Azure infrastructure integrity

Software installation

All components in the software stack that are installed in the Azure environment are custom built following the Microsoft Security Development Lifecycle (SDL) process. All software components, including operating system (OS) images and SQL Database, are deployed as part of the change management and release management process. The OS that runs on all nodes is a customized version of Windows Server 2008 or Windows Server 2012. The exact version is chosen by the fabric controller (FC) according to the role it intends the OS to play. In addition, the host OS does not allow installation of unauthorized software components.

Some Azure components are themselves deployed as Azure customers, on a guest VM running a guest OS.

Virus scans on builds

Builds of Azure software components, including the OS, must pass a virus scan that uses the Endpoint Protection anti-virus tool. Each virus scan writes a log into the associated build directory, detailing what was scanned and the results of the scan. The virus scan is part of the build source code for every component within Azure. Code is not moved to production without a clean and successful virus scan. If any issues are noted, the build is frozen and handed to the security teams within Microsoft Security to identify where the "rogue" code entered the build.
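The following is an added example, not Microsoft's internal build tooling, showing how a build step can implement the gate the paragraph describes: scan the build output with the Endpoint Protection / Microsoft Defender command-line scanner (MpCmdRun.exe), record what was scanned and the result in a log inside the build directory, and freeze the build when anything is flagged. The build directory, the MpCmdRun.exe location, and the read-only "freeze" are assumptions about the local environment.

```powershell
# Added example: build-time virus scan gate (hypothetical, not Azure's own build code).
param(
    [Parameter(Mandatory)] [string] $BuildDirectory,
    # Location of the Endpoint Protection / Defender scanner is an assumption for this machine.
    [string] $MpCmdRun = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
)

function Invoke-BuildVirusScan {
    param([string] $Path, [string] $Scanner)

    if (-not (Test-Path -LiteralPath $Scanner)) {
        throw "Scanner not found at $Scanner"
    }

    # The log lives in the build directory itself, as the process requires.
    $logPath = Join-Path $Path 'virus-scan.log'
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -File |
               Where-Object { $_.FullName -ne $logPath })

    # Record exactly what is being scanned (SHA-256 + path) so the log answers
    # "what was in this build?" later, not just "was it clean?".
    "Scan started $(Get-Date -Format o) on $Path" | Set-Content -LiteralPath $logPath
    foreach ($f in $files) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        "$hash  $($f.FullName)" | Add-Content -LiteralPath $logPath
    }

    # -ScanType 3 is a custom scan of the given file or directory.
    $output   = & $Scanner -Scan -ScanType 3 -File $Path 2>&1
    $exitCode = $LASTEXITCODE
    $output | Add-Content -LiteralPath $logPath
    "Scanner exit code: $exitCode" | Add-Content -LiteralPath $logPath

    # MpCmdRun exits 0 when nothing was found and 2 when threats were detected;
    # anything else is a scanner failure, which must also block the build.
    switch ($exitCode) {
        0       { return [pscustomobject]@{ Clean = $true;  FilesScanned = $files.Count; Log = $logPath } }
        2       { return [pscustomobject]@{ Clean = $false; FilesScanned = $files.Count; Log = $logPath } }
        default { throw "Scanner failed with exit code $exitCode; see $logPath" }
    }
}

$result = Invoke-BuildVirusScan -Path $BuildDirectory -Scanner $MpCmdRun
if (-not $result.Clean) {
    # "Freeze" the build: make the artifacts read-only and fail the pipeline step so
    # nothing downstream can promote them while the security team investigates.
    Get-ChildItem -LiteralPath $BuildDirectory -Recurse -File |
        ForEach-Object { $_.IsReadOnly = $true }
    Write-Error "Build frozen: threats detected. Details in $($result.Log)"
    exit 1
}
Write-Output "Clean scan of $($result.FilesScanned) files; log at $($result.Log)"
```

Run it as the last step of the build job, for example `.\Scan-Build.ps1 -BuildDirectory .\out`; a non-zero exit code is what stops the release pipeline from picking up the artifacts.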

Closed and locked environment

By default, Azure infrastructure nodes and guest VMs do not have user accounts created on them. In addition, the default Windows administrator accounts are disabled. Administrators from Azure live support can, with proper authentication, log in to these machines and administer the Azure production network for emergency repairs.
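As an added example (not an Azure tool), the script below audits a Windows machine against the baseline just described: no local user accounts beyond the built-in ones, and the built-in Administrator (RID 500) and Guest (RID 501) accounts disabled. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 / Windows 10 and later); the RID list and the finding text are this example's own choices.

```powershell
# Added example: check a node against the "no accounts, built-ins disabled" baseline.
function Get-LocalAccountFindings {
    [CmdletBinding()]
    param()

    # Well-known RIDs: 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount.
    # The last two exist only on newer Windows versions; the check tolerates their absence.
    $builtInRids = @(500, 501, 503, 504)

    $findings = @()
    foreach ($user in Get-LocalUser) {
        # The RID is the last component of the account's SID string.
        $rid = [int](($user.SID.Value -split '-')[-1])

        if ($rid -in $builtInRids) {
            if ($user.Enabled) {
                $findings += [pscustomobject]@{
                    Account = $user.Name; RID = $rid; Enabled = $true
                    Finding = 'Built-in account is enabled; baseline expects it disabled'
                }
            }
        }
        else {
            # Any non-built-in local account violates the "no user accounts" baseline,
            # whether or not it is currently enabled.
            $findings += [pscustomobject]@{
                Account = $user.Name; RID = $rid; Enabled = $user.Enabled
                Finding = 'Non-default local account present; baseline expects none'
            }
        }
    }
    return $findings
}

$findings = Get-LocalAccountFindings
if ($findings.Count -eq 0) {
    Write-Output 'Baseline met: no extra local accounts; built-in accounts disabled.'
}
else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a fleet-wide sweep can flag this node
}
```

Running this under a configuration-management or monitoring agent on every node turns the paragraph's policy statement into a continuously verified control; the exit code is what the orchestrator keys on.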

Azure SQL Database authentication

As with any implementation of SQL Server, user account management must be tightly controlled. Azure SQL Database supports only SQL Server authentication. To complement a customer's data security model, user accounts should have strong passwords and be granted only the specific rights they need.
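An added example of what that recommendation looks like in practice (not code from the page or from Microsoft): provisioning a SQL-authenticated, contained database user with a cryptographically random password and read-only rights on a single schema, then reading back its effective permissions for review. It uses Invoke-Sqlcmd from the SqlServer PowerShell module; the server name, database, `reporting` schema, and user name are assumptions.

```powershell
# Added example: least-privilege SQL-authenticated user in Azure SQL Database.
param(
    [string] $Server   = 'contoso-sql.database.windows.net',   # assumption
    [string] $Database = 'SalesDb',                            # assumption
    [Parameter(Mandatory)] [pscredential] $AdminCredential,    # server admin login
    [string] $UserName = 'report_reader'                       # assumption
)

function New-StrongPassword {
    param([int] $Length = 32)
    # Mixed alphabet without look-alikes, quotes, '$' or backticks (safe to splice into T-SQL
    # and PowerShell strings). 32 chars from 4 classes satisfies SQL password policy.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#%^*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Rejection sampling: discard bytes above the largest multiple of the alphabet size
    # so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

$password = New-StrongPassword

# Contained database user: no server-level login to manage, and rights scoped to one schema.
# The weak pattern this replaces is "ALTER ROLE db_owner ADD MEMBER [user]".
$provision = @"
IF DATABASE_PRINCIPAL_ID(N'$UserName') IS NULL
    CREATE USER [$UserName] WITH PASSWORD = N'$($password.Replace("'", "''"))';

GRANT SELECT ON SCHEMA::reporting TO [$UserName];   -- the one thing this account needs
DENY  SELECT ON SCHEMA::dbo       TO [$UserName];   -- explicit, so a later public GRANT cannot widen it
"@

$adminUser = $AdminCredential.UserName
$adminPass = $AdminCredential.GetNetworkCredential().Password

Invoke-Sqlcmd -ServerInstance $Server -Database $Database `
    -Username $adminUser -Password $adminPass -Query $provision

# Read back the effective permission set: expect CONNECT (granted at creation),
# the SELECT grant on reporting, and the SELECT deny on dbo, nothing more.
$review = @"
SELECT p.class_desc, p.permission_name, p.state_desc,
       SCHEMA_NAME(CASE WHEN p.class = 3 THEN p.major_id END) AS schema_name
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'$UserName');
"@
Invoke-Sqlcmd -ServerInstance $Server -Database $Database `
    -Username $adminUser -Password $adminPass -Query $review | Format-Table -AutoSize

# Hand the secret to the application through a secret store, never through build logs or chat.
[pscredential]::new($UserName, (ConvertTo-SecureString $password -AsPlainText -Force))
```

The script returns a PSCredential so the caller can push the secret into a vault; nothing prints the password. Connecting requires that the caller's IP is allowed by the server's firewall rules, which is a separate control from the database-level permissions shown here.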

ACLs and firewalls between the Microsoft corporate network and an Azure cluster

Access-control lists (ACLs) and firewalls between the service platform and the Microsoft corporate network protect SQL Database instances from unauthorized insider access. Further, only users coming from Microsoft corporate network IP address ranges can reach the Windows Fabric platform-management endpoint.

ACLs and firewalls between nodes in a SQL Database cluster

As an additional protection, and as part of the defense-in-depth strategy, ACLs and a firewall have been implemented between nodes in a SQL Database cluster. All communication inside the Windows Fabric platform cluster, as well as all running code, is trusted.

Custom monitoring agents

SQL Database employs custom monitoring agents (MAs), also called watchdogs, to monitor the health of the SQL Database cluster.

Web protocols

Role instance monitoring and restart

Azure ensures that all deployed, running roles (internet-facing web roles or back-end processing worker roles) are subject to sustained health monitoring, so that they effectively and efficiently deliver the services for which they were provisioned. If a role becomes unhealthy, whether through a critical fault in the hosted application or an underlying configuration problem within the role instance itself, the FC detects the problem in the role instance and initiates corrective action, such as restarting the instance.

Compute connectivity

Azure ensures that the deployed application or service is reachable via standard web-based protocols. Virtual instances of internet-facing web roles have external internet connectivity and are reachable directly by web users. To protect the sensitivity and integrity of the operations that worker roles perform on behalf of the publicly accessible web role instances, virtual instances of back-end processing worker roles have outbound internet connectivity but cannot be reached directly by external web users.

Next steps

To learn more about what Microsoft does to secure the Azure infrastructure, see: