Remediate recommendations in Azure Security Center

Recommendations give you suggestions on how to better secure your resources. You implement a recommendation by following the remediation steps provided in the recommendation.

Remediation steps

After reviewing all the recommendations, decide which one to remediate first. We recommend that you use the Secure Score impact to help prioritize what to do first.

  1. From the list, click the recommendation.

  2. Follow the instructions in the Remediation steps section. Each recommendation has its own set of instructions. The following screenshot shows remediation steps for configuring applications to only allow traffic over HTTPS.

    Screenshot: Recommendation details

  3. Once completed, a notification appears informing you if the remediation succeeded.

Quick Fix remediation

Quick Fix enables you to quickly remediate a recommendation on multiple resources. It's only available for specific recommendations. Quick Fix simplifies remediation and enables you to quickly increase your Secure Score, improving your environment's security.

To implement Quick Fix remediation:

  1. From the list of recommendations that have the Quick Fix! label, click on the recommendation.

    Screenshot: Select Quick Fix!

  2. From the Unhealthy resources tab, select the resources that you want to implement the recommendation on, and click Remediate.

    Note

    Some of the listed resources might be disabled, because you don't have the appropriate permissions to modify them.

  3. In the confirmation box, read the remediation details and implications.

    Screenshot: Quick Fix

    Note

    The implications are listed in the grey box in the Remediate resources window that opens after clicking Remediate. They list what changes happen when proceeding with the Quick Fix remediation.

  4. Insert the relevant parameters if necessary, and approve the remediation.

    Note

    It can take several minutes after remediation completes to see the resources in the Healthy resources tab. To view the remediation actions, check the activity log.

  5. Once completed, a notification appears informing you if the remediation succeeded.

Quick Fix remediation logging in the activity log

The remediation operation uses a template deployment or a REST PATCH API call to apply the configuration on the resource. These operations are logged in the Azure activity log.

Recommendations with Quick Fix remediation

Each entry below gives the recommendation and the implication of applying its Quick Fix.

Recommendation: Auditing on SQL servers should be enabled
Implication: This action will enable SQL auditing on these servers and their databases.
  Note:
  • For each region of the selected SQL servers, a storage account for saving audit logs will be created and shared by all the servers in that region.
  • To ensure proper auditing, do not delete or rename the resource group or the storage accounts.

Recommendation: Advanced data security should be enabled on your SQL managed instances
Implication: This action will enable SQL Advanced Data Security (ADS) on the selected SQL managed instances.
  Note:
  • For each region and resource group of the selected SQL managed instances, a storage account for saving scan results will be created and shared by all the instances in that region.
  • ADS is charged at $15 per SQL managed instance.

Recommendation: Vulnerability assessment should be enabled on your SQL managed instances
Implication: This action will enable SQL Vulnerability Assessment on the selected SQL managed instances.
  Note:
  • SQL Vulnerability Assessment is part of the SQL Advanced Data Security (ADS) package. If ADS is not enabled already, it will automatically be enabled on the managed instance.
  • For each region and resource group of the selected SQL managed instances, a storage account for storing scan results will be created and shared by all the instances in that region.
  • ADS is charged at $15 per SQL server.

Recommendation: Advanced Data Security should be enabled on your SQL servers
Implication: This action will enable Advanced Data Security (ADS) on these selected servers and their databases.
  Note:
  • For each region and resource group of the selected SQL servers, a storage account for storing scan results will be created and shared by all the servers in that region.
  • ADS is charged at $15 per SQL server.

Recommendation: Vulnerability Assessment should be enabled on your SQL servers
Implication: This action will enable SQL Vulnerability Assessment on these selected servers and their databases.
  Note:
  • SQL Vulnerability Assessment is part of the SQL Advanced Data Security (ADS) package. If ADS isn't enabled already, it will automatically be enabled on the SQL server.
  • For each region and resource group of the selected SQL servers, a storage account for storing scan results will be created and shared by all the instances in that region.
  • ADS is charged at $15 per SQL server.

Recommendation: Transparent data encryption on SQL databases should be enabled
Implication: This action enables SQL Database Transparent Data Encryption (TDE) on the selected databases.
  Note: By default, service-managed TDE keys will be used.

Recommendation: Secure transfer to storage accounts should be enabled
Implication: This action updates your storage account security to only allow requests by secure connections (HTTPS).
  Note:
  • Any requests using HTTP will be rejected.
  • When you're using the Azure Files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Learn more.

Recommendation: Web Application should only be accessible over HTTPS
Implication: This action will redirect all traffic from HTTP to HTTPS on the selected resources.
  Note:
  • An HTTPS endpoint that doesn't have an SSL certificate will show up in the browser with a 'Privacy Error'. So users who have a custom domain need to verify they have set up an SSL certificate.
  • Make sure the packet and web application firewalls protecting the app service allow HTTPS session forwarding.

Recommendation: Function App should only be accessible over HTTPS
Implication: This action will redirect all traffic from HTTP to HTTPS on the selected resources.
  Note:
  • An HTTPS endpoint that doesn't have an SSL certificate will show up in the browser with a 'Privacy Error'. So users who have a custom domain need to verify they have set up an SSL certificate.
  • Make sure the packet and web application firewalls protecting the app service allow HTTPS session forwarding.

Recommendation: API App should only be accessible over HTTPS
Implication: This action will redirect all traffic from HTTP to HTTPS on the selected resources.
  Note:
  • An HTTPS endpoint that doesn't have an SSL certificate will show up in the browser with a 'Privacy Error'. So users who have a custom domain need to verify they have set up an SSL certificate.
  • Make sure the packet and web application firewalls protecting the app service allow HTTPS session forwarding.

Recommendation: Remote debugging should be turned off for Web Application
Implication: This action disables remote debugging.

Recommendation: Remote debugging should be turned off for Function App
Implication: This action disables remote debugging.

Recommendation: Remote debugging should be turned off for API App
Implication: This action disables remote debugging.

Recommendation: CORS should not allow every resource to access your Web Application
Implication: This action blocks other domains from accessing your Web Application. To allow specific domains, enter them in the Allowed origins field (separated by commas).
  Note: Leaving the field empty will block all cross-origin calls. Parameter field title: 'Allowed origins'

Recommendation: CORS should not allow every resource to access your Function App
Implication: This action blocks other domains from accessing your Function Application. To allow specific domains, enter them in the Allowed origins field (separated by commas).
  Note: Leaving the field empty will block all cross-origin calls. Parameter field title: 'Allowed origins'

Recommendation: CORS should not allow every resource to access your API App
Implication: This action blocks other domains from accessing your API Application. To allow specific domains, enter them in the Allowed origins field (separated by commas).
  Note: Leaving the field empty will block all cross-origin calls. Parameter field title: 'Allowed origins'

Recommendation: Monitoring agent should be enabled on your virtual machines
Implication: This action installs a monitoring agent on the selected virtual machines. Select a workspace for the agent to report to.
  • If your update policy is set to automatic, it will deploy on new existing instances.
  • If your update policy is set to manual and you would like to install the agent on existing instances, select the check box option. Learn more.

Recommendation: Diagnostic logs in Key Vault should be enabled
Implication: This action enables diagnostic logs on key vaults. Diagnostic logs and metrics are saved in the selected workspace.

Recommendation: Diagnostic logs in Service Bus should be enabled
Implication: This action enables diagnostic logs on the service bus. Diagnostic logs and metrics are saved in the selected workspace.
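As an added example (not code from this page or from Security Center), the Python below evaluates constructed resource records against four of the Quick Fix recommendations listed above (HTTPS only, remote debugging off, no wildcard CORS origin, secure transfer to storage) and builds the kind of REST PATCH body a remediation would send, which is the mechanism the logging section describes. The resource ids are placeholders, and the property names follow the public ARM schemas for Microsoft.Web/sites and Microsoft.Storage/storageAccounts; the exact template or PATCH content Security Center itself uses is not given on this page.

```python
# Constructed sample records (not real Azure output). Property names follow the
# Microsoft.Web/sites and Microsoft.Storage/storageAccounts ARM schemas; ids are placeholders.
RESOURCES = [
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Web/sites/web1",
     "type": "Microsoft.Web/sites",
     "properties": {"httpsOnly": False,
                    "siteConfig": {"remoteDebuggingEnabled": True,
                                   "cors": {"allowedOrigins": ["*"]}}}},
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Web/sites/web2",
     "type": "Microsoft.Web/sites",
     "properties": {"httpsOnly": True,
                    "siteConfig": {"remoteDebuggingEnabled": False,
                                   "cors": {"allowedOrigins": ["https://app.example.com"]}}}},
    {"id": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stor1",
     "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
]

HTTPS_ONLY = "Web Application should only be accessible over HTTPS"
NO_REMOTE_DEBUG = "Remote debugging should be turned off for Web Application"
CORS_NOT_ANY = "CORS should not allow every resource to access your Web Application"
SECURE_TRANSFER = "Secure transfer to storage accounts should be enabled"


def evaluate(resource, allowed_origins=()):
    """Return {recommendation: patch_body} for each unhealthy setting on one resource.
    allowed_origins mirrors the 'Allowed origins' field: empty blocks all cross-origin calls."""
    props = resource.get("properties", {})
    findings = {}
    if resource["type"] == "Microsoft.Web/sites":
        cfg = props.get("siteConfig", {})
        if not props.get("httpsOnly", False):  # HTTP would not be redirected to HTTPS
            findings[HTTPS_ONLY] = {"properties": {"httpsOnly": True}}
        if cfg.get("remoteDebuggingEnabled", False):  # debugging endpoint left open
            findings[NO_REMOTE_DEBUG] = {"properties": {"siteConfig": {"remoteDebuggingEnabled": False}}}
        if "*" in cfg.get("cors", {}).get("allowedOrigins", []):  # wildcard origin allows every site
            findings[CORS_NOT_ANY] = {"properties": {"siteConfig": {
                "cors": {"allowedOrigins": list(allowed_origins)}}}}
    elif resource["type"] == "Microsoft.Storage/storageAccounts":
        if not props.get("supportsHttpsTrafficOnly", False):  # plain-HTTP requests still accepted
            findings[SECURE_TRANSFER] = {"properties": {"supportsHttpsTrafficOnly": True}}
    return findings


def audit(resources, allowed_origins=()):
    """Map each unhealthy resource id to its findings; healthy resources are omitted."""
    return {r["id"]: f for r in resources if (f := evaluate(r, allowed_origins))}
```

Running `audit(RESOURCES, ["https://app.example.com"])` reports web1 and stor1 as unhealthy with one PATCH body per finding, and leaves web2 out because every checked setting is already compliant.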

Next steps

In this document, you were shown how to remediate recommendations in Security Center. To learn more about Security Center, see the following topics: