Azure Stack Hub infrastructure security controls

Security considerations and compliance regulations are among the main drivers for adopting hybrid clouds, and Azure Stack Hub is designed for these scenarios. This article explains the security controls in place for Azure Stack Hub.

Two security posture layers coexist in Azure Stack Hub. The first layer is the Azure Stack Hub infrastructure, which includes the hardware components up through Azure Resource Manager as well as the administrator and user portals. The second layer consists of the workloads created, deployed, and managed by tenants, such as virtual machines and App Services web sites.

Security approach

The security posture of Azure Stack Hub is designed to defend against modern threats and was built to meet the requirements of the major compliance standards. As a result, the security posture of the Azure Stack Hub infrastructure rests on two pillars:

  • Assume Breach
    Starting from the assumption that the system has already been breached, the focus is on detecting breaches and limiting their impact rather than only trying to prevent attacks.

  • Hardened by Default
    Because the infrastructure runs on well-defined hardware and software, Azure Stack Hub enables, configures, and validates all of its security features by default.

Because Azure Stack Hub is delivered as an integrated system, the security posture of the Azure Stack Hub infrastructure is defined by Azure. Just as in Azure, tenants are responsible for defining the security posture of their own workloads. This document provides foundational knowledge on the security posture of the Azure Stack Hub infrastructure.

Data at rest encryption

All Azure Stack Hub infrastructure and tenant data are encrypted at rest using BitLocker. This encryption protects against physical loss or theft of Azure Stack Hub storage components. For more information, see Data at rest encryption in Azure Stack Hub.

Data in transit encryption

Azure Stack Hub infrastructure components communicate over channels encrypted with TLS 1.2. The certificates for these internal channels are managed by the infrastructure itself.

All external infrastructure endpoints, such as the REST endpoints and the Azure Stack Hub portals, support TLS 1.2 for secure communications. The certificates for those endpoints must be provided by you, issued either by a third-party certificate authority or by your enterprise certificate authority.

Although self-signed certificates can be used for these external endpoints, Azure strongly advises against them. For more information on how to enforce TLS 1.2 on the external endpoints of Azure Stack Hub, see Configure Azure Stack Hub security controls.

Secret management

The Azure Stack Hub infrastructure uses a multitude of secrets, such as passwords and certificates, to function. Most of the passwords associated with internal service accounts are rotated automatically every 24 hours, because those accounts are group Managed Service Accounts (gMSA), a type of domain account managed directly by the internal domain controller.

The Azure Stack Hub infrastructure uses 4096-bit RSA keys for all of its internal certificates. Certificates with the same key length can also be used for the external endpoints. For more information on secret and certificate rotation, see Rotate secrets in Azure Stack Hub.
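The following Go program is an added example that is not part of this article or of Azure Stack Hub itself. It illustrates the two checks a practitioner would want from the "Data in transit encryption" and "Secret management" sections: an endpoint that refuses anything below TLS 1.2 (contrasted with a weak server that still accepts TLS 1.0/1.1), and a certificate policy that flags self-signed certificates and RSA keys shorter than 4096 bits. The hostname, the 2048-bit throwaway certificate, and the 4096-bit minimum as a policy for external certificates are all assumptions of the example; the handshake runs in-process over Go's crypto/tls instead of against a real Azure Stack Hub endpoint.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throwaway self-signed RSA server certificate in memory. It is
// constructed test data standing in for a certificate offered by an external endpoint.
func newSelfSignedCert(bits int, host string) (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // a self-signed certificate acts as its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// CheckCert applies two rules to a certificate offered on an external endpoint: it must not be
// self-signed, and an RSA key must have at least minRSABits. One finding per violated rule.
func CheckCert(c *x509.Certificate, minRSABits int) []string {
	var findings []string
	// Self-signed: issuer equals subject and the signature verifies under the certificate's own key.
	if bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil {
		findings = append(findings, "certificate is self-signed; use an enterprise or third-party CA")
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits; policy requires at least %d", pub.N.BitLen(), minRSABits))
	}
	return findings
}

// handshake runs one in-memory TLS handshake between a server accepting nothing below serverMin
// and a client offering nothing above clientMax. It returns the negotiated version, or an error
// when the server refuses the client's best offer.
func handshake(serverCert tls.Certificate, serverMin, clientMax uint16) (uint16, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serverCert.Leaf) // trust the constructed certificate explicitly instead of skipping verification
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: serverMin}
	cliCfg := &tls.Config{
		RootCAs:    roots,
		ServerName: serverCert.Leaf.DNSNames[0],
		MinVersion: tls.VersionTLS10, // deliberately permissive: this client models a legacy caller
		MaxVersion: clientMax,
	}
	srvConn, cliConn := net.Pipe()
	defer func() { srvConn.Close(); cliConn.Close() }()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, srvCfg).Handshake() }()
	client := tls.Client(cliConn, cliCfg)
	if err := client.Handshake(); err != nil {
		cliConn.Close() // unblock the server goroutine if it is still writing its alert
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	// Placeholder hostname and 2048-bit key are assumptions; together they violate both rules.
	cert, err := newSelfSignedCert(2048, "adminmanagement.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("findings:", CheckCert(cert.Leaf, 4096))
	for _, tc := range [][2]uint16{{tls.VersionTLS12, tls.VersionTLS11}, {tls.VersionTLS12, tls.VersionTLS12}, {tls.VersionTLS10, tls.VersionTLS11}} {
		v, err := handshake(cert, tc[0], tc[1])
		fmt.Printf("server min %#04x, client max %#04x: negotiated %#04x, err: %v\n", tc[0], tc[1], v, err)
	}
}
```

The first handshake (TLS 1.2-only server, TLS 1.1 client) is refused with a protocol-version alert, the second negotiates 0x0303 (TLS 1.2), and the third shows what a misconfigured endpoint that still accepts TLS 1.0 would do: it happily completes a TLS 1.1 session. The client trusts the test certificate through an explicit root pool rather than InsecureSkipVerify, so the same code path can be pointed at a CA-issued certificate without changes.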

Windows Defender Application Control

Azure Stack Hub makes use of the latest Windows Server security features. One of them is Windows Defender Application Control (WDAC, formerly known as Code Integrity), which provides executable allow-listing and ensures that only authorized code runs within the Azure Stack Hub infrastructure.

Authorized code is signed by either Azure or the OEM partner. The signed, authorized code is included in the list of allowed software specified in a policy defined by Azure. In other words, only software that has been approved to run in the Azure Stack Hub infrastructure can execute. Any attempt to execute unauthorized code is blocked and an alert is generated. Azure Stack Hub enforces both User Mode Code Integrity (UMCI) and Hypervisor-protected Code Integrity (HVCI).

The WDAC policy also prevents third-party agents or software from running in the Azure Stack Hub infrastructure. For more information on WDAC, see Windows Defender Application Control and virtualization-based protection of code integrity.

Credential Guard

Another Windows Server security feature used in Azure Stack Hub is Windows Defender Credential Guard, which protects Azure Stack Hub infrastructure credentials from Pass-the-Hash and Pass-the-Ticket attacks.

Antivirus

Every component in Azure Stack Hub (both Hyper-V hosts and virtual machines) is protected with Windows Defender Antivirus.

In connected scenarios, antivirus definition and engine updates are applied multiple times a day. In disconnected scenarios, antimalware updates are applied as part of the monthly Azure Stack Hub updates. If more frequent updates to the Windows Defender definitions are needed in a disconnected scenario, Azure Stack Hub also supports importing Windows Defender updates. For more information, see Update Windows Defender Antivirus on Azure Stack Hub.

Secure Boot

Azure Stack Hub enforces Secure Boot on all Hyper-V hosts and infrastructure virtual machines.

Constrained administration model

Administration in Azure Stack Hub is controlled through three entry points, each with a specific purpose:

  • The administrator portal provides a point-and-click experience for daily management operations.
  • Azure Resource Manager exposes all the management operations of the administrator portal through a REST API, which is used by PowerShell and the Azure CLI.
  • For specific low-level operations (for example, datacenter integration or support scenarios), Azure Stack Hub exposes a PowerShell endpoint called the privileged endpoint. This endpoint exposes only an allow-listed set of cmdlets and is heavily audited.

Network controls

The Azure Stack Hub infrastructure comes with multiple layers of network access control lists (ACLs). The ACLs prevent unauthorized access to the infrastructure components and limit infrastructure communications to only the paths required for it to function.

Network ACLs are enforced in three layers:

  • Layer 1: Top of Rack switches
  • Layer 2: Software Defined Network
  • Layer 3: Host and VM operating system firewalls

Regulatory compliance

Azure Stack Hub has gone through a formal capability assessment by a third-party, independent auditing firm. As a result, documentation is available on how the Azure Stack Hub infrastructure meets the applicable controls of several major compliance standards. The documentation is not a certification of Azure Stack Hub, because the standards also include several personnel-related and process-related controls. Rather, customers can use this documentation to jump-start their own certification process.

The assessments include the following standards:

  • PCI-DSS, which addresses the payment card industry.
  • CSA Cloud Control Matrix, a comprehensive mapping across multiple standards, including FedRAMP Moderate, ISO 27001, HIPAA, HITRUST, ITAR, NIST SP 800-53, and others.
  • FedRAMP High, for government customers.

Next steps