Security recommendations - a reference guide

This article lists the recommendations you might see in Azure Security Center. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.

Security Center's recommendations are based on best practices. Some are aligned with the Azure Security Benchmark, the Microsoft-authored, Azure-specific guidelines for security and compliance best practices based on common compliance frameworks. Learn more about Azure Security Benchmark.

To learn how to respond to these recommendations, see Remediate recommendations in Azure Security Center.

Your Secure Score is based on the number of Security Center recommendations you've completed. To decide which recommendations to resolve first, look at the severity of each one and its potential impact on your Secure Score.

Tip

If a recommendation's description says "No related policy", it's usually because that recommendation depends on a different recommendation and its policy. For example, the recommendation "Endpoint protection health failures should be remediated..." relies on the recommendation that checks whether an endpoint protection solution is installed at all ("Endpoint protection solution should be installed..."). The underlying recommendation does have a policy. Limiting the policies to only the foundational recommendation simplifies policy management.

Compute recommendations

There are 98 recommendations in this category.
Each entry below gives the recommendation, its description, the related policy, and the severity.

Recommendation: Adaptive application controls for defining safe applications should be enabled on your machines
Description: Enable application controls to define the list of known-safe applications running on your machines, and to alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
Related policy: Adaptive application controls for defining safe applications should be enabled on your machines
Severity: High

Recommendation: Allowlist rules in your adaptive application control policy should be updated
Description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.
Related policy: Allowlist rules in your adaptive application control policy should be updated
Severity: High

Recommendation: API App should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network-layer eavesdropping attacks.
Related policy: API App should only be accessible over HTTPS
Severity: Medium

Recommendation: Authorized IP ranges should be defined on Kubernetes Services
Description: Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. Limiting access to authorized IP ranges ensures that only applications from allowed networks can access the cluster.
Related policy: Authorized IP ranges should be defined on Kubernetes Services
Severity: High

Recommendation: Automation account variables should be encrypted
Description: It is important to enable encryption of Automation account variable assets when storing sensitive data.
Related policy: Automation account variables should be encrypted
Severity: High

Recommendation: Azure Backup should be enabled for virtual machines
Description: Protect the data on your Azure virtual machines with Azure Backup. Azure Backup is an Azure-native, cost-effective data protection solution. It creates recovery points that are stored in geo-redundant recovery vaults. When you restore from a recovery point, you can restore the whole VM or specific files.
Related policy: Azure Backup should be enabled for Virtual Machines
Severity: Low

Recommendation: Azure Defender for container registries should be enabled
Description: To build secure containerized workloads, ensure the images they're based on are free of known vulnerabilities. Azure Defender for container registries scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. To improve your containers' security posture and protect them from attacks, enable Azure Defender for container registries.
Important: Remediating this recommendation will result in charges for protecting your container registries. If you don't have any container registries in this subscription, no charges will be incurred. If you create any container registries in this subscription in the future, they will automatically be protected and charges will begin at that time. Learn more about Azure Defender for container registries.
Related policy: Azure Defender for container registries should be enabled
Severity: High

Recommendation: Azure Defender for Kubernetes should be enabled
Description: Azure Defender for Kubernetes provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
Important: Remediating this recommendation will result in charges for protecting your Kubernetes clusters. If you don't have any Kubernetes clusters in this subscription, no charges will be incurred. If you create any Kubernetes clusters in this subscription in the future, they will automatically be protected and charges will begin at that time. Learn more about Azure Defender for Kubernetes.
Related policy: Azure Defender for Kubernetes should be enabled
Severity: High

Recommendation: Azure Defender for servers should be enabled
Description: Azure Defender for servers provides real-time threat protection for your server workloads and generates hardening recommendations as well as alerts about suspicious activities. You can use this information to quickly remediate security issues and improve the security of your servers.
Important: Remediating this recommendation will result in charges for protecting your servers. If you don't have any servers in this subscription, no charges will be incurred. If you create any servers in this subscription in the future, they will automatically be protected and charges will begin at that time. Learn more about Azure Defender for servers.
Related policy: Azure Defender for servers should be enabled
Severity: High
Recommendation: Container CPU and memory limits should be enforced
Description: Enforcing CPU and memory limits prevents resource exhaustion attacks (a form of denial-of-service attack). We recommend setting limits for containers to ensure the runtime prevents the container from using more than the configured resource limit.
Related policy: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster
Severity: Medium

Recommendation: Container images should be deployed from trusted registries only
Description: Images running on your Kubernetes cluster should come from known and monitored container image registries. Trusted registries reduce your cluster's exposure risk by limiting the potential for the introduction of unknown vulnerabilities, security issues and malicious images.
Related policy: Ensure only allowed container images in Kubernetes cluster
Severity: High

Recommendation: Container with privilege escalation should be avoided
Description: Containers shouldn't run with privilege escalation to root in your Kubernetes cluster. The AllowPrivilegeEscalation attribute controls whether a process can gain more privileges than its parent process.
Related policy: Kubernetes clusters should not allow container privilege escalation
Severity: Medium

Recommendation: Containers sharing sensitive host namespaces should be avoided
Description: To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.
Related policy: Kubernetes cluster containers should not share host process ID or host IPC namespace
Severity: Medium

Recommendation: Containers should listen on allowed ports only
Description: To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting containers' access to the configured ports.
Related policy: Ensure containers listen only on allowed ports in Kubernetes cluster
Severity: Medium

Recommendation: CORS should not allow every resource to access your API App
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.
Related policy: CORS should not allow every resource to access your API App
Severity: Low

Recommendation: CORS should not allow every resource to access your Function App
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.
Related policy: CORS should not allow every resource to access your Function Apps
Severity: Low

Recommendation: CORS should not allow every resource to access your Web Applications
Description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.
Related policy: CORS should not allow every resource to access your Web Applications
Severity: Low

Recommendation: Diagnostic logs in Azure Stream Analytics should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Azure Stream Analytics should be enabled
Severity: Low

Recommendation: Diagnostic logs in Batch accounts should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Batch accounts should be enabled
Severity: Low

Recommendation: Diagnostic logs in Event Hub should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Event Hub should be enabled
Severity: Low

Recommendation: Diagnostic logs in Logic Apps should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Logic Apps should be enabled
Severity: Low

Recommendation: Diagnostic logs in Search services should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Search services should be enabled
Severity: Low

Recommendation: Diagnostic logs in Service Bus should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Service Bus should be enabled
Severity: Low

Recommendation: Diagnostic logs in Virtual Machine Scale Sets should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled
Severity: Low

Recommendation: Diagnostic logs should be enabled in App Service
Description: Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.
Related policy: Diagnostic logs in App Services should be enabled
Severity: Medium

Recommendation: Disk encryption should be applied on virtual machines
Description: Encrypt your virtual machine disks using Azure Disk Encryption, for both Windows and Linux virtual machines. Azure Disk Encryption (ADE) leverages the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption, helping to protect and safeguard your data and to meet your organizational security and compliance commitments, with the keys held in your own Azure Key Vault. When your compliance and security requirements require you to encrypt data end to end using your own encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use Azure Disk Encryption. Alternatively, Managed Disks are encrypted at rest by default using Azure Storage Service Encryption, where the encryption keys are Microsoft-managed keys in Azure. If this meets your compliance and security requirements, you can rely on the default Managed Disk encryption.
Related policy: Disk encryption should be applied on virtual machines
Severity: High

Recommendation: Enable the built-in vulnerability assessment solution on virtual machines
Description: Install the Qualys extension (built into the Azure Security Center standard tier) to enable the industry-leading vulnerability assessment solution on your virtual machines.
Related policy: A vulnerability assessment solution should be enabled on your virtual machines
Severity: Medium
Recommendation: Endpoint protection health failures should be remediated on virtual machine scale sets
Description: Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities.
Related policy: Endpoint protection solution should be installed on virtual machine scale sets
Severity: Low

Recommendation: Endpoint protection health issues should be resolved on your machines
Description: For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.
Related policy: Monitor missing Endpoint Protection in Azure Security Center
Severity: Medium

Recommendation: Endpoint protection health issues should be resolved on your machines
Description: Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities. The endpoint protection solutions supported by Azure Security Center are documented at https://docs.azure.cn/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions and the endpoint protection assessment is documented at https://docs.azure.cn/security-center/security-center-endpoint-protection
Related policy: Monitor missing Endpoint Protection in Azure Security Center
Severity: Medium

Recommendation: Endpoint protection should be installed on your machines
Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. Learn more about how Endpoint Protection for machines is evaluated.
Related policy: Monitor missing Endpoint Protection in Azure Security Center
Severity: High

Recommendation: Endpoint protection solution should be installed on virtual machine scale sets
Description: Install an endpoint protection solution on your virtual machine scale sets to protect them from threats and vulnerabilities.
Related policy: Endpoint protection solution should be installed on virtual machine scale sets
Severity: High

Recommendation: FTPS should be required in your API App
Description: Enable FTPS enforcement for enhanced security.
Related policy: FTPS only should be required in your API App
Severity: High

Recommendation: FTPS should be required in your function App
Description: Enable FTPS enforcement for enhanced security.
Related policy: FTPS only should be required in your Function App
Severity: High

Recommendation: FTPS should be required in your web App
Description: Enable FTPS enforcement for enhanced security.
Related policy: FTPS should be required in your Web App
Severity: High

Recommendation: Function App should only be accessible over HTTPS
Description: Use of HTTPS ensures server/service authentication and protects data in transit from network-layer eavesdropping attacks.
Related policy: Function App should only be accessible over HTTPS
Severity: Medium

Recommendation: Immutable (read-only) root filesystem should be enforced for containers
Description: Containers should run with a read-only root file system in your Kubernetes cluster. An immutable filesystem protects containers from run-time changes such as malicious binaries being added to PATH.
Related policy: Kubernetes cluster containers should run with a read only root file system
Severity: Medium

Recommendation: Install endpoint protection solution on virtual machines
Description: Install an endpoint protection solution on your virtual machines to protect them from threats and vulnerabilities.
Related policy: Monitor missing Endpoint Protection in Azure Security Center
Severity: High

Recommendation: Install endpoint protection solution on your machines
Description: Install an endpoint protection solution on your Windows and Linux machines to protect them from threats and vulnerabilities.
Related policy: (No related policy)
Severity: Medium

Recommendation: Java should be updated to the latest version for your API app
Description: Periodically, newer versions are released for Java, either to address security flaws or to include additional functionality. Using the latest Java version for API apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
Related policy: Ensure that 'Java version' is the latest, if used as a part of the API app
Severity: Medium

Recommendation: Java should be updated to the latest version for your function app
Description: Periodically, newer versions are released for Java software, either to address security flaws or to include additional functionality. Using the latest Java version for function apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
Related policy: Ensure that 'Java version' is the latest, if used as a part of the Function app
Severity: Medium

Recommendation: Java should be updated to the latest version for your web app
Description: Periodically, newer versions are released for Java software, either to address security flaws or to include additional functionality. Using the latest Java version for web apps is recommended to benefit from security fixes, if any, and/or new functionalities of the latest version.
Related policy: Ensure that 'Java version' is the latest, if used as a part of the Web app
Severity: Medium

Recommendation: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Description: Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+.
Related policy: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Severity: High

Recommendation: Least privileged Linux capabilities should be enforced for containers
Description: To reduce the attack surface of your containers, restrict Linux capabilities and grant specific privileges to containers without granting all the privileges of the root user. We recommend dropping all capabilities, then adding those that are required.
Related policy: Kubernetes cluster containers should only use allowed capabilities
Severity: Medium
应在计算机上解决 Log Analytics 代理运行状况问题Log Analytics agent health issues should be resolved on your machines 安全中心使用 Log Analytics 代理,该代理以前称为 Microsoft Monitoring Agent (MMA)。Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 为了确保成功监视虚拟机,需要确保此代理安装在虚拟机上,并能正确地将安全事件收集到配置的工作区中。To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace.
(相关策略:应在计算机上解决 Log Analytics 代理运行状况问题(Related policy: Log Analytics agent health issues should be resolved on your machines)
中型Medium
Log Analytics 代理应安装在基于 Linux 的 Azure Arc 计算机上Log Analytics agent should be installed on your Linux-based Azure Arc machines 安全中心使用 Log Analytics 代理(也称为 OMS)从 Azure Arc 计算机收集安全事件。Security Center uses the Log Analytics agent (also known as OMS) to collect security events from your Azure Arc machines. 若要在所有 Azure Arc 计算机上部署代理,请遵循修正步骤。To deploy the agent on all your Azure Arc machines, follow the remediation steps.
(相关策略:Log Analytics 代理应安装在 Linux Azure Arc 计算机中(Related policy: Log Analytics agent should be installed on your Linux Azure Arc machines)
High
Log Analytics 代理应安装在虚拟机上Log Analytics agent should be installed on your virtual machine 安全中心从 Azure 虚拟机 (VM) 收集数据,以监视安全漏洞和威胁。Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 数据是使用 Log Analytics 代理收集的,该代理以前称为 Microsoft Monitoring Agent (MMA),它从计算机中读取各种安全相关的配置和事件日志,然后将数据复制到 Log Analytics 工作区以用于分析。Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. 如果 VM 由 Azure 托管服务(如 Azure Kubernetes 服务或 Azure Service Fabric)使用,则也需要此代理。This agent is also is required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. 建议配置自动预配来自动部署代理。We recommend configuring auto-provisioning to automatically deploy the agent. 如果你选择不使用自动预配,请使用修正步骤中的说明将代理手动部署到 VM。If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.
(相关策略:
Log Analytics 代理应安装在虚拟机上,用于 Azure 安全中心监视(Related policy: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring)
High
应在虚拟机规模集上安装 Log Analytics 代理Log Analytics agent should be installed on your virtual machine scale sets 安全中心从 Azure 虚拟机 (VM) 收集数据,以监视安全漏洞和威胁。Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 数据是使用 Log Analytics 代理收集的,该代理以前称为 Microsoft Monitoring Agent (MMA),它从计算机中读取各种安全相关的配置和事件日志,然后将数据复制到工作区以用于分析。Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. 如果 VM 由 Azure 托管服务(如 Azure Kubernetes 服务或 Azure Service Fabric)使用,那么也需要执行该过程。You’ll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. 无法为 Azure 虚拟机规模集配置代理的自动预配。You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. 若要在虚拟机规模集(包括 Azure Kubernetes 服务和 Azure Service Fabric 等 Azure 托管服务使用的规模集)上部署代理,请按照修正步骤中的过程操作。To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps.
(相关策略:Log Analytics 代理应安装在虚拟机规模集上,用于 Azure 安全中心监视(Related policy: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring)
High
Log Analytics 代理应安装在基于 Windows 的 Azure Arc 计算机上Log Analytics agent should be installed on your Windows-based Azure Arc machines 安全中心使用 Log Analytics 代理(也称为 MMA)从 Azure Arc 计算机收集安全事件。Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines. 若要在所有 Azure Arc 计算机上部署代理,请遵循修正步骤。To deploy the agent on all your Azure Arc machines, follow the remediation steps.
(相关策略:Log Analytics 代理应安装在 Azure Arc 计算机中(Related policy: Log Analytics agent should be installed on your Azure Arc machines)
High
应在 API 应用中使用托管标识Managed identity should be used in your API app 若要增强身份验证安全性,请使用托管标识。For enhanced authentication security, use a managed identity.
在 Azure 上,托管标识可为 Azure AD 中的 Azure 资源提供标识并用它来获取 Azure Active Directory (Azure AD) 令牌,从而使开发人员无需管理凭据。On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
(相关策略:应在 API 应用中使用的托管标识(Related policy: Managed identity should be used in your API App)
中型Medium
Managed identity should be used in your function app
For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
(Related policy: Managed identity should be used in your Function App)
Severity: Medium

Managed identity should be used in your web app
For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
(Related policy: Managed identity should be used in your Web App)
Severity: Medium

Management ports of virtual machines should be protected with just-in-time network access control
Azure Security Center has identified some overly permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.
(Related policy: Management ports of virtual machines should be protected with just-in-time network access control)
Severity: High

Monitoring agent should be installed on your machines
This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.
(No related policy)
Severity: High

Network traffic data collection agent should be installed on Linux virtual machines
Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats.
(Related policy: Network traffic data collection agent should be installed on Linux virtual machines)
Severity: Medium

Network traffic data collection agent should be installed on Windows virtual machines
Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats.
(Related policy: Network traffic data collection agent should be installed on Windows virtual machines)
Severity: Medium

OS version should be updated for your cloud service roles
Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.
(Related policy: Operating system version should be the most current version for your cloud service roles)
Severity: High

Overriding or disabling of containers AppArmor profile should be restricted
Containers running on your Kubernetes cluster should be limited to allowed AppArmor profiles only. AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.
(Related policy: Kubernetes cluster containers should only use allowed AppArmor profiles)
Severity: High

PHP should be updated to the latest version for your API app
Periodically, newer versions of PHP are released, either to fix security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended to benefit from security fixes, if any, and/or new functionality of the latest version.
(Related policy: Ensure that 'PHP version' is the latest, if used as a part of the API app)
Severity: Medium

PHP should be updated to the latest version for your web app
Periodically, newer versions of PHP are released, either to fix security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended to benefit from security fixes, if any, and/or new functionality of the latest version.
(Related policy: Ensure that 'PHP version' is the latest, if used as a part of the WEB app)
Severity: Medium

Pod Security Policies should be defined on Kubernetes Services (Deprecated)
(Deprecated) Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permission to access.
(No related policy)
Severity: High

Privileged containers should be avoided
To prevent unrestricted host access, avoid privileged containers whenever possible. Privileged containers have all of the root capabilities of a host machine. They can be used as entry points for attacks and to spread malicious code or malware to compromised applications, hosts, and networks.
(Related policy: Do not allow privileged containers in Kubernetes cluster)
Severity: Medium

Python should be updated to the latest version for your API app
Periodically, newer versions of Python are released, either to fix security flaws or to include additional functionality. Using the latest Python version for API apps is recommended to benefit from security fixes, if any, and/or new functionality of the latest version.
(Related policy: Ensure that 'Python version' is the latest, if used as a part of the API app)
Severity: Medium

Python should be updated to the latest version for your function app
Periodically, newer versions of Python are released, either to fix security flaws or to include additional functionality. Using the latest Python version for function apps is recommended to benefit from security fixes, if any, and/or new functionality of the latest version.
(Related policy: Ensure that 'Python version' is the latest, if used as a part of the Function app)
Severity: Medium

Python should be updated to the latest version for your web app
Periodically, newer versions of Python are released, either to fix security flaws or to include additional functionality. Using the latest Python version for web apps is recommended to benefit from security fixes, if any, and/or new functionality of the latest version.
(Related policy: Ensure that 'Python version' is the latest, if used as a part of the Web app)
Severity: Medium

Remote debugging should be turned off for API App
Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.
(Related policy: Remote debugging should be turned off for API Apps)
Severity: Low

Remote debugging should be turned off for Function App
Remote debugging requires inbound ports to be opened on a function app. Remote debugging should be turned off.
(Related policy: Remote debugging should be turned off for Function Apps)
Severity: Low

Remote debugging should be turned off for Web Applications
Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.
(Related policy: Remote debugging should be turned off for Web Applications)
Severity: Low

Role-Based Access Control should be used on Kubernetes Services
To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service clusters and configure relevant authorization policies. For more information, see Azure role-based access control.
(Related policy: Role-Based Access Control (RBAC) should be used on Kubernetes Services)
Severity: High

Running containers as root user should be avoided
Containers should run as a non-root user in your Kubernetes cluster. Running a process as the root user inside a container runs it as root on the host. In case of compromise, an attacker has root in the container, and any misconfigurations become easier to exploit.
(Related policy: Kubernetes cluster pods and containers should only run with approved user and group IDs)
Severity: High

Secure Boot should be enabled on your Linux virtual machine
Enabling Secure Boot on your virtual machine helps mitigate malicious and unauthorized changes to the boot chain. Once enabled, only signed code will be allowed to run on your VM or server.
(No related policy)
Severity: Low

Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.
(Related policy: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign)
Severity: High

Service Fabric clusters should only use Azure Active Directory for client authentication
Perform client authentication only via Azure Active Directory in Service Fabric.
(Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication)
Severity: High

Services should listen on allowed ports only
To reduce the attack surface of your Kubernetes cluster, restrict access to the cluster by limiting service access to the configured ports.
(Related policy: Ensure services listen only on allowed ports in Kubernetes cluster)
Severity: Medium

System updates on virtual machine scale sets should be installed
Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets.
(Related policy: System updates on virtual machine scale sets should be installed)
Severity: High

System updates should be installed on your machines
Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers.
(Related policy: System updates should be installed on your machines)
Severity: High

System updates should be installed on your machines (powered by Update Center)
Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks, so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.
(No related policy)
Severity: High

TLS should be updated to the latest version for your API app
Upgrade to the latest TLS version.
(Related policy: Latest TLS version should be used in your API App)
Severity: High

TLS should be updated to the latest version for your function app
Upgrade to the latest TLS version.
(Related policy: Latest TLS version should be used in your Function App)
Severity: High

TLS should be updated to the latest version for your web app
Upgrade to the latest TLS version.
(Related policy: Latest TLS version should be used in your Web App)
Severity: High

Usage of host networking and ports should be restricted
Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. Pods created with the hostNetwork attribute enabled will share the node's network space. To prevent a compromised container from sniffing network traffic, we recommend not putting your pods on the host network. If you need to expose a container port on the node's network, and using a Kubernetes Service node port does not meet your needs, another possibility is to specify a hostPort for the container in the pod spec.
(Related policy: Kubernetes cluster pods should only use approved host network and port range)
Severity: Medium

Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
We recommend limiting pod HostPath volume mounts in your Kubernetes cluster to the configured allowed host paths. In case of compromise, node access from the containers should be restricted.
(Related policy: Kubernetes cluster pod hostPath volumes should only use allowed host paths)
Severity: Medium

Virtual machines should be attested for boot integrity health
Security Center cannot attest that your virtual machine is running signed and trusted code. This could indicate a compromise of the boot chain, which might be the result of a persistent bootkit or rootkit infection. To ensure your VM is running in a safe state, we recommend investigating the machine or redeploying it from a trusted OS image.
(No related policy)
Severity: Medium

Virtual machines should be migrated to new Azure Resource Manager resources
Virtual Machines (classic) has been deprecated and these VMs should be migrated to Azure Resource Manager. Because Azure Resource Manager now has full IaaS capabilities and other advancements, we deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on March 1, 2023.
Available resources and information about this tool and migration:
1. Overview of Virtual Machines (classic) deprecation, the step-by-step process for migration, and available Microsoft resources.
2. Details about the Migrate to ARM migration tool.
3. Migrate to ARM migration tool using PowerShell.
(Related policy: Virtual machines should be migrated to new Azure Resource Manager resources)
Severity: High

Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
(Related policy: Vulnerabilities in Azure Container Registry images should be remediated)
Severity: High

Vulnerabilities in container security configurations should be remediated
Remediate vulnerabilities in the security configuration on machines with Docker installed to protect them from attacks.
(Related policy: Vulnerabilities in container security configurations should be remediated)
Severity: High

Vulnerabilities in security configuration on your machines should be remediated
Remediate vulnerabilities in the security configuration on your machines to protect them from attacks.
(Related policy: Vulnerabilities in security configuration on your machines should be remediated)
Severity: Low

Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
Remediate vulnerabilities in the security configuration on your virtual machine scale sets to protect them from attacks.
(Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated)
Severity: High

Vulnerabilities in your virtual machines should be remediated
Monitors for vulnerability findings on your virtual machines discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).
(Related policy: A vulnerability assessment solution should be enabled on your virtual machines)
Severity: Low

Vulnerabilities should be remediated by a Vulnerability Assessment solution
Virtual machines on which a third-party vulnerability assessment solution is deployed are continuously assessed for application and OS vulnerabilities. Whenever such vulnerabilities are found, their details are available as part of the recommendation.
(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)
Severity: High

Vulnerability assessment solution should be installed on your virtual machines
Install a vulnerability assessment solution on your virtual machines.
(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)
Severity: Medium

Web Application should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
(Related policy: Web Application should only be accessible over HTTPS)
Severity: Medium

Web apps should request an SSL certificate for all incoming requests
Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
(Related policy: Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On')
Severity: Medium

Your machines should be restarted to apply system updates
Restart your machines to apply the system updates and secure the machine from vulnerabilities.
(Related policy: System updates should be installed on your machines)
Severity: Medium

Data recommendations

There are 28 recommendations in this category.

Recommendation | Description | Severity
All advanced threat protection types should be enabled in SQL managed instance advanced data security settings
It is recommended to enable all advanced threat protection types on your SQL managed instances. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.
(No related policy)
Severity: Medium

All advanced threat protection types should be enabled in SQL server advanced data security settings
It is recommended to enable all advanced threat protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.
(No related policy)
Severity: Medium

An Azure Active Directory administrator should be provisioned for SQL servers
Provision an Azure AD administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
(Related policy: An Azure Active Directory administrator should be provisioned for SQL servers)
Severity: High

Audit retention for SQL servers should be set to at least 90 days
Audit SQL servers configured with an auditing retention period of less than 90 days.
(Related policy: SQL servers should be configured with 90 days auditing retention or higher.)
Severity: Low

Auditing on SQL server should be enabled
Enable auditing on your SQL Server to track database activities across all databases on the server and save them in an audit log.
(Related policy: Auditing on SQL server should be enabled)
Severity: Low

Azure Defender for Azure SQL Database servers should be enabled
Azure Defender for SQL is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data.
Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred. If you create any Azure SQL Database servers in this subscription in the future, they will automatically be protected and charges will begin at that time. Learn more about Azure Defender for Azure SQL Database servers.
(Related policy: Azure Defender for Azure SQL Database servers should be enabled)
Severity: High

Diagnostic logs in Azure Data Lake Store should be enabled
Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Azure Data Lake Store should be enabled)
Severity: Low

Diagnostic logs in Data Lake Analytics should be enabled
Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Data Lake Analytics should be enabled)
Severity: Low

Enforce SSL connection should be enabled for MySQL database servers
Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
(Related policy: Enforce SSL connection should be enabled for MySQL database servers)
Severity: Medium

Enforce SSL connection should be enabled for PostgreSQL database servers
Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
(Related policy: Enforce SSL connection should be enabled for PostgreSQL database servers)
Severity: Medium

Geo-redundant backup should be enabled for Azure Database for MariaDB
Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure. Configuring geo-redundant storage for backup is only allowed when creating a server.
(Related policy: Geo-redundant backup should be enabled for Azure Database for MariaDB)
Severity: Low

Geo-redundant backup should be enabled for Azure Database for MySQL
Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure. Configuring geo-redundant storage for backup is only allowed when creating a server.
(Related policy: Geo-redundant backup should be enabled for Azure Database for MySQL)
Severity: Low

Geo-redundant backup should be enabled for Azure Database for PostgreSQL
Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery options in case of a region failure. Configuring geo-redundant storage for backup is only allowed when creating a server.
(Related policy: Geo-redundant backup should be enabled for Azure Database for PostgreSQL)
Severity: Low

Only secure connections to your Redis Cache should be enabled
Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
(Related policy: Only secure connections to your Azure Cache for Redis should be enabled)
Severity: High

Private endpoint should be enabled for MariaDB servers
Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: Private endpoint should be enabled for MariaDB servers)
Severity: Medium

Private endpoint should be enabled for MySQL servers
Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: Private endpoint should be enabled for MySQL servers)
Severity: Medium

Private endpoint should be enabled for PostgreSQL servers
Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
(Related policy: Private endpoint should be enabled for PostgreSQL servers)
Severity: Medium

Sensitive data in your SQL databases should be classified
Azure SQL DB Data discovery & classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL DB auditing to audit access and monitor the sensitive data. Azure SQL DB also enables Advanced Threat Protection features, which create intelligent alerts based on changes in the access patterns to the sensitive data.
(Related policy: Sensitive data in your SQL databases should be classified)
Severity: High

Storage accounts should be migrated to new Azure Resource Manager resources
To benefit from new capabilities in Azure Resource Manager, you can migrate existing deployments from the Classic deployment model. Resource Manager enables security enhancements such as stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. Learn more
(Related policy: Storage accounts should be migrated to new Azure Resource Manager resources)
Severity: Low

Transparent Data Encryption on SQL databases should be enabled
Enable transparent data encryption to protect data at rest and meet compliance requirements.
(Related policy: Transparent Data Encryption on SQL databases should be enabled)
Severity: Low

Vulnerability assessment findings on your SQL databases should be remediated
SQL Vulnerability assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more
(Related policy: Vulnerabilities on your SQL databases should be remediated)
Severity: High

Vulnerability assessment findings on your SQL servers on machines should be remediated
SQL Vulnerability assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. Learn more
(No related policy)
Severity: High

Vulnerability assessment should be enabled on your SQL managed instances
Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on SQL Managed Instance)
Severity: High

Vulnerability assessment should be enabled on your SQL servers
Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
(Related policy: Vulnerability assessment should be enabled on your SQL servers)
High

IdentityAndAccess recommendations

There are 15 recommendations in this category.

Recommendation | Description | Severity

A maximum of 3 owners should be designated for your subscription
To reduce the potential for breaches by compromised owner accounts, we recommend limiting the number of owner accounts to a maximum of 3.
(Related policy: A maximum of 3 owners should be designated for your subscription)
Severity: High

Deprecated accounts should be removed from your subscription
User accounts that have been blocked from signing in should be removed from your subscriptions. These accounts can be targets for attackers looking for ways to access your data without being noticed.
(Related policy: Deprecated accounts should be removed from your subscription)
Severity: High

Deprecated accounts with owner permissions should be removed from your subscription
User accounts that have been blocked from signing in should be removed from your subscriptions. These accounts can be targets for attackers looking for ways to access your data without being noticed.
(Related policy: Deprecated accounts with owner permissions should be removed from your subscription)
Severity: High

Diagnostic logs in Key Vault should be enabled
Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
(Related policy: Diagnostic logs in Key Vault should be enabled)
Severity: Low

External accounts with owner permissions should be removed from your subscription
Accounts with owner permissions that have different domain names (external accounts) should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking for ways to access your data without being noticed.
(Related policy: External accounts with owner permissions should be removed from your subscription)
Severity: High

External accounts with read permissions should be removed from your subscription
Accounts with read permissions that have different domain names (external accounts) should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking for ways to access your data without being noticed.
(Related policy: External accounts with read permissions should be removed from your subscription)
Severity: High

External accounts with write permissions should be removed from your subscription
Accounts with write permissions that have different domain names (external accounts) should be removed from your subscription. This prevents unmonitored access. These accounts can be targets for attackers looking for ways to access your data without being noticed.
(Related policy: External accounts with write permissions should be removed from your subscription)
Severity: High

MFA should be enabled on accounts with owner permissions on your subscription
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with owner permissions on your subscription)
Severity: High

MFA should be enabled on accounts with read permissions on your subscription
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled on accounts with read permissions on your subscription)
Severity: High

MFA should be enabled on accounts with write permissions on your subscription
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.
(Related policy: MFA should be enabled accounts with write permissions on your subscription)
Severity: High

Service principals should be used to protect your subscriptions instead of Management Certificates
Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management.
(Related policy: Service principals should be used to protect your subscriptions instead of management certificates)
Severity: Medium

There should be more than one owner assigned to your subscription
Designate more than one subscription owner in order to have administrator access redundancy.
(Related policy: There should be more than one owner assigned to your subscription)
Severity: High

Networking recommendations

There are 15 recommendations in this category.

Recommendation | Description | Severity

Adaptive Network Hardening recommendations should be applied on internal facing virtual machines
Azure Security Center has analyzed the Internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This could be due to a lack of traffic on the port/protocol tuples, or to specific IPs which have been flagged as malicious by Security Center's threat intelligence sources.
(No related policy)
Severity: Medium

Adaptive network hardening recommendations should be applied on internet facing virtual machines
Azure Security Center has analyzed the internet traffic communication patterns of the virtual machines listed below, and determined that the existing rules in the NSGs associated to them are overly permissive, resulting in an increased potential attack surface. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center's threat intelligence sources.
(Related policy: Adaptive network hardening recommendations should be applied on internet facing virtual machines)
Severity: High

All network ports should be restricted on network security groups associated to your virtual machine
Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
(Related policy: All network ports should be restricted on network security groups associated to your virtual machine)
Severity: High

Internet-facing virtual machines should be protected with network security groups
Protect your VM from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet. Note that to keep your machine as secure as possible, the VM's access to the Internet must be restricted, and an NSG should be enabled on the subnet. VMs with 'High' severity are Internet-facing VMs.
(Related policy: Internet-facing virtual machines should be protected with network security groups)
Severity: High

IP forwarding on your virtual machine should be disabled
Azure Security Center has discovered that IP forwarding is enabled on some of your virtual machines. Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore this should be reviewed by the network security team.
(Related policy: IP Forwarding on your virtual machine should be disabled)
Severity: Medium

Management ports of virtual machines should be protected with just-in-time network access control
Azure Security Center has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks. Learn more.
(Related policy: Management ports of virtual machines should be protected with just-in-time network access control)
Severity: High

Management ports should be closed on your virtual machines
Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
(Related policy: Management ports should be closed on your virtual machines)
Severity: Medium

Network traffic data collection agent should be installed on Linux virtual machines
Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats.
(Related policy: Network traffic data collection agent should be installed on Linux virtual machines)
Severity: Medium

Network traffic data collection agent should be installed on Windows virtual machines
Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats.
(Related policy: Network traffic data collection agent should be installed on Windows virtual machines)
Severity: Medium

Non-internet-facing virtual machines should be protected with network security groups
Protect your non-internet-facing virtual machine from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, whether or not they're on the same subnet. Note that to keep your machine as secure as possible, the VM's access to the internet must be restricted and an NSG should be enabled on the subnet.
(Related policy: Non-internet-facing virtual machines should be protected with network security groups)
Severity: Low

Secure transfer to storage accounts should be enabled
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
(Related policy: Secure transfer to storage accounts should be enabled)
Severity: High

Subnets should be associated with a network security group
Protect your subnet from potential threats by restricting access to it with a network security group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances and integrated services in that subnet, but don't apply to internal traffic inside the subnet. To secure resources in the same subnet from one another, enable an NSG directly on the resources as well.
(Related policy: Subnets should be associated with a Network Security Group)
Severity: Low

Deprecated recommendations

Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type

Access to App Services should be restricted
Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.
(Related policy: [Preview]: Access to App Services should be restricted)
Severity: High | Quick fix enabled: N | Resource type: App service

The rules for web applications on IaaS NSGs should be hardened
Harden the network security group (NSG) of your virtual machines that are running web applications, with NSG rules that are overly permissive with regards to web application ports.
(Related policy: The NSGs rules for web applications on IaaS should be hardened)
Severity: High | Quick fix enabled: N | Resource type: Virtual machine

Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview)
Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so pods can only access resources which they are allowed to access.
(Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services)
Severity: Medium | Quick fix enabled: N | Resource type: Compute resources (Containers)

Install Azure Security Center for IoT security module to get more visibility into your IoT devices
Install Azure Security Center for IoT security module to get more visibility into your IoT devices.
Severity: Low | Quick fix enabled: N | Resource type: IoT device

Next steps

To learn more about recommendations, see the following: