Archive for what's new in Azure Security Center?

The primary What's new in Azure Security Center? release notes page contains updates for the last six months, while this page contains older items.

This page provides you with information about:

  • New features
  • Bug fixes
  • Deprecated functionality

March 2020

Updates in March include:

Workflow automation is now generally available

The workflow automation feature of Azure Security Center is now generally available. Use it to automatically trigger Logic Apps on security alerts and recommendations. In addition, manual triggers are available for alerts and for all recommendations that have the quick fix option available.

Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead and can improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.

For more information about the automatic and manual Security Center capabilities for running your workflows, see workflow automation.

Learn more about creating Logic Apps.

Integration of Azure Security Center with Windows Admin Center

It's now possible to move your on-premises Windows servers from the Windows Admin Center directly to Azure Security Center. Security Center then becomes your single pane of glass to view security information for all your Windows Admin Center resources, including on-premises servers, virtual machines, and additional PaaS workloads.

After moving a server from Windows Admin Center to Azure Security Center, you'll be able to:

  • View security alerts and recommendations in the Security Center extension of the Windows Admin Center.
  • View the security posture and retrieve additional detailed information about your Windows Admin Center managed servers in Security Center within the Azure portal (or via an API).

Protection for Azure Kubernetes Service

Azure Security Center is expanding its container security features to protect Azure Kubernetes Service (AKS).

The popular, open-source platform Kubernetes has been adopted so widely that it's now an industry standard for container orchestration. Despite this widespread implementation, there's still a lack of understanding regarding how to secure a Kubernetes environment. Defending the attack surfaces of a containerized application requires expertise to ensure the infrastructure is configured securely and constantly monitored for potential threats.

The Security Center defense includes:

  • Discovery and visibility - Continuous discovery of managed AKS instances within the subscriptions registered to Security Center.
  • Security recommendations - Actionable recommendations to help you comply with security best practices for AKS. These recommendations are included in your secure score to ensure they're viewed as a part of your organization's security posture. An example of an AKS-related recommendation you might see is "Role-based access control should be used to restrict access to a Kubernetes service cluster".
  • Threat protection - Through continuous analysis of your AKS deployment, Security Center alerts you to threats and malicious activity detected at the host and AKS cluster level.

Learn more about Azure Kubernetes Service's integration with Security Center.

Learn more about the container security features in Security Center.

Improved just-in-time experience

The features, operation, and UI for Azure Security Center's just-in-time tools that secure your management ports have been enhanced as follows:

  • Justification field - When requesting access to a virtual machine (VM) through the just-in-time page of the Azure portal, a new optional field is available to enter a justification for the request. Information entered into this field can be tracked in the activity log.
  • Automatic cleanup of redundant just-in-time (JIT) rules - Whenever you update a JIT policy, a cleanup tool automatically runs to check the validity of your entire ruleset. The tool looks for mismatches between rules in your policy and rules in the NSG. If the cleanup tool finds a mismatch, it determines the cause and, when it's safe to do so, removes built-in rules that aren't needed anymore. The cleaner never deletes rules that you've created.

Learn more about the JIT access feature.

Two security recommendations for web applications deprecated

Two security recommendations related to web applications are being deprecated:

  • The rules for web applications on IaaS NSGs should be hardened. (Related policy: The NSGs rules for web applications on IaaS should be hardened)

  • Access to App Services should be restricted. (Related policy: Access to App Services should be restricted [preview])

These recommendations will no longer appear in the Security Center list of recommendations. The related policies will no longer be included in the initiative named "Security Center Default".

Learn more about security recommendations.

February 2020

Fileless attack detection for Linux (preview)

As attackers increasingly employ stealthier methods to avoid detection, Azure Security Center is extending fileless attack detection to Linux, in addition to Windows. Fileless attacks exploit software vulnerabilities, inject malicious payloads into benign system processes, and hide in memory. These techniques:

  • minimize or eliminate traces of malware on disk
  • greatly reduce the chances of detection by disk-based malware scanning solutions

To counter this threat, Azure Security Center released fileless attack detection for Windows in October 2018, and has now extended fileless attack detection to Linux as well.

January 2020

Enhanced secure score (preview)

An enhanced version of the secure score feature of Azure Security Center is now available in preview. In this version, multiple recommendations are grouped into Security Controls that better reflect your vulnerable attack surfaces (for example, restrict access to management ports).

Familiarize yourself with the secure score changes during the preview phase and determine other remediations that will help you to further secure your environment.

Learn more about enhanced secure score (preview).

November 2019

Updates in November include:

Threat Protection for Azure Key Vault in North America Regions (preview)

Azure Key Vault is an essential service for protecting data and improving performance of cloud applications by offering the ability to centrally manage keys, secrets, cryptographic keys and policies in the cloud. Since Azure Key Vault stores sensitive and business critical data, it requires maximum security for the key vaults and the data stored in them.

Azure Security Center's support for Threat Protection for Azure Key Vault provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit key vaults. This new layer of protection allows customers to address threats against their key vaults without being a security expert or managing security monitoring systems. The feature is in public preview in North America Regions.

Threat Protection for Azure Storage includes Malware Reputation Screening

Threat protection for Azure Storage offers new detections powered by Microsoft Threat Intelligence for detecting malware uploads to Azure Storage using hash reputation analysis, and suspicious access from an active Tor exit node (an anonymizing proxy). You can now view detected malware across storage accounts using Azure Security Center.

Workflow automation with Logic Apps (preview)

Organizations with centrally managed security and IT/operations implement internal workflow processes to drive required action within the organization when discrepancies are discovered in their environments. In many cases, these workflows are repeatable processes, and automation can greatly streamline processes within the organization.

Today we are introducing a new capability in Security Center that allows customers to create automation configurations leveraging Azure Logic Apps and to create policies that will automatically trigger them based on specific ASC findings such as Recommendations or Alerts. Azure Logic Apps can be configured to do any custom action supported by the vast community of Logic App connectors, or use one of the templates provided by Security Center such as sending an email or opening a ServiceNow™ ticket.

For more information about the automatic and manual Security Center capabilities for running your workflows, see workflow automation.

To learn about creating Logic Apps, see Azure Logic Apps.

Quick Fix for bulk resources generally available

With the many tasks that a user is given as part of Secure Score, the ability to effectively remediate issues across a large fleet can become challenging.

To simplify remediation of security misconfigurations, to quickly remediate recommendations on a bulk of resources, and to improve your secure score, use Quick Fix remediation.

This operation lets you select the resources you want to apply the remediation to and launch a remediation action that will configure the setting on your behalf.

Quick fix is generally available today to customers as part of the Security Center recommendations page.

See which recommendations have quick fix enabled in the reference guide to security recommendations.

Scan container images for vulnerabilities (preview)

Azure Security Center can now scan container images in Azure Container Registry for vulnerabilities.

The image scanning works by parsing the container image file, then checking to see whether there are any known vulnerabilities (powered by Qualys).

The scan itself is automatically triggered when pushing new container images to Azure Container Registry. Found vulnerabilities will surface as Security Center recommendations and be included in the Azure Secure Score, together with information on how to patch them to reduce the attack surface they expose.

Additional regulatory compliance standards (preview)

The Regulatory Compliance dashboard provides insights into your compliance posture based on Security Center assessments. The dashboard shows how your environment complies with controls and requirements designated by specific regulatory standards and industry benchmarks, and provides prescriptive recommendations for how to address these requirements.

The regulatory compliance dashboard has thus far supported four built-in standards: Azure CIS 1.1.0, PCI-DSS, ISO 27001, and SOC-TSP. We are now announcing the public preview release of additional supported standards: NIST SP 800-53 R4, SWIFT CSP CSCF v2020, Canada Federal PBMM and UK Official together with UK NHS. We are also releasing an updated version of Azure CIS 1.1.0, covering more controls from the standard and enhancing extensibility.

Threat Protection for Azure Kubernetes Service (preview)

Kubernetes is quickly becoming the new standard for deploying and managing software in the cloud. Few people have extensive experience with Kubernetes, and many focus only on general engineering and administration and overlook the security aspect. A Kubernetes environment needs to be configured carefully to be secure, making sure that no container-focused attack surface is left open to attackers. Security Center is expanding its support in the container space to one of the fastest growing services in Azure - Azure Kubernetes Service (AKS).

The new capabilities in this public preview release include:

  • Discovery & Visibility - Continuous discovery of managed AKS instances within Security Center's registered subscriptions.
  • Secure Score recommendations - Actionable items to help customers comply with security best practices in AKS as part of the customer's Secure Score, such as "Role-Based Access Control should be used to restrict access to a Kubernetes Service Cluster".
  • Threat Detection - Host and cluster-based analytics, such as "A privileged container detected".

Support for custom policies (preview)

Azure Security Center now supports custom policies (in preview).

Our customers have been wanting to extend their current security assessment coverage in Security Center with their own security assessments based on policies that they create in Azure Policy. With support for custom policies, this is now possible.

These new policies will be part of the Security Center recommendations experience, Secure Score, and the regulatory compliance standards dashboard. With the support for custom policies, you're now able to create a custom initiative in Azure Policy, then add it as a policy in Security Center and visualize it as a recommendation.

Extending Azure Security Center coverage with platform for community and partners

Use Security Center to receive recommendations not only from Microsoft but also from existing solutions from partners such as Check Point, Tenable, and CyberArk, with many more integrations coming. Security Center's simple onboarding flow can connect your existing solutions to Security Center, enabling you to view your security posture recommendations in a single place, run unified reports, and leverage all of Security Center's capabilities against both built-in and partner recommendations. You can also export Security Center recommendations to partner products.

Learn more about Microsoft Intelligent Security Association.

Advanced integrations with export of recommendations and alerts (preview)

In order to enable enterprise level scenarios on top of Security Center, it's now possible to consume Security Center alerts and recommendations in additional places beyond the Azure portal or API. These can be directly exported to an Event Hub and to Log Analytics workspaces. Here are a few workflows you can create around these new capabilities:

  • With export to a Log Analytics workspace, you can create custom dashboards with Power BI.
  • With export to Event Hub, you'll be able to export Security Center alerts and recommendations to your third-party SIEMs, to a third-party solution in real time, or to Azure Data Explorer.

Onboard on-prem servers to Security Center from Windows Admin Center (preview)

Windows Admin Center is a management portal for Windows Servers that are not deployed in Azure, offering them several Azure management capabilities such as backup and system updates. We have recently added an ability to onboard these non-Azure servers to be protected by ASC directly from the Windows Admin Center experience.

With this new experience, users will be able to onboard a WAC server to Azure Security Center and view its security alerts and recommendations directly in the Windows Admin Center experience.

September 2019

Updates in September include:

Managing rules with adaptive application controls improvements

The experience of managing rules for virtual machines using adaptive application controls has improved. Azure Security Center's adaptive application controls help you control which applications can run on your virtual machines. In addition to a general improvement to rule management, a new benefit enables you to control which file types will be protected when you add a new rule.

Learn more about adaptive application controls.

Control container security recommendation using Azure Policy

Azure Security Center's recommendation to remediate vulnerabilities in container security can now be enabled or disabled via Azure Policy.

To view your enabled security policies, from Security Center open the Security Policy page.

August 2019

Updates in August include:

Just-in-time (JIT) VM access for Azure Firewall

Just-in-time (JIT) VM access for Azure Firewall is now generally available. Use it to secure your Azure Firewall protected environments in addition to your NSG protected environments.

JIT VM access reduces exposure to network volumetric attacks by providing controlled access to VMs only when needed, using your NSG and Azure Firewall rules.

When you enable JIT for your VMs, you create a policy that determines the ports to be protected, how long the ports are to remain open, and the approved IP addresses from which these ports can be accessed. This policy helps you stay in control of what users can do when they request access.

Requests are logged in the Azure Activity Log, so you can easily monitor and audit access. The just-in-time page also helps you quickly identify existing VMs that have JIT enabled and VMs where JIT is recommended.
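The JIT policy described above (protected ports, open window, approved source addresses) and the rule cleanup described in the March 2020 "Improved just-in-time experience" entry can both be checked offline. The following is an added example, not Microsoft's code or the Security Center cleanup tool; it assumes the ARM jitNetworkAccessPolicies shape (properties.virtualMachines[].ports[] with number, protocol, allowedSourceAddressPrefix and an ISO 8601 maxRequestAccessDuration) and a hypothetical "SecurityCenter-JITRule" name prefix for JIT-managed NSG rules.

```python
"""Validate a JIT VM access policy and find JIT-managed NSG rules it no
longer covers. Added example; the policy schema, the rule-name prefix and
the sample data below are assumptions, not taken from the release notes."""
import re
from datetime import timedelta

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM
MAX_OPEN_TIME = timedelta(hours=3)           # longest window we accept
JIT_RULE_PREFIX = "SecurityCenter-JITRule"   # assumed naming convention
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # prefixes that mean "anyone"

_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(text):
    """Parse an ISO 8601 duration such as PT3H or PT30M into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def check_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for vm in policy["properties"]["virtualMachines"]:
        vm_name = vm["id"].rsplit("/", 1)[-1]
        for port in vm["ports"]:
            where = f"{vm_name}:{port['number']}"
            if port["number"] not in MANAGEMENT_PORTS:
                findings.append(f"{where}: non-management port in JIT policy")
            if port["allowedSourceAddressPrefix"] in ANY_SOURCE:
                findings.append(f"{where}: any source allowed, restrict to approved IPs")
            if parse_duration(port["maxRequestAccessDuration"]) > MAX_OPEN_TIME:
                findings.append(f"{where}: window longer than {MAX_OPEN_TIME}")
    return findings


def stale_jit_rules(policy, nsg_rules):
    """Names of JIT-managed NSG rules whose port/protocol is no longer in the
    policy. Rules without the JIT prefix are user-created and never reported,
    mirroring the page's statement that the cleaner never deletes your rules.
    Single-port destinationPortRange values are assumed."""
    covered = {
        (p["number"], p["protocol"].upper())
        for vm in policy["properties"]["virtualMachines"] for p in vm["ports"]
    }
    return [
        r["name"] for r in nsg_rules
        if r["name"].startswith(JIT_RULE_PREFIX)
        and (int(r["destinationPortRange"]), r["protocol"].upper()) not in covered
    ]


# Constructed sample input (placeholder subscription id, hypothetical rule names).
SAMPLE_POLICY = {
    "kind": "Basic",
    "properties": {"virtualMachines": [{
        "id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg/providers/"
              "Microsoft.Compute/virtualMachines/web01",
        "ports": [
            {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "10.0.0.0/24",
             "maxRequestAccessDuration": "PT1H"},
            {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*",
             "maxRequestAccessDuration": "PT8H"},
        ]}]},
}
SAMPLE_NSG_RULES = [
    {"name": "SecurityCenter-JITRule_-1_22", "protocol": "Tcp", "destinationPortRange": "22"},
    {"name": "SecurityCenter-JITRule_-1_5985", "protocol": "Tcp", "destinationPortRange": "5985"},
    {"name": "allow-lb-probe", "protocol": "Tcp", "destinationPortRange": "8080"},
]

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print("finding:", finding)
    print("stale JIT rules:", stale_jit_rules(SAMPLE_POLICY, SAMPLE_NSG_RULES))
```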

Learn more about Azure Firewall.

Single click remediation to boost your security posture (preview)

Secure score is a tool that helps you assess your workload security posture. It reviews your security recommendations and prioritizes them for you, so you know which recommendations to perform first. This helps you find the most serious security vulnerabilities to prioritize investigation.

In order to simplify remediation of security misconfigurations and help you to quickly improve your secure score, we've added a new capability that allows you to remediate a recommendation on a bulk of resources in a single click.

This operation lets you select the resources you want to apply the remediation to and launch a remediation action that will configure the setting on your behalf.

See which recommendations have quick fix enabled in the reference guide to security recommendations.

July 2019

Updates to network recommendations

Azure Security Center (ASC) has launched new networking recommendations and improved some existing ones. Now, using Security Center ensures even greater networking protection for your resources.

Learn more about network recommendations.

June 2019

Adaptive Network Hardening - generally available

One of the biggest attack surfaces for workloads running in the public cloud is connections to and from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only available to required source ranges. With this feature, Security Center learns the network traffic and connectivity patterns of Azure workloads and provides NSG rule recommendations for Internet-facing virtual machines. This helps our customers better configure their network access policies and limit their exposure to attacks.