Working with security policies

This article explains how security policies are configured and how to view them in Security Center. You configure them in Azure Policy, which also lets you set policies across management groups and across multiple subscriptions.

For instructions on how to set policies using PowerShell, see Quickstart: Create a policy assignment to identify non-compliant resources using the Azure PowerShell module.

Note

Security Center has started its integration with Azure Policy. Existing customers are automatically migrated to the new built-in initiative in Azure Policy, which replaces the previous security policies in Security Center. Apart from the presence of the new initiative in Azure Policy, this change does not affect your resources or environment.

What are security policies?

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. In Azure Policy, you define policies for your Azure subscriptions and tailor them to your type of workload or the sensitivity of your data. For example, applications that handle regulated data, such as personally identifiable information, might require a higher level of security than other workloads. To set a policy across subscriptions or on management groups, set it in Azure Policy.

Your security policies drive the security recommendations you get in Azure Security Center. You can monitor compliance with them to identify potential vulnerabilities and mitigate threats.

When you enable Security Center, the security policy built into Security Center is reflected in Azure Policy as a built-in initiative under the category Security Center. The built-in initiative is automatically assigned to all subscriptions registered with Security Center (Free or Standard tier). The built-in initiative contains only audit policies: it reports non-compliant resources as recommendations and does not deny or modify deployments.

Management groups

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance across them. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called management groups and apply your governance policies to the management groups. All subscriptions within a management group automatically inherit the policies applied to it. Each directory has a single top-level management group called the root management group. The root management group is built into the hierarchy so that all other management groups and subscriptions fold up to it, which lets you apply global policies and RBAC assignments at the directory level.

Note

It's important that you understand the hierarchy of management groups and subscriptions. See Organize your resources with Azure management groups to learn more about management groups, the root management group, and management group access.

How security policies work

Security Center automatically creates a default security policy for each of your Azure subscriptions. You can edit the policies in Azure Policy to do the following:

  • Create new policy definitions.
  • Assign policies across management groups and subscriptions, which can represent an entire organization or a business unit within it.
  • Monitor policy compliance.

For more information about Azure Policy, see Create and manage policies to enforce compliance.

An Azure policy consists of the following components:

  • A policy is a rule.
  • An initiative is a collection of policies.
  • An assignment is the application of an initiative or a policy to a specific scope (management group, subscription, or resource group).

View security policies

To view your security policies in Security Center:

  1. In the Security Center dashboard, select Security policy.

    Policy management pane

    In the Policy management screen, you can see the number of management groups, subscriptions, and workspaces, as well as your management group structure.

    Note

    • The Security Center dashboard may show a higher number of subscriptions under Subscription coverage than the number shown under Policy management. Subscription coverage counts Standard, Free, and "not covered" subscriptions. "Not covered" subscriptions do not have Security Center enabled and are not displayed under Policy management.
  2. Select the subscription or management group whose policies you want to view.

    • The Security policy screen reflects the action taken by the policies assigned on the subscription or management group you selected.
    • At the top, use the links provided to open each policy assignment that applies to the subscription or management group. You can use the links to access the assignment and edit or disable the policy. For example, if you see that a particular policy assignment is effectively denying endpoint protection, you can use the link to open that assignment and edit or disable it.
    • In the list of policies, you can see the effective application of each policy on your subscription or management group. The settings of every assignment that applies to the scope are taken into account, and you are shown the cumulative outcome. For example, if the policy is set to Disabled in one assignment but to AuditIfNotExists in another, the cumulative effect is AuditIfNotExists: the more active effect always takes precedence. In practice this means you cannot switch off a recommendation by disabling it in one assignment while another assignment in scope still audits it.
    • A policy's effect can be Append, Audit, AuditIfNotExists, Deny, DeployIfNotExists, or Disabled. For more information on how effects are applied, see Understand Policy effects.

    Policy screen

Note

  • When you view assigned policies, you can see multiple assignments and how each assignment is configured on its own.

Edit security policies

You can edit the default security policy for each of your Azure subscriptions and management groups in Azure Policy. To modify a security policy, you must be an Owner, Contributor, or Security Admin of the subscription or of the containing management group.

For instructions on how to edit a security policy in Azure Policy, see Create and manage policies to enforce compliance.

You can edit security policies through the Azure Policy portal, via the REST API, or using Windows PowerShell. The section Configure a security policy using the REST API, later in this article, provides instructions for editing using the REST API.

Disable security policies

If the default security policy generates a recommendation that is not relevant for your environment, you can stop it by disabling the policy definition that produces the recommendation. For further information about recommendations, see Managing security recommendations.

  1. In Security Center, from the Policy & Compliance section, click Security policy.

    Policy management

  2. Click the subscription or management group for which you want to disable the recommendation.

    Note

    Remember that a management group applies its policies to its subscriptions. If you disable a policy on a subscription that belongs to a management group still using the same policy, you will continue to receive that policy's recommendations: the policy is still applied from the management group level and the recommendations are still generated. To silence the recommendation, disable the policy in the management group's assignment as well, or in every assignment that applies to the scope.

  3. Click the assigned policy.

    Disable policy

  4. In the PARAMETERS section, find the policy that produces the recommendation you want to disable, and select Disabled from its dropdown list.

    Disable policy

  5. Click Save.

    Note

    Changes that disable a policy can take up to 12 hours to take effect.
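The precedence rule described under View security policies (the more active effect wins across assignments) and the management group caveat in the note above, modeled as an added Python example. This is not code from the page or from Microsoft: the management group hierarchy, subscription IDs and assignments are constructed sample data, the ranking of effects beyond "Disabled loses to AuditIfNotExists" is an assumption, and AuditIfNotExists as the default value of an unset effect parameter is also an assumption.

```python
from dataclasses import dataclass, field

# Assumed ranking of effects from least to most active. The page only states
# that Disabled loses to AuditIfNotExists; the rest of the order is an
# assumption made for this example.
EFFECT_RANK = {
    "Disabled": 0,
    "Audit": 1,
    "AuditIfNotExists": 2,
    "Append": 3,
    "DeployIfNotExists": 4,
    "Deny": 5,
}

# Effect of a policy whose parameter an assignment does not set. The page says
# every policy is enabled by default; the concrete value is an assumption.
DEFAULT_EFFECT = "AuditIfNotExists"


@dataclass
class Assignment:
    """One policy assignment: the scope it was made on and its effect parameters."""
    name: str
    scope: str
    parameters: dict = field(default_factory=dict)  # parameter name -> effect

    def __post_init__(self):
        for param, effect in self.parameters.items():
            if effect not in EFFECT_RANK:
                raise ValueError(f"{self.name}: {param} has unknown effect {effect!r}")


def scopes_in_force(scope, hierarchy):
    """Return the scope and every ancestor up to the root management group.

    hierarchy maps each scope to its parent scope; the root maps to None.
    """
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = hierarchy[scope]
    return chain


def effective_effects(target, hierarchy, assignments, parameters):
    """Compute the effective effect of each parameter at the target scope.

    Every assignment made on the target or on one of its ancestors applies.
    For each parameter the most active value among them wins, so Disabled in
    a subscription assignment cannot override AuditIfNotExists inherited from
    a management group assignment.
    """
    in_force = set(scopes_in_force(target, hierarchy))
    applicable = [a for a in assignments if a.scope in in_force]
    if not applicable:
        return {}
    result = {}
    for param in parameters:
        values = [a.parameters.get(param, DEFAULT_EFFECT) for a in applicable]
        result[param] = max(values, key=EFFECT_RANK.__getitem__)
    return result


# Constructed sample hierarchy and assignments (not real Azure data).
MG_ROOT = "/providers/Microsoft.Management/managementGroups/TenantRoot"
MG_PROD = "/providers/Microsoft.Management/managementGroups/Production"
MG_DEV = "/providers/Microsoft.Management/managementGroups/Development"
SUB_PROD = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_DEV = "/subscriptions/22222222-2222-2222-2222-222222222222"

HIERARCHY = {MG_ROOT: None, MG_PROD: MG_ROOT, MG_DEV: MG_ROOT,
             SUB_PROD: MG_PROD, SUB_DEV: MG_DEV}

ASSIGNMENTS = [
    # Management group assignment of the built-in initiative with defaults.
    Assignment("asc-prod-mg", MG_PROD),
    # Subscription-level attempt to silence two recommendations.
    Assignment("asc-prod-sub", SUB_PROD, {
        "systemUpdatesMonitoringEffect": "Disabled",
        "endpointProtectionMonitoringEffect": "Disabled",
    }),
    # The development subscription has no management group assignment above it.
    Assignment("asc-dev-sub", SUB_DEV, {"systemUpdatesMonitoringEffect": "Disabled"}),
]

WATCHED = ["systemUpdatesMonitoringEffect", "endpointProtectionMonitoringEffect",
           "diskEncryptionMonitoringEffect"]


def demo():
    """Return the effective effects for both sample subscriptions."""
    return {
        "prod": effective_effects(SUB_PROD, HIERARCHY, ASSIGNMENTS, WATCHED),
        "dev": effective_effects(SUB_DEV, HIERARCHY, ASSIGNMENTS, WATCHED),
    }


if __name__ == "__main__":
    for sub, effects in demo().items():
        print(sub, effects)
```

Running it shows the production subscription still auditing system updates and endpoint protection despite its own Disabled parameters, because the Production management group's assignment is inherited and is more active; the development subscription, which has no assignment above it, actually gets Disabled for system updates.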

Configure a security policy using the REST API

As part of its native integration with Azure Policy, Azure Security Center lets you use Azure Policy's REST API to create policy assignments. The following instructions walk you through creating policy assignments and customizing existing ones.

Important concepts in Azure Policy:

  • A policy definition is a rule.

  • An initiative is a collection of policy definitions (rules).

  • An assignment is the application of an initiative or a policy to a specific scope (management group, subscription, and so on).

Security Center has a built-in initiative that includes all of its security policies. To assess Security Center's policies against your Azure resources, create an assignment on the management group or subscription you want to assess.

The built-in initiative has all of Security Center's policies enabled by default. You can disable individual policies in the initiative by changing the value of the policy's effect parameter to Disabled; for example, you can apply all of Security Center's policies except web application firewall by setting webApplicationFirewallMonitoringEffect to Disabled.

API examples

In the following examples, replace these variables:

  • {scope}: the management group or subscription you are applying the policy to, as the path segment subscriptions/{subscriptionId} or providers/Microsoft.Management/managementGroups/{managementGroupName}.
  • {policyAssignmentName}: the name of the relevant policy assignment.
  • {name}: your name, or the name of the administrator who approved the policy change.

This example shows how to assign the built-in Security Center initiative on a subscription or management group:

   PUT https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

   Request Body (JSON)

   {
     "properties": {
       "displayName": "Enable Monitoring in Azure Security Center",
       "metadata": {
         "assignedBy": "{name}"
       },
       "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
       "parameters": {}
     }
   }

This example shows how to assign the built-in Security Center initiative on a subscription with the following policies disabled:

  • System updates (systemUpdatesMonitoringEffect)

  • Security configurations (systemConfigurationsMonitoringEffect)

  • Endpoint protection (endpointProtectionMonitoringEffect)

   PUT https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

   Request Body (JSON)

   {
     "properties": {
       "displayName": "Enable Monitoring in Azure Security Center",
       "metadata": {
         "assignedBy": "{name}"
       },
       "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
       "parameters": {
         "systemUpdatesMonitoringEffect": {"value": "Disabled"},
         "systemConfigurationsMonitoringEffect": {"value": "Disabled"},
         "endpointProtectionMonitoringEffect": {"value": "Disabled"}
       }
     }
   }

This example shows how to remove an assignment:

   DELETE https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

Policy names reference

| Policy name in Security Center | Policy name displayed in Azure Policy | Policy effect parameter name |
| --- | --- | --- |
| SQL Encryption | Monitor unencrypted SQL database in Azure Security Center | sqlEncryptionMonitoringEffect |
| SQL Auditing | Monitor unaudited SQL database in Azure Security Center | sqlAuditingMonitoringEffect |
| System updates | Monitor missing system updates in Azure Security Center | systemUpdatesMonitoringEffect |
| Storage encryption | Audit missing blob encryption for storage accounts | storageEncryptionMonitoringEffect |
| JIT Network access | Monitor possible network Just In Time (JIT) access in Azure Security Center | jitNetworkAccessMonitoringEffect |
| Adaptive application controls | Monitor possible app Whitelisting in Azure Security Center | adaptiveApplicationControlsMonitoringEffect |
| Network security groups | Monitor permissive network access in Azure Security Center | networkSecurityGroupsMonitoringEffect |
| Security configurations | Monitor OS vulnerabilities in Azure Security Center | systemConfigurationsMonitoringEffect |
| Endpoint protection | Monitor missing Endpoint Protection in Azure Security Center | endpointProtectionMonitoringEffect |
| Disk encryption | Monitor unencrypted VM Disks in Azure Security Center | diskEncryptionMonitoringEffect |
| Vulnerability assessment | Monitor VM Vulnerabilities in Azure Security Center | vulnerabilityAssessmentMonitoringEffect |
| Web application firewall | Monitor unprotected web application in Azure Security Center | webApplicationFirewallMonitoringEffect |
| Next generation firewall | Monitor unprotected network endpoints in Azure Security Center | |
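The PUT and DELETE calls from the API examples above, built as an added Python example using only the standard library. This is not code from the page or from Microsoft: it assembles the request URL and body for the Azure China Resource Manager endpoint shown on this page, validates disabled policy names against the reference table above (the Next generation firewall row lists no parameter name and is therefore omitted), and reads back which policies an assignment body disables, which is useful when reviewing an assignment fetched with GET. The scope, assignment name and bearer token are placeholders, and nothing is sent.

```python
import json
import urllib.request

# Resource Manager endpoint and API version from the page's examples.
ARM_ENDPOINT = "https://management.chinacloudapi.cn"
API_VERSION = "2018-05-01"
BUILTIN_INITIATIVE = ("/providers/Microsoft.Authorization/policySetDefinitions/"
                      "1f3afdf9-d0c9-4c3d-847f-89da613e70a8")

# Effect parameter names from the policy names reference table. The
# "Next generation firewall" row has no parameter name, so it is omitted.
EFFECT_PARAMETERS = {
    "SQL Encryption": "sqlEncryptionMonitoringEffect",
    "SQL Auditing": "sqlAuditingMonitoringEffect",
    "System updates": "systemUpdatesMonitoringEffect",
    "Storage encryption": "storageEncryptionMonitoringEffect",
    "JIT Network access": "jitNetworkAccessMonitoringEffect",
    "Adaptive application controls": "adaptiveApplicationControlsMonitoringEffect",
    "Network security groups": "networkSecurityGroupsMonitoringEffect",
    "Security configurations": "systemConfigurationsMonitoringEffect",
    "Endpoint protection": "endpointProtectionMonitoringEffect",
    "Disk encryption": "diskEncryptionMonitoringEffect",
    "Vulnerability assessment": "vulnerabilityAssessmentMonitoringEffect",
    "Web application firewall": "webApplicationFirewallMonitoringEffect",
}
PARAMETER_TO_POLICY = {v: k for k, v in EFFECT_PARAMETERS.items()}


def assignment_url(scope, assignment_name):
    """policyAssignments URL; scope is the page's {scope} path segment,
    e.g. "subscriptions/<id>" or "providers/Microsoft.Management/managementGroups/<name>"."""
    return (f"{ARM_ENDPOINT}/{scope.strip('/')}/providers/Microsoft.Authorization/"
            f"policyAssignments/{assignment_name}?api-version={API_VERSION}")


def assignment_body(assigned_by, disabled=()):
    """Body assigning the built-in initiative with the named policies disabled.

    Names must match the reference table, so a typo cannot silently leave a
    policy enabled that the operator believes is off.
    """
    parameters = {}
    for policy in disabled:
        if policy not in EFFECT_PARAMETERS:
            raise ValueError(f"unknown Security Center policy: {policy!r}")
        parameters[EFFECT_PARAMETERS[policy]] = {"value": "Disabled"}
    return {"properties": {
        "displayName": "Enable Monitoring in Azure Security Center",
        "metadata": {"assignedBy": assigned_by},
        "policyDefinitionId": BUILTIN_INITIATIVE,
        "parameters": parameters,
    }}


def put_assignment_request(scope, assignment_name, token, body):
    """PUT request that creates or replaces an assignment (built, not sent)."""
    return urllib.request.Request(
        assignment_url(scope, assignment_name),
        data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def delete_assignment_request(scope, assignment_name, token):
    """DELETE request that removes an assignment (built, not sent)."""
    return urllib.request.Request(
        assignment_url(scope, assignment_name), method="DELETE",
        headers={"Authorization": f"Bearer {token}"})


def disabled_policies(body):
    """Policies an assignment body switches off, by reference-table name.

    A policy disabled here still audits if another assignment in scope
    (for example on the parent management group) leaves it enabled.
    """
    params = body.get("properties", {}).get("parameters", {})
    return sorted(PARAMETER_TO_POLICY.get(name, name)
                  for name, setting in params.items()
                  if setting.get("value") == "Disabled")


if __name__ == "__main__":
    # Placeholder scope, name and token: nothing is sent.
    body = assignment_body("jane.doe", disabled=["System updates", "Endpoint protection"])
    req = put_assignment_request("subscriptions/00000000-0000-0000-0000-000000000000",
                                 "asc-monitoring", "<access-token>", body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
    print("disabled:", disabled_policies(body))
    # urllib.request.urlopen(req) would send it once a valid bearer token is supplied.
```

The body produced by assignment_body matches the second API example above. Keeping the effect parameter names in one table and rejecting anything else is the check worth carrying into automation: the API accepts a misspelled parameter name silently, and the policy then keeps its default effect.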

Who can edit security policies?

Security Center uses role-based access control (RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure. When users open Security Center, they see only information related to resources they have access to, which means they have been assigned the Owner, Contributor, or Reader role on the subscription or resource group that a resource belongs to. In addition to these roles, there are two Security Center-specific roles:

  • Security Reader: has view rights to Security Center, including recommendations, alerts, policy, and health, but cannot make changes.
  • Security Admin: has the same view rights as Security Reader and can also update the security policy and dismiss recommendations and alerts.

Next steps

In this article, you learned how to edit security policies in Azure Policy. To learn more about Security Center, see the following articles:

To learn more about Azure Policy, see What is Azure Policy?