Azure Policy built-in policy definitions

This page is an index of Azure Policy built-in policy definitions.

The name of each built-in links to the policy definition in the Azure portal. Use the link in the Source column to view the source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in metadata. To jump to a specific category, use the menu on the right side of the page. Otherwise, use Ctrl-F to use your browser's search feature.

App Service

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 | Link |
| Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 | Link |
| Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 | Link |
| Ensure that '.NET Framework' version is the latest, if used as a part of the API app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET Framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET Framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | Periodically, newer versions are released for .NET Framework software either due to security flaws or to include additional functionality. Using the latest .NET Framework version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'HTTP Version' is the latest, if used to run the Web app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.1 | Link |
| Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'PHP version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'PHP version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that Register with Azure Active Directory is enabled on API app | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that Register with Azure Active Directory is enabled on Function App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure that Register with Azure Active Directory is enabled on Web App | Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Ensure Web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 | Link |
| FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 | Link |
| Latest TLS version should be used in your API App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Latest TLS version should be used in your Function App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Latest TLS version should be used in your Web App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 | Link |

Automation

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Disabled | 1.0.0 | Link |

Backup

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Azure Backup should be enabled for Virtual Machines | This policy helps audit if the Azure Backup service is enabled for all virtual machines. Azure Backup is a cost-effective, one-click backup solution that simplifies data recovery and is easier to enable than other cloud backup services. | AuditIfNotExists, Disabled | 1.0.0 | Link |

Batch

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Diagnostic logs in Batch accounts should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |
| Metric alert rules should be configured on Batch accounts | Audit configuration of metric alert rules on Batch accounts to enable the required metric. | AuditIfNotExists, Disabled | 1.0.0 | Link |

Cache

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Only secure connections to your Redis Cache should be enabled | Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Audit, Deny, Disabled | 1.0.0 | Link |

Compute

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Allowed virtual machine SKUs | This policy enables you to specify a set of virtual machine SKUs that your organization can deploy. | Deny | 1.0.0 | Link |
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit Site Recovery. | auditIfNotExists | 1.0.0 | Link |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | audit | 1.0.0 | Link |
| Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.0.0 | Link |
| Diagnostic logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Microsoft IaaSAntimalware extension should be deployed on Windows servers | This policy audits any Windows server VM without the Microsoft IaaSAntimalware extension deployed. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Only approved VM extensions should be installed | This policy governs the virtual machine extensions that are not approved. | Audit, Deny, Disabled | 1.0.0 | Link |
| Require automatic OS image patching on Virtual Machine Scale Sets | This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep virtual machines secure by safely applying the latest security patches every month. | deny | 1.0.0 | Link |
| Unattached disks should be encrypted | This policy audits any unattached disk without encryption enabled. | Audit, Disabled | 1.0.0 | Link |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 | Link |

Container Registry

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Container Registries should be encrypted with a Customer-Managed Key (CMK) | Audit Container Registries that do not have encryption enabled with Customer-Managed Keys (CMK). For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Audit, Disabled | 1.0.0-preview | Link |
| Container Registries should not allow unrestricted network access | Audit Container Registries that do not have any network (IP or VNET) rules configured and allow all network access by default. Container Registries with at least one IP/firewall rule or a configured virtual network will be deemed compliant. For more information on Container Registry network rules, please visit: https://aka.ms/acr/vnet. | Audit, Disabled | 1.0.0-preview | Link |

Event Hub

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace-level access policy that provides access to all queues and topics in a namespace. To align with the least-privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. | Audit, Deny, Disabled | 1.0.1 | Link |
| Authorization rules on the Event Hub instance should be defined | Audit existence of authorization rules on Event Hub entities to grant least-privileged access. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Diagnostic logs in Event Hub should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |

General

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Allowed locations | This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | deny | 1.0.0 | Link |
| Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | deny | 1.0.0 | Link |
| Allowed resource types | This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources, please duplicate this policy and change the 'mode' to 'All'. | deny | 1.0.0 | Link |
| Audit resource location matches resource group location | Audit that the resource location matches its resource group location. | audit | 1.0.0 | Link |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 | Link |
| Custom subscription owner roles should not exist | This policy ensures that no custom subscription owner roles exist. | Audit, Disabled | 1.0.0 | Link |
| Not allowed resource types | This policy enables you to specify the resource types that your organization cannot deploy. | Deny | 1.0.0 | Link |

Guest Configuration

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit Guest Configuration. | deployIfNotExists | 1.1.0-preview | Link |
| Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit Guest Configuration. | deployIfNotExists | 1.1.0-preview | Link |
| Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit Guest Configuration. | deployIfNotExists | 1.1.0 | Link |
| Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit Guest Configuration. | deployIfNotExists | 1.1.0-preview | Link |
| Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit Guest Configuration. | deployIfNotExists | 1.1.0 | Link |
| Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit Guest Configuration. | deployIfNotExists | 1.0.0 | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in the Group Policy category 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit Guest Configuration. | deployIfNotExists | 1.0.0-preview | Link |
| Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in the Group Policy category 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit Guest Configuration. | deployIfNotExists | 1.0.1-preview | Link |
部署必备组件用于审核“管理模板 - 网络”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“管理模板 - 网络”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“管理模板 - 系统”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“管理模板 - 系统”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 帐户”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 帐户”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 审核”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 审核”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 设备”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 设备”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 交互式登录”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 交互式登录”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - Microsoft 网络客户端”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - Microsoft 网络客户端”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - Microsoft 网络服务器”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - Microsoft 网络服务器”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 网络访问”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 网络访问”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 网络安全性”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 网络安全性”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 恢复控制台”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 恢复控制台”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 关机”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 关机”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 系统对象”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 系统对象”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 系统设置”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 系统设置”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全选项 - 用户帐户控制”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全选项 - 用户帐户控制”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“安全设置 - 帐户策略”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“安全设置 - 帐户策略”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“系统审核策略 - 帐户登录”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“系统审核策略 - 帐户登录”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“系统审核策略 - 帐户管理”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“系统审核策略 - 帐户管理”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“系统审核策略 - 详细跟踪”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“系统审核策略 - 详细跟踪”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“系统审核策略 - 登录-注销”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“系统审核策略 - 登录-注销”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“系统审核策略 - 对象访问”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“系统审核策略 - 对象访问”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“系统审核策略 - 策略更改”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“系统审核策略 - 策略更改”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“系统审核策略 - 特权使用”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“系统审核策略 - 特权使用”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“系统审核策略 - 系统”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“系统审核策略 - 系统”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“用户权限分配”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“用户权限分配”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“Windows 组件”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“Windows 组件”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核“Windows 防火墙属性”中的 Windows VM 配置Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' 此策略创建一个 Guest Configuration 分配用于审核以下组策略类别中采用不合规设置的 Windows 虚拟机:“Windows 防火墙属性”。This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件来审核其“管理员”组包含任意指定成员的 Windows VMDeploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members 此策略创建一个 Guest Configuration 分配用于审核其“管理员”组包含任意指定成员的 Windows 虚拟机。This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.01.0.0 链接Link
部署必备组件以审核其“管理员”组不包含所有指定成员的 Windows VMDeploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members 此策略创建一个 Guest Configuration 分配用于审核其“管理员”组不包含所有指定成员的 Windows 虚拟机。This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.01.0.0 链接Link
部署必备组件来审核“管理员”组不只包含指定成员的 Windows VMDeploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members 此策略创建一个 Guest Configuration 分配用于审核其“管理员”组不只包含指定成员的 Windows 虚拟机。This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.01.0.0 链接Link
部署必备组件用于审核 DSC 配置不合规的 Windows VMDeploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant 此策略创建一个 Guest Configuration 分配用于审核 Desired State Configuration (DSC) 配置不合规的 Windows VM。This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. 此策略仅适用于包含 WMF 4 和更高版本的计算机。This policy is only applicable to machines with WMF 4 and above. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
部署必备组件用于审核其上 Log Analytics 代理未按预期连接的 Windows VMDeploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected 此策略创建一个 Guest Configuration 分配用于审核其上 Log Analytics 代理未连接到指定工作区的 Windows 虚拟机。This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 它还会创建系统分配的托管标识,并部署 Guest Configuration 的 VM 扩展。It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. 此策略应结合计划中的相应审核策略一起使用。This policy should only be used along with its corresponding audit policy in an initiative. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration deployIfNotExistsdeployIfNotExists 1.0.0-preview1.0.0-preview 链接Link
Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that are not joined to the specified domain | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to audit Windows VMs that are not set to the specified time zone | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy | This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0-preview | Link
Deploy prerequisites to audit Windows VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to audit Windows VMs with a pending reboot | This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.1.0 | Link
Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit guest configuration. | deployIfNotExists | 1.0.0 | Link
Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.1.0-preview | Link
Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.1.0-preview | Link
Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.1.0 | Link
Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.1.0-preview | Link
Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.1.0 | Link
Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0 | Link
Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.1-preview | Link
Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit guest configuration. | auditIfNotExists | 1.0.0-preview | Link
显示“系统审核策略 - 策略更改”中 Windows VM 配置的审核结果Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理以下组策略类别中采用不合规设置的 Windows 虚拟机的审核结果:“系统审核策略 - 策略更改”。This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示“系统审核策略 - 特权使用”中 Windows VM 配置的审核结果Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理以下组策略类别中采用不合规设置的 Windows 虚拟机的审核结果:“系统审核策略 - 特权使用”。This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示“系统审核策略 - 系统”中 Windows VM 配置的审核结果Show audit results from Windows VMs configurations in 'System Audit Policies - System' 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理以下组策略类别中采用不合规设置的 Windows 虚拟机的审核结果:“系统审核策略 - 系统”。This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示“用户权限分配”中 Windows VM 配置的审核结果Show audit results from Windows VMs configurations in 'User Rights Assignment' 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理以下组策略类别中采用不合规设置的 Windows 虚拟机的审核结果:“用户权限分配”。This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示“Windows 组件”中 Windows VM 配置的审核结果Show audit results from Windows VMs configurations in 'Windows Components' 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理以下组策略类别中采用不合规设置的 Windows 虚拟机的审核结果:“Windows 组件”。This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示“Windows 防火墙属性”中 Windows VM 配置的审核结果Show audit results from Windows VMs configurations in 'Windows Firewall Properties' 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理以下组策略类别中采用不合规设置的 Windows 虚拟机的审核结果:“Windows 防火墙属性”。This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示其“管理员”组包含任意指定成员的 Windows VM 的审核结果Show audit results from Windows VMs in which the Administrators group contains any of the specified members 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理其“管理员”组包含任意指定成员的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示其“管理员”组不包含所有指定成员的 Windows VM 的审核结果Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理其“管理员”组不包含所有指定成员的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示其“管理员”组不只包含指定成员的 Windows VM 的审核结果Show audit results from Windows VMs in which the Administrators group does not contain only the specified members 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理其“管理员”组不只包含指定成员的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示审核 DSC 配置不符合要求的 Windows VM 的结果Show audit results from Windows VMs on which the DSC configuration is not compliant 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理 Desired State Configuration (DSC) 配置不合规的 Windows VM 的审核结果。This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. 此策略仅适用于包含 WMF 4 和更高版本的计算机。This policy is only applicable to machines with WMF 4 and above. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示其上 Log Analytics 代理未按预期连接的 Windows VM 的审核结果Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理其上 Log Analytics 代理未连接到指定工作区的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示远程主机连接状态与指定状态不匹配的 Windows VM 的审核结果Show audit results from Windows VMs on which the remote host connection status does not match the specified one 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理远程主机连接状态与指定状态不匹配的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示未安装指定服务且“正在运行”的 Windows VM 的审核结果Show audit results from Windows VMs on which the specified services are not installed and 'Running' 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未安装指定服务且“正在运行”的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示未启用 Windows Defender 攻击防护的 Windows VM 的审核结果Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未启用 Windows Defender 攻击防护的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示允许重用之前的 24 个密码的 Windows VM 的审核结果Show audit results from Windows VMs that allow re-use of the previous 24 passwords 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义可让 Azure Policy 处理允许重用之前的 24 个密码的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示未加入指定域的 Windows VM 的审核结果Show audit results from Windows VMs that are not joined to the specified domain 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未加入指定域的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示未设置为指定时区的 Windows VM 的审核结果Show audit results from Windows VMs that are not set to the specified time zone 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未设置为指定时区的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示包含在指定天数内过期的证书的 Windows VM 的审核结果Show audit results from Windows VMs that contain certificates expiring within the specified number of days 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理包含在指定天数内过期的证书的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示在受信任的根中不包含指定证书的 Windows VM 的审核结果Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理在受信任的根证书颁发机构证书存储 (Cert:\LocalMachine\Root) 中不包含指定证书的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示未将最长密码期限设为 70 天的 Windows VM 中的审核结果Show audit results from Windows VMs that do not have a maximum password age of 70 days 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未将最长密码期限设为 70 天的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示未将最短密码期限设为 1 天的 Windows VM 的审核结果Show audit results from Windows VMs that do not have a minimum password age of 1 day 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未将最短密码期限设为 1 天的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示未启用密码复杂性设置的 Windows VM 的审核结果Show audit results from Windows VMs that do not have the password complexity setting enabled 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未启用密码复杂性设置的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示未安装指定应用程序的 Windows VM 的审核结果Show audit results from Windows VMs that do not have the specified applications installed 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未安装指定应用程序的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示不具有指定 Windows PowerShell 执行策略的 Windows VM 的审核结果Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未在其中将 Windows PowerShell 配置为使用指定 PowerShell 执行策略的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示未安装指定 Windows PowerShell 模块的 Windows VM 的审核结果Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未安装指定 Windows PowerShell 模块的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示未将最短密码长度限制为 14 个字符的 Windows VM 的审核结果Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未将最短密码长度限制为 14 个字符的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示未存储使用可逆加密的密码的 Windows VM 的审核结果Show audit results from Windows VMs that do not store passwords using reversible encryption 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未存储使用可逆加密的密码的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示未在指定天数内重启的 Windows VM 的审核结果Show audit results from Windows VMs that have not restarted within the specified number of days 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未在指定天数内重启的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.0-preview1.0.0-preview 链接Link
显示安装了指定应用程序的 Windows VM 的审核结果Show audit results from Windows VMs that have the specified applications installed 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理安装了指定应用程序的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示等待重新启动的 Windows VM 的审核结果Show audit results from Windows VMs with a pending reboot 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理等待重新启动的 Windows 虚拟机的审核结果。This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link
显示未使用安全通信协议的 Windows Web 服务器的审核结果Show audit results from Windows web servers that are not using secure communication protocols 此策略应结合计划中的相应部署策略一起使用。This policy should only be used along with its corresponding deploy policy in an initiative. 此定义允许 Azure Policy 处理未使用安全通信协议(TLS 1.1 或 TLS 1.2)的 Windows Web 服务器的审核结果。This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). 有关 Guest Configuration 策略的详细信息,请访问来宾配置For more information on Guest Configuration policies, please visit guest configuration auditIfNotExistsauditIfNotExists 1.0.01.0.0 链接Link

Internet of Things

Name Description Effect(s) Version GitHub
Diagnostic logs in IoT Hub should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 2.0.0 Link

Key Vault

Name Description Effect(s) Version GitHub
Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault that is missing these diagnostic settings is created or updated. deployIfNotExists 2.0.0 Link
Diagnostic logs in Key Vault should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 1.0.0 Link
Key Vault objects should be recoverable This policy audits whether key vault objects are not recoverable. The Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in the deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed. Audit, Disabled 1.0.0 Link
Manage allowed certificate key types This policy manages the allowed key types for certificates. audit, deny, disabled 1.0.0-preview Link

Logic Apps

Name Description Effect(s) Version GitHub
Diagnostic logs in Logic Apps should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 2.0.0 Link

Monitoring

Name Description Effect(s) Version GitHub
[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.0-preview Link
Activity log should be retained for at least one year This policy audits the activity log if the retention is not set to 365 days or forever (retention days set to 0). AuditIfNotExists, Disabled 1.0.0 Link
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0 Link
An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0 Link
An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0 Link
Audit Dependency agent deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.1 Link
Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.1 Link
Audit diagnostic setting Audit diagnostic setting for selected resource types. AuditIfNotExists 1.0.0 Link
Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. auditIfNotExists 1.0.1 Link
Audit Log Analytics workspace for VM - Report Mismatch Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. audit 1.0.1 Link
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'. AuditIfNotExists, Disabled 1.0.0 Link
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions, including global. AuditIfNotExists, Disabled 1.0.0 Link
Azure Monitor solution 'Security and Audit' must be deployed This policy ensures that Security and Audit is deployed. AuditIfNotExists, Disabled 1.0.0 Link
Azure subscriptions should have a log profile for Activity Log This policy ensures that a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. AuditIfNotExists, Disabled 1.0.0 Link
Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 1.0.1 Link
Deploy Dependency agent for Linux VMs Deploy Dependency agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExists 1.0.1 Link
Deploy Dependency agent for Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 1.0.1 Link
Deploy Dependency agent for Windows VMs Deploy Dependency agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. deployIfNotExists 1.0.1 Link
Deploy Diagnostic Settings for Batch Account to Event Hub Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0 Link
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 that is missing these diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0 Link
将事件中心的诊断设置部署到事件中心Deploy Diagnostic Settings for Event Hub to Event Hub 在创建或更新缺少事件中心的诊断设置的任何事件中心时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0 链接Link
将事件中心的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Event Hub to Log Analytics workspace 在创建或更新缺少事件中心的诊断设置的任何事件中心时,将此诊断设置流式部署到 Log Analytics 工作区。Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0 链接Link
将 Key Vault 的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Key Vault to Log Analytics workspace 在创建或更新缺少 Key Vault 的诊断设置的 Key Vault 时,将此诊断设置流式部署到 Log Analytics 工作区。Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0 链接Link
将逻辑应用的诊断设置部署到事件中心Deploy Diagnostic Settings for Logic Apps to Event Hub 在创建或更新缺少逻辑应用的诊断设置的任何逻辑应用时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0 链接Link
将逻辑应用的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace 在创建或更新缺少逻辑应用的诊断设置的任何逻辑应用时,将此诊断设置流式部署到 Log Analytics 工作区。Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0 链接Link
为网络安全组部署诊断设置Deploy Diagnostic Settings for Network Security Groups 此策略自动将诊断设置部署到网络安全组。This policy automatically deploys diagnostic settings to network security groups. 将自动创建名为“{storagePrefixParameter}{NSGLocation}”的存储帐户。A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. deployIfNotExistsdeployIfNotExists 1.0.01.0.0 链接Link
将搜索服务的诊断设置部署到事件中心Deploy Diagnostic Settings for Search Services to Event Hub 在创建或更新缺少搜索服务的诊断设置的任何搜索服务时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0 链接Link
将搜索服务的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Search Services to Log Analytics workspace 在创建或更新缺少搜索服务的诊断设置的任何搜索服务时,将此诊断设置流式部署到区域 Log Analytics 工作区。Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0 链接Link
将服务总线的诊断设置部署到事件中心Deploy Diagnostic Settings for Service Bus to Event Hub 在创建或更新缺少服务总线的诊断设置的任何服务总线时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0 链接Link
将服务总线的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Service Bus to Log Analytics workspace 在创建或更新缺少服务总线的诊断设置的任何服务总线时,将此诊断设置流式部署到区域 Log Analytics 工作区。Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0 链接Link
将流分析的诊断设置部署到事件中心Deploy Diagnostic Settings for Stream Analytics to Event Hub 在创建或更新缺少流分析的诊断设置的任何流分析时,将此诊断设置流式部署到区域事件中心。Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 2.0.02.0.0 链接Link
将流分析的诊断设置部署到 Log Analytics 工作区Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace 在创建或更新缺少流分析的诊断设置的任何流分析时,将此诊断设置流式部署到区域 Log Analytics 工作区。Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists、DisabledDeployIfNotExists, Disabled 1.0.01.0.0 链接Link
为 Linux 虚拟机规模集部署 Log Analytics 代理Deploy Log Analytics agent for Linux virtual machine scale sets 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Linux 虚拟机规模集部署 Log Analytics 代理。Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. 注意:如果规模集 upgradePolicy 设置为“Manual”,则需要通过对规模集调用升级将扩展应用到集中的所有 VM。Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 在 CLI 中,此命令为 az vmss update-instances。In CLI this would be az vmss update-instances. deployIfNotExistsdeployIfNotExists 1.0.11.0.1 链接Link
为 Linux VM 部署 Log Analytics 代理Deploy Log Analytics agent for Linux VMs 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Linux VM 部署 Log Analytics 代理。Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExistsdeployIfNotExists 1.0.11.0.1 链接Link
为 Windows 虚拟机规模集部署 Log Analytics 代理Deploy Log Analytics agent for Windows virtual machine scale sets 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Windows 虚拟机规模集部署 Log Analytics 代理。Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. OS 映像列表将随着支持的更新而不断更新。The list of OS images will be updated over time as support is updated. 注意:如果规模集 upgradePolicy 设置为“手动”,则需要通过对 VM 调用升级将扩展应用到集中的所有 VM。Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 在 CLI 中,此命令为 az vmss update-instances。In CLI this would be az vmss update-instances. deployIfNotExistsdeployIfNotExists 1.0.11.0.1 链接Link
为 Windows VM 部署 Log Analytics 代理Deploy Log Analytics agent for Windows VMs 如果 VM 映像 (OS) 位于定义的列表中且未安装代理,请为 Windows VM 部署 Log Analytics 代理。Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. OS 映像列表将随着支持的更新而不断更新。The list of OS images will be updated over time as support is updated. deployIfNotExistsdeployIfNotExists 1.0.11.0.1 链接Link
应在 Linux 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Linux virtual machines 安全中心使用 Microsoft Monitoring Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,例如网络映射上的流量可视化效果、网络强化建议和特定网络威胁。Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.0-preview1.0.0-preview 链接Link
应在 Windows 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Windows virtual machines 安全中心使用 Microsoft Monitoring Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,例如网络映射上的流量可视化效果、网络强化建议和特定网络威胁。Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.0-preview1.0.0-preview 链接Link
必须使用 BYOK 对包含具有活动日志的容器的存储帐户进行加密Storage account containing the container with activity logs must be encrypted with BYOK 此策略审核是否已使用 BYOK 对包含具有活动日志的容器的存储帐户进行加密。This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. 仅当存储帐户在设计上依赖于与活动日志相同的订阅时,此策略才起作用。The policy works only if the storage account lies on the same subscription as activity logs by design. 有关 Azure 存储静态加密的详细信息,请参阅存储加密密钥门户More information on Azure Storage encryption at rest can be found here storage encryption keys portal. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0 链接Link
应在虚拟机规模集上安装 Log Analytics 代理The Log Analytics agent should be installed on Virtual Machine Scale Sets 此策略审核是否有任何 Windows/Linux 虚拟机规模集未安装 Log Analytics 代理。This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0 链接Link
应在虚拟机上安装 Log Analytics 代理The Log Analytics agent should be installed on virtual machines 此策略审核是否有任何 Windows/Linux 虚拟机未安装 Log Analytics 代理。This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0 链接Link

Network

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | This policy ensures that all Azure virtual network gateway connections use a custom Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) policy. Supported algorithms and key strengths | Audit, Disabled | 1.0.0 | Link |
| App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Azure VPN gateways should not use 'basic' SKU | This policy ensures that VPN gateways do not use the 'basic' SKU. | Audit, Disabled | 1.0.0 | Link |
| Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview | Link |
| Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 | Link |
| Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure the existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 | Link |
| Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Gateway subnets should not be configured with a network security group | This policy denies the request if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 | Link |
| Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 | Link |
| Network interfaces should disable IP forwarding | This policy denies network interfaces that have IP forwarding enabled. The IP forwarding setting disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team. | deny | 1.0.0 | Link |
| Network interfaces should not have public IPs | This policy denies network interfaces that are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team. | deny | 1.0.0 | Link |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end network-level view. The network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure. | auditIfNotExists | 1.0.0 | Link |
| RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from the Internet. | Audit, Disabled | 2.0.0 | Link |
| Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from the Internet. | Audit, Disabled | 2.0.0 | Link |
| Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 | Link |
| Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 | Link |
| Virtual networks should use specified virtual network gateway | This policy audits any virtual network whose default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0 | Link |

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Diagnostic logs in Search services should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |

Security Center

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| [Preview]: IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 1.0.0-preview | Link |
| [Preview]: Pod Security Policies should be defined on Kubernetes Services | Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access. | Audit, Disabled | 1.0.0-preview | Link |
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| A security contact email address should be provided for your subscription | Enter an email address to receive notifications when Azure Security Center detects compromised resources. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| A security contact phone number should be provided for your subscription | Enter a phone number to receive notifications when Azure Security Center detects compromised resources. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Access through Internet facing endpoint should be restricted | Azure Security Center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Adaptive Application Controls should be enabled on virtual machines | Possible Application Whitelist configuration will be monitored by Azure Security Center. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 1.0.1-preview | Link |
| Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription | Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Disk encryption should be applied on virtual machines | VMs without disk encryption enabled will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Email notification for high severity alerts should be enabled | Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risks. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Email notification to subscription owner for high severity alerts should be enabled | Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard) will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | deployIfNotExists | 1.0.0 | Link |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Internet-facing virtual machines should be protected with Network Security Groups | Protect your VM from potential threats by restricting access to it with a Network Security Group (NSG). To learn more about controlling traffic with NSGs, visit security overview | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Just-In-Time network access control should be applied on virtual machines | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Management ports should be closed on your virtual machines | Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| MFA should be enabled on accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Security Center standard pricing tier should be selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. | Audit, Disabled | 1.0.0 | Link |
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 1.0.0-preview | Link |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display them as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by a Vulnerability Assessment solution, and VMs without a Vulnerability Assessment solution, in Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 1.0.0 | Link |

Service Bus

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace | Service Bus clients should not use a namespace-level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity. | Audit, Deny, Disabled | 1.0.1 | Link |
| Diagnostic logs in Service Bus should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |

Service Fabric

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. | Audit, Disabled | 1.0.0 | Link |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Disabled | 1.0.0 | Link |

SQL

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Advanced data security settings for SQL managed instance should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL managed instances. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security should be enabled on your SQL managed instances | Audit SQL managed instances without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without connection throttling enabled. This setting enables temporary connection throttling per IP after too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account, with a 'sqlva' prefix, in the same region and resource group as the SQL server to store scan results. | DeployIfNotExists | 1.0.0 | Link |
| Deploy Auditing on SQL servers | This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records. | DeployIfNotExists | 1.0.0 | Link |
| Deploy Diagnostic Settings for Azure SQL Database to Event Hub | Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub whenever an Azure SQL Database that is missing these diagnostic settings is created or updated. | DeployIfNotExists | 1.0.0 | Link |
| Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases. | DeployIfNotExists | 1.0.0 | Link |
| Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | DeployIfNotExists | 1.0.0 | Link |
| Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instances are reported to the admins as soon as possible. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL servers are reported to the admins as soon as possible. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Enforce SSL connection should be enabled for MySQL database servers | This policy audits any MySQL server that is not enforcing SSL connections. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. | Audit, Disabled | 1.0.0 | Link |
| Enforce SSL connection should be enabled for PostgreSQL database servers | This policy audits any PostgreSQL server that is not enforcing SSL connections. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man-in-the-middle' attacks by encrypting the data stream between the server and your application. | Audit, Disabled | 1.0.0 | Link |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | This policy audits any Azure Database for MariaDB with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0 | Link |
| Geo-redundant backup should be enabled for Azure Database for MySQL | This policy audits any Azure Database for MySQL with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0 | Link |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | This policy audits any Azure Database for PostgreSQL with geo-redundant backup not enabled. | Audit, Disabled | 1.0.0 | Link |
| Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_duration setting enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| MariaDB server should use a virtual network service endpoint | This policy helps audit any MariaDB server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| MySQL server should use a virtual network service endpoint | This policy helps audit any MySQL server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| PostgreSQL server should use a virtual network service endpoint | This policy helps audit any PostgreSQL server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Private endpoint should be enabled for MariaDB servers | This policy helps audit any MariaDB server not configured to use a private endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Private endpoint should be enabled for MySQL servers | This policy helps audit any MySQL server not configured to use a private endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Private endpoint should be enabled for PostgreSQL servers | This policy helps audit any PostgreSQL server not configured to use a private endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP and BATCH_COMPLETED_GROUP to ensure thorough audit logging. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL managed instance TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL server TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL servers should be configured with auditing retention days greater than 90 days. | Audit SQL servers configured with an auditing retention period of less than 90 days. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data at rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives a scan result summary after a periodic scan runs on SQL servers. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability assessment should be enabled on your SQL managed instances | Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |

Storage

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Allowed storage account SKUs | This policy enables you to specify a set of storage account SKUs that your organization can deploy. | Deny | 1.0.0 | Link |
| Audit unrestricted network access to storage accounts | Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so that only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Disabled | 1.0.0 | Link |
| Geo-redundant storage should be enabled for Storage Accounts | This policy audits any Storage Account with geo-redundant storage not enabled. | Audit, Disabled | 1.0.0 | Link |
| Secure transfer to storage accounts should be enabled | Audit the requirement of secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Audit, Deny, Disabled | 1.0.1 | Link |
| Storage accounts should allow access from trusted Microsoft services | Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. | Audit, Deny, Disabled | 1.0.0 | Link |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use the new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 | Link |

Stream Analytics

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Diagnostic logs in Azure Stream Analytics should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | Link |

Tags

| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see modify). | append | 1.0.0 | Link |
| Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see modify). | append | 1.0.0 | Link |
| Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see modify). | append | 1.0.1 | Link |
| Inherit a tag from the resource group | Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 | Link |
| Inherit a tag from the resource group if missing | Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 | Link |
| Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0 | Link |
| Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 | Link |
| Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0 | Link |
| Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | deny | 1.0.1 | Link |

Next steps