管理安全策略Manage security policies

本文介绍如何配置安全策略,以及如何在安全中心查看这些策略。This article explains how security policies are configured, and how to view them in Security Center.

安全策略简介Introduction to security policies

安全策略定义工作负荷的所需配置,并帮助确保遵守公司或监管机构的安全要求。A security policy defines the desired configuration of your workloads and helps ensure you're complying with the security requirements of your company or regulators.

Azure 安全中心根据所选的策略提供安全建议。Azure Security Center makes its security recommendations based on your chosen policies. 安全中心策略基于 Azure Policy 中创建的策略计划。Security Center policies are based on policy initiatives created in Azure Policy. 可以使用 Azure Policy 来管理策略,以及跨管理组和多个订阅设置策略。You can use Azure Policy to manage your policies and to set policies across Management groups and across multiple subscriptions.

安全中心提供以下选项来让用户使用安全策略:Security Center offers the following options for working with security policies:

  • 查看和编辑内置默认策略 - 启用安全中心时,会将一个名为“ASC default”的内置计划自动分配到所有已在安全中心注册的订阅。View and edit the built-in default policy - When you enable Security Center, a built-in initiative named 'ASC default' is automatically assigned to all Security Center registered subscriptions. 若要自定义此计划,可在其中启用或禁用单个策略。To customize this initiative, you can enable or disable individual policies within it. 要了解现成可用的选项,请参阅内置安全策略列表。See the list of built-in security policies to understand the options available out-of-the-box.

  • 添加自己的自定义策略 - 如果希望自定义要应用到自己的订阅的安全计划,可以在安全中心执行此操作。Add your own custom policies - If you want to customize the security initiatives applied to your subscription, you can do so within Security Center. 如果计算机不遵循创建的策略,则你会收到建议。You'll then receive recommendations if your machines don't follow the policies you create. 有关生成和分配自定义策略的说明,请参阅使用自定义安全策略For instructions on building and assigning custom policies, see Using custom security policies.

  • 添加合规性策略 - 安全中心的合规性仪表板显示环境内的所有评估在特定标准或法规(例如 Azure CIS、NIST SP 800-53 R4、SWIFT CSP CSCF-v2020)上下文中的状态。Add regulatory compliance policies - Security Center's regulatory compliance dashboard shows the status of all the assessments within your environment in the context of a particular standard or regulation (such as Azure CIS, NIST SP 800-53 R4, SWIFT CSP CSCF-v2020). 有关详细信息,请参阅改善合规性For more information, see Improve your regulatory compliance.

管理安全策略Manage your security policies

要在安全中心内查看安全策略,请执行以下操作:To view your security policies in Security Center:

  1. 在“安全中心”仪表板中,选择“安全策略” 。In the Security Center dashboard, select Security policy.


    在“策略管理”屏幕中,可以看到管理组数、订阅数、工作区数以及管理组结构。In the Policy management screen, you can see the number of management groups, subscriptions, and workspaces as well as your management group structure.

  2. 选择想要查看其策略的订阅或管理组。Select the subscription or management group whose policies you want to view.

  3. 此时会显示该订阅或管理组的安全策略页。The security policy page for that subscription or management group appears. 其中显示了可用和已分配的策略。It shows the available and assigned policies.



    如果默认策略旁边有一个标签“MG 已继承”,则表示该策略已分配到某个管理组,并已由当前你正在查看的订阅继承。If there is a label "MG Inherited" alongside your default policy, it means that the policy has been assigned to a management group and inherited by the subscription you're viewing.

  4. 从此页提供的可用选项中进行选择:Choose from the available options on this page:

    1. 要使用行业策略,请选择“添加更多标准”。To work with industry policies, select Add more standards.

    2. 要分配和管理自定义计划,请选择“添加自定义计划”。To assign and manage custom initiatives, select Add custom initiatives. 有关详细信息,请参阅使用自定义安全策略For more information, see Using custom security policies.

    3. 要查看和编辑默认策略,请选择“查看有效策略”并按如下所述继续操作。To view and edit the default policy, select View effective policy and proceed as described below.


      此“安全策略”屏幕反映在所选订阅或管理组中分配的策略所执行的操作。This Security policy screen reflects the action taken by the policies assigned on the subscription or management group you selected.

      • 使用顶部的链接打开在订阅或管理组中应用的每个策略 分配Use the links at the top to open a policy assignment that applies on the subscription or management group. 可以使用这些链接访问分配,以及编辑或禁用策略。These links let you access the assignment and edit or disable the policy. 例如,如果你发现特定的策略分配正在有效地拒绝终结点保护,可使用该链接来编辑或禁用该策略。For example, if you see that a particular policy assignment is effectively denying endpoint protection, use the link to edit or disable the policy.

      • 在策略列表中,可以看到策略有效应用于订阅或管理组。In the list of policies, you can see the effective application of the policy on your subscription or management group. 将考虑适用于该范围的每个策略的设置,并显示该策略执行的操作的累积效果。The settings of each policy that apply to the scope are taken into consideration and the cumulative outcome of actions taken by the policy is shown. 例如,如果一个分配禁用此策略,而另一个设置为 AuditIfNotExist,则累积效果将应用 AuditIfNotExist。For example, if in one assignment of the policy is disabled, but in another it's set to AuditIfNotExist, then the cumulative effect applies AuditIfNotExist. 更积极的效果始终优先。The more active effect always takes precedence.

      • 策略的效果可以是:追加、审核、AuditIfNotExists、拒绝、DeployIfNotExists 和禁用。The policies' effect can be: Append, Audit, AuditIfNotExists, Deny, DeployIfNotExists, Disabled. 有关如何应用效果的详细信息,请参阅了解策略效果For more information on how effects are applied, see Understand Policy effects.


      查看已分配的策略时,可以看到多个分配并且可以看到每个分配如何自行配置。When you view assigned policies, you can see multiple assignments and you can see how each assignment is configured on its own.

谁可以编辑安全策略?Who can edit security policies?

你可以在 Azure Policy 门户中通过 REST API 或 Windows PowerShell 编辑安全策略。You can edit security policies through the Azure Policy portal, via REST API or using Windows PowerShell.

安全中心使用 Azure 基于角色的访问控制 (Azure RBAC),后者提供可分配到 Azure 用户、组和服务的内置角色。Security Center uses Azure role-based access control (Azure RBAC), which provides built-in roles you can assign to Azure users, groups, and services. 用户打开安全中心时,只能看到与他们可访问的资源相关的信息。When users open Security Center, they see only information related to the resources they can access. 这意味着,已为用户分配了资源订阅的所有者、参与者或读取者角色。 Which means users are assigned the role of owner, contributor, or reader to the resource's subscription. 还有两个特定的安全中心角色:There are also two specific Security Center roles:

  • 安全读取者:有权查看安全中心项,例如建议、警报、策略和运行状况。Security reader: Has rights to view Security Center items such as recommendations, alerts, policy, and health. 无法执行更改。Can't make changes.
  • 安全管理员:与安全读取者具有相同的查看权限。Security admin: Has the same view rights as security reader. 还可以更新安全策略并消除警报。Can also update the security policy and dismiss alerts.

禁用安全策略和禁用建议Disable security policies and disable recommendations

如果安全计划触发与环境无关的建议,你可以阻止该建议再次出现。When your security initiative triggers a recommendation that's irrelevant for your environment, you can prevent that recommendation from appearing again. 若要禁用建议,请禁用生成该建议的特定策略。To disable a recommendation, disable the specific policy that generates the recommendation.

如果已经使用安全中心的合规工具应用了法规标准,而你想要禁用的建议是这项法规标准所要求的,那么,你想要禁用的建议仍将会出现。The recommendation you want to disable will still appear if it's required for a regulatory standard you've applied with Security Center's regulatory compliance tools. 如果该建议对于合规性来说是必要的,那么,即使已在内置计划中禁用了策略,法规标准计划中的策略仍将触发该建议。Even if you've disabled a policy in the built-in initiative, a policy in the regulatory standard's initiative will still trigger the recommendation if it's necessary for compliance. 你无法禁用法规标准计划中的策略。You can't disable policies from regulatory standard initiatives.

有关建议的详细信息,请参阅管理安全建议For more information about recommendations, see Managing security recommendations.

  1. 在安全中心的“策略和符合性”部分,选择“安全策略” 。In Security Center, from the Policy & Compliance section, select Security policy.


  2. 选择要禁用其建议的订阅或管理组。Select the subscription or management group for which you want to disable the recommendation.


    请记住,管理组将其策略应用于其订阅。Remember that a management group applies its policies to its subscriptions. 因此,如果禁用了某个订阅策略,而该订阅属于仍使用同一策略的管理组,则你将继续收到策略建议。Therefore, if you disable a subscription's policy, and the subscription belongs to a management group that still uses the same policy, then you will continue to receive the policy recommendations. 仍将从管理级别应用该策略,且仍将生成建议。The policy will still be applied from the management level and the recommendations will still be generated.

  3. 选择“查看有效策略”。Select View effective policy.


  4. 选择分配的策略。Select the assigned policy.


  5. 在“参数”部分中,搜索调用要禁用的建议的策略,然后从下拉列表中选择“禁用”In the PARAMETERS section, search for the policy that invokes the recommendation that you want to disable, and from the dropdown list, select Disabled


  6. 选择“保存” 。Select Save.


    禁用策略更改可能需要长达 12 小时才会生效。The disable policy changes can take up to 12 hours to take effect.

后续步骤Next steps

本文介绍了安全策略。This article explained security policies. 有关更多信息,请参阅以下文章:For related information, see the following articles: