Azure security baseline for Azure Load Balancer

The Azure security baseline for Azure Load Balancer contains recommendations that help you improve the security posture of your deployment. The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how to secure your cloud solutions on Azure with Microsoft's best-practice guidance. For more information, see the Azure security baselines overview.

Network security

For more information, see the Azure Security Benchmark: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: Use an internal Azure Load Balancer to allow traffic to backend resources only from within specific virtual networks or peered virtual networks, with no exposure to the internet. Where a public (external) Load Balancer is required, its Source Network Address Translation (SNAT) masks the IP addresses of the backend resources so that they are not directly exposed to the internet.

Azure offers two Load Balancer SKUs, Standard and Basic. Use the Standard Load Balancer for all production workloads. Associate network security groups with the backend subnets or NICs and allow access only to your application's trusted ports and source IP ranges. A Standard Load Balancer is closed by default: if no network security group is associated with the backend subnet or with the NICs of the backend virtual machines, no traffic is delivered from the load balancer to those resources. With a Standard Load Balancer, define outbound NAT explicitly with outbound rules rather than relying on the implicit outbound rule that a load-balancing rule creates, and use network security group outbound rules to restrict where backends may connect. Review the outbound rules to tune the behavior of your outbound connections.

A Standard Load Balancer is recommended for production workloads. The Basic Load Balancer is typically used only for testing, because the Basic SKU is open to connections from the internet by default and does not require network security groups to operate.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs

Guidance: Load Balancer is a pass-through service: it relies on the network security group rules applied to the backend resources and on the configured outbound rules to control internet access.

Review the outbound rules configured for your Standard Load Balancer on the Outbound rules blade of the load balancer, and on the Load balancing rules blade, where implicit outbound rules may be enabled.

Monitor the count of outbound connections to track how often your resources reach out to the internet.

Use Security Center and follow its network protection recommendations to help secure your Azure network resources.

Follow the security recommendations for your backend resources, enable network security group flow logs, and send the logs to an Azure Storage account for auditing.

Also send the flow logs to a Log Analytics workspace and use Traffic Analytics to gain insight into traffic patterns in your Azure cloud. Traffic Analytics lets you visualize network activity, identify hot spots and security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Azure Security Center monitoring: Yes

Responsibility: Customer
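The flow-log review described in 1.2, as an added example that is not part of the original page or Microsoft's code: a Python script that reads one network security group flow log (version 2) blob in the form Network Watcher writes it to the storage account, counts new outbound connections per backend address, lists which internet sources were allowed in and by which rule, and which ports the internet probed and was denied. The blob contents, the VNet prefix 10.0.0.0/16 and every address in the sample are constructed. Python is used because the input is JSON already exported from Azure, so the check runs offline without calling any API.

```python
"""Summarize NSG flow log (version 2) blobs for control 1.2.

Added example for this baseline, not Microsoft code. Network Watcher writes these
blobs as PT1H.json under the insights-logs-networksecuritygroupflowevent container;
the blob below is a constructed sample in the documented v2 layout. Each tuple is
"ts,srcIP,dstIP,srcPort,dstPort,proto,direction(I/O),decision(A/D),state(B/C/E),
pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc" (counters empty on B).
"""
import ipaddress
import json
from collections import Counter

SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2020-06-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/RG-LB/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-BACKEND",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-https-from-internet", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1591000800,203.0.113.10,10.0.1.4,50211,443,T,I,A,B,,,,",
            "1591000830,203.0.113.10,10.0.1.4,50211,443,T,I,A,E,12,3400,9,8100"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1591000801,198.51.100.7,10.0.1.4,41000,22,T,I,D,B,,,,",
            "1591000802,198.51.100.7,10.0.1.4,41001,3389,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1591000805,10.0.1.4,192.0.2.50,44931,443,T,O,A,B,,,,",
            "1591000806,10.0.1.4,192.0.2.50,44932,443,T,O,A,B,,,,",
            "1591000807,10.0.1.5,198.51.100.200,55000,80,T,O,A,B,,,,",
            "1591000808,10.0.1.5,10.0.2.9,55001,1433,T,O,A,B,,,,"]}]}]}}]})

FIELDS = ("ts", "src", "dst", "src_port", "dst_port", "proto", "direction", "decision", "state",
          "pkts_out", "bytes_out", "pkts_in", "bytes_in")


def parse_flow_tuples(blob_text):
    """Yield one dict per flow tuple, tagged with the NSG rule that produced it."""
    for record in json.loads(blob_text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError("only flow log version 2 is handled here")
        for rule_block in props["flows"]:
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    entry = dict(zip(FIELDS, tup.split(",")))
                    entry["ts"] = int(entry["ts"])
                    entry["dst_port"] = int(entry["dst_port"])
                    entry["rule"] = rule_block["rule"]
                    yield entry


def summarize(blob_text, vnet_prefixes):
    """Answer the questions the baseline asks: how often each backend opens connections
    to addresses outside the VNet, which external sources were allowed in (and by which
    rule), and which ports the outside world probes. Only state B (flow begin) tuples
    are counted so continuation (C) and end (E) tuples for one flow are not double counted."""
    nets = [ipaddress.ip_network(p) for p in vnet_prefixes]

    def inside(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    outbound_new, inbound_allowed, inbound_denied = Counter(), Counter(), Counter()
    for f in parse_flow_tuples(blob_text):
        if f["state"] != "B":
            continue
        if f["direction"] == "O" and not inside(f["dst"]):
            outbound_new[f["src"]] += 1
        elif f["direction"] == "I" and not inside(f["src"]):
            if f["decision"] == "A":
                inbound_allowed[(f["dst_port"], f["rule"])] += 1
            else:
                inbound_denied[f["dst_port"]] += 1
    return {"outbound_new": outbound_new, "inbound_allowed": inbound_allowed,
            "inbound_denied": inbound_denied}


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOW_LOG, ["10.0.0.0/16"])
    for src, n in report["outbound_new"].most_common():
        print(f"{src} opened {n} connection(s) outside the VNet")
    for (port, rule), n in report["inbound_allowed"].items():
        print(f"external -> port {port} allowed {n}x by {rule}")
    for port, n in report["inbound_denied"].most_common():
        print(f"external -> port {port} denied {n}x")
```

With the sample blob, backend 10.0.1.4 opened two connections to the internet and 10.0.1.5 one (its connection to 10.0.2.9 stays inside the VNet and is not counted), HTTPS from 203.0.113.10 was admitted by the user rule, and SSH and RDP probes from 198.51.100.7 hit the default deny. Pointing the same function at a day's worth of blobs is a quick way to confirm that the rules you expect to carry traffic are the ones that actually do.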

1.3: Protect critical web applications

Guidance: Explicitly define internet connectivity and the valid source IP ranges for your Load Balancer through outbound rules and network security groups, so that Azure's threat intelligence features have a tightly scoped set of flows to protect your web applications. Load Balancer operates at layer 4 and does not inspect HTTP; if you need a web application firewall in front of the backends, place Azure Application Gateway (WAF SKU) or Azure Front Door in the path.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.5: Record network packets

Guidance: Enable Network Watcher packet capture to investigate anomalous activity. Packet capture runs on the backend virtual machines through the Network Watcher agent extension; the load balancer itself has no data plane you can tap, so capture on the backends that receive the load-balanced flows.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Implement an offering from the Azure Marketplace that provides IDS/IPS functionality with payload inspection for the environment of your Load Balancer.

If payload inspection is not a requirement, use Azure Firewall threat intelligence. Threat intelligence-based filtering in Azure Firewall alerts on and/or blocks traffic to and from known malicious IP addresses and domains, sourced from the Microsoft Threat Intelligence feed.

Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or block malicious traffic.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Explicitly define internet connectivity and the valid source IP ranges for your Load Balancer through outbound rules and network security groups, so that Microsoft's threat intelligence features can be applied to protect your web applications.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use service tags in place of specific IP addresses when creating security rules. Specify the service tag name in the source or destination field of a rule to allow or deny traffic for the corresponding service.

Azure manages the address prefixes encompassed by a service tag and automatically updates the tag as addresses change.

By default, every network security group includes the default rule AllowAzureLoadBalancerInBound (priority 65001), which uses the AzureLoadBalancer service tag to permit health probe traffic from 168.63.129.16. A custom rule with a lower priority number that denies all inbound traffic overrides this default; if you add one, also add an explicit allow rule for the AzureLoadBalancer tag ahead of it, or every backend will fail its probe and be removed from rotation.

Refer to the Azure documentation for all service tags available for use in network security group rules.

Azure Security Center monitoring: Yes

Responsibility: Customer
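The checks in 1.1 and 1.8 are easy to get wrong in the same way: a custom deny-all rule numbered below 65001 overrides the AllowAzureLoadBalancerInBound default and takes every backend out of rotation. The following added example (not Microsoft's code) audits a load balancer and its backend network security group offline from the JSON that `az network lb show`, `az network nsg show` and `az network nic show` print: it flags a Basic SKU, an outbound rule that overcommits the 64,000 SNAT ports each frontend IP provides, backends with no network security group on NIC or subnet, health probes that the NSG denies (evaluated first-match by priority the way the platform does), and inbound allow rules that expose untrusted ports to the internet. The resource names, the trusted port set {80, 443} and the pre-joined `subnetNetworkSecurityGroup` field are assumptions.

```python
"""Audit a Load Balancer and the NSG on its backends (controls 1.1 and 1.8).

Added example for this baseline, not Microsoft code. Inputs follow the shape of
`az network lb/nsg/nic show -o json` output (the CLI flattens `properties`);
all sample objects below are constructed.
"""
import ipaddress

PROBE_SOURCE_IP = "168.63.129.16"   # the address behind the AzureLoadBalancer service tag
SNAT_PORTS_PER_FRONTEND = 64000     # SNAT ports each frontend IP contributes
TRUSTED_INBOUND_PORTS = {80, 443}   # assumption: the only ports the app should expose

def _as_list(rule, singular, plural):
    # az emits either the singular field or the plural list; merge both.
    return list(rule.get(plural) or []) + ([rule[singular]] if rule.get(singular) else [])

def _prefix_matches(prefix, src_tag, src_ip):
    # '*', the flow's own service tag or a CIDR containing the source matches;
    # other service tags (VirtualNetwork, Internet, ...) do not match a probe flow.
    if prefix in ("*", src_tag):
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False

def _ports_in(port_range):
    """Expand '443', '8000-8100' or '*' into the set of ports it covers."""
    if port_range == "*":
        return set(range(65536))
    lo, _, hi = port_range.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def first_match(nsg, direction, src_tag, src_ip, dst_port, proto):
    """Evaluate like the platform: lowest priority number wins, default rules (65000+)
    last. Destination prefixes are not modelled (the flow targets a NIC behind this NSG)."""
    rules = list(nsg.get("securityRules") or []) + list(nsg.get("defaultSecurityRules") or [])
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction or rule["protocol"] not in ("*", proto):
            continue
        srcs = _as_list(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _as_list(rule, "destinationPortRange", "destinationPortRanges")
        if any(_prefix_matches(p, src_tag, src_ip) for p in srcs) and any(dst_port in _ports_in(p) for p in ports):
            return rule
    return None

def audit(lb, nsg, nics):
    """Return (code, message) findings for SKU, outbound SNAT budget, NSG association,
    health-probe reachability and internet exposure of untrusted ports."""
    findings = []
    if lb["sku"]["name"] != "Standard":
        findings.append(("SKU", f"{lb['name']} is {lb['sku']['name']} SKU: open by default, no outbound rules"))
    backends = sum(len(p.get("backendIPConfigurations") or []) for p in lb["backendAddressPools"])
    budget = SNAT_PORTS_PER_FRONTEND * len(lb["frontendIPConfigurations"])
    for ob in lb.get("outboundRules") or []:
        if ob["allocatedOutboundPorts"] % 8 or ob["allocatedOutboundPorts"] * backends > budget:
            findings.append(("SNAT", f"outbound rule {ob['name']}: {ob['allocatedOutboundPorts']} ports x "
                                     f"{backends} instances exceeds {budget} or is not a multiple of 8"))
    for name, nic in nics.items():
        if not nic.get("networkSecurityGroup") and not nic.get("subnetNetworkSecurityGroup"):
            findings.append(("NSG", f"{name}: no NSG on NIC or subnet; a Standard LB delivers no traffic to it"))
    for probe in lb.get("probes") or []:   # Tcp, Http and Https probes are all TCP flows
        hit = first_match(nsg, "Inbound", "AzureLoadBalancer", PROBE_SOURCE_IP, probe["port"], "Tcp")
        if hit is None or hit["access"] != "Allow":
            findings.append(("PROBE", f"probe {probe['name']} (port {probe['port']}) denied by rule "
                                      f"{hit['name'] if hit else '<none>'}; every backend will be marked down"))
    for rule in nsg.get("securityRules") or []:
        srcs = _as_list(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if rule["direction"] != "Inbound" or rule["access"] != "Allow" or not set(srcs) & {"*", "Internet", "0.0.0.0/0"}:
            continue
        exposed = set().union(*(_ports_in(p) for p in _as_list(rule, "destinationPortRange", "destinationPortRanges")))
        exposed -= TRUSTED_INBOUND_PORTS   # reported even if a higher-priority Deny shadows it: dead allows should go
        if exposed:
            findings.append(("EXPOSED", f"rule {rule['name']} allows untrusted port(s) from the internet, e.g. {min(exposed)}"))
    return findings

# Constructed samples. subnetNetworkSecurityGroup is pre-joined from the NIC's subnet
# (`az network vnet subnet show`); nic-web-2 has an NSG at neither level.
SAMPLE_LB = {
    "name": "lb-web", "sku": {"name": "Standard"}, "frontendIPConfigurations": [{"name": "fe-public"}],
    "backendAddressPools": [{"name": "pool-web", "backendIPConfigurations": [{"id": "nic-web-1/ipconfig1"}, {"id": "nic-web-2/ipconfig1"}]}],
    "probes": [{"name": "probe-http", "protocol": "Http", "port": 8080}],
    "outboundRules": [{"name": "ob-web", "allocatedOutboundPorts": 1024}],
}
SAMPLE_NICS = {"nic-web-1": {"networkSecurityGroup": {"id": "nsg-backend"}, "subnetNetworkSecurityGroup": None},
               "nic-web-2": {"networkSecurityGroup": None, "subnetNetworkSecurityGroup": None}}
SAMPLE_NSG = {"name": "nsg-backend", "securityRules": [
    {"name": "allow-https-from-internet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-ssh-from-anywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    # A custom deny-all numbered below 65001 silently overrides AllowAzureLoadBalancerInBound.
    {"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
], "defaultSecurityRules": [
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]}

if __name__ == "__main__":
    for code, message in audit(SAMPLE_LB, SAMPLE_NSG, SAMPLE_NICS):
        print(f"[{code}] {message}")
```

With the sample objects, `audit()` reports the SSH rule open to any source, the NIC without a network security group, and the probe on port 8080 that the custom deny-all blocks. Adding an allow rule for the AzureLoadBalancer tag with a lower priority number than the deny-all clears the PROBE finding; switching the SKU to Basic or raising the outbound allocation to 40,000 ports for two instances produces the SKU and SNAT findings.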

1.10: Document traffic configuration rules

Guidance: Use resource tags for network security groups and other resources related to network security and traffic flow.

For individual network security group rules, use the Description field to document why the rule allows traffic to or from a network.

Implement any of the built-in Azure Policy definitions related to tagging, such as "Require a tag and its value on resources", to ensure that all resources are created with tags and to be notified of existing untagged resources.

Use Azure PowerShell or Azure CLI to look up or act on resources based on their tags.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity log to monitor network resource configurations and detect changes to your Azure resources.

Create alerts in Azure Monitor to notify you when critical resources are changed.

Azure Security Center monitoring: Yes

Responsibility: Customer

Logging and monitoring

For more information, see the Azure Security Benchmark: Logging and monitoring.

2.2: Configure central security log management

Guidance: Review changes to your load balancers' outbound rules and network security groups by viewing the Activity log for your subscriptions.

Review the host logs of the backend virtual machines to ensure your backend resources are secure.

Export these logs to Log Analytics or another storage platform. In Azure Monitor, use Log Analytics workspaces to query and analyze the data, and use Azure Storage accounts for long-term and archival storage.

Enable and onboard this data to a third-party SIEM according to your organization's business requirements.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Review the control and management plane logging and audit information captured in the Activity log. The Activity log is enabled by default for every Azure Resource Manager resource, Basic and Standard Load Balancers included.

Use the Activity log to monitor actions on resources and view all activity and its status.

Use the Activity log to determine what operations were taken on the resources in your subscription:

  • who started the operation

  • when the operation occurred

  • the status of the operation

  • the values of other properties that might help you research the operation

Retrieve information from the Activity log through Azure PowerShell, the Azure Command-Line Interface (CLI), the Azure REST API, or the Azure portal.

Implement multi-dimensional diagnostics for Standard Load Balancer through Azure Monitor. The metrics relevant to security include Source Network Address Translation (SNAT) connection counts and SNAT port usage; metrics for SYN (synchronize) packets and packet counters are also available.

Retrieve multi-dimensional metrics programmatically through the Azure Monitor APIs, or write them to a storage account with the 'AllMetrics' option of a diagnostic setting.

Use the Azure Audit Logs content pack for Microsoft Power BI to analyze your data with pre-configured dashboards, or customize the views to your requirements.

Stream logs to an event hub or a Log Analytics workspace. They can also be extracted from Azure Blob storage and viewed in tools such as Excel and Power BI.

Enable and onboard data to a third-party SIEM according to your business requirements.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: The Activity log is enabled by default and its events are retained for 90 days in Azure's event log store. To keep them longer, set the retention period of your Log Analytics workspace in Azure Monitor according to your organization's compliance requirements, and use Azure Storage accounts for long-term and archival storage.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Monitor, manage, and troubleshoot Standard Load Balancer resources from the Load Balancer page in the Azure portal and the Resource health page under Azure Monitor. Security-relevant metrics include SNAT connection counts and SNAT port usage; metrics for SYN (synchronize) packets and packet counters are also available. Alert when the used SNAT ports of a backend instance approach its allocated ports: SNAT port exhaustion surfaces as failed outbound connections from that instance.

Use Azure Monitor to review endpoint health probe status with multi-dimensional metrics for Standard Load Balancers, external and internal. Gather these metrics programmatically through the APIs, or write them to a storage account with the 'AllMetrics' option.

Azure Monitor logs are not available for internal Basic Load Balancers.

Use Azure Monitor to see health probe status summarized per backend pool for the Basic external Load Balancer, for example the number of instances in the backend pool that are not receiving requests from the load balancer because of health probe failures.

Implement logging with Azure Operational Insights (now Log Analytics) to obtain statistics about load balancer health status.

Use the Activity log to view alerts and monitor actions on resources and their status in your Azure subscriptions. The Activity log is enabled by default and can be viewed in the Azure portal.

Use Microsoft Power BI with the Azure Audit Logs content pack and analyze your data with pre-configured dashboards. Customize the views to suit your business requirements.

Stream logs to an event hub or a Log Analytics workspace. They can also be extracted from Azure Blob storage and viewed in tools such as Excel and Power BI. You can also enable and onboard data to a third-party SIEM.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: Use Security Center with a Log Analytics workspace to monitor and alert on anomalous activity related to Load Balancer in security logs and events.

Enable and onboard data to a third-party SIEM tool.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable to Azure Load Balancer. This recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.9: Enable DNS query logging

Guidance: Not applicable, as Azure Load Balancer is a core networking service that does not make DNS queries.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.10: Enable command-line audit logging

Guidance: Not applicable to Azure Load Balancer, as this recommendation applies to compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Identity and access control

For more information, see the Azure Security Benchmark: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure role-based access control (Azure RBAC) lets you manage access to Azure resources such as your Load Balancer through role assignments. Assign these roles to users, groups, service principals, and managed identities.

Inventory the built-in and custom roles assigned at the load balancer, resource group and subscription scopes with tools such as Azure CLI, Azure PowerShell, or the Azure portal.

Azure Security Center monitoring: Yes

Responsibility: Customer

Data protection

For more information, see the Azure Security Benchmark: Data protection.

4.6: Use Azure RBAC to manage access to resources

Guidance: Use Azure RBAC to control access to your Load Balancer resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Load Balancer is a pass-through service that does not store customer data. It is part of the underlying platform that is managed by Azure.

Azure treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure.

To ensure that customer data in Azure remains secure, Azure has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts when changes take place to critical Azure resources, such as load balancers that serve important production workloads.

Azure Security Center monitoring: Yes

Responsibility: Customer
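The change detection recommended in 1.11, 2.2 and 4.9, as an added example that is not Microsoft's code: a Python filter over Activity log events (the shape `az monitor activity-log list` prints) that raises one alert per successful write or delete on a production load balancer or network security group, child resources such as individual security rules included, and rates a change high when it is a deletion or comes from an identity other than the deployment pipeline. The events, callers, client address and the pipeline's application ID are constructed, and the critical resource list stands in for whatever tag query (for example `environment=production`) you use to select critical resources.

```python
"""Turn Activity log events into alerts for changes to production Load Balancers
and NSGs (controls 1.11, 2.2 and 4.9).

Added example for this baseline, not Microsoft code. Events follow the shape of
`az monitor activity-log list -g <rg> --offset 7d -o json`, trimmed to the fields
used here; the sample events, callers and resource IDs are constructed.
"""
from datetime import datetime, timezone

WATCHED_TYPES = ("Microsoft.Network/loadBalancers", "Microsoft.Network/networkSecurityGroups")
CHANGE_SUFFIXES = ("/write", "/delete")   # the Activity log records control-plane changes, not reads


def parse_timestamp(ts):
    """Azure emits up to seven fractional digits, which fromisoformat rejects on older Pythons."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _is_under(resource_id, parents):
    # Exact match or child resource (.../securityRules/x), never a name-prefix match:
    # lb-web must not match lb-web-dev.
    rid = resource_id.lower()
    return any(rid == p or rid.startswith(p + "/") for p in parents)


def detect_changes(events, critical_resource_ids, trusted_callers, since=None):
    """One alert per successful write/delete on a critical LB or NSG or any of their
    child resources. Deletes, and changes by identities outside `trusted_callers`
    (assumed to be the deployment pipeline), are rated high so that a hand-made
    portal or CLI change stands out from automated deployments."""
    parents = [r.lower() for r in critical_resource_ids]
    alerts = []
    for e in events:
        op = e["operationName"]["value"]
        if not (op.startswith(WATCHED_TYPES) and op.endswith(CHANGE_SUFFIXES)):
            continue
        if e["status"]["value"] != "Succeeded":   # skip the Started/Failed twins of the same call
            continue
        if not _is_under(e["resourceId"], parents):
            continue
        when = parse_timestamp(e["eventTimestamp"])
        if since is not None and when < since:
            continue
        caller = e.get("caller") or "<unknown>"
        severity = "high" if op.endswith("/delete") or caller not in trusted_callers else "info"
        alerts.append({"time": when.isoformat(), "severity": severity, "caller": caller, "operation": op,
                       "resource": e["resourceId"], "client_ip": (e.get("httpRequest") or {}).get("clientIpAddress")})
    return sorted(alerts, key=lambda a: a["time"])


# Constructed sample: one pipeline deployment, one after-hours rule change by a user,
# one unrelated dev load balancer, one deletion.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-lb/providers/Microsoft.Network"
CRITICAL = [f"{SUB}/loadBalancers/lb-web", f"{SUB}/networkSecurityGroups/nsg-backend"]
PIPELINE_SP = "11111111-1111-1111-1111-111111111111"   # appId of the deployment service principal (constructed)


def make_event(op, rid, caller, status="Succeeded", ts="2020-06-01T10:00:00.0000000Z", ip=None):
    return {"operationName": {"value": op}, "resourceId": rid, "caller": caller, "status": {"value": status},
            "eventTimestamp": ts, "httpRequest": {"clientIpAddress": ip} if ip else None}


SAMPLE_EVENTS = [
    make_event("Microsoft.Network/loadBalancers/write", CRITICAL[0], PIPELINE_SP, status="Started"),
    make_event("Microsoft.Network/loadBalancers/write", CRITICAL[0], PIPELINE_SP, ts="2020-06-01T10:00:05.0000000Z"),
    make_event("Microsoft.Network/networkSecurityGroups/securityRules/write", CRITICAL[1] + "/securityRules/allow-rdp-any",
               "alice@contoso.com", ts="2020-06-01T23:41:07.1234567Z", ip="203.0.113.77"),
    make_event("Microsoft.Network/loadBalancers/write", f"{SUB}/loadBalancers/lb-web-dev", "alice@contoso.com"),
    make_event("Microsoft.Network/networkSecurityGroups/delete", CRITICAL[1], PIPELINE_SP, ts="2020-06-02T08:00:00.0000000Z"),
]

if __name__ == "__main__":
    for a in detect_changes(SAMPLE_EVENTS, CRITICAL, {PIPELINE_SP}):
        print(f"{a['time']} {a['severity']:<4} {a['caller']} {a['operation']} {a['resource']} {a['client_ip']}")
```

Run the same logic as an Azure Monitor alert rule on the Activity log, or as a scheduled query against the AzureActivity table in Log Analytics; the offline version is useful for back-testing the filter against exported events before wiring it to an action group. The `Started` twin of the pipeline deployment is skipped, the dev load balancer is ignored because a resource ID prefix is only matched at a path boundary, and the late-night security rule write by a user is the one alert that should page someone.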

Inventory and asset management

For more information, see the Azure Security Benchmark: Inventory and asset management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query for and discover all resources (such as compute, storage, network, ports, protocols, and so on) in your subscriptions. Create and manage resources through Azure Resource Manager rather than the classic deployment model.

Ensure you have appropriate (read) permissions in your tenant and enumerate all Azure subscriptions and the resources in them.

Azure Security Center monitoring: Yes

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources to organize them logically into a taxonomy with metadata.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track assets.

Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from your subscriptions in a timely manner.

Azure Security Center monitoring: Yes

Responsibility: Customer

6.4: Define and maintain an inventory of approved Azure resources

Guidance: Create a list of approved Azure resources per your organizational needs, which you can use as an allow list. This lets your organization onboard newly available Azure services once they have been formally reviewed and approved through your organization's usual security evaluation process.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to restrict the types of resources that can be created in your subscriptions.

Query for and discover resources with Azure Resource Graph within the subscriptions you own.

Ensure all Azure resources present in the environment are approved.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

Azure Security Center monitoring: Yes

Responsibility: Customer

6.13: Physically or logically segregate high risk applications

Guidance: Software that is required for business operations but may incur higher risk for the organization should be isolated within its own virtual machine and/or virtual network and sufficiently secured with either an Azure Firewall or a network security group.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Secure configuration

For more information, see the Azure Security Benchmark: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases to create custom policies that audit or enforce the configuration of your Azure resources, and use the built-in Azure Policy definitions.

Azure Resource Manager can export a resource's template in JavaScript Object Notation (JSON). Export the templates for your load balancers and network security groups and review them periodically to ensure the configuration meets your organization's security requirements.

Implement recommendations from Security Center as a secure configuration baseline for your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure resources. You can also use Azure Resource Manager templates to maintain the security configuration of the Azure resources your organization requires.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.5: Securely store configuration of Azure resources

Guidance: Use Azure DevOps to securely store and manage your code, such as custom Azure Policy definitions, Azure Resource Manager templates, and Desired State Configuration scripts.

Grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if it is integrated with Azure DevOps, or in Active Directory if integrated with TFS.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.7: Deploy configuration management tools for Azure resources

Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies that audit or enforce the network configuration of your Azure resources, and implement the built-in policy definitions related to your Azure Load Balancer resources. Also use Azure Automation to deploy configuration changes to your Azure Load Balancer resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Security Center to perform baseline scans of your Azure resources, and Azure Policy to alert on and audit resource configurations.

Azure Security Center monitoring: Yes

Responsibility: Customer

Incident response

For more information, see the Azure Security Benchmark: Incident response.

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first.

The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as its confidence that there was malicious intent behind the activity that led to the alert.

Mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data.

It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Security Center alerts and recommendations using the continuous export feature to help identify risks to Azure resources.

The continuous export feature in Security Center lets you export alerts and recommendations either manually or in an ongoing, continuous fashion.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Security Center to automatically trigger responses to security alerts and recommendations to protect your Azure resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

Penetration tests and red team exercises

For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests do not violate Microsoft policies. Microsoft's own red teaming and live-site penetration testing cover the Microsoft-manag
ed cloud infrastructure, services, and applications; your tests should cover your own configuration, such as the load balancer's rules, the network security groups, and the backend resources.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps