Protect your machines and applications

When Azure Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through configuring the controls needed to harden and protect your resources.

This article explains the Compute & apps page of Security Center's resource security section.

For a full list of the recommendations you might see on this page, see Compute and apps recommendations.

View the security of your compute and apps resources

Screenshot: Security Center dashboard

To view the status of your compute and apps resources, select Compute & apps in the left pane of Security Center. The following tabs are available:

  • Overview: lists the recommendations for all compute and apps resources, along with their current security state

  • VMs and Servers: lists the recommendations for your VMs and computers, along with the current security state of each

  • VM scale sets: lists the recommendations for your scale sets

  • Cloud services: lists the recommendations for the web and worker roles monitored by Security Center

  • App services: lists the recommendations for your App Service environments, along with the current security state of each

  • Containers: lists the recommendations for your containers and the security assessment of their configurations

  • Compute resources: lists the recommendations for other compute resources, such as Service Fabric clusters and Event Hubs

What's in each tab?

Each tab has multiple sections, and in each section you can drill down to see additional details about the item shown.

Each tab also shows recommendations for the relevant resources in your monitored environment. The first column lists the recommendation, the second shows the total number of affected resources, and the third shows the severity of the issue.

Each recommendation has a set of actions you can perform after selecting it. For example, if you select Missing system updates, you see the number of VMs and computers that are missing patches and the severity of each missing update.

Note

The security recommendations are the same as those on the Recommendations page, but here they are filtered to the resource type you selected. For more information about how to resolve recommendations, see Implementing security recommendations in Azure Security Center.

VMs and Servers

The VMs and servers section gives you an overview of all security recommendations for your VMs and computers. Four types of machines are included:

  • Non-Azure computer.

  • Azure Resource Manager VM.

  • Azure Classic VM.

  • VMs identified only through a workspace that belongs to the viewed subscription. This includes VMs from other subscriptions that report to a workspace in this subscription, and VMs onboarded with the Operations Manager direct agent, which have no resource ID.

The icon shown under each recommendation helps you quickly identify the VMs and computers that need attention and the type of recommendation. You can also use the filters to search the list by Resource type and by Severity.

To drill down into the security recommendations for a particular VM, click that VM. Here you see the security details for the VM or computer. At the bottom, you can see the recommended action and the severity of each issue.


Virtual machine scale sets

Security Center automatically discovers whether you have scale sets and recommends that you install the Log Analytics agent on them.

To install the Log Analytics agent:

  1. Select the recommendation Install the monitoring agent on virtual machine scale set. You get a list of unmonitored scale sets.

  2. Select an unhealthy scale set. Follow the instructions to install the monitoring agent, using an existing populated workspace or creating a new one. Make sure to set the workspace pricing tier if it is not already set.

    Screenshot: Install MMS

To have new scale sets install the Log Analytics agent automatically:

  1. Go to Azure Policy and click Definitions.

  2. Search for the policy Deploy Log Analytics agent for Windows virtual machine scale sets and click it.

  3. Click Assign.

  4. Set the Scope and the Log Analytics workspace, then click Assign.

The deployIfNotExists effect of this policy only runs when a scale set is created or updated, so scale sets that already exist stay unmonitored until you remediate them. To roll the agent out to all existing scale sets as well, go to Remediation in Azure Policy and apply the assigned policy to the existing scale sets.
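The four steps above, plus the remediation that follows them, as a script. This is an added example, not Microsoft's documentation or code. It assumes the Azure CLI is installed and signed in; the az subcommands and flags it builds are real, while the policy parameter name logAnalytics is an assumption to confirm against the definition. The first function also shows what "unmonitored" means in the list from step 1 of the manual procedure: the scale-set model carries no Log Analytics agent extension, which is the extension this policy deploys.

```python
"""Scripted form of the scale-set rollout described above.

This is an added example, not Microsoft's code. It assumes the Azure CLI (az)
is installed and logged in. The az subcommands and flags are real, but the
policy parameter name "logAnalytics" (the workspace resource ID) is an
assumption about the built-in definition; confirm it with
    az policy definition show --name <definition-name> --query parameters
"""
import json
import shlex
import subprocess
import sys

# The Log Analytics / Microsoft Monitoring Agent VM extension that the
# policy deploys; a scale set without it is what the page calls unmonitored.
AGENT_PUBLISHER = "Microsoft.EnterpriseCloud.Monitoring"
AGENT_TYPES = {"MicrosoftMonitoringAgent", "OmsAgentForLinux"}
POLICY_DISPLAY_NAME = "Deploy Log Analytics agent for Windows virtual machine scale sets"


def has_agent(vmss: dict) -> bool:
    """True if the scale-set model already carries the agent extension.

    Handles both the flattened `az vmss list` shape (publisher/type at the top
    level of each extension) and the raw ARM shape (nested under `properties`).
    """
    profile = vmss.get("virtualMachineProfile") or {}
    extensions = (profile.get("extensionProfile") or {}).get("extensions") or []
    for ext in extensions:
        props = ext.get("properties", ext)
        if props.get("publisher") == AGENT_PUBLISHER and props.get("type") in AGENT_TYPES:
            return True
    return False


def unmonitored_scale_sets(vmss_list: list) -> list:
    """Names of the scale sets that still lack the agent, sorted."""
    return sorted(v["name"] for v in vmss_list if not has_agent(v))


def find_definition_cmd() -> list:
    """Resolve the built-in definition's name (a GUID) from its display name."""
    query = f"[?displayName=='{POLICY_DISPLAY_NAME}'].name | [0]"
    return ["az", "policy", "definition", "list", "--query", query, "-o", "tsv"]


def assign_cmd(name: str, scope: str, definition: str, workspace_id: str, location: str) -> list:
    """Steps 3-4 above. A deployIfNotExists policy deploys through a managed
    identity, so the assignment needs one with Contributor on the scope."""
    params = json.dumps({"logAnalytics": {"value": workspace_id}})  # assumed parameter name
    return [
        "az", "policy", "assignment", "create",
        "--name", name, "--scope", scope, "--policy", definition,
        "--params", params,
        "--assign-identity", "--identity-scope", scope, "--role", "Contributor",
        "--location", location,
    ]


def remediation_cmd(name: str, assignment: str) -> list:
    """The Remediation step: deploy the agent to scale sets that already exist."""
    return ["az", "policy", "remediation", "create", "--name", name, "--policy-assignment", assignment]


def run(cmd: list, dry_run: bool = True) -> str:
    """Print the command (dry run) or execute it and return its stdout."""
    if dry_run:
        print(" ".join(shlex.quote(c) for c in cmd))
        return ""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    # usage: rollout.py <subscription-id> <workspace-resource-id> <location> [--apply]
    sub, workspace, location = sys.argv[1:4]
    dry = "--apply" not in sys.argv
    scope = f"/subscriptions/{sub}"
    pending = unmonitored_scale_sets(json.loads(run(["az", "vmss", "list", "-o", "json"], dry) or "[]"))
    print("scale sets without the agent:", pending)
    definition = run(find_definition_cmd(), dry) or "<definition-name>"
    run(assign_cmd("deploy-la-agent-vmss", scope, definition, workspace, location), dry)
    run(remediation_cmd("deploy-la-agent-vmss-remediation", "deploy-la-agent-vmss"), dry)
```

Run it without --apply first: every command is printed with shell quoting instead of executed. The remediation is created at the same scope as the assignment, and the role granted to the assignment's managed identity can take a short while to propagate, so a remediation started immediately after the assignment may need to be re-run.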

Cloud services

For cloud services, a recommendation is created when the operating system version is out of date.

Screenshot: Cloud services

If you have such a recommendation, follow the steps in the recommendation to update the operating system. When an update is available, you see an alert (red or orange, depending on the severity of the issue). For a full explanation of this recommendation, click Update OS version under the DESCRIPTION column.

App services

To view App Service information, you must be on Security Center's Standard pricing tier and have App Service enabled in your subscription. For instructions on enabling this feature, see Protect App Service with Azure Security Center.

Under App services, you find a list of your App Service environments and a health summary based on the assessments Security Center performed.

Screenshot: App services

Three types of application services are shown:

  • App Service environment

  • Web application

  • Function application

If you select a web application, a summary view opens with three tabs:

  • Recommendations: based on assessments performed by Security Center that failed.
  • Passed assessments: list of assessments performed by Security Center that passed.
  • Unavailable assessments: list of assessments that could not run, either because of an error or because the recommendation is not relevant to the specific App Service.

Under Recommendations is a list of the recommendations for the selected web application and the severity of each.

Screenshot: App Service recommendations

Select a recommendation to see its description and lists of unhealthy, healthy, and unscanned resources.

  • The Passed assessments tab shows a list of passed assessments. The severity of these assessments is always green.

  • Select a passed assessment from the list for a description of the assessment, a list of unhealthy and healthy resources, and a list of unscanned resources. There is a tab for unhealthy resources, but that list is always empty because the assessment passed.

Containers

When you open the Containers tab, depending on your environment, you might see any of three types of resources:

  • Container hosts: VMs running Docker

  • Kubernetes service: Azure Kubernetes Service (AKS) clusters. Learn about Security Center's AKS bundle.

  • Container registry: Azure Container Registry (ACR) registries.

Screenshot: Containers tab

To see the recommendations for a specific resource in the list, click that resource.

Visibility into container registries

For example, clicking the asc-demo ACR registry in the list shown in the screenshot above leads to this details page:

Screenshot: Recommendations for a specific ACR registry

Visibility into containers hosted on IaaS Linux machines

When you click one of the VMs running Docker, you see a details page with information about the containers on the machine, such as the Docker version and the number of images running on the host.

Screenshot: Recommendations for a VM running Docker

Security recommendations based on the CIS benchmark for Docker

Security Center scans your Docker configurations and gives you visibility into misconfigurations by listing every assessed rule that failed. It provides guidance to help you resolve these issues quickly, and it continuously re-assesses the Docker configurations so the state you see is current.
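As an added illustration of what such a scan evaluates (example code, not Security Center's implementation or rule set), the following evaluator applies a handful of rules in the spirit of the CIS Docker Benchmark to a constructed daemon.json and a constructed docker inspect record, with a weak and a hardened version of each. Rule numbers are left out deliberately because they differ between benchmark versions; map the descriptive names onto your copy of the benchmark.

```python
"""Local evaluation of a few CIS Docker Benchmark style rules.

This is an added example, not Microsoft's code and not Security Center's rule
set. It checks a constructed /etc/docker/daemon.json and a constructed
`docker inspect` record (one element of the list docker prints). Rule numbers
are deliberately omitted because they differ between benchmark versions; map
the descriptive names to your copy of the benchmark.
"""
import json

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def _caps(inspect: dict) -> set:
    """Capabilities added with --cap-add, normalised without the CAP_ prefix."""
    return {c[4:] if c.startswith("CAP_") else c for c in inspect["HostConfig"].get("CapAdd") or []}


# (rule, predicate): the predicate returns True when the rule PASSES.
DAEMON_RULES = [
    ("Restrict network traffic between containers on the default bridge (icc=false)",
     lambda c: c.get("icc") is False),
    ("Do not expose the daemon over TCP without TLS verification",
     lambda c: c.get("tlsverify") is True or not any(h.startswith("tcp://") for h in c.get("hosts", []))),
    ("Enable user namespace support (userns-remap)",
     lambda c: bool(c.get("userns-remap"))),
    ("Enable live restore",
     lambda c: c.get("live-restore") is True),
    ("Disable the userland proxy",
     lambda c: c.get("userland-proxy") is False),
    ("Restrict containers from acquiring new privileges daemon-wide",
     lambda c: c.get("no-new-privileges") is True),
    ("Do not enable experimental features in production",
     lambda c: c.get("experimental") is not True),
]

CONTAINER_RULES = [
    ("Do not use privileged containers",
     lambda i: not i["HostConfig"].get("Privileged", False)),
    ("Do not mount the Docker socket inside containers",
     lambda i: not any("docker.sock" in b for b in i["HostConfig"].get("Binds") or [])),
    ("Run the container as a non-root user",
     lambda i: i["Config"].get("User") not in (None, "", "0", "root")),
    ("Set a memory limit for the container",
     lambda i: (i["HostConfig"].get("Memory") or 0) > 0),
    ("Do not share the host's PID namespace",
     lambda i: i["HostConfig"].get("PidMode") != "host"),
    ("Do not share the host's network namespace",
     lambda i: i["HostConfig"].get("NetworkMode") != "host"),
    ("Do not add dangerous Linux capabilities",
     lambda i: not (_caps(i) & DANGEROUS_CAPS)),
    ("Mount the root filesystem read-only",
     lambda i: i["HostConfig"].get("ReadonlyRootfs") is True),
]


def failed_rules(rules: list, subject: dict) -> list:
    """Names of the rules the subject fails, in rule-table order."""
    return [name for name, passes in rules if not passes(subject)]


def assess_daemon(daemon_json: str) -> list:
    return failed_rules(DAEMON_RULES, json.loads(daemon_json))


def assess_container(inspect_json: str) -> list:
    return failed_rules(CONTAINER_RULES, json.loads(inspect_json))


# Constructed inputs: a weak daemon config and a weak container beside hardened ones.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "live-restore": False,
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock"], "icc": False, "userns-remap": "default",
    "live-restore": True, "userland-proxy": False, "no-new-privileges": True,
})
WEAK_INSPECT = json.dumps({
    "Name": "/ci-agent", "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                   "Memory": 0, "PidMode": "", "NetworkMode": "bridge", "CapAdd": None,
                   "ReadonlyRootfs": False},
})
HARDENED_INSPECT = json.dumps({
    "Name": "/api", "Config": {"User": "10001"},
    "HostConfig": {"Privileged": False, "Binds": None, "Memory": 536870912, "PidMode": "",
                   "NetworkMode": "bridge", "CapAdd": None, "ReadonlyRootfs": True},
})

if __name__ == "__main__":
    for label, failures in [("weak daemon", assess_daemon(WEAK_DAEMON_JSON)),
                            ("hardened daemon", assess_daemon(HARDENED_DAEMON_JSON)),
                            ("weak container", assess_container(WEAK_INSPECT)),
                            ("hardened container", assess_container(HARDENED_INSPECT))]:
        print(f"{label}: {len(failures)} failed rule(s)")
        for rule in failures:
            print("  FAIL", rule)
```

The weak daemon config fails six of the seven daemon rules (a TCP listener without TLS is the one that turns a misconfiguration into remote root on the host), and the weak container fails five of the eight container rules; the hardened inputs fail none. Feeding the evaluator the real files (daemon.json from the host, one element of docker inspect output per container) is the same exercise, and the failed list is the kind of output the Security Center recommendation shows for a container host.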

Screenshot: Containers tab

Next steps

To learn more about recommendations that apply to other Azure resource types, see the following articles: