Security Control V2: Privileged Access

Privileged Access covers controls to protect privileged access to your Azure tenant and resources. This includes a range of controls to protect your administrative model, administrative accounts, and privileged access workstations against deliberate and inadvertent risk.

PA-1: Protect and limit highly privileged users

Azure ID   CIS Controls v7.1 ID(s)   NIST SP800-53 r4 ID(s)
PA-1       4.3, 4.8                  AC-2

Limit the number of highly privileged user accounts, and protect these accounts at an elevated level. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment:

  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.

  • Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.

Note: You may have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. You may also want to apply similar controls to the administrator accounts of critical business assets.

You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT grants temporary permissions to perform privileged tasks only when users need them. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PA-2: Restrict administrative access to business-critical systems

Azure ID   CIS Controls v7.1 ID(s)   NIST SP800-53 r4 ID(s)
PA-2       13.2, 2.10                AC-2, SC-3, SC-7

Isolate access to business-critical systems by restricting which accounts are granted privileged access to the subscriptions and management groups they are in. Ensure that you also restrict access to the management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

All types of access controls should be aligned to your enterprise segmentation strategy to ensure consistent access control.

Ensure that you assign separate privileged accounts that are distinct from the standard user accounts used for email, browsing, and productivity tasks.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PA-3: Review and reconcile user access regularly

Azure ID   CIS Controls v7.1 ID(s)   NIST SP800-53 r4 ID(s)
PA-3       4.1, 16.9, 16.10          AC-2

Review user accounts and access assignments regularly to ensure the accounts and their level of access are valid. You can use Azure AD access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management to create an access review report workflow that facilitates the review process. In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.

Note: Some Azure services support local users and roles that aren't managed through Azure AD. You must manage these users separately.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PA-4: Set up emergency access in Azure AD

Azure ID   CIS Controls v7.1 ID(s)   NIST SP800-53 r4 ID(s)
PA-4       16                        AC-2, CP-2

To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used. You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them, and only in an emergency.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PA-5: Automate entitlement management

Azure ID   CIS Controls v7.1 ID(s)   NIST SP800-53 r4 ID(s)
PA-5       16                        AC-2, AC-5, PM-10

Use Azure AD entitlement management features to automate access request workflows, including access assignments, reviews, and expiration. Dual or multi-stage approval is also supported.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PA-6: Use privileged access workstations

Azure ID   CIS Controls v7.1 ID(s)   NIST SP800-53 r4 ID(s)
PA-6       4.6, 11.6, 12.12          AC-2, SC-3, SC-7

Secured, isolated workstations are critically important for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and/or Azure Bastion for administrative tasks. Use Azure Active Directory, Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce a secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

PA-7: Follow just enough administration (least privilege principle)

Azure ID   CIS Controls v7.1 ID(s)   NIST SP800-53 r4 ID(s)
PA-7       14.6                      AC-2, AC-3, SC-3

Azure role-based access control (Azure RBAC) allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. Use built-in roles to allocate permissions and only create custom roles when required.
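The periodic review that PA-3 and PA-7 call for can be partly automated against an RBAC inventory exported with Azure CLI. The script below is an added example, not part of the benchmark and not Microsoft's tooling: it takes a JSON export in the shape produced by `az role assignment list --all` (field names `principalId`, `principalName`, `principalType`, `roleDefinitionName`, `scope`) and flags standing Owner/Contributor/User Access Administrator assignments at subscription or management-group scope, noting when such a role is bound directly to a user rather than granted through a group or PIM. The embedded export and the set of roles treated as high-privilege are constructed assumptions for the example.

```python
"""Review an Azure RBAC role-assignment export for least-privilege gaps (PA-3 / PA-7)."""
import json
from collections import Counter

# Assumption for this example: roles whose holders can directly or indirectly control
# everything beneath the scope they are assigned at.
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample in the shape of `az role assignment list --all -o json` (not real data).
SAMPLE_EXPORT = json.loads("""[
 {"principalId": "u1", "principalName": "alice@contoso.example", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalId": "g1", "principalName": "sg-platform-admins", "principalType": "Group",
  "roleDefinitionName": "Contributor", "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
 {"principalId": "sp1", "principalName": "ci-deploy", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
 {"principalId": "u2", "principalName": "bob@contoso.example", "principalType": "User",
  "roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}
]""")

def scope_kind(scope: str) -> str:
    """Classify an ARM scope string as managementGroup, subscription, resourceGroup or resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    parts = scope.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"

def find_broad_assignments(assignments):
    """Return (principal, role, scope kind, reason) for high-privilege roles held as standing
    assignments above resource-group scope; direct user assignments get an extra remark."""
    findings = []
    for a in assignments:
        kind = scope_kind(a["scope"])
        if a["roleDefinitionName"] in HIGH_PRIVILEGE_ROLES and kind in ("managementGroup", "subscription"):
            reason = "standing high-privilege role at %s scope" % kind
            if a["principalType"] == "User":
                reason += "; assigned directly to a user rather than via a group or PIM"
            findings.append((a["principalName"], a["roleDefinitionName"], kind, reason))
    return findings

def count_privileged_principals(assignments):
    """Count distinct principals holding any high-privilege role, by principal type
    (a simple version of the 'excessive administrator accounts' check PA-3 describes)."""
    seen = {(a["principalId"], a["principalType"])
            for a in assignments if a["roleDefinitionName"] in HIGH_PRIVILEGE_ROLES}
    return Counter(ptype for _, ptype in seen)

if __name__ == "__main__":
    for finding in find_broad_assignments(SAMPLE_EXPORT):
        print("REVIEW: %s has %s at %s scope (%s)" % finding)
    print("privileged principals by type:", dict(count_privileged_principals(SAMPLE_EXPORT)))
```

On the sample, the resource-group-scoped service principal and the subscription-scoped Reader are not flagged; only the user-held Owner and the group-held Contributor at management-group scope are reported for review.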

Responsibility: Customer

Customer Security Stakeholders (Learn more):