Security Control V2: Identity Management

Identity Management covers controls to establish a secure identity and access controls using Azure Active Directory. This includes the use of single sign-on, strong authentication, managed identities (and service principals) for applications, conditional access, and account anomaly monitoring.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Azure ID    CIS Controls v7.1 ID(s)    NIST SP800-53 r4 ID(s)
IM-1        16.1, 16.2, 16.4, 16.5     IA-2, IA-8, AC-2, AC-3

Azure Active Directory (Azure AD) is Azure's default identity and access management service. You should standardize on Azure AD to govern your organization's identity and access management in:

  • Azure cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.

  • Your organization's resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority in your organization's cloud security practice. Azure AD provides an identity secure score to help you assess your identity security posture relative to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Note: Azure AD supports external identity providers, which allow users without a Microsoft account to sign in to their applications and resources with their external identity.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

IM-2: Manage application identities securely and automatically

Azure ID    CIS Controls v7.1 ID(s)    NIST SP800-53 r4 ID(s)
IM-2        N/A                        AC-2, AC-3, IA-2, IA-4, IA-9

For non-human accounts such as services or automation, use Azure managed identities instead of creating a more powerful human account to access resources or execute code. Azure managed identities can authenticate to Azure services and resources that support Azure AD authentication. Authentication is enabled through pre-defined access grant rules, avoiding hard-coded credentials in source code or configuration files.

For services that do not support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level instead. It is recommended to configure service principals with certificate credentials and fall back to client secrets. In both cases, Azure Key Vault can be used in conjunction with Azure managed identities, so that the runtime environment (such as an Azure function) can retrieve the credential from the key vault.

Use Azure Key Vault for security principal registration: authentication#authorize-a-security-principal-to-access-key-vault

Responsibility: Customer

Customer Security Stakeholders (Learn more):

IM-3: Use Azure AD single sign-on (SSO) for application access

Azure ID    CIS Controls v7.1 ID(s)    NIST SP800-53 r4 ID(s)
IM-3        4.4                        IA-2, IA-4

Azure AD provides identity and access management to Azure resources, cloud applications, and on-premises applications. Identity and access management applies to enterprise identities such as employees, as well as external identities such as partners, vendors, and suppliers.

Use Azure AD single sign-on (SSO) to manage and secure access to your organization's data and resources on-premises and in the cloud. Connect all your users, applications, and devices to Azure AD for seamless, secure access, and greater visibility and control.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

IM-4: Use strong authentication controls for all Azure Active Directory based access

Azure ID    CIS Controls v7.1 ID(s)              NIST SP800-53 r4 ID(s)
IM-4        4.2, 4.4, 4.5, 11.5, 12.11, 16.3     AC-2, AC-3, IA-2, IA-4

Azure AD supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods.

  • Multi-factor authentication: Enable Azure AD MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors.

  • Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, the Microsoft Authenticator app, and on-premises authentication methods such as smart cards.

For administrators and privileged users, ensure the highest level of strong authentication method is used, then roll out the appropriate strong authentication policy to other users.

If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy, while hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. When using password-based authentication, Azure AD provides a password protection capability that prevents users from setting passwords that are easy to guess. Microsoft provides a global list of banned passwords that is updated based on telemetry, and customers can augment the list based on their needs (e.g. branding, cultural references, etc.). This password protection can be used for cloud-only and hybrid accounts.

Note: Authentication based on password credentials alone is susceptible to popular attack methods. For higher security, use strong authentication such as MFA and a strong password policy. For third-party applications and marketplace services that may ship with default passwords, change them during initial service setup.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

IM-5: Monitor and alert on account anomalies

Azure ID    CIS Controls v7.1 ID(s)    NIST SP800-53 r4 ID(s)
IM-5        4.8, 4.9, 16.12, 16.13     AC-2, AC-3, AC-7, AU-6

Azure AD provides the following data sources:

  • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.

  • Audit logs - Provides traceability through logs for all changes made through various features in Azure AD. Examples of changes recorded in the audit logs include adding or removing users, apps, groups, roles, and policies.

  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

These data sources can be integrated with Azure Monitor or third-party SIEM systems.

Azure Security Center can also alert on certain suspicious activities, such as an excessive number of failed authentication attempts and deprecated accounts in the subscription.

Azure Advanced Threat Protection (ATP) is a security solution that can use on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.
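To show what "alert on an excessive number of failed authentication attempts" looks like once the sign-in data source above is exported to a SIEM, here is an added example (not from the benchmark or from Microsoft) that runs simple detections over constructed records shaped like Azure AD SigninLogs rows. The field names (TimeGenerated, UserPrincipalName, IPAddress, ResultType, RiskLevelDuringSignIn), the threshold and the window are this example's assumptions; the sample users and IPs are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(minute, upn, ip, result, risk="none"):
    """Constructed record shaped like an Azure AD SigninLogs row (sample data, not a real tenant)."""
    return {"TimeGenerated": f"2024-05-01T08:{minute:02d}:00Z", "UserPrincipalName": upn,
            "IPAddress": ip, "ResultType": result, "RiskLevelDuringSignIn": risk}

# ResultType "0" is a successful sign-in; 50126 is Azure AD's "invalid username or password" code.
SIGNINS = [rec(m, "alice@contoso.example", "203.0.113.10", "50126") for m in range(6)]
SIGNINS += [rec(6, "alice@contoso.example", "203.0.113.10", "0"),
            rec(3, "bob@contoso.example", "198.51.100.7", "50126"),
            rec(9, "carol@contoso.example", "192.0.2.44", "0", risk="high")]

def _ts(r):
    return datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))

def excessive_failures(records, threshold=5, window=timedelta(minutes=10)):
    """Map (user, source IP) -> largest number of failures inside any `window`, kept only if >= threshold."""
    per_key = defaultdict(list)
    for r in sorted(records, key=_ts):
        if r["ResultType"] != "0":
            per_key[(r["UserPrincipalName"], r["IPAddress"])].append(_ts(r))
    hits = {}
    for key, times in per_key.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                hits[key] = max(hits.get(key, 0), n)
    return hits

def success_after_burst(records, threshold=5, window=timedelta(minutes=10)):
    """(user, IP) pairs where a success is preceded within `window` by a failure burst: the guess that landed."""
    found = set()
    for r in records:
        if r["ResultType"] != "0":
            continue
        key = (r["UserPrincipalName"], r["IPAddress"])
        prior = [x for x in records if (x["UserPrincipalName"], x["IPAddress"]) == key
                 and x["ResultType"] != "0" and timedelta(0) <= _ts(r) - _ts(x) <= window]
        if len(prior) >= threshold:
            found.add(key)
    return found

def risky_users(records):
    """Users whose sign-in carried an Identity Protection risk level that warrants triage."""
    return sorted({r["UserPrincipalName"] for r in records
                   if r["RiskLevelDuringSignIn"] in ("medium", "high")})
```

The second detection is the one worth paging on: a burst of failures that ends in a success from the same address is a stronger signal than the failures alone.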

Responsibility: Customer

Customer Security Stakeholders (Learn more):

IM-6: Restrict Azure resource access based on conditions

Azure ID    CIS Controls v7.1 ID(s)    NIST SP800-53 r4 ID(s)
IM-6        N/A                        AC-2, AC-3

Use Azure AD conditional access for more granular access control based on user-defined conditions, such as requiring user logins from certain IP ranges to use MFA. Granular authentication session management can also be applied through Azure AD conditional access policies for different use cases.
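To make the evaluation order of such a policy concrete, the following added example (not the benchmark's or Microsoft's code, and not how Azure AD is implemented) models a policy in the shape of a Microsoft Graph conditionalAccessPolicy and evaluates constructed sign-ins against it. The named locations, CIDR ranges, users and the break-glass exclusion are assumptions; the policy requires MFA everywhere except a trusted office range.

```python
import ipaddress

# Named locations as Azure AD would reference them by id (constructed ranges from RFC 5737 space).
NAMED_LOCATIONS = {
    "loc-branch-office": ["203.0.113.0/24"],
    "loc-vpn-egress": ["198.51.100.0/25"],
}

# Simplified policy in the Graph conditionalAccessPolicy shape (constructed for this example).
POLICY = {
    "displayName": "Require MFA for sign-ins outside the branch office",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass@contoso.example"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-branch-office"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def in_location(ip, location_id):
    """True if `ip` falls inside the named location; the pseudo-location "All" matches any address."""
    if location_id == "All":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in NAMED_LOCATIONS[location_id])

def policy_applies(policy, s):
    """Assignment check: exclusions win over inclusions, for users, apps and locations alike."""
    c = policy["conditions"]
    users, apps, locs = c["users"], c["applications"], c["locations"]
    if s["user"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and s["user"] not in users["includeUsers"]:
        return False
    if "All" not in apps["includeApplications"] and s["app"] not in apps["includeApplications"]:
        return False
    if any(in_location(s["ip"], loc) for loc in locs.get("excludeLocations", [])):
        return False
    return any(in_location(s["ip"], loc) for loc in locs["includeLocations"])

def evaluate(policy, s):
    """Return "grant", "require_mfa" or "block" for a sign-in dict {user, app, ip, mfa_satisfied}."""
    if policy["state"] != "enabled" or not policy_applies(policy, s):
        return "grant"  # no enabled policy in scope: nothing is enforced
    controls = policy["grantControls"]["builtInControls"]
    if "block" in controls:
        return "block"
    if "mfa" in controls and not s["mfa_satisfied"]:
        return "require_mfa"
    return "grant"
```

Note that the break-glass exclusion means that account is never challenged; in practice such accounts are covered by separate monitoring (IM-5) rather than by this policy.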

Responsibility: Customer

Customer Security Stakeholders (Learn more):

IM-7: Eliminate unintended credential exposure

Azure ID    CIS Controls v7.1 ID(s)    NIST SP800-53 r4 ID(s)
IM-7        18.1, 18.7                 IA-5

Implement Azure DevOps Credential Scanner to identify credentials within the code. Credential Scanner also encourages moving discovered credentials to more secure locations such as Azure Key Vault.

For GitHub, you can use the native secret scanning feature to identify credentials or other forms of secrets within the code.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

IM-8: Secure user access to legacy applications

Azure ID    CIS Controls v7.1 ID(s)    NIST SP800-53 r4 ID(s)
IM-8        14.6                       AC-2, AC-3, SC-11

Ensure you have modern access controls and session monitoring for legacy applications and the data they store and process. While VPNs are commonly used to access legacy applications, they often have only basic access control and limited session monitoring.

Azure AD Application Proxy enables you to publish legacy on-premises applications to remote users with single sign-on (SSO) while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access.

Alternatively, Microsoft Cloud App Security is a cloud access security broker (CASB) service that can provide controls for monitoring a user's application sessions and blocking actions (for both legacy on-premises applications and cloud software as a service (SaaS) applications).

Responsibility: Customer

Customer Security Stakeholders (Learn more):