Security recommendations - a reference guide

This article lists the recommendations you might see in Azure Security Center. The recommendations shown in your environment depend on the resources you're protecting and your customized configuration.

Security Center's recommendations are based on best practices. Some are aligned with the Azure Security Benchmark, the Microsoft-authored, Azure-specific guidelines for security and compliance best practices based on common compliance frameworks. Learn more about Azure Security Benchmark.

To learn about how to respond to these recommendations, see Remediate recommendations in Azure Security Center.

Your Secure Score is based on the number of Security Center recommendations you've completed. To decide which recommendations to resolve first, look at the severity of each one and its potential impact on your Secure Score.

Tip

If a recommendation's description says "No related policy", it's usually because that recommendation is dependent on a different recommendation and its policy. For example, the recommendation "Endpoint protection health failures should be remediated..." relies on the recommendation that checks whether an endpoint protection solution is even installed ("Endpoint protection solution should be installed..."). The underlying recommendation does have a policy. Limiting the policies to only the foundational recommendation simplifies policy management.

Network recommendations

| Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type |
|---|---|---|---|---|
| Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Customers on the standard pricing tier will see this recommendation when the Adaptive Network Hardening feature finds an overly-permissive NSG rule.<br>(Related policy: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines) | High | N | Virtual machine |
| All network ports should be restricted on NSG associated to your VM | Harden the network security groups of your Internet-facing VMs by restricting the access of your existing allow rules.<br>This recommendation is triggered when any port is opened to all sources (except for ports 22, 3389, 5985, 5986, 80, and 1443).<br>(Related policy: Access through internet facing endpoint should be restricted) | High | N | Virtual machine |
| DDoS Protection Standard should be enabled | Protect virtual networks containing applications with public IPs by enabling DDoS protection service standard. DDoS protection enables mitigation of network volumetric and protocol attacks.<br>(Related policy: DDoS Protection Standard should be enabled) | High | N | Virtual network |
| Function App should only be accessible over HTTPS | Enable "HTTPS only" access for function apps. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.<br>(Related policy: Function App should only be accessible over HTTPS) | Medium | Y | Function app |
| Internet-facing virtual machines should be protected with Network Security Groups | Enable Network Security Groups to control network access of your virtual machines.<br>(Related policy: Internet-facing virtual machines should be protected with Network Security Groups) | High/Medium | N | Virtual machine |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access to them with network security groups (NSG).<br>NSGs contain access-control lists (ACL) and can be assigned to the VM's NIC or subnet. The ACL rules allow or deny network traffic to the assigned resource.<br>(Related policy: Non-internet-facing virtual machines should be protected with network security groups) | Low | N | Virtual machine |
| IP forwarding on your virtual machine should be disabled | Disable IP forwarding. When IP forwarding is enabled on a virtual machine's NIC, the machine can receive traffic addressed to other destinations. IP forwarding is rarely required (for example, when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.<br>(Related policy: [Preview]: IP Forwarding on your virtual machine should be disabled) | Medium | N | Virtual machine |
| Management ports of virtual machines should be protected with just-in-time network access control | Apply just-in-time (JIT) virtual machine (VM) access control to permanently lock down access to selected ports, and enable authorized users to open them, via JIT, for a limited amount of time only.<br>(Related policy: Management ports of virtual machines should be protected with just-in-time network access control) | High | N | Virtual machine |
| Management ports should be closed on your virtual machines | Harden the network security group of your virtual machines to restrict access to management ports.<br>(Related policy: Management ports should be closed on your virtual machines) | High | N | Virtual machine |
| Secure transfer to storage accounts should be enabled | Enable secure transfer to storage accounts. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks, such as man-in-the-middle, eavesdropping, and session-hijacking.<br>(Related policy: Secure transfer to storage accounts should be enabled) | High | Y | Storage account |
| Subnets should be associated with a Network Security Group | Enable network security groups to control network access of resources deployed in your subnets.<br>(Related policy: Subnets should be associated with a Network Security Group. This policy is disabled by default) | High/Medium | N | Subnet |
| Web Application should only be accessible over HTTPS | Enable "HTTPS only" access for web applications. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.<br>(Related policy: Web Application should only be accessible over HTTPS) | Medium | Y | Web application |
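The trigger condition quoted for "All network ports should be restricted on NSG associated to your VM" (any port opened to all sources, except 22, 3389, 5985, 5986, 80 and 1443) can be pre-checked locally before Security Center evaluates your NSGs. The following is an added example, not Security Center's own evaluation code or any Azure SDK call: it models an NSG security rule with the fields an Azure rule carries (direction, access, sourceAddressPrefix, destinationPortRange) on constructed sample rules, and reports which non-exempt ports each inbound allow-from-anywhere rule exposes, splitting port ranges around the exempt ports.

```python
"""Approximate the documented trigger for the recommendation
'All network ports should be restricted on NSG associated to your VM'.

Added example. Rule fields mirror an Azure NSG securityRule but the
rules below are constructed samples; the plural destinationPortRanges
field and priority-ordered Deny shadowing are deliberately not modelled,
so treat the output as a conservative pre-check, not a verdict.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports the recommendation text exempts from the "open to all sources" trigger.
EXEMPT_PORTS = frozenset({22, 3389, 5985, 5986, 80, 1443})

# Source prefixes that mean "any source" in an NSG rule (assumed set).
ANY_SOURCE = frozenset({"*", "internet", "0.0.0.0/0", "::/0"})


@dataclass(frozen=True)
class SecurityRule:
    name: str
    direction: str               # "Inbound" or "Outbound"
    access: str                  # "Allow" or "Deny"
    source_address_prefix: str   # e.g. "*", "Internet", "203.0.113.0/24"
    destination_port_range: str  # "443", "8000-8100" or "*"
    priority: int


def parse_port_range(spec: str) -> tuple[int, int]:
    """Turn an NSG destinationPortRange into an inclusive (low, high) pair."""
    spec = spec.strip()
    if spec == "*":
        return (0, 65535)
    if "-" in spec:
        low, high = spec.split("-", 1)
        return (int(low), int(high))
    port = int(spec)
    return (port, port)


def is_any_source(prefix: str) -> bool:
    return prefix.strip().lower() in ANY_SOURCE


def exposed_ranges(rule: SecurityRule) -> list[tuple[int, int]]:
    """Non-exempt port sub-ranges this rule opens to every source.

    Only inbound Allow rules whose source is "any" can trigger. The rule's
    port range is split wherever it crosses an exempt port, so "*" yields
    the gaps between 22, 80, 1443, 3389 and 5985-5986.
    """
    if rule.direction.lower() != "inbound" or rule.access.lower() != "allow":
        return []
    if not is_any_source(rule.source_address_prefix):
        return []
    low, high = parse_port_range(rule.destination_port_range)
    ranges: list[tuple[int, int]] = []
    start: int | None = None
    for port in range(low, high + 1):
        if port in EXEMPT_PORTS:
            if start is not None:
                ranges.append((start, port - 1))
                start = None
        elif start is None:
            start = port
    if start is not None:
        ranges.append((start, high))
    return ranges


def find_overly_permissive(rules: list[SecurityRule]) -> dict[str, list[tuple[int, int]]]:
    """Map each triggering rule name to the port ranges it exposes."""
    findings: dict[str, list[tuple[int, int]]] = {}
    for rule in sorted(rules, key=lambda r: r.priority):
        ranges = exposed_ranges(rule)
        if ranges:
            findings[rule.name] = ranges
    return findings


# Constructed sample NSG, not taken from any real environment.
SAMPLE_RULES = [
    SecurityRule("allow-ssh-any", "Inbound", "Allow", "*", "22", 100),
    SecurityRule("allow-rdp-any", "Inbound", "Allow", "Internet", "3389", 110),
    SecurityRule("allow-sql-any", "Inbound", "Allow", "*", "1433", 120),
    SecurityRule("allow-app-any", "Inbound", "Allow", "0.0.0.0/0", "8000-8100", 130),
    SecurityRule("allow-office-all", "Inbound", "Allow", "203.0.113.0/24", "*", 140),
    SecurityRule("allow-all-out", "Outbound", "Allow", "*", "*", 150),
    SecurityRule("deny-all-in", "Inbound", "Deny", "*", "*", 4096),
]

if __name__ == "__main__":
    for name, ranges in find_overly_permissive(SAMPLE_RULES).items():
        print(f"{name}: exposes {ranges} to all sources")
```

Ports 22 and 3389 pass this check only because the page's trigger exempts them; the separate "Management ports should be closed" and just-in-time access recommendations still cover those.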

Container recommendations

| Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type |
|---|---|---|---|---|
| Advanced threat protection should be enabled on Azure Kubernetes Service clusters | Security Center provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.<br>Important: Remediating this recommendation will result in charges for protecting your AKS clusters. If you don't have any AKS clusters in this subscription, no charges will be incurred. If you create any AKS clusters on this subscription in the future, they will automatically be protected and charges will begin at that time.<br>(Related policy: Advanced threat protection should be enabled on Azure Kubernetes Service clusters) | High | Y | Subscription |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes service management API by granting API access only to IP addresses in specific ranges. It is recommended to configure authorized IP ranges so only applications from allowed networks can access the cluster.<br>(Related policy: [Preview]: Authorized IP ranges should be defined on Kubernetes Services) | High | N | Compute resources (Containers) |
| Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster | To provide granular filtering of the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. For more information see Azure role-based access control.<br>(Related policy: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services) | Medium | N | Compute resources (Containers) |
| The Kubernetes Service should be upgraded to the latest Kubernetes version | Upgrade Azure Kubernetes Service clusters to the latest Kubernetes version in order to benefit from up-to-date vulnerability patches. For details regarding specific Kubernetes vulnerabilities see Kubernetes CVEs.<br>(Related policy: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version) | High | N | Compute resources (Containers) |
| Advanced threat protection should be enabled on Azure Container Registry registries | To build secure containerized workloads, ensure the images that they're based on are free of known vulnerabilities. Security Center scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image.<br>Important: Remediating this recommendation will result in charges for protecting your ACR registries. If you don't have any ACR registries in this subscription, no charges will be incurred. If you create any ACR registries on this subscription in the future, they will automatically be protected and charges will begin at that time.<br>(Related policy: Advanced threat protection should be enabled on Azure Container Registry registries) | High | Y | Subscription |
| Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys) | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.<br>(No related policy) | High | N | Compute resources (Containers) |

App Service recommendations

| Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type |
|---|---|---|---|---|
| Advanced threat protection should be enabled on Azure App Service plans | Security Center leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.<br>Important: Remediating this recommendation will result in charges for protecting your App Service plans. If you don't have any App Service plans in this subscription, no charges will be incurred. If you create any App Service plans on this subscription in the future, they will automatically be protected and charges will begin at that time.<br>(Related policy: Advanced threat protection should be enabled on Azure App Service plans) | High | Y | Subscription |
| Web Application should only be accessible over HTTPS | Enable "HTTPS only" access for web applications. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.<br>(Related policy: Web Application should only be accessible over HTTPS) | Medium | Y | App service |
| Function App should only be accessible over HTTPS | Enable "HTTPS only" access for function apps. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.<br>(Related policy: Function App should only be accessible over HTTPS) | Medium | Y | App service |
| API App should only be accessible over HTTPS | Limit access of API Apps over HTTPS only.<br>(Related policy: API App should only be accessible over HTTPS) | Medium | N | App service |
| Remote debugging should be turned off for Web Applications | Turn off debugging for Web Applications if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Web App.<br>(Related policy: Remote debugging should be turned off for Web Application) | Low | Y | App service |
| Remote debugging should be turned off for Function App | Turn off debugging for Function App if you no longer need to use it. Remote debugging requires inbound ports to be opened on a Function App.<br>(Related policy: Remote debugging should be turned off for Function App) | Low | Y | App service |
| Remote debugging should be turned off for API App | Turn off debugging for API App if you no longer need to use it. Remote debugging requires inbound ports to be opened on an API App.<br>(Related policy: Remote debugging should be turned off for API App) | Low | Y | App service |
| CORS should not allow every resource to access your Web Applications | Allow only required domains to interact with your web application. Cross origin resource sharing (CORS) should not allow all domains to access your web application.<br>(Related policy: CORS should not allow every resource to access your Web Application) | Low | Y | App service |
| CORS should not allow every resource to access your Function App | Allow only required domains to interact with your function application. Cross origin resource sharing (CORS) should not allow all domains to access your function application.<br>(Related policy: CORS should not allow every resource to access your Function App) | Low | Y | App service |
| CORS should not allow every resource to access your API App | Allow only required domains to interact with your API application. Cross origin resource sharing (CORS) should not allow all domains to access your API application.<br>(Related policy: CORS should not allow every resource to access your API App) | Low | Y | App service |
| Diagnostic logs in App Services should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in App Services should be enabled) | Low | N | App service |

Compute and app recommendations

| Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type |
|---|---|---|---|---|
| Advanced threat protection should be enabled on virtual machines | Security Center provides real-time threat protection for your virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities.<br>You can use this information to quickly remediate security issues and improve the security of your virtual machines.<br>Important: Remediating this recommendation will result in charges for protecting your virtual machines. If you don't have any virtual machines in this subscription, no charges will be incurred. If you create any virtual machines on this subscription in the future, they will automatically be protected and charges will begin at that time.<br>(Related policy: Advanced threat protection should be enabled on virtual machines) | High | Y | Subscription |
| Diagnostic logs in Azure Stream Analytics should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Azure Stream Analytics should be enabled) | Low | Y | Compute resources (stream analytics) |
| Diagnostic logs in Batch accounts should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Batch accounts should be enabled) | Low | Y | Compute resources (batch) |
| Diagnostic logs in Event Hub should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Event Hub should be enabled) | Low | Y | Compute resources (event hub) |
| Diagnostic logs in Logic Apps should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Logic Apps should be enabled) | Low | Y | Compute resources (logic apps) |
| Diagnostic logs in Search services should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Search services should be enabled) | Low | Y | Compute resources (search) |
| Diagnostic logs in Service Bus should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.<br>(Related policy: Diagnostic logs in Service Bus should be enabled) | Low | Y | Compute resources (service bus) |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Perform client authentication only via Azure Active Directory in Service Fabric.<br>(Related policy: Service Fabric clusters should only use Azure Active Directory for client authentication) | High | N | Compute resources (service fabric) |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.<br>(Related policy: The ClusterProtectionLevel property to EncryptAndSign in Service Fabric should be set) | High | N | Compute resources (service fabric) |
| All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace | Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.<br>(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace) | Low | N | Compute resources (service bus) |
| All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace | Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.<br>(Related policy: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace) | Low | N | Compute resources (event hub) |
| Authorization rules on the Event Hub entity should be defined | Audit authorization rules on the Event Hub entity to grant least-privileged access.<br>(Related policy: Authorization rules on the Event Hub entity should be defined) | Low | N | Compute resources (event hub) |
| Log Analytics agent should be installed on your virtual machines | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis.<br>This agent is also required if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric.<br>We recommend configuring auto-provisioning to automatically deploy the agent.<br>If you choose not to use auto-provisioning, manually deploy the agent to your VMs using the instructions in the remediation steps.<br>(No related policy) | High | Y | Machine |
| Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview) | Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines.<br>(Related policy: [Preview]: Log Analytics agent should be installed on your Azure Arc machines) | High | Y | Azure Arc Machine |
| Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview) | Security Center uses the Log Analytics agent (also known as MMA) to collect security events from your Azure Arc machines.<br>(Related policy: [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines) | High | Y | Azure Arc Machine |
| Guest configuration extension should be installed on Windows virtual machines (Preview) | Install the guest configuration agent to enable auditing of settings inside a machine, such as the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.<br>(Related policy: Audit prerequisites to enable Guest Configuration policies on Windows VMs) | High | Y | Machine |
| Windows Defender Exploit Guard should be enabled on your machines (Preview) | Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).<br>(Related policy: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled) | Medium | N | Machine |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is both installed on the virtual machines and properly collects security events to the configured workspace. In some cases, the agent may fail to properly report security events, due to multiple reasons. In these cases, coverage may be partial: security events won't be properly processed, and in turn threat detection for the affected VMs may fail to function. View remediation steps for more information on how to resolve each issue.<br>(No related policy - dependent upon "Log Analytics agent health issues should be resolved on your machines") | Medium | N | Machine |
| Adaptive Application Controls should be enabled on virtual machines | Enable application control to control which applications can run on your VMs located in Azure. This will help harden your VMs against malware. Security Center uses machine learning to analyze the applications running on each VM and helps you apply allow rules using this intelligence. This capability simplifies the process of configuring and maintaining application allow rules.<br>(Related policy: Adaptive Application Controls should be enabled on virtual machines) | High | N | Machine |
| Install endpoint protection solution on your machines | Install an endpoint protection solution on your Windows and Linux machines, to protect them from threats and vulnerabilities.<br>(Related policy: Monitor missing Endpoint Protection in Azure Security Center) | Medium | N | Machine |
| Install endpoint protection solution on virtual machines | Install an endpoint protection solution on your virtual machines, to protect them from threats and vulnerabilities.<br>(No related policy) | Medium | N | Machine |
| OS version should be updated for your cloud service roles | Update the operating system (OS) version for your cloud service roles to the most recent version available for your OS family.<br>(No related policy) | High | N | Machine |
| System updates should be installed on your machines | Install missing system security and critical updates to secure your Windows and Linux virtual machines and computers.<br>(Related policy: System updates should be installed on your machines) | High | N | Machine |
| Network traffic data collection agent should be installed on Linux virtual machines (Preview) | Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.<br>(Related policy: [Preview]: Network traffic data collection agent should be installed on Linux virtual machines) | Medium | Y | Machine |
| Network traffic data collection agent should be installed on Windows virtual machines (Preview) | Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.<br>(Related policy: [Preview]: Network traffic data collection agent should be installed on Windows virtual machines) | Medium | Y | Machine |
| Enable the built-in vulnerability assessment solution on virtual machines | Install the Qualys agent (built into the Azure Security Center standard tier offering) to enable a best of breed vulnerability assessment solution on your virtual machines.<br>(Related policy: Vulnerability assessment should be enabled on virtual machines) | Medium | Y | Machine |
| Remediate vulnerabilities found on your virtual machines (powered by Qualys) | Monitors for vulnerability findings on your virtual machines that were discovered by the built-in vulnerability assessment solution of Azure Security Center (powered by Qualys).<br>(Related policy: Vulnerability Assessment should be enabled on Virtual Machines) | Low | N | Machine |
| Your machines should be restarted to apply system updates | Restart your machines to apply the system updates and secure the machine from vulnerabilities.<br>(No related policy - dependent upon "System updates should be installed on your machines") | Medium | N | Machine |
| Automation account variables should be encrypted | Enable encryption of Automation account variable assets when storing sensitive data.<br>(Related policy: Encryption should be enabled on Automation account variables) | High | N | Compute resources (automation account) |
| Disk encryption should be applied on virtual machines | Encrypt your virtual machine disks using Azure Disk Encryption both for Windows and Linux virtual machines. Azure Disk Encryption (ADE) leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data and help meet your organizational security and compliance commitments in customer Azure key vault. When your compliance and security requirements require you to encrypt the data end to end using your own encryption keys, including encryption of the ephemeral (locally attached temporary) disk, use Azure disk encryption. Alternatively, Managed Disks are encrypted at rest by default using Azure Storage Service Encryption, where the encryption keys are Microsoft-managed keys in Azure. If this meets your compliance and security requirements, you can leverage the default Managed disk encryption to meet your requirements. | | | |
(相关策略:应对虚拟机应用磁盘加密)(Related policy: Disk encryption should be applied on virtual machines)
High NN 计算机Machine
应将虚拟机迁移到新的 Azure 资源管理器资源Virtual machines should be migrated to new Azure Resource Manager resources 对虚拟机使用 Azure 资源管理器以提供安全增强功能,例如:更强的访问控制 (RBAC)、更好的审核、基于资源管理器的部署和治理、托管标识访问权限、用于存储机密的密钥保管库的访问权限、基于 Azure AD 的身份验证以及可实现更轻松安全管理的标记和资源组支持。Use Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.
(相关策略:应将虚拟机迁移到新的 Azure 资源管理器资源)(Related policy: Virtual machines should be migrated to new Azure Resource Manager resources)
Low NN 计算机Machine
应在虚拟机上安装漏洞评估解决方案Vulnerability assessment solution should be installed on your virtual machines 在虚拟机上安装漏洞评估解决方案Install a vulnerability assessment solution on your virtual machines
(相关策略:应通过漏洞评估解决方案修正漏洞)(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)
中型Medium NN 计算机Machine
应通过漏洞评估解决方案修复漏洞Vulnerabilities should be remediated by a Vulnerability Assessment solution 会持续评估为其部署了漏洞评估第三方解决方案的虚拟机的应用程序和 OS 漏洞。Virtual machines for which a vulnerability assessment 3rd party solution is deployed are being continuously assessed against application and OS vulnerabilities. 只要发现此类漏洞,就会在建议中提供详细信息。Whenever such vulnerabilities are found, these are available for more information as part of the recommendation.
(相关策略:应通过漏洞评估解决方案修正漏洞)(Related policy: Vulnerabilities should be remediated by a Vulnerability Assessment solution)
High NN 计算机Machine
应修复计算机上安全配置中的漏洞Vulnerabilities in security configuration on your machines should be remediated 修复计算机上安全配置的漏洞,以保护其免受攻击。Remediate vulnerabilities in security configuration on your machines to protect them from attacks.
(相关策略:应修正计算机上安全配置中的漏洞)(Related policy: Vulnerabilities in security configuration on your machines should be remediated)
Low NN 计算机Machine
应修正容器安全配置中的漏洞Vulnerabilities in container security configurations should be remediated 修复安装了 Docker 的计算机上安全配置中的漏洞,使它们免受攻击。Remediate vulnerabilities in security configuration on machines with Docker installed to protect them from attacks.
(相关策略:应修正容器安全配置中的漏洞)(Related policy: Vulnerabilities in container security configurations should be remediated)
High NN 计算机Machine
应在计算机上解决 Endpoint Protection 运行状况问题Endpoint protection health issues should be resolved on your machines 若要实现全面的安全中心保护,请遵照故障排除指南中的说明,解决计算机上的监视代理问题。For full Security Center protection, resolve monitoring agent issues on your machines by following the instructions in the Troubleshooting guide.
(此建议依赖于建议“在计算机上安装 Endpoint Protection 解决方案”和其策略)(This recommendation is dependent upon the recommendation "Install endpoint protection solution on your machines" and its policy)
中型Medium NN 计算机Machine

Virtual machine scale set recommendations

| Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type |
|---|---|---|---|---|
| Diagnostic logs in Virtual Machine Scale Sets should be enabled | Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Virtual Machine Scale Sets should be enabled) | Low | N | Virtual machine scale set |
| Endpoint protection health failures should be remediated on virtual machine scale sets | Remediate endpoint protection health failures on your virtual machine scale sets to protect them from threats and vulnerabilities. (No related policy; dependent upon "Endpoint protection solution should be installed on virtual machine scale sets") | Low | N | Virtual machine scale set |
| Endpoint protection solution should be installed on virtual machine scale sets | Install an endpoint protection solution on your virtual machine scale sets to protect them from threats and vulnerabilities. (Related policy: Endpoint protection solution should be installed on virtual machine scale sets) | High | N | Virtual machine scale set |
| Log Analytics agent should be installed on your virtual machine scale sets | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. You'll also need to follow that procedure if your VMs are used by an Azure managed service such as Azure Kubernetes Service or Azure Service Fabric. You cannot configure auto-provisioning of the agent for Azure virtual machine scale sets. To deploy the agent on virtual machine scale sets (including those used by Azure managed services such as Azure Kubernetes Service and Azure Service Fabric), follow the procedure in the remediation steps. | High | Y | Virtual machine scale set |
| System updates on virtual machine scale sets should be installed | Install missing system security and critical updates to secure your Windows and Linux virtual machine scale sets. (Related policy: System updates on virtual machine scale sets should be installed) | High | N | Virtual machine scale set |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Remediate vulnerabilities in the security configuration of your virtual machine scale sets to protect them from attacks. (Related policy: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated) | High | N | Virtual machine scale set |

Data and storage recommendations

| Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type |
|---|---|---|---|---|
| Advanced data security should be enabled on Azure SQL Database servers | Advanced data security is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data. Important: Remediating this recommendation will result in charges for protecting your Azure SQL Database servers. If you don't have any Azure SQL Database servers in this subscription, no charges will be incurred. If you create any Azure SQL Database servers in this subscription in the future, they will automatically be protected and charges will begin at that time. (Related policy: Advanced data security should be enabled on Azure SQL Database servers) | High | Y | Subscription |
| Advanced data security should be enabled on SQL servers on machines | Advanced data security is a unified package that provides advanced SQL security capabilities. It includes functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat to your database, and discovering and classifying sensitive data. Important: Remediating this recommendation will result in charges for protecting your SQL servers on machines. If you don't have any SQL servers on machines in this subscription, no charges will be incurred. If you create any SQL servers on machines in this subscription in the future, they will automatically be protected and charges will begin at that time. (Related policy: Advanced data security should be enabled on SQL servers on machines) | High | Y | Subscription |
| Advanced threat protection should be enabled on Azure Storage accounts | Advanced threat protection for storage detects unusual and potentially harmful attempts to access or exploit storage accounts. Important: Remediating this recommendation will result in charges for protecting your Azure Storage accounts. If you don't have any Azure Storage accounts in this subscription, no charges will be incurred. If you create any Azure Storage accounts in this subscription in the future, they will automatically be protected and charges will begin at that time. (Related policy: Advanced threat protection should be enabled on Azure Storage accounts) | High | Y | Subscription |
| Access to storage accounts with firewall and virtual network configurations should be restricted | Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so that only applications from allowed networks can access the storage account. To allow connections from specific Internet or on-premises clients, you can grant access to traffic from specific Azure virtual networks or from public Internet IP address ranges. (Related policy: Audit unrestricted network access to storage accounts) | Low | N | Storage account |
| Advanced data security should be enabled on your managed instances | Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per managed instance. (Related policy: Advanced data security should be enabled on SQL Managed Instance) | High | Y | SQL |
| Advanced data security should be enabled on your SQL servers | Advanced data security (ADS) is a unified package that provides advanced SQL security capabilities. It discovers and classifies sensitive data, surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database. ADS is charged at $15 per SQL server. (Related policy: Advanced data security should be enabled on your SQL servers) | High | Y | SQL |
| An Azure Active Directory administrator should be provisioned for SQL Database | Provision an Azure AD administrator for your SQL Database to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. (Related policy: Audit provisioning of an Azure Active Directory administrator for SQL server) | High | N | SQL |
| Auditing on SQL Database should be enabled | Enable auditing for SQL Database. (Related policy: Auditing should be enabled for SQL Database on advanced data security settings for your server) | Low | Y | SQL |
| Diagnostic logs in Azure Data Lake Store should be enabled | Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Azure Data Lake Store should be enabled) | Low | Y | Data Lake Store |
| Diagnostic logs in Data Lake Analytics should be enabled | Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Data Lake Analytics should be enabled) | Low | Y | Data Lake Analytics |
| Only secure connections to your Redis Cache should be enabled | Enable only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. (Related policy: Only secure connections to your Redis Cache should be enabled) | High | N | Redis |
| Secure transfer to storage accounts should be enabled | Secure transfer is an option that forces your storage account to accept requests only over secure connections (HTTPS). HTTPS ensures authentication between the server and the service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. (Related policy: Secure transfer to storage accounts should be enabled) | High | N | Storage account |
| Sensitive data in your SQL databases should be classified | Azure SQL Database Data Discovery & Classification provides capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. Once your data is classified, you can use Azure SQL Database auditing to audit access to and monitor the sensitive data. Azure SQL Database also enables Advanced Threat Protection features, which create intelligent alerts based on changes in access patterns to the sensitive data. (Related policy: [Preview]: Sensitive data in your SQL databases should be classified) | High | N | SQL |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use Azure Resource Manager for your storage accounts to provide security enhancements such as stronger access control (RBAC), better auditing, Resource Manager-based deployment and governance, access to managed identities, access to Key Vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. (Related policy: Storage accounts should be migrated to new Azure Resource Manager resources) | Low | N | Storage account |
| Transparent Data Encryption on SQL databases should be enabled | Enable transparent data encryption to protect data at rest and meet compliance requirements. (Related policy: Transparent Data Encryption on SQL databases should be enabled) | Low | Y | SQL |
| Vulnerability assessment should be enabled on SQL Database | Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. (Related policy: Vulnerability assessment should be enabled on your SQL servers) | High | Y | SQL |
| Vulnerability assessment should be enabled on SQL Managed Instance | Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. (Related policy: Vulnerability assessment should be enabled on SQL Managed Instance) | High | Y | SQL |
| Vulnerability assessment findings on your SQL servers on machines should be remediated (Preview) | SQL Vulnerability Assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | High | N | SQL |
| Vulnerability assessment findings on your SQL databases should be remediated | SQL Vulnerability Assessment scans your database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. (Related policy: Vulnerabilities on your SQL databases should be remediated) | High | N | SQL |

Identity and access recommendations

| Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type |
|---|---|---|---|---|
| MFA should be enabled on accounts with read permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with read privileges to prevent a breach of accounts or resources. (Related policy: MFA should be enabled on accounts with read permissions on your subscription) | High | N | Subscription |
| MFA should be enabled on accounts with write permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with write privileges to prevent a breach of accounts or resources. (Related policy: MFA should be enabled on accounts with write permissions on your subscription) | High | N | Subscription |
| MFA should be enabled on accounts with owner permissions on your subscription | Enable Multi-Factor Authentication (MFA) for all subscription accounts with owner privileges to prevent a breach of accounts or resources. (Related policy: MFA should be enabled on accounts with owner permissions on your subscription) | High | N | Subscription |
| External accounts with read permissions should be removed from your subscription | Remove external accounts with read privileges from your subscription in order to prevent unmonitored access. (Related policy: External accounts with read permissions should be removed from your subscription) | High | N | Subscription |
| External accounts with write permissions should be removed from your subscription | Remove external accounts with write privileges from your subscription in order to prevent unmonitored access. (Related policy: External accounts with write permissions should be removed from your subscription) | High | N | Subscription |
| External accounts with owner permissions should be removed from your subscription | Remove external accounts with owner privileges from your subscription in order to prevent unmonitored access. (Related policy: External accounts with owner permissions should be removed from your subscription) | High | N | Subscription |
| Deprecated accounts with owner permissions should be removed from your subscription | Remove deprecated accounts with owner permissions from your subscriptions. (Related policy: Deprecated accounts with owner permissions should be removed from your subscription) | High | N | Subscription |
| Deprecated accounts should be removed from your subscription | Remove deprecated accounts from your subscriptions so that only current users have access. (Related policy: Deprecated accounts should be removed from your subscription) | High | N | Subscription |
| There should be more than one owner assigned to your subscription | Designate more than one subscription owner in order to have administrator access redundancy. (Related policy: There should be more than one owner assigned to your subscription) | High | N | Subscription |
| A maximum of 3 owners should be designated for your subscription | Designate fewer than three subscription owners in order to reduce the potential for breach by a compromised owner. (Related policy: A maximum of 3 owners should be designated for your subscription) | High | N | Subscription |
| Advanced threat protection should be enabled on Azure Key Vault vaults | Azure Security Center includes Azure-native advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. Important: Remediating this recommendation will result in charges for protecting your AKV vaults. If you don't have any AKV vaults in this subscription, no charges will be incurred. If you create any AKV vaults in this subscription in the future, they will automatically be protected and charges will begin at that time. (Related policy: Advanced threat protection should be enabled on Azure Key Vault vaults) | High | Y | Subscription |
| Diagnostic logs in Key Vault should be enabled | Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. (Related policy: Diagnostic logs in Key Vault should be enabled) | Low | Y | Key Vault |
| Service principals should be used to protect your subscriptions instead of Management Certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. | Medium | N | Subscription |

Deprecated recommendations

| Recommendation | Description & related policy | Severity | Quick fix enabled? (Learn more) | Resource type |
|---|---|---|---|---|
| Access to App Services should be restricted | Restrict access to your App Services by changing the networking configuration to deny inbound traffic from ranges that are too broad. (Related policy: [Preview]: Access to App Services should be restricted) | High | N | App service |
| The rules for web applications on IaaS NSGs should be hardened | Harden the network security group (NSG) of your virtual machines that are running web applications, where the NSG rules are overly permissive with regard to web application ports. (Related policy: The NSG rules for web applications on IaaS should be hardened) | High | N | Virtual machine |
| Pod Security Policies should be defined to reduce the attack vector by removing unnecessary application privileges (Preview) | Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure pod security policies so that pods can only access the resources they are allowed to access. (Related policy: [Preview]: Pod Security Policies should be defined on Kubernetes Services) | Medium | N | Compute resources (Containers) |
| Install Azure Security Center for IoT security module to get more visibility into your IoT devices | Install the Azure Security Center for IoT security module to get more visibility into your IoT devices. | Low | N | IoT device |

Next steps

To learn more about recommendations, see the following: