Azure 网络服务的 Azure Policy 法规遵从性控制措施Azure Policy Regulatory Compliance controls for Azure networking services

Azure Policy 中的法规符合性为与不同符合性标准相关的“符合域”和“安全控件”提供 Microsoft 创建和管理的计划定义,称为“内置” 。Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. 此页列出 Azure 网络服务的“合规域”和“安全控制措施” 。This page lists the compliance domains and security controls for Azure networking services. 可以分别为“安全控件”分配内置项,以帮助 Azure 资源符合特定的标准。You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

每个内置策略定义链接(指向 Azure 门户中的策略定义)的标题。The title of each built-in policy definition links to the policy definition in the Azure portal. 使用“策略版本”列中的链接查看 Azure Policy GitHub 存储库上的源。Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

重要

下面的每个控件都与一个或多个 Azure Policy 定义关联。Each control below is associated with one or more Azure Policy definitions. 这些策略有助于评估控制的合规性;但是,控制与一个或多个策略之间通常不是一对一或完全匹配。These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. 因此,Azure Policy 中的符合性仅引用策略本身;这不确保你完全符合控件的所有要求。As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. 此外,符合性标准包含目前未由任何 Azure Policy 定义处理的控件。In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. 因此,Azure Policy 中的符合性只是整体符合性状态的部分视图。Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. 这些符合性标准的控制措施和 Azure Policy 法规符合性定义之间的关联可能会随着时间的推移而发生变化。The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Azure 安全基准 v1Azure Security Benchmark v1

Azure 安全基准提供有关如何在 Azure 上保护云解决方案的建议。The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. 若要查看此服务如何完全映射到 Azure 安全基准,请参阅 Azure 安全基准映射文件To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files. 若要查看所有 Azure 服务的可用 Azure Policy 内置项如何映射到此合规性标准,请参阅 Azure Policy 法规遵从性 - Azure 安全基准。To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

Domain 控制 IDControl ID 控制标题Control title 策略Policy
(Azure 门户)(Azure portal)
策略版本Policy version
(GitHub)(GitHub)
网络安全Network Security 1.11.1 在虚拟网络上使用网络安全组或 Azure 防火墙来保护资源Protect resources using Network Security Groups or Azure Firewall on your Virtual Network 所有 Internet 流量都应通过所部署的 Azure 防火墙进行路由All Internet traffic should be routed via your deployed Azure Firewall 3.0.0-preview3.0.0-preview
网络安全Network Security 1.11.1 在虚拟网络上使用网络安全组或 Azure 防火墙来保护资源Protect resources using Network Security Groups or Azure Firewall on your Virtual Network 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络安全Network Security 1.11.1 在虚拟网络上使用网络安全组或 Azure 防火墙来保护资源Protect resources using Network Security Groups or Azure Firewall on your Virtual Network 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络安全Network Security 1.11.1 在虚拟网络上使用网络安全组或 Azure 防火墙来保护资源Protect resources using Network Security Groups or Azure Firewall on your Virtual Network 虚拟网络应使用指定的虚拟网络网关Virtual networks should use specified virtual network gateway 1.0.01.0.0
网络安全Network Security 1.21.2 监视和记录 VNet、子网和 NIC 的配置和流量Monitor and log the configuration and traffic of Vnets, Subnets, and NICs 应启用网络观察程序Network Watcher should be enabled 1.1.01.1.0
网络安全Network Security 1.41.4 拒绝与已知的恶意 IP 地址通信Deny communications with known malicious IP addresses 所有 Internet 流量都应通过所部署的 Azure 防火墙进行路由All Internet traffic should be routed via your deployed Azure Firewall 3.0.0-preview3.0.0-preview
网络安全Network Security 1.41.4 拒绝与已知的恶意 IP 地址通信Deny communications with known malicious IP addresses 应启用 Azure DDoS 防护标准Azure DDoS Protection Standard should be enabled 3.0.03.0.0
网络安全Network Security 1.51.5 记录网络数据包和流日志Record network packets and flow logs 应启用网络观察程序Network Watcher should be enabled 1.1.01.1.0

CIS Azure 基础基准检验CIS Azure Foundations Benchmark

若要查看所有 Azure 服务的可用 Azure Policy 内置项如何映射到此合规性标准,请参阅 Azure Policy 法规遵从性 - CIS Microsoft Azure 基础基准 1.1.0。To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0.

有关此符合性标准的详细信息,请参阅 CIS Azure 基础基准检验For more information about this compliance standard, see CIS Azure Foundations Benchmark.

Domain 控制 IDControl ID 控制标题Control title 策略Policy
(Azure 门户)(Azure portal)
策略版本Policy version
(GitHub)(GitHub)
安全中心Security Center 2.92.9 确保 ASC 默认策略设置“启用下一代防火墙(NGFW)监视”不是处于“已禁用”状态Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络Networking 6.16.1 确保限制从 Internet 进行的 RDP 访问Ensure that RDP access is restricted from the internet 应阻止来自 Internet 的 RDP 访问RDP access from the Internet should be blocked 2.0.02.0.0
网络Networking 6.26.2 确保限制从 Internet 进行的 SSH 访问Ensure that SSH access is restricted from the internet 应阻止来自 Internet 的 SSH 访问SSH access from the Internet should be blocked 2.0.02.0.0
网络Networking 6.56.5 确保网络观察程序设置为“已启用”Ensure that Network Watcher is 'Enabled' 应启用网络观察程序Network Watcher should be enabled 1.1.01.1.0

HIPAA HITRUST 9.2HIPAA HITRUST 9.2

若要查看所有 Azure 服务的可用 Azure Policy 内置项如何映射到此合规性标准,请参阅 Azure Policy 法规合规性 - HIPAA HITRUST 9.2。To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2.

有关此合规性标准的详细信息,请参阅 HIPAA HITRUST 9.2For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain 控制 IDControl ID 控制标题Control title 策略Policy
(Azure 门户)(Azure portal)
策略版本Policy version
(GitHub)(GitHub)
网络隔离Segregation in Networks 0805.01m1Organizational.12 - 01.m0805.01m1Organizational.12 - 01.m 组织的安全网关(例如防火墙)强制执行安全策略,并配置为筛选域之间的流量、阻止未经授权的访问。它用于维护内部有线、内部无线和外部网络段(如 Internet,包括 DMZ)之间的隔离,并对每个域强制执行访问控制策略。The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. 不应在网关子网中配置网络安全组Gateway subnets should not be configured with a network security group 1.0.01.0.0
网络隔离Segregation in Networks 0805.01m1Organizational.12 - 01.m0805.01m1Organizational.12 - 01.m 组织的安全网关(例如防火墙)强制执行安全策略,并配置为筛选域之间的流量、阻止未经授权的访问。它用于维护内部有线、内部无线和外部网络段(如 Internet,包括 DMZ)之间的隔离,并对每个域强制执行访问控制策略。The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络隔离Segregation in Networks 0805.01m1Organizational.12 - 01.m0805.01m1Organizational.12 - 01.m 组织的安全网关(例如防火墙)强制执行安全策略,并配置为筛选域之间的流量、阻止未经授权的访问。它用于维护内部有线、内部无线和外部网络段(如 Internet,包括 DMZ)之间的隔离,并对每个域强制执行访问控制策略。The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络隔离Segregation in Networks 0806.01m2Organizational.12356 - 01.m0806.01m2Organizational.12356 - 01.m 组织网络根据组织要求使用定义的安全外围和一组分级的控制以逻辑方式和物理方式进行分段,包括在逻辑上与内部网络分离的可公开访问的系统组件子网;流量控制基于所需的功能,而数据/系统的分类控制则基于风险评估及其各自的安全要求。The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. 不应在网关子网中配置网络安全组Gateway subnets should not be configured with a network security group 1.0.01.0.0
网络隔离Segregation in Networks 0806.01m2Organizational.12356 - 01.m0806.01m2Organizational.12356 - 01.m 组织网络根据组织要求使用定义的安全外围和一组分级的控制以逻辑方式和物理方式进行分段,包括在逻辑上与内部网络分离的可公开访问的系统组件子网;流量控制基于所需的功能,而数据/系统的分类控制则基于风险评估及其各自的安全要求。The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络隔离Segregation in Networks 0806.01m2Organizational.12356 - 01.m0806.01m2Organizational.12356 - 01.m 组织网络根据组织要求使用定义的安全外围和一组分级的控制以逻辑方式和物理方式进行分段,包括在逻辑上与内部网络分离的可公开访问的系统组件子网;流量控制基于所需的功能,而数据/系统的分类控制则基于风险评估及其各自的安全要求。The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络隔离Segregation in Networks 0894.01m2Organizational.7 - 01.m0894.01m2Organizational.7 - 01.m 将物理服务器、应用程序或数据迁移到虚拟化服务器时,网络会与生产级网络分离。Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. 创建虚拟网络时部署网络观察程序Deploy network watcher when virtual networks are created 1.0.01.0.0
网络隔离Segregation in Networks 0894.01m2Organizational.7 - 01.m0894.01m2Organizational.7 - 01.m 将物理服务器、应用程序或数据迁移到虚拟化服务器时,网络会与生产级网络分离。Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. 不应在网关子网中配置网络安全组Gateway subnets should not be configured with a network security group 1.0.01.0.0
网络隔离Segregation in Networks 0894.01m2Organizational.7 - 01.m0894.01m2Organizational.7 - 01.m 将物理服务器、应用程序或数据迁移到虚拟化服务器时,网络会与生产级网络分离。Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络隔离Segregation in Networks 0894.01m2Organizational.7 - 01.m0894.01m2Organizational.7 - 01.m 将物理服务器、应用程序或数据迁移到虚拟化服务器时,网络会与生产级网络分离。Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络连接控制Network Connection Control 0809.01n2Organizational.1234 - 01.n0809.01n2Organizational.1234 - 01.n 通过每个网络访问点或外部电信服务托管接口的防火墙和其他网络相关限制,根据组织的访问控制策略来控制网络流量。Network traffic is controlled in accordance with the organizations access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络连接控制Network Connection Control 0809.01n2Organizational.1234 - 01.n0809.01n2Organizational.1234 - 01.n 通过每个网络访问点或外部电信服务托管接口的防火墙和其他网络相关限制,根据组织的访问控制策略来控制网络流量。Network traffic is controlled in accordance with the organizations access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络连接控制Network Connection Control 0810.01n2Organizational.5 - 01.n0810.01n2Organizational.5 - 01.n 传输的信息是安全的,并且至少在开放的公用网络上已加密。Transmitted information is secured and, at a minimum, encrypted over open, public networks. 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络连接控制Network Connection Control 0810.01n2Organizational.5 - 01.n0810.01n2Organizational.5 - 01.n 传输的信息是安全的,并且至少在开放的公用网络上已加密。Transmitted information is secured and, at a minimum, encrypted over open, public networks. 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络连接控制Network Connection Control 0811.01n2Organizational.6 - 01.n0811.01n2Organizational.6 - 01.n 记录流量流策略的例外情况(包括支持性任务/业务需求、例外情况持续时间),并至少每年审查一次;当明确的任务/业务需求不再支持流量流策略例外情况时,该项例外会被删除。Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络连接控制Network Connection Control 0811.01n2Organizational.6 - 01.n0811.01n2Organizational.6 - 01.n 记录流量流策略的例外情况(包括支持性任务/业务需求、例外情况持续时间),并至少每年审查一次;当明确的任务/业务需求不再支持流量流策略例外情况时,该项例外会被删除。Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络连接控制Network Connection Control 0812.01n2Organizational.8 - 01.n0812.01n2Organizational.8 - 01.n 不允许建立非远程连接的远程设备与外部(远程)资源进行通信。Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络连接控制Network Connection Control 0812.01n2Organizational.8 - 01.n0812.01n2Organizational.8 - 01.n 不允许建立非远程连接的远程设备与外部(远程)资源进行通信。Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络连接控制Network Connection Control 0814.01n1Organizational.12 - 01.n0814.01n1Organizational.12 - 01.n 根据访问控制策略以及临床和商业应用程序的要求,使用托管接口上的“默认拒绝,出现例外情况时允许”策略来限制用户连接到内部网络的能力。The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. 子网应与网络安全组关联Subnets should be associated with a Network Security Group 3.0.03.0.0
网络连接控制Network Connection Control 0814.01n1Organizational.12 - 01.n0814.01n1Organizational.12 - 01.n 根据访问控制策略以及临床和商业应用程序的要求,使用托管接口上的“默认拒绝,出现例外情况时允许”策略来限制用户连接到内部网络的能力。The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. 虚拟机应连接到已批准的虚拟网络Virtual machines should be connected to an approved virtual network 1.0.01.0.0
网络控制Network Controls 0860.09m1Organizational.9 - 09.m0860.09m1Organizational.9 - 09.m 组织正式管理网络上的设备,包括用户区域中的设备。The organization formally manages equipment on the network, including equipment in user areas. 为网络安全组部署诊断设置Deploy Diagnostic Settings for Network Security Groups 1.0.01.0.0
网络服务安全Security of Network Services 0837.09.n2Organizational.2 - 09.n0837.09.n2Organizational.2 - 09.n 与外部信息系统提供商签署的正式协议包括对安全性和隐私的特定义务。Formal agreements with external information system providers include specific obligations for security and privacy. 应启用网络观察程序Network Watcher should be enabled 1.1.01.1.0
网络服务安全Security of Network Services 0886.09n2Organizational.4 - 09.n0886.09n2Organizational.4 - 09.n 组织在正式协议或其他文档中采用并记录 i) “全部允许,出现例外情况时拒绝”,或 ii)“全部拒绝,出现例外情况时允许”(首选)策略,以允许特定信息系统连接到外部信息系统。The organization employs and documents in a formal agreement or other document, either i) allow-all, deny-by-exception, or, ii) deny-all, permit-by-exception (preferred), policy for allowing specific information systems to connect to external information systems. 应启用网络观察程序Network Watcher should be enabled 1.1.01.1.0
网络服务安全Security of Network Services 0888.09n2Organizational.6 - 09.n0888.09n2Organizational.6 - 09.n 与外部/外包服务提供商的合同包括要求服务提供商负责保护共享的涵盖信息这一规定。The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. 应启用网络观察程序Network Watcher should be enabled 1.1.01.1.0

NIST SP 800-171 R2NIST SP 800-171 R2

若要查看所有 Azure 服务的可用 Azure Policy 内置项如何映射到此合规性标准,请参阅 Azure Policy 法规遵从性 - NIST SP 800-171 R2。To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2.

有关此符合性标准的详细信息,请参阅 NIST SP 800-171 R2For more information about this compliance standard, see NIST SP 800-171 R2.

Domain 控制 IDControl ID 控制标题Control title 策略Policy
(Azure 门户)(Azure portal)
策略版本Policy version
(GitHub)(GitHub)
系统和信息完整性System and Information Integrity 3.14.63.14.6 监视组织系统(包括入站和出站通信流量),检测攻击和潜在攻击的指示。Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. 应启用网络观察程序Network Watcher should be enabled 1.1.01.1.0

NIST SP 800-53 R4NIST SP 800-53 R4

若要查看所有 Azure 服务的可用 Azure Policy 内置项如何映射到此合规性标准,请参阅 Azure Policy 法规遵从性 - NIST SP 800-53 R4。To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 R4.

有关此符合性标准的详细信息,请参阅 NIST SP 800-53 R4For more information about this compliance standard, see NIST SP 800-53 R4.

Domain 控制 IDControl ID 控制标题Control title 策略Policy
(Azure 门户)(Azure portal)
策略版本Policy version
(GitHub)(GitHub)
系统和通信保护System and Communications Protection SC-5SC-5 拒绝服务保护Denial of Service Protection 应启用 Azure DDoS 防护标准Azure DDoS Protection Standard should be enabled 3.0.03.0.0

后续步骤Next steps