Security Control: Identity and Access Control

Identity and access management recommendations focus on addressing issues related to identity-based access control, locking down administrative access, alerting on identity-related events, abnormal account behavior, and role-based access control.

3.1: Maintain an inventory of administrative accounts

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 3.1      | 4.1     | Customer       |

Azure AD has built-in roles that must be explicitly assigned and are queryable. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.
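The following is an added example of such an ad hoc query, not code from the original page or from Microsoft. It uses the AzureAD PowerShell module cmdlets Get-AzureADDirectoryRole and Get-AzureADDirectoryRoleMember to build an inventory of everyone holding an administrator role, and assumes the module is installed and the signed-in account can read directory roles; the output file name is a constructed choice.

```powershell
# Added example (not from the original page): enumerate members of Azure AD
# administrative roles with the AzureAD PowerShell module. Assumes the
# AzureAD module is installed and Connect-AzureAD succeeds with an account
# permitted to read directory roles.
Connect-AzureAD | Out-Null

# Get-AzureADDirectoryRole returns only roles that have been activated in
# the tenant; a role template nobody has ever been assigned will not appear.
$adminRoles = Get-AzureADDirectoryRole | Where-Object {
    $_.DisplayName -like '*Administrator*'
}

$inventory = foreach ($role in $adminRoles) {
    # Members may be users, groups or service principals; UserPrincipalName
    # is empty for the non-user kinds, which is itself useful to see.
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        [PSCustomObject]@{
            Role           = $role.DisplayName
            Member         = $_.DisplayName
            Upn            = $_.UserPrincipalName
            ObjectType     = $_.ObjectType
            AccountEnabled = $_.AccountEnabled
        }
    }
}

# Show the inventory and persist it, so each run can be diffed against the
# previous one to spot administrators that were added or left enabled.
$inventory | Sort-Object Role, Member | Format-Table -AutoSize
$csvPath = ".\aad-admin-inventory-$(Get-Date -Format yyyyMMdd).csv"   # constructed path
$inventory | Export-Csv -Path $csvPath -NoTypeInformation
```

Comparing the CSV from successive runs is the practical part: a new row in a Global Administrator role, or a disabled account still holding a role, is what the inventory exists to surface.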

3.2: Change default passwords where applicable

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 3.2      | 4.2     | Customer       |

Azure AD does not have the concept of default passwords. Other Azure resources that require a password force one to be created with complexity requirements and a minimum password length, which differ depending on the service. You are responsible for third-party applications and marketplace services that may use default passwords.

3.3: Use dedicated administrative accounts

| Azure ID | CIS IDs | Responsibility |
|----------|---------|----------------|
| 3.3      | 4.3     | Customer       |

Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.

You can also enable Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management privileged roles for Microsoft services and Azure Resource Manager.

3.4: Use Azure Active Directory

| Azure ID | CIS IDs                      | Responsibility |
|----------|------------------------------|----------------|
| 3.9      | 16.1, 16.2, 16.4, 16.5, 16.6 | Customer       |

Use Azure Active Directory (AAD) as the central authentication and authorization system. AAD protects data by using strong encryption for data at rest and in transit. AAD also salts, hashes, and securely stores user credentials.

3.5: Regularly review and reconcile user access

| Azure ID | CIS IDs    | Responsibility |
|----------|------------|----------------|
| 3.10     | 16.9, 16.10 | Customer      |

Azure AD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right users have continued access.
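As an added example of the role-assignment part of such a review, and not code from the original page or from Microsoft, the script below uses the Az PowerShell module's Get-AzRoleAssignment to list privileged Azure RBAC assignments in the current subscription and flag the ones a reviewer would want to reconcile. It assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount succeeds with at least Reader rights; the set of roles treated as privileged and the three flagging rules are the author's own choices.

```powershell
# Added example (not from the original page): review Azure RBAC role
# assignments with the Az PowerShell module and flag the ones worth
# reconciling. Assumes Az.Accounts and Az.Resources are installed and
# Connect-AzAccount succeeds with Reader rights on the subscription.
Connect-AzAccount | Out-Null

# Roles treated as privileged for this review (assumption, adjust to taste).
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

$assignments = Get-AzRoleAssignment | Where-Object {
    $_.RoleDefinitionName -in $privilegedRoles
}

$findings = foreach ($a in $assignments) {
    $reason = $null
    # ObjectType 'Unknown' means the assigned principal no longer exists in
    # the directory: an orphaned assignment that should simply be removed.
    if ($a.ObjectType -eq 'Unknown') {
        $reason = 'Principal deleted'
    }
    # Subscription-wide privilege deserves stricter scrutiny than an
    # assignment scoped to one resource group or resource.
    elseif ($a.Scope -match '^/subscriptions/[^/]+$') {
        $reason = 'Subscription-wide privilege'
    }
    # Guest (B2B) users carry #EXT# in the sign-in name and are a common
    # source of access that outlives the project that granted it.
    elseif ($a.SignInName -like '*#EXT#*') {
        $reason = 'Guest account'
    }

    if ($reason) {
        [PSCustomObject]@{
            Principal = $a.DisplayName
            SignIn    = $a.SignInName
            Role      = $a.RoleDefinitionName
            Scope     = $a.Scope
            Reason    = $reason
        }
    }
}

$findings | Sort-Object Reason, Principal | Format-Table -AutoSize
```

Each flagged row is a question for the resource owner rather than an automatic removal: the orphaned assignments can go immediately, while subscription-wide and guest assignments need an owner to confirm they are still required.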

Next steps