安全框架：通信安全 | 缓解措施Security Frame: Communication Security | Mitigations

• 使用 SSL/TLS 保护与事件中心之间的通信Secure communication to Event Hub using SSL/TLS

• 检查服务帐户特权，并检查自定义服务或 ASP.NET 页面是否遵循 CRM 的安全性Check service account privileges and check that the custom Services or ASP.NET Pages respect CRM's security

• 将本地 SQL Server 连接到 Azure 数据工厂时使用数据管理网关Use Data management gateway while connecting On-premises SQL Server to Azure Data Factory

• 确保发往标识服务器的所有流量都通过 HTTPS 连接传输Ensure that all traffic to Identity Server is over HTTPS connection

• 验证用于对 SSL、TLS 和 DTLS 连接进行身份验证的 X.509 证书Verify X.509 certificates used to authenticate SSL, TLS, and DTLS connections
• 在 Azure 应用服务中为自定义域配置 TLS/SSL 证书Configure TLS/SSL certificate for custom domain in Azure App Service
• 强制要求发往 Azure 应用服务的所有流量都通过 HTTPS 连接传输Force all traffic to Azure App Service over HTTPS connection
• 启用 HTTP 严格传输安全性 (HSTS)Enable HTTP Strict Transport Security (HSTS)

• 确保加密 SQL Server 连接并验证证书Ensure SQL server connection encryption and certificate validation
• 强制以加密形式来与 SQL Server 通信Force Encrypted communication to SQL server

• 确保与 Azure 存储之间的通信通过 HTTPS 进行Ensure that communication to Azure Storage is over HTTPS
• 如果无法启用 HTTPS，请在下载 Blob 后验证 MD5 哈希Validate MD5 hash after downloading blob if HTTPS cannot be enabled
• 使用 SMB 3.0 兼容的客户端来确保传输到 Azure 文件共享的数据经过加密Use SMB 3.0 compatible client to ensure in-transit data encryption to Azure File Shares

• 实施证书绑定Implement Certificate Pinning

• 启用 HTTPS - 安全传输通道Enable HTTPS - Secure Transport channel
• WCF：将消息安全保护级别设置为 EncryptAndSignWCF: Set Message security Protection level to EncryptAndSign
• WCF：使用最低特权帐户运行 WCF 服务WCF: Use a least-privileged account to run your WCF service

• 强制要求发往 Web API 的所有流量都通过 HTTPS 连接传输Force all traffic to Web APIs over HTTPS connection

• 确保与 Azure Cache for Redis 之间的通信通过 TLS 进行Ensure that communication to Azure Cache for Redis is over TLS

• 保护设备与现场网关之间的通信Secure Device to Field Gateway communication

• 使用 SSL/TLS 保护设备与云网关之间的通信Secure Device to Cloud Gateway communication using SSL/TLS

需要使用数据管理网关 (DMG) 工具连接到受企业网络或防火墙保护的数据源。The Data Management Gateway (DMG) tool is required to connect to data sources which are protected behind corpnet or a firewall.

1. 锁定计算机可以隔离 DMG 工具，防止不正常的程序损坏源计算机或者窥视其数据。Locking down the machine isolates the DMG tool and prevents malfunctioning programs from damaging or snooping on the data source machine. （例如，(E.g. 必须安装最新的更新、启用所需的最少量端口、预配受控帐户、审核启用、启用磁盘加密，等等。）latest updates must be installed, enable minimum required ports, controlled accounts provisioning, auditing enabled, disk encryption enabled etc.)
2. 必须经常或者每当 DMG 服务帐户密码续订时轮替数据网关密钥Data Gateway key must be rotated at frequent intervals or whenever the DMG service account password renews
3. 通过链接服务传输的数据必须加密Data transits through Link Service must be encrypted

使用 SSL、TLS 或 DTLS 的应用程序必须全面验证它们所要连接到的实体的 X.509 证书。Applications that use SSL, TLS, or DTLS must fully verify the X.509 certificates of the entities they connect to. 这包括验证证书的以下信息：This includes verification of the certificates for:

• 域名Domain name
• 生效日期（开始日期和过期日期）Validity dates (both beginning and expiration dates)
• 吊销状态Revocation status
• 用途（例如，对服务器进行服务器身份验证，对客户端进行客户端身份验证）Usage (for example, Server Authentication for servers, Client Authentication for clients)
• 信任链。Trust chain. 证书必须链接到平台信任的或者由管理员显式配置的根证书颁发机构 (CA)Certificates must chain to a root certification authority (CA) that is trusted by the platform or explicitly configured by the administrator
• 证书公钥的密钥长度必须 >2048 位Key length of certificate's public key must be >2048 bits
• 哈希算法必须是 SHA256 和更高级别Hashing algorithm must be SHA256 and above

尽管 Azure 已使用 *.chinacloudsites.cn 域的通配符证书为 Azure 应用服务启用了 HTTPS，但它并不强制实施 HTTPS。Though Azure already enables HTTPS for Azure app services with a wildcard certificate for the domain *.chinacloudsites.cn, it do not enforce HTTPS. 访问者仍可使用 HTTP 访问应用，这可能会损害应用的安全性，因此必须显式强制 HTTPS。Visitors may still access the app using HTTP, which may compromise the app's security and hence HTTPS has to be enforced explicitly. ASP.NET MVC 应用程序应使用 RequireHttps 筛选器，强制要求通过 HTTPS 重新发送不安全的 HTTP 请求。ASP.NET MVC applications should use the RequireHttps filter that forces an unsecured HTTP request to be re-sent over HTTPS.

或者，可以使用 Azure 应用服务随附的 URL 重写模块来强制 HTTPS。Alternatively, the URL Rewrite module, which is included with Azure App Service can be used to enforce HTTPS. 开发人员可以使用 URL 重写模块来定义将请求传递给应用程序之前应用到传入请求的规则。URL Rewrite module enables developers to define rules that are applied to incoming requests before the requests are handed to your application. URL 重写规则在 web.config 文件中定义，该文件存储在应用程序根目录中。URL Rewrite rules are defined in a web.config file stored in the root of the application

HTTP 严格传输安全性 (HSTS) 是 Web 应用程序使用特殊响应标头指定的一个选用的安全增强功能。HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. 支持的浏览器收到此标头后，将阻止通过 HTTP 将任何通信发送到指定的域，并改为通过 HTTPS 发送所有通信。Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. 它还可以防止浏览器中出现 HTTPS 点击提示。It also prevents HTTPS click through prompts on browsers.

若要实现 HSTS，必须在代码或配置中为网站全局配置以下响应标头。Strict-Transport-Security: max-age=300; includeSubDomains。HSTS 可解决以下威胁：To implement HSTS, the following response header has to be configured for a website globally, either in code or in config. Strict-Transport-Security: max-age=300; includeSubDomains HSTS addresses the following threats:

• 用户将 https://example.com 加入书签或手动键入时容易受到中间人攻击者的攻击：HSTS 会自动将 HTTP 请求重定向到目标域的 HTTPSUser bookmarks or manually types https://example.com and is subject to a man-in-the-middle attacker: HSTS automatically redirects HTTP requests to HTTPS for the target domain
• 纯粹只进行 HTTPS 通信的 Web 应用程序无意中包含 HTTP 链接或通过 HTTP 提供内容：HSTS 会自动将 HTTP 请求重定向到目标域的 HTTPSWeb application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP: HSTS automatically redirects HTTP requests to HTTPS for the target domain
• 中间人攻击者试图使用无效的证书来截获受害用户发送的流量，并希望此用户接受错误的证书：HSTS 不允许用户替代无效的证书消息A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate: HSTS does not allow a user to override the invalid certificate message

SQL 数据库与客户端应用程序之间的所有通信始终使用传输层安全性（TLS，以前称为安全套接字层 (SSL)）进行加密。All communications between SQL Database and a client application are encrypted using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), at all times. SQL 数据库不支持未加密的连接。SQL Database doesn't support unencrypted connections. 若要使用应用程序代码或工具验证证书，需显式请求一个加密的连接并且不信任服务器证书。To validate certificates with application code or tools, explicitly request an encrypted connection and do not trust the server certificates. 即使应用程序代码或工具未请求加密的连接，它们仍会收到加密的连接If your application code or tools do not request an encrypted connection, they will still receive encrypted connections

但是，它们可能不会验证服务器证书，因此将容易受到“中间人”攻击。However, they may not validate the server certificates and thus will be susceptible to "man in the middle" attacks. 若要使用 ADO.NET 应用程序代码验证证书，请在数据库连接字符串中设置 Encrypt=True 和 TrustServerCertificate=False。To validate certificates with ADO.NET application code, set Encrypt=True and TrustServerCertificate=False in the database connection string. 若要通过 SQL Server Management Studio 验证证书，请打开“连接到服务器”对话框。To validate certificates via SQL Server Management Studio, open the Connect to Server dialog box. 在“连接属性”选项卡中单击“加密连接”Click Encrypt connection on the Connection Properties tab

Windows Azure Blob 服务提供相应的机制来确保应用程序和传输层的数据完整性。Windows Azure Blob service provides mechanisms to ensure data integrity both at the application and transport layers. 如果出于任何原因需要使用 HTTP 而不是 HTTPS，并且使用的是块 Blob，则可以使用 MD5 检查，帮助验证正在传输的 Blob 的完整性。If for any reason you need to use HTTP instead of HTTPS and you are working with block blobs, you can use MD5 checking to help verify the integrity of the blobs being transferred

这会有助于防止网络/传输层错误，但不一定可帮助防止中间攻击。This will help with protection from network/transport layer errors, but not necessarily with intermediary attacks. 如果可以使用提供传输级安全的 HTTPS，则使用 MD5 检查就很多余且不必要。If you can use HTTPS, which provides transport level security, then using MD5 checking is redundant and unnecessary.

证书绑定可以防范中间人 (MITM) 攻击。Certificate pinning defends against Man-In-The-Middle (MITM) attacks. 绑定是将主机与其预期 X509 证书或公钥相关联的过程。Pinning is the process of associating a host with their expected X509 certificate or public key. 某个主机知悉或者识别到某个证书或公钥后，该证书或公钥将关联或“绑定”到该主机。Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host.

因此，当攻击者尝试展开 TLS MITM 攻击时，在 TLS 握手期间，攻击者服务器中的密钥将与绑定证书的密钥不同，因此会丢弃该请求，阻止 MITM。可以通过实现 ServicePointManager 的 ServerCertificateValidationCallback 委派来完成证书绑定。Thus, when an adversary attempts to do TLS MITM attack, during TLS handshake the key from attacker's server will be different from the pinned certificate's key, and the request will be discarded, thus preventing MITM Certificate pinning can be achieved by implementing ServicePointManager's ServerCertificateValidationCallback delegate.

• 解释： 如果应用程序需要处理敏感信息并且没有使用消息级别加密，则只应允许它通过加密的传输通道进行通信。EXPLANATION: If an application handles sensitive information and does not use message-level encryption, then it should only be allowed to communicate over an encrypted transport channel.
• 建议： 确保禁用 HTTP 传输，改为启用 HTTPS 传输。RECOMMENDATIONS: Ensure that HTTP transport is disabled and enable HTTPS transport instead. 例如，将 <httpTransport/> 替换为 <httpsTransport/> 标记。For example, replace the <httpTransport/> with <httpsTransport/> tag. 不要依赖使用网络配置（防火墙）来保证只能通过安全通道访问应用程序。Do not rely on a network configuration (firewall) to guarantee that the application can only be accessed over a secure channel. 从哲学的观点来讲，应用程序不应依赖于网络来保证其安全性。From a philosophical point of view, the application should not depend on the network for its security.

从实践的观点来讲，负责保护网络的人不会一直跟进应用程序的不断变化的安全要求。From a practical point of view, the people responsible for securing the network do not always track the security requirements of the application as they evolve.

• 解释： 当保护级别设置为“none”时，将禁用消息保护。EXPLANATION: When Protection level is set to "none" it will disable message protection. 保密性和完整性是使用适当的设置级别实现的。Confidentiality and integrity is achieved with appropriate level of setting.
• 建议：RECOMMENDATIONS:
  • 当 Mode=None 时 - 禁用消息保护when Mode=None - Disables message protection
  • 当 Mode=Sign 时 - 将消息签名但不加密；当数据完整性非常重要时应使用该设置when Mode=Sign - Signs but does not encrypt the message; should be used when data integrity is important
  • 当 Mode=EncryptAndSign 时 - 将消息签名并加密when Mode=EncryptAndSign - Signs and encrypts the message

请考虑禁用加密，仅当只是需要验证信息的完整性而不关心机密性时，才为消息签名。Consider turning off encryption and only signing your message when you just need to validate the integrity of the information without concerns of confidentiality. 对于需要验证原始发送者但不传输任何敏感数据的操作或服务约定，这种做法可能很有用。This may be useful for operations or service contracts in which you need to validate the original sender but no sensitive data is transmitted. 降低保护级别时，请注意不要在消息中包含任何个人数据。When reducing the protection level, be careful that the message does not contain any personal data.

• 解释： 不要在管理员或高特权帐户下运行 WCF 服务。EXPLANATION: Do not run WCF services under admin or high privilege account. 否则，如果服务遭到入侵，将导致严重影响。in case of services compromise it will result in high impact.
• 建议： 请使用最低特权帐户托管 WCF 服务，因为这样可以在遭到攻击时减小应用程序的攻击面，降低潜在损害。RECOMMENDATIONS: Use a least-privileged account to host your WCF service because it will reduce your application's attack surface and reduce the potential damage if you are attacked. 如果服务帐户需要 MSMQ、事件日志、性能计数器和文件系统等基础结构资源的其他访问权限，应该授予对这些资源的相应权限，使 WCF 服务能够成功运行。If the service account requires additional access rights on infrastructure resources such as MSMQ, the event log, performance counters, and the file system, appropriate permissions should be given to these resources so that the WCF service can run successfully.

如果服务需要代表原始调用方访问特定的资源，请使用模拟和委派来传送调用方的标识，以便在下游进行授权检查。If your service needs to access specific resources on behalf of the original caller, use impersonation and delegation to flow the caller's identity for a downstream authorization check. 在开发方案中，请使用本地网络服务帐户，这是一个特权降低的特殊内置帐户。In a development scenario, use the local network service account, which is a special built-in account that has reduced privileges. 在生产方案中，请创建最低特权的自定义域服务帐户。In a production scenario, create a least-privileged custom domain service account.