Working with security policies

This article explains how security policies are configured, and how to view them in Security Center.

Introduction to security policies

A security policy defines the desired configuration of your workloads and helps ensure you're complying with the security requirements of your company or regulators.

Azure Security Center makes its security recommendations based on your chosen policies. Security Center policies are based on policy initiatives created in Azure Policy. You can use Azure Policy to manage your policies and to set policies across management groups and across multiple subscriptions.

Security Center offers the following options for working with security policies:

  • View and edit the built-in default policy - When you enable Security Center, a built-in initiative named 'ASC default' is automatically assigned to all Security Center registered subscriptions (Free or Standard tiers). To customize this initiative, you can enable or disable individual policies within it.

  • Add your own custom policies - If you want to customize the security initiatives applied to your subscription, you can do so within Security Center. You'll then receive recommendations if your machines don't follow the policies you create.

  • Add regulatory compliance policies - Security Center's regulatory compliance dashboard shows the status of all the assessments within your environment in the context of a particular standard or regulation (such as Azure CIS, NIST SP 800-53 R4, SWIFT CSP CSCF-v2020). For more information, see Improve your regulatory compliance.

Managing your security policies

To view your security policies in Security Center:

  1. In the Security Center dashboard, select Security policy.

    Screenshot: Policy management pane

    In the Policy management screen, you can see the number of management groups, subscriptions, and workspaces, as well as your management group structure.

  2. Select the subscription or management group whose policies you want to view.

  3. The security policy page for that subscription or management group appears. It shows the available and assigned policies.

    Screenshot: Policy screen

    Note

    If there is a label "MG Inherited" alongside your default policy, it means that the policy has been assigned to a management group and inherited by the subscription you're viewing.

  4. Choose from the available options on this page:

    1. To work with industry policies, click Add more standards.

    2. To assign and manage custom initiatives, click Add custom initiatives.

    3. To view and edit the default policy, click View effective policy and proceed as described below.

      Screenshot: Policy screen

      This Security policy screen reflects the action taken by the policies assigned on the subscription or management group you selected.

      • Use the links at the top to open a policy assignment that applies on the subscription or management group. These links let you access the assignment and edit or disable the policy. For example, if you see that a particular policy assignment is effectively denying endpoint protection, use the link to edit or disable the policy.

      • In the list of policies, you can see the effective application of each policy on your subscription or management group. The settings of every assignment that applies to the scope are taken into consideration, and the cumulative outcome of the actions taken by the policy is shown. For example, if the policy is disabled in one assignment but set to AuditIfNotExist in another, the cumulative effect is AuditIfNotExist. The more active effect always takes precedence.

      • A policy's effect can be: Append, Audit, AuditIfNotExists, Deny, DeployIfNotExists, or Disabled. For more information on how effects are applied, see Understand Policy effects.

      Note

      When you view assigned policies, you can see multiple assignments and how each assignment is configured on its own.

Who can edit security policies?

You can edit security policies through the Azure Policy portal, via the REST API, or using Windows PowerShell.

Security Center uses Role-Based Access Control (RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure. When users open Security Center, they see only information related to resources they have access to, which means users are assigned the Owner, Contributor, or Reader role on the resource's subscription. As well as these roles, there are two specific Security Center roles:

  • Security reader: Has view rights to Security Center, which includes recommendations, alerts, policy, and health, but can't make changes.
  • Security admin: Has the same view rights as Security reader, and can also update the security policy and dismiss recommendations and alerts.

Disable security policies

If the default security policy is generating a recommendation that's not relevant for your environment, you can stop it by disabling the policy definition that sends the recommendation. For more information about recommendations, see Managing security recommendations.

  1. In Security Center, from the Policy & Compliance section, click Security policy.

    Screenshot: Policy management

  2. Click the subscription or management group for which you want to disable the recommendation.

    Note

    Remember that a management group applies its policies to its subscriptions. Therefore, if you disable a subscription's policy, and the subscription belongs to a management group that still uses the same policy, you will continue to receive the policy recommendations. The policy will still be applied from the management group level and the recommendations will still be generated.

  3. Click View effective policy.

    Screenshot: Disable policy

  4. Click the assigned policy.

    Screenshot: Disable policy

  5. In the PARAMETERS section, search for the policy that invokes the recommendation you want to disable, and from the dropdown list select Disabled.

    Screenshot: Disable policy

  6. Click Save.

    Note

    Disabling a policy can take up to 12 hours to take effect.
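Before disabling a policy at subscription scope, the Note above matters: an 'ASC default' assignment inherited from a management group keeps generating the recommendation. The following PowerShell check is an added example (not from the article or the Security Center product), using the Az.Resources cmdlet Get-AzPolicyAssignment; it assumes you have already run Connect-AzAccount, that Get-AzPolicyAssignment -Scope returns inherited assignments as well as direct ones, and the helper Get-AssignmentField is hypothetical.

```powershell
# Added example: report every assignment of the 'ASC default' initiative that applies to a
# subscription and whether each is assigned directly or inherited from a management group.
# Assumes Az.Accounts/Az.Resources are installed and Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)][string]$SubscriptionId,
    [string]$InitiativeDisplayName = 'ASC default'   # display name as shown in the portal
)

# Older Az.Resources versions nest assignment fields under .Properties; newer ones flatten
# them onto the object. This hypothetical helper reads whichever layout is present.
function Get-AssignmentField {
    param($Assignment, [string]$Name)
    if ($Assignment.PSObject.Properties[$Name]) { return $Assignment.$Name }
    return $Assignment.Properties.$Name
}

$scope = "/subscriptions/$SubscriptionId"

# Assumption: with -Scope and no -IncludeDescendent, the cmdlet lists assignments that
# apply at this scope, including those assigned at ancestor management groups.
$assignments = Get-AzPolicyAssignment -Scope $scope |
    Where-Object { (Get-AssignmentField $_ 'DisplayName') -eq $InitiativeDisplayName }

if (-not $assignments) {
    Write-Warning "No assignment named '$InitiativeDisplayName' applies to $scope."
    return
}

$mgPrefix = '/providers/Microsoft.Management/managementGroups/'
$report = foreach ($a in $assignments) {
    $assignedAt = Get-AssignmentField $a 'Scope'
    $inherited  = $assignedAt -like "$mgPrefix*"
    [pscustomobject]@{
        AssignmentName = $a.Name
        AssignedAt     = $assignedAt
        MgInherited    = $inherited     # corresponds to the "MG Inherited" label in the portal
        EditAt         = if ($inherited) { $assignedAt.Substring($mgPrefix.Length) } else { 'subscription' }
    }
}

$report | Format-Table -AutoSize

# Disabling a policy only on the subscription-scope assignment does not stop recommendations
# produced by an inherited assignment; the management group assignment must be edited too.
if ($report | Where-Object MgInherited) {
    Write-Warning "Inherited assignment(s) found: disable the policy at the management group scope listed under EditAt as well, or the recommendation will continue."
}
```

Run it as `.\Check-AscDefaultScope.ps1 -SubscriptionId <your subscription id>`; the EditAt column tells you which scope's assignment to open in step 4 above.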

Next steps

In this article, you learned about security policies. For related information, see the following articles: