Azure security baseline for Stream Analytics

The Azure Security Baseline for Stream Analytics contains recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

For more information, see the Azure security baselines overview.

Network security

For more information, see Security control: Network security.

1.1: Protect Azure resources within virtual networks

Guidance: Azure Stream Analytics does not support the use of network security groups (NSG) and Azure Firewall.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and NICs

Guidance: Azure Stream Analytics does not support the use of virtual networks and subnets.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.3: Protect critical web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.4: Deny communications with known malicious IP addresses

Guidance: Use Azure Security Center threat protection to detect and alert on communications with known malicious or unused Internet IP addresses.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets

Guidance: Azure Stream Analytics does not use network security groups, and flow logs for Azure Key Vault are not captured.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Use Azure Security Center threat protection to detect unusual or potentially harmful operations in your Azure subscription environment.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.7: Manage traffic to web applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Azure Stream Analytics does not support the use of virtual networks and network rules.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Azure Stream Analytics does not support the use of virtual networks and network devices.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Azure Stream Analytics does not support the use of virtual networks and traffic configuration rules.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity Log to monitor network resource configurations and detect changes to your Stream Analytics resources. Create alerts within Azure Monitor that trigger when changes to critical resources take place.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Logging and monitoring

For more information, see Security control: Logging and monitoring.

2.1: Use approved time synchronization sources

Guidance: Microsoft maintains the time source used for Azure resources, such as Stream Analytics.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

2.2: Configure central security log management

Guidance: Ingest logs via Azure Monitor to aggregate security data such as audit events and requests. Within Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long-term/archival storage, optionally with security features such as immutable storage and enforced retention holds.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable Diagnostic Settings on your Azure Stream Analytics resources for access to administrative, security, and diagnostic logs. You may also enable Azure Activity Log Diagnostic Settings and send the logs to the same Log Analytics workspace or storage account.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.4: Collect security logs from operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: When storing security event logs in an Azure Storage account or Log Analytics workspace, you may set the retention policy according to your organization's requirements.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review the results for your Stream Analytics resources. Use Azure Monitor's Log Analytics workspace to review logs and perform queries on log data. Alternatively, you may enable and onboard data to Azure Sentinel or a third-party SIEM.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: Enable Diagnostic Settings for Stream Analytics and send logs to a Log Analytics workspace. Onboard your Log Analytics workspace to Azure Sentinel, as it provides a security orchestration automated response (SOAR) solution. This allows playbooks (automated solutions) to be created and used to remediate security issues.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.8: Centralize anti-malware logging

Guidance: Not applicable; Stream Analytics does not process or produce anti-malware related logs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.9: Enable DNS query logging

Guidance: The Azure DNS Analytics (Preview) solution in Azure Monitor gathers insights into DNS infrastructure on security, performance, and operations. Currently this does not support Azure Stream Analytics; however, you can use a third-party DNS logging solution.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.10: Enable command-line audit logging

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Identity and access control

For more information, see Security control: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure AD has built-in roles that must be explicitly assigned. Roles can be queried to discover membership. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.2: Change default passwords where applicable

Guidance: Stream Analytics does not have the concept of default passwords, as authentication is provided by Azure Active Directory and secured by role-based access control (RBAC) to manage the service. Depending on the ingestion stream services and output services in use, you need to rotate the credentials configured in the jobs.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create an identity management and role security plan, following best practices including the principle of least-privileged access for administrator roles. Use Azure Privileged Identity Management (PIM) to provide just-in-time privileged access to Azure AD and Azure resources. Use Azure PIM alerts and audit history to monitor the activity of administrative accounts. Use Azure AD security reports to help identify administrative accounts that might have been compromised.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use single sign-on (SSO) with Azure Active Directory

Guidance: Wherever possible, use Azure Active Directory SSO instead of configuring stand-alone credentials per service. Implement the Azure Security Center identity and access recommendations.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory based access

Guidance: Enable Azure Active Directory multi-factor authentication (MFA) and follow the Azure Security Center identity and access management recommendations to help protect your Stream Analytics resources.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use dedicated machines (Privileged Access Workstations) for all administrative tasks

Guidance: Use PAWs (privileged access workstations) with multi-factor authentication (MFA) configured to log into and configure Stream Analytics resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory security reports to generate logs and alerts when suspicious or unsafe activity occurs in the environment. Use Azure Security Center to monitor identity and access activity.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access named locations to allow access from only specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system. Azure AD provides role-based access control (RBAC) for fine-grained control over a client's access to Stream Analytics resources.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Review the Azure Active Directory logs to help discover stale accounts, which can include those with Storage account administrative roles. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access should be reviewed on a regular basis to make sure only the right users have continued access.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated credentials

Guidance: Enable diagnostic settings for Azure Stream Analytics and Azure Active Directory, sending all logs to a Log Analytics workspace. Configure the desired alerts (such as attempts to access disabled secrets) within Log Analytics.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.12: Alert on account login behavior deviation

Guidance: Use Azure Active Directory's Risk and Identity Protection features to configure automated responses to detected suspicious actions related to your Stream Analytics resources. You should enable automated responses through Azure Sentinel to implement your organization's security responses.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Guidance: Not applicable; Customer Lockbox is not supported for Azure Stream Analytics.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data protection

For more information, see Security control: Data protection.

4.1: Maintain an inventory of sensitive information

Guidance: Use tags to assist in tracking Stream Analytics resources that store or process sensitive information.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.2: Isolate systems storing or processing sensitive information

Guidance: Isolate Stream Analytics jobs by putting inputs, outputs, and Storage accounts in the same subscription. You can restrict your Stream Analytics jobs to the level of access to Stream Analytics resources that your applications and enterprise environments demand. You can control access to Azure Stream Analytics via Azure AD RBAC.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: Data loss prevention features are not yet available for Azure Stream Analytics resources. Implement a third-party solution if required for compliance purposes.

For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.4: Encrypt all sensitive information in transit

Guidance: Azure Stream Analytics encrypts all incoming and outgoing communications and supports TLS 1.2. Built-in checkpoints are also encrypted.

Azure Security Center monitoring: Not applicable

Responsibility: Microsoft

4.5: Use an active discovery tool to identify sensitive data

Guidance: Data identification features are not yet available for Azure Stream Analytics resources. Implement a third-party solution if required for compliance purposes.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.6: Use Azure RBAC to control access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to control how users interact with the service.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.7: Use host-based data loss prevention to enforce access control

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.8: Encrypt sensitive information at rest

Guidance: Stream Analytics doesn't store the incoming data, since all processing is done in memory. Any private data, including queries and functions, that Stream Analytics is required to persist is stored in the configured storage account. Use customer-managed keys (CMK) to encrypt your output data at rest in your storage accounts. Even without CMK, Stream Analytics automatically employs best-in-class encryption standards across its infrastructure to encrypt and secure your data.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to production instances of Azure Stream Analytics resources.

Azure Security Center monitoring: Yes

Responsibility: Customer
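Controls 1.11 and 4.9 both ask for an Activity Log alert on changes to production Stream Analytics jobs. The following is an added example (not Microsoft's code or part of the baseline) that models the alert criteria a practitioner would configure in Azure Monitor and runs them over constructed Activity Log events; the subscription ID, resource names, callers and the start/stop operation names are constructed or assumed.

```python
"""Offline model of an Azure Monitor Activity Log alert for Stream Analytics jobs.

Criteria: Administrative category, a mutating operation, terminal 'Succeeded'
status, and a target that is in the production inventory. The events below are
constructed samples that follow a subset of the real Activity Log schema.
"""
import json

# Operations that mutate a streaming job. write/delete follow the standard Azure
# Resource Manager pattern; the start/stop action names are assumed here and should
# be checked against the Microsoft.StreamAnalytics provider operations in your tenant.
CHANGE_OPERATIONS = {
    "microsoft.streamanalytics/streamingjobs/write",
    "microsoft.streamanalytics/streamingjobs/delete",
    "microsoft.streamanalytics/streamingjobs/start/action",
    "microsoft.streamanalytics/streamingjobs/stop/action",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
PROD_JOB = SUB + "/resourceGroups/rg-prod/providers/Microsoft.StreamAnalytics/streamingjobs/asa-orders-prod"
DEV_JOB = SUB + "/resourceGroups/rg-dev/providers/Microsoft.StreamAnalytics/streamingjobs/asa-orders-dev"

# Constructed production inventory, e.g. the result of a Resource Graph query on an env=prod tag.
PRODUCTION_JOBS = {PROD_JOB.lower()}


def _event(ts, caller, status, operation, resource_id, category="Administrative"):
    return {"eventTimestamp": ts, "caller": caller, "category": {"value": category},
            "status": {"value": status}, "operationName": {"value": operation},
            "resourceId": resource_id}


# Constructed Activity Log export in JSON Lines form.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _event("2021-03-01T10:00:00Z", "alice@contoso.example", "Started",
           "Microsoft.StreamAnalytics/streamingjobs/write", PROD_JOB),
    _event("2021-03-01T10:00:04Z", "alice@contoso.example", "Succeeded",
           "Microsoft.StreamAnalytics/streamingjobs/write", PROD_JOB),
    _event("2021-03-01T10:05:00Z", "bob@contoso.example", "Succeeded",
           "Microsoft.StreamAnalytics/streamingjobs/write", DEV_JOB),
    _event("2021-03-01T10:06:00Z", "bob@contoso.example", "Succeeded",
           "Microsoft.StreamAnalytics/streamingjobs/read", PROD_JOB),
    # Exports do not preserve casing of operation names or resource IDs.
    _event("2021-03-01T10:07:00Z", "svc-deploy@contoso.example", "Succeeded",
           "MICROSOFT.STREAMANALYTICS/STREAMINGJOBS/DELETE", PROD_JOB.upper()),
])


def is_critical_change(event):
    """Alert criteria for one Activity Log event.

    Only the terminal 'Succeeded' status is matched so that one ARM operation,
    which logs both Started and Succeeded, raises a single alert; operation
    names and resource IDs are compared case-insensitively.
    """
    if event.get("category", {}).get("value") != "Administrative":
        return False
    if event.get("status", {}).get("value") != "Succeeded":
        return False
    operation = event.get("operationName", {}).get("value", "").lower()
    if operation not in CHANGE_OPERATIONS:
        return False
    return event.get("resourceId", "").lower() in PRODUCTION_JOBS


def scan_events(jsonl):
    """Parse a JSON Lines Activity Log export and return the events that should alert."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_critical_change(event):
            findings.append({
                "time": event["eventTimestamp"],
                "caller": event["caller"],
                "operation": event["operationName"]["value"].lower(),
                "resource": event["resourceId"].lower(),
            })
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {f['time']} {f['caller']} {f['operation']} {f['resource']}")
```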

Vulnerability management

For more information, see Security control: Vulnerability management.

5.1: Run automated vulnerability scanning tools

Guidance: Follow recommendations from Azure Security Center on securing your Azure Stream Analytics resources.

Microsoft performs vulnerability management on the underlying systems that support Azure Stream Analytics.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.2: Deploy automated operating system patch management solution

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.3: Deploy automated patch management solution for third-party software titles

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.4: Compare back-to-back vulnerability scans

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Use the default risk ratings (Secure Score) provided by Azure Security Center.

Azure Security Center monitoring: Yes

Responsibility: Customer

Inventory and asset management

For more information, see Security control: Inventory and asset management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query/discover all resources (such as compute, storage, network, ports, and protocols) within your subscription(s). Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources, giving metadata to logically organize them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track Azure Stream Analytics resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

In addition, use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Define and maintain an inventory of approved Azure resources

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

In addition, use Azure Resource Graph to query/discover resources within the subscription(s).

Azure Security Center monitoring: Currently not available

Responsibility: Customer

6.6: Monitor for unapproved software applications within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.7: Remove unapproved Azure resources and software applications

Guidance: Not applicable; this recommendation is intended for compute resources and Azure as a whole.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.8: Use only approved applications

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the types of resources that can be created in customer subscription(s) using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.10: Maintain an inventory of approved software titles

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.12: Limit users' ability to execute scripts within compute resources

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.13: Physically or logically segregate high-risk applications

Guidance: Not applicable; this recommendation is intended for web applications running on Azure App Service or compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Secure configuration

For more information, see Security control: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.StreamAnalytics" namespace to create custom policies to audit or enforce the configuration of your Azure Stream Analytics resources. You may also make use of built-in policy definitions related to Azure Stream Analytics, such as:

  • Diagnostic logs in Azure Stream Analytics should be enabled

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.2: Establish secure operating system configurations

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.4: Maintain secure operating system configurations

Guidance: Not applicable; this guideline is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.5: Securely store configuration of Azure resources

Guidance: Use Azure Repos to securely store and manage your code, including custom Azure policies, Azure Resource Manager templates, Desired State Configuration scripts, user-defined functions, and queries. To access the resources you manage in Azure DevOps, you can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with TFS.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.6: Securely store custom operating system images

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.7: Deploy configuration management tools for Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.StreamAnalytics" namespace to create custom policies to alert on, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.8: Deploy configuration management tools for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Azure Policy aliases in the "Microsoft.StreamAnalytics" namespace to create custom policies to alert on, audit, and enforce system configurations. Use the Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure Stream Analytics resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
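Controls 6.3/6.5/6.9 rely on the built-in "Allowed resource types" definition and controls 7.1/7.9 on custom definitions in the Microsoft.StreamAnalytics namespace. The following is an added example (not Microsoft's code or part of the baseline) that re-implements the handful of Azure Policy condition operators these rules use, so a definition can be unit-tested against constructed resource documents before it is assigned; the custom identity rule, the parameter values, the resources and the simplified alias-to-properties mapping are all constructed or assumed here.

```python
"""Offline evaluator for Azure Policy rule bodies used in this baseline.

Azure Policy itself evaluates rules inside Azure Resource Manager; this only
models the condition grammar (field/equals/notEquals/in/notIn/exists, not,
allOf, anyOf) so the definitions below can be tested before assignment.
"""
import re

PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")

# Rule body of the built-in "Allowed resource types" definition (effect: deny).
ALLOWED_RESOURCE_TYPES_RULE = {
    "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}

# Constructed custom rule for the Microsoft.StreamAnalytics namespace: audit any
# streaming job that does not use a system-assigned managed identity (control 7.12).
STREAMING_JOB_IDENTITY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.StreamAnalytics/streamingjobs"},
        {"anyOf": [
            {"field": "identity.type", "exists": "false"},
            {"field": "identity.type", "notEquals": "SystemAssigned"},
        ]},
    ]},
    "then": {"effect": "audit"},
}


def resolve(value, parameters):
    """Substitute a "[parameters('x')]" reference with the assigned parameter value."""
    if isinstance(value, str):
        m = PARAM_REF.fullmatch(value)
        if m:
            return parameters[m.group(1)]
    return value


def get_field(resource, field):
    """Resolve a policy field against a resource document.

    Handles type/name/location, identity.type and tags['key']; as a simplification
    of real alias resolution, a 'Microsoft.<rp>/<type>/<path>' alias is treated as
    a dotted path under 'properties' (assumption, not the service's alias table).
    """
    if field == "identity.type":
        return (resource.get("identity") or {}).get("type")
    tag = re.fullmatch(r"tags\['([^']+)'\]", field)
    if tag:
        return (resource.get("tags") or {}).get(tag.group(1))
    if field in ("type", "name", "location"):
        return resource.get(field)
    path = field.split("/", 2)[2] if field.count("/") >= 2 else field
    node = resource.get("properties") or {}
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def norm(v):
    return v.lower() if isinstance(v, str) else v  # policy string compares are case-insensitive


def matches(cond, resource, parameters):
    """Return True when the policy condition matches the resource."""
    if "not" in cond:
        return not matches(cond["not"], resource, parameters)
    if "allOf" in cond:
        return all(matches(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, parameters) for c in cond["anyOf"])
    actual = get_field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return norm(actual) == norm(resolve(cond["equals"], parameters))
    if "notEquals" in cond:
        return norm(actual) != norm(resolve(cond["notEquals"], parameters))
    if "in" in cond:
        return norm(actual) in {norm(x) for x in resolve(cond["in"], parameters)}
    if "notIn" in cond:
        return norm(actual) not in {norm(x) for x in resolve(cond["notIn"], parameters)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, resource, parameters=None):
    """Return the effect the rule would apply to the resource, or None if compliant."""
    if matches(rule["if"], resource, parameters or {}):
        return rule["then"]["effect"].lower()
    return None


# Constructed resource documents, shaped like the bodies of ARM requests.
PROD_JOB = {"type": "Microsoft.StreamAnalytics/streamingjobs", "name": "asa-orders-prod",
            "identity": {"type": "SystemAssigned"}, "properties": {"sku": {"name": "Standard"}}}
LEGACY_JOB = {"type": "Microsoft.StreamAnalytics/streamingjobs", "name": "asa-legacy",
              "properties": {"sku": {"name": "Standard"}}}
STRAY_VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm-test"}
ALLOWED = {"listOfResourceTypesAllowed": ["Microsoft.StreamAnalytics/streamingjobs",
                                          "Microsoft.EventHub/namespaces",
                                          "Microsoft.Storage/storageAccounts"]}

if __name__ == "__main__":
    for r in (PROD_JOB, LEGACY_JOB, STRAY_VM):
        print(r["name"], evaluate(ALLOWED_RESOURCE_TYPES_RULE, r, ALLOWED),
              evaluate(STREAMING_JOB_IDENTITY_RULE, r))
```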

7.10: Implement automated configuration monitoring for operating systems

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.11: Manage Azure secrets securely

Guidance: Connection details of the input and output resources used by your Stream Analytics job are stored in the configured storage account. Encrypt that storage account to secure all of your data. Also, regularly rotate the credentials for each input and output of a Stream Analytics job.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.12: Manage identities securely and automatically

Guidance: Managed Identity authentication for outputs gives Stream Analytics jobs direct access to services such as Power BI and Storage Accounts instead of using a connection string.
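As an added example (not from this baseline or the product documentation), this Resource Manager resource fragment defines a Stream Analytics job with a system-assigned managed identity and a Blob Storage output that authenticates with that identity, so no storage account key appears in the template; the connection-string variant would instead carry an accountKey entry in storageAccounts. The apiVersion, the authenticationMode property and its Msi value, and the parameter names are assumptions about the ARM schema as I understand it; verify them against the current template reference.

```json
{
  "type": "Microsoft.StreamAnalytics/streamingjobs",
  "apiVersion": "2017-04-01-preview",
  "name": "[parameters('jobName')]",
  "location": "[resourceGroup().location]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "sku": {
      "name": "Standard"
    },
    "outputs": [
      {
        "name": "BlobOutputManagedIdentity",
        "properties": {
          "datasource": {
            "type": "Microsoft.Storage/Blob",
            "properties": {
              "storageAccounts": [
                {
                  "accountName": "[parameters('storageAccountName')]"
                }
              ],
              "container": "asa-output",
              "pathPattern": "{date}/{time}",
              "dateFormat": "yyyy/MM/dd",
              "timeFormat": "HH",
              "authenticationMode": "Msi"
            }
          },
          "serialization": {
            "type": "Json",
            "properties": {
              "encoding": "UTF8",
              "format": "LineSeparated"
            }
          }
        }
      }
    ]
  }
}
```

The job's identity still needs a data-plane role on the target account (for example, Storage Blob Data Contributor scoped to that account or container), which is granted as a separate role assignment rather than through the job definition.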

Azure Security Center monitoring: Currently not available

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Malware defense

For more information, see Security control: Malware defense.

8.1: Use centrally managed anti-malware software

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.2: Pre-scan files to be uploaded to non-compute Azure resources

Guidance: Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure Stream Analytics); however, it does not run on customer content.

Pre-scan any content being uploaded to Azure resources such as App Service, Stream Analytics, Blob Storage, etc. Microsoft cannot access your data in these instances.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

8.3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; this recommendation is intended for compute resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Data recovery

For more information, see Security control: Data recovery.

9.1: Ensure regular automated backups

Guidance: Depending on the type of output service selected, you can perform automated backups of the output data as per the recommended guidelines for your output service. The internal data, including user-defined functions, queries, and data snapshots, is stored in the configured storage account, which you can back up on a regular basis.

The data in your Azure storage account is always automatically replicated to ensure durability and high availability. Azure Storage copies your data so that it is protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. You can choose to replicate your data within the same data center, across zonal data centers within the same region, or across geographically separated regions.

You can also use the lifecycle management feature to back up data to the Archive tier. Additionally, enable soft delete for your backups stored in the storage account.

Soft delete for Azure Storage blobs: /storage/blobs/storage-blob-soft-delete?tabs=azure-portal

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.2: Perform complete system backups and back up any customer-managed keys

Guidance: The internal data, including user-defined functions, queries, and data snapshots, is stored in the configured storage account, which you can back up on a regular basis.

To back up data from storage-account-backed services, there are multiple methods available, including azcopy and third-party tools. Immutable storage for Azure Blob storage enables users to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval.

Customer-managed or customer-provided keys can be backed up within Azure Key Vault using the Azure CLI or PowerShell.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Periodically perform data restoration of your backup data to test the integrity of the data.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Stream Analytics backups stored within your Azure Storage account are encrypted by default, and this encryption cannot be turned off. You should treat your backups as sensitive data and apply the relevant access and data protection controls as part of this baseline.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Incident response

For more information, see Security control: Incident response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as the phases of incident handling and management, from detection to post-incident review.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production and non-production) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises to test your systems' incident response capabilities on a regular cadence to help protect your Azure resources. Identify weak points and gaps and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Azure Security Center to automatically trigger responses via Logic Apps to security alerts and recommendations, protecting your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration tests and red team exercises

For more information, see Security control: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance:

Azure Security Center monitoring: Not applicable

Responsibility: Shared

Next steps