Azure security baseline for Network Watcher

This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Network Watcher. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Network Watcher. Controls not applicable to Network Watcher, or for which the responsibility is Azure's, have been excluded.

To see how Network Watcher maps completely to the Azure Security Benchmark, see the full Network Watcher security baseline mapping file.

Logging and Monitoring

For more information, see the Azure Security Benchmark: Logging and Monitoring.

2.2: Configure central security log management

Guidance: Use Azure Activity Log to monitor configurations and detect changes for your Azure Network Watcher instances. Other than at the control plane (for example, the Azure portal), Network Watcher itself does not generate logs related to network traffic. Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.

Responsibility: Customer

Azure Security Center monitoring: None

2.3: Enable audit logging for Azure resources

Guidance: Use Azure Activity Log to monitor configurations and detect changes for your Azure Network Watcher instances. Other than at the control plane (for example, the Azure portal), Network Watcher itself does not generate audit logs. Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.

Responsibility: Customer

Azure Security Center monitoring: None

2.5: Configure security log storage retention

Guidance: In Azure Monitor, set the log retention period for the Log Analytics workspaces associated with Azure Network Watcher according to your organization's compliance regulations.

Responsibility: Customer

Azure Security Center monitoring: None

2.6: Monitor and review logs

Guidance: Use Azure Activity Log to monitor configurations and detect changes for your Azure Network Watcher instances. Other than at the control plane (for example, the Azure portal), Network Watcher itself does not generate logs related to network traffic. Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.

Responsibility: Customer

Azure Security Center monitoring: None

2.7: Enable alerts for anomalous activities

Guidance: You can configure alerts based on the Activity Log entries related to Azure Network Watcher. Azure Monitor allows you to configure an alert to send an email notification, call a webhook, or invoke an Azure Logic App.
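Controls 2.2, 2.3, 2.6 and 2.7 all come down to the same thing: the only record of a Network Watcher change is the Activity Log, so the alert logic has to work from control-plane events. The following is an added example, not code from the baseline or from Microsoft. It takes a constructed Activity Log export (a simplified subset of the event schema: operationName, status, caller, resourceId, eventTimestamp; the real schema nests status as an object with a value field) and ranks configuration changes the way an Azure Monitor alert rule would, treating a deleted watcher or flow log as the loss of visibility it is. APPROVED_CHANGE_PRINCIPALS and all identities in the events are placeholders.

```python
"""Alerting logic over Azure Activity Log events for Network Watcher changes.

Added example for controls 2.2, 2.3, 2.6 and 2.7; not code from the baseline
or from Microsoft. Events are CONSTRUCTED and use a simplified subset of the
Activity Log event schema. APPROVED_CHANGE_PRINCIPALS is a placeholder for
your own automation and break-glass identities.
"""
import json
from fnmatch import fnmatchcase

WATCHER_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
              "/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network"
              "/networkWatchers/NetworkWatcher_eastus")

# Constructed sample: an Activity Log export flattened to one JSON object per line.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"eventTimestamp": "2021-03-01T08:00:01Z", "status": "Succeeded",
     "operationName": "Microsoft.Network/networkWatchers/read",
     "caller": "reader@contoso.example", "resourceId": WATCHER_ID},
    {"eventTimestamp": "2021-03-01T08:05:12Z", "status": "Succeeded",
     "operationName": "Microsoft.Network/networkWatchers/flowLogs/write",
     "caller": "netops-automation@contoso.example",
     "resourceId": WATCHER_ID + "/flowLogs/nsg-web-flowlog"},
    {"eventTimestamp": "2021-03-01T23:41:30Z", "status": "Succeeded",
     "operationName": "Microsoft.Network/networkWatchers/flowLogs/delete",
     "caller": "contractor@external.example",
     "resourceId": WATCHER_ID + "/flowLogs/nsg-web-flowlog"},
    {"eventTimestamp": "2021-03-01T23:42:10Z", "status": "Failed",
     "operationName": "Microsoft.Network/networkWatchers/delete",
     "caller": "contractor@external.example", "resourceId": WATCHER_ID},
])

# Placeholder: identities expected to change Network Watcher configuration.
APPROVED_CHANGE_PRINCIPALS = {"netops-automation@contoso.example"}

# Operation-name patterns that are configuration changes, with the severity a
# successful change deserves. Deleting a watcher or a flow log removes
# visibility, so it ranks above an ordinary write. fnmatch's '*' also matches
# '/', which is how Azure operation wildcards behave.
CHANGE_RULES = [
    ("Microsoft.Network/networkWatchers/delete", "High"),
    ("Microsoft.Network/networkWatchers/*/delete", "High"),
    ("Microsoft.Network/networkWatchers/write", "Medium"),
    ("Microsoft.Network/networkWatchers/*/write", "Medium"),
]


def classify(operation_name):
    """Return the base severity for a change operation, or None for reads."""
    for pattern, severity in CHANGE_RULES:
        if fnmatchcase(operation_name, pattern):
            return severity
    return None


def evaluate_events(jsonl_text):
    """Turn exported Activity Log events into alert-worthy findings."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity = classify(event["operationName"])
        if severity is None:
            continue  # read/list operations are not configuration changes
        reasons = [f"{event['operationName']} ({event['status']})"]
        if event["status"] != "Succeeded":
            # A failed change attempt is still worth seeing, but nothing changed.
            severity = "Low"
        if event["caller"] not in APPROVED_CHANGE_PRINCIPALS:
            reasons.append("caller is not an approved change principal")
            if severity == "Medium":
                severity = "High"
        findings.append({"severity": severity, "caller": event["caller"],
                         "resourceId": event["resourceId"],
                         "time": event["eventTimestamp"], "reasons": reasons})
    return findings


def count_by_severity(findings):
    """Summary counts, the shape an alert digest would carry."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate_events(SAMPLE_EXPORT):
        print(f["severity"], f["time"], f["caller"], "; ".join(f["reasons"]))
```

On the constructed export the read is ignored, the approved automation's flow-log write is a Medium finding, the flow-log deletion by an unapproved caller is High, and the failed attempt to delete the watcher itself is Low but still recorded, since a failed control-plane change from an unexpected identity is exactly what 2.7 asks you to notice.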

Responsibility: Customer

Azure Security Center monitoring: None

Identity and Access Control

For more information, see the Azure Security Benchmark: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Maintain an inventory of the user accounts that have administrative access to the control plane (for example, the Azure portal) of Azure Network Watcher. To use Network Watcher capabilities, the account you log into Azure with must be assigned the Owner, Contributor, or Network Contributor built-in role, or a custom role that has been assigned the actions listed for the specific Network Watcher capabilities.

You can use the Identity and Access control (IAM) pane in the Azure portal for your subscription to configure Azure role-based access control (Azure RBAC). The roles are applied to users, groups, service principals, and managed identities in Active Directory.

Responsibility: Customer

Azure Security Center monitoring: None

3.2: Change default passwords where applicable

Guidance: Azure Active Directory (Azure AD) does not have the concept of default passwords. Other Azure resources that require a password force one to be created with complexity requirements and a minimum password length, which differ by service. You are responsible for third-party applications and marketplace services that may use default passwords.

Responsibility: Customer

Azure Security Center monitoring: None

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Security Center Identity and Access Management to monitor the number of administrative accounts.

Keep track of dedicated administrative accounts and use recommendations from Security Center or built-in Azure Policies, such as:

  • There should be more than one owner assigned to your subscription

  • Deprecated accounts with owner permissions should be removed from your subscription

  • External accounts with owner permissions should be removed from your subscription

For more information, see the following references:

Responsibility: Customer

Azure Security Center monitoring: None

3.5: Use multi-factor authentication for all Azure Active Directory-based access

Guidance: Enable Azure Active Directory (Azure AD) multifactor authentication and follow the Azure Security Center Identity and Access Management recommendations.

Responsibility: Customer

Azure Security Center monitoring: None

3.6: Use secure, Azure-managed workstations for administrative tasks

Guidance: Use a Privileged Access Workstation (PAW) with Azure AD multifactor authentication enabled to log into and configure your Azure Sentinel-related resources.

Responsibility: Customer

Azure Security Center monitoring: None

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to generate logs and alerts when suspicious or unsafe activity occurs in the environment.

In addition, use Azure AD risk detections to view alerts and reports on risky user behavior.

Responsibility: Customer

Azure Security Center monitoring: None

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access to the Azure portal only from specific logical groupings of IP address ranges or countries/regions.

Responsibility: Customer

Azure Security Center monitoring: None

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for your Azure Sentinel instances. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

Responsibility: Customer

Azure Security Center monitoring: None

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory (Azure AD) provides logs to help you discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

Responsibility: Customer

Azure Security Center monitoring: None

3.11: Monitor attempts to access deactivated credentials

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for Azure Network Watcher. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

You have access to the Azure AD sign-in activity, audit, and risk event log sources, which you can integrate with Azure Sentinel or a third-party SIEM.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can then configure the log alerts you need within Log Analytics.

Responsibility: Customer

Azure Security Center monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

4.4: Encrypt all sensitive information in transit

Guidance: If you are using Azure VPN Gateway to create a secure connection between your on-premises network and your Azure virtual networks, ensure that your on-premises local network gateway has been configured with compatible IPsec communication and encryption parameters. Any misconfiguration will lead to loss of connectivity between the on-premises network and Azure.

Responsibility: Customer

Azure Security Center monitoring: None

4.6: Use Azure RBAC to control access to resources

Guidance: You can use the Identity and Access control (IAM) pane in the Azure portal for your subscription to configure Azure role-based access control (Azure RBAC). The roles are applied to users, groups, service principals, and managed identities in Active Directory. You can use built-in roles or custom roles for individuals and groups.

To use Network Watcher capabilities, the account you log into Azure with must be assigned the Owner, Contributor, or Network Contributor built-in role, or a custom role that has been assigned the actions listed for the specific Network Watcher capabilities.
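Controls 3.1 and 4.6 both rest on one question: given the role assignments in a subscription, which principals can actually exercise a Network Watcher capability? The block below is an added example, not code from the baseline or from Microsoft. It models the Azure RBAC evaluation (Actions minus NotActions, `*` wildcards that span `/`, case-insensitive matching, permissions additive across a principal's assignments, scope inheritance) over constructed role assignments and produces the 3.1 inventory for a capability. The built-in role definitions are abridged to the patterns that matter here; the custom role, the assignments, and the capability-to-action map are constructed, and the authoritative list of actions per capability is the one in the Network Watcher RBAC documentation, not this map.

```python
"""Who can use Network Watcher under Azure RBAC?

Added example for controls 3.1 and 4.6; not code from the baseline or from
Microsoft. Built-in roles are ABRIDGED (Owner: *; Contributor: * minus three
Microsoft.Authorization NotActions; Network Contributor: Microsoft.Network/*;
Reader: */read). The custom role, the assignments and CAPABILITY_ACTIONS are
constructed illustrations.
"""
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/NetworkWatcherRG"
WATCHER = RG + "/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus"

ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Network Contributor": {"actions": ["Microsoft.Network/*"], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
    # Constructed custom role: read-only view of watchers and their child resources.
    "Network Watcher Viewer (custom)": {"actions": [
        "Microsoft.Network/networkWatchers/read",
        "Microsoft.Network/networkWatchers/*/read"], "notActions": []},
}

# Illustrative action sets (assumption) for two capabilities.
CAPABILITY_ACTIONS = {
    "list watchers": ["Microsoft.Network/networkWatchers/read"],
    "configure flow logs": ["Microsoft.Network/networkWatchers/read",
                            "Microsoft.Network/networkWatchers/flowLogs/write"],
}

# Constructed role assignments (principal, role, scope).
ROLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Owner", "scope": SUB},
    {"principal": "netops-sp", "role": "Network Contributor", "scope": SUB},
    {"principal": "bob@contoso.example", "role": "Reader", "scope": SUB},
    {"principal": "noc-viewer-group", "role": "Network Watcher Viewer (custom)",
     "scope": RG},
]


def _matches(action, pattern):
    # Azure RBAC matching is case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role_name, action):
    """Azure RBAC semantics for one role: Actions minus NotActions."""
    role = ROLE_DEFINITIONS[role_name]
    granted = any(_matches(action, p) for p in role["actions"])
    excluded = any(_matches(action, p) for p in role["notActions"])
    return granted and not excluded


def scope_covers(assignment_scope, resource_id):
    # Simplification: an assignment at a scope covers every resource id beneath it.
    return resource_id.lower().startswith(assignment_scope.lower())


def principal_allowed(principal, action, resource_id, assignments):
    """Permissions are additive across all of a principal's assignments."""
    return any(a["principal"] == principal
               and scope_covers(a["scope"], resource_id)
               and role_allows(a["role"], action)
               for a in assignments)


def principals_with_capability(capability, resource_id, assignments=ROLE_ASSIGNMENTS):
    """Inventory for control 3.1: who can exercise a capability on a resource."""
    needed = CAPABILITY_ACTIONS[capability]
    principals = {a["principal"] for a in assignments}
    return sorted(p for p in principals
                  if all(principal_allowed(p, act, resource_id, assignments)
                         for act in needed))


if __name__ == "__main__":
    for cap in CAPABILITY_ACTIONS:
        print(cap, "->", principals_with_capability(cap, WATCHER))
```

The useful output is the second list: only the Owner and the Network Contributor service principal can change flow-log configuration, while the Reader and the resource-group-scoped custom viewer role can list watchers but not alter them. Running this kind of evaluation against real `az role assignment list` output is a cheap way to keep the 3.1 inventory honest, because it surfaces principals whose Owner or Contributor assignment at subscription scope quietly grants every Network Watcher action.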

Responsibility: Customer

Azure Security Center monitoring: None

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to Azure Network Watcher and other critical or related resources.

Responsibility: Customer

Azure Security Center monitoring: None

Inventory and Asset Management

For more information, see the Azure Security Benchmark: Inventory and Asset Management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query and discover all resources (such as compute, storage, network, ports, and protocols) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as the resources within them.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended that you create and use Azure Resource Manager resources going forward.

Responsibility: Customer

Azure Security Center monitoring: None

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

In addition, use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s), using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

For more information, see the following references:

Responsibility: Customer

Azure Security Center monitoring: None

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in your subscriptions.

Use Azure Resource Graph to query for and discover resources within your subscriptions. Ensure that all Azure resources present in the environment are approved.

Responsibility: Customer

Azure Security Center monitoring: None

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s), using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types
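Controls 6.1, 6.3, 6.5 and 6.9 describe one loop: enumerate resources with Resource Graph, compare them with the Allowed resource types and Not allowed resource types policies, and reconcile what does not belong. The block below is an added example, not code from the baseline or from Microsoft. It runs that comparison offline over a constructed inventory in the shape Resource Graph returns for `resources | project id, type, tags` (types come back lower-cased), and adds the required-tag check that 6.3's tagging advice implies. The parameter names listOfResourceTypesAllowed and listOfResourceTypesNotAllowed are assumed to follow the two built-in definitions; both built-ins compare exact type strings case-insensitively, which is what the evaluator does.

```python
"""Reconcile a resource inventory against allowed / not-allowed resource types.

Added example for controls 6.1, 6.3, 6.5 and 6.9; not code from the baseline
or from Microsoft. INVENTORY is CONSTRUCTED; parameter names are assumed to
follow the built-in 'Allowed resource types' and 'Not allowed resource types'
policy definitions.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed Resource Graph rows: id, type (lower-cased by Resource Graph), tags.
INVENTORY = [
    {"id": SUB + "/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network"
               "/networkWatchers/NetworkWatcher_eastus",
     "type": "microsoft.network/networkwatchers", "tags": {"env": "prod"}},
    {"id": SUB + "/resourceGroups/net-prod/providers/Microsoft.Network"
               "/virtualNetworks/vnet-prod",
     "type": "microsoft.network/virtualnetworks", "tags": {"env": "prod"}},
    {"id": SUB + "/resourceGroups/net-prod/providers/Microsoft.Storage"
               "/storageAccounts/nsgflowlogs",
     "type": "microsoft.storage/storageaccounts", "tags": {}},
    {"id": SUB + "/resourceGroups/sandbox/providers/Microsoft.Compute"
               "/virtualMachines/vm-unexpected",
     "type": "microsoft.compute/virtualmachines", "tags": {"env": "prod"}},
    {"id": SUB + "/resourceGroups/legacy/providers/Microsoft.ClassicNetwork"
               "/virtualNetworks/legacy-vnet",
     "type": "microsoft.classicnetwork/virtualnetworks", "tags": {}},
]

# Assignment parameters as they would be set on the two built-in policies
# (parameter names assumed; values constructed for this subscription).
ALLOWED_TYPES = ["Microsoft.Network/networkWatchers",
                 "Microsoft.Network/virtualNetworks",
                 "Microsoft.Storage/storageAccounts"]
NOT_ALLOWED_TYPES = ["Microsoft.ClassicNetwork/virtualNetworks",
                     "Microsoft.ClassicCompute/virtualMachines"]
REQUIRED_TAGS = ("env",)


def _norm(resource_type):
    # Azure Policy compares resource types case-insensitively.
    return resource_type.lower()


def policy_violations(inventory, allowed=ALLOWED_TYPES, not_allowed=NOT_ALLOWED_TYPES):
    """Resources the two built-in policies would flag as non-compliant."""
    allowed_set = {_norm(t) for t in allowed}
    denied_set = {_norm(t) for t in not_allowed}
    findings = []
    for res in inventory:
        rtype = _norm(res["type"])
        reasons = []
        if rtype not in allowed_set:
            reasons.append("type not in listOfResourceTypesAllowed")
        if rtype in denied_set:
            reasons.append("type in listOfResourceTypesNotAllowed")
        if reasons:
            findings.append({"id": res["id"], "type": res["type"], "reasons": reasons})
    return findings


def missing_tags(inventory, required=REQUIRED_TAGS):
    """Resources that cannot be tracked because a required tag is absent."""
    return [res["id"] for res in inventory
            if any(key not in (res.get("tags") or {}) for key in required)]


if __name__ == "__main__":
    for f in policy_violations(INVENTORY):
        print("NON-COMPLIANT", f["type"], f["id"], "; ".join(f["reasons"]))
    for rid in missing_tags(INVENTORY):
        print("UNTAGGED", rid)
```

Two things the run makes visible: the sandbox VM is flagged only by the allow-list, while the classic virtual network is flagged by both policies, matching 6.1's point that classic resources show up in discovery but should not be created going forward. Note that a Deny effect on these policies only blocks new deployments; resources that already exist are reported as non-compliant and still have to be removed through the 6.3 reconciliation, which is why the evaluator reports them rather than assuming the policy has handled them.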

For more information, see the following references:

Responsibility: Customer

Azure Security Center monitoring: None

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

Responsibility: Customer

Azure Security Center monitoring: None

Secure Configuration

For more information, see the Azure Security Benchmark: Secure Configuration.

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

Malware Defense

For more information, see the Azure Security Benchmark: Malware Defense.

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Not applicable; Network Watcher does not operate on user-uploaded data.

Responsibility: Customer

Azure Security Center monitoring: None

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling and management, from detection to post-incident review.

Responsibility: Customer

Azure Security Center monitoring: None

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production, non-production) and create a naming system to clearly identify and categorize Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Responsibility: Customer

Azure Security Center monitoring: None

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Responsibility: Customer

Azure Security Center monitoring: None

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Responsibility: Customer

Azure Security Center monitoring: None

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations.

Responsibility: Customer

Azure Security Center monitoring: None

Penetration Tests and Red Team Exercises

For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Azure policies. Use Azure's strategy and execution of Red Teaming and live site penetration testing against Azure-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Azure Security Center monitoring: None

Next steps