Tutorial: Protect your resources with Azure Security Center

Security Center limits your exposure to threats by using access and application controls to block malicious activity. Just-in-Time (JIT) virtual machine (VM) access reduces your exposure to attacks by enabling you to deny persistent access to VMs. Instead, you provide controlled and audited access to VMs only when needed. Adaptive application controls help harden VMs against malware by controlling which applications can run on your VMs. Security Center uses machine learning to analyze the processes running in the VM and helps you apply whitelisting rules using this intelligence.

In this tutorial you learn how to:

  • Configure a just-in-time VM access policy
  • Configure an application control policy

Prerequisites

To step through the features covered in this tutorial, you must be on Security Center's Standard pricing tier. You can try Security Center Standard at no cost. To learn more, see the pricing page. The quickstart Onboard your Azure subscription to Security Center Standard walks you through how to upgrade to Standard.

Manage VM access

JIT VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

Management ports do not need to be open at all times. They only need to be open while you are connected to the VM, for example to perform management or maintenance tasks. When just-in-time is enabled, Security Center uses Network Security Group (NSG) rules, which restrict access to management ports so they cannot be targeted by attackers.

  1. In the Security Center main menu, select Just-in-Time VM access under ADVANCED CLOUD DEFENSE.

    Screenshot: Just-in-time VM access

    Just-in-time VM access provides information on the state of your VMs:

    • Configured - VMs that have been configured to support just-in-time VM access.

    • Recommended - VMs that can support just-in-time VM access but have not been configured to.

    • No recommendation - Reasons that can cause a VM not to be recommended are:

      • Missing NSG - The just-in-time solution requires an NSG to be in place.
      • Classic VM - Security Center just-in-time VM access currently supports only VMs deployed through Azure Resource Manager.
      • Other - A VM is in this category if the just-in-time solution is turned off in the security policy of the subscription or the resource group, or if the VM is missing a public IP and doesn't have an NSG in place.
  2. Select a recommended VM and click Enable JIT on 1 VM to configure a just-in-time policy for that VM:

    You can save the default ports that Security Center recommends, or you can add and configure a new port on which you want to enable the just-in-time solution. In this tutorial, let's add a port by selecting Add.

    Screenshot: Add port configuration

  3. Under Add port configuration, you identify:

    • The port
    • The protocol type
    • Allowed source IPs - IP ranges allowed to get access upon an approved request
    • Maximum request time - the maximum time window during which a specific port can be open
  4. Select OK to save.
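The four fields from the Add port configuration step, checked and assembled into a JIT policy entry. This is an added example, not code from the tutorial or from Security Center itself; the request-body keys mirror the Microsoft.Security jitNetworkAccessPolicies REST resource as an assumption to verify against the current API reference, and the 3-hour ceiling and the VM resource ID are constructed placeholders.

```python
import ipaddress

# Constructed organisational ceiling for "Maximum request time" (assumption, not a page value).
MAX_HOURS = 3
PROTOCOLS = {"TCP", "UDP", "*"}

def validate_port_config(port, protocol, allowed_source_ips, max_hours):
    """Return the problems found in one JIT port configuration (empty list means it is acceptable)."""
    problems = []
    if not 1 <= port <= 65535:
        problems.append(f"port {port} out of range")
    if protocol not in PROTOCOLS:
        problems.append(f"unsupported protocol {protocol!r}")
    for prefix in allowed_source_ips:
        if prefix == "*":
            # The NSG rule opened on approval would then admit any Internet source.
            problems.append("allowed source '*' admits any IP; prefer the requester's CIDR ranges")
            continue
        try:
            ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            problems.append(f"{prefix!r} is not a valid IP range")
    if not 0 < max_hours <= MAX_HOURS:
        problems.append(f"max request time {max_hours}h outside 0-{MAX_HOURS} hours")
    return problems

def build_jit_policy(vm_id, port_configs):
    """Assemble the policy body for one VM; raise ValueError if any port entry is weak or invalid."""
    ports = []
    for cfg in port_configs:
        problems = validate_port_config(**cfg)
        if problems:
            raise ValueError("; ".join(problems))
        ports.append({
            "number": cfg["port"],
            "protocol": cfg["protocol"],
            "allowedSourceAddressPrefixes": list(cfg["allowed_source_ips"]),
            "maxRequestAccessDuration": f"PT{cfg['max_hours']}H",  # ISO 8601 duration
        })
    return {"kind": "Basic", "properties": {"virtualMachines": [{"id": vm_id, "ports": ports}]}}

# Constructed sample input: the weak setting (any source, longest window) beside the corrected one.
VM_ID = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>"
WEAK = {"port": 3389, "protocol": "TCP", "allowed_source_ips": ["*"], "max_hours": 3}
HARDENED = {"port": 3389, "protocol": "TCP", "allowed_source_ips": ["203.0.113.0/24"], "max_hours": 1}

if __name__ == "__main__":
    print(validate_port_config(**WEAK))
    print(build_jit_policy(VM_ID, [HARDENED]))
```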

Harden VMs against malware

Adaptive application controls help you define a set of applications that are allowed to run on configured resource groups, which among other benefits helps harden your VMs against malware. Security Center uses machine learning to analyze the processes running in the VM and helps you apply whitelisting rules using this intelligence.

  1. Return to the Security Center main menu. Under ADVANCED CLOUD DEFENSE, select Adaptive application controls.

    Screenshot: Adaptive application controls

    The Resource groups section contains three tabs:

    • Configured: List of resource groups containing the VMs that were configured with application control.
    • Recommended: List of resource groups for which application control is recommended.
    • No recommendation: List of resource groups containing VMs without any application control recommendations. For example, VMs on which applications are always changing and haven't reached a steady state.
  2. Select the Recommended tab for a list of resource groups with application control recommendations.

    Screenshot: Application control recommendations

  3. Select a resource group to open the Create application control rules option. In Select VMs, review the list of recommended VMs and uncheck any you do not want to apply application control to. In Select processes for whitelisting rules, review the list of recommended applications and uncheck any you do not want to apply. The list includes:

    • NAME: The full application path
    • PROCESSES: How many applications reside within each path
    • COMMON: "Yes" indicates that these processes have been executed on most VMs in this resource group
    • EXPLOITABLE: A warning icon indicates that the application could be used by an attacker to bypass application whitelisting. It is recommended to review these applications prior to their approval.
  4. Once you finish your selections, select Create.

Clean up resources

Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, continue running the Standard tier and keep automatic provisioning enabled. If you do not plan to continue or wish to return to the Free tier:

  1. Return to the Security Center main menu and select Security policy.
  2. Select the subscription or policy that you want to return to Free. Security policy opens.
  3. Under POLICY COMPONENTS, select Pricing tier.
  4. Select Free to change the subscription from the Standard tier to the Free tier.
  5. Select Save.

If you wish to disable automatic provisioning:

  1. Return to the Security Center main menu and select Security policy.
  2. Select the subscription for which you wish to disable automatic provisioning.
  3. Under Security policy - Data Collection, select Off under Onboarding to disable automatic provisioning.
  4. Select Save.

Note

Disabling automatic provisioning does not remove the Azure Monitoring Agent from Azure VMs where the agent has been provisioned. Disabling automatic provisioning limits security monitoring for your resources.

Next steps

In this tutorial, you learned how to limit your exposure to threats by:

  • Configuring a just-in-time VM access policy to provide controlled and audited access to VMs only when needed
  • Configuring an adaptive application controls policy to control which applications can run on your VMs

Advance to the next tutorial to learn about responding to security incidents.