Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in Azure Security Benchmark v1. For more information about this compliance standard, see Azure Security Benchmark v1. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the Azure Security Benchmark v1 controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the Azure Security Benchmark v1 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Network Security

Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

ID: Azure Security Benchmark 1.1 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
| Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
| Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0 |

Monitor and log the configuration and traffic of Vnets, Subnets, and NICs

ID: Azure Security Benchmark 1.2 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. | AuditIfNotExists, Disabled | 2.0.0 |

Protect critical web applications

ID: Azure Security Benchmark 1.3 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |

Deny communications with known malicious IP addresses

ID: Azure Security Benchmark 1.4 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0 |
| Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |

Record network packets and flow logs

ID: Azure Security Benchmark 1.5 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. | AuditIfNotExists, Disabled | 2.0.0 |

Logging and Monitoring

Configure central security log management

ID: Azure Security Benchmark 2.2 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 1.0.0 |
| The Log Analytics agent should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0 |

Enable audit logging for Azure resources

ID: Azure Security Benchmark 2.3 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit diagnostic setting | Audit diagnostic setting for selected resource types | AuditIfNotExists | 1.0.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised | AuditIfNotExists, Disabled | 2.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 4.0.1 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.1 |
| SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging | AuditIfNotExists, Disabled | 1.0.0 |

Collect security logs from operating systems

ID: Azure Security Benchmark 2.4 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| The Log Analytics agent should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0 |

Configure security log storage retention

ID: Azure Security Benchmark 2.5 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |

Enable alerts for anomalous activity

ID: Azure Security Benchmark 2.7 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.0 |

Centralize anti-malware logging

ID: Azure Security Benchmark 2.8 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |

Identity and Access Control

Maintain an inventory of administrative accounts

ID: Azure Security Benchmark 3.1 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |

Use dedicated administrative accounts

ID: Azure Security Benchmark 3.3 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |

Use multi-factor authentication for all Azure Active Directory based access

ID: Azure Security Benchmark 3.5 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |

Use Azure Active Directory

ID: Azure Security Benchmark 3.9 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Azure services | AuditIfNotExists, Disabled | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |

Regularly review and reconcile user access

ID: Azure Security Benchmark 3.10 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |

Data Protection

Maintain an inventory of sensitive information

ID: Azure Security Benchmark 4.1 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 3.0.0-preview |

Encrypt all sensitive information in transit

ID: Azure Security Benchmark 4.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Latest TLS version should be used in your API App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Function App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Web App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0 |
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |

Use an active discovery tool to identify sensitive data

ID: Azure Security Benchmark 4.5 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.0 |
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 3.0.0-preview |

Use Azure RBAC to control access to resources

ID: Azure Security Benchmark 4.6 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.2 |

Encrypt sensitive information at rest

ID: Azure Security Benchmark 4.8 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
| Disk encryption should be applied on virtual machines | Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. | Audit, Deny, Disabled | 1.1.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | AuditIfNotExists, Disabled | 1.0.2 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | AuditIfNotExists, Disabled | 2.0.1 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0 |
| Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Audit, Disabled | 1.0.0 |

Log and alert on changes to critical Azure resources

ID: Azure Security Benchmark 4.9 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 1.0.0 |

Vulnerability Management

Run automated vulnerability scanning tools

ID: Azure Security Benchmark 5.1 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0 |

Deploy automated operating system patch management solution

ID: Azure Security Benchmark 5.2 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 3.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 4.0.0 |

Deploy automated third-party software patch management solution

ID: Azure Security Benchmark 5.3 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 3.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 3.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 3.0.0 |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. | Audit, Disabled | 1.0.2 |

Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

ID: Azure Security Benchmark 5.5 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.0.0 |

Inventory and Asset Management

Use only approved applications

ID: Azure Security Benchmark 6.8 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |

Use only approved Azure services

ID: Azure Security Benchmark 6.9 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |

Implement approved application list

ID: Azure Security Benchmark 6.10 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |

Secure Configuration

Maintain secure operating system configurations

ID: Azure Security Benchmark 7.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |

Implement automated configuration monitoring for operating systems

ID: Azure Security Benchmark 7.10 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |

Manage Azure secrets securely

ID: Azure Security Benchmark 7.11 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Azure will be able to purge your key vaults during the soft delete retention period. | Audit, Deny, Disabled | 1.1.1 |

Manage identities securely and automatically

ID: Azure Security Benchmark 7.12 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |

Malware Defense

Use centrally managed anti-malware software

ID: Azure Security Benchmark 8.1 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |

Ensure anti-malware software and signatures are updated

ID: Azure Security Benchmark 8.3 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 |

Data Recovery

Ensure regular automated backups

ID: Azure Security Benchmark 9.1 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost-effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |

Perform complete system backups and back up any customer-managed keys

ID: Azure Security Benchmark 9.2 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost-effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |

Ensure protection of backups and customer-managed keys

ID: Azure Security Benchmark 9.4 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft-deleted key vaults. No one inside your organization or Azure will be able to purge your key vaults during the soft-delete retention period. | Audit, Deny, Disabled | 1.1.1 |

Incident Response

Provide security incident contact details and configure alert notifications for security incidents

ID: Azure Security Benchmark 10.4 Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |

Note

Availability of specific Azure Policy definitions may vary in Azure China Cloud and other national clouds.

Next steps

Additional articles about Azure Policy: