Monitor identity and access

The security perimeter has evolved from a network perimeter to an identity perimeter. With this development, security is less about defending your network and more about managing the security of your apps, data, and users.

By monitoring the activities and configuration settings related to identity, you can take proactive actions before an incident takes place, or reactive actions to stop attempted attacks.

What identity and access safeguards does Security Center provide?

Azure Security Center has two dedicated security controls for ensuring you're meeting your organization's identity and security requirements:

  • Manage access and permissions - We encourage you to adopt the least privilege access model and ensure you grant your users only the access necessary for them to do their jobs. This control also includes recommendations for implementing Azure role-based access control (Azure RBAC) to control access to your resources.

  • Enable MFA - With MFA enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on.

Example recommendations for identity and access

Examples of recommendations you might see in these two controls on Security Center's Recommendations page:

  • MFA should be enabled on accounts with owner permissions on your subscription
  • A maximum of 3 owners should be designated for your subscription
  • External accounts with read permissions should be removed from your subscription
  • Deprecated accounts should be removed from your subscription (Deprecated accounts are accounts that are no longer needed, and blocked from signing in by Azure Active Directory)
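The following is an added example, not code from the Azure documentation or from Security Center itself. It evaluates a constructed set of subscription role assignments against the four recommendations listed above and collapses the result to the Healthy/Unhealthy status code that the assessments use. The Principal model, the sample accounts and their object IDs, and the set of roles treated as granting read access are assumptions made for illustration; the owner threshold of 3 is the one quoted in the recommendation.

```python
# Added example (not from the Azure documentation): evaluate a subscription's
# role assignments against the four identity recommendations listed above.
# The Principal model, the sample assignments, their IDs and the set of
# read-granting roles are constructed; the owner threshold of 3 is the one
# quoted in the recommendation text.
from dataclasses import dataclass
from typing import Dict, List

MAX_OWNERS = 3

# Roles treated as granting read access (simplification for this example).
READ_GRANTING_ROLES = {"Reader", "Contributor", "Owner"}

REC_MFA_OWNERS = "MFA should be enabled on accounts with owner permissions on your subscription"
REC_MAX_OWNERS = f"A maximum of {MAX_OWNERS} owners should be designated for your subscription"
REC_EXTERNAL_READ = "External accounts with read permissions should be removed from your subscription"
REC_DEPRECATED = "Deprecated accounts should be removed from your subscription"


@dataclass(frozen=True)
class Principal:
    object_id: str         # directory object ID (a GUID in a real tenant)
    role: str              # Azure RBAC role assigned at subscription scope
    mfa_enforced: bool     # MFA enforced for this account
    external: bool         # guest account from another tenant
    sign_in_blocked: bool  # blocked from signing in by Azure AD (deprecated)


# Constructed role assignments for a hypothetical subscription.
SAMPLE_ASSIGNMENTS: List[Principal] = [
    Principal("00000000-0000-0000-0000-000000000001", "Owner", True, False, False),
    Principal("00000000-0000-0000-0000-000000000002", "Owner", False, False, False),
    Principal("00000000-0000-0000-0000-000000000003", "Owner", True, False, False),
    Principal("00000000-0000-0000-0000-000000000004", "Owner", False, False, False),
    Principal("00000000-0000-0000-0000-000000000005", "Reader", True, True, False),
    Principal("00000000-0000-0000-0000-000000000006", "Contributor", True, False, True),
]


def evaluate_identity_recommendations(assignments: List[Principal]) -> Dict[str, List[str]]:
    """Map each recommendation to the object IDs that make it unhealthy.

    An empty list means the recommendation is healthy for this subscription.
    """
    owners = [p for p in assignments if p.role == "Owner"]
    return {
        REC_MFA_OWNERS: [p.object_id for p in owners if not p.mfa_enforced],
        # Every owner is reported when the count exceeds the threshold, since
        # any of them could be removed to bring the subscription back into line.
        REC_MAX_OWNERS: [p.object_id for p in owners] if len(owners) > MAX_OWNERS else [],
        REC_EXTERNAL_READ: [
            p.object_id for p in assignments
            if p.external and p.role in READ_GRANTING_ROLES
        ],
        REC_DEPRECATED: [p.object_id for p in assignments if p.sign_in_blocked],
    }


def assessment_status(findings: Dict[str, List[str]]) -> Dict[str, str]:
    """Collapse findings to the Healthy/Unhealthy status code used by the assessments."""
    return {rec: ("Unhealthy" if ids else "Healthy") for rec, ids in findings.items()}


if __name__ == "__main__":
    results = evaluate_identity_recommendations(SAMPLE_ASSIGNMENTS)
    for rec, status in assessment_status(results).items():
        print(f"{status:9} {rec}")
        for oid in results[rec]:
            print(f"          {oid}")
```

Running the script reports all four recommendations as Unhealthy for the sample data: two owners lack MFA, there are four owners, one guest holds a read-granting role, and one account is blocked from signing in. Feeding it an inventory exported from your own tenant shows which accounts each recommendation will name before Security Center does.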

Tip

For more information about these recommendations and the others you might see in these controls, see Identity and Access recommendations.

Limitations

There are some limitations to Security Center's identity and access protections:

  • Identity recommendations aren't available for subscriptions with more than 600 accounts. In such cases, these recommendations will be listed under "unavailable assessments".
  • Identity recommendations aren't available for Cloud Solution Provider (CSP) partners' admin agents.
  • Identity recommendations don't identify accounts that are managed with a Privileged Identity Management (PIM) system. If you're using a PIM tool, you might see inaccurate results in the Manage access and permissions control.

Multi-factor authentication (MFA) and Azure Active Directory

Enabling MFA requires Azure Active Directory (AD) tenant permissions.

Identify accounts without multi-factor authentication (MFA) enabled

To see which accounts don't have MFA enabled, use the following Azure Resource Graph query. The query returns all unhealthy resources (accounts) for the recommendation "MFA should be enabled on accounts with owner permissions on your subscription".

  1. Open Azure Resource Graph Explorer.

    (Screenshot: launching Azure Resource Graph Explorer from the recommendation page)

  2. Enter the following query and select Run query.

    securityresources
    | where type == "microsoft.security/assessments"
    | where properties.displayName == "MFA should be enabled on accounts with owner permissions on your subscription"
    | where properties.status.code == "Unhealthy"

  3. The additionalData property reveals the list of account object IDs for accounts that don't have MFA enforced.
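As an added example that is not part of the Azure documentation, the script below processes a result set of the kind the query above returns: it applies the same three filters client-side (resource type, recommendation display name, Unhealthy status), collects the object IDs from additionalData per subscription, and then puts names to those IDs using a local directory export, since the query deliberately returns object IDs rather than names. The row layout mirrors the fields the query filters on; the "accounts" key inside additionalData, the sample rows, the object IDs and the directory contents are constructed assumptions.

```python
# Added example (not from the Azure documentation): process the rows that the
# Resource Graph query above returns. The row shape mirrors the fields the query
# filters on (type, properties.displayName, properties.status.code,
# properties.additionalData); the "accounts" key inside additionalData, the
# sample rows, the object IDs and the local directory are constructed assumptions.
import json
from typing import Dict, List

MFA_RECOMMENDATION = "MFA should be enabled on accounts with owner permissions on your subscription"

# Constructed result set, as it might be exported from Resource Graph Explorer.
SAMPLE_RESULT_JSON = json.dumps([
    {   # the row the query is after: unhealthy MFA assessment on subscription A
        "type": "microsoft.security/assessments",
        "subscriptionId": "sub-a",
        "properties": {
            "displayName": MFA_RECOMMENDATION,
            "status": {"code": "Unhealthy"},
            "additionalData": {"accounts": [
                "00000000-0000-0000-0000-000000000004",
                "00000000-0000-0000-0000-000000000002",
            ]},
        },
    },
    {   # healthy copy of the same assessment on subscription B: nothing to report
        "type": "microsoft.security/assessments",
        "subscriptionId": "sub-b",
        "properties": {
            "displayName": MFA_RECOMMENDATION,
            "status": {"code": "Healthy"},
            "additionalData": {},
        },
    },
    {   # a different recommendation that happens to be unhealthy: must be ignored
        "type": "microsoft.security/assessments",
        "subscriptionId": "sub-a",
        "properties": {
            "displayName": "A maximum of 3 owners should be designated for your subscription",
            "status": {"code": "Unhealthy"},
            "additionalData": {"accounts": ["00000000-0000-0000-0000-000000000001"]},
        },
    },
])

# Constructed local inventory used to put names to the object IDs; in practice
# this comes from your own directory export, which is why the query omits names.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "00000000-0000-0000-0000-000000000002": "ops-admin-2",
    "00000000-0000-0000-0000-000000000004": "ops-admin-4",
}


def unhealthy_mfa_accounts(result_json: str) -> Dict[str, List[str]]:
    """Apply the same filters as the Resource Graph query and return, per
    subscription, the sorted object IDs found in additionalData."""
    rows = json.loads(result_json)
    found: Dict[str, List[str]] = {}
    for row in rows:
        props = row.get("properties", {})
        if row.get("type") != "microsoft.security/assessments":
            continue
        if props.get("displayName") != MFA_RECOMMENDATION:
            continue
        if props.get("status", {}).get("code") != "Unhealthy":
            continue
        # Tolerate a missing key: an unhealthy row with no listed accounts is
        # still surfaced, as an empty list, rather than raising.
        ids = props.get("additionalData", {}).get("accounts", [])
        found.setdefault(row.get("subscriptionId", "unknown"), []).extend(ids)
    return {sub: sorted(set(ids)) for sub, ids in found.items()}


def resolve_object_ids(object_ids: List[str], directory: Dict[str, str]) -> Dict[str, str]:
    """Look up object IDs in a local directory export; unknown IDs stay flagged."""
    return {oid: directory.get(oid, "<not in local directory>") for oid in object_ids}


if __name__ == "__main__":
    per_sub = unhealthy_mfa_accounts(SAMPLE_RESULT_JSON)
    for sub, ids in per_sub.items():
        print(sub)
        for oid, name in resolve_object_ids(ids, SAMPLE_DIRECTORY).items():
            print(f"  {oid}  {name}")
```

Only the first sample row survives the filters, so the output lists subscription sub-a with its two owner accounts resolved to names; an ID that is absent from the local export is flagged rather than silently dropped, which is the case to chase first because it may be a guest or a service principal you do not track.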

    Note

    The accounts are shown as object IDs rather than account names to protect the privacy of the account holders.

Tip

Alternatively, you can use Security Center's REST API method Assessments - Get.

Next steps

To learn more about recommendations that apply to other Azure resource types, see the following article: