Azure Policy built-in definitions for Azure Security Center

This page is an index of Azure Policy built-in policy definitions related to Azure Security Center. The following groupings of policy definitions are available:

  • The initiatives group lists the Azure Policy initiative definitions in the 'Security Center' category.
  • The default initiative group lists all the Azure Policy definitions that are part of the Azure Security Center default initiative.
  • The category group lists all the Azure Policy definitions in the 'Security Center' category.

For more information about security policies, see Working with security policies. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Security Center initiatives

To learn about the built-in initiatives that are monitored by Security Center, see the following table:

| Name | Description | Policies | Version |
|---|---|---|---|
| [Preview]: Enable Data Protection Suite | Enable data protection for SQL servers. This initiative is assigned automatically by Azure Security Center Standard Tier. | 1 | 1.0.0-preview |
| Enable Monitoring in Azure Security Center | Monitor all the available security recommendations in Azure Security Center. This is the default policy for Azure Security Center. | 118 | 13.0.1 |

Azure Security Center default initiative

To learn about the built-in policies that are monitored by Security Center, see the following table:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Pod Security Policies should be defined on Kubernetes Services | Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access. | Audit, Disabled | 1.0.0-preview |
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 2.0.0 |
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 2.0.0 |
| Access through Internet facing endpoint should be restricted | Azure Security Center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. | AuditIfNotExists, Disabled | 2.0.0 |
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 2.0.0 |
| Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 2.0.0 |
| Advanced data security should be enabled on Azure SQL Database servers | Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.1 |
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Advanced data security should be enabled on SQL servers on machines | Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.1 |
| Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.0 |
| Advanced threat protection should be enabled on Azure App Service plans | Advanced threat protection leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.2 |
| Advanced threat protection should be enabled on Azure Container Registry registries | Advanced threat protection provides scanning of container registries for security vulnerabilities on each pushed container image and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.2 |
| Advanced threat protection should be enabled on Azure Key Vault vaults | Advanced threat protection provides an additional layer of protection of security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.2 |
| Advanced threat protection should be enabled on Azure Kubernetes Service clusters | Advanced threat protection provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.2 |
| Advanced threat protection should be enabled on Azure Storage accounts | Advanced threat protection provides detections of unusual and potentially harmful attempts to access or exploit Storage accounts. | AuditIfNotExists, Disabled | 1.0.2 |
| Advanced threat protection should be enabled on Virtual Machines | Advanced threat protection provides real-time threat protection for virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.2 |
| All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 2.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Audit Windows machines on which Windows Defender Exploit Guard is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match the expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. | AuditIfNotExists, Disabled | 1.1.0-preview |
| Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 2.0.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
| Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.1-preview |
| Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | audit, deny, disabled | 2.0.0-preview |
| CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 2.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 2.0.0 |
| Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 |
| Diagnostic logs in Azure Data Lake Store should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in Azure Stream Analytics should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in Batch accounts should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in Data Lake Analytics should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in Event Hub should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in IoT Hub should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 |
| Diagnostic logs in Key Vault should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in Logic Apps should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in Search services should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in Service Bus should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.0.0 |
| Diagnostic logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.0 |
| Disk encryption should be applied on virtual machines | Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged container creation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 4.0.0-preview |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0 |
| Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 4.0.0-preview |
| Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 4.0.0-preview |
| Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 4.0.0-preview |
| Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 4.0.0-preview |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0 |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 2.0.0 |
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 2.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 2.0.0 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | audit, deny, disabled | 1.0.0-preview |
| Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 1.0.0-preview |
| Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 1.0.0-preview |
| Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | audit, deny, disabled | 1.0.0-preview |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 1.0.0-preview |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 1.0.0-preview |
| Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 1.0.0-preview |
| Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | audit, deny, disabled | 1.0.0-preview |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. | Audit, Disabled | 1.0.2 |
| Latest TLS version should be used in your API App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Function App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Web App | Upgrade to the latest TLS version. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Log Analytics agent should be installed on your Azure Arc machines | This policy audits Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 1.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled on accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 2.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
应在 Linux 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Linux virtual machines 安全中心使用 Microsoft Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,如网络映射上的流量可视化、网络强化建议和特定网络威胁。Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.1-preview1.0.1-preview
应在 Windows 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Windows virtual machines 安全中心使用 Microsoft Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,如网络映射上的流量可视化、网络强化建议和特定网络威胁。Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.1-preview1.0.1-preview
应使用网络安全组来保护非面向 Internet 的虚拟机Non-internet-facing virtual machines should be protected with network security groups 使用网络安全组 (NSG) 限制对 VM 的访问,以此防范非面向 Internet 的 VM 遭受潜在威胁。Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). 如需详细了解如何使用 NSG 控制流量,请访问 https://aka.ms/nsg-docLearn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
只能与 Azure Cache for Redis 建立安全连接Only secure connections to your Azure Cache for Redis should be enabled 审核是否仅启用通过 SSL 来与 Azure Redis 缓存建立连接。Audit enabling of only connections via SSL to Azure Cache for Redis. 使用安全连接可确保服务器和服务之间的身份验证并保护传输中的数据免受中间人攻击、窃听攻击和会话劫持等网络层攻击Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit、Deny、DisabledAudit, Deny, Disabled 1.0.01.0.0
应为 API 应用禁用远程调试Remote debugging should be turned off for API Apps 远程调试需要在 API 应用上打开入站端口。Remote debugging requires inbound ports to be opened on API apps. 应禁用远程调试。Remote debugging should be turned off. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应对函数应用禁用远程调试Remote debugging should be turned off for Function Apps 远程调试需要在函数应用上打开入站端口。Remote debugging requires inbound ports to be opened on function apps. 应禁用远程调试。Remote debugging should be turned off. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应禁用 Web 应用程序的远程调试Remote debugging should be turned off for Web Applications 远程调试需要在 Web 应用程序上打开入站端口。Remote debugging requires inbound ports to be opened on a web application. 应禁用远程调试。Remote debugging should be turned off. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在 Kubernetes 服务中使用基于角色的访问控制 (RBAC)Role-Based Access Control (RBAC) should be used on Kubernetes Services 若要对用户可以执行的操作提供粒度筛选,请使用基于角色的访问控制 (RBAC) 来管理 Kubernetes 服务群集中的权限并配置相关授权策略。To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit、DisabledAudit, Disabled 1.0.21.0.2
应启用安全传输到存储帐户Secure transfer to storage accounts should be enabled 审核存储帐户中安全传输的要求。Audit requirement of Secure transfer in your storage account. 安全传输选项会强制存储帐户仅接受来自安全连接 (HTTPS) 的请求。Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 使用 HTTPS 可确保服务器和服务之间的身份验证并保护传输中的数据免受中间人攻击、窃听和会话劫持等网络层攻击Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit、Deny、DisabledAudit, Deny, Disabled 2.0.02.0.0
应对 SQL 数据库中的敏感数据进行分类Sensitive data in your SQL databases should be classified Azure 安全中心监视 SQL 数据库的数据发现和分类扫描结果,并建议将数据库中的敏感数据分类以改善监视效果并提升安全性Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.0-preview1.0.0-preview
Service Fabric 群集应将 ClusterProtectionLevel 属性设置为 EncryptAndSignService Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric 使用主要群集证书为节点之间的通信提供三个保护级别(None、Sign 和 EncryptAndSign)。Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. 设置保护级别以确保所有节点到节点消息均已进行加密和数字签名Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit、Deny、DisabledAudit, Deny, Disabled 1.1.01.1.0
Service Fabric 群集应仅使用 Azure Active Directory 进行客户端身份验证Service Fabric clusters should only use Azure Active Directory for client authentication 审核 Service Fabric 中仅通过 Azure Active Directory 进行客户端身份验证Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit、Deny、DisabledAudit, Deny, Disabled 1.1.01.1.0
应使用自己的密钥加密 SQL 托管实例的 TDE 保护程序SQL Managed Instance TDE protector should be encrypted with your own key 使用你自己的密钥支持的透明数据加密(TDE)增加了透明度和对 TDE 保护器的控制,增强了由 HSM 提供支持的外部服务的安全性,并促进了职责划分。Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.11.0.1
应使用自己的密钥加密 SQL 服务器的 TDE 保护器SQL server TDE protector should be encrypted with your own key 使用你自己的密钥支持的透明数据加密(TDE)增加了透明度和对 TDE 保护器的控制,增强了由 HSM 提供支持的外部服务的安全性,并促进了职责划分。Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应将 SQL 服务器的审核保留期配置为大于 90 天SQL servers should be configured with auditing retention days greater than 90 days. 审核配置的审核保持期少于 90 天的 SQL 服务器。Audit SQL servers configured with an auditing retention period of less than 90 days. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应禁止存储帐户公共访问Storage account public access should be disallowed 对 Azure 存储中的容器和 blob 进行匿名公共读取访问虽然是共享数据的一种简便方法,但可能会带来安全风险。Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. 为了防止不希望的匿名访问导致数据泄露,Microsoft 建议禁止对存储帐户的公共访问,除非你的方案需要。To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. 审核、拒绝、已禁用audit, deny, disabled 1.0.1-preview1.0.1-preview
存储帐户应迁移到新的 Azure 资源管理器资源Storage accounts should be migrated to new Azure Resource Manager resources 使用新的 Azure 资源管理器为存储帐户提供安全增强功能,例如:更强大的访问控制 (RBAC)、更好的审核、基于 Azure 资源管理器的部署和监管、对托管标识的访问权限、访问密钥保管库以获取机密、基于 Azure AD 的身份验证以及对标记和资源组的支持,以简化安全管理Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit、Deny、DisabledAudit, Deny, Disabled 1.0.01.0.0
应限制对存储帐户的网络访问Storage accounts should restrict network access 应限制对存储帐户的网络访问。Network access to storage accounts should be restricted. 配置网络规则,以便只允许来自允许的网络的应用程序访问存储帐户。Configure network rules so only applications from allowed networks can access the storage account. 若要允许来自特定 Internet 或本地客户端的连接,可以向来自特定 Azure 虚拟网络或到公共 Internet IP 地址范围的流量授予访问权限To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit、Deny、DisabledAudit, Deny, Disabled 1.1.01.1.0
子网应与网络安全组关联Subnets should be associated with a Network Security Group 使用网络安全组 (NSG) 限制对 VM 的访问,以此防范子网遭受潜在威胁。Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSG 包含一系列访问控制列表 (ACL) 规则,这些规则可以允许或拒绝流向子网的网络流量。NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 3.0.03.0.0
应在虚拟机规模集上安装系统更新System updates on virtual machine scale sets should be installed 审核是否缺少系统安全更新和关键更新,为了确保 Windows 和 Linux 虚拟机规模集的安全,应安装这些更新。Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在计算机上安装系统更新System updates should be installed on your machines 建议通过 Azure 安全中心监视服务器上缺失的安全系统更新Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应为订阅分配了多个所有者There should be more than one owner assigned to your subscription 建议指定多个订阅所有者,这样才会有管理员访问冗余。It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在 SQL 数据库上启用透明数据加密Transparent Data Encryption on SQL databases should be enabled 应启用透明数据加密以保护静态数据并满足符合性要求Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应将虚拟机迁移到新的 Azure 资源管理器资源Virtual machines should be migrated to new Azure Resource Manager resources 对虚拟机使用新的 Azure 资源管理器以提供安全增强功能,例如:更强的访问控制 (RBAC)、更佳审核功能、基于 Azure 资源管理器的部署和治理、对托管标识的访问、访问密钥保管库以获取机密、基于 Azure AD 的身份验证以及支持使用标记和资源组简化安全管理Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit、Deny、DisabledAudit, Deny, Disabled 1.0.01.0.0
应修正 Azure 容器注册表映像中的漏洞Vulnerabilities in Azure Container Registry images should be remediated 容器映像漏洞评估功能会扫描注册表中每个推送的容器映像上的安全漏洞,并显示每个映像的详细发现结果(由 Qualys 支持)。Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). 修复这些漏洞可以极大改善容器的安全状况,并保护其不受攻击影响。Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应修正容器安全配置中的漏洞Vulnerabilities in container security configurations should be remediated 在安装了 Docker 的计算机上审核安全配置中的漏洞,并在 Azure 安全中心显示为建议。Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复计算机上安全配置中的漏洞Vulnerabilities in security configuration on your machines should be remediated 建议通过 Azure 安全中心监视不满足配置的基线的服务器Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复虚拟机规模集上安全配置中的漏洞Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 审核虚拟机规模集上的 OS 漏洞,以保护其免受攻击。Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复 SQL 数据库中的漏洞Vulnerabilities on your SQL databases should be remediated 监视漏洞评估扫描结果并提供如何补救数据库漏洞的相关建议。Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应通过漏洞评估解决方案修复漏洞Vulnerabilities should be remediated by a Vulnerability Assessment solution 建议在 Azure 安全中心监视漏洞评估解决方案检测到的漏洞和没有漏洞评估解决方案的 VM。Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在 SQL 托管实例上启用漏洞评估Vulnerability assessment should be enabled on SQL Managed Instance 审核未启用定期漏洞评估扫描的每个 SQL 托管实例。Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. 漏洞评估可发现、跟踪和帮助你修正潜在数据库漏洞。Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.11.0.1
应对 SQL 服务器启用漏洞评估Vulnerability assessment should be enabled on your SQL servers 审核未启用定期漏洞评估扫描的 Azure SQL 服务器。Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. 漏洞评估可发现、跟踪和帮助你修正潜在数据库漏洞。Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
只能通过 HTTPS 访问 Web 应用程序Web Application should only be accessible over HTTPS 使用 HTTPS 可确保执行服务器/服务身份验证服务,并保护传输中的数据不受网络层窃听攻击威胁。Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit、DisabledAudit, Disabled 1.0.01.0.0

Azure Security Center category

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Pod Security Policies should be defined on Kubernetes Services | Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access. | Audit, Disabled | 1.0.0-preview |
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 2.0.0 |
| A security contact email address should be provided for your subscription | Enter an email address to receive notifications when Azure Security Center detects compromised resources. | AuditIfNotExists, Disabled | 1.0.0 |
| A security contact phone number should be provided for your subscription | Enter a phone number to receive notifications when Azure Security Center detects compromised resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Access through Internet facing endpoint should be restricted | Azure Security Center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. | AuditIfNotExists, Disabled | 2.0.0 |
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 2.0.0 |
| Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet-facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 2.0.0 |
| Advanced data security should be enabled on Azure SQL Database servers | Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.1 |
| Advanced threat protection should be enabled on Virtual Machines | Advanced threat protection provides real-time threat protection for virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.2 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription | Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure DDoS Protection Standard should be enabled | DDoS Protection Standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 2.0.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 2.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 2.0.0 |
| Disk encryption should be applied on virtual machines | Virtual machines without disk encryption enabled will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Email notification for high severity alerts should be enabled | Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risks. | AuditIfNotExists, Disabled | 1.0.0 |
| Email notification to subscription owner for high severity alerts should be enabled | Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion. | AuditIfNotExists, Disabled | 1.0.0 |
| Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard) will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | deployIfNotExists | 1.0.0 |
| Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | DeployIfNotExists, Disabled | 1.0.0 |
| Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using the ASC default workspace. | DeployIfNotExists, Disabled | 1.0.0 |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0 |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 2.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 2.0.0 |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. | Audit, Disabled | 1.0.2 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute-force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 2.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.2 |
| Security Center standard pricing tier should be selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center. | Audit, Disabled | 1.0.0 |
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 2.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
应为订阅分配了多个所有者There should be more than one owner assigned to your subscription 建议指定多个订阅所有者,这样才会有管理员访问冗余。It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修正 Azure 容器注册表映像中的漏洞Vulnerabilities in Azure Container Registry images should be remediated 容器映像漏洞评估功能会扫描注册表中每个推送的容器映像上的安全漏洞,并显示每个映像的详细发现结果(由 Qualys 支持)。Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). 修复这些漏洞可以极大改善容器的安全状况,并保护其不受攻击影响。Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应修正容器安全配置中的漏洞Vulnerabilities in container security configurations should be remediated 在安装了 Docker 的计算机上审核安全配置中的漏洞,并在 Azure 安全中心显示为建议。Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复计算机上安全配置中的漏洞Vulnerabilities in security configuration on your machines should be remediated 建议通过 Azure 安全中心监视不满足配置的基线的服务器Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复虚拟机规模集上安全配置中的漏洞Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 审核虚拟机规模集上的 OS 漏洞,以保护其免受攻击。Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复 SQL 数据库中的漏洞Vulnerabilities on your SQL databases should be remediated 监视漏洞评估扫描结果并提供如何补救数据库漏洞的相关建议。Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应通过漏洞评估解决方案修复漏洞Vulnerabilities should be remediated by a Vulnerability Assessment solution 建议在 Azure 安全中心监视漏洞评估解决方案检测到的漏洞和没有漏洞评估解决方案的 VM。Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0

Next steps

In this article, you learned about Azure Policy security policy definitions in Security Center. To learn more, see the following articles.