Azure Policy built-in definitions for Azure virtual machine scale sets

This page is an index of Azure Policy built-in policy definitions for Azure virtual machine scale sets. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Microsoft.Compute

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.0-preview |
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 2.0.0 |
| Access through Internet facing endpoint should be restricted | Azure Security Center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. | AuditIfNotExists, Disabled | 2.0.0 |
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 2.0.0 |
| Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 2.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0-preview |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0-preview |
| Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Deny | 1.0.1 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 |
| Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines allow remote connections from accounts without passwords. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Linux machines that are not using SSH key for authentication | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine allows passwords for authenticating through SSH. | AuditIfNotExists, Disabled | 2.0.0-preview |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines do not have the passwd file permissions set to 0644. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | auditIfNotExists | 1.0.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines have accounts without passwords. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | auditIfNotExists | 1.0.0 |
| Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 |
| Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | audit | 1.0.1 |
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | audit | 1.0.0 |
| Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | auditIfNotExists | 1.0.0 |
| Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with matching status as specified by the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines on which Windows Defender Exploit Guard is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. | AuditIfNotExists, Disabled | 1.1.0-preview |
| Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines allow re-use of the previous 24 passwords. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have a maximum password age of 70 days. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have a minimum password age of 1 day. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have the password complexity setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not restrict the minimum password length to 14 characters. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not store passwords using reversible encryption. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | auditIfNotExists | 1.0.0 |
| Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | auditIfNotExists | 1.0.0 |
| Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | auditIfNotExists | 1.0.0 |
| Audit Windows web servers that are not using secure communication protocols | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. | auditIfNotExists | 1.0.0 |
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 1.0.1 |
| Configure backup on VMs of a location to an existing central Vault in the same location | This policy configures Azure Backup protection on VMs in a given location to an existing central vault in the same location. It applies to only those VMs that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond the defined schedule. This policy will be enhanced to support more VM images. | deployIfNotExists, auditIfNotExists, disabled | 1.0.0 |
| Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set the specified time zone on Windows virtual machines. | deployIfNotExists | 1.1.0-preview |
| Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.0.0 |
| Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 1.2.1 |
| Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | deployIfNotExists | 1.2.1 |
| Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 1.2.1 |
| Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | deployIfNotExists | 1.2.1 |
| Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 1.0.1 |
| Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | deployIfNotExists | 1.0.1 |
| Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 1.0.1 |
| Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | deployIfNotExists | 1.0.1 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.0-preview |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.0-preview |
| Diagnostic logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.0 |
应在虚拟机上应用磁盘加密Disk encryption should be applied on virtual machines Azure 安全中心建议对未启用磁盘加密的虚拟机进行监视。Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在虚拟机规模集上安装终结点保护解决方案Endpoint protection solution should be installed on virtual machine scale sets 审核终结点保护解决方案在虚拟机规模集上的存在性和运行状况 ,以保护其免受威胁和漏洞的侵害。Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
面向 Internet 的虚拟机应使用网络安全组进行保护Internet-facing virtual machines should be protected with network security groups 使用网络安全组 (NSG) 限制对 VM 的访问,以此防范 VM 遭受潜在威胁。Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 如需详细了解如何使用 NSG 控制流量,请访问 https://aka.ms/nsg-docLearn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应禁用虚拟机上的 IP 转发IP Forwarding on your virtual machine should be disabled 在虚拟机的 NIC 上启用 IP 转发可让该计算机接收发往其他目标的流量。Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. 极少需要启用 IP 转发(例如,将 VM 用作网络虚拟设备时),因此,此策略应由网络安全团队评审。IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
Linux 计算机应符合 Azure 安全基线的要求Linux machines should meet requirements for the Azure security baseline 要求将先决条件部署到策略分配范围。Requires that prerequisites are deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. 如果 Linux 计算机应符合 Azure 安全基线的要求,则计算机不符合要求Machines are non-compliant if Linux machines should meet the requirements for the Azure security baseline AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.0-preview1.0.0-preview
应在计算机上解决 Log Analytics 代理运行状况问题Log Analytics agent health issues should be resolved on your machines 安全中心使用 Log Analytics 代理,它之前被称为 Microsoft Monitoring Agent (MMA)。Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). 为了确保成功监视虚拟机,需要确保此代理安装在虚拟机上,并能正确地将安全事件收集到配置的工作区中。To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
Log Analytics 代理应安装在虚拟机上,用于 Azure 安全中心监视Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 此策略审核是否有任何 Windows/Linux 虚拟机 (VM) 没有安装安全中心用于监视安全漏洞和威胁的 Log Analytics 代理This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
Log Analytics 代理应安装在虚拟机规模集上,用于 Azure 安全中心监视Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 安全中心从 Azure 虚拟机 (VM) 收集数据,以监视安全漏洞和威胁。Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应通过即时网络访问控制来保护虚拟机的管理端口Management ports of virtual machines should be protected with just-in-time network access control 建议通过 Azure 安全中心监视可能的网络适时 (JIT) 访问Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应关闭虚拟机上的管理端口Management ports should be closed on your virtual machines 打开远程管理端口会使 VM 暴露在较高级别的 Internet 攻击风险之下。Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. 此类攻击试图暴力破解凭据,来获取对计算机的管理员访问权限。These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
Microsoft Antimalware for Azure 应配置为自动更新保护签名Microsoft Antimalware for Azure should be configured to automatically update protection signatures 此策略会审核所有未配置自动更新 Microsoft Antimalware 保护签名的 Windows 虚拟机。This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在 Windows Server 上部署 Microsoft IaaSAntimalware 扩展Microsoft IaaSAntimalware extension should be deployed on Windows servers 此策略会审核所有未部署 Microsoft IaaSAntimalware 扩展的 Windows Server VM。This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
监视 Azure 安全中心 Endpoint Protection 的缺失情况Monitor missing Endpoint Protection in Azure Security Center 建议通过 Azure 安全中心监视未安装 Endpoint Protection 代理的服务器Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在 Linux 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Linux virtual machines 安全中心使用 Microsoft Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,如网络映射上的流量可视化、网络强化建议和特定网络威胁。Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.1-preview1.0.1-preview
应在 Windows 虚拟机上安装网络流量数据收集代理Network traffic data collection agent should be installed on Windows virtual machines 安全中心使用 Microsoft Dependency Agent 从 Azure 虚拟机收集网络流量数据,以启用高级网络保护功能,如网络映射上的流量可视化、网络强化建议和特定网络威胁。Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.1-preview1.0.1-preview
应使用网络安全组来保护非面向 Internet 的虚拟机Non-internet-facing virtual machines should be protected with network security groups 使用网络安全组 (NSG) 限制对 VM 的访问,以此防范非面向 Internet 的 VM 遭受潜在威胁。Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). 如需详细了解如何使用 NSG 控制流量,请访问 https://aka.ms/nsg-docLearn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应当仅安装已批准的 VM 扩展Only approved VM extensions should be installed 此策略约束未获批准的虚拟机扩展。This policy governs the virtual machine extensions that are not approved. Audit、Deny、DisabledAudit, Deny, Disabled 1.0.01.0.0
要求自动在虚拟机规模集上执行 OS 映像修补Require automatic OS image patching on Virtual Machine Scale Sets 该策略可强制启用虚拟机规模集上的自动 OS 映像修补程序,以便通过应用每月的最新安全修补程序始终确保虚拟机安全。This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. denydeny 1.0.01.0.0
应在虚拟机规模集上安装系统更新System updates on virtual machine scale sets should be installed 审核是否缺少系统安全更新和关键更新,为了确保 Windows 和 Linux 虚拟机规模集的安全,应安装这些更新。Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在计算机上安装系统更新System updates should be installed on your machines 建议通过 Azure 安全中心监视服务器上缺失的安全系统更新Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应在虚拟机规模集上安装 Log Analytics 代理The Log Analytics agent should be installed on Virtual Machine Scale Sets 此策略审核是否有任何 Windows/Linux 虚拟机规模集未安装 Log Analytics 代理。This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应在虚拟机上安装 Log Analytics 代理The Log Analytics agent should be installed on virtual machines 此策略审核是否有任何 Windows/Linux 虚拟机未安装 Log Analytics 代理。This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 1.0.01.0.0
应当加密未附加的磁盘Unattached disks should be encrypted 此策略会审核未启用加密的所有未附加磁盘。This policy audits any unattached disk without encryption enabled. Audit、DisabledAudit, Disabled 1.0.01.0.0
应将虚拟机迁移到新的 Azure 资源管理器资源Virtual machines should be migrated to new Azure Resource Manager resources 对虚拟机使用新的 Azure 资源管理器以提供安全增强功能,例如:更强的访问控制 (RBAC)、更佳审核功能、基于 Azure 资源管理器的部署和治理、对托管标识的访问、访问密钥保管库以获取机密、基于 Azure AD 的身份验证以及支持使用标记和资源组简化安全管理Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit、Deny、DisabledAudit, Deny, Disabled 1.0.01.0.0
应修正容器安全配置中的漏洞Vulnerabilities in container security configurations should be remediated 在安装了 Docker 的计算机上审核安全配置中的漏洞,并在 Azure 安全中心显示为建议。Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复计算机上安全配置中的漏洞Vulnerabilities in security configuration on your machines should be remediated 建议通过 Azure 安全中心监视不满足配置的基线的服务器Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应修复虚拟机规模集上安全配置中的漏洞Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 审核虚拟机规模集上的 OS 漏洞,以保护其免受攻击。Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
应通过漏洞评估解决方案修复漏洞Vulnerabilities should be remediated by a Vulnerability Assessment solution 建议在 Azure 安全中心监视漏洞评估解决方案检测到的漏洞和没有漏洞评估解决方案的 VM。Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.02.0.0
Windows 计算机应符合“管理模板 - 控制面板”的要求Windows machines should meet requirements for 'Administrative Templates - Control Panel' 对于输入个性化和阻止启用锁屏界面,Windows 计算机应在“管理模板 - 控制面板”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“管理模板 - MSS (旧版)”的要求Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' 对于自动登录、屏幕保护程序、网络行为、安全 DLL 和事件日志,Windows 计算机应在“管理模板 - MSS (旧版)”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“管理模板 - 网络”的要求Windows machines should meet requirements for 'Administrative Templates - Network' Windows 计算机应在“管理模板 - 网络”类别中使用指定的组策略设置,用于来宾登录、并发连接、网桥、ICS 和多播名称解析。Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“管理模板 - 系统”的要求Windows machines should meet requirements for 'Administrative Templates - System' 对于控制管理体验和远程协助的设置,Windows 计算机应在“管理模板 - 系统”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 帐户”的要求Windows machines should meet requirements for 'Security Options - Accounts' Windows 计算机应在“安全选项 - 帐户”类别中具有指定的组策略设置,以限制本地帐户使用空白密码和来宾帐户状态。Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 审核”的要求Windows machines should meet requirements for 'Security Options - Audit' Windows 计算机应在“安全选项 - 审核”类别中具有指定的组策略设置,以便在无法记录安全审核的情况下,强制实施审核策略子类别并进行关闭。Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 设备”的要求Windows machines should meet requirements for 'Security Options - Devices' Windows 计算机应在“安全选项 - 设备”类别中具有指定的组策略设置,以便在不登录的情况下进行移除、安装打印驱动程序以及设置格式/弹出媒体。Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 交互式登录”的要求Windows machines should meet requirements for 'Security Options - Interactive Logon' Windows 计算机应在“安全选项 - 交互式登录”类别中具有指定的组策略设置,以便显示上一个用户名并要求按 Ctrl-Alt-Del。此策略要求来宾配置先决条件已部署到策略分配范围。Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - Microsoft 网络客户端”的要求Windows machines should meet requirements for 'Security Options - Microsoft Network Client' 对于 Microsoft 网络客户端/服务器和 SMB v1,Windows 计算机应在“安全选项 - Microsoft 网络客户端”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - Microsoft 网络服务器”的要求Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows 计算机应在“安全选项 - Microsoft 网络服务器”类别中具有指定的组策略设置,以禁用 SMB v1 服务器。Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 网络访问”的要求Windows machines should meet requirements for 'Security Options - Network Access' Windows 计算机应在“安全选项 - 网络访问”类别中具有指定的组策略设置,以包含匿名用户、本地帐户的访问权限和对注册表的远程访问权限。Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 网络安全”的要求Windows machines should meet requirements for 'Security Options - Network Security' Windows 计算机应在“安全选项 - 网络安全”类别中使用指定的组策略设置,以包含本地系统行为、PKU2U、LAN Manager、LDAP 客户端和 NTLM SSP。Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 恢复控制台”的要求Windows machines should meet requirements for 'Security Options - Recovery console' Windows 计算机应在“安全选项 - 恢复控制台”类别中具有指定的组策略设置,以便允许对所有驱动器和文件夹进行软盘复制和访问。Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 关闭”的要求Windows machines should meet requirements for 'Security Options - Shutdown' Windows 计算机应在“安全选项 - 关闭”类别中具有指定的组策略设置,以便允许在未登录的情况下关闭并清除虚拟内存页面文件。Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 系统对象”的要求Windows machines should meet requirements for 'Security Options - System objects' 对于非 Windows 子系统不区分大小写和内部系统对象的权限,Windows 计算机应在“安全选项 - 系统对象”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 系统设置”的要求Windows machines should meet requirements for 'Security Options - System settings' 对于 SRP 和可选子系统的可执行文件的证书规则,Windows 计算机应在“安全选项 - 系统设置”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全选项 - 用户帐户控制”的要求Windows machines should meet requirements for 'Security Options - User Account Control' 对于管理员模式、提升提示行为以及虚拟化文件和注册表写入失败,Windows 计算机应在“安全选项 - 用户帐户控制”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“安全设置 - 帐户策略”的要求Windows machines should meet requirements for 'Security Settings - Account Policies' 对于密码历史记录、使用期限、长度、复杂性以及使用可还原加密存储密码,Windows 计算机应在“安全设置 - 帐户策略”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“系统审核策略 - 帐户登录”的要求Windows machines should meet requirements for 'System Audit Policies - Account Logon' Windows 计算机应在“系统审核策略 - 帐户登录”类别中具有指定的组策略设置,以便审核凭据验证和其他帐户登录事件。Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“系统审核策略 - 帐户管理”的要求Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows 计算机应在“系统审核策略 - 帐户管理”类别中具有指定的组策略设置,以便审核应用程序、安全性和用户组管理以及其他管理事件。Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“系统审核策略 - 详细跟踪”的要求Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows 计算机应在“系统审核策略 - 详细跟踪”类别中具有指定的组策略设置,以便审核 DPAPI、进程创建/终止、RPC 事件和 PNP 活动。Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“系统审核策略 - 登录与注销”的要求Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows 计算机应在“系统审核策略 - 登录与注销”类别中具有指定的组策略设置,以便审核 IPSec、网络策略、声明、帐户锁定、组成员身份和登录/注销事件。Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“系统审核策略 - 对象访问”的要求Windows machines should meet requirements for 'System Audit Policies - Object Access' Windows 计算机应在“系统审核策略 - 对象访问”类别中具有指定的组策略设置,以便审核文件、注册表、SAM、存储、筛选、内核和其他系统类型。Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“系统审核策略 - 策略更改”的要求Windows machines should meet requirements for 'System Audit Policies - Policy Change' Windows 计算机应在“系统审核策略 - 策略更改”类别中具有指定的组策略设置,以便审核对系统审核策略所做的更改。Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“系统审核策略 - 特权使用”的要求Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows 计算机应在“系统审核策略 - 特权使用”类别中具有指定的组策略设置,以便审核非敏感特权和其他权限使用。Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“系统审核策略 - 系统”的要求Windows machines should meet requirements for 'System Audit Policies - System' Windows 计算机应在“系统审核策略 - 系统”类别中具有指定的组策略设置,以便审核 IPsec 驱动程序、系统完整性、系统扩展、状态更改和其他系统事件。Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“用户权限分配”的要求Windows machines should meet requirements for 'User Rights Assignment' Windows 计算机应在“用户权限分配”类别中具有指定的组策略设置,以允许本地登录、RDP、从网络进行访问以及其他很多用户活动。Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“Windows 组件”的要求Windows machines should meet requirements for 'Windows Components' 对于基本身份验证、未加密的流量、Microsoft 帐户、遥测、Cortana 和其他 Windows 行为,Windows 计算机应在“Windows 组件”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview
Windows 计算机应符合“Windows 防火墙属性”的要求Windows machines should meet requirements for 'Windows Firewall Properties' 对于防火墙状态、连接、规则管理和通知,Windows 计算机应在“Windows 防火墙属性”类别中具有指定的组策略设置。Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. 此策略要求来宾配置先决条件已部署到策略分配范围。This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 有关详细信息,请访问 https://aka.ms/gcpolFor details, visit https://aka.ms/gcpol. AuditIfNotExists、DisabledAuditIfNotExists, Disabled 2.0.0-preview2.0.0-preview

Microsoft.ClassicCompute

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 2.0.0 |
| Access through Internet facing endpoint should be restricted | Azure Security Center has identified some of your Network Security Groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to easily target your resources. | AuditIfNotExists, Disabled | 2.0.0 |
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 2.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Disk encryption should be applied on virtual machines | Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 2.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 2.0.0 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 2.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 2.0.0 |
| Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display them as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |
| Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by a Vulnerability Assessment solution, and VMs without a Vulnerability Assessment solution, in Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 2.0.0 |

Next steps