Security recommendations for Windows virtual machines in Azure

This article contains security recommendations for Azure Virtual Machines. Follow these recommendations to help fulfill the security obligations described in our model for shared responsibility. The recommendations will also help you improve the overall security of the web app solutions you host on VMs. For more information about what Azure does to fulfill service-provider responsibilities, see Shared responsibilities for cloud computing.

Some of this article's recommendations can be automatically addressed by Azure Security Center. Azure Security Center is the first line of defense for your resources in Azure. It periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then recommends how to address the vulnerabilities. For more information, see Security recommendations in Azure Security Center.

For general information about Azure Security Center, see What is Azure Security Center?.

In the tables below, "Yes" in the Security Center column marks recommendations that Azure Security Center monitors and reports on for you; "-" marks recommendations you must verify yourself.

General

| Recommendation | Comments | Security Center |
| --- | --- | --- |
| When you build custom VM images, apply the latest updates. | Before you create images, install the latest updates for the operating system and for all applications that will be part of your image. Otherwise every VM deployed from the image starts out with known, unpatched vulnerabilities. | - |
| Keep your VMs current. | You can use the Update Management solution in Azure Automation to manage operating system updates for your Windows and Linux computers in Azure. | Yes |
| Back up your VMs. | Azure Backup helps protect your application data and has minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications. Azure Backup protects your VMs that run Windows and Linux. | - |
| Use multiple VMs for greater resilience and availability. | If your VM runs applications that must be highly available, use multiple VMs or availability sets. | - |
| Adopt a business continuity and disaster recovery (BCDR) strategy. | Azure Site Recovery allows you to choose from different options designed to support business continuity. It supports different replication and failover scenarios. For more information, see About Site Recovery. | - |

Data security

| Recommendation | Comments | Security Center |
| --- | --- | --- |
| Encrypt operating system disks. | Azure Disk Encryption helps you encrypt your Windows and Linux IaaS VM disks. Without the necessary keys, the contents of encrypted disks are unreadable. Disk encryption protects stored data from unauthorized access that would otherwise be possible if the disk were copied. | Yes |
| Encrypt data disks. | Azure Disk Encryption helps you encrypt your Windows and Linux IaaS VM disks. Without the necessary keys, the contents of encrypted disks are unreadable. Disk encryption protects stored data from unauthorized access that would otherwise be possible if the disk were copied. Encrypt data disks as well as the OS disk; application data usually lives on data disks. | - |
| Limit installed software. | Limit installed software to what is required to deploy and run your solution. This guideline helps reduce your solution's attack surface. | - |
| Use antivirus or antimalware. | In Azure, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, and Kaspersky. This software helps protect your VMs from malicious files, adware, and other threats. You can deploy Microsoft Antimalware based on your application workloads. Microsoft Antimalware is available for Windows machines only. Use either the basic secure-by-default configuration or an advanced custom configuration. For more information, see Microsoft Antimalware for Azure Cloud Services and Virtual Machines. | - |
| Securely store keys and secrets. | Simplify the management of your secrets and keys by providing your application owners with a secure, centrally managed option (such as Azure Key Vault) instead of storing them on disk or in configuration files. This management reduces the risk of an accidental compromise or leak. | - |
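The disk-encryption and antimalware rows above describe settings you apply to each VM. The following Az PowerShell script is an added example, not code from the original article, that enables Azure Disk Encryption for both the OS and data disks of a Windows VM with the encryption keys held in Key Vault, verifies the result, and then deploys the Microsoft Antimalware extension with a custom configuration. It assumes the Az module is installed and `Connect-AzAccount` has already been run; the resource group, VM, Key Vault and exclusion values are placeholders.

```powershell
# Added example (not from the original page). Assumes Az module + existing login.
# Resource names below are placeholders.
$rg       = 'rg-web-prod'   # placeholder resource group
$vmName   = 'vm-web-01'     # placeholder Windows VM
$kvName   = 'kv-web-prod'   # placeholder Key Vault that will hold the disk encryption keys
$location = 'eastus'

# 1. Key Vault must be enabled for disk encryption so the compute platform can
#    read and write the BitLocker encryption keys (BEKs) it stores there.
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $kv) {
    $kv = New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $location `
        -EnabledForDiskEncryption
} else {
    Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
}

# 2. Encrypt OS and data volumes (-VolumeType All). The VM reboots while the
#    extension runs, so do this in a maintenance window. -Force skips the prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 3. Verify: both volume types should report 'Encrypted'. Treat anything else
#    ('NotEncrypted', 'EncryptionInProgress', 'Unknown') as not yet compliant.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
if ($status.OsVolumeEncrypted -ne 'Encrypted' -or $status.DataVolumesEncrypted -ne 'Encrypted') {
    Write-Warning ("Encryption incomplete on {0}: OS={1} Data={2}" -f `
        $vmName, $status.OsVolumeEncrypted, $status.DataVolumesEncrypted)
}

# 4. Microsoft Antimalware with an advanced (custom) configuration: real-time
#    protection on, weekly quick scan, and exclusions for a database workload.
#    Exclusion values are placeholders; keep them as narrow as the workload allows.
$amSettings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{ isEnabled = $true; day = 7; time = 120; scanType = 'Quick' }
    Exclusions                = @{ Extensions = '.mdf;.ldf'; Paths = 'D:\Logs'; Processes = 'sqlservr.exe' }
} | ConvertTo-Json -Depth 5

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' `
    -ExtensionType 'IaaSAntimalware' -TypeHandlerVersion '1.3' -SettingString $amSettings

# 5. Confirm the extension provisioned.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'IaaSAntimalware'
"{0}: {1}" -f $ext.Name, $ext.ProvisioningState
```

The disk-encryption status check is the part worth keeping in a scheduled audit: Security Center flags unencrypted OS disks, but the data-disk row has no Security Center coverage, so `DataVolumesEncrypted` is what you must check yourself.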

Identity and access management

| Recommendation | Comments | Security Center |
| --- | --- | --- |
| Centralize VM authentication. | You can centralize the authentication of your Windows and Linux VMs by using Azure Active Directory authentication. Sign-ins then use Azure AD identities and policies (such as multi-factor authentication and Conditional Access) instead of local accounts whose passwords live on each VM. | - |
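As an added example (not code from the original article), the following Az PowerShell script enables Azure AD sign-in on an existing Windows VM and grants an Azure AD group the administrator sign-in role, scoped to that one VM. It assumes the Az module and an existing login, a VM running a supported image (Windows Server 2019 Datacenter or Windows 10 1809 and later), and placeholder values for the resource group, VM name and group object ID.

```powershell
# Added example (not from the original page). Assumes Az module + existing login.
$rg                 = 'rg-web-prod'                           # placeholder
$vmName             = 'vm-web-01'                             # placeholder
$adminGroupObjectId = '00000000-0000-0000-0000-000000000000'  # placeholder Azure AD group

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. The AADLoginForWindows extension needs a system-assigned managed identity on the VM.
if ($null -eq $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
}

# 2. Install the extension that joins the VM to Azure AD for sign-in.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name 'AADLoginForWindows' -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' -TypeHandlerVersion '1.0' | Out-Null

# 3. Authorize sign-in through Azure RBAC at VM scope (least privilege):
#    'Virtual Machine Administrator Login' for admins, 'Virtual Machine User Login'
#    for everyone else. Assigning at resource-group or subscription scope would
#    grant logon to every VM beneath it.
$role = 'Virtual Machine Administrator Login'
$existing = Get-AzRoleAssignment -ObjectId $adminGroupObjectId -Scope $vm.Id `
    -RoleDefinitionName $role -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $adminGroupObjectId -Scope $vm.Id -RoleDefinitionName $role | Out-Null
}

# 4. Verify the extension provisioned; 'Succeeded' means the VM is Azure AD joined.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'AADLoginForWindows'
"{0}: {1}" -f $ext.Name, $ext.ProvisioningState
```

After this, members of the group sign in over RDP as `AzureAD\user@yourtenant` and local administrator accounts can be disabled or left for break-glass use only.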

Networking

| Recommendation | Comments | Security Center |
| --- | --- | --- |
| Restrict access to management ports. | Attackers scan public cloud IP ranges for open management ports (RDP, WinRM, SSH) and attempt "easy" attacks like common passwords and known unpatched vulnerabilities. You can use just-in-time (JIT) VM access to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while still providing easy connections to VMs when they're needed. | - |
| Limit network access. | Network security groups allow you to restrict network access and control the number of exposed endpoints. For more information, see Create, change, or delete a network security group. | - |
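Both rows above come down to NSG rules. The following Az PowerShell script is an added example, not code from the original article. It first audits every NSG in the current subscription for inbound Allow rules that expose a management port to the Internet (the exact exposure the table warns about), then adds an explicit Deny for those ports on one NSG and hands access over to a JIT policy so the ports are only opened on request. It assumes the Az and Az.Security modules and an existing login; resource names, the region and the admin source range are placeholders.

```powershell
# Added example (not from the original page). Assumes Az + Az.Security modules and an existing login.
$mgmtPorts = @(22, 3389, 5985, 5986)   # SSH, RDP, WinRM HTTP, WinRM HTTPS

function Test-PortInRange {
    # NSG destination port ranges are '*', a single port 'N', or a span 'A-B'.
    param([int]$Port, [string]$Range)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

function Get-ExposedManagementRules {
    # Returns every custom inbound Allow rule whose source is the whole Internet
    # and whose destination range covers at least one management port.
    $results = @()
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            $openSource = $rule.SourceAddressPrefix | Where-Object { $_ -in @('*', 'Internet', '0.0.0.0/0') }
            if (-not $openSource) { continue }
            $hit = foreach ($p in $mgmtPorts) {
                if ($rule.DestinationPortRange | Where-Object { Test-PortInRange -Port $p -Range $_ }) { $p }
            }
            if ($hit) {
                $results += [pscustomobject]@{
                    ResourceGroup = $nsg.ResourceGroupName; NSG = $nsg.Name
                    Rule = $rule.Name; Priority = $rule.Priority; Ports = ($hit -join ',')
                }
            }
        }
    }
    return $results
}

# 1. Audit: anything listed here is reachable from the Internet on a management port.
Get-ExposedManagementRules | Sort-Object ResourceGroup, NSG, Priority | Format-Table -AutoSize

# 2. Lock down one NSG: an explicit low-priority Deny for all management ports from
#    the Internet, so a later broad Allow rule cannot silently reopen them.
$rg = 'rg-web-prod'; $nsgName = 'nsg-web'; $vmName = 'vm-web-01'; $location = 'eastus'   # placeholders
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'Deny-Mgmt-Internet')) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-Internet' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange ($mgmtPorts | ForEach-Object { "$_" }) | Out-Null
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
}

# 3. JIT: Security Center inserts a higher-priority Allow only for an approved request,
#    limited to the listed source range and duration, then removes it again.
$vmId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Id
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('203.0.113.0/24'); maxRequestAccessDuration = 'PT3H' },
        @{ number = 5986; protocol = 'TCP'; allowedSourceAddressPrefix = @('203.0.113.0/24'); maxRequestAccessDuration = 'PT1H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($jitPolicy)
```

Run the audit function on its own, on a schedule, across every subscription you own: it only reads NSGs, and a non-empty result is a finding to fix before an attacker's scanner finds the same port. The `203.0.113.0/24` range is a documentation prefix standing in for your administrators' egress addresses.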