) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure SignalR Service uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize on Azure AD to govern your organization's identity and access management in:

  • Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
  • Your organization's resources, such as applications on Azure or your corporate network resources.

Azure SignalR Service supports Azure AD authentication only for the management plane, not for the data plane. Here is the list of built-in roles in Azure SignalR Service:

  • SignalR Contributor
  • SignalR AccessKey Reader

Securing Azure AD should be a high priority in your organization's cloud security practice. Azure AD provides an identity secure score to help you assess your identity security posture relative to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Azure AD supports external identities, which allow users without a Microsoft account to sign in to their applications and resources with their external identity.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-2: Manage application identities securely and automatically

Guidance: Azure SignalR Service uses Azure managed identities for non-human accounts, such as the one calling upstream in a serverless scenario. It is recommended to use the Azure managed identity feature to access other Azure resources. Azure SignalR Service can natively authenticate to Azure services or resources that support Azure Active Directory (Azure AD) authentication through pre-defined access grant rules, without using credentials hard-coded in source code or configuration files.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-4: Use strong authentication controls for all Azure Active Directory based access

Guidance: Azure SignalR Service uses Azure Active Directory (Azure AD), which supports strong authentication controls through multi-factor authentication and strong passwordless methods.

  • Multi-factor authentication - Enable Azure AD multi-factor authentication and follow Azure Security Center Identity and Access Management recommendations for applicable best practices in your multi-factor authentication setup. Multi-factor authentication can be enforced on all users, on selected users, or at the per-user level based on sign-in conditions and risk factors.

  • Passwordless authentication - Three passwordless authentication options are available: Windows Hello for Business, the Microsoft Authenticator app, and on-premises authentication methods such as smart cards.

For administrators and privileged users, ensure the highest level of strong authentication method is used, followed by rolling out the appropriate strong authentication policy to other users.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-5: Monitor and alert on account anomalies

Guidance: Azure SignalR Service is integrated with Azure Active Directory, which provides the following data sources:

  • Sign-in - The sign-in report provides information about the usage of managed applications and user sign-in activities.

  • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies.

  • Risky sign-in - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

These data sources can be integrated with Azure Monitor, Azure Sentinel, or third-party security information and event management (SIEM) systems.

Azure Security Center can also alert on certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription.

Azure Advanced Threat Protection (ATP) is a security solution that can use Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IM-6: Restrict Azure resource access based on conditions

Guidance: Azure SignalR Service supports Azure Active Directory (Azure AD) conditional access for more granular access control based on user-defined conditions, such as requiring MFA for user logins from certain IP ranges. Granular authentication session management policies can also be used for different use cases.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-1: Protect and limit highly privileged users

Guidance: The most critical built-in roles in Azure Active Directory (Azure AD) are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles:

  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.

  • Privileged Role Administrator: Users with this role can manage role assignments in Azure Active Directory (Azure AD), as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.

Azure SignalR Service has built-in highly privileged roles. Limit the number of highly privileged accounts or roles and protect these Azure AD accounts at an elevated level, because users with this privilege can directly or indirectly read and modify every resource in your Azure environment.

You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT grants temporary permissions to perform privileged tasks only when users need them. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-2: Restrict administrative access to business-critical systems

Guidance: Azure SignalR Service uses Azure role-based access control (Azure RBAC) to isolate access to business-critical systems by restricting which accounts are granted privileged access to the subscriptions and management groups they are in.

Ensure that you also restrict access to the management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers, security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

All types of access controls should be aligned to your enterprise segmentation strategy to ensure consistent access control.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-3: Review and reconcile user access regularly

Guidance: Review user accounts and access assignments regularly to ensure the accounts and their level of access are valid.

Azure SignalR Service uses Azure Active Directory (Azure AD) accounts to manage its resources; review user accounts and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management to create an access review report workflow to facilitate the review process.

Built-in roles in Azure SignalR Service include:

  • SignalR Contributor
  • SignalR AccessKey Reader

In addition, Azure Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-4: Set up emergency access in Azure AD

Guidance: Azure SignalR Service uses Azure Active Directory (Azure AD) to manage its resources. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used.

You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them, and only in an emergency.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-5: Automate entitlement management

Guidance: Azure SignalR Service is integrated with Azure Active Directory (Azure AD) to manage its resources. Use Azure AD entitlement management features to automate access request workflows, including access assignments, reviews, and expiration. Dual or multi-stage approval is also supported.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PA-7: Follow just enough administration (least privilege principle)

Guidance: SignalR Service is integrated with Azure role-based access control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. Assign these roles to users, groups, service principals, and managed identities. Pre-defined built-in roles exist for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal.

The privileges you assign to resources through Azure RBAC should always be limited to what is required by the roles. This complements the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM) and should be reviewed periodically.

Built-in roles in SignalR Service:

  • SignalR Contributor
  • SignalR AccessKey Reader

Use built-in roles to allocate permissions and only create custom roles when required.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-2: Protect sensitive data

Guidance: Protect sensitive data by restricting access using Azure role-based access control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases).

To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business-critical data and systems.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Azure Security Center.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.

Azure Security Center monitoring: Yes

Responsibility: Customer

AM-3: Use only approved Azure services

Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a non-approved service is detected.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

AM-4: Ensure security of asset lifecycle management

Guidance: Establish or update security policies that address asset lifecycle management processes for potentially high-impact modifications. These modifications include, but are not limited to, changes to identity providers and access, data sensitivity, network configuration, and administrative privilege assignment. In Azure SignalR Service, these changes include regenerating access keys, creating or updating private endpoints, and managing network access control.

Remove Azure resources when they are no longer needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

AM-5: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure Active Directory (Azure AD) provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:

  • Sign-in - The sign-in report provides information about the usage of managed applications and user sign-in activities.

  • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles, and policies.

  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Azure Security Center can also alert on certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription. In addition to basic security hygiene monitoring, Azure Security Center's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, App Service), data resources (SQL DB and storage), and Azure service layers. This capability gives you visibility into account anomalies inside the individual resources.
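As an added example (not code from the baseline or from any Microsoft tool), the following Python triages constructed Azure AD sign-in records for the anomalies IM-5 and LT-2 describe: a burst of failed authentication attempts, a success from the same address right after such a burst, and a sign-in that Azure AD rated risky but that still succeeded. The record fields follow the Microsoft Graph signIn resource; the sample records and the thresholds are assumptions.

```python
"""Flag account anomalies in Azure AD sign-in records.

Added example, not code from the Azure security baseline or any Microsoft tool.
Record fields follow the Microsoft Graph signIn resource (createdDateTime,
userPrincipalName, ipAddress, status.errorCode, riskLevelDuringSignIn); the
records below are constructed and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5              # assumption: this many failures ...
WINDOW = timedelta(minutes=10)     # ... inside one window is a burst
INVALID_CREDENTIALS = 50126        # Azure AD error code: wrong username or password
RISKY_LEVELS = {"medium", "high"}  # riskLevelDuringSignIn values worth an alert


def _rec(t, upn, ip, code, risk):
    return {
        "createdDateTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "userPrincipalName": upn,
        "ipAddress": ip,
        "status": {"errorCode": code},  # 0 means the sign-in succeeded
        "riskLevelDuringSignIn": risk,
    }


def sample_signins():
    """Constructed records: a password-guessing burst that then succeeds,
    one isolated typo, and a medium-risk sign-in that succeeded."""
    base = datetime(2021, 3, 1, 10, 0, 0)
    recs = [_rec(base + timedelta(minutes=i), "alice@contoso.example",
                 "203.0.113.5", INVALID_CREDENTIALS, "none") for i in range(6)]
    recs.append(_rec(base + timedelta(minutes=7), "alice@contoso.example",
                     "203.0.113.5", 0, "none"))
    recs.append(_rec(base, "bob@contoso.example", "198.51.100.9",
                     INVALID_CREDENTIALS, "none"))
    recs.append(_rec(base + timedelta(minutes=2), "carol@contoso.example",
                     "192.0.2.77", 0, "medium"))
    return recs


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _bursts(records, threshold, window):
    """Per user, the largest run of failures inside one window:
    upn -> (count, time of the last failure in the run, source IPs)."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failures[r["userPrincipalName"]].append(
                (_parse_time(r["createdDateTime"]), r["ipAddress"]))
    bursts = {}
    for upn, events in failures.items():
        events.sort()
        j, best = 0, None
        for i in range(len(events)):          # two-pointer sliding window
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best[0]):
                best = (count, events[j - 1][0], {ip for _, ip in events[i:j]})
        if best is not None:
            bursts[upn] = best
    return bursts


def find_failed_auth_bursts(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """upn -> number of failed sign-ins in the densest window over the threshold."""
    return {upn: b[0] for upn, b in _bursts(records, threshold, window).items()}


def find_risky_successful_signins(records):
    """Users whose sign-in succeeded while Azure AD rated it medium or high risk."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["status"]["errorCode"] == 0
                   and r["riskLevelDuringSignIn"] in RISKY_LEVELS})


def triage(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return sorted (alert_kind, upn) pairs for an analyst queue."""
    bursts = _bursts(records, threshold, window)
    alerts = {("failed_auth_burst", upn) for upn in bursts}
    for r in records:
        upn = r["userPrincipalName"]
        if r["status"]["errorCode"] == 0 and upn in bursts:
            count, last_fail, ips = bursts[upn]
            t = _parse_time(r["createdDateTime"])
            # a success from a burst's IP right after the burst is the
            # pattern of a guessed or sprayed password, so escalate it
            if last_fail <= t <= last_fail + window and r["ipAddress"] in ips:
                alerts.add(("success_after_burst", upn))
    for upn in find_risky_successful_signins(records):
        alerts.add(("risky_signin_succeeded", upn))
    return sorted(alerts)
```

The same functions run unchanged over records exported from the Azure AD sign-in report or a Log Analytics query, as long as the field names match.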

Azure Security Center monitoring: Not applicable

Responsibility: Customer

LT-3: Enable logging for Azure network activities

Guidance: Azure SignalR Service is not intended to be deployed into virtual networks; because of this, you cannot enable network security group flow logging, route traffic through a firewall, or perform packet captures.

However, Azure SignalR Service logs the network traffic that it processes for customer access. Enable resource logs within your deployed offering resources and configure these logs to be sent to a storage account for long-term retention and auditing.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

LT-4: Enable logging for Azure resources

Guidance: Activity logs, which are automatically available, contain all write operations (PUT, POST, DELETE) for your Azure SignalR Service resources, but not read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

Enable Azure resource logs for Azure SignalR Service. You can use Azure Security Center and Azure Policy to enable resource logs and log data collection. These logs can be critical for later investigating security incidents and performing forensic exercises.
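The following added example (not code from the baseline or from Microsoft) shows the kind of check LT-4 and AM-4 together call for: it scans constructed activity log records for the high-impact SignalR changes AM-4 lists (access key regeneration, private endpoint changes, network access control and role assignment changes) and ranks them for review. The flat field names and the Microsoft.SignalRService operation names are assumptions to be verified against records exported from your own subscription.

```python
"""Triage Azure Activity Log records for high-impact changes to Azure SignalR Service.

Added example, not code from the baseline or from Microsoft. The flat field
names (operationName, resourceId, caller, eventTimestamp, status) and the
operation names under Microsoft.SignalRService are assumptions modelled on the
activity log's common schema and the provider's operation naming; check both
against records exported from your own subscription. Records are constructed.
"""
from collections import Counter
import re

SIGNALR_PROVIDER = "/providers/microsoft.signalrservice/"

# The changes AM-4 calls out as potentially high impact, keyed by operation name
# (assumed names, compared case-insensitively because exports differ in casing).
HIGH_IMPACT = {
    "microsoft.signalrservice/signalr/regeneratekey/action": "access key regenerated",
    "microsoft.signalrservice/signalr/privateendpointconnections/write": "private endpoint created or updated",
    "microsoft.signalrservice/signalr/privateendpointconnections/delete": "private endpoint removed",
    "microsoft.signalrservice/signalr/delete": "resource deleted",
    "microsoft.authorization/roleassignments/write": "role assignment changed on the resource",
}
# A PUT on the resource itself is where networkACLs / public access change, so review it.
REVIEW = {"microsoft.signalrservice/signalr/write": "resource updated (check networkACLs)"}
RANK = {"high": 0, "medium": 1}


def _rec(t, op, resource_suffix, caller, status="Succeeded"):
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-chat"
           "/providers/Microsoft.SignalRService/SignalR/chat-prod" + resource_suffix)
    return {"eventTimestamp": t, "operationName": op, "resourceId": rid,
            "caller": caller, "status": status}


SAMPLE_ACTIVITY_LOG = [  # constructed; GET operations never appear in the activity log
    _rec("2021-03-01T09:00:00Z", "Microsoft.SignalRService/SignalR/write", "", "deploy-pipeline-sp"),
    _rec("2021-03-01T09:05:00Z", "Microsoft.SignalRService/SignalR/regenerateKey/action", "", "alice@contoso.example"),
    _rec("2021-03-01T09:06:00Z", "Microsoft.Authorization/roleAssignments/write",
         "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
         "alice@contoso.example"),
    _rec("2021-03-01T09:10:00Z", "Microsoft.SignalRService/SignalR/privateEndpointConnections/write",
         "/privateEndpointConnections/pe-chat", "bob@contoso.example"),
    _rec("2021-03-01T09:12:00Z", "Microsoft.SignalRService/SignalR/write", "", "ops-user@contoso.example", "Failed"),
    {"eventTimestamp": "2021-03-01T09:15:00Z", "operationName": "Microsoft.Storage/storageAccounts/write",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-chat"
                   "/providers/Microsoft.Storage/storageAccounts/chatlogs",
     "caller": "bob@contoso.example", "status": "Succeeded"},
]


def triage_activity_log(records, expected_callers=frozenset()):
    """Findings for SignalR resources, highest severity first, then by time.

    expected_callers: principals (e.g. a deployment pipeline) whose routine
    PUTs stay at medium; anyone else updating the resource is rated high."""
    findings = []
    for r in records:
        rid = r["resourceId"]
        if SIGNALR_PROVIDER not in rid.lower():
            continue  # the activity log covers every provider; keep SignalR only
        op = r["operationName"].lower()
        if op in HIGH_IMPACT:
            severity, reason = "high", HIGH_IMPACT[op]
        elif op in REVIEW:
            severity, reason = "medium", REVIEW[op]
            if r["caller"] not in expected_callers:
                severity, reason = "high", reason + ", by an unexpected caller"
        else:
            continue
        m = re.search(r"/signalr/([^/]+)", rid, re.IGNORECASE)
        findings.append({
            "severity": severity, "reason": reason, "operation": r["operationName"],
            "resource": m.group(1) if m else rid, "caller": r["caller"],
            "time": r["eventTimestamp"],
            "status": r["status"],  # failed attempts are kept: still worth a look
        })
    findings.sort(key=lambda f: (RANK[f["severity"]], f["time"]))
    return findings


def summarize_by_caller(findings):
    """How many flagged changes each principal made; useful for PA-3 style reviews."""
    return Counter(f["caller"] for f in findings)
```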

Azure Security Center monitoring: Currently not available

Responsibility: Customer

LT-5: Centralize security log management and analysis

Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure you have assigned a data owner, access guidance, storage location, the tools used to process and access the data, and data retention requirements.

Ensure you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long-term and archival storage.

In addition, enable and onboard data to Azure Sentinel or a third-party security information and event management (SIEM) system.

Many organizations choose to use Azure Sentinel for "hot" data that is used frequently and Azure Storage for "cold" data that is used less frequently.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

IR-2: Preparation - set up incident notification

Guidance: Set up security incident contact information in Azure Security Center. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notifications in different Azure services based on your incident response needs.

Azure Security Center monitoring: Yes

Responsibility: Customer

IR-3: Detection and analysis - create incidents based on high-quality alerts

Guidance: Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.

High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.

Azure Security Center provides high-quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for investigation.

Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

IR-4: Detection and analysis - investigate an incident

Guidance: Ensure analysts can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference.

The data sources for investigation include the centralized logging sources that are already being collected from the in-scope services and running systems, but can also include:

  • Network data - Use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information.

  • Snapshots of running systems:

    • Use the Azure virtual machine snapshot capability to create a snapshot of the running system's disk.

    • Use the operating system's native memory dump capability to create a snapshot of the running system's memory.

    • Use the snapshot feature of the Azure services or your software's own capability to create snapshots of the running systems.

Azure Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information gathered during an investigation can be associated with an incident for tracking and reporting purposes.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

IR-5: Detection and analysis - prioritize incidents

Guidance: Provide context to analysts on which incidents to focus on first, based on alert severity and asset sensitivity.

Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

IR-6:包含、根除和恢复 - 自动执行事件处理IR-6: Containment, eradication and recovery – automate the incident handling

指导:自动执行手动重复性任务来加快响应时间并减轻分析人员的负担。Guidance: Automate manual repetitive tasks to speed up response time and reduce the burden on analysts. 执行手动任务需要更长的时间,这会导致减慢每个事件的速度,并减少分析人员可以处理的事件数量。Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. 手动任务还会使分析人员更加疲劳,这会增加可导致延迟的人为错误的风险,并降低分析人员专注于复杂任务的工作效率。Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays, and degrades the ability of analysts to focus effectively on complex tasks. 使用 Azure 安全中心和 Azure Sentinel 中的工作流自动化功能,可自动触发操作或运行 playbook,对传入的安全警报作出响应。Use workflow automation features in Azure Security Center and Azure Sentinel to automatically trigger actions or run a playbook to respond to incoming security alerts. playbook 执行多项操作,如发送通知、禁用帐户和隔离有问题的网络。The playbook takes actions, such as sending notifications, disabling accounts, and isolating problematic networks.

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:客户Responsibility: Customer

安全状况和漏洞管理Posture and Vulnerability Management

PV-2:为所有 Azure 服务维护安全配置PV-2: Sustain secure configurations for Azure services

指导:使用 Azure 安全中心监视配置基线,并强制使用 Azure Policy 的 [拒绝] 和 [如果不存在便部署] 规则强制实施安全的 Azure SignalR 服务配置。Guidance: Use Azure Security Center to monitor your configuration baseline and enforce using Azure Policy [deny] and [deploy if not exist] to enforce secure configuration for Azure SignalR Service. Azure SignalR 服务策略包括:Azure SignalR Service policy includes:

访问所引用的链接可获得更多信息。Additional information is available at the referenced links.
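As an added example of the [deny] enforcement described above (not code from this baseline or from the Azure SignalR Service documentation), the following Bicep file defines and assigns a custom Azure Policy that rejects any Azure SignalR Service resource whose public network access is not disabled, so that clients can only reach the service over a private endpoint. The definition and assignment names, the display text and the policy alias `Microsoft.SignalRService/SignalR/publicNetworkAccess` are assumptions; confirm the alias in your subscription with `az provider show --namespace Microsoft.SignalRService --expand resourceTypes/aliases` before assigning the policy.

```bicep
// Added example: custom Azure Policy definition with the Deny effect for Azure SignalR Service.
// Names, display text and the property alias are assumptions, not values taken from the baseline.
targetScope = 'subscription'

resource denySignalRPublicAccess 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-signalr-public-network-access' // assumed definition name
  properties: {
    displayName: 'Azure SignalR Service must disable public network access' // assumed
    description: 'Denies SignalR resources whose publicNetworkAccess is not Disabled. Alias assumed; verify before assignment.'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.SignalRService/SignalR'
          }
          {
            // Assumed alias for the SignalR resource's publicNetworkAccess property
            field: 'Microsoft.SignalRService/SignalR/publicNetworkAccess'
            notEquals: 'Disabled'
          }
        ]
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

// Assign the definition at subscription scope; existing non-compliant resources then
// appear in the Azure Policy compliance view, and new writes that violate it are rejected.
resource denySignalRPublicAccessAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'deny-signalr-public-access' // assumed assignment name
  properties: {
    displayName: denySignalRPublicAccess.properties.displayName
    policyDefinitionId: denySignalRPublicAccess.id
    enforcementMode: 'Default'
  }
}
```

Deploy it at subscription scope with `az deployment sub create --location <region> --template-file signalr-policy.bicep`. With the assignment in place, a deployment of an Azure SignalR Service resource that leaves public network access enabled fails at write time, while resources created before the assignment show as non-compliant until they are remediated. Keep the assignment in `Default` enforcement mode only after testing it in `DoNotEnforce` mode against a non-production subscription, so that an unexpected alias mismatch does not block legitimate deployments.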

Azure Security Center monitoring: Yes

Responsibility: Customer

PV-3: Establish secure configurations for compute resources

Guidance: Use Azure Security Center and Azure Policy to establish secure configurations on Azure SignalR Service.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

PV-8: Conduct regular attack simulation

Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-4: Mitigate risk of lost keys

Guidance: Ensure you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
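As an added example of the Key Vault settings this control asks for (not code from this baseline or from the Azure SignalR Service documentation), the Bicep fragment below deploys a vault with soft delete and purge protection enabled, so that a deleted key stays recoverable for the retention period and cannot be permanently purged before that period ends, even by an administrator. The vault name, retention value and API version are assumptions; one caveat worth planning for is that purge protection cannot be switched off once it has been enabled on a vault.

```bicep
// Added example: Key Vault hardened against key loss (soft delete + purge protection).
// The name, location and retention period are assumptions, not values from the baseline.
param keyVaultName string = 'kv-signalr-example' // assumed name; must be globally unique
param location string = resourceGroup().location

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true     // grant access with Azure RBAC instead of vault access policies
    enableSoftDelete: true            // deleted keys, secrets and certificates are recoverable ...
    softDeleteRetentionInDays: 90     // ... for this many days (assumed value; 7 to 90 is allowed)
    enablePurgeProtection: true       // blocks permanent purge during retention; cannot be disabled later
    publicNetworkAccess: 'Disabled'   // reach the vault only through a private endpoint
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'         // lets trusted Azure services reach the vault despite the deny rule
    }
  }
}

output keyVaultId string = keyVault.id
```

After deployment, a key that was deleted by mistake can be listed with `az keyvault key list-deleted --vault-name <name>` and restored with `az keyvault key recover --vault-name <name> --name <key>` as long as the retention window has not elapsed; with purge protection on, no principal can shorten that window by purging the key. Combine these settings with a regular `az keyvault key backup` of keys whose loss would be unrecoverable by other means.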

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Next steps