Azure security baseline for Site Recovery

This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Site Recovery. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Site Recovery. Controls not applicable to Site Recovery have been excluded.

To see how Site Recovery maps completely to the Azure Security Benchmark, see the full Site Recovery security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: The Site Recovery service supports service tags, which allow customers to open traffic only to specific services and ports. Customers have to allow the "AzureSiteRecovery" service tag on their firewall or network security group to permit outbound access to the Site Recovery service.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use resource tags for network security groups and other resources related to network security and traffic flow. For individual network security group rules, use the "Description" field to document the rules that allow traffic to and from a network.

Incorporate any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

You can use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
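An added example (not from the baseline or from Microsoft's documentation) that applies 1.8 and 1.10 together with Az PowerShell: one outbound rule scoped to the AzureSiteRecovery service tag on TCP 443, documented through its Description field, followed by a check that every outbound rule on the NSG carries a description. The resource group name, NSG name and change-ticket reference are assumed placeholders.

```powershell
# Added example (assumed names): restrict outbound replication traffic to the
# AzureSiteRecovery service tag and document the rule in its Description field.
$rgName  = "rg-dr-prod"        # assumption: resource group holding the workload NSG
$nsgName = "nsg-dr-workload"   # assumption: NSG attached to the protected VMs' subnet

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# 1.8: a service tag replaces a hand-maintained IP list; only HTTPS (TCP 443) is opened.
# 1.10: the Description (max 140 characters) records purpose, owner and change
#       reference so the rule can be audited later without tribal knowledge.
$ruleName = "Allow-Outbound-AzureSiteRecovery-443"
if (-not ($nsg.SecurityRules | Where-Object Name -eq $ruleName)) {
    $nsg | Add-AzNetworkSecurityRuleConfig `
        -Name $ruleName `
        -Description "Outbound HTTPS to Azure Site Recovery (service tag AzureSiteRecovery) for replication. Owner: DR team. Change: <TICKET-ID>" `
        -Direction Outbound -Access Allow -Priority 100 `
        -Protocol Tcp `
        -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
        -DestinationAddressPrefix "AzureSiteRecovery" -DestinationPortRange 443 | Out-Null
}

# Persist the change; Set-AzNetworkSecurityGroup writes the whole rule set back.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verification: list outbound rules in priority order so a reviewer can confirm the
# Site Recovery rule sits above any deny rule, and flag rules without a Description.
$rules = (Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName).SecurityRules |
    Where-Object Direction -eq "Outbound" | Sort-Object Priority

$rules | Select-Object Priority, Name, Access, Protocol, DestinationAddressPrefix,
    DestinationPortRange, Description | Format-Table -AutoSize

$undocumented = $rules | Where-Object { [string]::IsNullOrWhiteSpace($_.Description) }
if ($undocumented) {
    Write-Warning ("Outbound rules without a Description: " + ($undocumented.Name -join ", "))
}
```

The rule covers only the service tag this baseline names; Site Recovery replication also needs outbound access to other Azure endpoints (for example the Storage and AzureActiveDirectory service tags), so do not add a blanket outbound deny without allowing those as well.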

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Monitor any changes to network resource configurations related to the Site Recovery service using Azure Activity Logs. Create alerts in Azure Monitor to notify you when critical Site Recovery network resources are changed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Logging and Monitoring

For more information, see the Azure Security Benchmark: Logging and Monitoring.

2.2: Configure central security log management

Guidance: Enable Azure Activity Log diagnostic settings for audit logging and send the logs to a Log Analytics workspace, an Azure Storage account, or an Azure Event Hub for archival.

Use Azure Activity Log data to determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed on your Azure resources.

Ingest Site Recovery logs into Azure Monitor to aggregate generated security data. Within Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use storage accounts for long-term or archival storage. Also, you may enable and on-board data to Azure Sentinel or a third-party Security Information and Event Management (SIEM) solution.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable Azure Activity Log diagnostic settings for audit logging and send the logs to a Log Analytics workspace, an Azure Storage account, or an Azure Event Hub for archival.

Use Azure Activity Log data to determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed on your Azure resources.

Ingest Site Recovery logs with Azure Monitor to aggregate generated security data. Within Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use storage accounts for long-term or archival storage. Enable and on-board data to Azure Sentinel or a third-party Security Information and Event Management (SIEM) solution.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: Set the log retention period for Log Analytics workspaces associated with your Azure Recovery Services vaults using Azure Monitor, according to your organization's compliance regulations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Enable Azure Activity Log diagnostic settings and send the logs to a Log Analytics workspace.

Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and provide insights on the Activity Log data collected from Recovery Services vaults.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: Monitor machines replicated by Azure Site Recovery using Azure Monitor logs and Log Analytics. Use Log Analytics within Azure Monitor to write and test log queries and to interactively analyze log data. Azure Monitor collects activity and resource logs, along with other monitoring data.

Visualize and query log results, and configure alerts to take actions based on monitored data. Set up alerts on a Log Analytics workspace that is onboarded to Azure Sentinel, as Sentinel provides a security orchestration, automation and response (SOAR) solution. This allows automated solutions, such as playbooks, to be created and used to remediate security issues. Create custom log alerts in your Log Analytics workspace using Azure Monitor.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
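An added example for 2.2, 2.3, 2.6 and 2.7 (it is not from the baseline or from Microsoft's documentation): once the Activity Log diagnostic setting feeds a Log Analytics workspace, this Az PowerShell script runs a KQL query over the AzureActivity table to answer "what, who, and when" for successful write, delete and action operations on Microsoft.RecoveryServices resources, then flags callers that are not on an expected list. The workspace ID and the allow-list of callers are assumptions.

```powershell
# Added example (assumed workspace ID and allow-list): review successful change
# operations on Site Recovery resources and flag unexpected callers.
$workspaceId = "00000000-0000-0000-0000-000000000000"   # assumption: Log Analytics workspace (customer) ID

# Identities expected to change DR configuration (assumption); anything else is reviewed.
$expectedCallers = @(
    "dr-automation@contoso.example",
    "dr-admin@contoso.example"
)

# Activity Log rows land in AzureActivity when the diagnostic setting targets this
# workspace. ResourceProviderValue narrows to Microsoft.RecoveryServices; the
# OperationNameValue suffix separates writes (PUT/POST), deletes and POST actions
# (for example failover) from plain reads. Both spellings of the success status
# are accepted because the column value has varied across schema versions.
$kql = @'
AzureActivity
| where TimeGenerated > ago(7d)
| where ResourceProviderValue =~ "Microsoft.RecoveryServices"
| where OperationNameValue endswith "/write"
     or OperationNameValue endswith "/delete"
     or OperationNameValue endswith "/action"
| where ActivityStatusValue in~ ("Success", "Succeeded")
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, _ResourceId
| order by TimeGenerated desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$events = @($result.Results)

Write-Host ("{0} successful change operations on Site Recovery resources in the last 7 days" -f $events.Count)

# "Who" summary: operation counts per caller, busiest first
$events | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, @{ n = "Caller"; e = { $_.Name } } | Format-Table -AutoSize

# Anomaly review: every change made by an identity outside the allow-list
$unexpected = $events | Where-Object { $_.Caller -notin $expectedCallers }
foreach ($e in $unexpected) {
    Write-Warning ("{0} {1} from {2} performed {3} on {4}" -f `
        $e.TimeGenerated, $e.Caller, $e.CallerIpAddress, $e.OperationNameValue, $e._ResourceId)
}
```

The same KQL can serve as the condition of a scheduled log alert rule in Azure Monitor, which is the alerting route 1.11 and 4.9 describe for changes to critical Site Recovery resources.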

Identity and Access Control

For more information, see the Azure Security Benchmark: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: No roles are assigned by default. They need to be explicitly assigned based on business need. Any role assignments can be checked with PowerShell, the CLI, or Azure Active Directory (Azure AD) to discover accounts that are members of administrative groups.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Security Center's Identity and Access Management features to monitor the number of administrative accounts.

Additionally, to help you keep track of dedicated administrative accounts, use recommendations from Security Center or built-in Azure policies, such as:

  • There should be more than one owner assigned to your subscription

  • Deprecated accounts with owner permissions should be removed from your subscription

  • External accounts with owner permissions should be removed from your subscription

Create a process to track identity and access control for administrative accounts and review it periodically.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Use an Azure app registration with a service principal to retrieve a token that is then used to interact with your Recovery Services vaults through API calls.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure AD multifactor authentication and follow Security Center's Identity and Access recommendations.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use a secure, Azure-managed workstation (also known as a Privileged Access Workstation, or PAW) with Azure multifactor authentication for administrative tasks and to perform privileged actions on Site Recovery resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure AD's Privileged Identity Management (PIM) feature to generate logs and alerts when suspicious or unsafe activity occurs in the environment. View alerts and reports on risky user behavior with the Azure AD risk detection feature.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources only from approved locations

Guidance: Use Conditional Access Named Locations to allow access to the Azure portal only from specific logical groupings of IP address ranges, regions, or countries.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure AD as the central authentication and authorization system for Site Recovery. Azure AD protects data by using strong encryption for data at rest and in transit, and it salts, hashes, and securely stores user credentials.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Use Azure AD logs to help discover stale accounts.

Efficiently manage group memberships, access to enterprise applications, and role assignments with Azure AD's Identity and Access Reviews.

Create a process to review user access on a regular basis to ensure that only users with completed access reviews have continued access.

Azure Security Center monitoring: Yes

Responsibility: Customer

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Azure resources that store or process sensitive information.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Implement separate subscriptions or management groups for development, test, and production Recovery Services vaults. Separate resources with a virtual network or subnet, tagged appropriately, and secured by a network security group or Azure Firewall.

Turn off virtual machines that store or process sensitive data when they are not in use. Implement policies and procedures to make this a recurring process.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: Use Private Link or Private Endpoint, network security groups, and service tags to mitigate any opportunities for data exfiltration from Site Recovery enabled virtual machines.

Azure manages the underlying platform used by Site Recovery, treats all customer content as sensitive, and guards against customer data loss and exposure. Azure has implemented and maintains a suite of robust data protection controls and capabilities to ensure that customer data within Azure remains secure.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.4: Encrypt all sensitive information in transit

Guidance: Site Recovery uses a secure HTTPS channel, encrypted using the Advanced Encryption Standard (AES 256), from Azure workload servers to the Site Recovery services hosted behind a Recovery Services vault.

The TLS versions currently supported for Site Recovery are TLS 1.0, TLS 1.1, and TLS 1.2 in regions that were live by the end of 2019. TLS 1.2 is the only supported TLS version for any new regions.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification, classification, and loss prevention features are not yet available for Site Recovery.

Implement a third-party solution, as necessary, for compliance purposes.

Azure manages the underlying platform used by Site Recovery, treats all customer content as sensitive, and guards against customer data loss and exposure. It has implemented and maintains a suite of robust data protection controls and capabilities to ensure that customer data within Azure remains secure.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.6: Use Azure RBAC to manage access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to manage access to data and resources related to Site Recovery resources.

Separate work duties with Azure RBAC and grant only the access each duty requires. Use the built-in Site Recovery roles to control Site Recovery management operations.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.8: Encrypt sensitive information at rest

Guidance: Enable double encryption with both platform-managed and customer-managed keys. This capability is available in Site Recovery.

Site Recovery supports encryption at rest for data. For Azure IaaS workloads, data is encrypted at rest using Storage Service Encryption (SSE).

Only the customer has access to the encryption key when using a Recovery Services vault encrypted with a customer-managed key. Azure never maintains a copy, does not have access to the key, and does not decrypt the data transferred from the primary to the disaster recovery location at any point.

Azure Security Center monitoring: Not applicable

Responsibility: Shared

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with Azure Activity Logs to create alerts when changes take place to critical resources. These resources could include production instances of Recovery Services vaults, resources of the Site Recovery service, and related resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Inventory and Asset Management

For more information, see the Azure Security Benchmark: Inventory and Asset Management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query or discover all resources, including Recovery Services vaults, within your subscriptions. Ensure appropriate read permissions in your tenant and enumerate all Azure subscriptions as well as the resources within them.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
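An added example for 6.1 that also serves 3.1 and 4.6 (it is not from the baseline or from Microsoft's documentation): Az PowerShell discovers every Recovery Services vault the signed-in identity can read through Azure Resource Graph, then reports which principals hold privileged roles on each vault, including assignments inherited from higher scopes. It uses the Az.ResourceGraph and Az.Resources modules; the role names are Azure built-ins, and the choice of which roles count as privileged is an assumption.

```powershell
# Added example: inventory all Recovery Services vaults (6.1) and report who holds
# privileged roles on each one (3.1, 4.6).
$query = @'
resources
| where type =~ "microsoft.recoveryservices/vaults"
| project id, name, resourceGroup, subscriptionId, location, tags
| order by name asc
'@
# Resource Graph spans every subscription the caller can read; -First caps the page size.
$vaults = Search-AzGraph -Query $query -First 1000

# Owner and Contributor inherit every Site Recovery permission, so they count as
# administrative alongside the service-specific built-in roles (assumption: this is
# the set your organization treats as privileged for DR).
$privilegedRoles = @("Owner", "Contributor", "Site Recovery Contributor", "Site Recovery Operator")

$report = foreach ($v in $vaults) {
    # -Scope returns assignments made on the vault itself plus those inherited from
    # its resource group, subscription and management group.
    Get-AzRoleAssignment -Scope $v.id |
        Where-Object { $_.RoleDefinitionName -in $privilegedRoles } |
        ForEach-Object {
            [pscustomobject]@{
                Vault         = $v.name
                Subscription  = $v.subscriptionId
                Principal     = $_.DisplayName
                SignInName    = $_.SignInName
                PrincipalType = $_.ObjectType
                Role          = $_.RoleDefinitionName
                AssignedAt    = $_.Scope
            }
        }
}

$report | Sort-Object Vault, Role, Principal | Format-Table -AutoSize

# Review aid: assignments whose scope is above the vault apply to every vault beneath
# that scope, so they deserve the closest look during a periodic access review (3.10).
$inherited = @($report | Where-Object { $_.AssignedAt -notmatch "/providers/Microsoft.RecoveryServices/vaults/" })
Write-Host ("{0} privileged assignments inherited from resource-group, subscription or management-group scope" -f $inherited.Count)
```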

6.2: Maintain asset metadata

Guidance: Apply tags to Recovery Services vaults and other related resources used by Site Recovery, together with metadata, to logically organize them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Site Recovery (Recovery Services vaults) and other related resources.

In addition, use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Reconcile inventory on a regular basis and ensure that unauthorized resources are deleted from the subscription in a timely manner.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Define and maintain an inventory of approved Azure resources

Guidance: Create an inventory of approved Azure resources and approved software for compute resources based on the customer's organizational requirements.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Use Azure Resource Graph to query for and discover resources within the subscriptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Understanding how to create and manage policies in Azure is important for staying compliant with your corporate standards and service level agreements.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app. This can prevent the creation of and changes to resources within a high-security environment.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Secure Configuration

For more information, see the Azure Security Benchmark: Secure Configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Define and implement standard security configurations for your Recovery Services vault with Azure Policy.

Use Azure Policy aliases in the "Microsoft.RecoveryServices" namespace to create custom policies that audit or enforce the configuration of the Recovery Services vault resources used by the Site Recovery service.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
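An added example for 7.1 that also covers the built-in definitions named in 6.3, 6.5 and 6.9 and the [deny] effect in 7.3 (it is not from the baseline or from Microsoft's documentation): Az PowerShell creates a custom policy targeting Microsoft.RecoveryServices/vaults that audits or denies vaults created without a required tag, assigns it at subscription scope, assigns the built-in "Not allowed resource types" definition to block classic resource types, and then lists non-compliant resources. The subscription ID, the tag name and the list of blocked types are assumptions; the rule uses the generic "type" and "tags[]" policy fields rather than a provider-specific alias.

```powershell
# Added example (assumed subscription ID, tag name and blocked types): custom policy
# for Recovery Services vaults plus the built-in "Not allowed resource types" policy.
$subId   = "00000000-0000-0000-0000-000000000000"   # assumption
$scope   = "/subscriptions/$subId"
$tagName = "environment"                             # assumption: tag every vault must carry

# Policy rule: match only Recovery Services vaults, then test for the tag. "type" and
# "tags[...]" are generic policy fields; provider-specific settings would use
# Microsoft.RecoveryServices/* aliases in the same "field" position.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.RecoveryServices/vaults" },
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters: start with Audit to measure impact, then switch the assignment to Deny.
$params = @'
{
  "tagName": { "type": "String", "metadata": { "displayName": "Required tag name" } },
  "effect":  { "type": "String", "allowedValues": [ "Audit", "Deny" ], "defaultValue": "Audit" }
}
'@

$definition = New-AzPolicyDefinition `
    -Name "rsv-require-tag" `
    -DisplayName "Recovery Services vaults must carry a required tag" `
    -Description "Audits or denies Recovery Services vaults missing the tag named in the tagName parameter." `
    -Mode Indexed `
    -Policy $rule `
    -Parameter $params

New-AzPolicyAssignment `
    -Name "rsv-require-tag-prod" `
    -DisplayName "Recovery Services vaults must carry the $tagName tag" `
    -PolicyDefinition $definition `
    -Scope $scope `
    -PolicyParameterObject @{ tagName = $tagName; effect = "Audit" } | Out-Null

# Built-in "Not allowed resource types" (6.3, 6.5, 6.9): looked up by display name
# rather than by hard-coded GUID. Classic (ASM) types are blocked here as the
# illustration, in line with 6.1's advice to use Resource Manager resources.
$notAllowed = Get-AzPolicyDefinition -Builtin |
    Where-Object { ($_.Properties.DisplayName, $_.DisplayName) -contains "Not allowed resource types" } |
    Select-Object -First 1

New-AzPolicyAssignment `
    -Name "deny-classic-resource-types" `
    -PolicyDefinition $notAllowed `
    -Scope $scope `
    -PolicyParameterObject @{
        listOfResourceTypesNotAllowed = @(
            "Microsoft.ClassicCompute/virtualMachines",
            "Microsoft.ClassicStorage/storageAccounts",
            "Microsoft.ClassicNetwork/virtualNetworks"
        )
    } | Out-Null

# Compliance check; evaluation of a new assignment typically completes within ~30 minutes.
Get-AzPolicyState -SubscriptionId $subId -Filter "ComplianceState eq 'NonCompliant'" |
    Where-Object { $_.PolicyAssignmentName -in @("rsv-require-tag-prod", "deny-classic-resource-types") } |
    Select-Object Timestamp, PolicyAssignmentName, ResourceType, ResourceId |
    Format-Table -AutoSize
```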

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.5: Securely store configuration of Azure resources

Guidance: If you use custom Azure Policy definitions for your Recovery Services vaults and related resources, choose Azure Repos to securely store and manage that code.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.7: Deploy configuration management tools for Azure resources

Guidance: Use built-in Azure Policy definitions, as well as Azure Policy aliases in the "Microsoft.RecoveryServices" namespace, to create custom policies that alert on, audit, and enforce system configurations.

Additionally, develop a process and pipeline for managing policy exceptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use built-in Azure Policy definitions, as well as Azure Policy aliases in the "Microsoft.RecoveryServices" namespace, to create custom policies that alert on, audit, and enforce system configurations.

Use the Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.11: Manage Azure secrets securely

Guidance: Customers should manage Site Recovery secrets through the integration with Azure Key Vault when enabling disaster recovery for Azure Disk Encryption-enabled virtual machines.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner also encourages moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware Defense

For more information, see the Azure Security Benchmark: Malware Defense.

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft Antimalware is enabled on the underlying hosts that support Azure services (for example, Site Recovery); however, it does not run on your content. Pre-scan any files being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, and Blob Storage.

Use Security Center's threat detection for data services to detect malware uploaded to storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data Recovery

For more information, see the Azure Security Benchmark: Data Recovery.

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Site Recovery internally uses an Azure Storage account to maintain the state of the disaster recovery solution, as configured by customers on their workloads.

All storage resources used for Site Recovery service metadata are configured as Read Access Geo-redundant storage (RA-GRS). Storage accounts of a type above GRS (such as RA-GRS and RA-GZRS) replicate your data to a secondary region (hundreds of miles away from the primary location of the source data) so that disaster recovery can continue to be served to customers during outages.

This is out of the customer's scope and is handled internally by the Site Recovery team. Customers can back up Key Vault keys in Azure.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Periodically test restores of backed-up customer-managed keys.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Data is encrypted at rest using Storage Service Encryption (SSE) for Azure Infrastructure as a Service (IaaS) virtual machines. Enable soft delete in Key Vault to protect keys against accidental or malicious deletion.

Azure Security Center monitoring: Yes

Responsibility: Customer
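An added example for 9.2, 9.3 and 9.4 together (it is not from the baseline or from Microsoft's documentation): Az PowerShell backs up the customer-managed key that encrypts a Recovery Services vault, performs a restore drill into a separate Key Vault, verifies the restored key, and confirms that soft delete and purge protection are on. The Key Vault names and key name are assumptions; the drill vault must be in the same subscription and Azure geography as the source, because Key Vault backup blobs cannot be restored anywhere else.

```powershell
# Added example (assumed names): back up the Site Recovery customer-managed key,
# run a restore drill, and check the vault's deletion protections.
$kvName     = "kv-dr-prod"         # assumption: Key Vault holding the vault's CMK
$keyName    = "asr-cmk"            # assumption: name of the customer-managed key
$drillKv    = "kv-dr-restoretest"  # assumption: separate vault, same subscription and geography
$backupPath = Join-Path $env:TEMP ("{0}-{1}.keybackup" -f $keyName, (Get-Date -Format "yyyyMMddHHmmss"))

# 9.2: Backup-AzKeyVaultKey writes an encrypted blob covering every key version.
# Store it with the same access controls as the key itself.
Backup-AzKeyVaultKey -VaultName $kvName -Name $keyName -OutputFile $backupPath -Force | Out-Null
Write-Host "Backup written to $backupPath"

# 9.3: restore drill. Key Vault refuses to restore over an existing (or soft-deleted)
# key of the same name, so the drill vault must not already hold one.
if (Get-AzKeyVaultKey -VaultName $drillKv -Name $keyName -ErrorAction SilentlyContinue) {
    throw "Key '$keyName' already exists in '$drillKv'; remove and purge it before the next drill."
}
$restored = Restore-AzKeyVaultKey -VaultName $drillKv -InputFile $backupPath
$source   = Get-AzKeyVaultKey -VaultName $kvName -Name $keyName

# The restore preserves versions and attributes, so the current version must match.
if ($restored.Version -ne $source.Version) {
    throw "Restore drill failed: restored version $($restored.Version) differs from source $($source.Version)."
}
Write-Host "Restore drill succeeded: version $($restored.Version) present in $drillKv"

# 9.4: soft delete keeps deleted keys recoverable; purge protection stops anyone,
# including an attacker holding the right permission, from purging them early.
$kv = Get-AzKeyVault -VaultName $kvName
if (-not $kv.EnableSoftDelete) {
    Write-Warning "Soft delete is not enabled on $kvName"
}
if (-not $kv.EnablePurgeProtection) {
    Write-Warning "Purge protection is off on $kvName; enabling it (this cannot be undone)."
    Update-AzKeyVault -VaultName $kvName -ResourceGroupName $kv.ResourceGroupName -EnablePurgeProtection | Out-Null
}
```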

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization.

Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling or management, from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Prioritize which alerts should be investigated first based on the alert severity assigned by Security Center. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Mark subscriptions clearly (for example, production, non-production) and create a naming system to clearly identify and categorize Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party.

Create a process to review incidents after they occur to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.

Use the Security Center data connector to stream the alerts to Azure Sentinel, as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration Tests and Red Team Exercises

For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Azure Rules of Engagement to ensure that your penetration tests are not in violation of Azure policies: https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps