Secure score in Azure Security Center

Introduction to secure score

Azure Security Center has two main goals:

  • to help you understand your current security situation
  • to help you efficiently and effectively improve your security

The central feature in Security Center that enables you to achieve those goals is secure score.

Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

The secure score is shown in the Azure portal pages as a percentage value, but the underlying values are also clearly presented:

(Image: Overall secure score as shown in the portal)

To increase your security, review Security Center's recommendations page for the outstanding actions necessary to raise your score. Each recommendation includes instructions to help you remediate the specific issue.

Recommendations are grouped into security controls. Each control is a logical group of related security recommendations, and reflects your vulnerable attack surfaces. Your score only improves when you remediate all of the recommendations for a single resource within a control. To see how well your organization is securing each individual attack surface, review the scores for each security control.

For more information, see How your secure score is calculated below.

Access your secure score

You can find your overall secure score, as well as your score per subscription, through the Azure portal or programmatically, as described in the following sections:

Get your secure score from the portal

Security Center displays your score prominently in the portal: it's the first main tile on the Security Center overview page. Selecting this tile takes you to the dedicated secure score page, where you'll see the score broken down by subscription. Select a single subscription to see the detailed list of prioritized recommendations and the potential impact that remediating them will have on the subscription's score.

To recap, your secure score is shown in the following locations in Security Center's portal pages.

  • In a tile on Security Center's Overview (main dashboard):

    (Image: Secure score on Security Center's dashboard)

  • In the dedicated Secure score page:

    (Image: Secure score on Security Center's Secure score page)

  • At the top of the Recommendations page:

    (Image: Secure score on Security Center's recommendations page)

Get your secure score from the REST API

You can access your score via the secure score API (currently in preview). The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example, you can use the Secure Scores API to get the score for a specific subscription. In addition, you can use the Secure Score Controls API to list the security controls and the current score of your subscriptions.

(Image: Retrieving a single secure score via the API)

For examples of tools built on top of the secure score API, see the secure score area of our GitHub community.

Get your secure score from Azure Resource Graph (ARG)

Azure Resource Graph provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal. Learn more about Azure Resource Graph.

To access the secure score for multiple subscriptions with ARG:

  1. From the Azure portal, open Azure Resource Graph Explorer.

    (Image: Launching Azure Resource Graph Explorer from the recommendations page)

  2. Enter your Kusto query (using the examples below for guidance).

    • This query returns the subscription ID, the current score in points and as a percentage, and the maximum score for the subscription.

      // One securescores row per subscription; convert both dynamic
      // properties to double before dividing so the percentage is numeric.
      SecurityResources
      | where type == 'microsoft.security/securescores'
      | extend current = todouble(properties.score.current), max = todouble(properties.score.max)
      | project subscriptionId, current, max, percentage = ((current / max) * 100)

    • This query returns the status of all the security controls. For each control, you'll get the number of unhealthy resources, the current score, and the maximum score.

      // One securescorecontrols row per control per subscription.
      SecurityResources
      | where type == 'microsoft.security/securescores/securescorecontrols'
      | extend SecureControl = properties.displayName, unhealthy = properties.unhealthyResourceCount, currentscore = properties.score.current, maxscore = properties.score.max
      | project SecureControl, unhealthy, currentscore, maxscore

  3. Select Run query.

How your secure score is calculated

The contribution of each security control towards the overall secure score is shown clearly on the recommendations page.

The enhanced secure score introduces security controls

To get all the possible points for a security control, all your resources must comply with all of the security recommendations within the security control. For example, Security Center has multiple recommendations regarding how to secure your management ports. In the past, you could remediate some of those related and interdependent recommendations while leaving others unsolved, and your secure score would improve. When looked at objectively, it's easy to argue that your security hadn't improved until you had resolved them all. Now, you must remediate them all to make a difference to your secure score.

For example, the security control called "Apply system updates" has a maximum score of six points, which you can see in the tooltip on the potential increase value of the control:

(Image: The security control "Apply system updates")

The maximum score for this control, Apply system updates, is always 6. In this example, there are 50 resources. So we divide the max score by 50, and the result is that every resource contributes 0.12 points.

  • Potential increase (0.12 x 8 unhealthy resources = 0.96) - The remaining points available to you within the control. If you remediate all the recommendations in this control, your score will increase by 2% (in this case, 0.96 points rounded up to 1 point).
  • Current score (0.12 x 42 healthy resources = 5.04) - The current score for this control. Each control contributes towards the total score. In this example, the control is contributing 5.04 points to the current secure total.
  • Max score - The maximum number of points you can gain by completing all recommendations within a control. The maximum score for a control indicates the relative significance of that control. Use the max score values to triage the issues to work on first.

Calculations - understanding your score

Metric: Security control's current score
Formula and example:
  (Image: Equation for calculating a security control's current score)
  Each individual security control contributes towards the secure score. Each resource affected by a recommendation within the control contributes towards the control's current score. The current score for each control is a measure of the status of the resources within the control.
  (Image: Tooltips showing the values used when calculating the security control's current score)
  In this example, the max score of 6 would be divided by 78 because that's the sum of the healthy and unhealthy resources.
  6 / 78 = 0.0769
  Multiplying that by the number of healthy resources (4) results in the current score:
  0.0769 * 4 = 0.31

Metric: Secure score - single subscription
Formula and example:
  (Image: Equation for calculating the current secure score)
  (Image: Secure score for a single subscription with all controls enabled)
  In this example, there is a single subscription with all security controls available (a potential maximum score of 60 points). The score shows 28 points out of a possible 60 and the remaining 32 points are reflected in the "Potential score increase" figures of the security controls.
  (Image: List of controls and the potential score increase)

Metric: Secure score - multiple subscriptions
Formula and example:
  The current scores for all resources across all subscriptions are added and the calculation is then the same as for a single subscription.
  When viewing multiple subscriptions, secure score evaluates all resources within all enabled policies and groups their combined impact on each security control's maximum score.
  (Image: Secure score for multiple subscriptions with all controls enabled)
  The combined score is not an average; rather it's the evaluated posture of the status of all resources across all subscriptions.
  Here too, if you go to the recommendations page and add up the potential points available, you will find that it's the difference between the current score (24) and the maximum score available (60).
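As an added example (editor's code, not from the page or from Microsoft), the following Python reproduces the arithmetic the calculation section describes, carries it through to a pooled multi-subscription score, and orders controls by the points still available, as the Max score bullet suggests for triage. Control names, max scores and resource counts are constructed sample values; only the "Apply system updates" figures are the page's own.

```python
"""Model of the secure score arithmetic described on this page.

A control's fixed max score is split evenly across the resources it applies
to (healthy + unhealthy); its current score is that per-resource weight times
the healthy count, and the subscription score is the sum over controls. For
several subscriptions the resources are pooled per control first, so the
combined result is not an average. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ControlStatus:
    name: str          # security control display name
    max_score: float   # fixed max score of the control (6 for "Apply system updates")
    healthy: int       # resources compliant with every recommendation in the control
    unhealthy: int     # resources with at least one open recommendation

    @property
    def total(self) -> int:
        return self.healthy + self.unhealthy


def points_per_resource(control: ControlStatus) -> float:
    """Max score split evenly across the resources the control applies to."""
    return control.max_score / control.total if control.total else 0.0


def current_score(control: ControlStatus) -> float:
    """Points the control currently contributes (weight x healthy resources)."""
    return points_per_resource(control) * control.healthy


def potential_increase(control: ControlStatus) -> float:
    """Points still available in the control (weight x unhealthy resources)."""
    return points_per_resource(control) * control.unhealthy


def subscription_score(controls: List[ControlStatus]) -> float:
    return sum(current_score(c) for c in controls)


def max_possible(controls: List[ControlStatus]) -> float:
    return sum(c.max_score for c in controls)


def score_percentage(controls: List[ControlStatus]) -> float:
    """The percentage figure the portal tiles display."""
    total_max = max_possible(controls)
    return 100.0 * subscription_score(controls) / total_max if total_max else 0.0


def increase_percentage(control: ControlStatus, controls: List[ControlStatus]) -> int:
    """Whole-percent gain in the overall score from fully remediating one control."""
    return round(100.0 * potential_increase(control) / max_possible(controls))


def merge_subscriptions(subscriptions: List[List[ControlStatus]]) -> List[ControlStatus]:
    """Pool resource counts per control across subscriptions. The control's
    max score is unchanged, so the combined maximum equals a single subscription's."""
    merged: Dict[str, ControlStatus] = {}
    for controls in subscriptions:
        for c in controls:
            prev = merged.get(c.name)
            if prev is None:
                merged[c.name] = c
            else:
                merged[c.name] = ControlStatus(
                    c.name, c.max_score,
                    prev.healthy + c.healthy, prev.unhealthy + c.unhealthy)
    return list(merged.values())


def triage_order(controls: List[ControlStatus]) -> List[str]:
    """Control names sorted by points still available, largest first."""
    return [c.name for c in sorted(controls, key=potential_increase, reverse=True)]


# Constructed sample data. SUB_A's "Apply system updates" control uses the
# page's worked figures (6 points, 42 healthy, 8 unhealthy); the rest are made up.
SUB_A = [
    ControlStatus("Apply system updates", 6, healthy=42, unhealthy=8),
    ControlStatus("Enable MFA", 10, healthy=2, unhealthy=2),
    ControlStatus("Secure management ports", 8, healthy=10, unhealthy=0),
]
SUB_B = [
    ControlStatus("Apply system updates", 6, healthy=4, unhealthy=74),
    ControlStatus("Enable MFA", 10, healthy=0, unhealthy=4),
]

if __name__ == "__main__":
    for c in SUB_A:
        print(f"{c.name}: {current_score(c):.2f} / {c.max_score} "
              f"(+{potential_increase(c):.2f} available)")
    print(f"SUB_A: {subscription_score(SUB_A):.2f} of {max_possible(SUB_A)} "
          f"= {score_percentage(SUB_A):.0f}%")
    print("fix first:", triage_order(SUB_A))
    both = merge_subscriptions([SUB_A, SUB_B])
    print(f"combined: {subscription_score(both):.2f} of {max_possible(both)}")
```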

Which recommendations are included in the secure score calculations?

Only built-in recommendations have an impact on the secure score.

Recommendations flagged as Preview aren't included in the calculations of your secure score. They should still be remediated wherever possible, so that when the preview period ends they'll contribute towards your score.

An example of a preview recommendation:

(Image: Recommendation with the preview flag)

Improve your secure score

To improve your secure score, remediate security recommendations from your recommendations list. You can remediate each recommendation manually for each resource, or use the Quick Fix! option (when available) to apply a remediation for a recommendation to a group of resources quickly. For more information, see Remediate recommendations.

Security controls and their recommendations

The table below lists the security controls in Azure Security Center. For each control, you can see the maximum number of points you can add to your secure score if you remediate all of the recommendations listed in the control, for all of your resources.

The set of security recommendations provided with Security Center is tailored to the available resources in each organization's environment. The recommendations can be further customized by disabling policies and exempting specific resources from a recommendation.

We recommend every organization carefully review their assigned Azure Policy initiatives.

Tip

For details of reviewing and editing your initiatives, see Working with security policies.

Even though Security Center's default security initiative is based on industry best practices and standards, there are scenarios in which the built-in recommendations listed below might not completely fit your organization. Consequently, it'll sometimes be necessary to adjust the default initiative - without compromising security - to ensure it's aligned with your organization's own policies, industry standards, regulatory standards, and benchmarks you're obligated to meet.

安全控制、分数和说明Security control, score, and description
建议Recommendations

启用 MFA(最高 10 分)

Enable MFA (max score 10)

如果只使用密码对用户进行身份验证,则会开放攻击途径。
If you only use a password to authenticate a user, it leaves an attack vector open. 如果密码较弱或者已在其他位置公开,那么如何确定是该用户在使用用户名和密码登录?If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password?
启用 MFA 后,帐户将更安全,并且用户仍然可以通过单一登录 (SSO) 向几乎所有应用程序验证身份。With MFA enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on (SSO).
- 应在对订阅拥有所有者权限的帐户上启用 MFA- MFA should be enabled on accounts with owner permissions on your subscription
- 应在对订阅拥有写入权限的帐户上启用 MFA- MFA should be enabled accounts with write permissions on your subscription

保护管理端口(最高 8 分)

Secure management ports (max score 8)

暴力攻击以管理端口为目标来获取对 VM 的访问权限。
Brute force attacks target management ports to gain access to a VM. 由于没必要总是打开端口,因此,使用实时网络访问控制、网络安全组和虚拟机端口管理来减少对端口的暴露不失为一种缓解策略。Since the ports don’t always need to be open, one mitigation strategy is to reduce exposure to the ports using just-in-time network access controls, network security groups, and virtual machine port management.
由于许多 IT 组织不会阻止从其网络出站的 SSH 通信,因此攻击者可以创建加密隧道,允许受感染系统上的 RDP 端口与攻击者命令通信,以便控制服务器。Since many IT organizations don't block SSH communications outbound from their network, attackers can create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker command to control servers. 攻击者可以使用 Windows 远程管理子系统在你的环境中横向移动,并使用盗用的凭据访问网络上的其他资源。Attackers can use the Windows Remote Management subsystem to move laterally across your environment and use stolen credentials to access other resources on a network.
- 应通过实时网络访问控制来保护虚拟机的管理端口- Management ports of virtual machines should be protected with just-in-time network access control
- 虚拟机应与网络安全组关联- Virtual machines should be associated with a Network Security Group
- 应关闭虚拟机上的管理端口- Management ports should be closed on your virtual machines

应用系统更新(最高 6 分)

Apply system updates (max score 6)

系统更新使组织能够保持运营效率、减少安全漏洞,并为最终用户提供更稳定的环境。
System updates provide organizations with the ability to maintain operational efficiency, reduce security vulnerabilities, and provide a more stable environment for end users. 不应用更新会留下未修补的漏洞,使环境容易受到攻击。Not applying updates leaves unpatched vulnerabilities and results in environments that are susceptible to attacks. 这些漏洞可能会被人利用,导致数据丢失、数据泄露、勒索软件和资源滥用。These vulnerabilities can be exploited and lead to data loss, data exfiltration, ransomware, and resource abuse. 若要部署系统更新,可以使用更新管理解决方案来管理虚拟机的修补程序和更新To deploy system updates, you can use the Update Management solution to manage patches and updates for your virtual machines. 更新管理是指控制软件版本的部署和维护的过程。Update management is the process of controlling the deployment and maintenance of software releases.
- 应在计算机上解决监视代理运行状况问题- Monitoring agent health issues should be resolved on your machines
- 应在虚拟机规模集上安装监视代理- Monitoring agent should be installed on virtual machine scale sets
- 应在计算机上安装监视代理- Monitoring agent should be installed on your machines
- 应为云服务角色更新 OS 版本- OS version should be updated for your cloud service roles
- 应在虚拟机规模集上安装系统更新- System updates on virtual machine scale sets should be installed
- 应在计算机上安装系统更新- System updates should be installed on your machines
- 应重启计算机来应用系统更新- Your machines should be restarted to apply system updates
- Kubernetes 服务应升级到不易受攻击的 Kubernetes 版本- Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
- 应在虚拟机上安装监视代理- Monitoring agent should be installed on your virtual machines
- Log Analytics 代理应安装在基于 Windows 的 Azure Arc 计算机上(预览)- Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
- Log Analytics 代理应安装在基于 Linux 的 Azure Arc 计算机上(预览)- Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)

修正漏洞(最高 6 分)

Remediate vulnerabilities (max score 6)

漏洞是攻击者可用来破坏资源机密性、可用性或完整性的薄弱环节。
A vulnerability is a weakness that a threat actor could leverage, to compromise the confidentiality, availability, or integrity of a resource. 管理漏洞可以减少组织暴露、强化终结点外围应用、提高组织复原能力以及减少资源的受攻击面。Managing vulnerabilities reduces organizational exposure, hardens endpoint surface area, increases organizational resilience, and reduces the attack surface of your resources. 威胁和漏洞管理可显示错误的软件和安全配置,并提供缓解建议。Threat and Vulnerability Management provides visibility into software and security misconfigurations and provide recommendations for mitigations.
- 应对 SQL 数据库启用高级数据安全- Advanced data security should be enabled on SQL Database
- 应修正 Azure 容器注册表映像中的漏洞- Vulnerabilities in Azure Container Registry images should be remediated
- 应修正 SQL 数据库中的漏洞- Vulnerabilities on your SQL databases should be remediated
- 应通过漏洞评估解决方案修正漏洞- Vulnerabilities should be remediated by a Vulnerability Assessment solution
- 应对 SQL 托管实例启用漏洞评估- Vulnerability assessment should be enabled on SQL Managed Instance
- 应对 SQL Server 启用漏洞评估- Vulnerability assessment should be enabled on your SQL servers
- 应在虚拟机上安装漏洞评估解决方案- Vulnerability assessment solution should be installed on your virtual machines
- 容器映像应仅从受信任的注册表中部署(预览)- Container images should be deployed from trusted registries only (preview)
- 应在群集上安装并启用适用于 Kubernetes 的 Azure Policy 加载项(预览)- Azure Policy add-on for Kubernetes should be installed and enabled on your clusters (preview)

启用静态加密(最高 4 分)

Enable encryption at rest (max score 4)

静态加密为已存储的数据提供数据保护。
Encryption at rest provides data protection for stored data. 对静态数据进行的攻击包括试图获得对存储数据的硬件的物理访问权限。Attacks against data at rest include attempts to gain physical access to the hardware on which the data is stored. Azure 使用对称加密来加密和解密大量静态数据。Azures use symmetric encryption to encrypt and decrypt large amounts of data at rest. 将使用对称加密密钥在将数据写入到存储时对数据进行加密。A symmetric encryption key is used to encrypt data as it is written to storage. 该加密密钥还用于解密准备在内存中使用的数据。That encryption key is also used to decrypt that data as it is readied for use in memory. 必须将密钥存储在实施了基于标识的访问控制和审核策略的安全位置。Keys must be stored in a secure location with identity-based access control and audit policies. Azure 密钥保管库就是这样的安全位置。One such secure location is Azure Key Vault. 如果攻击者获取了加密数据但未获取加密密钥,则攻击者必须破解加密才能访问数据。If an attacker obtains the encrypted data but not the encryption keys, the attacker can't access the data without breaking the encryption.
- 应对虚拟机应用磁盘加密- Disk encryption should be applied on virtual machines
- 应对 SQL 数据库启用透明数据加密- Transparent Data Encryption on SQL Database should be enabled
- 应加密自动化帐户变量- Automation account variables should be encrypted
- Service Fabric 群集应将 ClusterProtectionLevel 属性设置为 EncryptAndSign- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- 应使用自己的密钥加密 SQL Server 的 TDE 保护器- SQL server TDE protector should be encrypted with your own key

加密传输中的数据(最高 4 分)

Encrypt data in transit (max score 4)

在各组件、位置或程序间传输数据时,数据处于“传输中”状态。
Data is “in transit” when it's transmitted between components, locations, or programs. 无法保护传输中的数据的组织更容易遭受中间人攻击、窃听和会话劫持。Organizations that fail to protect data in transit are susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. 应使用 SSL/TLS 协议交换数据,并建议使用 VPN。SSL/TLS protocols should be used to exchange data and a VPN is recommended. 通过 Internet 在 Azure 虚拟机和本地位置之间发送加密数据时,可以使用虚拟网络网关(例如 Azure VPN 网关)发送加密流量。When sending encrypted data between an Azure virtual machine and an on-premise location, over the internet, you can use a virtual network gateway such as Azure VPN Gateway to send encrypted traffic.
- 只能通过 HTTPS 访问 API 应用- API App should only be accessible over HTTPS
- 只能通过 HTTPS 访问函数应用- Function App should only be accessible over HTTPS
- 应仅启用与 Redis 缓存的安全连接- Only secure connections to your Redis Cache should be enabled
- 应启用到存储帐户的安全传输- Secure transfer to storage accounts should be enabled
- 只能通过 HTTPS 访问 Web 应用程序- Web Application should only be accessible over HTTPS

管理访问和权限(最高 4 分)

Manage access and permissions (max score 4)

安全程序的核心是确保用户具有完成其工作(但仅限于此)所需的访问权限:最小特权访问模型
A core part of a security program is ensuring your users have the necessary access to do their jobs but no more than that: the least privilege access model.
使用基于角色的访问控制 (RBAC) 来创建角色分配,以此控制对资源的访问。Control access to your resources by creating role assignments with role-based access control (RBAC). 角色分配由三个元素组成:A role assignment consists of three elements:
- 安全主体:用户请求访问的对象- Security principal: the object the user is requesting access to
- 角色定义:他们的权限- Role definition: their permissions
- 作用域:权限适用于的资源集- Scope: the set of resources to which the permissions apply
- 应从订阅中删除弃用帐户(预览版)- Deprecated accounts should be removed from your subscription (Preview)
- 应从订阅中删除拥有所有者权限的弃用帐户(预览版)- Deprecated accounts with owner permissions should be removed from your subscription (Preview)
- 应从订阅中删除拥有所有者权限的外部帐户(预览版)- External accounts with owner permissions should be removed from your subscription (Preview)
- 应从订阅中删除拥有写入权限的外部帐户(预览版)- External accounts with write permissions should be removed from your subscription (Preview)
- 应向订阅分配多个所有者- There should be more than one owner assigned to your subscription
- 应在 Kubernetes 服务上使用基于角色的访问控制(RBAC)(预览版)- Role-Based Access Control (RBAC) should be used on Kubernetes Services (Preview)
- Service Fabric 群集应仅使用 Azure Active Directory 进行客户端身份验证- Service Fabric clusters should only use Azure Active Directory for client authentication
- 应使用服务主体(而不是管理证书)来保护你的订阅- Service principals should be used to protect your subscriptions instead of Management Certificates
- 应该对容器强制执行最低特权的 Linux 功能(预览)- Least privileged Linux capabilities should be enforced for containers (preview)
- 应该对容器强制执行不可变(只读)根文件系统(预览)- Immutable (read-only) root filesystem should be enforced for containers (preview)
- 应避免特权升级的容器(预览)- Container with privilege escalation should be avoided (preview)
- 应避免以根用户身份运行容器(预览)- Running containers as root user should be avoided (preview)
- 应避免共享敏感主机命名空间的容器(预览)- Containers sharing sensitive host namespaces should be avoided (preview)
- Pod HostPath 卷挂载的使用应限制在已知列表中(预览)- Usage of pod HostPath volume mounts should be restricted to a known list (preview)
- 应避免使用特权容器(预览)- Privileged containers should be avoided (preview)
- 应在群集上安装并启用适用于 Kubernetes 的 Azure Policy 加载项(预览)- Azure Policy add-on for Kubernetes should be installed and enabled on your clusters (preview)

修正安全配置(最高 4 分)

Remediate security configurations (max score 4)

配置错误的 IT 资产受到攻击的风险更高。
Misconfigured IT assets have a higher risk of being attacked. 当部署资产并且必须在截止日期之前完成时,通常会忘记基本的强化措施。Basic hardening actions are often forgotten when assets are being deployed and deadlines must be met. 错误的安全配置可能出现在基础结构中的任何级别:从操作系统和网络设备到云资源。Security misconfigurations can be at any level in the infrastructure: from the operating systems and network appliances, to cloud resources.
Azure 安全中心会不断将资源的配置与行业标准、法规和基准中的要求进行比较。Azure Security Center continually compares the configuration of your resources with requirements in industry standards, regulations, and benchmarks. 配置了对组织而言很重要的相关“合规性包”(标准和基线)后,任何差距都会产生安全建议,其中包括 CCEID 以及对潜在安全影响的说明。When you've configured the relevant "compliance packages" (standards and baselines) that matter to your organization, any gaps will result in security recommendations that include the CCEID and an explanation of the potential security impact.
常用包为 Azure 安全基准CIS Azure 基础基准版本 1.1.0Commonly used packages are Azure Security Benchmark and CIS Azure Foundations Benchmark version 1.1.0
- 应修正容器安全配置中的漏洞- Vulnerabilities in container security configurations should be remediated
- 应修正计算机上安全配置中的漏洞- Vulnerabilities in security configuration on your machines should be remediated
- 应修正虚拟机规模集上安全配置中的漏洞- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- 应在虚拟机上安装监视代理- Monitoring agent should be installed on your virtual machines
- 应在计算机上安装监视代理- Monitoring agent should be installed on your machines
- Log Analytics 代理应安装在基于 Windows 的 Azure Arc 计算机上(预览)- Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
- Log Analytics 代理应安装在基于 Linux 的 Azure Arc 计算机上(预览)- Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
- 应在虚拟机规模集上安装监视代理- Monitoring agent should be installed on virtual machine scale sets
- 应在计算机上解决监视代理运行状况问题- Monitoring agent health issues should be resolved on your machines
- 应限制替代或禁用容器 AppArmor 配置文件(预览)- Overriding or disabling of containers AppArmor profile should be restricted (preview)
- 应在群集上安装并启用适用于 Kubernetes 的 Azure Policy 加载项(预览)- Azure Policy add-on for Kubernetes should be installed and enabled on your clusters (preview)

限制未经授权的网络访问(最高 4 分)

Restrict unauthorized network access (max score 4)

组织内的终结点提供从虚拟网络到受支持的 Azure 服务的直接连接。
Endpoints within an organization provide a direct connection from your virtual network to supported Azure services. 子网中的虚拟机可以与所有资源通信。Virtual machines in a subnet can communicate with all resources. 若要限制与子网内资源的通信,请创建一个网络安全组并将其关联到子网。To limit communication to and from resources within a subnet, create a network security group and associate it to the subnet. 组织可以通过创建入站和出站规则来限制和防范未经授权的流量。Organizations can limit and protect against unauthorized traffic by creating inbound and outbound rules.
- 应禁用虚拟机上的 IP 转发- IP forwarding on your virtual machine should be disabled
- 应在 Kubernetes 服务上定义已授权 IP 范围(预览版)- Authorized IP ranges should be defined on Kubernetes Services (Preview)
- (已弃用)应限制对应用服务的访问(预览版)- (DEPRECATED) Access to App Services should be restricted (Preview)
- (已弃用)应加强 IaaS NSG 上 Web 应用程序的规则- (DEPRECATED) The rules for web applications on IaaS NSGs should be hardened
- 虚拟机应与网络安全组关联- Virtual machines should be associated with a Network Security Group
- CORS 不应允许所有资源都能访问 API 应用- CORS should not allow every resource to access your API App
- CORS 不应允许所有资源都能访问函数应用- CORS should not allow every resource to access your Function App
- CORS 不应允许所有资源都能访问 Web 应用程序- CORS should not allow every resource to access your Web Application
- 应为 API 应用禁用远程调试- Remote debugging should be turned off for API App
- 应为函数应用禁用远程调试- Remote debugging should be turned off for Function App
- 应为 Web 应用程序禁用远程调试- Remote debugging should be turned off for Web Application
- 应限制许可网络安全组(包含面向 Internet 的 VM)的访问- Access should be restricted for permissive Network Security Groups with Internet-facing VMs
- 应强化面向 Internet 的虚拟机的网络安全组规则- Network Security Group Rules for Internet facing virtual machines should be hardened
- 应在群集上安装并启用适用于 Kubernetes 的 Azure Policy 加载项(预览)- Azure Policy add-on for Kubernetes should be installed and enabled on your clusters (preview)
- 容器应只侦听允许的端口(预览)- Containers should listen on allowed ports only (preview)
- 服务应只侦听允许的端口(预览)- Services should listen on allowed ports only (preview)
- 应限制对主机网络和端口的使用(预览)- Usage of host networking and ports should be restricted (preview)
- 虚拟网络应受 Azure 防火墙保护(预览)- Virtual networks should be protected by Azure Firewall (preview)

应用自适应应用程序控制(最高 3 分)

Apply adaptive application control (max score 3)

自适应应用程序控制 (AAC) 是一种智能的、自动化的端到端解决方案,可用于控制哪些应用程序可以在 Azure 计算机和非 Azure 计算机上运行。
Adaptive application control (AAC) is an intelligent, automated, end-to-end solution, which allows you to control which applications can run on your Azure and non-Azure machines. 它还有助于强化计算机免受恶意软件的侵害。It also helps to harden your machines against malware.
安全中心使用机器学习为一组计算机创建一个已知安全应用程序列表。Security Center uses machine learning to create a list of known-safe applications for a group of machines.
这种将已批准的应用程序列入列表的创新方法在不增加管理复杂性的情况下提供了安全优势。This innovative approach to approved application listing provides the security benefits without the management complexity.
AAC 尤其适用于需要运行一组特定应用程序的专用服务器。AAC is particularly relevant for purpose-built servers that need to run a specific set of applications.
- 应对虚拟机启用自适应应用程序控制- Adaptive Application Controls should be enabled on virtual machines
- 应在虚拟机上安装监视代理- Monitoring agent should be installed on your virtual machines
- 应在计算机上安装监视代理- Monitoring agent should be installed on your machines
- Log Analytics 代理应安装在基于 Windows 的 Azure Arc 计算机上(预览)- Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
- Log Analytics 代理应安装在基于 Linux 的 Azure Arc 计算机上(预览)- Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
- 应在计算机上解决监视代理运行状况问题- Monitoring agent health issues should be resolved on your machines

应用数据分类(最高 2 分)

Apply data classification (max score 2)

通过按敏感度和业务影响对组织数据进行分类,可以为数据确定并分配值,为治理提供策略和基础。
Classifying your organization's data by sensitivity and business impact allows you to determine and assign value to the data, and provides the strategy and basis for governance.
Azure 信息保护可帮助进行数据分类。Azure Information Protection can assist with data classification. 它使用加密、标识和授权策略来保护数据并限制数据访问。It uses encryption, identity, and authorization policies to protect data and restrict data access. Microsoft 使用的一些分类包括非业务、公共、常规、机密和高度机密。Some classifications that Microsoft uses are Non-business, Public, General, Confidential, and Highly Confidential.
- 应对 SQL 数据库中的敏感数据进行分类(预览版)- Sensitive data in your SQL databases should be classified (Preview)

保护应用程序免受 DDoS 攻击(最高 2 分)

Protect applications against DDoS attacks (max score 2)

分布式拒绝服务 (DDoS) 攻击会使资源瘫痪,导致应用程序无法使用。
Distributed denial-of-service (DDoS) attacks overwhelm resources and render applications unusable. 可使用 Azure DDoS 防护标准保护组织免受三种主要的 DDoS 攻击:Use Azure DDoS Protection Standard to defend your organization from the three main types of DDoS attacks:
- 容量耗尽攻击利用合法流量淹没网络。- Volumetric attacks flood the network with legitimate traffic. DDoS 防护标准通过自动吸收或清理来缓解这些攻击。DDoS Protection Standard mitigates these attacks by absorbing or scrubbing them automatically.
- 协议攻击通过利用第 3 层和第 4 层协议堆栈中的漏洞,使目标无法访问。- Protocol attacks render a target inaccessible, by exploiting weaknesses in the layer 3 and layer 4 protocol stack. DDoS 防护标准通过阻止恶意流量来缓解这些攻击。DDoS Protection Standard mitigates these attacks by blocking malicious traffic.
- 资源(应用程序)层攻击以 Web 应用程序数据包为目标。- Resource (application) layer attacks target web application packets. 可使用 Web 应用程序防火墙和 DDoS 防护标准来防御此类攻击。Defend against this type with a web application firewall and DDoS Protection Standard.
- 应启用 DDoS 防护标准- DDoS Protection Standard should be enabled
- 应强制执行容器 CPU 和内存限制(预览)- Container CPU and memory limits should be enforced (preview)
- 应在群集上安装并启用适用于 Kubernetes 的 Azure Policy 加载项(预览)- Azure Policy add-on for Kubernetes should be installed and enabled on your clusters (preview)

启用 Endpoint Protection(最高 2 分)

Enable endpoint protection (max score 2)

To ensure your endpoints are protected from malware, behavioral sensors collect and process data from your endpoints' operating systems and send this data to the private cloud for analysis. Security analytics leverage big data, machine learning, and other sources to recommend responses to threats. For example, Microsoft Defender ATP uses threat intelligence to identify attack methods and generate security alerts.

Security Center supports the following endpoint protection solutions: Windows Defender, System Center Endpoint Protection, Trend Micro, Symantec v12.1.1.1100, McAfee v10 for Windows, McAfee v10 for Linux, and Sophos v9 for Linux. If Security Center detects any of these solutions, the recommendation to install endpoint protection will no longer appear.

- Endpoint protection health failures should be remediated on virtual machine scale sets
- Endpoint protection health issues should be resolved on your machines
- Endpoint protection solution should be installed on virtual machine scale sets
- Install endpoint protection solution on virtual machines
- Monitoring agent health issues should be resolved on your machines
- Monitoring agent should be installed on virtual machine scale sets
- Monitoring agent should be installed on your machines
- Monitoring agent should be installed on your virtual machines
- Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
- Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
- Install endpoint protection solution on your machines

Enable auditing and logging (max score 1)

Logging data provides insights into past problems, helps prevent potential ones, can improve application performance, and provides the ability to automate actions that would otherwise be manual.

- Control and management logs provide information about Azure Resource Manager operations.
- Data plane logs provide information about events raised as part of Azure resource usage.
- Processed events provide information about analyzed events/alerts that have been processed.

- Auditing on SQL server should be enabled
- Diagnostic logs in App Services should be enabled
- Diagnostic logs in Azure Data Lake Store should be enabled
- Diagnostic logs in Azure Stream Analytics should be enabled
- Diagnostic logs in Batch accounts should be enabled
- Diagnostic logs in Data Lake Analytics should be enabled
- Diagnostic logs in Event Hub should be enabled
- Diagnostic logs in IoT Hub should be enabled
- Diagnostic logs in Key Vault should be enabled
- Diagnostic logs in Logic Apps should be enabled
- Diagnostic logs in Search service should be enabled
- Diagnostic logs in Service Bus should be enabled
- Diagnostic logs in Virtual Machine Scale Sets should be enabled
- Metric alert rules should be configured on Batch accounts
- SQL Auditing settings should have Action-Groups configured to capture critical activities
- SQL servers should be configured with auditing retention days greater than 90 days
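The three SQL auditing recommendations in this control describe a single auditing-settings object with three properties to get right. The following Python is an added example, not Security Center code, that evaluates such settings the way the recommendations are worded. The input shape mirrors the properties of a Microsoft.Sql/servers/auditingSettings resource (state, retentionDays, auditActionsAndGroups); the server records are constructed; and two details go beyond the page and are assumptions: the three action groups used as the "critical activities" set are the groups Azure SQL auditing enables by default, and retentionDays equal to 0 is treated as unlimited retention (its meaning in Azure SQL auditing), so it passes the retention check.

```python
# Added example (not Security Center code): evaluate an Azure SQL server's
# auditing settings against the three SQL auditing recommendations in the
# "Enable auditing and logging" control. Input mirrors the properties of a
# Microsoft.Sql/servers/auditingSettings resource; sample records are constructed.

# Audit action groups that capture authentication and batch activity. These are
# the groups Azure SQL auditing enables by default; treating them as the
# "critical activities" set is an assumption, since the page names no groups.
CRITICAL_ACTION_GROUPS = frozenset({
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
})

MIN_RETENTION_DAYS = 90  # recommendation: retention greater than 90 days


def evaluate_sql_auditing(server):
    """Return the unhealthy recommendations for one SQL server (empty if healthy).

    server: {"name": str, "auditingSettings": {"state": "Enabled" | "Disabled",
             "retentionDays": int, "auditActionsAndGroups": [str, ...]}}
    """
    settings = server.get("auditingSettings") or {}
    findings = []

    # 1. Auditing on SQL server should be enabled
    if settings.get("state") != "Enabled":
        findings.append("Auditing on SQL server should be enabled")

    # 2. Action groups must cover the critical activities. An empty or missing
    #    list means nothing is recorded even when the state is "Enabled".
    missing = CRITICAL_ACTION_GROUPS - set(settings.get("auditActionsAndGroups") or [])
    if missing:
        findings.append(
            "SQL Auditing settings should have Action-Groups configured to "
            "capture critical activities (missing: %s)" % ", ".join(sorted(missing))
        )

    # 3. Retention must exceed MIN_RETENTION_DAYS. Azure SQL auditing uses
    #    retentionDays == 0 for unlimited retention (assumption beyond the page),
    #    so 0 passes; a missing value, a negative value or 1..90 days fails.
    retention = settings.get("retentionDays")
    if retention is None or (retention != 0 and retention <= MIN_RETENTION_DAYS):
        findings.append(
            "SQL servers should be configured with auditing retention days "
            "greater than 90 days (current: %s)" % retention
        )
    return findings


def evaluate_servers(servers):
    """Map each server name to its findings, so a whole fleet can be reviewed at once."""
    return {s["name"]: evaluate_sql_auditing(s) for s in servers}


# Constructed sample fleet: one healthy server, one with weak settings, and one
# with auditing switched off entirely. Names are made up.
SAMPLE_SERVERS = [
    {"name": "sql-prod", "auditingSettings": {
        "state": "Enabled", "retentionDays": 0,
        "auditActionsAndGroups": sorted(CRITICAL_ACTION_GROUPS)}},
    {"name": "sql-staging", "auditingSettings": {
        "state": "Enabled", "retentionDays": 30,
        "auditActionsAndGroups": ["FAILED_DATABASE_AUTHENTICATION_GROUP"]}},
    {"name": "sql-legacy", "auditingSettings": {"state": "Disabled"}},
]

if __name__ == "__main__":
    for name, findings in evaluate_servers(SAMPLE_SERVERS).items():
        print("%s: %s" % (name, "healthy" if not findings else "unhealthy"))
        for finding in findings:
            print("  - " + finding)
```

Note the boundary: a server retaining audit logs for exactly 90 days is still reported, because the recommendation asks for more than 90, and a server whose auditing is disabled is reported against all three recommendations, since none of its settings are in effect.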

Enable advanced threat protection (max score 0)

Azure Security Center's optional Azure Defender threat protection plans provide comprehensive defenses for your environment. When Security Center detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.

Each Azure Defender plan is a separate, optional offering which you can enable using the relevant recommendation in this security control.

Learn more about threat protection in Security Center.

- Advanced data security should be enabled on Azure SQL Database servers
- Advanced data security should be enabled on SQL servers on machines
- Advanced threat protection should be enabled on Virtual Machines
- Advanced threat protection should be enabled on Azure App Service plans
- Advanced threat protection should be enabled on Azure Storage accounts
- Advanced threat protection should be enabled on Azure Kubernetes Service clusters
- Advanced threat protection should be enabled on Azure Container Registry registries
- Advanced threat protection should be enabled on Azure Key Vault vaults

Implement security best practices (max score 0)

Modern security practices "assume breach" of the network perimeter. For that reason, many of the best practices in this control focus on managing identities.

Losing keys and credentials is a common problem. Azure Key Vault protects keys and secrets by encrypting keys, .pfx files, and passwords.

Virtual private networks (VPNs) are a secure way to access your virtual machines. If VPNs aren't available, use complex passphrases and two-factor authentication such as Azure Multi-Factor Authentication. Two-factor authentication avoids the weaknesses inherent in relying only on usernames and passwords.

Using strong authentication and authorization platforms is another best practice. Using federated identities allows organizations to delegate management of authorized identities. This is also important when employees are terminated and their access needs to be revoked.

- A maximum of 3 owners should be designated for your subscription
- External accounts with read permissions should be removed from your subscription
- MFA should be enabled on accounts with read permissions on your subscription
- Access to storage accounts with firewall and virtual network configurations should be restricted
- All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace
- An Azure Active Directory administrator should be provisioned for SQL servers
- Advanced data security should be enabled on your managed instances
- Authorization rules on the Event Hub instance should be defined
- Storage accounts should be migrated to new Azure Resource Manager resources
- Virtual machines should be migrated to new Azure Resource Manager resources
- Subnets should be associated with a Network Security Group
- [Preview] Windows exploit guard should be enabled
- [Preview] Guest configuration agent should be installed
- Non-internet-facing virtual machines should be protected with network security groups

Secure score FAQ

If I address only three out of four recommendations in a security control, will my secure score change?

No. It won't change until you remediate all of the recommendations for a single resource. To get the maximum score for a control, you must remediate all recommendations, for all resources.

If a recommendation isn't applicable to me, and I disable it in the policy, will my security control be fulfilled and my secure score updated?

Yes. We recommend disabling recommendations when they're inapplicable in your environment. For instructions on how to disable a specific recommendation, see Disable security policies.

If a security control offers me zero points towards my secure score, should I ignore it?

In some cases, you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations as they still bring security improvements. The only exception is the "Additional Best Practice" control (the "Implement security best practices" control described above, with a max score of 0). Remediating those recommendations won't increase your score, but it will enhance your overall security.
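The three answers above follow from one rule: a resource counts toward a control only once every recommendation in that control is remediated for it, and the control's score moves with the share of such resources. The following Python is an added example, not Security Center code, that models this rule so the FAQ cases can be checked side by side. The scoring formula it uses (max score scaled by healthy resources over total resources, rounded to two decimal places) is an assumption, since this page does not state it; the control, its four recommendations and the VM names are made up.

```python
# Added example (not Security Center code): a model of how a control's score
# reacts to remediation, illustrating the three FAQ answers.
# Assumption, not stated on this page: the current score is the control's max
# score scaled by the share of healthy resources, where a resource is healthy
# only when every enabled recommendation in the control is remediated for it,
# rounded to two decimal places. Recommendation and resource names are made up.


def healthy_resources(recommendations, states, disabled=frozenset()):
    """Resources for which every enabled recommendation in the control is healthy.

    recommendations: names of the recommendations in the control
    states: {resource: {recommendation: True if healthy, False if unhealthy}}
    disabled: recommendations disabled in policy; they are ignored entirely
    """
    active = [r for r in recommendations if r not in disabled]
    return {
        resource
        for resource, rec_states in states.items()
        if all(rec_states.get(r, False) for r in active)
    }


def control_score(max_score, recommendations, states, disabled=frozenset()):
    """Current score of the control, rounded to two decimals."""
    if not states:
        raise ValueError("no resources to evaluate")
    healthy = healthy_resources(recommendations, states, disabled)
    return round(max_score * len(healthy) / len(states), 2)


RECS = ("rec-A", "rec-B", "rec-C", "rec-D")  # hypothetical four-recommendation control
MAX_SCORE = 2

# FAQ 1: three of four recommendations fixed on vm-1, nothing fixed on vm-2.
THREE_OF_FOUR = {
    "vm-1": {"rec-A": True, "rec-B": True, "rec-C": True, "rec-D": False},
    "vm-2": {r: False for r in RECS},
}
# Fixing the fourth recommendation on vm-1 makes that resource count.
ONE_RESOURCE_DONE = {
    "vm-1": {r: True for r in RECS},
    "vm-2": {r: False for r in RECS},
}
# FAQ 3: one of a thousand resources fully fixed; the gain rounds away to zero.
ONE_OF_A_THOUSAND = {"vm-%d" % i: {r: i == 0 for r in RECS} for i in range(1000)}


def scenarios():
    """Score of each scenario, keyed by the FAQ point it illustrates."""
    return {
        "three_of_four": control_score(MAX_SCORE, RECS, THREE_OF_FOUR),
        "all_four_on_one_resource": control_score(MAX_SCORE, RECS, ONE_RESOURCE_DONE),
        # FAQ 2: disabling the inapplicable rec-D in policy completes vm-1.
        "rec_d_disabled": control_score(MAX_SCORE, RECS, THREE_OF_FOUR, disabled={"rec-D"}),
        "one_of_a_thousand": control_score(MAX_SCORE, RECS, ONE_OF_A_THOUSAND),
        # A control with max score 0 never moves, however much is remediated.
        "max_score_zero": control_score(0, RECS, ONE_RESOURCE_DONE),
    }


if __name__ == "__main__":
    for name, score in scenarios().items():
        print("%-26s %s" % (name, score))
```

Fixing one more recommendation on a resource that already has the others fixed is therefore worth far more than spreading fixes across many resources, and disabling a genuinely inapplicable recommendation has the same effect on the score as remediating it.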

Next steps

This article described the secure score and the security controls it introduces. For related material, see the following articles: