Secure score in Azure Security Center

Introduction to secure score

Azure Security Center has two main goals:

  • to help you understand your current security situation
  • to help you efficiently and effectively improve your security

The central feature in Security Center that enables you to achieve those goals is secure score.

Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

The secure score is shown in the Azure portal pages as a percentage value, but the underlying values are also clearly presented:

Figure: the overall secure score as shown in the portal

To increase your security, review Security Center's recommendations page for the outstanding actions necessary to raise your score. Each recommendation includes instructions to help you remediate the specific issue.

Recommendations are grouped into security controls. Each control is a logical group of related security recommendations, and reflects your vulnerable attack surfaces. Your score only improves when you remediate all of the recommendations for a single resource within a control. To see how well your organization is securing each individual attack surface, review the scores for each security control.

For more information, see How your secure score is calculated below.

How your secure score is calculated

The contribution of each security control towards the overall secure score is shown clearly on the recommendations page.

Figure: the enhanced secure score introduces security controls

To get all the possible points for a security control, all your resources must comply with all of the security recommendations within the security control. For example, Security Center has multiple recommendations regarding how to secure your management ports. You'll need to remediate them all to make a difference to your secure score.

For example, the security control called "Apply system updates" has a maximum score of six points, which you can see in the tooltip on the potential increase value of the control:

Figure: the security control "Apply system updates"

The maximum score for this control, Apply system updates, is always 6. In this example, there are 50 resources. So we divide the max score by 50, and the result is that every resource contributes 0.12 points.

  • Potential increase (0.12 x 8 unhealthy resources = 0.96) - The remaining points available to you within the control. If you remediate all the recommendations in this control, your score will increase by 2% (in this case, 0.96 points rounded up to 1 point).
  • Current score (0.12 x 42 healthy resources = 5.04) - The current score for this control. Each control contributes towards the total score. In this example, the control is contributing 5.04 points to the current secure score total.
  • Max score - The maximum number of points you can gain by completing all recommendations within a control. The maximum score for a control indicates the relative significance of that control. Use the max score values to triage the issues to work on first.

Calculations - understanding your score

Metric: Security control's current score

Formula and example:

Figure: equation for calculating a security control's score

Each individual security control contributes towards the secure score. Each resource affected by a recommendation within the control contributes towards the control's current score. The current score for each control is a measure of the status of the resources within the control.

Figure: tooltips showing the values used when calculating the security control's current score

In this example, the max score of 6 would be divided by 78 because that's the sum of the healthy and unhealthy resources.

6 / 78 = 0.0769

Multiplying that by the number of healthy resources (4) results in the current score:

0.0769 * 4 = 0.31

Metric: Secure score, single subscription

Formula and example:

Figure: equation for calculating a subscription's secure score

Figure: secure score for a single subscription with all controls enabled

In this example, there is a single subscription with all security controls available (a potential maximum score of 60 points). The score shows 28 points out of a possible 60 and the remaining 32 points are reflected in the "Potential score increase" figures of the security controls.

Figure: list of controls and their potential score increases

Metric: Secure score, multiple subscriptions

Formula and example:

Figure: equation for calculating the secure score for multiple subscriptions

When calculating the combined score for multiple subscriptions, Security Center includes a weight for each subscription. The relative weights for your subscriptions are determined by Security Center based on factors such as the number of resources.

The current score for each subscription is calculated in the same way as for a single subscription, but then the weight is applied as shown in the equation.

When viewing multiple subscriptions, secure score evaluates all resources within all enabled policies and groups their combined impact on each security control's maximum score.

Figure: secure score for multiple subscriptions with all controls enabled

The combined score is not an average; rather it's the evaluated posture of the status of all resources across all subscriptions.

Here too, if you go to the recommendations page and add up the potential points available, you will find that it's the difference between the current score (24) and the maximum score available (60).
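The per-control arithmetic above (a control's max score spread evenly over every resource it assesses, with only healthy resources earning points) and the single-subscription total, carried through in code. This is an added example, not code from the original page or from Security Center. The resource counts are constructed: the "Apply system updates" (6 points, 42 of 50 healthy) and "Remediate vulnerabilities" (6 points, 4 of 78 healthy) figures are the ones used on this page, the others are made up to fill out the controls listed later on the page. The multiple-subscription weighting is not reproduced, because the page does not state the weight formula.

```python
"""Worked secure-score arithmetic following the rules stated on this page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One security control: its fixed max score and the number of resources
    assessed as healthy or unhealthy under it (counts are constructed)."""
    name: str
    max_score: float
    healthy: int
    unhealthy: int

    @property
    def total_resources(self) -> int:
        return self.healthy + self.unhealthy

    @property
    def points_per_resource(self) -> float:
        # The max score is divided evenly over every resource the control covers.
        if self.total_resources == 0:
            return 0.0
        return self.max_score / self.total_resources

    @property
    def current_score(self) -> float:
        # Only healthy resources earn points; a resource with any open
        # recommendation in this control earns none of its share.
        return self.points_per_resource * self.healthy

    @property
    def potential_increase(self) -> float:
        # Points still available if every unhealthy resource is remediated.
        return self.max_score - self.current_score


def subscription_score(controls):
    """Single-subscription secure score: sum of the controls' current scores,
    the maximum possible, and the rounded percentage the portal displays."""
    current = sum(c.current_score for c in controls)
    maximum = sum(c.max_score for c in controls)
    pct = round(100 * current / maximum) if maximum else 0
    return round(current, 2), maximum, pct


def increase_if_remediated(control, controls):
    """Percentage points gained by fully remediating one control (the '2%'
    shown in the tooltip for 'Apply system updates' on this page)."""
    _, maximum, _ = subscription_score(controls)
    return round(100 * control.potential_increase / maximum)


def potential_matches_gap(controls) -> bool:
    """Check the page's statement that the summed potential increases equal
    the difference between the maximum and the current score."""
    gap = sum(c.max_score for c in controls) - sum(c.current_score for c in controls)
    return abs(sum(c.potential_increase for c in controls) - gap) < 1e-9


# Constructed sample: the controls listed on this page with their max scores;
# the healthy/unhealthy counts are made up except where noted.
SAMPLE_CONTROLS = [
    Control("Enable MFA", 10, 3, 2),
    Control("Secure management ports", 8, 10, 10),
    Control("Apply system updates", 6, 42, 8),            # figures from the page
    Control("Remediate vulnerabilities", 6, 4, 74),       # figures from the page
    Control("Encrypt data in transit", 4, 20, 0),
    Control("Restrict unauthorized network access", 4, 0, 30),
    Control("Enable encryption at rest", 4, 5, 5),
    Control("Manage access and permissions", 4, 12, 4),
    Control("Remediate security configurations", 4, 1, 3),
    Control("Apply adaptive application control", 3, 0, 9),
    Control("Protect your applications with Azure advanced networking solutions", 2, 2, 0),
    Control("Enable endpoint protection", 2, 7, 1),
    Control("Enable auditing and logging", 1, 1, 1),
]

if __name__ == "__main__":
    for c in SAMPLE_CONTROLS:
        print(f"{c.name}: {c.current_score:.2f}/{c.max_score} "
              f"(+{c.potential_increase:.2f} available)")
    print("subscription (current, max, pct):", subscription_score(SAMPLE_CONTROLS))
```

Running the block reproduces the page's figures: 0.12 points per resource and a 5.04 current score for "Apply system updates", and 0.31 for "Remediate vulnerabilities" after rounding. A control with a single unhealthy resource among many still forfeits that resource's full share, which is why the page tells you to remediate every recommendation in a control for a resource before expecting the score to move.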

Which recommendations are included in the secure score calculations?

Only built-in recommendations have an impact on the secure score.

Recommendations flagged as Preview aren't included in the calculations of your secure score. They should still be remediated wherever possible, so that when the preview period ends they'll contribute towards your score.

An example of a preview recommendation:

Figure: a recommendation with the preview flag

Improve your secure score

To improve your secure score, remediate security recommendations from your recommendations list. You can remediate each recommendation manually for each resource, or use the Quick Fix! option (when available) to apply a remediation for a recommendation to a group of resources quickly. For more information, see Remediate recommendations.

Security controls and their recommendations

The table below lists the security controls in Azure Security Center. For each control, you can see the maximum number of points you can add to your secure score if you remediate all of the recommendations listed in the control, for all of your resources.

The set of security recommendations provided with Security Center is tailored to the available resources in each organization's environment. The recommendations can be further customized by disabling policies.

We recommend every organization carefully review their assigned Azure Policy initiatives.

Tip

For details of reviewing and editing your initiatives, see Working with security policies.

Even though Security Center's default security initiative is based on industry best practices and standards, there are scenarios in which the built-in recommendations listed below might not completely fit your organization. Consequently, it'll sometimes be necessary to adjust the default initiative - without compromising security - to ensure it's aligned with your organization's own policies, industry standards, regulatory standards, and benchmarks you're obligated to meet.

Each entry below gives the control's maximum secure score contribution, the control's description, and its recommendations.

Enable MFA (max score: 10)

If you only use a password to authenticate a user, it leaves an attack vector open. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password?
With MFA enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on (SSO).

Recommendations:
- MFA should be enabled on accounts with owner permissions on your subscription
- MFA should be enabled on accounts with write permissions on your subscription

Secure management ports (max score: 8)

Brute force attacks target management ports to gain access to a VM. Since the ports don't always need to be open, one mitigation strategy is to reduce exposure to the ports using just-in-time network access controls, network security groups, and virtual machine port management.
Since many IT organizations don't block SSH communications outbound from their network, attackers can create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker's command-and-control servers. Attackers can use the Windows Remote Management subsystem to move laterally across your environment and use stolen credentials to access other resources on a network.

Recommendations:
- Internet-facing virtual machines should be protected with network security groups
- Management ports of virtual machines should be protected with just-in-time network access control
- Management ports should be closed on your virtual machines

Apply system updates (max score: 6)

System updates provide organizations with the ability to maintain operational efficiency, reduce security vulnerabilities, and provide a more stable environment for end users. Not applying updates leaves unpatched vulnerabilities and results in environments that are susceptible to attacks. These vulnerabilities can be exploited and lead to data loss, data exfiltration, ransomware, and resource abuse. To deploy system updates, you can use the Update Management solution to manage patches and updates for your virtual machines. Update management is the process of controlling the deployment and maintenance of software releases.

Recommendations:
- Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
- Log Analytics agent health issues should be resolved on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
- Monitoring agent should be installed on your machines
- OS version should be updated for your cloud service roles
- System updates on virtual machine scale sets should be installed
- System updates should be installed on your machines
- System updates should be installed on your machines (powered by Update Center)
- Your machines should be restarted to apply system updates

Remediate vulnerabilities (max score: 6)

A vulnerability is a weakness that a threat actor could leverage to compromise the confidentiality, availability, or integrity of a resource. Managing vulnerabilities reduces organizational exposure, hardens endpoint surface area, increases organizational resilience, and reduces the attack surface of your resources. Threat and Vulnerability Management provides visibility into software and security misconfigurations and provides recommendations for mitigations.

Recommendations:
- A vulnerability assessment solution should be enabled on your virtual machines
- Azure Defender for SQL should be enabled on your managed instances
- Azure Defender for SQL should be enabled on your SQL servers
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Container images should be deployed from trusted registries only
- Enable the built-in vulnerability assessment solution on virtual machines
- Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
- Vulnerabilities in your virtual machines should be remediated
- Vulnerabilities should be remediated by a Vulnerability Assessment solution
- Vulnerability assessment findings on your SQL databases should be remediated
- Vulnerability assessment findings on your SQL servers on machines should be remediated
- Vulnerability assessment should be enabled on your SQL managed instances
- Vulnerability assessment should be enabled on your SQL servers
- Vulnerability assessment solution should be installed on your virtual machines

Encrypt data in transit (max score: 4)

Data is "in transit" when it's transmitted between components, locations, or programs. Organizations that fail to protect data in transit are susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. SSL/TLS protocols should be used to exchange data and a VPN is recommended. When sending encrypted data between an Azure virtual machine and an on-premises location over the internet, you can use a virtual network gateway such as Azure VPN Gateway to send encrypted traffic.

Recommendations:
- API App should only be accessible over HTTPS
- Enforce SSL connection should be enabled for MySQL database servers
- Enforce SSL connection should be enabled for PostgreSQL database servers
- FTPS should be required in your API App
- FTPS should be required in your function App
- FTPS should be required in your web App
- Function App should only be accessible over HTTPS
- IoT Devices - TLS cipher suite upgrade needed
- Only secure connections to your Redis Cache should be enabled
- Secure transfer to storage accounts should be enabled
- TLS should be updated to the latest version for your API app
- TLS should be updated to the latest version for your function app
- TLS should be updated to the latest version for your web app
- Web Application should only be accessible over HTTPS

Restrict unauthorized network access (max score: 4)

Endpoints within an organization provide a direct connection from your virtual network to supported Azure services. Virtual machines in a subnet can communicate with all resources. To limit communication to and from resources within a subnet, create a network security group and associate it to the subnet. Organizations can limit and protect against unauthorized traffic by creating inbound and outbound rules.

Recommendations:
- Adaptive network hardening recommendations should be applied on internet facing virtual machines
- All network ports should be restricted on network security groups associated to your virtual machine
- App Configuration should use private link
- Azure Cache for Redis should reside within a virtual network
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Azure Machine Learning workspaces should use private link
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Container registries should not allow unrestricted network access
- Container registries should use private link
- Containers should listen on allowed ports only
- CORS should not allow every resource to access your API App
- CORS should not allow every resource to access your Function App
- CORS should not allow every resource to access your Web Applications
- Default IP Filter Policy should be Deny
- Firewall should be enabled on Key Vault
- Internet-facing virtual machines should be protected with network security groups
- IoT Devices - Open Ports On Device
- IoT Devices - Permissive firewall policy in one of the chains was found
- IoT Devices - Permissive firewall rule in the input chain was found
- IoT Devices - Permissive firewall rule in the output chain was found
- IP Filter rule large IP range
- IP forwarding on your virtual machine should be disabled
- Kubernetes Services Management API server should be configured with restricted access
- Private endpoint should be configured for Key Vault
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Public network access should be disabled for PostgreSQL servers
- Services should listen on allowed ports only
- Storage account should use a private link connection
- Storage accounts should restrict network access using virtual network rules
- Usage of host networking and ports should be restricted
- Virtual networks should be protected by Azure Firewall
- VM Image Builder templates should use private link

Enable encryption at rest (max score: 4)

Encryption at rest provides data protection for stored data. Attacks against data at rest include attempts to gain physical access to the hardware on which the data is stored. Azure uses symmetric encryption to encrypt and decrypt large amounts of data at rest. A symmetric encryption key is used to encrypt data as it is written to storage. That encryption key is also used to decrypt that data as it is readied for use in memory. Keys must be stored in a secure location with identity-based access control and audit policies. One such secure location is Azure Key Vault. If an attacker obtains the encrypted data but not the encryption keys, the attacker can't access the data without breaking the encryption.

Recommendations:
- Automation account variables should be encrypted
- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
- Bring your own key data protection should be enabled for MySQL servers
- Bring your own key data protection should be enabled for PostgreSQL servers
- Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
- Container registries should be encrypted with a customer-managed key (CMK)
- Disk encryption should be applied on virtual machines
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- SQL managed instances should use customer-managed keys to encrypt data at rest
- SQL servers should use customer-managed keys to encrypt data at rest
- Storage accounts should use customer-managed key (CMK) for encryption
- Transparent Data Encryption on SQL databases should be enabled

Manage access and permissions (max score: 4)

A core part of a security program is ensuring your users have the necessary access to do their jobs but no more than that: the least privilege access model.
Control access to your resources by creating role assignments with Azure role-based access control (Azure RBAC). A role assignment consists of three elements:
- Security principal: the object the user is requesting access to
- Role definition: their permissions
- Scope: the set of resources to which the permissions apply

Recommendations:
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Container with privilege escalation should be avoided
- Containers sharing sensitive host namespaces should be avoided
- Deprecated accounts should be removed from your subscription
- Deprecated accounts with owner permissions should be removed from your subscription
- External accounts with owner permissions should be removed from your subscription
- External accounts with write permissions should be removed from your subscription
- Function apps should have Client Certificates (Incoming client certificates) enabled
- Identical Authentication Credentials
- Immutable (read-only) root filesystem should be enforced for containers
- Least privileged Linux capabilities should be enforced for containers
- Managed identity should be used in your API app
- Managed identity should be used in your function app
- Managed identity should be used in your web app
- Privileged containers should be avoided
- Role-Based Access Control should be used on Kubernetes Services
- Running containers as root user should be avoided
- Service Fabric clusters should only use Azure Active Directory for client authentication
- Service principals should be used to protect your subscriptions instead of Management Certificates
- Storage account public access should be disallowed
- There should be more than one owner assigned to your subscription
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers

Remediate security configurations (max score: 4)

Misconfigured IT assets have a higher risk of being attacked. Basic hardening actions are often forgotten when assets are being deployed and deadlines must be met. Security misconfigurations can be at any level in the infrastructure: from the operating systems and network appliances, to cloud resources.
Azure Security Center continually compares the configuration of your resources with requirements in industry standards, regulations, and benchmarks. When you've configured the relevant "compliance packages" (standards and baselines) that matter to your organization, any gaps will result in security recommendations that include the CCEID and an explanation of the potential security impact.
Commonly used packages are Azure Security Benchmark and CIS Azure Foundations Benchmark version 1.1.0.

Recommendations:
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- IoT Devices - Auditd process stopped sending events
- IoT Devices - Operating system baseline validation failure
- Log Analytics agent health issues should be resolved on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
- Monitoring agent should be installed on your machines
- Overriding or disabling of containers AppArmor profile should be restricted
- Pod Security Policies should be defined on Kubernetes Services (Deprecated)
- Secure Boot should be enabled on your Linux virtual machine
- Virtual machines should be attested for boot integrity health
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- Vulnerabilities in container security configurations should be remediated
- Vulnerabilities in security configuration on your machines should be remediated
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated

Apply adaptive application control (max score: 3)

Adaptive application control (AAC) is an intelligent, automated, end-to-end solution, which allows you to control which applications can run on your Azure and non-Azure machines. It also helps to harden your machines against malware.
Security Center uses machine learning to create a list of known-safe applications for a group of machines.
This innovative approach to approved application listing provides the security benefits without the management complexity.
AAC is particularly relevant for purpose-built servers that need to run a specific set of applications.

Recommendations:
- Adaptive application controls for defining safe applications should be enabled on your machines
- Allowlist rules in your adaptive application control policy should be updated
- Log Analytics agent health issues should be resolved on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
- Monitoring agent should be installed on your machines

Protect your applications with Azure advanced networking solutions (max score: 2)

Recommendations:
- Azure DDoS Protection Standard should be enabled
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters
- Container CPU and memory limits should be enforced
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service

Enable endpoint protection (max score: 2)

To ensure your endpoints are protected from malware, behavioral sensors collect and process data from your endpoints' operating systems and send this data to the private cloud for analysis. Security analytics leverage big data, machine learning, and other sources to recommend responses to threats. For example, Microsoft Defender ATP uses threat intelligence to identify attack methods and generate security alerts.
Security Center supports the following endpoint protection solutions: Windows Defender, System Center Endpoint Protection, Trend Micro, Symantec v12.1.1.1100, McAfee v10 for Windows, McAfee v10 for Linux and Sophos v9 for Linux. If Security Center detects any of these solutions, the recommendation to install endpoint protection will no longer appear.

Recommendations:
- Endpoint protection health failures should be remediated on virtual machine scale sets
- Endpoint protection health issues should be resolved on your machines
- Endpoint protection should be installed on your machines
- Endpoint protection solution should be installed on virtual machine scale sets
- File integrity monitoring should be enabled on servers
- Install endpoint protection solution on virtual machines
- Install endpoint protection solution on your machines
- Log Analytics agent health issues should be resolved on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
- Monitoring agent should be installed on your machines

Enable auditing and logging (max score: 1)

Logging data provides insight into past problems, helps prevent potential ones, can improve application performance, and makes it possible to automate actions that would otherwise be manual.
- Control and management logs provide information about Azure Resource Manager operations.
- Data plane logs provide information about events raised as part of Azure resource usage.
- Processed events provide information about analyzed events/alerts that have been processed.

- Auditing on SQL server should be enabled
- Diagnostic logs in Azure Data Lake Store should be enabled
- Diagnostic logs in Azure Stream Analytics should be enabled
- Diagnostic logs in Batch accounts should be enabled
- Diagnostic logs in Data Lake Analytics should be enabled
- Diagnostic logs in Event Hub should be enabled
- Diagnostic logs in IoT Hub should be enabled
- Diagnostic logs in Key Vault should be enabled
- Diagnostic logs in Logic Apps should be enabled
- Diagnostic logs in Search services should be enabled
- Diagnostic logs in Service Bus should be enabled
- Diagnostic logs in Virtual Machine Scale Sets should be enabled
- Diagnostic logs should be enabled in App Service

Implement security best practices (max score: 0)

Modern security practices "assume breach" of the network perimeter. For that reason, many of the best practices in this control focus on managing identities.

Losing keys and credentials is a common problem. Azure Key Vault protects keys and secrets by encrypting keys, .pfx files, and passwords.

Virtual private networks (VPNs) are a secure way to access your virtual machines. If VPNs aren't available, use complex passphrases and two-factor authentication such as Azure AD Multi-Factor Authentication. Two-factor authentication avoids the weaknesses inherent in relying only on usernames and passwords.

Using strong authentication and authorization platforms is another best practice. Federated identities allow organizations to delegate the management of authorized identities. This is also important when employees are terminated and their access needs to be revoked.
- A maximum of 3 owners should be designated for your subscription
- Access to storage accounts with firewall and virtual network configurations should be restricted
- Adaptive Network Hardening recommendations should be applied on internal facing virtual machines
- All advanced threat protection types should be enabled in SQL managed instance advanced data security settings
- All advanced threat protection types should be enabled in SQL server advanced data security settings
- An Azure Active Directory administrator should be provisioned for SQL servers
- Audit retention for SQL servers should be set to at least 90 days
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Azure Backup should be enabled for virtual machines
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- External accounts with read permissions should be removed from your subscription
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- Guest Configuration extension should be installed on your machines
- IoT Devices - Agent sending underutilized messages
- Java should be updated to the latest version for your API app
- Java should be updated to the latest version for your function app
- Java should be updated to the latest version for your web app
- Key Vault keys should have an expiration date
- Key Vault secrets should have an expiration date
- Key vaults should have purge protection enabled
- Key vaults should have soft delete enabled
- MFA should be enabled on accounts with read permissions on your subscription
- Network traffic data collection agent should be installed on Linux virtual machines
- Network traffic data collection agent should be installed on Windows virtual machines
- Non-internet-facing virtual machines should be protected with network security groups
- PHP should be updated to the latest version for your API app
- PHP should be updated to the latest version for your web app
- Python should be updated to the latest version for your API app
- Python should be updated to the latest version for your function app
- Python should be updated to the latest version for your web app
- Remote debugging should be turned off for API App
- Remote debugging should be turned off for Function App
- Remote debugging should be turned off for Web Applications
- Storage accounts should be migrated to new Azure Resource Manager resources
- Subnets should be associated with a network security group
- Subscriptions should have a contact email address for security issues
- Validity period of certificates stored in Azure Key Vault should not exceed 12 months
- Virtual machines should be migrated to new Azure Resource Manager resources
- Web apps should request an SSL certificate for all incoming requests
- Windows Defender Exploit Guard should be enabled on your machines

Enable Advanced Threat Protection (max score: 0)

Azure Security Center's optional Azure Defender threat protection plans provide comprehensive defenses for your environment. When Security Center detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.

Each Azure Defender plan is a separate, optional offering which you can enable using the relevant recommendation in this security control.

Learn more about threat protection in Security Center.
- Azure Defender for App Service should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for container registries should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Kubernetes should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for SQL servers on machines should be enabled
- Azure Defender for Storage should be enabled

Secure score FAQ

If I address only three out of four recommendations in a security control, will my secure score change?

No. It won't change until you remediate all of the recommendations for a single resource. To get the maximum score for a control, you must remediate all recommendations, for all resources.

If a recommendation isn't applicable to me, and I disable it in the policy, will my security control be fulfilled and my secure score updated?

Yes. We recommend disabling recommendations when they're inapplicable in your environment. For instructions on how to disable a specific recommendation, see Disable security policies.

If a security control offers me zero points towards my secure score, should I ignore it?

In some cases, you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations, as they still bring security improvements. The only exception is the "Additional Best Practice" control. Remediating these recommendations won't increase your score, but it will enhance your overall security.
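As an added example (not from this page or from Microsoft's own code), here is a small Python model of the scoring rules the two FAQ answers above state: a resource counts towards a control only once all of that control's recommendations are remediated for it, and a negligible increment rounds to zero. It assumes the per-control formula Security Center documents elsewhere (max score scaled by the fraction of healthy resources, shown to two decimals); the control, resource and recommendation names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """One security control: its max score and the recommendations it groups."""
    name: str
    max_score: float
    # Constructed sample data: resource name -> recommendations still open for it.
    open_findings: dict[str, set[str]] = field(default_factory=dict)

    def is_healthy(self, resource: str) -> bool:
        # FAQ rule: a resource counts only when every recommendation in the
        # control has been remediated for it (three of four is still unhealthy).
        return not self.open_findings[resource]

    def remediate(self, resource: str, recommendation: str) -> None:
        self.open_findings[resource].discard(recommendation)

    def current_score(self) -> float:
        # Assumption (not stated in this excerpt): Security Center's per-control
        # formula, max score scaled by the fraction of healthy resources, shown
        # to two decimals so that a negligible increment rounds to zero.
        total = len(self.open_findings)
        healthy = sum(self.is_healthy(r) for r in self.open_findings)
        return round(self.max_score * healthy / total, 2) if total else 0.0


def three_of_four_scenario() -> list[float]:
    """FAQ case: fixing 3 of 4 recommendations on one VM changes nothing."""
    recs = {"endpoint protection installed", "agent health issues resolved",
            "file integrity monitoring enabled", "monitoring agent installed"}
    ctl = Control("Enable endpoint protection", 2, {"vm-01": set(recs)})
    scores = []
    for rec in sorted(recs):
        ctl.remediate("vm-01", rec)
        scores.append(ctl.current_score())
    return scores  # [0.0, 0.0, 0.0, 2.0]: only the last fix moves the score


def negligible_increment_scenario(resources: int = 1000) -> float:
    """FAQ case: with many resources, fixing one rounds to a zero increment."""
    ctl = Control("Enable auditing and logging", 1,
                  {f"res-{i}": {"diagnostic logs enabled"} for i in range(resources)})
    ctl.remediate("res-0", "diagnostic logs enabled")
    return ctl.current_score()  # 0.0 even though the control's max score is 1
```

With only ten resources the same single fix is worth 0.1, which is why a zero-impact control is a sign of scale rather than of an irrelevant recommendation.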

Next steps

This article described the secure score and the security controls it introduces. For related material, see the following articles: