Tutorial: Discovering your sensitive content with the Azure Information Protection (AIP) scanner

Applies to: Azure Information Protection

Relevant for: Azure Information Protection unified labeling client for Windows

The Azure Information Protection client provides an on-premises scanner that enables system administrators to scan on-premises file repositories for sensitive content.

In this tutorial, you'll learn how to:

  • Create a network scan job and scan for risky repositories
  • Add any risky repositories found to a content scan job
  • Scan your content shares for sensitive content and understand the results found

Note

Network Discovery is available only starting in version 2.8.85.0 of the unified labeling client, and is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

If you do not have this version of the client and scanner installed, review the tutorial prerequisites and then go straight to Define and run your content scan job.

Time required: You can finish this configuration in 15 minutes.

Tutorial prerequisites

Note

Azure Information Protection is not currently supported in the Azure China portal. You can achieve the same functionality using the Azure Information Protection PowerShell commands.

Requirement: A supporting subscription
You'll need an Azure subscription that includes Azure Information Protection.

If you don't have such a subscription, you can create a trial account for your organization.

Requirement: Admin access to the Azure portal
Make sure that you can sign in to the Azure portal with a supported administrator account, and that protection is enabled. Supported administrator accounts include:

- Compliance administrator
- Compliance data administrator
- Security administrator
- Global administrator

Requirement: AIP client, scanner, and Network Discovery service
To fully complete this tutorial, you'll need to have installed the Azure Information Protection unified labeling client and scanner, as well as the Network Discovery service (public preview).

For more information, see:

- Quickstart: Deploying the Azure Information Protection (AIP) unified labeling client
- Tutorial: Installing the Azure Information Protection (AIP) unified labeling scanner

Requirement: A content scan job
Make sure you have a basic content scan job that you can use for testing. You may have created one when you installed your scanner.

If you need to create one now, you can use the instructions in Configure Azure Information Protection in the Azure portal. When you have a basic content scan job, return here to complete this tutorial.

Requirement: SQL Server
To run the scanner, you'll need SQL Server installed on the scanner machine.

To install it, go to the SQL Server download page and select Download now under the installation option you want. In the installer, select the Basic installation type.

Note: We recommend SQL Server Enterprise for production environments, and Express only for testing.

Requirement: Azure Active Directory account
When working with a standard, cloud-connected environment, your domain account must be synchronized to Azure Active Directory. This isn't necessary if you're working offline.

If you're not sure about your account, contact one of your system administrators to verify the sync status. For more information, see Deploying the scanner with alternative configurations.

Requirement: Sensitivity labels and a published policy
You must have created sensitivity labels, and published a policy with at least one label from your labeling admin center to the scanner service account.

Configure sensitivity labels in your labeling admin center, which may be the Microsoft 365 compliance center, the Microsoft 365 security center, or the Microsoft 365 Security & Compliance Center. For more information, see the Microsoft 365 documentation.

When you're ready, continue with Create a network scan job.

Create a network scan job

Create a network scan job to scan a specified IP address or IP range for risky repositories.

Note

This feature is available only starting in version 2.8.85.0, and is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

To create a network scan job:

  1. Sign in to the Azure portal as a supported administrator, and navigate to the Azure Information Protection area.

  2. In the Scanner menu on the left, select Network scan jobs (Preview).

  3. Select Add. In the Add a new network scan job pane, enter the following details:

    • Network scan job name and Description: Enter a meaningful name, such as Quickstart, and an optional description.

    • Select the cluster: Select your cluster name from the dropdown list. For example, if you've completed Tutorial: Installing the Azure Information Protection (AIP) unified labeling scanner, and still have that cluster available, select Quickstart.

    • Configure IP ranges to discover: Select the row to open the Choose IP ranges pane. There, enter an IP address or IP range to scan.

      Note: Enter only IP addresses that are reachable from the scanner machine. The scan runs from that machine, so hosts it cannot reach are simply not discovered, and the job reports nothing for them.

    • Set schedule: Keep the default value of One Time.

    • Set start time (UTC): The start time is entered in UTC, not your local time. Convert the current time in your time zone to UTC, and set the start time to within 5 minutes from now.

    (Screenshot: entering the network scan job details.)

  4. Select Save at the top of the page.

  5. Return to the Network scan jobs (Preview) grid and wait for the scan to start running.

The grid data is updated as your scan completes. For example:

(Screenshot: the refreshed network scan job.)

Tip

If your network scan job does not run, check that the Network Discovery service is installed correctly on the scanner machine.
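Two checks worth running on the scanner machine before the job's start time, added here as an example and not part of the original tutorial: expand the IP range you entered and test SMB reachability (TCP 445) from the scanner machine, and confirm the Network Discovery service is present. Assumptions not taken from the page: the range is a contiguous block given as start and end IPv4 addresses, TCP 445 is the port the discovery needs, and the service's display name contains "Network Discovery" (the page does not name the service; Install-MIPNetworkDiscovery is the unified labeling client's installer cmdlet for it, not covered on this page).

```powershell
# Added example, not from the original tutorial. Run in an elevated PowerShell
# session on the scanner machine before the network scan job's scheduled start.

# Expand an inclusive IPv4 range given as start and end addresses
# (assumption: the range entered in the portal is contiguous).
function Get-IPv4Range {
    param(
        [Parameter(Mandatory)][string]$Start,
        [Parameter(Mandatory)][string]$End
    )
    $toInt = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                 # network byte order -> little endian
        [BitConverter]::ToUInt32($b, 0)
    }
    $from = & $toInt $Start
    $to   = & $toInt $End
    for ([uint64]$n = $from; $n -le $to; $n++) {
        $b = [BitConverter]::GetBytes([uint32]$n)
        [Array]::Reverse($b)
        [System.Net.IPAddress]::new($b).IPAddressToString
    }
}

# Test whether each address answers on the SMB port from this machine. Hosts that
# do not answer here will not be discovered by the scan either.
function Test-ScanTargetReachability {
    param(
        [Parameter(Mandatory)][string]$Start,
        [Parameter(Mandatory)][string]$End,
        [int]$Port = 445                     # assumption: SMB is what discovery probes
    )
    foreach ($ip in Get-IPv4Range -Start $Start -End $End) {
        $ok = Test-NetConnection -ComputerName $ip -Port $Port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Address = $ip; Port = $Port; Reachable = [bool]$ok }
    }
}

# Is the Network Discovery service installed and running?
# (Matching on display name is an assumption; the page does not give the service name.)
function Test-NetworkDiscoveryService {
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Network Discovery*' }
    if (-not $svc) {
        Write-Warning 'No Network Discovery service found; re-run Install-MIPNetworkDiscovery.'
        return $null
    }
    $svc | Select-Object Name, DisplayName, Status, StartType
}

Test-NetworkDiscoveryService
# Hypothetical range; list only the addresses the scanner cannot reach.
Test-ScanTargetReachability -Start '10.0.0.10' -End '10.0.0.60' |
    Where-Object { -not $_.Reachable } |
    Format-Table -AutoSize
```

An address that shows as unreachable here is a firewall or routing question for the network team, not a scanner problem: fix reachability first, then reschedule the job.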

Continue with Add risky repositories to a content scan job.

Add risky repositories to a content scan job

Once your network scan job is complete, you can check for any risky repositories found.

For example, if a repository is found to have both read and write public access, you may want to scan further and confirm that no sensitive data is stored there.

Note

This feature is available only starting in version 2.8.85.0, and is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

To add risky repositories to your content scan job:

  1. Sign in to the Azure portal as a supported administrator, and navigate to the Azure Information Protection pane.

  2. In the Scanner menu on the left, select Repositories (Preview).

    (Screenshot: viewing the repositories found by the network scan job.)

  3. In the grid below the graphs, locate a repository that is not yet managed by the scanner. Not being managed by the scanner means that the repository is not included in any content scan job, so it is not being scanned for sensitive content.

    Tip

    For example, repositories whose Effective Public Access is R (read) or RW (read/write) are open to broad groups of users, and any sensitive content they hold is at risk. "Public" here refers to broad network principals such as Everyone or Authenticated Users, not the Internet; an RW repository is the more urgent case, because anyone on the network can both read what is there and plant new files.

  4. Select the row, and then select Assign Selected Items above the grid.

  5. In the Assign to Content Scan Job pane that appears on the right, select your content scan job from the dropdown list, and then select Save.

    For example:

    (Screenshot: assigning a risky repository to a content scan job.)

The next time your content scan job runs, it will include this newly discovered repository, and will identify, label, classify, and protect any sensitive content found, as configured in your policy.
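An independent check of a share's public access, followed by the PowerShell equivalent of "Assign Selected Items", added here as an example and not part of the original tutorial. How the Network Discovery service itself computes the Effective Public Access column is not described on this page; this function applies the usual rule that effective access is the more restrictive of the share-level ACL and the NTFS ACL for the broad principals it treats as "public". The server and share names are hypothetical, Deny entries and generic-rights ACEs are not evaluated, and Add-AIPScannerRepository and Get-AIPScannerRepository are the unified labeling client's scanner cmdlets, which the page mentions only as "the Azure Information Protection PowerShell commands".

```powershell
# Added example, not from the original tutorial. Run Get-EffectivePublicAccess from any
# machine that can reach the file server; run the Add-AIPScannerRepository part on the
# scanner machine.

function Get-EffectivePublicAccess {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Share
    )
    # Principals treated as "public": anyone on the network or in the domain.
    $public = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Users')

    # 1. Share-level ACL: AccessRight is Read, Change or Full.
    $shareRead = $false; $shareWrite = $false
    foreach ($ace in Get-SmbShareAccess -Name $Share -CimSession $Server) {
        if ($ace.AccessControlType -ne 'Allow' -or $public -notcontains $ace.AccountName) { continue }
        $shareRead = $true
        if ("$($ace.AccessRight)" -in @('Change', 'Full')) { $shareWrite = $true }
    }

    # 2. NTFS ACL on the share root. Bit 1 = ReadData/ListDirectory, bit 2 = WriteData/CreateFiles.
    #    Generic-rights ACEs (negative values) do not set these bits and are not evaluated here.
    $ntfsRead = $false; $ntfsWrite = $false
    foreach ($ace in (Get-Acl -Path "\\$Server\$Share").Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $public -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band 1) -ne 0) { $ntfsRead = $true }
        if (($rights -band 2) -ne 0) { $ntfsWrite = $true }
    }

    # Effective access is the intersection of the two ACLs.
    $read  = $shareRead -and $ntfsRead
    $write = $shareWrite -and $ntfsWrite
    $shareLevel = if ($shareWrite) { 'RW' } elseif ($shareRead) { 'R' } else { 'None' }
    $ntfsLevel  = if ($ntfsWrite)  { 'RW' } elseif ($ntfsRead)  { 'R' } else { 'None' }
    $effective  = if ($read -and $write) { 'RW' } elseif ($read) { 'R' } else { 'None' }

    [pscustomobject]@{
        Path                  = "\\$Server\$Share"
        SharePublicAccess     = $shareLevel
        NtfsPublicAccess      = $ntfsLevel
        EffectivePublicAccess = $effective
    }
}

# Hypothetical server and share names.
$repo = Get-EffectivePublicAccess -Server 'fileserver01' -Share 'public'
$repo | Format-List

if ($repo.EffectivePublicAccess -ne 'None') {
    # Same effect as "Assign Selected Items" in the portal: the next content scan run
    # covers this repository. Run on the scanner machine.
    Add-AIPScannerRepository -Path $repo.Path
    Get-AIPScannerRepository
}
```

A share that is R at the share level but RW on NTFS is still only readable over the network, which is why both ACLs are checked; the tighter of the two is what a remote user actually gets.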

Continue with Define and run your content scan job.

Define and run your content scan job

Use the content scan job you prepared in the tutorial prerequisites to scan your content.

If you don't have a content scan job yet, perform Configure initial settings in the Azure portal, and then return here to continue.

  1. Sign in to the Azure portal as a supported administrator, and navigate to the Azure Information Protection pane.

  2. In the Scanner menu on the left, select Content scan jobs, and then select your content scan job.

  3. Edit your content scan job settings, making sure that you have a meaningful name and an optional description.

    Keep the default values for most of the settings, except for the following changes:

    • Treat recommended labeling as automatic: Set to On.

    • Configure repositories: Ensure that at least one repository is defined.

      Tip

      If you added repositories to your content scan job after scanning your network, as described in Add risky repositories to a content scan job, you can see them listed here now.

    • Enforce: Set to On. With Enforce on, the scanner applies labels and protection to matching files; with it off, the scanner runs in discovery mode and only reports what it finds.

  4. Select Save, and then return to the Content scan jobs grid.

  5. To scan your content, return to the Content scan jobs area and select your content scan job.

    In the toolbar above the grid, select Scan now to start the scan.

    When the scan is complete, continue with View scan results.
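The same procedure from PowerShell on the scanner machine, added here as an example and not part of the original tutorial; this is the route the prerequisites note points to for the Azure China portal. The cmdlets are from the unified labeling client's AzureInformationProtection module. The parameter names for Set-AIPScannerContentScanJob and the property names read from Get-AIPScannerStatus are given as I recall them and are assumptions; confirm them with Get-Help Set-AIPScannerContentScanJob -Full before relying on this.

```powershell
# Added example, not from the original tutorial. Run on the scanner machine.
Import-Module AzureInformationProtection

# Schedule Manual means the job runs only when you start it (the portal's "Scan now").
# Enforce Off would run discovery only: matches are reported but nothing is labeled.
# Parameter names are an assumption; see Get-Help Set-AIPScannerContentScanJob -Full.
Set-AIPScannerContentScanJob -Schedule Manual -RecommendedAsAutomatic On -Enforce On

# Confirm the job settings and that at least one repository is defined.
Get-AIPScannerContentScanJob
$repos = @(Get-AIPScannerRepository)
if ($repos.Count -eq 0) { throw 'No repositories are defined; add one before starting the scan.' }

# Poll the scanner until the node is no longer scanning, with a timeout so an
# unattended run cannot hang forever.
function Wait-AIPScan {
    param([int]$PollSeconds = 30, [int]$TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $status = Get-AIPScannerStatus
        # Assumption: per-node status is exposed as .Nodes[].Status and reads 'Scanning' while busy.
        $busy = @($status.Nodes | Where-Object { "$($_.Status)" -eq 'Scanning' }).Count -gt 0
    } while ($busy -and (Get-Date) -lt $deadline)
    return $status
}

Start-AIPScan
Wait-AIPScan | Format-List
```

For a first pass over newly discovered repositories, running once with -Enforce Off and reading the local report before switching enforcement on avoids labeling or encrypting files you have not yet looked at.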

View scan results

When the scan is complete, check the reports in the Azure Information Protection > Analytics area in the Azure portal.

For example:

(Screenshot: the scanner results data discovery report in Analytics.)

Tip

If your results are empty and you would like to run a meaningful scan, create a file named Payment info in one of the repositories included in your content scan job, with the following content:

Credit card: 2384 2328 5436 3489

Run your scan again to see the difference in the results. This sample matches the built-in Credit Card Number sensitive information type because the number passes the Luhn checksum and the supporting keyword "Credit card" sits next to it; a random 16-digit number that fails the checksum is not a match, so do not expect arbitrary digits to trigger the scanner.
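A local stand-in for the detection that makes this sample file match, plus the command that writes the file into a repository, added here as an example and not part of the original tutorial. The Luhn check and the keyword-proximity rule below are a simplified model of the built-in Credit Card Number information type, not the scanner's own code; the repository path is hypothetical.

```powershell
# Added example, not from the original tutorial.

# Luhn checksum over the digits of a 13 to 19 digit number (separators ignored).
function Test-Luhn {
    param([Parameter(Mandatory)][string]$Number)
    $digits = ($Number -replace '[^0-9]', '').ToCharArray() | ForEach-Object { [int][string]$_ }
    if ($digits.Count -lt 13 -or $digits.Count -gt 19) { return $false }
    $sum = 0; $double = $false
    for ($i = $digits.Count - 1; $i -ge 0; $i--) {    # walk leftwards from the check digit
        $v = $digits[$i]
        if ($double) { $v *= 2; if ($v -gt 9) { $v -= 9 } }
        $sum += $v
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# Find card-number candidates and report whether each passes Luhn and has a
# supporting keyword within $Proximity characters (a simplified model of the SIT).
function Find-CreditCardCandidates {
    param([Parameter(Mandatory)][string]$Text, [int]$Proximity = 300)
    $keywords = 'credit card', 'card number', 'visa', 'mastercard', 'amex'
    $pattern  = '\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{1,7}\b'   # 13 to 19 digits, optional separators
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $start  = [Math]::Max(0, $m.Index - $Proximity)
        $length = [Math]::Min($Text.Length - $start, $m.Length + 2 * $Proximity)
        $window = $Text.Substring($start, $length)
        $kw = $keywords | Where-Object { $window -match [regex]::Escape($_) }   # case-insensitive
        [pscustomobject]@{
            Candidate     = $m.Value
            LuhnValid     = Test-Luhn -Number $m.Value
            KeywordNearby = @($kw).Count -gt 0
        }
    }
}

# The page's sample: 2384 2328 5436 3489 passes Luhn (digit sum 80) and has the keyword.
$content = 'Credit card: 2384 2328 5436 3489'
Find-CreditCardCandidates -Text $content | Format-Table -AutoSize

# Write the file into a repository the content scan job includes (hypothetical path),
# then run the scan again as the tip says.
$repository = '\\fileserver01\public'
Set-Content -Path (Join-Path $repository 'Payment info.txt') -Value $content -Encoding UTF8
```

Changing the last digit of the sample number makes LuhnValid come back False, which is a quick way to convince yourself the checksum, not just the digit pattern, is what the scanner keys on.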

For more information, see Central reporting for Azure Information Protection (public preview).

Local scanner reports

Logs are also stored locally on the scanner machine in the %localappdata%\Microsoft\MSIP\Scanner\Reports directory. Note that the scanner runs under its service account, so %localappdata% here is that account's profile (for example C:\Users\<scanner service account>\AppData\Local), not the profile of the administrator who signs in to look. The reports include:

• .txt summary files: Include the time taken to scan, the number of files scanned, and how many files matched the information types.

• .csv detail files: Contain a detailed description of each file scanned. The directory keeps up to 60 reports for each scanning cycle.
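A short report reader, added here as an example and not part of the original tutorial: it prints the newest .txt summary and groups the newest .csv detail report by the information types found. The page does not give the column headers of the .csv, so the function locates the information-type column by name pattern instead of assuming an exact header; the service account name in the usage line is hypothetical.

```powershell
# Added example, not from the original tutorial. Run on the scanner machine.
function Get-AIPScannerReportSummary {
    param(
        # Pass the scanner service account's LocalAppData path when running as a different user.
        [string]$LocalAppData = $env:LOCALAPPDATA,
        [int]$Top = 20
    )
    $reportDir = Join-Path $LocalAppData 'Microsoft\MSIP\Scanner\Reports'
    if (-not (Test-Path $reportDir)) { throw "Report directory not found: $reportDir" }

    $latestTxt = Get-ChildItem $reportDir -Filter *.txt | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $latestCsv = Get-ChildItem $reportDir -Filter *.csv | Sort-Object LastWriteTime -Descending | Select-Object -First 1

    # Summary: scan duration, files scanned, files with a match.
    if ($latestTxt) { Get-Content $latestTxt.FullName }

    if (-not $latestCsv) { return }
    $rows = Import-Csv $latestCsv.FullName
    if (-not $rows) { return }

    # Column header is an assumption; the page does not list the .csv columns.
    $columns = $rows[0].PSObject.Properties.Name
    $typeCol = $columns | Where-Object { $_ -like '*Information Type*' } | Select-Object -First 1
    if (-not $typeCol) {
        Write-Warning "No information-type column found; columns are: $($columns -join ', ')"
        return
    }

    # Files with at least one information-type match, grouped by the types found.
    $rows | Where-Object { $_.$typeCol } |
        Group-Object -Property $typeCol |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Hypothetical scanner service account profile.
Get-AIPScannerReportSummary -LocalAppData 'C:\Users\svc-aipscanner\AppData\Local'
```

The warning branch exists on purpose: if the header pattern does not match your client version, it prints the real column names so you can adjust the pattern rather than silently returning nothing.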

Next steps

For additional tutorials, see:

See also: