Azure security baseline for Security Center

This security baseline applies guidance from the Azure Security Benchmark to Azure Security Center. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Security Center. Controls not applicable to Azure Security Center have been excluded. To see how Azure Security Center maps completely to the Azure Security Benchmark, see the full Azure Security Center security baseline mapping file.

Network security

For more information, see the Azure Security Benchmark: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: Azure Security Center is a core Azure offering. You cannot associate a virtual network, subnet, or network security group directly with Security Center. If you enable data collection for your compute resources, Security Center stores the data it collects in a Log Analytics workspace; you can configure that workspace to use Private Link so that workspace data is accessed over a private endpoint in your virtual network. Also, when data collection is used, Security Center relies on the Log Analytics agent being deployed to your servers to collect security data and provide protection for those compute resources. The Log Analytics agent requires specific ports and protocols to be open in order to operate properly with Security Center. Lock down your networks with network security groups so that only these required ports and protocols are allowed, and add only the additional rules your application needs to operate.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: The Azure Security Center offering does not integrate directly with a virtual network, but it can collect data from servers on your networks that are configured with the Log Analytics agent. Servers configured to send data to Security Center require certain ports and protocols to be allowed in order to communicate properly. Define and enforce standard security configurations for these network resources with Azure Policy.

You can also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, role assignments, and Azure Policy assignments, in a single blueprint definition. You can apply the blueprint to new subscriptions to deploy Security Center configurations and related networking resources consistently and securely.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: The Azure Security Center offering does not integrate directly with a virtual network, but it can collect data from servers on your networks that are configured with the Log Analytics agent. Servers configured to send data to Security Center require certain ports and protocols to be allowed in order to communicate properly. Define and enforce standard security configurations for these network resources with Azure Policy.

Use resource tags for network security groups and other resources, such as servers on your networks that are configured to send security logs to Azure Security Center. For individual network security group rules, use the "Description" field to document the rules that allow traffic to or from a network.

Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You can use Azure PowerShell or Azure CLI to look up resources, or perform actions on them, based on their tags.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity log to monitor resource configurations and detect changes to network resources related to Azure Security Center. Create alerts in Azure Monitor to notify you when changes to critical resources take place.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and monitoring

For more information, see the Azure Security Benchmark: Logging and monitoring.

2.2: Configure central security log management

Guidance: Aggregate security data generated by Azure Security Center and its connected sources using a central Log Analytics workspace.

Configure Security Center's data collection to send security data and events from your connected Azure compute resources to a central Log Analytics workspace. In addition to data collection, use the continuous export feature to stream security alerts and recommendations generated by Security Center to your central Log Analytics workspace. In Azure Monitor, you can query and analyze the security data generated by Security Center and your connected Azure resources.

Alternatively, you can send data produced by Security Center to a third-party SIEM.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Azure Monitor Activity logs are available automatically. These logs contain all write operations performed on resources such as Azure Security Center, including which operations were made, who started them, and when they occurred. Send your Azure Activity logs to a Log Analytics workspace for log consolidation and longer retention.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: In Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term and archival storage.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor logs produced by Azure Security Center and its connected sources for anomalous behavior, and regularly review the results. Use Azure Monitor and a Log Analytics workspace to review logs and perform queries on log data.

Alternatively, you can enable and onboard data to a third-party SIEM.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: Configure Azure Monitor log alerts to query for unwanted or anomalous activities recorded in your Activity log or in the data produced by Azure Security Center. Set up Action Groups so that your organization is notified and can take action when a log alert fires for anomalous activity. Use the Security Center workflow automation feature to trigger Logic Apps on security alerts and recommendations. Security Center workflows can be used to notify users for incident response, or to take actions that remediate resources based on the alert information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Identity and access control

For more information, see the Azure Security Benchmark: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure role-based access control (Azure RBAC) allows you to manage access to Azure resources through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are predefined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal. Azure Security Center has the built-in roles 'Security Reader' and 'Security Admin', which allow users to read or update security policies and to dismiss alerts and recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts for the Azure platform or specific to the Azure Security Center offering. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts in Azure Active Directory. Security Center also has a built-in 'Security Admin' role, which allows users to update security policies and dismiss alerts and recommendations; review and reconcile all users who hold this role assignment on a regular basis.

Additionally, to help you keep track of dedicated administrative accounts, you may use recommendations from Azure Security Center or built-in Azure Policy definitions, such as:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory MFA for access to Azure Security Center and the Azure portal, and follow any Security Center identity and access recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use a secure, Azure-managed workstation (also known as a Privileged Access Workstation, or PAW) for administrative tasks that require elevated privileges.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory security reports and monitoring to detect when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Azure AD named locations to allow access only from specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system when using Azure Security Center. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials. Azure Security Center has assignable built-in roles such as 'Security Admin', which allows users to update security policies and dismiss alerts and recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Azure Active Directory provides logs to help discover stale accounts. In addition, use Azure AD identity and access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. Review user access related to Azure Security Center on a regular basis to make sure that only the right users retain access.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.11: Monitor attempts to access deactivated credentials

Guidance: You have access to Azure AD sign-in activity, audit, and risk event log sources, which allow you to integrate with any SIEM or monitoring tool.

You can streamline this process by creating diagnostic settings for Azure AD user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. You can then configure the alerts you need within the Log Analytics workspace.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
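The monitoring that 3.11 describes can be prototyped offline against the sign-in records that the diagnostic setting forwards to the workspace. The following Python is an added example, not code from the baseline page or from Azure AD: it assumes records in the shape of the SigninLogs table (the UserPrincipalName, ResultType, IPAddress and TimeGenerated columns) and that Azure AD reports result code 50057 when the target account is disabled; the users, addresses and timestamps in the sample are constructed.

```python
"""Flag sign-in attempts against deactivated Azure AD accounts.

Added example, not from the baseline page. Assumes sign-in records shaped
like the SigninLogs table in Log Analytics. Azure AD returns error code
50057 (AADSTS50057) when the account is disabled and 0 on success; the
records below are constructed, with made-up users and addresses.
"""
from collections import defaultdict

# Result codes that mean the account itself is deactivated (assumption:
# 50057 = "user account is disabled").
DEACTIVATED_CODES = {"50057"}


def deactivated_account_attempts(records):
    """Group attempts against disabled accounts by user, then by source IP."""
    by_user = defaultdict(lambda: defaultdict(list))
    for r in records:
        # ResultType may arrive as int or string depending on the exporter.
        if str(r.get("ResultType")) in DEACTIVATED_CODES:
            by_user[r["UserPrincipalName"]][r.get("IPAddress", "?")].append(
                r["TimeGenerated"])
    return by_user


def alert_candidates(records, min_attempts=2):
    """Users whose disabled account drew at least min_attempts sign-in
    attempts, with the distinct source addresses seen. Several addresses
    hitting one disabled account points at reuse of a leaver's credentials
    rather than a single stale client still holding a cached password."""
    out = {}
    for user, by_ip in deactivated_account_attempts(records).items():
        total = sum(len(times) for times in by_ip.values())
        if total >= min_attempts:
            out[user] = {"attempts": total, "sources": sorted(by_ip)}
    return out


# Constructed sample rows (not real sign-in data).
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2020-10-02T08:00:00Z", "UserPrincipalName": "leaver@example.com",
     "ResultType": "50057", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-10-02T08:00:30Z", "UserPrincipalName": "leaver@example.com",
     "ResultType": "50057", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-10-02T09:10:00Z", "UserPrincipalName": "leaver@example.com",
     "ResultType": "50057", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2020-10-02T09:12:00Z", "UserPrincipalName": "alice@example.com",
     "ResultType": "0", "IPAddress": "198.51.100.20"},
    {"TimeGenerated": "2020-10-02T09:15:00Z", "UserPrincipalName": "bob@example.com",
     "ResultType": "50057", "IPAddress": "198.51.100.21"},
]

if __name__ == "__main__":
    for user, info in alert_candidates(SAMPLE_SIGNINS).items():
        print(f"{user}: {info['attempts']} attempts from {', '.join(info['sources'])}")
```

The threshold keeps a single forgotten mobile client from paging anyone; the per-source breakdown is what an analyst needs first when the alert does fire.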

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure resources such as the Log Analytics workspace, which stores sensitive security information from Azure Security Center.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement isolation using separate subscriptions and management groups for individual security domains such as environment type and data sensitivity level. You can restrict the level of access to your Azure resources to what your applications and enterprise environments require. You can control access to Azure resources via Azure RBAC.

By default, Azure Security Center data is stored in the Security Center backend service. If your organization has additional requirements to store this data in your own resources, you can configure a Log Analytics workspace to store Security Center data, alerts, and recommendations. When using your own workspace, you can add further separation by configuring different workspaces according to the environment the data originated in.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.4: Encrypt all sensitive information in transit

Guidance: Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater. Any virtual machines that are configured with the Log Analytics agent to send data to Azure Security Center should also be configured to use TLS 1.2.

Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.6: Use Azure RBAC to control access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to manage access to Azure Security Center related data and resources. Azure Security Center has the built-in roles 'Security Reader' and 'Security Admin', which allow users to read or update security policies and to dismiss alerts and recommendations. The Log Analytics workspace that stores the data collected by Security Center also has built-in roles you can assign, such as 'Log Analytics Reader' and 'Log Analytics Contributor'. Assign the least permissive role needed for users to complete their required tasks. For example, assign the Reader role to users who only need to view information about the security health of a resource but not take action, such as applying recommendations or editing policies.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor to create alerts when changes are made to critical Azure resources related to Azure Security Center. These changes may include any actions that modify Security Center related configuration, such as disabling alerts or recommendations, or updating or deleting data stores.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
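Both 1.11 and 4.9 rely on spotting configuration changes in the Activity log. The following Python is an added example, not code from the baseline page or from Security Center: it assumes Activity Log events exported in the standard Administrative-category JSON shape (operationName, status, resourceId, caller, eventTimestamp) and flags successful write or delete operations on the Microsoft.Security and Microsoft.OperationalInsights providers, which hold Security Center settings and the workspace storing its data. The events, subscription ID, callers and timestamps in the sample are constructed.

```python
"""Detect configuration changes to Security Center related resources in
Azure Activity Log records.

Added example, not code from the baseline page. Assumes Activity Log
events in the standard Administrative-category JSON shape. The sample
events are constructed; the subscription ID, callers and timestamps are
made up.
"""
import json
from dataclasses import dataclass

# Provider namespaces whose write/delete operations alter Security Center
# configuration or the Log Analytics workspace holding its data.
CRITICAL_NAMESPACES = ("MICROSOFT.SECURITY/", "MICROSOFT.OPERATIONALINSIGHTS/")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    caller: str
    operation: str
    resource_id: str


def is_critical_change(event: dict) -> bool:
    """True for a completed write or delete on a critical namespace."""
    operation = event.get("operationName", "").upper()
    if not operation.startswith(CRITICAL_NAMESPACES):
        return False
    if not operation.endswith(("/WRITE", "/DELETE")):
        return False  # reads and list calls do not change configuration
    # 'Started' rows share a correlationId with the 'Succeeded' row for the
    # same request, and failed attempts deserve their own alert, so only
    # the completed operation is reported as a change.
    return event.get("status", "").lower() == "succeeded"


def detect_critical_changes(events):
    return [
        Finding(e["eventTimestamp"], e.get("caller", "<unknown>"),
                e["operationName"], e.get("resourceId", ""))
        for e in events if is_critical_change(e)
    ]


def parse_json_lines(text: str):
    """Parse an export with one JSON event per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample export (one JSON object per line; not real data).
SAMPLE_EVENTS = """\
{"eventTimestamp": "2020-10-01T10:00:00Z", "operationName": "Microsoft.Security/pricings/write", "status": "Started", "caller": "ops@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/pricings/VirtualMachines"}
{"eventTimestamp": "2020-10-01T10:00:05Z", "operationName": "Microsoft.Security/pricings/write", "status": "Succeeded", "caller": "ops@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/pricings/VirtualMachines"}
{"eventTimestamp": "2020-10-01T11:30:00Z", "operationName": "Microsoft.OperationalInsights/workspaces/delete", "status": "Succeeded", "caller": "contractor@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sec-rg/providers/Microsoft.OperationalInsights/workspaces/sec-workspace"}
{"eventTimestamp": "2020-10-01T12:00:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded", "caller": "dev@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01"}
{"eventTimestamp": "2020-10-01T12:15:00Z", "operationName": "Microsoft.Security/policies/write", "status": "Failed", "caller": "dev@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/policies/default"}
"""

if __name__ == "__main__":
    for f in detect_critical_changes(parse_json_lines(SAMPLE_EVENTS)):
        print(f"{f.timestamp} {f.caller} {f.operation} {f.resource_id}")
```

In production the same predicate would sit behind an Azure Monitor log alert over the AzureActivity table; running it over an export first lets you confirm the namespace and status filters before wiring up an Action Group.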

Vulnerability management

For more information, see the Azure Security Benchmark: Vulnerability management.

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Use a common risk scoring program (for example, the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Inventory and asset management

For more information, see the Azure Security Benchmark: Inventory and asset management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query for and discover all resources related to Azure Security Center in your subscriptions. Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions to discover Security Center resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Use tags to assist in tracking Azure resources such as the Log Analytics workspace, which stores sensitive security information from Azure Security Center.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Security Center resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

In addition, use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions, using the following built-in policy definitions:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Define and maintain inventory of approved Azure resources

Guidance: Create an inventory of approved Azure resources and approved software for compute resources, as per your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions.

Use Azure Resource Graph to query for and discover resources within your subscriptions. Ensure that all Azure resources present in the environment are approved.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.7: Remove unapproved Azure resources and software applications

Guidance: Remove Azure resources related to Azure Security Center when they are no longer needed, as part of your organization's inventory and review process.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions, using the following built-in policy definitions:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Secure configuration

For more information, see the Azure Security Benchmark: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for Azure Security Center and its connected workspace via Azure Policy. Use Azure Policy aliases in the "Microsoft.OperationalInsights" and "Microsoft.Security" namespaces to create custom Azure Policy definitions that audit or enforce the configuration of Security Center and its Log Analytics workspace.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy effects 'deny' and 'deploy if not exist' to enforce secure settings across your Azure resources. In addition, you can use Azure Resource Manager templates to maintain the security configuration of the Azure resources your organization requires.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.7: Deploy configuration management tools for Azure resources

Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies that audit or enforce the configuration of your Azure Security Center related resources. Additionally, you can use Azure Automation to deploy configuration changes.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use built-in Azure Policy definitions, as well as Azure Policy aliases in the "Microsoft.OperationalInsights" and "Microsoft.Security" namespaces, to create custom policies that alert on, audit, and enforce Azure resource configurations. Use the Azure Policy effects "audit", "deny", and "deploy if not exist" to automatically enforce configurations for your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
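Controls 7.1, 7.3 and 7.9 (and the tag policy in 1.10) all come down to a policy rule whose "if" condition is matched against a resource and whose "then" names an effect. The following Python is an added example, not Azure's policy engine and not code from the baseline page: it implements only the subset of the policy rule language the sample rules use (allOf, anyOf, not, and field conditions with equals, notEquals, exists and less), and it assumes resources are presented as flattened dicts whose keys are the alias names a rule refers to (in the real service the aliases resolve to paths inside the resource JSON). The alias names are drawn from the two namespaces the guidance mentions and are assumed to exist in the form shown; the policy names and resource snapshots are constructed.

```python
"""Evaluate simplified Azure Policy rules against resource snapshots.

Added example, not Azure's policy engine. Supports a small subset of the
policy rule language; resources are flattened dicts keyed by alias name
(an assumption made for the demo). Policy names and resources are
constructed.
"""


def _field(resource, name):
    """Resolve a 'field' reference: tags['x'] reads a tag, anything else
    is looked up directly as an alias or top-level property."""
    if name.startswith("tags["):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)


def matches(condition, resource):
    """Recursively evaluate an Azure Policy 'if' condition."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = _field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "exists" in condition:   # policy JSON writes the flag as "true"/"false"
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    if "less" in condition:
        return value is not None and value < condition["less"]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policies, resources):
    """Return (resource name, policy name, effect) for every rule whose
    'if' matches, i.e. every non-compliant resource/policy pair."""
    return [(r["name"], p["name"], p["then"]["effect"])
            for r in resources for p in policies if matches(p["if"], r)]


POLICIES = [
    {   # The Defender plan for servers must be on the Standard tier.
        "name": "defender-for-servers-standard",
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Security/pricings"},
            {"field": "name", "equals": "VirtualMachines"},
            {"field": "Microsoft.Security/pricings/pricingTier", "notEquals": "Standard"}]},
        "then": {"effect": "audit"},
    },
    {   # Workspaces storing Security Center data keep at least 90 days.
        "name": "workspace-retention-90-days",
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.OperationalInsights/workspaces"},
            {"field": "Microsoft.OperationalInsights/workspaces/retentionInDays", "less": 90}]},
        "then": {"effect": "deny"},
    },
    {   # Every resource carries an environment tag (cf. "Require tag and its value").
        "name": "require-environment-tag",
        "if": {"field": "tags['environment']", "exists": "false"},
        "then": {"effect": "deny"},
    },
]

# Constructed resource snapshots, flattened to alias names.
RESOURCES = [
    {"name": "VirtualMachines", "type": "Microsoft.Security/pricings",
     "Microsoft.Security/pricings/pricingTier": "Free", "tags": {"environment": "prod"}},
    {"name": "sec-workspace", "type": "Microsoft.OperationalInsights/workspaces",
     "Microsoft.OperationalInsights/workspaces/retentionInDays": 30, "tags": {}},
    {"name": "app-workspace", "type": "Microsoft.OperationalInsights/workspaces",
     "Microsoft.OperationalInsights/workspaces/retentionInDays": 180,
     "tags": {"environment": "prod"}},
]

if __name__ == "__main__":
    for resource, policy, effect in evaluate(POLICIES, RESOURCES):
        print(f"{effect:5}  {resource:16}  {policy}")
```

Walking your intended rules through a toy evaluator like this catches inverted conditions (a common slip is writing "equals" where the rule needs "notEquals", which makes a deny policy block the compliant resources) before the definition is assigned to a subscription.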

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner also encourages moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware defense

For more information, see the Azure Security Benchmark: Malware defense.

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Azure Security Center is not intended to store or process files. It is your responsibility to pre-scan any content being uploaded to non-compute Azure resources, including Log Analytics workspaces.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data recovery

For more information, see the Azure Security Benchmark: Data recovery.

9.1: Ensure regular automated backups

Guidance: Follow an infrastructure as code (IaC) approach and use Azure Resource Manager to deploy your Azure Security Center related resources from a JavaScript Object Notation (JSON) template, which can then serve as a backup of the resource-related configuration.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Azure Security Center uses a Log Analytics workspace to store the data, alerts, and recommendations that it generates. You can configure Azure Monitor and the workspace that Security Center uses to enable a customer-managed key. If you are using Key Vault to store your customer-managed keys, ensure regular automated backups of your keys.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Ensure that you can periodically perform restoration using Azure Resource Manager template files. Test restoration of backed-up customer-managed keys.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Use Azure DevOps to securely store and manage your code, such as custom Azure Policy definitions and Azure Resource Manager templates. To protect resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or in Active Directory if integrated with TFS. Use role-based access control to protect customer-managed keys.

Additionally, enable soft delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store Azure Resource Manager template backups, enable soft delete to save and recover your data when blobs or blob snapshots are deleted.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Incident response

For more information, see the Azure Security Benchmark: Incident response.

10.1: Create an incident response guide

Guidance: Develop an incident response guide for your organization. Ensure there are written incident response plans that define all the roles of personnel as well as the phases of incident handling and management, from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, mark subscriptions using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises on a regular cadence to test your systems' incident response capabilities and help protect your Azure resources. Identify weak points and gaps, then revise your response plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Microsoft uses your security incident contact information to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the continuous export feature to help identify risks to Azure resources. Continuous export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the workflow automation feature of Azure Security Center to automatically trigger responses to security alerts and recommendations, to protect your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
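Controls 10.2, 10.5 and 10.6 (and the Logic App trigger in 2.7) describe one pipeline: alerts leave Security Center through continuous export or workflow automation, and your own logic combines the severity Security Center assigned with the criticality of the affected resource before deciding what to do. The following Python is an added example, not code from the baseline page and not the workflow automation feature itself: it assumes each exported alert arrives as a dict carrying the alert display name, the Security Center severity (Informational, Low, Medium or High) and the affected resource ID, and that resource criticality is recorded in a tag named "criticality" (a naming choice made for the demo). The alerts, resource IDs and tags are constructed.

```python
"""Prioritize and route Security Center alerts by severity and resource
criticality.

Added example, not the Security Center workflow automation feature.
Assumes alerts are dicts with AlertDisplayName, Severity and ResourceId
and that resources carry a 'criticality' tag. All data is constructed.
"""

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CRITICALITY_RANK = {"low": 1, "medium": 2, "high": 3}


def priority(alert, resource_tags):
    """Combine Security Center's confidence-based severity with the
    organisation's own criticality rating of the affected resource.
    An untagged resource is treated as medium criticality rather than
    silently dropping to the bottom of the queue."""
    sev = SEVERITY_RANK.get(alert["Severity"], 0)
    crit = CRITICALITY_RANK.get(resource_tags.get("criticality", "medium").lower(), 2)
    return sev * crit  # 0..9


def route(alert, resource_tags):
    """Decide the automated action for one alert."""
    score = priority(alert, resource_tags)
    if score >= 6:           # High on medium/high resources, Medium on high
        return "page-oncall"
    if score >= 2:
        return "open-ticket"
    return "log-only"        # Informational, or Low on a low-value resource


def triage(alerts, tags_by_resource):
    """Return alerts ordered by priority, each with its routing decision.
    Resource IDs are compared case-insensitively, as Azure treats them."""
    rows = []
    for a in alerts:
        tags = tags_by_resource.get(a["ResourceId"].lower(), {})
        rows.append({"alert": a["AlertDisplayName"], "severity": a["Severity"],
                     "resource": a["ResourceId"].rsplit("/", 1)[-1],
                     "priority": priority(a, tags), "action": route(a, tags)})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed tag inventory (e.g. what a Resource Graph query would return).
RESOURCE_TAGS = {rid.lower(): tags for rid, tags in {
    f"{_SUB}/resourceGroups/db-rg/providers/Microsoft.Compute/virtualMachines/prod-db":
        {"criticality": "high", "environment": "prod"},
    f"{_SUB}/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01":
        {"criticality": "medium", "environment": "prod"},
    f"{_SUB}/resourceGroups/lab-rg/providers/Microsoft.Compute/virtualMachines/test-vm":
        {"criticality": "low", "environment": "dev"},
}.items()}

# Constructed alerts in the assumed export shape.
SAMPLE_ALERTS = [
    {"AlertDisplayName": "Suspicious process executed", "Severity": "High",
     "ResourceId": f"{_SUB}/resourceGroups/db-rg/providers/Microsoft.Compute/virtualMachines/prod-db"},
    {"AlertDisplayName": "Traffic from unusual location", "Severity": "Medium",
     "ResourceId": f"{_SUB}/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01"},
    {"AlertDisplayName": "Possible outgoing spam activity", "Severity": "Low",
     "ResourceId": f"{_SUB}/resourceGroups/lab-rg/providers/Microsoft.Compute/virtualMachines/test-vm"},
    {"AlertDisplayName": "Suspicious process executed", "Severity": "High",
     "ResourceId": f"{_SUB}/resourceGroups/new-rg/providers/Microsoft.Compute/virtualMachines/untagged"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, RESOURCE_TAGS):
        print(f"{row['priority']}  {row['action']:12} {row['severity']:8} "
              f"{row['resource']:10} {row['alert']}")
```

The routing decision is what a Logic App triggered by workflow automation would act on (notify an Action Group, open a ticket, or merely log); keeping the scoring in plain code makes it easy to review and to test against a fixed set of alerts when the thresholds change.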

Penetration tests and red team exercises

For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps