Azure Security Baseline for Azure Container Registry

The Azure Security Baseline for Azure Container Registry contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: Azure Virtual Network provides secure, private networking for your Azure and on-premises resources. By limiting access to your private Azure container registry from an Azure virtual network, you ensure that only resources in the virtual network access the registry. For cross-premises scenarios, you can also configure firewall rules to allow registry access only from specific IP addresses. From behind a firewall, configure firewall access rules and service tags to access your container registry.

Configure rules to access an Azure container registry behind a firewall: https://docs.azure.cn/container-registry/container-registry-firewall-access-rules

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of VNets, subnets, and NICs

Guidance: Use Azure Security Center and remediate network protection recommendations to help protect your network resources in Azure. Enable NSG flow logs and send logs into a Storage Account for traffic audit.

How to enable NSG Flow Logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

Protect your network resources: https://docs.azure.cn/security-center/security-center-network-recommendations

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable. Benchmark is intended for Azure App Service or compute resources hosting web applications.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.4: Deny communications with known malicious IP addresses

Guidance: Enable DDoS Standard protection on your virtual networks for protection from DDoS attacks. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious or unused Internet IP addresses. Deploy Azure Firewall at each of the organization's network boundaries with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic.

You may use Azure Security Center Just In Time Network access to configure NSGs to limit exposure of endpoints to approved IP addresses for a limited period. Also, use Azure Security Center Adaptive Network Hardening to recommend NSG configurations that limit ports and source IPs based on actual traffic and threat intelligence.

How to deploy Azure Firewall: https://docs.azure.cn/firewall/tutorial-firewall-deploy-portal

Understand Azure Security Center Integrated Threat Intelligence: https://docs.azure.cn/security-center/security-center-alerts-service-layer

Understand Azure Security Center Adaptive Network Hardening: https://docs.azure.cn/security-center/security-center-adaptive-network-hardening

Azure Security Center Just In Time Network Access Control: https://docs.azure.cn/security-center/security-center-just-in-time

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets and flow logs

Guidance: Enable network security group (NSG) flow logs for the NSG attached to the subnet being used to protect your Azure container registry. You can record the NSG flow logs into an Azure Storage Account to generate flow records. If required for investigating anomalous activity, enable Azure Network Watcher packet capture.

How to enable NSG Flow Logs: https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

How to enable Network Watcher: https://docs.azure.cn/network-watcher/network-watcher-create

Azure Security Center monitoring: Yes

Responsibility: Customer

1.6: Deploy network based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Select an offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities. If intrusion detection and/or prevention based on payload inspection is not a requirement, Azure Firewall with Threat Intelligence can be used. Azure Firewall Threat Intelligence-based filtering can alert and deny traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or deny malicious traffic.

Azure Marketplace: https://market.azure.cn/marketplace/apps/filter?search=Firewall

How to deploy Azure Firewall: https://docs.azure.cn/firewall/tutorial-firewall-deploy-portal

How to configure alerts with Azure Firewall: https://docs.azure.cn/firewall/threat-intel

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable. Benchmark is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: For resources that need access to your container registry, use virtual network service tags for the Azure Container Registry service to define network access controls on Network Security Groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name "AzureContainerRegistry" in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Allow access by service tag: https://docs.azure.cn/container-registry/container-registry-firewall-access-rules#allow-access-by-service-tag

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources associated with your Azure container registries with Azure Policy. Use Azure Policy aliases in the "Microsoft.ContainerRegistry" and "Microsoft.Network" namespaces to create custom policies to audit or enforce the network configuration of your container registries.

You may use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition. Easily apply the blueprint to new subscriptions and fine-tune control and management through versioning.

Audit compliance of Azure container registries using Azure Policy: https://docs.azure.cn/container-registry/container-registry-azure-policy

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Customers may use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition. Easily apply the blueprint to new subscriptions and fine-tune control and management through versioning.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use Azure Activity Log to monitor network resource configurations and detect changes for network resources related to your container registries. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.

How to view and retrieve Azure Activity Log events: https://docs.azure.cn/azure-monitor/platform/activity-log-view

How to create alerts in Azure Monitor: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Yes

Responsibility: Customer

Logging and Monitoring

For more information, see Security Control: Logging and Monitoring.

2.1: Use approved time synchronization sources

Guidance: Azure maintains time sources for Azure resources; however, you have the option to manage the time synchronization settings for your compute resources.

How to configure time synchronization for Azure compute resources: https://docs.azure.cn/virtual-machines/windows/time-sync

Azure Security Center monitoring: Currently not available

Responsibility: Azure

2.2: Configure central security log management

Guidance: Ingest logs via Azure Monitor to aggregate security data generated by an Azure container registry. Within Azure Monitor, use Log Analytics Workspace(s) to query and perform analytics, and use Azure Storage Accounts for long-term/archival storage.

Azure Container Registry logs for diagnostic evaluation and auditing: https://docs.azure.cn/container-registry/container-registry-diagnostics-audit-logs

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Azure Monitor collects resource logs (formerly called diagnostic logs) for user-driven events in your registry. Collect and consume this data to audit registry authentication events and provide a complete activity trail on registry artifacts such as pull and push events, so you can diagnose security issues with your registry.

Azure Container Registry logs for diagnostic evaluation and auditing: https://docs.azure.cn/container-registry/container-registry-diagnostics-audit-logs

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable. Benchmark is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.

How to set log retention parameters for Log Analytics Workspaces: https://docs.azure.cn/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor Azure Container Registry logs for anomalous behavior and regularly review results. Use Azure Monitor's Log Analytics Workspace to review logs and perform queries on log data.

Azure Container Registry logs for diagnostic evaluation and auditing: https://docs.azure.cn/container-registry/container-registry-diagnostics-audit-logs

Understand Log Analytics Workspace: https://docs.azure.cn/azure-monitor/log-query/get-started-portal

How to perform custom queries in Azure Monitor: https://docs.azure.cn/azure-monitor/log-query/get-started-queries

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activity

Guidance: Use Azure Log Analytics workspace for monitoring and alerting on anomalous activities in security logs and events related to your Azure container registry.

Azure Container Registry logs for diagnostic evaluation and auditing: https://docs.azure.cn/container-registry/container-registry-diagnostics-audit-logs

How to alert on Log Analytics log data: https://docs.azure.cn/azure-monitor/learn/tutorial-response

Azure Security Center monitoring: Currently not available

Responsibility: Customer
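The kind of review and alerting that controls 2.6 and 2.7 call for, as an added example that is not part of the original baseline or of Azure's own tooling: it runs three detections over registry resource-log records exported as JSON lines and flags failed-login bursts from one caller IP, successful access from outside an allow-listed network, and push/delete/untag operations by identities other than the expected CI/CD principal. The records are constructed, the field names only approximate the ContainerRegistryLoginEvents and ContainerRegistryRepositoryEvents tables, and the thresholds, networks and identities are assumed values to adapt to your environment.

```python
"""Detection rules over Azure Container Registry resource-log records (added example).

Assumptions: records arrive as JSON lines with the fields time, category,
operationName, identity, callerIpAddress, resultType and repository; these
names approximate, but are not guaranteed to match, the real log tables.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values: adapt to the environment being monitored.
FAILED_LOGIN_THRESHOLD = 5                      # failures from one IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)     # ... inside this sliding window
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "203.0.113.0/24")]
WRITE_IDENTITIES = {"ci-pipeline-sp"}           # principals expected to push/delete
WRITE_OPS = {"Push", "Delete", "Untag"}

LOGIN = "ContainerRegistryLoginEvents"
REPO = "ContainerRegistryRepositoryEvents"


def _rec(time, category, op, identity, ip, result, repo=None):
    """Build one constructed JSON log line."""
    return json.dumps({"time": time, "category": category, "operationName": op,
                       "identity": identity, "callerIpAddress": ip,
                       "resultType": result, "repository": repo})


# Constructed sample: five failed logins in five minutes from 198.51.100.7,
# a pull from a network that is not allow-listed, and an interactive delete.
SAMPLE_LOG = "\n".join([
    *[_rec(f"2021-03-01T10:0{m}:00Z", LOGIN, "Authenticate", "svc-legacy",
           "198.51.100.7", "Failure") for m in range(5)],
    _rec("2021-03-01T10:10:00Z", LOGIN, "Authenticate", "alice@contoso.example", "10.0.1.5", "Success"),
    _rec("2021-03-01T10:11:00Z", REPO, "Pull", "alice@contoso.example", "10.0.1.5", "Success", "web/frontend"),
    _rec("2021-03-01T10:20:00Z", REPO, "Pull", "ci-pipeline-sp", "203.0.113.10", "Success", "web/frontend"),
    _rec("2021-03-01T10:21:00Z", REPO, "Push", "ci-pipeline-sp", "203.0.113.10", "Success", "web/frontend"),
    _rec("2021-03-01T10:30:00Z", LOGIN, "Authenticate", "svc-legacy", "198.51.100.7", "Failure"),
    _rec("2021-03-01T10:40:00Z", REPO, "Pull", "bob@contoso.example", "192.0.2.44", "Success", "web/frontend"),
    _rec("2021-03-01T10:45:00Z", REPO, "Delete", "alice@contoso.example", "10.0.1.5", "Success", "web/frontend"),
])


def parse_records(text):
    """Parse JSON lines into dicts with an aware datetime, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def failed_login_bursts(records):
    """Return {ip: peak count} for IPs whose failed logins reach the threshold
    within the sliding window; a single stray failure never triggers."""
    failures = defaultdict(list)
    for r in records:
        if r["category"] == LOGIN and r["resultType"] != "Success":
            failures[r["callerIpAddress"]].append(r["time"])
    bursts = {}
    for ip, times in failures.items():   # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAILED_LOGIN_THRESHOLD:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


def off_network_access(records):
    """Successful operations whose caller IP lies outside ALLOWED_NETWORKS."""
    hits = []
    for r in records:
        if r["resultType"] != "Success":
            continue
        ip = ipaddress.ip_address(r["callerIpAddress"])
        if not any(ip in net for net in ALLOWED_NETWORKS):
            hits.append((r["identity"], r["callerIpAddress"], r["operationName"]))
    return hits


def unexpected_writes(records):
    """Push/Delete/Untag performed by an identity not on the write allow-list."""
    return [(r["identity"], r["operationName"], r["repository"])
            for r in records
            if r["category"] == REPO and r["operationName"] in WRITE_OPS
            and r["resultType"] == "Success" and r["identity"] not in WRITE_IDENTITIES]


def run_detections(text):
    """Run every rule over the exported log text and return findings by rule."""
    records = parse_records(text)
    return {"failed_login_bursts": failed_login_bursts(records),
            "off_network_access": off_network_access(records),
            "unexpected_writes": unexpected_writes(records)}


if __name__ == "__main__":
    for rule, findings in run_detections(SAMPLE_LOG).items():
        print(rule, findings)
```

Each finding maps to an alert you would raise from a Log Analytics query; the sliding-window rule is the part most often got wrong when written directly as a query, which is why it is spelled out here.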

2.8: Centralize anti-malware logging

Guidance: Not applicable. Azure Container Registry does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.9: Enable DNS query logging

Guidance: Not applicable. Azure Container Registry is an endpoint and does not initiate communication, and the service does not query DNS.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.10: Enable command-line audit logging

Guidance: Not applicable. Benchmark is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure Active Directory (Azure AD) has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

For each Azure container registry, track whether the built-in admin account is enabled or disabled. Disable the account when not in use.

How to get a directory role in Azure AD with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

How to get members of a directory role in Azure AD with PowerShell: https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrolemember?view=azureadps-2.0

Azure Container Registry admin account: https://docs.azure.cn/container-registry/container-registry-authentication#admin-account

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Azure Active Directory (Azure AD) does not have the concept of default passwords. Other Azure resources requiring a password force a password to be created with complexity requirements and a minimum password length, which differ depending on the service. You are responsible for third-party applications and Marketplace services that may use default passwords.

If the default admin account of an Azure container registry is enabled, complex passwords are automatically created and should be rotated. Disable the account when not in use.

Azure Container Registry admin account: https://docs.azure.cn/container-registry/container-registry-authentication#admin-account

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

Also, create procedures to enable the built-in admin account of a container registry. Disable the account when not in use.

Understand Azure Security Center Identity and Access: https://docs.azure.cn/security-center/security-center-identity-access

Azure Container Registry admin account: https://docs.azure.cn/container-registry/container-registry-authentication#admin-account

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Wherever possible, use Azure Active Directory SSO instead of configuring individual stand-alone credentials per service. Use Azure Security Center Identity and Access Management recommendations.

For individual access to the container registry, use individual login integrated with Azure Active Directory.

Individual login to a container registry: https://docs.azure.cn/container-registry/container-registry-authentication#individual-login-with-azure-ad

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory (Azure AD) multi-factor authentication (MFA) and follow Azure Security Center Identity and Access Management recommendations.

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

How to monitor identity and access within Azure Security Center: https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use PAWs (privileged access workstations) with MFA configured to log into and configure Azure resources.

Learn about Privileged Access Workstations: https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations

How to enable MFA in Azure: https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

Azure Security Center monitoring: N/A

Responsibility: Customer

3.7: Log and alert on suspicious activity from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) security reports for generation of logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.

How to monitor users' identity and access activity in Azure Security Center: https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access from only specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

How to create and configure an Azure AD instance: https://docs.azure.cn/active-directory/fundamentals/active-directory-access-create-new-tenant

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (Azure AD) provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

Understand Azure AD reporting: https://docs.azure.cn/active-directory/reports-monitoring/

How to use Azure identity access reviews: https://docs.azure.cn/active-directory/governance/access-reviews-overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.11: Monitor attempts to access deactivated accounts

Guidance: You have access to Azure Active Directory (Azure AD) Sign-in Activity, Audit and Risk Event log sources, which allow you to integrate with any Security Information and Event Management (SIEM)/monitoring tool.

You can streamline this process by creating Diagnostic Settings for Azure Active Directory user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure the desired alerts within the Log Analytics Workspace.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.12: Alert on account login behavior deviation

Guidance: Use Azure Active Directory (Azure AD) Risk and Identity Protection features to configure automated responses to detected suspicious actions related to user identities.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.13: Provide Azure with access to relevant customer data during support scenarios

Guidance: Not available; Customer Lockbox is not currently supported for Azure Container Registry.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use resource tags to assist in tracking Azure container registries that store or process sensitive information.

Tag and version container images or other artifacts in a registry, and lock images or repositories, to assist in tracking images that store or process sensitive information.

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Recommendations for tagging and versioning container images: https://docs.azure.cn/container-registry/container-registry-image-tag-version

Lock a container image in an Azure container registry: https://docs.azure.cn/container-registry/container-registry-image-lock

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate container registries, subscriptions, and/or management groups for development, test, and production. Resources storing or processing sensitive data should be sufficiently isolated.

Resources should be separated by virtual network or subnet, tagged appropriately, and secured by a network security group (NSG) or Azure Firewall.

How to create management groups: https://docs.azure.cn/governance/management-groups/create

How to create and use tags: https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

How to create an NSG with a security config: https://docs.azure.cn/virtual-network/tutorial-filter-network-traffic

How to deploy Azure Firewall: https://docs.azure.cn/firewall/tutorial-firewall-deploy-portal

How to configure alert or alert and deny with Azure Firewall: https://docs.azure.cn/firewall/threat-intel

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.3:监视和阻止未经授权的敏感信息传输4.3: Monitor and block unauthorized transfer of sensitive information

指导:在网络外围部署一个自动化工具,用于监视敏感信息的未授权传输,并阻止此类传输,同时提醒信息安全专业人员。Guidance: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

对于 Microsoft 管理的底层平台,Azure 会将所有客户内容视为敏感数据,并会全方位地防范客户数据丢失和泄露。For the underlying platform which is managed by Microsoft, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. 为了确保 Azure 中的客户数据保持安全,Azure 已实施并维护一套可靠的数据保护控制机制和功能。To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

了解 Azure 中的客户数据保护: https://docs.azure.cn/security/fundamentals/protection-customer-dataUnderstand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure 安全中心监视:目前不可用Azure Security Center monitoring: Currently not available

责任:共享Responsibility: Shared

4.4:加密传输中的所有敏感信息4.4: Encrypt all sensitive information in transit

指导:确保连接到 Azure 容器注册表的任何客户端能够协商 TLS 1.2 或更高版本。Guidance: Ensure that any clients connecting to your Azure Container Registry are able to negotiate TLS 1.2 or greater. 默认情况下,Azure 资源会协商 TLS 1.2。Azure resources negotiate TLS 1.2 by default.

请按照 Azure 安全中心的建议,了解静态加密和传输中加密(如果适用)。Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.

了解 Azure 的传输中加密: https://docs.azure.cn/security/fundamentals/encryption-overview#encryption-of-data-in-transitUnderstand encryption in transit with Azure: https://docs.azure.cn/security/fundamentals/encryption-overview#encryption-of-data-in-transit

Azure 安全中心监视:是Azure Security Center monitoring: Yes

责任:共享Responsibility: Shared
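The client-side half of control 4.4 is making sure your own tooling cannot fall back below TLS 1.2 when it talks to the registry. The following is an added example (not code from the Azure documentation) showing how a Python client pins that floor with the standard library and how to report the protocol a connection actually negotiated; the registry host name in the usage line is a placeholder you substitute with your registry's login server.

```python
"""Client-side TLS 1.2 floor for registry connections (added example, not
code from the Azure documentation). The host name in the usage line is a
placeholder; substitute your registry's login server."""
import socket
import ssl

_VERSION_NAMES = {
    ssl.TLSVersion.TLSv1: "TLSv1",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def registry_tls_context():
    """Return a client context that verifies the server certificate against
    the system trust store and refuses to negotiate anything older than
    TLS 1.2, regardless of what the underlying OpenSSL build would allow."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_floor_report(ctx=None):
    """Which protocol versions the context is willing to negotiate."""
    if ctx is None:
        ctx = registry_tls_context()
    return {name: version >= ctx.minimum_version
            for version, name in _VERSION_NAMES.items()}


def negotiated_tls_version(host, port=443, timeout=5.0):
    """Connect with the hardened context and report the protocol actually
    negotiated (for example 'TLSv1.2' or 'TLSv1.3'). Needs network access."""
    ctx = registry_tls_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(tls_floor_report())
    # Placeholder host; replace with your registry's login server:
    # print(negotiated_tls_version("<registry-name>.azurecr.cn"))
```

Setting `minimum_version` explicitly is what matters: `create_default_context()` gives sensible defaults on current Python builds, but the floor then depends on the OpenSSL configuration of whatever host runs the client, and an explicit value removes that dependency.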

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Azure Container Registry. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.6: Use Azure RBAC to control access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to control access to data and resources in an Azure container registry.

How to configure Azure RBAC: https://docs.azure.cn/role-based-access-control/role-assignments-portal

Azure Container Registry roles and permissions: https://docs.azure.cn/container-registry/container-registry-roles

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: If required for compliance on compute resources, implement a third-party tool, such as an automated host-based data loss prevention solution, to enforce access controls on data even when data is copied off a system.

For the underlying platform, which is managed by Microsoft, Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Understand customer data protection in Azure: https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.8: Encrypt sensitive information at rest

Guidance: Use encryption at rest on all Azure resources. By default, all data in an Azure container registry is encrypted at rest using Azure-managed keys.

Understand encryption at rest in Azure: https://docs.azure.cn/security/fundamentals/encryption-atrest

Customer-managed keys in Azure Container Registry: https://aka.ms/acr/cmk

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Azure Monitor collects resource logs (formerly called diagnostic logs) for user-driven events in your registry. Collect and consume this data to audit registry authentication events and to provide a complete activity trail on registry artifacts, such as pull and push events, so you can diagnose operational issues with your registry.

Azure Container Registry logs for diagnostic evaluation and auditing: https://docs.azure.cn/container-registry/container-registry-diagnostics-audit-logs

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Follow recommendations from Azure Security Center on performing vulnerability assessments on your container images. Optionally, deploy third-party solutions from Azure Marketplace to perform image vulnerability assessments.

How to implement Azure Security Center vulnerability assessment recommendations: https://docs.azure.cn/security-center/security-center-vulnerability-assessment-recommendations

Azure Container Registry integration with Security Center (Preview): https://docs.azure.cn/security-center/azure-container-registry-integration

Azure Security Center monitoring: Yes

Responsibility: Customer

5.2: Deploy automated operating system patch management solution

Guidance: Azure performs patch management on the underlying systems that support Azure Container Registry.

Automate container image updates when updates to base images from operating system and other patches are detected.

About base image updates for Azure Container Registry tasks: https://docs.azure.cn/container-registry/container-registry-tasks-base-images

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.3: Deploy automated third-party software patch management solution

Guidance: You can use a third-party solution to patch application images. You can also run Azure Container Registry tasks to automate updates to application images in a container registry based on security patches or other updates in base images.

About base image updates for ACR Tasks: https://docs.azure.cn/container-registry/container-registry-tasks-base-images

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.4: Compare back-to-back vulnerability scans

Guidance: Integrate Azure Container Registry (ACR) with Azure Security Center to enable periodic scanning of container images for vulnerabilities. Optionally, deploy third-party solutions from Azure Marketplace to perform periodic image vulnerability scans.

Azure Container Registry integration with Security Center (Preview): https://docs.azure.cn/security-center/azure-container-registry-integration

Azure Security Center monitoring: Yes

Responsibility: Customer

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Integrate Azure Container Registry (ACR) with Azure Security Center to enable periodic scanning of container images for vulnerabilities and to classify risks. Optionally, deploy third-party solutions from Azure Marketplace to perform periodic image vulnerability scans and risk classification.

Azure Container Registry integration with Security Center (Preview): https://docs.azure.cn/security-center/azure-container-registry-integration

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use Azure Resource Graph to query and discover all resources (such as compute, storage, network, ports, and protocols) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

How to view your Azure subscriptions: https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-3.0.0

Understand Azure RBAC: https://docs.azure.cn/role-based-access-control/overview

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Azure Container Registry maintains metadata, including tags and manifests, for images in a registry. Follow recommended practices for tagging artifacts.

About registries, repositories, and images: https://docs.azure.cn/container-registry/container-registry-concepts

Recommendations for tagging and versioning container images: https://docs.azure.cn/container-registry/container-registry-image-tag-version

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Azure Container Registry maintains metadata, including tags and manifests, for images in a registry. Follow recommended practices for tagging artifacts.

About registries, repositories, and images: https://docs.azure.cn/container-registry/container-registry-concepts

Recommendations for tagging and versioning container images: https://docs.azure.cn/container-registry/container-registry-image-tag-version

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Maintain an inventory of approved Azure resources and software titles

Guidance: You will need to create an inventory of approved Azure resources as per your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).

Use Azure Resource Graph to query and discover resources within your subscription(s). Ensure that all Azure resources present in the environment are approved.

Audit compliance of Azure container registries using Azure Policy: https://docs.azure.cn/container-registry/container-registry-azure-policy

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to create queries with Azure Resource Graph: https://docs.azure.cn/governance/resource-graph/first-query-portal

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Analyze and monitor Azure Container Registry logs for anomalous behavior and regularly review the results. Use an Azure Monitor Log Analytics workspace to review logs and perform queries on log data.

Azure Container Registry logs for diagnostic evaluation and auditing: https://docs.azure.cn/container-registry/container-registry-diagnostics-audit-logs

Understand Log Analytics workspaces: https://docs.azure.cn/azure-monitor/log-query/get-started-portal

How to perform custom queries in Azure Monitor: https://docs.azure.cn/azure-monitor/log-query/get-started-queries

Azure Security Center monitoring: Not applicable

Responsibility: Customer
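Controls 4.9 and 6.6 both come down to the same thing: once the registry's resource logs land in a workspace, someone has to turn "audit authentication events and the activity trail" into concrete detections. The block below is an added example (not code from the Azure documentation) of three such detections run over constructed sample records: a burst of failed logins from one address, tag removals and deletions that change what a deployment resolves to, and pushes by an identity outside a publishing allow-list. The record field names (`TimeGenerated`, `Identity`, `CallerIpAddress`, `ResultType`, `OperationName`, `Repository`, `Tag`) are an assumption modelled on the registry's login-event and repository-event log categories; map them onto the columns in your own workspace, and the IP addresses are documentation ranges.

```python
"""Detection logic over Azure Container Registry resource-log records.

Added example, not code from the Azure documentation. The field names are an
assumption modelled on the ACR login-event and repository-event categories;
all records below are constructed samples, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _login(ts, identity, ip, result):
    return {"TimeGenerated": ts, "Identity": identity,
            "CallerIpAddress": ip, "ResultType": result}


def _repo(ts, op, identity, repository, tag):
    return {"TimeGenerated": ts, "OperationName": op, "Identity": identity,
            "Repository": repository, "Tag": tag}


# Constructed login events: normal CI activity, then six failures in five
# minutes from one documentation-range address, then one human typo.
LOGIN_EVENTS = [
    _login("2020-06-01T10:00:00Z", "ci-pipeline", "203.0.113.10", "Success"),
    _login("2020-06-01T10:01:00Z", "ci-pipeline", "203.0.113.10", "Success"),
] + [
    _login(f"2020-06-01T10:0{m}:00Z", "admin", "198.51.100.7", "Failure")
    for m in range(2, 8)
] + [
    _login("2020-06-01T10:30:00Z", "dev-user", "203.0.113.22", "Failure"),
    _login("2020-06-01T10:31:00Z", "dev-user", "203.0.113.22", "Success"),
]

# Constructed repository events: a CI push, a cluster pull, then a push and
# an untag from an identity that is not an approved publisher.
REPO_EVENTS = [
    _repo("2020-06-01T10:05:00Z", "Push", "ci-pipeline", "app/api", "1.4.2"),
    _repo("2020-06-01T10:06:00Z", "Pull", "aks-node-pool", "app/api", "1.4.2"),
    _repo("2020-06-01T10:40:00Z", "Push", "dev-laptop-user", "app/api", "hotfix"),
    _repo("2020-06-01T10:45:00Z", "Untag", "dev-laptop-user", "app/api", "1.4.1"),
]

# Identities allowed to publish images (assumed allow-list for the example).
APPROVED_PUSHERS = {"ci-pipeline"}


def _ts(record):
    return datetime.strptime(record["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map caller IP -> largest number of failed logins seen inside `window`,
    for IPs that reached `threshold` (a credential-guessing signal)."""
    failures = defaultdict(list)
    for e in events:
        if e["ResultType"] != "Success":
            failures[e["CallerIpAddress"]].append(_ts(e))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def destructive_operations(repo_events):
    """Tag removals and deletions change what a deployment will resolve to,
    so each one is worth an alert (control 4.9)."""
    return [e for e in repo_events if e["OperationName"] in {"Delete", "Untag"}]


def unapproved_pushes(repo_events, approved):
    """Pushes by identities outside the publishing allow-list (control 6.6)."""
    return [e for e in repo_events
            if e["OperationName"] == "Push" and e["Identity"] not in approved]


def run_detections(login_events, repo_events, approved):
    return {
        "failed_login_bursts": failed_login_bursts(login_events),
        "destructive_operations": destructive_operations(repo_events),
        "unapproved_pushes": unapproved_pushes(repo_events, approved),
    }


if __name__ == "__main__":
    for name, finding in run_detections(LOGIN_EVENTS, REPO_EVENTS, APPROVED_PUSHERS).items():
        print(name, finding)
```

The same three rules translate directly into scheduled workspace queries; keeping them as plain functions first makes it easy to tune the threshold and window against exported log samples before an alert rule goes live.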

6.7: Remove unapproved Azure resources and software applications

Guidance: Azure Automation provides complete control during deployment, operations, and decommissioning of workloads and resources. You can implement your own solution for removing unauthorized Azure resources.

An introduction to Azure Automation: https://docs.azure.cn/automation/automation-intro

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.8: Use only approved applications

Guidance: Not applicable. The benchmark is designed for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to restrict which services you can provision in your environment.

Audit compliance of Azure container registries using Azure Policy: https://docs.azure.cn/container-registry/container-registry-azure-policy

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to deny a specific resource type with Azure Policy: https://docs.azure.cn/governance/policy/samples/not-allowed-resource-types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Implement approved application list

Guidance: Not applicable. The benchmark is designed for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Use operating system-specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources.

How to configure Conditional Access to block access to Azure Resource Manager: https://docs.azure.cn/role-based-access-control/conditional-access-azure-management

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Use operating system-specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources.

For example, how to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.13: Physically or logically segregate high-risk applications

Guidance: Software that is required for business operations but may incur higher risk for the organization should be isolated within its own virtual machine and/or virtual network and sufficiently secured with either an Azure Firewall or a network security group.

How to create a virtual network: https://docs.azure.cn/virtual-network/quick-create-portal

How to create an NSG with a security config: https://docs.azure.cn/virtual-network/tutorial-filter-network-traffic

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy or Azure Security Center to maintain security configurations for all Azure resources.

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Audit compliance of Azure container registries using Azure Policy: https://docs.azure.cn/container-registry/container-registry-azure-policy

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Use the Azure Security Center recommendation "Remediate vulnerabilities in security configurations on your virtual machines" to maintain security configurations on all compute resources.

How to monitor Azure Security Center recommendations: https://docs.azure.cn/security-center/security-center-recommendations

How to remediate Azure Security Center recommendations: https://docs.azure.cn/security-center/security-center-remediate-recommendations

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure resources.

Audit compliance of Azure container registries using Azure Policy: https://docs.azure.cn/container-registry/container-registry-azure-policy

How to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Understand Azure Policy effects: https://docs.azure.cn/governance/policy/concepts/effects

Azure Security Center monitoring: Not applicable

Responsibility: Customer
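Controls 6.5, 6.9 and 7.3 all rely on Azure Policy rules with a deny effect, and the part that trips people up is predicting which resources a rule will actually block before it is assigned. The block below is an added example (not code from the Azure documentation and not the Azure Policy engine) that shows two rule definitions in the real policy-rule shape, the "not allowed resource types" pattern from the linked sample and a registry-specific network rule, and a deliberately small local evaluator that applies them to constructed resource records. The evaluator covers only `field`, `equals`, `notEquals`, `in`, `notIn`, `exists`, `allOf`, `anyOf`, `not` and `[parameters('...')]` substitution, and its alias lookup simply walks the resource's `properties` object; the `networkRuleSet.defaultAction` alias name is an assumption to verify against the published alias list before assigning the rule for real.

```python
"""Simplified local evaluator for Azure Policy deny rules.

Added example, not code from the Azure documentation and not the Azure
Policy engine itself. Resources and the registry alias are assumptions.
"""
import re

# Rule 1: the "not allowed resource types" pattern (controls 6.5 / 6.9).
NOT_ALLOWED_TYPES_POLICY = {
    "mode": "All",
    "parameters": {"listOfResourceTypesNotAllowed": {"type": "Array"}},
    "policyRule": {
        "if": {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
        "then": {"effect": "deny"},
    },
}

# Rule 2: deny registries whose network rule set does not default to Deny
# (control 7.3). The alias name below is an assumption; verify it against
# the alias list published for Microsoft.ContainerRegistry.
REGISTRY_NETWORK_POLICY = {
    "mode": "Indexed",
    "parameters": {},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.ContainerRegistry/registries"},
            {"field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
             "notEquals": "Deny"},
        ]},
        "then": {"effect": "deny"},
    },
}

# (policy, assignment parameters) pairs, as they would be assigned.
SAMPLE_ASSIGNMENTS = [
    (NOT_ALLOWED_TYPES_POLICY, {"listOfResourceTypesNotAllowed": [
        "Microsoft.ClassicCompute/virtualMachines",
        "Microsoft.ClassicStorage/storageAccounts"]}),
    (REGISTRY_NETWORK_POLICY, {}),
]

# Constructed resource records in the shape of ARM resource JSON.
SAMPLE_RESOURCES = [
    {"name": "acrprod01", "type": "Microsoft.ContainerRegistry/registries",
     "properties": {"networkRuleSet": {"defaultAction": "Deny"}}},
    {"name": "acrdev01", "type": "Microsoft.ContainerRegistry/registries",
     "properties": {"networkRuleSet": {"defaultAction": "Allow"}}},
    {"name": "legacy-vm", "type": "Microsoft.ClassicCompute/virtualMachines",
     "properties": {}},
]


def _resolve(value, params):
    """Expand the "[parameters('name')]" template form used in rules."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", value)
        if m:
            return params[m.group(1)]
    return value


def _norm(v):
    """Azure Policy string comparisons are case-insensitive."""
    return v.lower() if isinstance(v, str) else v


def _field(resource, name):
    """Resolve 'type'/'name'/'location' or a property alias of the form
    <resource type>/<dotted.path> against the resource's properties."""
    if name in ("type", "name", "location"):
        return resource.get(name)
    rtype = resource.get("type", "")
    if not name.lower().startswith(rtype.lower() + "/"):
        return None  # alias belongs to a different resource type
    node = resource.get("properties", {})
    for part in name[len(rtype) + 1:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate(cond, resource, params):
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = _norm(_field(resource, cond["field"]))
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = _resolve(cond[op], params)
            break
    else:
        raise ValueError(f"unsupported condition: {cond}")
    if op == "equals":
        return actual == _norm(expected)
    if op == "notEquals":
        return actual != _norm(expected)
    members = {_norm(x) for x in expected}
    return (actual in members) if op == "in" else (actual not in members)


def effect_for(policy, resource, params):
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else None


def evaluate_all(assignments, resources):
    """Map each resource name to the effects that would apply to it."""
    return {r["name"]: [e for e in (effect_for(p, r, prm) for p, prm in assignments) if e]
            for r in resources}


if __name__ == "__main__":
    print(evaluate_all(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES))
```

Note the `allOf` in the second rule: without the leading type check, the alias resolves to nothing on non-registry resources and `notEquals` would evaluate true for every resource in scope, which is exactly the kind of over-broad deny a dry run like this is meant to surface.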

7.4:维护安全的操作系统配置7.4: Maintain secure operating system configurations

指导:不适用。Guidance: Not applicable. 基准适用于计算资源。Benchmark is intended for compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:共享Responsibility: Shared

7.6:安全存储自定义操作系统映像7.6: Securely store custom operating system images

指导:不适用。Guidance: Not applicable. 基准适用于计算资源。Benchmark applies to compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.7:部署系统配置管理工具7.7: Deploy system configuration management tools

指导:使用 Azure 策略针对系统配置发出警报,以及审核和强制实施系统配置。Guidance: Use Azure Policy to alert, audit, and enforce system configurations. 另外,开发一个用于管理策略例外的流程和管道。Additionally, develop a process and pipeline for managing policy exceptions.

使用 Azure Policy 审核 Azure 容器注册表的合规性: https://docs.azure.cn/container-registry/container-registry-azure-policyAudit compliance of Azure container registries using Azure Policy: https://docs.azure.cn/container-registry/container-registry-azure-policy

如何配置和管理 Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manageHow to configure and manage Azure Policy: https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.8:为操作系统部署系统配置管理工具7.8: Deploy system configuration management tools for operating systems

指导:不适用。Guidance: Not applicable. 基准适用于计算资源。Benchmark applies to compute resources.

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.9:为 Azure 服务实施自动配置监视7.9: Implement automated configuration monitoring for Azure services

指导:使用 Azure 安全中心对 Azure 资源执行基线扫描。Guidance: Use Azure Security Center to perform baseline scans for your Azure Resources.

使用 Azure Policy 对可以在订阅中创建的资源类型施加限制。Use Azure Policy to put restrictions on the type of resources that can be created in your subscription(s).

如何在 Azure 安全中心修正建议: https://docs.azure.cn/security-center/security-center-remediate-recommendationsHow to remediate recommendations in Azure Security Center: https://docs.azure.cn/security-center/security-center-remediate-recommendations

使用 Azure Policy 审核 Azure 容器注册表的合规性: https://docs.azure.cn/container-registry/container-registry-azure-policyAudit compliance of Azure container registries using Azure Policy: https://docs.azure.cn/container-registry/container-registry-azure-policy

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.10:为操作系统实施自动配置监视7.10: Implement automated configuration monitoring for operating systems

指导:不适用。Guidance: Not applicable. 基准适用于计算资源。Benchmark applies to compute resources.

Azure 安全中心监视:是Azure Security Center monitoring: Yes

责任:客户Responsibility: Customer

7.11:安全管理 Azure 机密7.11: Manage Azure secrets securely

指导:将托管服务标识与 Azure Key Vault 结合使用,以便简化和保护云应用程序的机密管理。Guidance: Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your cloud applications.

如何对 Key Vault 进行身份验证: https://docs.azure.cn/key-vault/general/authenticationHow to authenticate to Key Vault: https://docs.azure.cn/key-vault/general/authentication

在 Azure 容器注册表任务中使用 Azure 托管标识: https://docs.azure.cn/container-registry/container-registry-tasks-authentication-managed-identityUse an Azure-managed identity in Azure Container Registry tasks: https://docs.azure.cn/container-registry/container-registry-tasks-authentication-managed-identity

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.12:安全自动管理标识7.12: Manage identities securely and automatically

指导:使用托管标识在 Azure AD 中为 Azure 服务提供自动托管标识。Guidance: Use Managed Identities to provide Azure services with an automatically managed identity in Azure AD. 使用托管标识可以向支持 Azure AD 身份验证的任何服务(包括 Key Vault)进行身份验证,无需在代码中放入任何凭据。Managed Identities allows you to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

如何配置托管标识: https://docs.azure.cn/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmHow to configure Managed Identities: https://docs.azure.cn/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

使用托管标识向 Azure 容器注册表进行身份验证: https://docs.azure.cn/container-registry/container-registry-authentication-managed-identityUse a managed identity to authenticate to an Azure container registry: https://docs.azure.cn/container-registry/container-registry-authentication-managed-identity

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

7.13:消除意外的凭据透露7.13: Eliminate unintended credential exposure

指南:实施凭据扫描程序来识别代码中的凭据。Guidance: Implement Credential Scanner to identify credentials within code. 凭据扫描程序还会建议将发现的凭据转移到更安全的位置,例如 Azure Key Vault。Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

如何设置凭据扫描程序: https://secdevtools.azurewebsites.net/helpcredscan.htmlHow to setup Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

恶意软件防护Malware Defense

有关详细信息,请参阅安全控制:恶意软件防护For more information, see Security Control: Malware Defense.

8.1:使用集中管理的反恶意软件8.1: Use centrally managed anti-malware software

指导:使用适用于 Azure 云服务和虚拟机的 Microsoft Antimalware 来持续监视和保护资源。Guidance: Use Microsoft Antimalware for Azure Cloud Services and Virtual Machines to continuously monitor and defend your resources. 对于 Linux,请使用第三方反恶意软件解决方案。For Linux, use third party antimalware solution.

如何为云服务和虚拟机配置 Microsoft Antimalware: https://docs.azure.cn/security/fundamentals/antimalwareHow to configure Microsoft Antimalware for Cloud Services and Virtual Machines: https://docs.azure.cn/security/fundamentals/antimalware

Azure 安全中心监视:不适用Azure Security Center monitoring: Not applicable

责任:客户Responsibility: Customer

8.2:预先扫描要上传到非计算 Azure 资源的文件8.2: Pre-scan files to be uploaded to non-compute Azure resources

指导:在支持 Azure 服务(例如 Azure 容器注册表)的底层主机上已启用 Microsoft Antimalware,但是,该软件不会针对客户内容运行。Guidance: Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure Container Registry), however it does not run on customer content.

Pre-scan any files being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, etc.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable. This benchmark item is intended for compute resources. Azure handles anti-malware for the underlying platform.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure regular automated back ups

Guidance: The data in your Azure container registry is always automatically replicated to ensure durability and high availability. Azure Container Registry copies your data so that it is protected from planned and unplanned events.

Optionally geo-replicate a container registry to maintain registry replicas in multiple Azure regions.

Geo-replication in Azure Container Registry: https://docs.azure.cn/container-registry/container-registry-geo-replication

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.2: Perform complete system backups and backup any customer managed keys

Guidance: Optionally back up container images by importing them from one registry to another.

Back up customer-managed keys in Azure Key Vault using Azure command-line tools or SDKs.

Import container images to a container registry: https://docs.azure.cn/container-registry/container-registry-import-images

How to back up Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.3: Validate all backups including customer managed keys

Guidance: Test restoration of backed-up customer-managed keys in Azure Key Vault using Azure command-line tools or SDKs.

How to restore Azure Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer managed keys

Guidance: You may enable Soft-Delete in Azure Key Vault to protect keys against accidental or malicious deletion.

How to enable Soft-Delete in Key Vault: https://docs.azure.cn/storage/blobs/storage-blob-soft-delete?tabs=azure-portal

Azure Security Center monitoring: Not applicable

Responsibility: Customer
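The three key-protection items above (9.2 back up the key, 9.3 test the restore, 9.4 soft-delete) form one procedure; the following script is an added example, not part of the baseline or of any Microsoft tooling. It uses the Az module cmdlets (Get-AzKeyVault, Backup-AzKeyVaultKey, Restore-AzKeyVaultKey, Get-AzKeyVaultKey), the successors of the AzureRM cmdlets linked above; the vault names, key name and backup path are hypothetical placeholders.

```powershell
# Added example (not from the baseline): back up a customer-managed key in Key Vault,
# confirm soft-delete protects it, and validate the backup by restoring it into a
# second vault. Uses the Az module cmdlets, successors of the AzureRM cmdlets linked above.
# Vault names, key name and backup path are hypothetical placeholders.
param(
    [string]$SourceVault  = 'kv-acr-cmk-prod',         # vault holding the registry's encryption key
    [string]$RestoreVault = 'kv-acr-cmk-restoretest',  # empty vault, same subscription and geography
    [string]$KeyName      = 'acr-encryption-key',
    [string]$BackupDir    = (Join-Path $env:TEMP 'kv-backups')
)
$ErrorActionPreference = 'Stop'

# 9.4: a backup does not help if the live key can be purged outright; fail if soft-delete is off.
$vault = Get-AzKeyVault -VaultName $SourceVault
if (-not $vault.EnableSoftDelete) {
    throw "Soft-delete is disabled on $SourceVault; enable it before relying on backups."
}
if (-not $vault.EnablePurgeProtection) {
    Write-Warning "Purge protection is off on $SourceVault; a soft-deleted key can still be purged."
}

# 9.2: write the encrypted backup blob (it contains every version of the key) to a dated file.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$blob  = Join-Path $BackupDir "$SourceVault-$KeyName-$stamp.blob"
Backup-AzKeyVaultKey -VaultName $SourceVault -Name $KeyName -OutputFile $blob -Force | Out-Null
Write-Output "Backup written: $blob ($((Get-Item $blob).Length) bytes)"

# 9.3: restore into a separate vault and compare against the live key. The blob can only be
# restored into a vault in the same subscription and geography, and the restore fails if a key
# of the same name already exists (or sits soft-deleted) in the target vault.
$restored = Restore-AzKeyVaultKey -VaultName $RestoreVault -InputFile $blob
$live     = Get-AzKeyVaultKey    -VaultName $SourceVault  -Name $KeyName

$checks = @(
    @{ Name = 'KeyType'; Ok = ($restored.Key.Kty -eq $live.Key.Kty) }
    @{ Name = 'Version'; Ok = ($restored.Version -eq $live.Version) }
    @{ Name = 'Enabled'; Ok = ($restored.Enabled -eq $live.Enabled) }
)
$failed = @($checks | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    throw "Backup validation failed; differing fields: $($failed.Name -join ', ')"
}
Write-Output "Backup validated: $KeyName restored into $RestoreVault matches the live key."
```

Run it from a session already signed in with Connect-AzAccount and holding the Key Vault backup and restore permissions on both vaults; keep the written .blob files in a location protected as strictly as the vault itself.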

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling/management from detection to post-incident review.

How to configure Workflow Automations within Azure Security Center: https://docs.azure.cn/security-center/security-center-planning-and-operations-guide

Guidance on building your own security incident response process: https://msrc-blog.microsoft.com/2019/07/01/inside-the-msrc-building-your-own-security-incident-response-process/

Microsoft Security Response Center's Anatomy of an Incident: https://msrc-blog.microsoft.com/2019/07/01/inside-the-msrc-building-your-own-security-incident-response-process/

Customers may also leverage NIST's Computer Security Incident Handling Guide to aid in the creation of their own incident response plan: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production, non-production) and create a naming system to clearly identify and categorize Azure resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Refer to NIST's publication, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

How to set the Azure Security Center security contact: https://docs.azure.cn/security-center/security-center-provide-security-contact-details

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings within 60 days

Guidance: Follow the Azure Rules of Engagement to ensure your penetration tests are not in violation of Azure policies: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

You can find more information on Azure's strategy and execution of Red Teaming and live-site penetration testing against Azure-managed cloud infrastructure, services, and applications here: https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps