Security management in Azure

Azure subscribers may manage their cloud environments from multiple devices, including management workstations, developer PCs, and even privileged end-user devices that have task-specific permissions. In some cases, administrative functions are performed through web-based consoles such as the Azure portal. In other cases, there may be direct connections to Azure from on-premises systems over Virtual Private Networks (VPNs), Terminal Services, client application protocols, or (programmatically) the Azure Service Management API (SMAPI). Additionally, client endpoints such as tablets or smartphones can be either domain joined or isolated and unmanaged.

Although multiple access and management capabilities provide a rich set of options, this variability can add significant risk to a cloud deployment. It can be difficult to manage, track, and audit administrative actions. This variability may also introduce security threats through unregulated access to the client endpoints that are used for managing cloud services. Using general-purpose or personal workstations for developing and managing infrastructure opens unpredictable threat vectors such as web browsing (for example, watering hole attacks) or email (for example, social engineering and phishing).

The potential for attacks increases in this type of environment because it is challenging to construct security policies and mechanisms that appropriately manage access to Azure interfaces (such as SMAPI) from widely varied endpoints.

Remote management threats

Attackers often attempt to gain privileged access by compromising account credentials (for example, through password brute forcing, phishing, and credential harvesting), or by tricking users into running harmful code (for example, from harmful websites with drive-by downloads or from harmful email attachments). In a remotely managed cloud environment, an account breach carries increased risk because the environment can be reached from anywhere, at any time.

Even with tight controls on primary administrator accounts, lower-level user accounts can be used to exploit weaknesses in one's security strategy. Lack of appropriate security training can also lead to breaches through accidental disclosure or exposure of account information.

When a user workstation is also used for administrative tasks, it can be compromised at many different points, whether the user is browsing the web, using third-party and open-source tools, or opening a harmful document file that contains a trojan.

In general, most targeted attacks that result in data breaches can be traced to browser exploits, plug-ins (such as Flash, PDF, Java), and spear phishing (email) on desktop machines. When these machines are used for development or management of other assets, they may hold administrative-level or service-level permissions to access live servers or network devices.

Operational security fundamentals

For more secure management and operations, you can minimize a client's attack surface by reducing the number of possible entry points. This can be done through two security principles: "separation of duties" and "segregation of environments."

Isolate sensitive functions from one another to decrease the likelihood that a mistake at one level leads to a breach in another. Examples:

  • Administrative tasks should not be combined with activities that might lead to a compromise (for example, malware in an administrator's email that then infects an infrastructure server).
  • A workstation used for high-sensitivity operations should not be the same system used for high-risk purposes such as browsing the Internet.

Reduce the system's attack surface by removing unnecessary software. Example:

  • A standard administrative, support, or development workstation should not require installation of an email client or other productivity applications if the device's main purpose is to manage cloud services.

Client systems that have administrator access to infrastructure components should be subjected to the strictest possible policy to reduce security risks. Examples:

  • Security policies can include Group Policy settings that deny open Internet access from the device and enforce a restrictive firewall configuration.
  • Use Internet Protocol security (IPsec) VPNs if direct access is needed.
  • Configure separate management and development Active Directory domains.
  • Isolate and filter management workstation network traffic.
  • Use antimalware software.
  • Implement multi-factor authentication to reduce the risk of stolen credentials.

Consolidating access resources and eliminating unmanaged endpoints also simplifies management tasks.

Providing security for Azure remote management

Azure provides security mechanisms to aid administrators who manage Azure cloud services and virtual machines. These mechanisms include:

  • Authentication and role-based access control.
  • Monitoring, logging, and auditing.
  • Certificates and encrypted communications.
  • A web management portal.
  • Network packet filtering.

With client-side security configuration and datacenter deployment of a management gateway, it is possible to restrict and monitor administrator access to cloud applications and data.

Note

Certain recommendations in this article may result in increased data, network, or compute resource usage, and may increase your license or subscription costs.

Hardened workstation for management

The goal of hardening a workstation is to eliminate all but the most critical functions required for it to operate, making the potential attack surface as small as possible. System hardening includes minimizing the number of installed services and applications, limiting application execution, restricting network access to only what is needed, and always keeping the system up to date. Furthermore, using a hardened workstation for management segregates administrative tools and activities from other end-user tasks.

Within an on-premises enterprise environment, you can limit the attack surface of your physical infrastructure through dedicated management networks, server rooms that have card access, and workstations that run on protected areas of the network. In a cloud or hybrid IT model, being diligent about secure management services can be more complex because of the lack of physical access to IT resources. Implementing protection solutions requires careful software configuration, security-focused processes, and comprehensive policies.

Using a least-privilege, minimized software footprint in a locked-down workstation for cloud management (and for application development) can reduce the risk of security incidents by standardizing the remote management and development environments. A hardened workstation configuration can help prevent the compromise of accounts that are used to manage critical cloud resources by closing many common avenues used by malware and exploits. Specifically, you can use Windows AppLocker and Hyper-V technology to control and isolate client system behavior and mitigate threats, including those arriving through email or Internet browsing.

On a hardened workstation, the administrator runs a standard user account (which blocks administrative-level execution) and associated applications are controlled by an allow list. The basic elements of a hardened workstation are as follows:

  • Active scanning and patching. Deploy antimalware software, perform regular vulnerability scans, and update all workstations with the latest security updates in a timely fashion.
  • Limited functionality. Uninstall any applications that are not needed and disable unnecessary (startup) services.
  • Network hardening. Use Windows Firewall rules to allow only valid IP addresses, ports, and URLs related to Azure management. Ensure that inbound remote connections to the workstation are also blocked.
  • Execution restriction. Allow only a predefined set of executable files that are needed for management to run (referred to as "default-deny"). By default, users should be denied permission to run any program unless it is explicitly defined in the allow list.
  • Least privilege. Management workstation users should not have any administrative privileges on the local machine itself. This way, they cannot change the system configuration or the system files, either intentionally or unintentionally.
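The "network hardening" and "execution restriction" elements above, expressed as a PowerShell baseline for a Windows management workstation. This is an added example and not configuration from the original article; the address ranges (documentation prefixes, not real Azure addresses), the resolver address, the C:\AdminTools folder and the policy path are placeholders to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): applies the "network hardening" and
# "execution restriction" elements of a hardened management workstation. The address
# ranges, directories and paths are placeholders; replace them with your own values.

$MgmtRanges   = @('203.0.113.0/24', '198.51.100.0/24')   # PLACEHOLDER (documentation ranges), not real Azure prefixes
$DnsServers   = @('192.0.2.53')                          # PLACEHOLDER corporate resolver
$ApprovedDirs = @('C:\Windows', 'C:\Program Files', 'C:\AdminTools')   # C:\AdminTools is an assumed tools folder
$PolicyPath   = 'C:\Policies\HardenedWorkstation.xml'    # assumed output location

# --- Network hardening: default-deny in both directions on every profile, then open only what
#     management needs. The portal and SMAPI are reached over TLS, so TCP/443 to the management
#     ranges is the only application traffic allowed out.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'Allow HTTPS to Azure management' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 443 -RemoteAddress $MgmtRanges | Out-Null
New-NetFirewallRule -DisplayName 'Allow DNS to corporate resolvers' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers | Out-Null

# Inbound is already denied by default; an explicit RDP block still applies if someone later adds
# a broad allow rule, and matches the requirement that nobody connects *into* the hardened host.
New-NetFirewallRule -DisplayName 'Block inbound RDP' -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 3389 | Out-Null

# --- Execution restriction: build an AppLocker allow list from the approved directories.
#     Publisher rules are generated for signed files and hash rules only for unsigned ones, so
#     the list does not have to be regenerated every time a signed tool is updated.
$fileInfo = foreach ($dir in $ApprovedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
}
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# Anything not matched by a rule is denied once the collection is enforced. Start in audit mode:
# launches that would have been blocked are logged (AppLocker event 8003) without breaking the machine.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')   # switch to 'Enabled' after the audit period
}
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
$xml.Save($PolicyPath)
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Check the result without waiting for a user to trip over it: an approved tool should be
# allowed, a binary dropped into a user-writable location should be denied.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path @(
    'C:\AdminTools\example-tool.exe',        # assumed approved tool
    'C:\Users\Public\unapproved.exe'         # assumed unapproved binary
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Before rolling this out, add explicit outbound rules for whatever else the host genuinely needs (domain controllers, the VPN gateway, Windows Update and antimalware signature sources), confirm the Application Identity service is running so AppLocker evaluates the policy, and review the 8003 events for a few days before changing the collections to Enabled.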

Managing services, applications, and data

Azure cloud services configuration is performed through either the Azure portal or SMAPI, via the Windows PowerShell command-line interface or a custom-built application that takes advantage of these RESTful interfaces. Services using these mechanisms include Azure Active Directory (Azure AD), Azure Storage, Azure Websites, Azure Virtual Network, and others.

Applications deployed in virtual machines provide their own client tools and interfaces as needed, such as the Microsoft Management Console (MMC), an enterprise management console (such as Microsoft System Center or Windows Intune), or another management application (Microsoft SQL Server Management Studio, for example). These tools typically reside in an enterprise environment or client network. They may depend on specific network protocols, such as Remote Desktop Protocol (RDP), that require direct, stateful connections. Some may have web-enabled interfaces that should not be openly published or accessible via the Internet.

You can restrict access to infrastructure and platform services management in Azure by using multi-factor authentication, X.509 management certificates, and firewall rules. The Azure portal and SMAPI require Transport Layer Security (TLS). However, services and applications that you deploy into Azure require you to take protection measures that are appropriate to your application. These mechanisms can frequently be enabled more easily through a standardized hardened workstation configuration.

Management gateway

To centralize all administrative access and simplify monitoring and logging, you can deploy a dedicated Remote Desktop Gateway (RD Gateway) server in your on-premises network, connected to your Azure environment.

A Remote Desktop Gateway is a policy-based RDP proxy service that enforces security requirements. Implementing RD Gateway together with Windows Server Network Access Protection (NAP) helps ensure that only clients that meet specific security health criteria established by Active Directory Domain Services (AD DS) Group Policy objects (GPOs) can connect. In addition:

  • Provision an Azure management certificate on the RD Gateway so that it is the only host allowed to access the Azure portal.
  • Join the RD Gateway to the same management domain as the administrator workstations. This is necessary when you are using a site-to-site IPsec VPN or ExpressRoute within a domain that has a one-way trust to Azure AD, or if you are federating credentials between your on-premises AD DS instance and Azure AD.
  • Configure a client connection authorization policy to let the RD Gateway verify that the client machine name is valid (domain joined) and allowed to access the Azure portal.
  • Use IPsec for Azure VPN to further protect management traffic from eavesdropping and token theft, or consider an isolated Internet link via Azure ExpressRoute.
  • Enable multi-factor authentication (via Azure Multi-Factor Authentication) or smart-card authentication for administrators who log on through RD Gateway.
  • Configure source IP address restrictions or Network Security Groups in Azure to minimize the number of permitted management endpoints.

Security guidelines

In general, helping to secure administrator workstations for use with the cloud is similar to the practices used for any workstation on-premises, for example a minimized build and restrictive permissions. Some unique aspects of cloud management are more akin to remote or out-of-band enterprise management. These include the use and auditing of credentials, security-enhanced remote access, and threat detection and response.

Authentication

You can use Azure logon restrictions to constrain the source IP addresses allowed to access administrative tools, and to audit access requests. To help Azure identify management clients (workstations and/or applications), you can configure both SMAPI (via customer-developed tools such as Windows PowerShell cmdlets) and the Azure portal to require client-side management certificates to be installed, in addition to SSL certificates. We also recommend that administrator access require multi-factor authentication.

Some applications or services that you deploy into Azure may have their own authentication mechanisms for both end-user and administrator access, whereas others take full advantage of Azure AD. Whether you are federating credentials via Active Directory Federation Services (AD FS), using directory synchronization, or maintaining user accounts solely in the cloud, Microsoft Identity Manager (part of Azure AD Premium) helps you manage identity lifecycles between the resources.

Connectivity

Several mechanisms are available to help secure client connections to your Azure virtual networks. Two of these mechanisms, site-to-site VPN (S2S) and point-to-site VPN (P2S), enable the use of industry-standard IPsec (S2S) or the Secure Socket Tunneling Protocol (SSTP) (P2S) for encryption and tunneling. Connections to public-facing Azure service management endpoints such as the Azure portal require Hypertext Transfer Protocol Secure (HTTPS).

A stand-alone hardened workstation that does not connect to Azure through an RD Gateway should use the SSTP-based point-to-site VPN to create the initial connection to the Azure Virtual Network, and then establish RDP connections to individual virtual machines from within the VPN tunnel.

Management auditing vs. policy enforcement

Typically, there are two approaches for helping to secure management processes: auditing and policy enforcement. Doing both provides comprehensive controls, but may not be possible in all situations. In addition, each approach has different levels of risk, cost, and effort associated with managing security, particularly as it relates to the level of trust placed in both individuals and system architectures.

Monitoring, logging, and auditing provide a basis for tracking and understanding administrative activities, but it may not always be feasible to audit all actions in complete detail because of the amount of data generated. Auditing the effectiveness of the management policies is a best practice, however.

Policy enforcement that includes strict access controls puts programmatic mechanisms in place that can govern administrator actions, and it helps ensure that all possible protection measures are being used. Logging provides proof of enforcement, in addition to a record of who did what, from where, and when. Logging also enables you to audit and cross-check information about how administrators follow policies, and it provides evidence of activities.
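The "proof of enforcement" and "who did what, from where, and when" record described above can be collected from the event logs that a hardened workstation produces. The following PowerShell is an added example, not code from the original article: it pulls the AppLocker block/audit events and the interactive logon events from a list of management workstations into a central CSV. The workstation names and the central share are placeholders; the event IDs (AppLocker 8003/8004, Security 4624) and logon types are standard Windows values.

```powershell
# Added example (not from the original article): builds the management-workstation audit trail
# from AppLocker and Security events. Workstation names and the central share are placeholders.

function Get-ManagementWorkstationAudit {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [datetime] $Since = (Get-Date).AddDays(-1)
    )

    foreach ($ws in $ComputerName) {
        # AppLocker: 8004 = blocked by an enforced rule, 8003 = allowed but would have been blocked
        # (audit mode). Either one means something outside the allow list tried to run.
        $appLockerEvents = Get-WinEvent -ComputerName $ws -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
            Id        = 8003, 8004
            StartTime = $Since
        }
        foreach ($e in $appLockerEvents) {
            [pscustomobject]@{
                Workstation = $ws
                Time        = $e.TimeCreated
                Source      = 'AppLocker'
                Outcome     = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly-WouldBlock' }
                User        = $e.UserId      # SID of the account that attempted the launch
                Detail      = $e.Message     # message text names the file that was (or would be) stopped
            }
        }

        # Security 4624 = successful logon. Logon type 10 (RemoteInteractive, i.e. RDP) should never
        # occur on a hardened workstation whose inbound RDP is blocked, so it is flagged for review.
        $logonEvents = Get-WinEvent -ComputerName $ws -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4624
            StartTime = $Since
        }
        foreach ($e in $logonEvents) {
            $field = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            # Keep only logons by a person: 2 = console, 10 = RDP, 11 = cached console credentials.
            if ($field['LogonType'] -notin @('2', '10', '11')) { continue }
            [pscustomobject]@{
                Workstation = $ws
                Time        = $e.TimeCreated
                Source      = 'Security'
                Outcome     = if ($field['LogonType'] -eq '10') { 'RemoteInteractiveLogon-REVIEW' } else { 'InteractiveLogon' }
                User        = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
                Detail      = "LogonType=$($field['LogonType']) From=$($field['IpAddress']) Workstation=$($field['WorkstationName'])"
            }
        }
    }
}

# Usage: pull the last 24 hours from the management workstations into a central, access-controlled share.
$workstations = 'MGMT-WS01', 'MGMT-WS02'        # PLACEHOLDER workstation names
$centralShare = '\\AUDITSRV\MgmtAudit'          # PLACEHOLDER central location (not on the clients)
$records = Get-ManagementWorkstationAudit -ComputerName $workstations
$records | Export-Csv -Path (Join-Path $centralShare ('mgmt-audit-{0:yyyyMMdd}.csv' -f (Get-Date))) -NoTypeInformation

# Items that need a human look: anything blocked, and any RDP logon onto a hardened host.
$records | Where-Object { $_.Outcome -like '*Block*' -or $_.Outcome -like '*REVIEW*' } | Format-Table -AutoSize
```

Remote collection with Get-WinEvent needs the "Remote Event Log Management" firewall exception and event-log read rights on each workstation; if the hardened workstations block that inbound traffic (as they should), run the same function locally through a scheduled task that writes to the central share instead. Keeping the output off the clients matches the point made later in the article that audit logs should not live on the device that could be lost or compromised.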

Client configuration

We recommend three primary configurations for a hardened workstation. The biggest differentiators between them are cost, usability, and accessibility, while all options maintain a similar security profile. The following summary provides a short analysis of the benefits and risks of each. (Note that "corporate PC" refers to a standard desktop PC configuration that would be deployed for all domain users, regardless of role.)

Configuration: Stand-alone hardened workstation
  • Benefits: tightly controlled workstation; reduced risk of application exploits; clear separation of duties.
  • Cons: higher cost for dedicated desktops; increased management effort.

Configuration: Corporate PC as virtual machine
  • Benefits: reduced hardware costs; segregation of role and applications.
  • Cons: none listed.

Configuration: Windows To Go with BitLocker drive encryption
  • Benefits: compatibility with most PCs; cost-effectiveness and portability; isolated management environment.
  • Cons: asset tracking.

It is important that the hardened workstation is the host and not the guest, with nothing between the host operating system and the hardware. Following the "clean source principle" (also known as "secure origin") means that the host should be the most hardened component. Otherwise, the hardened workstation (as a guest) is subject to attacks on the system on which it is hosted.

You can further segregate administrative functions through dedicated system images for each hardened workstation that have only the tools and permissions needed for managing select Azure and cloud applications, with specific local AD DS GPOs for the necessary tasks.

For IT environments that have no on-premises infrastructure (for example, no access to a local AD DS instance for GPOs because all servers are in the cloud), a service such as Microsoft Intune can simplify deploying and maintaining workstation configurations.

Stand-alone hardened workstation for management

With a stand-alone hardened workstation, administrators have a PC or laptop that they use for administrative tasks and another, separate PC or laptop for non-administrative tasks. A workstation dedicated to managing your Azure services does not need other applications installed. Additionally, using workstations that support a Trusted Platform Module (TPM) or similar hardware-level cryptography technology aids in device authentication and prevention of certain attacks. A TPM can also support full-volume protection of the system drive by using BitLocker Drive Encryption.

In the stand-alone hardened workstation scenario (shown below), the local instance of Windows Firewall (or a non-Microsoft client firewall) is configured to block inbound connections, such as RDP. The administrator can log on to the hardened workstation and start an RDP session that connects to Azure after establishing a VPN connection with an Azure Virtual Network, but cannot log on to a corporate PC and use RDP to connect to the hardened workstation itself.

Corporate PC as virtual machine

In cases where a separate stand-alone hardened workstation is cost prohibitive or inconvenient, the hardened workstation can host a virtual machine to perform non-administrative tasks.

To avoid several security risks that can arise from using one workstation for systems management and other daily work tasks, you can deploy a Windows Hyper-V virtual machine to the hardened workstation. This virtual machine can be used as the corporate PC. The corporate PC environment can remain isolated from the host, which reduces the host's attack surface and keeps the user's daily activities (such as email) from coexisting with sensitive administrative tasks.

The corporate PC virtual machine runs in a protected space and provides user applications. The host remains a "clean source" and enforces strict network policies in the root operating system (for example, blocking RDP access from the virtual machine).

Windows To Go

Another alternative to requiring a stand-alone hardened workstation is to use a Windows To Go drive, a feature that supports a client-side USB-boot capability. Windows To Go enables users to boot a compatible PC to an isolated system image running from an encrypted USB flash drive. It provides additional controls for remote-administration endpoints because the image can be fully managed by a corporate IT group, with strict security policies, a minimal OS build, and TPM support.

In the figure below, the portable image is a domain-joined system that is preconfigured to connect only to Azure, requires multi-factor authentication, and blocks all non-management traffic. If a user boots the same PC to the standard corporate image and tries to access the RD Gateway for Azure management tools, the session is blocked. Windows To Go becomes the root-level operating system, and no additional layers (host operating system, hypervisor, virtual machine) that may be more vulnerable to outside attacks are required.

It is important to note that USB flash drives are more easily lost than an average desktop PC. Using BitLocker to encrypt the entire volume, together with a strong password, makes it less likely that an attacker can use the drive image for harmful purposes. Additionally, if the USB flash drive is lost, revoking and issuing a new management certificate along with a quick password reset can reduce exposure. Administrative audit logs reside within Azure, not on the client, further reducing potential data loss.

Best practices

Consider the following additional guidelines when you are managing applications and data in Azure.

Dos and don'ts

Don't assume that because a workstation has been locked down, other common security requirements do not need to be met. The potential risk is higher because of the elevated access levels that administrator accounts generally possess. Examples of risks and their alternate safe practices follow.

Don't email credentials for administrator access or other secrets (for example, SSL or management certificates).
Do maintain confidentiality by delivering account names and passwords by voice (but not storing them in voice mail), performing a remote installation of client/server certificates (via an encrypted session), downloading from a protected network share, or distributing by hand via removable media. Proactively manage your management certificate life cycles.

Don't store account passwords unencrypted or unhashed in application storage (such as in spreadsheets, SharePoint sites, or file shares).
Do establish security management principles and system hardening policies, and apply them to your development environment. Use Enhanced Mitigation Experience Toolkit 5.5 certificate pinning rules to ensure proper access to Azure SSL/TLS sites.

Don't share accounts and passwords between administrators, or reuse passwords across multiple user accounts or services, particularly those for social media or other non-administrative activities.
Do create a dedicated Microsoft account to manage your Azure subscription, one that is not used for personal email.

Don't email configuration files.
Do install configuration files and profiles from a trusted source (for example, an encrypted USB flash drive), not from a mechanism that can be easily compromised, such as email.

Don't use weak or simple logon passwords.
Do enforce strong password policies, expiration cycles (change on first use), console timeouts, and automatic account lockouts. Use a client password management system with multi-factor authentication for password vault access.

Don't expose management ports to the Internet.
Do lock down Azure ports and IP addresses to restrict management access. For more information, see the Azure Network Security white paper. Use firewalls, VPNs, and NAP for all management connections.

Azure operations

Within Microsoft's operation of Azure, operations engineers and support personnel who access Azure's production systems use hardened workstation PCs with VMs provisioned on them for internal corporate network access and applications (such as email, intranet, and so on). All management workstation computers have TPMs, the host boot drive is encrypted with BitLocker, and they are joined to a special organizational unit (OU) in Microsoft's primary corporate domain.

System hardening is enforced through Group Policy, with centralized software updating. For auditing and analysis, event logs (such as Security and AppLocker) are collected from management workstations and saved to a central location.

In addition, dedicated jump boxes on Microsoft's network that require two-factor authentication are used to connect to Azure's production network.

Azure 安全清单Azure security checklist

将管理员在强化的工作站上可以执行的任务数降到最低,有助于尽量降低开发和管理环境中的受攻击面。Minimizing the number of tasks that administrators can perform on a hardened workstation helps minimize the attack surface in your development and management environment. 请使用以下技术来帮助保护强化的工作站:Use the following technologies to help protect your hardened workstation:

  • IE hardening. The Internet Explorer browser (or any web browser, for that matter) is a key entry point for harmful code because of its extensive interactions with external servers. Review your client policies and enforce running in protected mode, disabling add-ons, disabling file downloads, and using Microsoft SmartScreen filtering. Ensure that security warnings are displayed. Take advantage of Internet zones and create a list of trusted sites for which you have configured reasonable hardening. Block all other sites and in-browser code, such as ActiveX and Java.
  • Standard user. Running as a standard user brings a number of benefits, the biggest of which is that stealing administrator credentials via malware becomes more difficult. In addition, a standard user account does not have elevated privileges on the root operating system, and many configuration options and APIs are locked out by default.
  • AppLocker. You can use AppLocker to restrict the programs and scripts that users can run. You can run AppLocker in audit or enforcement mode. The default rule set includes an allow rule that enables users who have an admin token to run all code on the client. This rule exists to prevent administrators from locking themselves out, and it applies only to elevated tokens. See also Code Integrity as part of Windows Server core security.
  • Code signing. Code signing all tools and scripts used by administrators provides a manageable mechanism for deploying application lockdown policies. Hashes do not scale with rapid changes to the code, and file paths do not provide a high level of security. You should combine AppLocker rules with a PowerShell execution policy that only allows specific signed code and scripts to be executed; note that the execution policy is a safety feature rather than a security boundary, so it is the AppLocker rules in enforcement mode that actually stop unsigned scripts from running.
  • Group Policy. Create a global administrative policy that is applied to any domain workstation that is used for management (and block access from all others), and to user accounts authenticated on those workstations.
  • Security-enhanced provisioning. Safeguard your baseline hardened workstation image to help protect against tampering. Use security measures like encryption and isolation to store images, virtual machines, and scripts, and restrict access (perhaps use an auditable check-in/check-out process).
  • Patching. Maintain a consistent build (or have separate images for development, operations, and other administrative tasks), scan for changes and malware routinely, keep the build up to date, and only activate machines when they are needed.
  • Encryption. Make sure that management workstations have a TPM to more securely enable Encrypting File System (EFS) and BitLocker. If you are using Windows To Go, use only encrypted USB keys together with BitLocker.
  • Governance. Use AD DS GPOs to control all the administrators' Windows interfaces, such as file sharing. Include management workstations in auditing, monitoring, and logging processes. Track all administrator and developer access and usage.
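The AppLocker and code signing items above fit together as one procedure: sign the administrative tools, derive publisher rules from the signatures, stage the policy in audit mode, then enforce it and require signed PowerShell scripts. The following PowerShell script is an added example, not code from the original article; the tool directory, the rule name prefix, the certificate subject and the self-signed certificate (a lab substitute for a certificate issued by your enterprise CA) are assumptions. Run it elevated on Windows 10/11 Enterprise or Windows Server 2016 or later.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): sign admin tools, build an AppLocker
# publisher-rule policy from them, stage it in audit mode, and require signed scripts.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$toolDir   = 'C:\AdminTools'                                  # assumed location of admin tools
$signer    = 'CN=Contoso Admin Tools Signing'                 # assumed certificate subject
$policyXml = Join-Path $env:TEMP 'AdminTools-AppLocker.xml'

# 1. Code signing. Publisher rules keyed on the signer survive edits to the scripts,
#    unlike hash rules, and unlike path rules they cannot be bypassed by writing to the path.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object Subject -eq $signer | Select-Object -First 1
if (-not $cert) {
    # Lab only: a self-signed signing certificate, trusted on this machine so that both
    # Authenticode verification and AppLocker publisher rules accept it. In production
    # use a certificate from your enterprise CA and skip the import into Root.
    $cert    = New-SelfSignedCertificate -Type CodeSigningCert -Subject $signer -CertStoreLocation Cert:\CurrentUser\My
    $cerFile = Join-Path $env:TEMP 'admin-signing.cer'
    Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
    foreach ($store in 'Root', 'TrustedPublisher') {
        Import-Certificate -FilePath $cerFile -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    }
}
Get-ChildItem $toolDir -Recurse -Include *.ps1, *.psm1 | ForEach-Object {
    # Add -TimestampServer <url> in production so signatures remain valid after the cert expires.
    $sig = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert
    if ($sig.Status -ne 'Valid') { throw "Signing failed for $($_.FullName): $($sig.Status)" }
}

# 2. Generate rules from the signed tools: Publisher where a signature exists, Hash only as
#    a fallback for unsigned binaries. -Optimize collapses rules that share a signer.
$fileInfo = Get-AppLockerFileInformation -Directory $toolDir -Recurse -FileType Exe, Script
$policy   = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                -RuleNamePrefix 'AdminTools' -User Everyone -Optimize -Xml

# 3. Stage in audit mode. Note that New-AppLockerPolicy emits no default rules, so enforcing
#    this policy as-is would block Windows itself; merge it with a baseline that contains the
#    default rules (including the admin allow rule the checklist mentions) before switching
#    EnforcementMode to 'Enabled'.
$xml = [xml]$policy
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($policyXml)

# 4. Merge into the local policy (use -Ldap 'LDAP://...' instead to target the GPO linked to
#    your management-workstation OU) and make sure the Application Identity service, which
#    AppLocker depends on, starts automatically.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
& sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 5. Check decisions against the staged policy: a signed tool is allowed; calc.exe, although
#    Microsoft-signed, is denied because this policy has no rule for that publisher.
$sample = Get-ChildItem $toolDir -Recurse -Include *.ps1 | Select-Object -First 1
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $sample.FullName, "$env:SystemRoot\System32\calc.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Require signed scripts at machine scope. This is a safety rail, not a boundary; the
#    AppLocker Script collection in 'Enabled' mode is what actually blocks unsigned scripts.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 7. Review what audit mode would have blocked (8003 for EXE/DLL, 8006 for scripts). These
#    are the AppLocker logs to forward to the central collector.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
        Id      = 8003, 8006
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Leave the policy in audit mode until the 8003/8006 events have been reviewed for every tool an administrator legitimately runs, then flip each RuleCollection to `EnforcementMode="Enabled"` and redeploy it; once enforced, the script rules also run unapproved PowerShell in ConstrainedLanguage mode, which is why the execution policy alone is not the control to rely on.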

Summary

Using a hardened workstation configuration for administering your Azure cloud services, Virtual Machines, and applications can help you avoid numerous risks and threats that come from remotely managing critical IT infrastructure. Both Azure and Windows provide mechanisms that you can employ to help protect and control communications, authentication, and client behavior.

Next steps

In addition to the specific items referenced in this paper, the following resources provide more general information about Azure and related Microsoft services:

  • Securing Privileged Access – get the technical details for designing and building a secure administrative workstation for Azure management
  • Microsoft Trust Center – learn about Azure platform capabilities that protect the Azure fabric and the workloads that run on Azure