Security Control: Identity and Access Control

Identity and access management recommendations focus on addressing issues related to identity-based access control, locking down administrative access, alerting on identity-related events, abnormal account behavior, and role-based access control.

3.1: Maintain an inventory of administrative accounts

Azure ID | CIS IDs | Responsibility
3.1 | 4.1 | Customer

Azure AD has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.
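One way to build that inventory with the AzureAD PowerShell module the control refers to (Microsoft has since retired this module in favour of the Microsoft Graph PowerShell SDK), as an added example that is not part of the benchmark page; the function name and the CSV path are assumptions:

```powershell
# Added example: inventory every account that holds an activated Azure AD directory role.
# Requires an identity that can read directory roles; Connect-AzureAD prompts for sign-in.
# Caveat: Get-AzureADDirectoryRole lists only roles already activated in the tenant, and
# Get-AzureADDirectoryRoleMember returns permanent (active) assignments, not PIM-eligible
# ones; review eligible assignments separately in Privileged Identity Management.
function Get-AdminRoleInventory {
    foreach ($role in Get-AzureADDirectoryRole) {
        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            $enabled = $null
            $upn     = $null
            if ($member.ObjectType -eq 'User') {
                # Resolve the user so we can see whether a disabled account still holds a role
                $user    = Get-AzureADUser -ObjectId $member.ObjectId
                $enabled = $user.AccountEnabled
                $upn     = $user.UserPrincipalName
            }
            [pscustomobject]@{
                Role              = $role.DisplayName
                RoleTemplateId    = $role.RoleTemplateId
                MemberType        = $member.ObjectType   # User, Group or ServicePrincipal
                DisplayName       = $member.DisplayName
                UserPrincipalName = $upn
                AccountEnabled    = $enabled
                ObjectId          = $member.ObjectId
            }
        }
    }
}

Connect-AzureAD | Out-Null
$inv = Get-AdminRoleInventory
$inv | Sort-Object Role, DisplayName |
    Export-Csv -Path .\admin-role-inventory.csv -NoTypeInformation   # assumed output path

# Review points: non-user principals holding roles, disabled users that were never removed,
# and the total number of Global Administrators (matched by the well-known role template id
# rather than by display name, which older module versions render as "Company Administrator").
$inv | Where-Object { $_.MemberType -ne 'User' -or $_.AccountEnabled -eq $false } |
    Format-Table Role, MemberType, DisplayName, AccountEnabled -AutoSize
$globalAdminTemplate = '62e90394-69f5-4237-9190-012177145e10'
$gaCount = @($inv | Where-Object RoleTemplateId -eq $globalAdminTemplate).Count
"Global Administrator assignments: $gaCount"
```

Re-run the script on a schedule and diff the CSV against the previous run to catch role assignments that were added outside your standard operating procedure.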

3.2: Change default passwords where applicable

Azure ID | CIS IDs | Responsibility
3.2 | 4.2 | Customer

Azure AD does not have the concept of default passwords. Other Azure resources that require a password force one to be created with complexity requirements and a minimum password length, which differs depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.

3.3: Use dedicated administrative accounts

Azure ID | CIS IDs | Responsibility
3.3 | 4.3 | Customer

Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

You can also enable Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management Privileged Roles for Microsoft Services, and Azure Resource Manager.

3.5: Use multi-factor authentication for all Azure Active Directory based access

Azure ID | CIS IDs | Responsibility
3.5 | 4.5, 11.5, 12.11, 16.3 | Customer

Enable Azure AD MFA and follow Azure Security Center Identity and Access Management recommendations.

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Azure ID | CIS IDs | Responsibility
3.6 | 4.6, 11.6, 12.12 | Customer

Use PAWs (privileged access workstations) with MFA configured to log into and configure Azure resources.

3.7: Log and alert on suspicious activities from administrative accounts

Azure ID | CIS IDs | Responsibility
3.7 | 4.8, 4.9 | Customer

Use Azure Active Directory security reports to generate logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.

3.8: Manage Azure resources from only approved locations

Azure ID | CIS IDs | Responsibility
3.8 | 11.7 | Customer

Use Conditional Access Named Locations to allow access from only specific logical groupings of IP address ranges or countries/regions.

3.9: Use Azure Active Directory

Azure ID | CIS IDs | Responsibility
3.9 | 16.1, 16.2, 16.4, 16.5, 16.6 | Customer

Use Azure Active Directory as the central authentication and authorization system. Azure AD protects data by using strong encryption for data at rest and in transit. Azure AD also salts, hashes, and securely stores user credentials.

3.10: Regularly review and reconcile user access

Azure ID | CIS IDs | Responsibility
3.10 | 16.9, 16.10 | Customer

Azure AD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.

3.11: Monitor attempts to access deactivated credentials

Azure ID | CIS IDs | Responsibility
3.11 | 16.12 | Customer

You have access to the Azure AD Sign-in Activity, Audit and Risk Event log sources, which allow you to integrate with any SIEM/monitoring tool.

You can streamline this process by creating Diagnostic Settings for Azure Active Directory user accounts and sending the audit logs and sign-in logs to a Log Analytics Workspace. You can configure the desired alerts within the Log Analytics Workspace.
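The alert logic for this control, as an added example that is not part of the benchmark page: a KQL query you could place in a Log Analytics alert rule, plus the same triage implemented in PowerShell over sign-in records. It assumes the SigninLogs table populated by the Diagnostic Settings described above; the function name, the threshold, the look-back window and the sample records are assumptions.

```powershell
# Added example: flag sign-in attempts against accounts that no longer should authenticate.
# AADSTS result codes used: 50057 = the user account is disabled,
#                           50034 = the user account does not exist in the directory.
$DeactivatedCodes = @('50057', '50034')

# KQL for a scheduled alert rule on the Log Analytics workspace (assumed 1-hour look-back).
$Kql = @"
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType in ("50057", "50034")
| summarize Attempts = count(), SourceIPs = make_set(IPAddress), Apps = make_set(AppDisplayName)
    by UserPrincipalName, ResultType
| where Attempts >= 3
"@
# To run it ad hoc instead of as an alert rule (Az.OperationalInsights module):
#   (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $Kql).Results

# The same triage over records already in memory, e.g. an export from the workspace.
function Find-DeactivatedAccountAttempts {
    param([Parameter(Mandatory)][object[]]$Records, [int]$Threshold = 3)
    $Records |
        Where-Object { $DeactivatedCodes -contains "$($_.ResultType)" } |
        Group-Object UserPrincipalName, ResultType |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.Group[0].UserPrincipalName
                ResultType        = $_.Group[0].ResultType
                Attempts          = $_.Count
                # Several distinct source addresses for one disabled account is worth a look
                SourceIPs         = ($_.Group.IPAddress | Sort-Object -Unique) -join ','
            }
        } |
        Where-Object { $_.Attempts -ge $Threshold }
}

# Constructed sample records (fictitious users, RFC 5737 documentation addresses).
$Sample = @(
    [pscustomobject]@{ UserPrincipalName='leaver@example.com';  ResultType='50057'; IPAddress='203.0.113.10' }
    [pscustomobject]@{ UserPrincipalName='leaver@example.com';  ResultType='50057'; IPAddress='203.0.113.11' }
    [pscustomobject]@{ UserPrincipalName='leaver@example.com';  ResultType='50057'; IPAddress='203.0.113.11' }
    [pscustomobject]@{ UserPrincipalName='typo@example.com';    ResultType='50034'; IPAddress='198.51.100.7' }
    [pscustomobject]@{ UserPrincipalName='alice@example.com';   ResultType='0';     IPAddress='198.51.100.9' }
)
# Only leaver@example.com (3 attempts from 2 addresses) crosses the threshold.
Find-DeactivatedAccountAttempts -Records $Sample | Format-Table -AutoSize
```

A single failed attempt against a disabled account is usually a cached credential in an old mailbox client; repeated attempts from several addresses are the pattern worth routing to the SIEM.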

Next steps