Security Control: Vulnerability Management

Vulnerability management recommendations focus on addressing issues related to continuously acquiring, assessing, and acting on new information in order to identify and remediate vulnerabilities, as well as minimizing the window of opportunity for attackers.

5.1: Run automated vulnerability scanning tools

Azure ID | CIS IDs | Responsibility
5.1 | 3.1, 3.2, 3.3 | Customer

Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers.

Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a JIT (just-in-time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

5.2: Deploy automated operating system patch management solution

Azure ID | CIS IDs | Responsibility
5.2 | 3.4 | Customer

For Windows VMs, ensure Windows Update has been enabled and set to update automatically.

5.3: Deploy automated patch management solution for third-party software titles

Azure ID | CIS IDs | Responsibility
5.3 | 3.5 | Customer

Use a third-party patch management solution. Customers already leveraging System Center Configuration Manager in their environment may leverage System Center Updates Publisher, allowing them to publish custom updates into Windows Server Update Services. This allows Update Manager to patch machines that use System Center Configuration Manager as their update repository with third-party software.

5.4: Compare back-to-back vulnerability scans

Azure ID | CIS IDs | Responsibility
5.4 | 3.6 | Customer

Export scan results at consistent intervals and compare the results to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you may pivot into the selected solution's portal to view historical scan data.

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Azure ID | CIS IDs | Responsibility
5.5 | 3.7 | Customer

Use a common risk scoring program (for example, the Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.
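Controls 5.4 and 5.5 together describe a procedure: diff consecutive scan exports to confirm remediation, then rank what is still open by a common risk score. The script below is an added example, not part of the Azure Security Benchmark or any scanner vendor's tooling; the export layout, host names and vulnerability IDs are constructed placeholders, and the severity bands are the CVSS v3.x qualitative ratings.

```python
# Added example (not from the benchmark page): compare two exported scan results
# (control 5.4) and rank the remaining findings by CVSS severity (control 5.5).
# The export format, host names and vulnerability IDs below are constructed.

# Constructed exports: one finding = host, vulnerability id, CVSS v3 base score.
PREVIOUS_SCAN = [
    {"host": "vm-web-01", "id": "PLACEHOLDER-VULN-1", "cvss": 9.8},
    {"host": "vm-web-01", "id": "PLACEHOLDER-VULN-2", "cvss": 5.3},
    {"host": "vm-db-01", "id": "PLACEHOLDER-VULN-3", "cvss": 7.5},
]
CURRENT_SCAN = [
    {"host": "vm-web-01", "id": "PLACEHOLDER-VULN-2", "cvss": 5.3},
    {"host": "vm-db-01", "id": "PLACEHOLDER-VULN-3", "cvss": 7.5},
    {"host": "vm-db-01", "id": "PLACEHOLDER-VULN-4", "cvss": 3.1},
]


def cvss_severity(score):
    """CVSS v3.x qualitative rating for a base score (None/Low/Medium/High/Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def _key(finding):
    # A finding is identified by the (host, vulnerability id) pair across scans.
    return (finding["host"], finding["id"])


def diff_scans(previous, current):
    """Classify findings across back-to-back scans: remediated, new, persistent."""
    prev = {_key(f) for f in previous}
    curr = {_key(f) for f in current}
    return {
        "remediated": sorted(prev - curr),  # present before, gone now
        "new": sorted(curr - prev),         # appeared since the previous scan
        "persistent": sorted(prev & curr),  # still open; candidates for 5.5 ranking
    }


def prioritize(findings):
    """Order open findings highest CVSS first, annotated with the qualitative rating."""
    ordered = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [(f["host"], f["id"], f["cvss"], cvss_severity(f["cvss"])) for f in ordered]


if __name__ == "__main__":
    for label, keys in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{label}: {keys}")
    for row in prioritize(CURRENT_SCAN):
        print(row)
```

A persistent finding that keeps its score across several consecutive exports is the case worth escalating, since it means the remediation recorded for it did not take effect on that host.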

Next steps