Security features to help protect hybrid backups that use Azure Backup

Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect hybrid backups. This article covers how to enable and use these features with the Azure Recovery Services agent and Azure Backup Server. These features include:

  • Prevention. An additional layer of authentication is added whenever a critical operation like changing a passphrase is performed. This validation ensures that such operations can be performed only by users who have valid Azure credentials.
  • Alerting. An email notification is sent to the subscription admin whenever a critical operation like deleting backup data is performed. This email ensures that the user is notified quickly about such actions.
  • Recovery. Deleted backup data is retained for an additional 14 days from the date of deletion. This ensures that the data can be recovered within that period, so there is no data loss even if an attack happens. Also, a greater minimum number of recovery points is maintained to guard against corrupt data.

Note

Security features should not be enabled if you are using infrastructure as a service (IaaS) VM backup. These features are not yet available for IaaS VM backup, so enabling them has no effect. Security features should be enabled only if you are using:

  • Azure Backup agent. Minimum agent version 2.0.9052. After you have enabled these features, you should upgrade to this agent version to perform critical operations.
  • Azure Backup Server. Minimum Azure Backup agent version 2.0.9052 with Azure Backup Server update 1.
  • System Center Data Protection Manager. Minimum Azure Backup agent version 2.0.9052 with Data Protection Manager 2012 R2 UR12 or Data Protection Manager 2016 UR2.

Note

These features are available only for Recovery Services vaults. All newly created Recovery Services vaults have these features enabled by default. For existing Recovery Services vaults, enable these features by using the steps in the following section. After the features are enabled, they apply to all the Recovery Services agent computers, Azure Backup Server instances, and Data Protection Manager servers registered with the vault. Enabling this setting is a one-time action; you cannot disable these features after enabling them.

Enable security features

If you are creating a Recovery Services vault, you can use all the security features. If you are working with an existing vault, enable security features by following these steps:

  1. Sign in to the Azure portal by using your Azure credentials.

  2. Select Browse, and type Recovery Services.

    (Screenshot of the Azure portal Browse option)

    The list of Recovery Services vaults appears. From this list, select a vault. The selected vault's dashboard opens.

  3. From the list of items that appears under the vault, under Settings, click Properties.

    (Screenshot of the Recovery Services vault options)

  4. Under Security Settings, click Update.

    (Screenshot of the Recovery Services vault properties)

    The Update link opens the Security Settings blade, which provides a summary of the features and lets you enable them.

  5. From the drop-down list Have you configured Azure Multi-Factor Authentication?, select a value to confirm whether you have enabled Azure Multi-Factor Authentication. If it is enabled, you are asked to authenticate from another device (for example, a mobile phone) when signing in to the Azure portal.

    When you perform critical operations in Backup, you have to enter a security PIN, available in the Azure portal. Enabling Azure Multi-Factor Authentication adds a layer of security: only authorized users with valid Azure credentials, authenticated from a second device, can access the Azure portal.

  6. To save the security settings, select Enable and click Save. You can select Enable only after you have selected a value from the Have you configured Azure Multi-Factor Authentication? list in the previous step.

    (Screenshot of the security settings)

Recover deleted backup data

If the Stop backup with delete backup data operation is performed, Backup does not delete the data immediately; it retains the deleted backup data for an additional 14 days. To restore this data within the 14-day period, take the following steps, depending on what you are using:

For Azure Recovery Services agent users:

  1. If the computer where backups were happening is still available, re-protect the deleted data sources, and use Recover data to the same machine in Azure Recovery Services to recover from all the old recovery points.
  2. If this computer is not available, use Recover to an alternate machine to get this data by using another Azure Recovery Services computer.

For Azure Backup Server users:

  1. If the server where backups were happening is still available, re-protect the deleted data sources, and use the Recover Data feature to recover from all the old recovery points.
  2. If this server is not available, use Recover data from another Azure Backup Server to get this data by using another Azure Backup Server instance.

For Data Protection Manager users:

  1. If the server where backups were happening is still available, re-protect the deleted data sources, and use the Recover Data feature to recover from all the old recovery points.
  2. If this server is not available, use Add External DPM to get this data by using another Data Protection Manager server.

Prevent attacks

Checks have been added to make sure that only valid users can perform various operations. These include adding an extra layer of authentication, and maintaining a minimum retention range for recovery purposes.

Authentication to perform critical operations

As part of adding an extra layer of authentication for critical operations, you are prompted to enter a security PIN when you perform the Stop Protection with Delete data and Change Passphrase operations.

Note

Currently, the security PIN is not supported for Stop Protection with Delete data on DPM and MABS.

To receive this PIN:

  1. Sign in to the Azure portal.
  2. Browse to Recovery Services vault > Settings > Properties.
  3. Under Security PIN, click Generate. This opens a blade that contains the PIN to be entered in the Azure Recovery Services agent user interface. This PIN is valid for only five minutes, and a new one is generated automatically after that period.

Maintain a minimum retention range

To ensure that a valid number of recovery points is always available, the following checks have been added:

  • For daily retention, a minimum of seven days of retention is required.
  • For weekly retention, a minimum of four weeks of retention is required.
  • For monthly retention, a minimum of three months of retention is required.
  • For yearly retention, a minimum of one year of retention is required.

Notifications for critical operations

Typically, when a critical operation is performed, the subscription admin is sent an email notification with details about the operation. You can configure additional email recipients for these notifications by using the Azure portal.

The security features described in this article provide defense mechanisms against targeted attacks. More importantly, if an attack happens, these features give you the ability to recover your data.

Troubleshooting errors

Operation: Policy change
Error details: The backup policy could not be modified. Error: The current operation failed due to an internal service error [0x29834]. Please retry the operation after some time. If the issue persists, please contact Microsoft support.
Cause: This error occurs when security settings are enabled, you try to reduce the retention range below the minimum values specified above, and you are on an unsupported version (supported versions are specified in the first note of this article).
Recommended action: In this case, set the retention period above the specified minimum (seven days for daily, four weeks for weekly, three months for monthly, or one year for yearly) to proceed with policy-related updates. The preferred approach is to update the backup agent, Azure Backup Server, and/or the DPM update rollup so that you benefit from all the security updates.

Operation: Change passphrase
Error details: The Security PIN entered is incorrect. (ID: 100130) Provide the correct Security PIN to complete this operation.
Cause: This error occurs when you enter an invalid or expired Security PIN while performing a critical operation (such as changing the passphrase).
Recommended action: To complete the operation, you must enter a valid Security PIN. To get the PIN, sign in to the Azure portal and navigate to Recovery Services vault > Settings > Properties > Generate Security PIN. Use this PIN to change the passphrase.

Operation: Change passphrase
Error details: Operation failed. ID: 120002
Cause: This error occurs when security settings are enabled, you try to change the passphrase, and you are on an unsupported version (valid versions are specified in the first note of this article).
Recommended action: To change the passphrase, you must first update the backup agent to minimum version 2.0.9052, Azure Backup Server to minimum update 1, and/or DPM to minimum DPM 2012 R2 UR12 or DPM 2016 UR2 (download links below), and then enter a valid Security PIN. To get the PIN, sign in to the Azure portal and navigate to Recovery Services vault > Settings > Properties > Generate Security PIN. Use this PIN to change the passphrase.
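The minimum retention ranges listed under "Maintain a minimum retention range" and the unsupported-version condition behind error 0x29834 are the two checks a policy update has to pass once security features are on. The pre-flight validator below is an added illustration, not Azure Backup's own code; the policy dictionary shape and the function names are assumptions made for the example.

```python
"""Pre-flight check for an Azure Backup retention policy change.

Added illustration, not Azure Backup's own code. It applies the minimum
retention ranges and the minimum agent version (2.0.9052) this article
lists, the two conditions behind error 0x29834 on a policy change.
"""
from typing import Dict, List, Tuple

# Minimum retention ranges enforced once security features are enabled.
MIN_RETENTION = {"daily": 7, "weekly": 4, "monthly": 3, "yearly": 1}
MIN_AGENT_VERSION = (2, 0, 9052)  # from the first note of the article


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.0.9052' into (2, 0, 9052) so versions compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed agent version: {version!r}")
    return tuple(int(p) for p in parts)


def policy_violations(retention: Dict[str, int], agent_version: str) -> List[str]:
    """Return the reasons a policy update would be rejected (empty if none).

    `retention` maps a schedule ('daily', 'weekly', 'monthly', 'yearly')
    to the number of units kept; schedules absent from the map are not
    configured and are not checked. (Assumed shape for this example.)
    """
    problems = []
    if parse_version(agent_version) < MIN_AGENT_VERSION:
        problems.append(
            f"agent {agent_version} is below the supported minimum "
            f"{'.'.join(map(str, MIN_AGENT_VERSION))}; update it first")
    for schedule, kept in retention.items():
        floor = MIN_RETENTION.get(schedule)
        if floor is None:
            problems.append(f"unknown retention schedule {schedule!r}")
        elif kept < floor:
            problems.append(
                f"{schedule} retention of {kept} is below the minimum of {floor}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a change that shortens daily retention, submitted
    # from an agent one build short of the supported minimum.
    sample = {"daily": 3, "weekly": 4, "monthly": 12}
    for problem in policy_violations(sample, "2.0.9051"):
        print("blocked:", problem)
```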

Next steps