Azure Security Baseline for HDInsight

The Azure Security Baseline for HDInsight contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see Azure Security Baselines overview.

Network Security

For more information, see Security Control: Network Security.

1.1: Protect resources using Network Security Groups or Azure Firewall on your Virtual Network

Guidance: Perimeter security in Azure HDInsight is achieved through virtual networks. An enterprise administrator can create a cluster inside a virtual network and use a network security group (NSG) to restrict access to the virtual network. Only the IP addresses allowed by the inbound Network Security Group rules will be able to communicate with the Azure HDInsight cluster. This configuration provides perimeter security. All clusters deployed in a virtual network will also have a private endpoint that resolves to a private IP address inside the Virtual Network for private HTTP access to the cluster gateways.

How to deploy Azure HDInsight within a Virtual Network and secure it with a Network Security Group:

https://docs.azure.cn/hdinsight/hdinsight-create-virtual-network

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of VNets, subnets, and NICs

Guidance: Use Azure Security Center and remediate network protection recommendations for the virtual network, subnet, and network security group being used to secure your Azure HDInsight cluster. Enable network security group (NSG) flow logs and send the logs to an Azure Storage Account for traffic auditing. You may also send NSG flow logs to an Azure Log Analytics workspace and use Azure Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Azure Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

How to enable NSG flow logs:

https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

How to enable and use Azure Traffic Analytics:

https://docs.azure.cn/network-watcher/traffic-analytics

Understand network security provided by Azure Security Center:

https://docs.azure.cn/security-center/security-center-network-recommendations

Azure Security Center monitoring: Yes

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable; the benchmark is intended for Azure App Service or compute resources hosting web applications.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.4: Deny communications with known malicious IP addresses

Guidance: For protection from DDoS attacks, enable Azure DDoS Standard protection on the virtual network where your Azure HDInsight cluster is deployed. Use Azure Security Center integrated threat intelligence to deny communications with known malicious or unused Internet IP addresses.

Understand Azure Security Center integrated threat intelligence:

https://docs.azure.cn/security-center/security-center-alerts-service-layer

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets and flow logs

Guidance: Enable network security group (NSG) flow logs for the NSG attached to the subnet being used to protect your Azure HDInsight cluster. Record the NSG flow logs into an Azure Storage Account to generate flow records. If required for investigating anomalous activity, enable Azure Network Watcher packet capture.
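As an added example (not part of the Microsoft baseline or the HDInsight documentation), the following Python script reads an NSG flow log in the version 2 JSON layout that Network Watcher writes to the storage account and audits the inbound flows to the cluster's SSH (22) and gateway (443) ports: allowed flows from sources outside a corporate allow list are reported, as are denied attempts per source. The log record, the addresses, the rule names and the allow list are constructed for the example; the rule name passed as trusted stands for the rule carrying the HDInsight management service tag.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the NSG flow log version 2 JSON layout. Resource ID, MAC
# and addresses are made up: 10.5.16.4 plays the cluster head node, 10.20.0.0/16
# the corporate range, 192.0.2.10 stands in for a published HDInsight management
# address, the others are outside sources. A tuple is: time,src,dst,srcPort,
# dstPort,proto,direction,decision,flowState,packetsS2D,bytesS2D,packetsD2S,
# bytesD2S (the counters are empty while the flow state is B = begin).
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2020-03-02T10:15:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/HDI-RG/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HDI-NSG",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_AllowCorpHttps",
                 "flows": [{"mac": "000D3AF80000", "flowTuples": [
                     "1583144100,10.20.0.5,10.5.16.4,51234,443,T,I,A,B,,,,",
                     "1583144101,10.20.0.5,10.5.16.4,51234,443,T,I,A,E,12,2048,9,1536",
                 ]}]},
                {"rule": "UserRule_AllowHDInsightManagement",
                 "flows": [{"mac": "000D3AF80000", "flowTuples": [
                     "1583144105,192.0.2.10,10.5.16.4,44000,443,T,I,A,B,,,,",
                 ]}]},
                {"rule": "UserRule_AllowSshAny",
                 "flows": [{"mac": "000D3AF80000", "flowTuples": [
                     "1583144110,198.51.100.23,10.5.16.4,40000,22,T,I,A,B,,,,",
                 ]}]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF80000", "flowTuples": [
                     "1583144120,203.0.113.9,10.5.16.4,28746,443,T,I,D,B,,,,",
                     "1583144121,203.0.113.9,10.5.16.4,28747,443,T,I,D,B,,,,",
                     "1583144122,203.0.113.9,10.5.16.4,28748,22,T,I,D,B,,,,",
                 ]}]},
            ],
        },
    }]
})

FIELDS = ("time", "src", "dst", "sport", "dport", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")


def parse_flow_log(log_text):
    """Flatten a version 2 flow log document into one dict per flow tuple."""
    flows = []
    for record in json.loads(log_text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError("only version 2 flow logs are handled here")
        for rule_entry in props["flows"]:
            for flow in rule_entry["flows"]:
                for tup in flow["flowTuples"]:
                    parts = tup.split(",")
                    if len(parts) != len(FIELDS):
                        raise ValueError("malformed flow tuple: %r" % tup)
                    entry = dict(zip(FIELDS, parts))
                    entry["rule"] = rule_entry["rule"]
                    entry["dport"] = int(entry["dport"])
                    flows.append(entry)
    return flows


def audit_inbound(flows, allowed_sources, trusted_rules=(), watched_ports=(22, 443)):
    """Report inbound flows to the watched ports that were allowed from sources
    outside allowed_sources and not matched by a trusted rule (e.g. the rule
    carrying the HDInsight service tag), plus denied attempts per source.
    Only state B (flow begin) is counted so each connection is seen once."""
    allowed_nets = [ipaddress.ip_network(n) for n in allowed_sources]
    unexpected, denied = [], Counter()
    for f in flows:
        if f["direction"] != "I" or f["state"] != "B" or f["dport"] not in watched_ports:
            continue
        if f["decision"] == "D":
            denied[f["src"]] += 1
            continue
        if f["rule"] in trusted_rules:
            continue
        src = ipaddress.ip_address(f["src"])
        if not any(src in net for net in allowed_nets):
            unexpected.append((f["src"], f["dport"], f["rule"]))
    return {"unexpected_allowed": unexpected, "denied_by_source": denied}


if __name__ == "__main__":
    result = audit_inbound(parse_flow_log(SAMPLE_FLOW_LOG), ["10.20.0.0/16"],
                           trusted_rules={"UserRule_AllowHDInsightManagement"})
    for src, port, rule in result["unexpected_allowed"]:
        print("allowed inbound to port %d from unlisted source %s via %s" % (port, src, rule))
    for src, count in result["denied_by_source"].most_common():
        print("%d denied inbound attempt(s) from %s" % (count, src))
```

On a real export, run the same two functions over every blob under the `insights-logs-networksecuritygroupflowevent` container for the cluster's NSG, since each hourly file holds one such `records` array.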

How to enable NSG flow logs:

https://docs.azure.cn/network-watcher/network-watcher-nsg-flow-logging-portal

How to enable Network Watcher:

https://docs.azure.cn/network-watcher/network-watcher-create

Azure Security Center monitoring: Yes

Responsibility: Customer

1.6: Deploy network based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: This requirement can be met through Azure security control ID 1.1: deploy the Azure HDInsight cluster into a virtual network and secure it with a network security group (NSG).

There are several dependencies for Azure HDInsight that require inbound traffic. The inbound management traffic can't be sent through a firewall device. The source addresses for required management traffic are known and published. Create Network Security Group rules with this information to allow traffic from only trusted locations, securing inbound traffic to the clusters.

How to deploy HDInsight within a Virtual Network and secure it with a Network Security Group: https://docs.azure.cn/hdinsight/hdinsight-create-virtual-network

Understand HDInsight dependencies and firewall usage: https://docs.azure.cn/hdinsight/hdinsight-restrict-outbound-traffic

HDInsight management IP addresses: https://docs.azure.cn/hdinsight/hdinsight-management-ip-addresses

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; the benchmark is intended for Azure App Service or compute resources hosting web applications.

Azure Security Center monitoring: Not applicable

Responsibility: Not applicable

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use virtual network service tags to define network access controls on the network security groups (NSGs) attached to the subnet your Azure HDInsight cluster is deployed in. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (for example, ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Understanding and using service tags for Azure HDInsight:

https://docs.azure.cn/virtual-network/security-overview#service-tags

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources related to your Azure HDInsight cluster. Use Azure Policy aliases in the "Microsoft.HDInsight" and "Microsoft.Network" namespaces to create custom policies that audit or enforce the network configuration of your Azure HDInsight cluster.

You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, RBAC controls, and policies, in a single blueprint definition. Easily apply the blueprint to new subscriptions and environments, and fine-tune control and management through versioning.

How to view available Azure Policy aliases:

https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias?view=azps-3.3.0

How to configure and manage Azure Policy:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to create an Azure Blueprint:

https://docs.azure.cn/governance/blueprints/create-blueprint-portal

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use tags for network security groups (NSGs) and other resources related to network security and traffic flow that are associated with your Azure HDInsight cluster. For individual NSG rules, use the "Description" field to specify the business need and/or duration (etc.) for any rule that allows traffic to/from a network.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You may use Azure PowerShell or the Azure command-line interface (CLI) to look up or perform actions on resources based on their tags.
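As an added check that is not part of the baseline, the following Python script lints NSG rules in the shape of an ARM `securityRules` array against controls 1.6, 1.8 and 1.10: it flags inbound Allow rules that expose the cluster's SSH or gateway port to any source and rules whose "Description" field is empty. The rule set is constructed; "HDInsight" is the service tag for HDInsight management traffic, while the corporate range, rule names and ticket reference are made up.

```python
# Constructed NSG rules in the shape of the "securityRules" array of a
# Microsoft.Network/networkSecurityGroups ARM resource. "HDInsight" is the real
# service tag for management traffic; the corporate range is made up and the
# ticket reference in the description is a placeholder.
SAMPLE_RULES = [
    {"name": "AllowHDInsightManagement", "properties": {
        "priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "HDInsight", "sourcePortRange": "*",
        "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "443",
        "description": "Required HDInsight management traffic via service tag; "
                       "permanent, change ref TICKET-PLACEHOLDER"}},
    {"name": "AllowCorpGateway", "properties": {
        "priority": 310, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefixes": ["10.20.0.0/16"], "sourcePortRange": "*",
        "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "443",
        "description": "Analyst access to the cluster gateway from corporate ranges"}},
    # Weak rule: SSH open to every source and no documented business need.
    {"name": "AllowSshAny", "properties": {
        "priority": 320, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "22"}},
]

# Source values that mean "anyone" for an inbound rule.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def rule_sources(props):
    """Return the rule's source prefixes, whether given in singular or plural form."""
    if props.get("sourceAddressPrefixes"):
        return list(props["sourceAddressPrefixes"])
    return [props.get("sourceAddressPrefix", "*")]


def rule_ports(props):
    """Return the set of destination ports, or None when the rule covers all ports."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ports = set()
    for r in ranges:
        if r == "*":
            return None
        lo, _, hi = r.partition("-")          # "443" or "440-445"
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def lint_rules(rules, management_ports=(22, 443)):
    """Return (rule name, problem) findings for inbound Allow rules that expose a
    management port to any source or that lack a Description."""
    findings = []
    for rule in rules:
        props, name = rule["properties"], rule["name"]
        if props.get("direction") != "Inbound" or props.get("access") != "Allow":
            continue
        ports = rule_ports(props)
        exposes = ports is None or any(p in ports for p in management_ports)
        if exposes and any(src in ANY_SOURCE for src in rule_sources(props)):
            findings.append((name, "allows inbound to a management port from any source"))
        if not props.get("description", "").strip():
            findings.append((name, "missing Description (business need/duration)"))
    return findings


if __name__ == "__main__":
    for name, problem in lint_rules(SAMPLE_RULES) or [("-", "no findings")]:
        print("%s: %s" % (name, problem))
```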

How to create and use tags:

https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

How to create a virtual network:

https://docs.azure.cn/virtual-network/quick-create-portal

How to create an NSG with a security configuration:

https://docs.azure.cn/virtual-network/tutorial-filter-network-traffic

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity Log to monitor network resource configurations and detect changes to network resources related to your Azure HDInsight deployments. Create alerts within Azure Monitor that will trigger when changes to critical network resources take place.

How to view and retrieve Azure Activity Log events:

https://docs.azure.cn/azure-monitor/platform/activity-log-view

How to create alerts in Azure Monitor: https://docs.azure.cn/azure-monitor/platform/alerts-activity-log

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Identity and Access Control

For more information, see Security Control: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Maintain a record of the local administrative account that is created during provisioning of the Azure HDInsight cluster, as well as any other accounts you create. In addition, if Azure AD integration is used, Azure AD has built-in roles that must be explicitly assigned and are therefore queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

In addition, you may use Azure Security Center Identity and Access Management recommendations.

How to get a directory role in Azure AD with PowerShell:

https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrole?view=azureadps-2.0

How to get members of a directory role in Azure AD with PowerShell:

https://docs.microsoft.com/powershell/module/azuread/get-azureaddirectoryrolemember?view=azureadps-2.0

How to monitor identity and access with Azure Security Center:

https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: When provisioning a cluster, Azure requires you to create new passwords for the web portal and Secure Shell (SSH) access. There are no default passwords to change; however, you can specify different passwords for SSH and web portal access.

How to set passwords when provisioning an Azure HDInsight cluster:

https://docs.azure.cn/hdinsight/hdinsight-hadoop-linux-use-ssh-unix

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Integrate authentication for the Azure HDInsight cluster with Azure Active Directory. Create policies and procedures around the use of dedicated administrative accounts.

In addition, you may use Azure Security Center Identity and Access Management recommendations.

How to monitor identity and access with Azure Security Center:

https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: If you've already signed in to other Azure services, such as the Azure portal, you can sign in to your Azure HDInsight cluster with a single sign-on (SSO) experience.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure AD MFA and follow Azure Security Center Identity and Access Management recommendations. Azure HDInsight clusters with the Enterprise Security Package configured can be connected to a domain so that domain users can use their domain credentials to authenticate with the clusters and run big data jobs. When authenticating with multi-factor authentication (MFA) enabled, users will be challenged to provide a second authentication factor.

How to enable MFA in Azure:

https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

How to monitor identity and access within Azure Security Center:

https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use PAWs (privileged access workstations) with multi-factor authentication (MFA) configured to log into and configure your Azure HDInsight clusters and related resources.

Learn about Privileged Access Workstations:

https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations

How to enable MFA in Azure:

https://docs.azure.cn/active-directory/authentication/howto-mfa-getstarted

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activity from administrative accounts

Guidance: Azure HDInsight clusters with the Enterprise Security Package configured can be connected to a domain so that domain users can use their domain credentials to authenticate. You may use Azure Active Directory (AAD) security reports to generate logs and alerts when suspicious or unsafe activity occurs in the AAD environment. Use Azure Security Center to monitor identity and access activity.

How to identify AAD users flagged for risky activity:

https://docs.azure.cn/active-directory/reports-monitoring/concept-user-at-risk

How to monitor user identity and access activity in Azure Security Center:

https://docs.azure.cn/security-center/security-center-identity-access

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Azure HDInsight clusters with the Enterprise Security Package configured can be connected to a domain so that domain users can use their domain credentials to authenticate. Use Conditional Access named locations to allow access from only specific logical groupings of IP address ranges or countries/regions.

How to configure named locations in Azure:

https://docs.azure.cn/active-directory/reports-monitoring/quickstart-configure-named-locations

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (AAD) as the central authentication and authorization system. AAD protects data by using strong encryption for data at rest and in transit. AAD also salts, hashes, and securely stores user credentials.

Azure HDInsight clusters with the Enterprise Security Package configured can be connected to a domain so that domain users can use their domain credentials to authenticate with the clusters.

How to create and configure an AAD instance:

https://docs.azure.cn/active-directory/fundamentals/active-directory-access-create-new-tenant

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Use Azure Active Directory (AAD) authentication with your Azure HDInsight cluster. AAD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

How to use Azure Identity Access Reviews:

https://docs.azure.cn/active-directory/governance/access-reviews-overview

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.11: Monitor attempts to access deactivated accounts

Guidance: Use Azure Active Directory (AAD) sign-in and audit logs to monitor for attempts to access deactivated accounts; these logs can be integrated into any third-party SIEM/monitoring tool.

You can streamline this process by creating Diagnostic Settings for AAD user accounts, sending the audit logs and sign-in logs to an Azure Log Analytics workspace. Configure the desired alerts within the Azure Log Analytics workspace.

How to integrate Azure Activity Logs into Azure Monitor:

https://docs.azure.cn/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.12: Alert on account login behavior deviation

Guidance: Azure HDInsight clusters with the Enterprise Security Package configured can be connected to a domain so that domain users can use their domain credentials to authenticate with the clusters. Use the Azure Active Directory (AAD) Risk Detections and Identity Protection features to configure automated responses to detected suspicious actions related to user identities. Additionally, you can ingest data into Azure Sentinel for further investigation.

How to view AAD risky sign-ins:

https://docs.azure.cn/active-directory/reports-monitoring/concept-risky-sign-ins

How to configure and enable Identity Protection risk policies:

https://docs.azure.cn/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Guidance: Not available; Customer Lockbox is not yet supported for Azure HDInsight.

List of Customer Lockbox supported services: https://docs.azure.cn/security/fundamentals/customer-lockbox-overview#supported-services-and-scenarios-in-general-availability

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data Protection

For more information, see Security Control: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags on resources related to your Azure HDInsight deployments to assist in tracking Azure resources that store or process sensitive information.

How to create and use tags:

https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions and/or management groups for development, test, and production. Azure HDInsight clusters and any associated storage accounts should be separated by virtual network/subnet, tagged appropriately, and secured within a network security group (NSG) or Azure Firewall. Cluster data should be contained within a secured Azure Storage Account or Azure Data Lake Storage (Gen1 or Gen2).

Choose storage options for your Azure HDInsight cluster:

https://docs.azure.cn/hdinsight/hdinsight-hadoop-compare-storage-options

How to secure Azure Storage Accounts:

https://docs.azure.cn/storage/common/storage-security-guide

Azure Security Center monitoring: Yes

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: For Azure HDInsight clusters storing or processing sensitive information, mark the cluster and related resources as sensitive using tags. To reduce the risk of data loss via exfiltration, restrict outbound network traffic for Azure HDInsight clusters using Azure Firewall.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

How to restrict outbound traffic for Azure HDInsight clusters with Azure Firewall:

https://docs.azure.cn/hdinsight/hdinsight-restrict-outbound-traffic

Understand customer data protection in Azure:

https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.4: Encrypt all sensitive information in transit

Guidance: Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure HDInsight cluster or cluster data stores (Azure Storage Accounts or Azure Data Lake Storage Gen1/Gen2) are able to negotiate TLS 1.2 or greater. Microsoft Azure resources will negotiate TLS 1.2 by default.

Understand Azure Storage Account encryption in transit:

https://docs.azure.cn/storage/blobs/security-recommendations

Azure Security Center monitoring: Yes

Responsibility: Shared

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Azure Storage or compute resources. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Understand customer data protection in Azure:

https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.6: Use Azure RBAC to control access to resources

Guidance: With the Azure HDInsight Enterprise Security Package, you can use Apache Ranger to create and manage fine-grained access control and data obfuscation policies for your data stored in files, folders, databases, tables, and rows/columns. The Hadoop admin can configure role-based access control (RBAC) to secure Apache Hive, HBase, Kafka, and Spark using the corresponding plugins in Apache Ranger.

Configuring RBAC policies with Apache Ranger allows you to associate permissions with a role in the organization. This layer of abstraction makes it easier to ensure that people have only the permissions needed to perform their work responsibilities.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: For Azure HDInsight clusters storing or processing sensitive information, mark the cluster and related resources as sensitive using tags. Data identification, classification, and loss prevention features are not yet available for Azure Storage or compute resources. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Understand customer data protection in Azure:

https://docs.azure.cn/security/fundamentals/protection-customer-data

Azure Security Center monitoring: Currently not available

Responsibility: Shared

4.8: Encrypt sensitive information at rest

Guidance: If using Azure SQL Database to store Apache Hive and Apache Oozie metadata, ensure the SQL data remains encrypted at all times. For Azure Storage Accounts and Data Lake Storage (Gen1 or Gen2), it is recommended to allow Microsoft to manage your encryption keys; however, you have the option to manage your own keys.

How to manage encryption keys for Azure Storage Accounts:

https://docs.azure.cn/storage/common/storage-encryption-keys-portal

Understand encryption for Azure SQL Database:

https://docs.azure.cn/sql-database/sql-database-technical-overview#data-encryption

How to configure Transparent Data Encryption for SQL Database using customer-managed keys:

https://docs.azure.cn/sql-database/transparent-data-encryption-azure-sql?tabs=azure-portal

Azure Security Center monitoring: Yes

Responsibility: Shared

4.9:记录对关键 Azure 资源的更改并对此类更改发出警报4.9: Log and alert on changes to critical Azure resources

指导:为关联到 Azure HDInsight 群集的 Azure 存储帐户配置诊断设置,以监视并记录针对群集数据执行的所有 CRUD 操作。Guidance: Configure Diagnostic Settings for Azure Storage Accounts associated with Azure HDInsight clusters to monitor and log all CRUD operations against cluster data. 为关联到 Azure HDInsight 群集的任何存储帐户或 Data Lake Store 启用审核。Enable Auditing for any Storage Accounts or Data Lake Stores associated with the Azure HDInsight cluster.

如何为 Azure 存储帐户启用其他日志记录/审核:How to enable additional logging/auditing for an Azure Storage Account:

https://docs.azure.cn/storage/common/storage-monitor-storage-account

Azure 安全中心监视:是Azure Security Center monitoring: Yes

责任:客户Responsibility: Customer

Vulnerability Management

For more information, see Security Control: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Implement a third-party vulnerability management solution.

Optionally, if you have a Rapid7, Qualys, or any other vulnerability management platform subscription, you may use script actions to install vulnerability assessment agents on your Azure HDInsight cluster nodes and manage the nodes through the respective portal.

How to install the Rapid7 agent manually:

https://insightvm.help.rapid7.com/docs/azure-security-center

How to install the Qualys agent manually:

https://www.qualys.com/docs/qualys-cloud-agent-linux-install-guide.pdf

How to use script actions:

https://docs.azure.cn/hdinsight/hdinsight-hadoop-customize-cluster-linux

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.2: Deploy automated operating system patch management solution

Guidance: Automatic system updates are enabled for cluster node images; however, you must periodically reboot cluster nodes to ensure updates are applied.

Microsoft maintains and updates the base Azure HDInsight node images.

How to configure the OS patching schedule for HDInsight clusters:

https://docs.azure.cn/hdinsight/hdinsight-os-patching

Azure Security Center monitoring: Currently not available

Responsibility: Shared

5.3: Deploy automated third-party software patch management solution

Guidance: Use script actions or other mechanisms to patch your Azure HDInsight clusters. Newly created clusters will always have the latest available updates, including the most recent security patches.

How to configure the OS patching schedule for Linux-based Azure HDInsight clusters:

https://docs.azure.cn/hdinsight/hdinsight-os-patching

How to use script actions:

https://docs.azure.cn/hdinsight/hdinsight-hadoop-customize-cluster-linux

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.4: Compare back-to-back vulnerability scans

Guidance: Implement a third-party vulnerability management solution that has the ability to compare vulnerability scans over time. If you have a Rapid7 or Qualys subscription, you may use that vendor's portal to view and compare back-to-back vulnerability scans.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Use a common risk scoring program (for example, the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Inventory and Asset Management

For more information, see Security Control: Inventory and Asset Management.

6.1: Use Azure Asset Discovery

Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols), including Azure HDInsight clusters, within your subscription(s). Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as resources within your subscriptions.

Although classic Azure resources may be discovered via Azure Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

How to create queries with Azure Resource Graph:

https://docs.azure.cn/governance/resource-graph/first-query-portal

How to view your Azure subscriptions:

https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-3.0.0

Understand Azure RBAC:

https://docs.azure.cn/role-based-access-control/overview

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources, giving them metadata that logically organizes them into a taxonomy.

How to create and use tags:

https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

How to create additional Azure subscriptions:

https://docs.azure.cn/billing/billing-create-subscription

How to create management groups:

https://docs.azure.cn/governance/management-groups/create

How to create and use tags:

https://docs.azure.cn/azure-resource-manager/resource-group-using-tags

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.4: Maintain an inventory of approved Azure resources and software titles

Guidance: Define a list of approved Azure resources and approved software for your compute resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s), using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Use Azure Resource Graph to query/discover resources within your subscription(s). Ensure that all Azure resources present in the environment are approved.

How to configure and manage Azure Policy:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to create queries with Azure Resource Graph:

https://docs.azure.cn/governance/resource-graph/first-query-portal

Azure Security Center monitoring: Currently not available

Responsibility: Customer
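As an added example (not part of the baseline or of any Microsoft tooling), the following Az PowerShell script carries out 6.1 and 6.5 together: it enumerates the HDInsight clusters visible to the signed-in identity through Azure Resource Graph, then reports every resource type in those subscriptions that is not on an approved list. The approved-type list, the `sensitivity` tag name and the use of the Az.ResourceGraph module are assumptions for this example.

```powershell
# Added example: reconcile Azure inventory with Azure Resource Graph (controls 6.1 / 6.5).
# Assumes the Az.Accounts and Az.ResourceGraph modules and an existing Connect-AzAccount
# session with Reader access on the subscriptions you want to enumerate.
#Requires -Modules Az.Accounts, Az.ResourceGraph

# Approved resource types: a constructed allow-list for this example, not a Microsoft default.
$approvedTypes = @(
    'microsoft.hdinsight/clusters',
    'microsoft.storage/storageaccounts',
    'microsoft.network/virtualnetworks',
    'microsoft.network/networksecuritygroups',
    'microsoft.keyvault/vaults',
    'microsoft.sql/servers',
    'microsoft.sql/servers/databases'
)

# 6.1: enumerate every subscription the identity can read. A subscription missing from this
# list means missing (read) permissions, which the baseline asks you to verify first.
$subscriptionIds = @((Get-AzSubscription).Id)
if ($subscriptionIds.Count -eq 0) { throw 'No subscriptions visible; check your RBAC assignments.' }

# Inventory of HDInsight clusters with the fields a reviewer wants side by side; the
# 'sensitivity' tag is the assumed name used to mark clusters as sensitive (control 4.7).
$clusterQuery = @'
Resources
| where type =~ 'microsoft.hdinsight/clusters'
| project name, resourceGroup, subscriptionId, location,
          kind = tostring(properties.clusterDefinition.kind),
          sensitivity = tostring(tags['sensitivity'])
| order by subscriptionId asc, name asc
'@
$clusters = @(Search-AzGraph -Query $clusterQuery -Subscription $subscriptionIds -First 1000)
Write-Host "HDInsight clusters found: $($clusters.Count)"
$clusters | Format-Table name, resourceGroup, location, kind, sensitivity -AutoSize

# 6.5: every resource type present that is not on the approved list, counted per subscription.
# Resource Graph's !in~ compares case-insensitively, so the lowercase list above is fine.
$typeList = ($approvedTypes | ForEach-Object { "'$_'" }) -join ', '
$unapprovedQuery = @"
Resources
| where type !in~ ($typeList)
| summarize resources = count() by type, subscriptionId
| order by resources desc
"@
$unapproved = @(Search-AzGraph -Query $unapprovedQuery -Subscription $subscriptionIds -First 1000)

if ($unapproved.Count -eq 0) {
    Write-Host 'All resource types in scope are on the approved list.'
} else {
    Write-Warning "Unapproved resource types present: $($unapproved.Count) type/subscription pairs"
    $unapproved | Format-Table type, subscriptionId, resources -AutoSize
}
```

Run the second query on a schedule and diff its output against the previous run; a new type appearing is the signal 6.3 asks you to act on.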

6.6: Monitor for unapproved software applications within compute resources

Guidance: Implement a third-party solution to monitor cluster nodes for unapproved software applications.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.7: Remove unapproved Azure resources and software applications

Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols), including Azure HDInsight clusters, within your subscription(s). Remove any unapproved Azure resources that you discover. For Azure HDInsight cluster nodes, implement a third-party solution to remove or alert on unapproved software.

How to create queries with Azure Resource Graph:

https://docs.azure.cn/governance/resource-graph/first-query-portal

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.8: Use only approved applications

Guidance: For Azure HDInsight cluster nodes, implement a third-party solution to prevent unauthorized software from executing.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s), using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

How to configure and manage Azure Policy:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

How to deny a specific resource type with Azure Policy:

https://docs.azure.cn/governance/policy/samples/not-allowed-resource-types

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.10: Implement approved application list

Guidance: For Azure HDInsight cluster nodes, implement a third-party solution to prevent unauthorized file types from executing.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager via scripts

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

How to configure Conditional Access to block access to Azure Resource Manager:

https://docs.azure.cn/role-based-access-control/conditional-access-azure-management

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this does not apply to Azure HDInsight because users (non-administrators) of the cluster do not need access to the individual nodes to run jobs. The cluster administrator has root access to all cluster nodes.

Azure Security Center monitoring: Currently not available

Responsibility: Not applicable

6.13: Physically or logically segregate high-risk applications

Guidance: Not applicable; this benchmark item is intended for Azure App Service or compute resources hosting web applications.

Azure Security Center monitoring: Currently not available

Responsibility: Not applicable

Secure Configuration

For more information, see Security Control: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.HDInsight" namespace to create custom policies to audit or enforce the network configuration of your HDInsight clusters.

How to view available Azure Policy aliases:

https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias?view=azps-3.3.0

How to configure and manage Azure Policy:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Azure HDInsight operating system images are managed and maintained by Microsoft. The customer is responsible for implementing secure configurations for the cluster nodes' operating system.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings for your Azure HDInsight clusters and related resources.

How to configure and manage Azure Policy:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Understand Azure Policy effects:

https://docs.azure.cn/governance/policy/concepts/effects

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Azure HDInsight operating system images are managed and maintained by Microsoft. The customer is responsible for implementing OS-level state configuration.

Azure Security Center monitoring: Currently not available

Responsibility: Shared

7.5: Securely store configuration of Azure resources

Guidance: If using custom Azure Policy definitions, use Azure DevOps or Azure Repos to securely store and manage your code.

How to store code in Azure DevOps:

https://docs.azure.cn/devops/repos/git/gitworkflow?view=azure-devops

Azure Repos documentation:

https://docs.azure.cn/devops/repos/index?view=azure-devops

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: Not applicable; custom images are not applicable to Azure HDInsight.

Azure Security Center monitoring: Currently not available

Responsibility: Not applicable

7.7: Deploy system configuration management tools

Guidance: Use Azure Policy aliases in the "Microsoft.HDInsight" namespace to create custom policies to alert on, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

How to configure and manage Azure Policy:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.8: Deploy system configuration management tools for operating systems

Guidance: Implement a third-party solution to maintain the desired state of your cluster node operating systems.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.9: Implement automated configuration monitoring for Azure services

Guidance: Use Azure Policy aliases in the "Microsoft.HDInsight" namespace to create custom policies to audit or enforce the configuration of your HDInsight clusters.

How to view available Azure Policy aliases:

https://docs.microsoft.com/powershell/module/az.resources/get-azpolicyalias?view=azps-3.3.0

How to configure and manage Azure Policy:

https://docs.azure.cn/governance/policy/tutorials/create-and-manage

Azure Security Center monitoring: Currently not available

Responsibility: Customer
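The custom-policy workflow that 7.1, 7.7 and 7.9 describe, as an added Az PowerShell example (not the baseline's or Microsoft's code): it lists the Microsoft.HDInsight aliases, builds a policy that flags clusters not deployed into a virtual network (the network configuration control 1.1 calls for), and assigns it in Audit mode. The alias path, the policy and assignment names, and the subscription scope are assumptions; the script refuses to continue if the alias it expects is not in the Get-AzPolicyAlias output.

```powershell
# Added example: custom Azure Policy built on Microsoft.HDInsight aliases (controls 7.1 / 7.7 / 7.9).
# Assumes Az.Resources and a Connect-AzAccount session with Resource Policy Contributor rights
# at the target scope.
#Requires -Modules Az.Resources

# Step 1: list the aliases Azure Policy exposes for HDInsight (the page links this cmdlet).
$aliases = Get-AzPolicyAlias -NamespaceMatch 'Microsoft.HDInsight'
$aliases.Aliases | Select-Object Name | Format-Table -AutoSize

# Assumed alias for this example: the subnet of each cluster role's virtual network profile.
# It must appear in the list printed above, otherwise the policy would never match anything.
$subnetAlias = 'Microsoft.HDInsight/clusters/computeProfile.roles[*].virtualNetworkProfile.subnet'
if (-not ($aliases.Aliases.Name -contains $subnetAlias)) {
    throw "Alias '$subnetAlias' not found; choose the matching alias from the Get-AzPolicyAlias output."
}

# Step 2: the rule. On a [*] alias, "exists": "false" is true when no role carries a subnet,
# i.e. the cluster was created outside a virtual network. The effect is parameterised so the
# same definition can move from Audit to Deny without being rewritten.
$policyRule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.HDInsight/clusters" },
      { "field": "$subnetAlias", "exists": "false" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
"@

$policyParameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect", "description": "Audit first, Deny once compliant." }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'audit-hdinsight-cluster-in-vnet' `
    -DisplayName 'HDInsight clusters should be deployed into a virtual network' `
    -Description 'Added example policy: flags HDInsight clusters whose roles have no subnet.' `
    -Mode 'Indexed' -Policy $policyRule -Parameter $policyParameters

# Step 3: assign at the current subscription (assumed scope) in Audit mode. Review the
# compliance results, handle exceptions through your exemption process (7.7), then switch
# the parameter to Deny.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
New-AzPolicyAssignment -Name 'audit-hdinsight-vnet' `
    -DisplayName 'Audit HDInsight virtual network placement' `
    -PolicyDefinition $definition -Scope $scope `
    -PolicyParameterObject @{ effect = 'Audit' }
```

Compliance state is populated on the next policy evaluation cycle; existing clusters that fail the rule show up as non-compliant rather than being modified, which is why the assignment starts in Audit.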

7.10: Implement automated configuration monitoring for operating systems

Guidance: Implement a third-party solution to monitor the state of your cluster node operating systems.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.11: Manage Azure secrets securely

Guidance: Azure HDInsight includes Bring Your Own Key (BYOK) support for Apache Kafka. This capability lets you own and manage the keys used to encrypt data at rest.

All managed disks in Azure HDInsight are protected with Azure Storage Service Encryption (SSE). By default, the data on those disks is encrypted using Microsoft-managed keys. If you enable BYOK, you provide the encryption key for Azure HDInsight to use and manage it using Azure Key Vault.

Key Vault may also be used with Azure HDInsight deployments to manage keys for cluster storage (Azure Storage Accounts and Azure Data Lake Storage).

How to bring your own key for Apache Kafka on Azure HDInsight:

https://docs.azure.cn/hdinsight/kafka/apache-kafka-byok

How to manage encryption keys for Azure Storage Accounts:

https://docs.azure.cn/storage/common/storage-encryption-keys-portal

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: Managed identities can be used in Azure HDInsight to allow your clusters to access Azure Active Directory Domain Services, access Azure Key Vault, or access files in Azure Data Lake Storage Gen2.

Understand managed identities with Azure HDInsight:

https://docs.azure.cn/hdinsight/hdinsight-managed-identities

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: If using any code related to your Azure HDInsight deployment, you may implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

How to set up Credential Scanner:

https://secdevtools.azurewebsites.net/helpcredscan.html

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware Defense

For more information, see Security Control: Malware Defense.

8.1: Use centrally managed anti-malware software

Guidance: Azure HDInsight comes with Clamscan pre-installed and enabled for the cluster node images; however, you must manage the software and manually aggregate/monitor any logs Clamscan produces.

Understand Clamscan for Azure HDInsight:

https://docs.azure.cn/hdinsight/hdinsight-faq#security-and-certificates

Azure Security Center monitoring: Currently not available

Responsibility: Customer

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft Antimalware is enabled on the underlying host that supports Azure services; however, it does not run on customer content.

Pre-scan any files being uploaded to Azure resources related to your Azure HDInsight cluster deployment, such as Data Lake Storage, Blob Storage, etc. Microsoft cannot access customer data in these instances.

Understand Microsoft Antimalware for Azure Cloud Services and Virtual Machines:

https://docs.azure.cn/security/fundamentals/antimalware

Azure Security Center monitoring: Currently not available

Responsibility: Shared

8.3: Ensure anti-malware software and signatures are updated

Guidance: Azure HDInsight comes with Clamscan pre-installed and enabled for the cluster node images. Clamscan will perform engine and definition updates automatically; however, aggregation and management of logs will need to be performed manually.

Understand Clamscan for Azure HDInsight:

https://docs.azure.cn/hdinsight/hdinsight-faq#security-and-certificates

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data Recovery

For more information, see Security Control: Data Recovery.

9.1: Ensure regular automated backups

Guidance: When using an Azure Storage Account for the HDInsight cluster data store, choose the appropriate redundancy option (LRS, ZRS, GRS, RA-GRS). When using an Azure SQL Database for the Azure HDInsight cluster data store, configure Active Geo-Replication.

How to configure storage redundancy for Azure Storage Accounts:

https://docs.azure.cn/storage/common/storage-redundancy

How to configure redundancy for Azure SQL Databases:

https://docs.azure.cn/sql-database/sql-database-active-geo-replication

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: When using an Azure Storage Account for the Azure HDInsight cluster data store, choose the appropriate redundancy option (LRS, ZRS, GRS, RA-GRS). If using Azure Key Vault for any part of your Azure HDInsight deployment, ensure your keys are backed up.

Choose storage options for your Azure HDInsight cluster:

https://docs.azure.cn/hdinsight/hdinsight-hadoop-compare-storage-options

How to configure storage redundancy for Azure Storage Accounts:

https://docs.azure.cn/storage/common/storage-redundancy

How to back up Key Vault keys in Azure:

https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: If Azure Key Vault is being used with your Azure HDInsight deployment, test restoration of backed-up customer-managed keys.

How to bring your own key for Apache Kafka on Azure HDInsight:

https://docs.azure.cn/hdinsight/kafka/apache-kafka-byok

How to restore Key Vault keys in Azure:

https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: If Azure Key Vault is being used with your Azure HDInsight deployment, enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion.

How to enable Soft-Delete in Azure Key Vault:

https://docs.azure.cn/storage/blobs/storage-blob-soft-delete?tabs=azure-portal

Azure Security Center monitoring: Currently not available

Responsibility: Customer
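Controls 9.2, 9.3 and 9.4 together amount to one procedure for a customer-managed key: back it up, prove the backup restores, and confirm the vault will not let the key vanish. The script below is an added Az PowerShell example (the page links the older AzureRM cmdlets; these are their Az equivalents), not Microsoft's code. Vault names, the key name and the backup path are assumptions; the restore goes into a second vault because Key Vault refuses to restore a key that already exists in the target.

```powershell
# Added example: back up a customer-managed key, verify the restore, check soft-delete
# (controls 9.2 / 9.3 / 9.4). Assumes Az.KeyVault and a session whose identity has
# backup/restore permissions on both vaults. All names below are constructed for the example.
#Requires -Modules Az.KeyVault

$sourceVault  = 'kv-hdinsight-prod'     # vault holding the HDInsight / Kafka BYOK key
$restoreVault = 'kv-hdinsight-restore'  # second vault, same subscription and geography, for restore tests
$keyName      = 'kafka-disk-key'
$backupFile   = Join-Path ([IO.Path]::GetTempPath()) "$keyName.keybackup"

# 9.4: without soft-delete a deleted key is gone immediately, and without purge protection a
# soft-deleted key can still be purged during the retention window. Warn on both.
foreach ($vaultName in @($sourceVault, $restoreVault)) {
    $vault = Get-AzKeyVault -VaultName $vaultName
    if (-not $vault) { throw "Vault '$vaultName' not found." }
    if (-not $vault.EnableSoftDelete)      { Write-Warning "Soft-delete is OFF for '$vaultName'." }
    if (-not $vault.EnablePurgeProtection) { Write-Warning "Purge protection is OFF for '$vaultName'." }
}

# 9.2: the backup blob is encrypted by the Key Vault service and is only restorable into a vault
# in the same Azure subscription and geography; store it with the same care as the key itself.
Backup-AzKeyVaultKey -VaultName $sourceVault -Name $keyName -OutputFile $backupFile -Force | Out-Null
Write-Host "Backup written to $backupFile ($((Get-Item $backupFile).Length) bytes)"

# 9.3: restore into the second vault and compare public key material with the original,
# rather than trusting a zero exit code as proof that the backup is usable.
$restored = Restore-AzKeyVaultKey -VaultName $restoreVault -InputFile $backupFile
$original = Get-AzKeyVaultKey -VaultName $sourceVault -Name $keyName

function Get-PublicKeyFingerprint($jwk) {
    # Hashes the public components so the same check covers RSA (N, E) and EC (X, Y) keys.
    # Assumes the JsonWebKey exposes these as byte arrays; strings are handled as a fallback.
    $parts = foreach ($p in 'Kty', 'N', 'E', 'X', 'Y') {
        $v = $jwk.$p
        if ($null -ne $v) {
            if ($v -is [byte[]]) { [Convert]::ToBase64String($v) } else { [string]$v }
        }
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes(($parts -join '|')))
    ([BitConverter]::ToString($hash)).Replace('-', '')
}

$before = Get-PublicKeyFingerprint $original.Key
$after  = Get-PublicKeyFingerprint $restored.Key
if ($before -ne $after) { throw "Restored key does not match the original ($before vs $after)." }
Write-Host "Restore verified: '$keyName' ($($original.Key.Kty)) matches in '$restoreVault'."

# Remove the test copy. With soft-delete on it stays recoverable for the retention period,
# which is exactly the behaviour 9.4 wants for the production key.
Remove-AzKeyVaultKey -VaultName $restoreVault -Name $keyName -Force
Remove-Item $backupFile -ErrorAction SilentlyContinue
```

Schedule this after every key rotation so the stored backup always corresponds to the key version the cluster disks are currently encrypted with.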

Incident Response

For more information, see Security Control: Incident Response.

10.1: Create an incident response guide

Guidance: Ensure that there is a written incident response plan that defines the roles of personnel as well as the phases of incident handling/management.

How to configure Workflow Automations within Azure Security Center:

https://docs.azure.cn/security-center/security-center-planning-and-operations-guide

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to alerts to help you prioritize the order in which you attend to each alert, so that when a resource is compromised you can get to it right away. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Refer to NIST's publication, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities:

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party.

How to set the Azure Security Center security contact:

https://docs.azure.cn/security-center/security-center-provide-security-contact-details

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

How to configure continuous export:

https://docs.azure.cn/security-center/continuous-export

How to stream alerts into Azure Sentinel:

https://docs.azure.cn/sentinel/connect-azure-security-center

Azure Security Center monitoring: Currently not available

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" to security alerts and recommendations.

How to configure Workflow Automation and Logic Apps:

https://docs.azure.cn/security-center/workflow-automation

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see Security Control: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings within 60 days

Guidance: Please follow the Microsoft Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies:

https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

You can find more information on Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications here:

https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps