Azure Policy built-in definitions for Azure Security Center

This page is an index of Azure Policy built-in policy definitions related to Azure Security Center. The following groupings of policy definitions are available:

For more information about security policies, see Working with security policies. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Security Center initiatives

To learn about the built-in initiatives that are monitored by Security Center, see the following table:

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Enable Data Protection Suite | Enable data protection for SQL servers. This initiative is assigned automatically by Azure Security Center Standard Tier. | 1 | 1.0.0-preview |
| Azure Security Benchmark | The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | 176 | 24.2.1 |

Security Center's default initiative (Azure Security Benchmark)

To learn about the built-in policies that are monitored by Security Center, see the following table:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 3.0.0 |
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.0 |
| All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Audit, Deny, Disabled | 1.0.3 |
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, deny, disabled | 1.0.2 |
| Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.0 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.1 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.1 |
| Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Audit, Deny, Disabled | 1.0.3 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/azureml-workspaces-privatelink. | Audit, Disabled | 1.0.1 |
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.1 |
| Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/cosmosdb-cmk. | Audit, Deny, Disabled | 1.0.3 |
| Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Audit, Deny, Disabled | 1.1.2 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here: https://aka.ms/acr/vnet. | Audit, Disabled | 1.0.1 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 |
| Disk encryption should be applied on virtual machines | Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 5.0.1 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 5.0.1 |
| Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 5.0.1 |
| Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 5.0.1 |
| Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 5.0.1 |
| Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
应从订阅中删除具有写入权限的外部帐户External accounts with write permissions should be removed from your subscription 应从订阅中删除拥有写入特权的外部帐户,以防发生未受监视的访问。External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应仅在 API 应用中需要 FTPSFTPS only should be required in your API App 启用 FTPS 强制以实现增强的安全性Enable FTPS enforcement for enhanced security AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应仅在函数应用中要求使用 FTPSFTPS only should be required in your Function App 启用 FTPS 强制以实现增强的安全性Enable FTPS enforcement for enhanced security AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应仅在 Web 应用中要求使用 FTPSFTPS should be required in your Web App 启用 FTPS 强制以实现增强的安全性Enable FTPS enforcement for enhanced security AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应该只能通过 HTTPS 访问函数应用Function App should only be accessible over HTTPS 使用 HTTPS 可确保执行服务器/服务身份验证服务,并保护传输中的数据不受网络层窃听攻击威胁。Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit、DisabledAudit, Disabled 1.0.01.0.0
确保函数应用已启用“客户端证书(传入客户端证书)”Function apps should have 'Client Certificates (Incoming client certificates)' enabled 客户端证书允许应用请求传入请求的证书。Client certificates allow for the app to request a certificate for incoming requests. 只有具有有效证书的客户端才能访问该应用。Only clients with valid certificates will be able to reach the app. Audit、DisabledAudit, Disabled 1.0.11.0.1
应为 Azure Database for MariaDB 启用异地冗余备份Geo-redundant backup should be enabled for Azure Database for MariaDB 通过 Azure Database for MariaDB,你可以为数据库服务器选择冗余选项。Azure Database for MariaDB allows you to choose the redundancy option for your database server. 它可以设置为异地冗余备份存储,其中数据不仅存储在托管服务器的区域内,还可以复制到配对区域,以便在区域发生故障时提供恢复选项。It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 只能在服务器创建期间为备份配置异地冗余存储。Configuring geo-redundant storage for backup is only allowed during server create. Audit、DisabledAudit, Disabled 1.0.11.0.1
应为 Azure Database for MySQL 启用异地冗余备份Geo-redundant backup should be enabled for Azure Database for MySQL 通过 Azure Database for MySQL,你可以为数据库服务器选择冗余选项。Azure Database for MySQL allows you to choose the redundancy option for your database server. 它可以设置为异地冗余备份存储,其中数据不仅存储在托管服务器的区域内,还可以复制到配对区域,以便在区域发生故障时提供恢复选项。It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 只能在服务器创建期间为备份配置异地冗余存储。Configuring geo-redundant storage for backup is only allowed during server create. Audit、DisabledAudit, Disabled 1.0.11.0.1
应为 Azure Database for PostgreSQL 启用异地冗余备份Geo-redundant backup should be enabled for Azure Database for PostgreSQL 通过 Azure Database for PostgreSQL,你可以为数据库服务器选择冗余选项。Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. 它可以设置为异地冗余备份存储,其中数据不仅存储在托管服务器的区域内,还可以复制到配对区域,以便在区域发生故障时提供恢复选项。It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. 只能在服务器创建期间为备份配置异地冗余存储。Configuring geo-redundant storage for backup is only allowed during server create. Audit、DisabledAudit, Disabled 1.0.11.0.1
应在计算机上安装来宾配置扩展Guest Configuration extension should be installed on your machines 若要确保安全配置计算机的来宾内设置,请安装来宾配置扩展。To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. 该扩展监视的来宾内设置包括操作系统的配置、应用程序配置或状态以及环境设置。In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. 安装后,来宾内策略将可用,如“应启用 Windows 攻击防护”。Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. 更多信息请访问 https://aka.ms/gcpolLearn more at https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.11.0.1
面向 Internet 的虚拟机应使用网络安全组进行保护Internet-facing virtual machines should be protected with network security groups 使用网络安全组 (NSG) 限制对 VM 的访问,以此防范 VM 遭受潜在威胁。Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 如需详细了解如何使用 NSG 控制流量,请访问 https://aka.ms/nsg-docLearn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应禁用虚拟机上的 IP 转发IP Forwarding on your virtual machine should be disabled 在虚拟机的 NIC 上启用 IP 转发可让该计算机接收发往其他目标的流量。Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. 极少需要启用 IP 转发(例如,将 VM 用作网络虚拟设备时),因此,此策略应由网络安全团队评审。IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
密钥保管库应启用清除保护Key vaults should have purge protection enabled 恶意删除密钥保管库可能会导致永久丢失数据。Malicious deletion of a key vault can lead to permanent data loss. 你组织中的恶意内部人员可能会删除和清除密钥保管库。A malicious insider in your organization can potentially delete and purge key vaults. 清除保护通过强制实施软删除密钥保管库的强制保留期来保护你免受内部攻击。Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. 你的组织内的任何人都无法在软删除保留期内清除你的密钥保管库。No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Audit、Deny、DisabledAudit, Deny, Disabled 1.1.11.1.1
密钥保管库应启用软删除Key vaults should have soft delete enabled 在未启用软删除的情况下删除密钥保管库,将永久删除密钥保管库中存储的所有机密、密钥和证书。Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. 意外删除密钥保管库可能会导致永久丢失数据。Accidental deletion of a key vault can lead to permanent data loss. 软删除允许在可配置的保持期内恢复意外删除的密钥保管库。Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Audit、Deny、DisabledAudit, Deny, Disabled 1.0.21.0.2
Kubernetes 群集容器不得共享主机进程 ID 命名空间或主机 IPC 命名空间Kubernetes cluster containers should not share host process ID or host IPC namespace 此策略阻止 Pod 容器在 Kubernetes 群集中共享主机进程 ID 命名空间和主机 IPC 命名空间。This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. 此策略通常适用于 Kubernetes 服务 (AKS) 以及 AKS 引擎和已启用 Azure Arc 的 Kubernetes 的预览版。This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 有关使用此策略的说明,请访问 https://aka.ms/kubepolicydoc/For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. 审核、拒绝、已禁用audit, deny, disabled 2.0.12.0.1
Kubernetes 群集容器只应使用允许的 AppArmor 配置文件Kubernetes cluster containers should only use allowed AppArmor profiles 此策略可确保容器在 Kubernetes 群集中只使用允许的 AppArmor 配置文件。This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. 此策略通常适用于 Kubernetes 服务 (AKS) 以及 AKS 引擎和已启用 Azure Arc 的 Kubernetes 的预览版。This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 有关使用此策略的说明,请访问 https://aka.ms/kubepolicydocFor instructions on using this policy, visit https://aka.ms/kubepolicydoc. 审核、拒绝、已禁用audit, deny, disabled 2.0.12.0.1
Kubernetes 群集容器只应使用允许的功能Kubernetes cluster containers should only use allowed capabilities 此策略可确保容器在 Kubernetes 群集中只使用允许的功能。This policy ensures containers only use allowed capabilities in a Kubernetes cluster. 此策略通常适用于 Kubernetes 服务 (AKS) 以及 AKS 引擎和已启用 Azure Arc 的 Kubernetes 的预览版。This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 有关使用此策略的说明,请访问 https://aka.ms/kubepolicydocFor instructions on using this policy, visit https://aka.ms/kubepolicydoc. 审核、拒绝、已禁用audit, deny, disabled 2.0.12.0.1
Kubernetes 群集容器应使用只读根文件系统运行Kubernetes cluster containers should run with a read only root file system 此策略可确保在 Kubernetes 群集中使用只读根文件系统运行容器。This policy ensures containers run with a read only root file system in a Kubernetes cluster. 此策略通常适用于 Kubernetes 服务 (AKS) 以及 AKS 引擎和已启用 Azure Arc 的 Kubernetes 的预览版。This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 有关使用此策略的说明,请访问 https://aka.ms/kubepolicydoc/For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. 审核、拒绝、已禁用audit, deny, disabled 2.0.12.0.1
Kubernetes 群集 Pod hostPath 卷只应使用允许的主机路径Kubernetes cluster pod hostPath volumes should only use allowed host paths 此策略可确保 Pod hostPath 卷在 Kubernetes 群集中只使用允许的主机路径。This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. 此策略通常适用于 Kubernetes 服务 (AKS) 以及 AKS 引擎和已启用 Azure Arc 的 Kubernetes 的预览版。This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 有关使用此策略的说明,请访问 https://aka.ms/kubepolicydocFor instructions on using this policy, visit https://aka.ms/kubepolicydoc. 审核、拒绝、已禁用audit, deny, disabled 2.0.12.0.1
Kubernetes 群集 Pod 和容器只应使用批准的用户 ID 和组 ID 运行Kubernetes cluster pods and containers should only run with approved user and group IDs 此策略控制 Pod 和容器可用于在 Kubernetes 群集中运行的用户、主要组、补充组和文件系统组 ID。This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. 此策略通常适用于 Kubernetes 服务 (AKS) 以及 AKS 引擎和已启用 Azure Arc 的 Kubernetes 的预览版。This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 有关使用此策略的说明,请访问 https://aka.ms/kubepolicydocFor instructions on using this policy, visit https://aka.ms/kubepolicydoc. 审核、拒绝、已禁用audit, deny, disabled 2.0.12.0.1
Kubernetes 群集 Pod 只应使用批准的主机网络和端口范围Kubernetes cluster pods should only use approved host network and port range 此策略控制 Pod 在 Kubernetes 群集中对主机网络和允许的主机端口范围的访问。This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. 此策略通常适用于 Kubernetes 服务 (AKS) 以及 AKS 引擎和已启用 Azure Arc 的 Kubernetes 的预览版。This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 有关使用此策略的说明,请访问 https://aka.ms/kubepolicydocFor instructions on using this policy, visit https://aka.ms/kubepolicydoc. 审核、拒绝、已禁用audit, deny, disabled 2.0.12.0.1
Kubernetes 群集不得允许容器特权提升Kubernetes clusters should not allow container privilege escalation 此策略不允许容器在 Kubernetes 群集中使用特权提升。This policy does not allow containers to use privilege escalation in a Kubernetes cluster. 此策略通常适用于 Kubernetes 服务 (AKS) 以及 AKS 引擎和已启用 Azure Arc 的 Kubernetes 的预览版。This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 有关使用此策略的说明,请访问 https://aka.ms/kubepolicydocFor instructions on using this policy, visit https://aka.ms/kubepolicydoc. 审核、拒绝、已禁用audit, deny, disabled 2.0.12.0.1
Kubernetes 服务应升级到不易受攻击的 Kubernetes 版本Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version 将 Kubernetes 服务群集升级到更高 Kubernetes 版本,以抵御当前 Kubernetes 版本中的已知漏洞。Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Kubernetes 版本 1.11.9+、1.12.7+、1.13.5+ 和 1.14.0+ 中已修补漏洞 CVE-2019-9946Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Audit、DisabledAudit, Disabled 1.0.21.0.2
应在 API 应用中使用最新的 TLS 版本Latest TLS version should be used in your API App 升级到最新的 TLS 版本Upgrade to the latest TLS version AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在函数应用中使用最新的 TLS 版本Latest TLS version should be used in your Function App 升级到最新的 TLS 版本Upgrade to the latest TLS version AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在 Web 应用中使用最新的 TLS 版本Latest TLS version should be used in your Web App 升级到最新的 TLS 版本Upgrade to the latest TLS version AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在计算机上解决 Log Analytics 代理运行状况问题Log Analytics agent health issues should be resolved on your machines 安全中心使用 Log Analytics 代理,它之前被称为 Microsoft Monitoring Agent (MMA)。Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 为了确保成功监视虚拟机,需要确保此代理安装在虚拟机上,并能正确地将安全事件收集到配置的工作区中。To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
Log Analytics 代理应安装在 Linux Azure Arc 计算机中Log Analytics agent should be installed on your Linux Azure Arc machines 如果 Log Analytics 代理未安装,此策略审核 Linux Azure Arc 计算机。This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.0-preview1.0.0-preview
Log Analytics 代理应安装在虚拟机上,用于 Azure 安全中心监视Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 此策略审核是否有任何 Windows/Linux 虚拟机 (VM) 没有安装安全中心用于监视安全漏洞和威胁的 Log Analytics 代理This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
Log Analytics 代理应安装在虚拟机规模集上,用于 Azure 安全中心监视Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 安全中心从 Azure 虚拟机 (VM) 收集数据,以监视安全漏洞和威胁。Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
Log Analytics 代理应安装在 Azure Arc 计算机中Log Analytics agent should be installed on your Azure Arc machines 如果 Log Analytics 代理未安装,此策略审核 Azure Arc 计算机。This policy audits Azure Arc machines if the Log Analytics agent is not installed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.0-preview1.0.0-preview
应在 API 应用中使用的托管标识Managed identity should be used in your API App 使用托管标识以实现增强的身份验证安全性Use a managed identity for enhanced authentication security AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在函数应用中使用的托管标识Managed identity should be used in your Function App 使用托管标识以实现增强的身份验证安全性Use a managed identity for enhanced authentication security AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在 Web 应用中使用的托管标识Managed identity should be used in your Web App 使用托管标识以实现增强的身份验证安全性Use a managed identity for enhanced authentication security AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应通过即时网络访问控制来保护虚拟机的管理端口Management ports of virtual machines should be protected with just-in-time network access control 建议通过 Azure 安全中心监视可能的网络适时 (JIT) 访问Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应关闭虚拟机上的管理端口Management ports should be closed on your virtual machines 打开远程管理端口会使 VM 暴露在较高级别的 Internet 攻击风险之下。Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 此类攻击试图暴力破解凭据,来获取对计算机的管理员访问权限。These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应对订阅中拥有写入权限的帐户启用 MFAMFA should be enabled accounts with write permissions on your subscription 为了防止帐户或资源出现违规问题,应为所有拥有写入特权的订阅帐户启用多重身份验证 (MFA)。Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应在对订阅拥有所有者权限的帐户上启用 MFAMFA should be enabled on accounts with owner permissions on your subscription 为了防止帐户或资源出现违规问题,应为所有拥有所有者权限的订阅帐户启用多重身份验证 (MFA)。Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应在对订阅拥有读取权限的帐户上启用 MFAMFA should be enabled on accounts with read permissions on your subscription 为了防止帐户或资源出现违规问题,应为所有拥有读取特权的订阅帐户启用多重身份验证 (MFA)。Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
监视 Azure 安全中心 Endpoint Protection 的缺失情况Monitor missing Endpoint Protection in Azure Security Center 建议通过 Azure 安全中心监视未安装 Endpoint Protection 代理的服务器Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应在 Linux 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Linux virtual machines 安全中心使用 Microsoft Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,如网络映射上的流量可视化、网络强化建议和特定网络威胁。Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.1-preview1.0.1-preview
应在 Windows 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Windows virtual machines 安全中心使用 Microsoft Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,如网络映射上的流量可视化、网络强化建议和特定网络威胁。Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.1-preview1.0.1-preview
应使用网络安全组来保护非面向 Internet 的虚拟机Non-internet-facing virtual machines should be protected with network security groups 使用网络安全组 (NSG) 限制对 VM 的访问,以此防范非面向 Internet 的 VM 遭受潜在威胁。Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). 如需详细了解如何使用 NSG 控制流量,请访问 https://aka.ms/nsg-docLearn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
只能与 Azure Cache for Redis 建立安全连接Only secure connections to your Azure Cache for Redis should be enabled 审核是否仅启用通过 SSL 来与 Azure Redis 缓存建立连接。Audit enabling of only connections via SSL to Azure Cache for Redis. 使用安全连接可确保服务器和服务之间的身份验证并保护传输中的数据免受中间人攻击、窃听攻击和会话劫持等网络层攻击Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit、Deny、DisabledAudit, Deny, Disabled 1.0.01.0.0
操作系统版本应为云服务角色支持的最新版本Operating system version should be the most current version for your cloud service roles 通过将操作系统 (OS) 保持为云服务角色支持的最新版本,可增强系统安全态势。Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应为 MariaDB 服务器启用专用终结点Private endpoint should be enabled for MariaDB servers 专用终结点连接通过启用到 Azure Database for MariaDB 的专用连接来加强安全通信。Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. 配置专用终结点连接,以启用对仅来自已知网络的流量的访问,并防止访问所有其他 IP 地址,包括 Azure 内的地址。Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.21.0.2
应为 MySQL 服务器启用专用终结点Private endpoint should be enabled for MySQL servers 专用终结点连接通过启用到 Azure Database for MySQL 的专用连接来加强安全通信。Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. 配置专用终结点连接,以启用对仅来自已知网络的流量的访问,并防止访问所有其他 IP 地址,包括 Azure 内的地址。Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.21.0.2
应为 PostgreSQL 服务器启用专用终结点Private endpoint should be enabled for PostgreSQL servers 专用终结点连接通过启用到 Azure Database for PostgreSQL 的专用连接来加强安全通信。Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. 配置专用终结点连接,以启用对仅来自已知网络的流量的访问,并防止访问所有其他 IP 地址,包括 Azure 内的地址。Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.21.0.2
应为 MariaDB 服务器禁用公用网络访问Public network access should be disabled for MariaDB servers 禁用公用网络访问属性以提高安全性,并确保只能从专用终结点访问 Azure Database for MariaDB。Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. 此配置严格禁止访问 Azure IP 范围之外的任何公共地址空间,并拒绝与 IP 或基于虚拟网络的防火墙规则匹配的所有登录。This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit、DisabledAudit, Disabled 1.0.21.0.2
应为 MySQL 服务器禁用公用网络访问Public network access should be disabled for MySQL servers 禁用公用网络访问属性以提高安全性,并确保只能从专用终结点访问 Azure Database for MySQL。Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. 此配置严格禁止访问 Azure IP 范围之外的任何公共地址空间,并拒绝与 IP 或基于虚拟网络的防火墙规则匹配的所有登录。This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit、DisabledAudit, Disabled 1.0.21.0.2
应为 PostgreSQL 服务器禁用公用网络访问Public network access should be disabled for PostgreSQL servers 禁用公用网络访问属性以提高安全性,并确保只能从专用终结点访问 Azure Database for PostgreSQL。Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. 此配置禁止访问 Azure IP 范围之外的任何公共地址空间,并拒绝与 IP 或基于虚拟网络的防火墙规则匹配的所有登录。This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit、DisabledAudit, Disabled 1.0.21.0.2
应为 API 应用禁用远程调试Remote debugging should be turned off for API Apps 远程调试需要在 API 应用上打开入站端口。Remote debugging requires inbound ports to be opened on API apps. 应禁用远程调试。Remote debugging should be turned off. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应对函数应用禁用远程调试Remote debugging should be turned off for Function Apps 远程调试需要在函数应用上打开入站端口。Remote debugging requires inbound ports to be opened on function apps. 应禁用远程调试。Remote debugging should be turned off. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应禁用 Web 应用程序的远程调试Remote debugging should be turned off for Web Applications 远程调试需要在 Web 应用程序上打开入站端口。Remote debugging requires inbound ports to be opened on a web application. 应禁用远程调试。Remote debugging should be turned off. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应启用 Azure Data Lake Store 中的资源日志Resource logs in Azure Data Lake Store should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 这样便可以在发生安全事件或网络受到威胁时重新创建活动线索以用于调查目的This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用 Azure 流分析中的资源日志Resource logs in Azure Stream Analytics should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 这样便可以在发生安全事件或网络受到威胁时重新创建活动线索以用于调查目的This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用 Batch 帐户中的资源日志Resource logs in Batch accounts should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 这样便可以在发生安全事件或网络受到威胁时重新创建活动线索以用于调查目的This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用 Data Lake Analytics 中的资源日志Resource logs in Data Lake Analytics should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 这样便可以在发生安全事件或网络受到威胁时重新创建活动线索以用于调查目的This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用事件中心内的资源日志Resource logs in Event Hub should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 这样便可以在发生安全事件或网络受到威胁时重新创建活动线索以用于调查目的This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用 Key Vault 中的资源日志Resource logs in Key Vault should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 使用此策略可在发生安全事件或网络受到安全威胁时重新创建用于调查的活动线索This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用逻辑应用中的资源日志Resource logs in Logic Apps should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 这样便可以在发生安全事件或网络受到威胁时重新创建活动线索以用于调查目的This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用搜索服务中的资源日志Resource logs in Search services should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 这样便可以在发生安全事件或网络受到威胁时重新创建活动线索以用于调查目的This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用服务总线中的资源日志Resource logs in Service Bus should be enabled 对启用资源日志进行审核。Audit enabling of resource logs. 这样便可以在发生安全事件或网络受到威胁时重新创建活动线索以用于调查目的This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.14.0.1
应启用虚拟机规模集中的资源日志Resource logs in Virtual Machine Scale Sets should be enabled 建议启用日志,以便在出现某个事件或遭到入侵后需要进行调查时可以重新创建活动线索。It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.12.0.1
应在 Kubernetes 服务中使用基于角色的访问控制 (RBAC)Role-Based Access Control (RBAC) should be used on Kubernetes Services 若要对用户可以执行的操作提供粒度筛选,请使用基于角色的访问控制 (RBAC) 来管理 Kubernetes 服务群集中的权限并配置相关授权策略。To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit、DisabledAudit, Disabled 1.0.21.0.2
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Audit, Deny, Disabled | 2.0.0 |
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. | Audit, Deny, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | AuditIfNotExists, Disabled | 1.0.2 |
| SQL servers should be configured with 90 days auditing retention or higher | SQL servers should be configured with 90 days auditing retention or higher. | AuditIfNotExists, Disabled | 2.0.1 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | AuditIfNotExists, Disabled | 2.0.1 |
| Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, deny, disabled | 2.0.1-preview |
| Storage account should use a private link connection | Private links enforce secure communication by providing private connectivity to the storage account. | AuditIfNotExists, Disabled | 1.0.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.2 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 3.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data at rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display them as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.0.0 |
| Vulnerabilities on your SQL servers on machine should be remediated | SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0 |
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |

Azure Security Center category

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet-facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 3.0.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure DDoS Protection Standard should be enabled | DDoS Protection Standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.0 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Deploy export to Event Hub for Azure Security Center data | Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 3.0.0 |
| Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 2.0.0 |
| Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 2.0.0 |
| Deploy Workflow Automation for Azure Security Center regulatory compliance | Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 2.0.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Disk encryption should be applied on virtual machines | Virtual machines without disk encryption enabled will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard) will be considered compliant. To register newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | deployIfNotExists | 1.0.0 |
| Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | DeployIfNotExists, Disabled | 1.0.0 |
| Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using the ASC default workspace. | DeployIfNotExists, Disabled | 1.0.0 |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Audit, Disabled | 1.0.2 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.2 |
| Security Center standard pricing tier should be selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. | Audit, Disabled | 1.0.0 |
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 3.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display them as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |
应修复 SQL 数据库中的漏洞Vulnerabilities on your SQL databases should be remediated 监视漏洞评估扫描结果并提供如何补救数据库漏洞的相关建议。Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 4.0.04.0.0
应修正计算机上 SQL 服务器的漏洞Vulnerabilities on your SQL servers on machine should be remediated SQL 漏洞评估会扫描数据库中的安全漏洞,并显示与最佳实践之间的任何偏差,如配置错误、权限过多和敏感数据未受保护。SQL Vulnerability Assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. 解决发现的漏洞可以极大地改善数据库安全态势。Resolving the vulnerabilities found can greatly improve your database security posture. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0

Next steps

In this article, you learned about Azure Policy security policy definitions in Security Center. To learn more about initiatives, policies, and how they relate to Security Center's recommendations, see What are security policies, initiatives, and recommendations?