Security best practices for IaaS workloads in Azure

This article describes security best practices for VMs and operating systems.

The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Because opinions and technologies can change over time, this article will be updated to reflect those changes.

In most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) are the main workload for organizations that use cloud computing. This fact is evident in hybrid scenarios where organizations want to slowly migrate workloads to the cloud. In such scenarios, follow the general security considerations for IaaS, and apply security best practices to all your VMs.

Protect VMs by using authentication and access control

The first step in protecting your VMs is to ensure that only authorized users can set up new VMs and access VMs.

Best practice: Control VM access.
Detail: Use Azure policies to establish conventions for resources in your organization and create customized policies. Apply these policies to resources, such as resource groups. VMs that belong to a resource group inherit its policies.

If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into management groups (containers) and apply your governance conditions to those groups. All subscriptions within a management group automatically inherit the conditions applied to the group. Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.

Best practice: Reduce variability in your setup and deployment of VMs.
Detail: Use Azure Resource Manager templates to strengthen your deployment choices and make it easier to understand and inventory the VMs in your environment.

Best practice: Secure privileged access.
Detail: Use a least privilege approach and built-in Azure roles to enable users to access and set up VMs:

  • Virtual Machine Contributor: Can manage VMs, but not the virtual network or storage account to which they are connected.
  • Classic Virtual Machine Contributor: Can manage VMs created by using the classic deployment model, but not the virtual network or storage account to which the VMs are connected.
  • Security Admin: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
  • DevTest Labs User: Can view everything and connect, start, restart, and shut down VMs.

Your subscription admins and coadmins can change this setting, making them administrators of all the VMs in a subscription. Be sure that you trust all of your subscription admins and coadmins to log in to any of your machines.
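The least-privilege assignment and the admin review described above, as an added Az PowerShell example (not code from the article): it grants the built-in Virtual Machine Contributor role to an operations group at resource-group scope only, then lists every principal holding Owner or Contributor at subscription scope so that list can be checked against the admins you actually trust. The group name, resource group name and subscription id are assumed placeholders; the session is assumed to be signed in with Connect-AzAccount and to have Az.Resources loaded.

```powershell
# Added example, not part of the original article. Assumed names below.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id
$resourceGroup  = "rg-app-prod"                            # assumed resource group
$groupName      = "vm-operators"                           # assumed Azure AD group

# Scope the assignment to one resource group, not the whole subscription:
# members can manage VMs in it but not the virtual network or storage
# accounts the VMs are connected to (that is what the built-in role allows).
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Azure AD group '$groupName' not found" }

New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Virtual Machine Contributor" `
    -ResourceGroupName $resourceGroup | Out-Null

# Review: anyone with Owner or Contributor at subscription scope can change
# VM access for every VM in the subscription. Inherited assignments from
# management groups are excluded here by matching the scope exactly; widen
# the filter if you also want to see those.
$subscriptionScope = "/subscriptions/$subscriptionId"
$broadAssignments = Get-AzRoleAssignment -Scope $subscriptionScope |
    Where-Object {
        $_.Scope -eq $subscriptionScope -and
        $_.RoleDefinitionName -in @("Owner", "Contributor")
    }

# Each entry should be a trusted admin or a break-glass account; anything
# else is a candidate for moving down to resource-group scope.
$broadAssignments |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName |
    Sort-Object RoleDefinitionName, DisplayName |
    Format-Table -AutoSize
```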

We recommend that you consolidate VMs with the same lifecycle into the same resource group. By using resource groups, you can deploy, monitor, and roll up billing costs for your resources.

Organizations that control VM access and setup improve their overall VM security.

Use multiple VMs for better availability

If your VM runs critical applications that need to have high availability, we strongly recommend that you use multiple VMs. For better availability, use an availability set.

An availability set is a logical grouping that you can use in Azure to ensure that the VM resources you place within it are isolated from each other when they're deployed in an Azure datacenter. Azure ensures that the VMs you place in an availability set run across multiple physical servers, compute racks, storage units, and network switches. If a hardware or Azure software failure occurs, only a subset of your VMs are affected, and your overall application continues to be available to your customers. Availability sets are an essential capability when you want to build reliable cloud solutions.

Protect against malware

You should install antimalware protection to help identify and remove viruses, spyware, and other malicious software. You can install Microsoft Antimalware or a Microsoft partner's endpoint protection solution (Trend Micro, Broadcom, McAfee, Windows Defender, and System Center Endpoint Protection).

Microsoft Antimalware includes features like real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, and exclusion event collection. For environments that are hosted separately from your production environment, you can use an antimalware extension to help protect your VMs and cloud services.

You can integrate Microsoft Antimalware and partner solutions with Azure Security Center for ease of deployment and built-in detections (alerts and incidents).

Best practice: Install an antimalware solution to protect against malware.
Detail: Install a Microsoft partner solution or Microsoft Antimalware.

Best practice: Integrate your antimalware solution with Security Center to monitor the status of your protection.
Detail: Manage endpoint protection issues with Security Center.

Manage your VM updates

Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. You need to manage your VM updates.

Best practice: Keep your VMs current.
Detail: Use the Update Management solution in Azure Automation to manage operating system updates for your Windows and Linux computers that are deployed in Azure, in on-premises environments, or in other cloud providers. You can quickly assess the status of available updates on all agent computers and manage the process of installing required updates for servers.

Computers that are managed by Update Management use the following configurations to perform assessment and update deployments:

  • Microsoft Monitoring Agent (MMA) for Windows or Linux
  • PowerShell Desired State Configuration (DSC) for Linux
  • Automation Hybrid Runbook Worker
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows computers

If you use Windows Update, leave the automatic Windows Update setting enabled.

Best practice: Ensure at deployment that images you built include the most recent round of Windows updates.
Detail: Check for and install all Windows updates as a first step of every deployment. This measure is especially important to apply when you deploy images that come from either you or your own library. Although images from the Azure Marketplace are updated automatically by default, there can be a lag time (up to a few weeks) after a public release.

Best practice: Periodically redeploy your VMs to force a fresh version of the OS.
Detail: Define your VM with an Azure Resource Manager template so you can easily redeploy it. Using a template gives you a patched and secure VM when you need it.

Best practice: Rapidly apply security updates to VMs.
Detail: Enable Azure Security Center (Free tier or Standard tier) to identify missing security updates and apply them.

Best practice: Install the latest security updates.
Detail: Some of the first workloads that customers move to Azure are labs and external-facing systems. If your Azure VMs host applications or services that need to be accessible to the internet, be vigilant about patching. Patch beyond the operating system. Unpatched vulnerabilities in partner applications can also lead to problems that can be avoided if good patch management is in place.

Best practice: Deploy and test a backup solution.
Detail: A backup needs to be handled the same way that you handle any other operation. This is true of systems that are part of your production environment extending to the cloud.

Test and dev systems must follow backup strategies that provide restore capabilities that are similar to what users have grown accustomed to, based on their experience with on-premises environments. Production workloads moved to Azure should integrate with existing backup solutions when possible. Or, you can use Azure Backup to help address your backup requirements.

Organizations that don't enforce software-update policies are more exposed to threats that exploit known, previously fixed vulnerabilities. To comply with industry regulations, companies must prove that they are diligent and using correct security controls to help ensure the security of their workloads located in the cloud.

Software-update best practices for a traditional datacenter and Azure IaaS have many similarities. We recommend that you evaluate your current software update policies to include VMs located in Azure.

Manage your VM security posture

Cyberthreats are evolving. Safeguarding your VMs requires a monitoring capability that can quickly detect threats, prevent unauthorized access to your resources, trigger alerts, and reduce false positives.

To monitor the security posture of your Windows and Linux VMs, use Azure Security Center. In Security Center, safeguard your VMs by taking advantage of the following capabilities:

  • Apply OS security settings with recommended configuration rules.
  • Identify and download system security and critical updates that might be missing.
  • Deploy recommendations for endpoint antimalware protection.
  • Validate disk encryption.
  • Assess and remediate vulnerabilities.
  • Detect threats.

Security Center can actively monitor for threats, and potential threats are exposed in security alerts. Correlated threats are aggregated in a single view called a security incident.

Security Center stores data in Azure Monitor logs. Azure Monitor logs provides a query language and analytics engine that gives you insights into the operation of your applications and resources. Data is also collected from Azure Monitor, management solutions, and agents installed on virtual machines in the cloud or on-premises. This shared functionality helps you form a complete picture of your environment.

Organizations that don't enforce strong security for their VMs remain unaware of potential attempts by unauthorized users to circumvent security controls.

Monitor VM performance

Resource abuse can be a problem when VM processes consume more resources than they should. Performance issues with a VM can lead to service disruption, which violates the security principle of availability. This is particularly important for VMs that are hosting IIS or other web servers, because high CPU or memory usage might indicate a denial of service (DoS) attack. It's imperative to monitor VM access not only reactively while an issue is occurring, but also proactively against baseline performance as measured during normal operation.

We recommend that you use Azure Monitor to gain visibility into your resource's health. Azure Monitor features:

Organizations that don't monitor VM performance can't determine whether certain changes in performance patterns are normal or abnormal. A VM that's consuming more resources than normal might indicate an attack from an external resource or a compromised process running in the VM.
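One way to turn the "monitor against a baseline" advice above into a concrete control, as an added Az PowerShell example (not code from the article): an Azure Monitor metric alert on the VM's "Percentage CPU" metric whose threshold is derived from a baseline you measured during normal operation, so a sustained spike on a web server is raised to an action group instead of being discovered after the outage. The resource names, the baseline value and the action group id are assumed placeholders; Az.Compute and Az.Monitor are assumed to be loaded.

```powershell
# Added example, not part of the original article. Assumed names below.
$resourceGroup = "rg-web-prod"   # assumed
$vmName        = "vm-web-01"     # assumed
# Placeholder: resource id of the action group that notifies the on-call team.
$actionGroupId = "/subscriptions/<sub-id>/resourceGroups/rg-web-prod/providers/microsoft.insights/actionGroups/secops"

# Baseline average CPU measured during normal operation (assumed value).
# Alert at twice the baseline, but cap the threshold so a low baseline does
# not create a rule that fires on routine load, and floor it so a very quiet
# VM still gets a meaningful trigger.
$baselineCpuPercent = 20
$threshold = [Math]::Max([Math]::Min($baselineCpuPercent * 2, 90), 40)

$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

# Average CPU over each 5-minute window, evaluated every minute: sustained
# pressure (DoS traffic or a runaway process) trips it, a one-off spike does not.
$cpuCondition = New-AzMetricAlertRuleV2Criteria `
    -MetricName "Percentage CPU" `
    -MetricNamespace "Microsoft.Compute/virtualMachines" `
    -TimeAggregation Average `
    -Operator GreaterThan `
    -Threshold $threshold

Add-AzMetricAlertRuleV2 `
    -Name "$vmName-cpu-above-baseline" `
    -ResourceGroupName $resourceGroup `
    -TargetResourceId $vm.Id `
    -WindowSize (New-TimeSpan -Minutes 5) `
    -Frequency (New-TimeSpan -Minutes 1) `
    -Condition $cpuCondition `
    -ActionGroupId $actionGroupId `
    -Severity 2 `
    -Description "Average CPU above $threshold% for 5 minutes (baseline $baselineCpuPercent%): check for DoS traffic or a compromised process"
```

Re-measure the baseline after capacity or application changes and update the threshold, otherwise the rule drifts into either noise or silence.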

Encrypt your virtual hard disk files

We recommend that you encrypt your virtual hard disks (VHDs) to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.

Azure Disk Encryption helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage.

Following are best practices for using Azure Disk Encryption:

Best practice: Enable encryption on VMs.
Detail: Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Azure AD authentication. Create an Azure AD application for this purpose. For authentication purposes, you can use either client secret-based authentication or client certificate-based Azure AD authentication.

Best practice: Take a snapshot and/or backup before disks are encrypted. Backups provide a recovery option if an unexpected failure happens during encryption.
Detail: VMs with managed disks require a backup before encryption occurs. After a backup is made, you can use the Set-AzVMDiskEncryptionExtension cmdlet to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see the Azure Backup article.

Best practice: To make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the key vault and the VMs to be located in the same region.
Detail: Create and use a key vault that is in the same region as the VM to be encrypted.

When you apply Azure Disk Encryption, you can satisfy the following business needs:

  • IaaS VMs are secured at rest through industry-standard encryption technology to address organizational security and compliance requirements.
  • IaaS VMs start under customer-controlled keys and policies, and you can audit their usage in your key vault.

Restrict direct internet connectivity

Monitor and restrict VM direct internet connectivity. Attackers constantly scan public cloud IP ranges for open management ports and attempt "easy" attacks like common passwords and known unpatched vulnerabilities. The following best practices help protect against these attacks:

Best practice: Prevent inadvertent exposure to network routing and security.
Detail: Use Azure RBAC to ensure that only the central networking group has permission to networking resources.

Best practice: Identify and remediate exposed VMs that allow access from "any" source IP address.
Detail: Use Azure Security Center. Security Center will recommend that you restrict access through internet-facing endpoints if any of your network security groups has one or more inbound rules that allow access from "any" source IP address. Security Center will recommend that you edit these inbound rules to restrict access to source IP addresses that actually need access.
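The same check Security Center performs, reproduced as an added Az PowerShell audit (not code from the article) so it can be run on a schedule or in a pipeline: it walks every network security group in the current subscription and reports inbound Allow rules whose source is "any", flagging those that also expose a management port. It only reads configuration; the list is input for the rule edits the practice above recommends. Az.Network is assumed to be loaded; the port list is an assumption you can extend.

```powershell
# Added example, not part of the original article.
# Source prefixes that mean "any address"; Azure accepts all of these spellings.
$anySources      = @("*", "Internet", "0.0.0.0/0", "0.0.0.0", "::/0")
# Management ports worth flagging separately (assumed list): SSH, RDP, WinRM.
$managementPorts = @("22", "3389", "5985", "5986")

# A rule's destination port can be "*", a single port, or a range such as "3000-4000".
function Test-PortRangeIncludes([string]$range, [string]$port) {
    if ($range -eq "*") { return $true }
    if ($range -match "^(\d+)-(\d+)$") {
        return ([int]$port -ge [int]$Matches[1] -and [int]$port -le [int]$Matches[2])
    }
    return $range -eq $port
}

$findings = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        if ($rule.Direction -ne "Inbound" -or $rule.Access -ne "Allow") { continue }

        # Prefix and port properties hold one or more values; normalise to arrays.
        $sources = @($rule.SourceAddressPrefix) | Where-Object { $_ }
        if (-not ($sources | Where-Object { $_ -in $anySources })) { continue }
        $ports = @($rule.DestinationPortRange) | Where-Object { $_ }

        $exposedMgmt = $managementPorts | Where-Object {
            $p = $_
            $ports | Where-Object { Test-PortRangeIncludes $_ $p }
        }

        [pscustomobject]@{
            NSG                   = $nsg.Name
            ResourceGroup         = $nsg.ResourceGroupName
            Rule                  = $rule.Name
            Priority              = $rule.Priority
            Protocol              = $rule.Protocol
            Ports                 = ($ports -join ",")
            ManagementPortExposed = [bool]$exposedMgmt
        }
    }
}

# Management-port exposures first, then by priority (lower number wins in Azure).
$findings |
    Sort-Object -Property @{ Expression = "ManagementPortExposed"; Descending = $true }, Priority |
    Format-Table -AutoSize
```

A rule flagged here still needs a look at higher-priority Deny rules and at whether the subnet or NIC is actually reachable from the internet before it is treated as confirmed exposure.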

Best practice: Restrict management ports (RDP, SSH).
Detail: Just-in-time (JIT) VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When JIT is enabled, Security Center locks down inbound traffic to your Azure VMs by creating a network security group rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the JIT solution.

Next steps

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.

The following resources are available to provide more general information about Azure security and related Microsoft services: