Azure security baseline for Virtual Network

This security baseline applies guidance from the Azure Security Benchmark version 1.0 to Azure Virtual Network. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Virtual Network. Controls not applicable to Azure Virtual Network have been excluded.

To see how Azure Virtual Network completely maps to the Azure Security Benchmark, see the full Azure Virtual Network security baseline mapping file.

Network security

For more information, see the Azure Security Benchmark: Network security.

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces

Guidance: Use Security Center and follow network protection recommendations to help secure your network resources in Azure.

Send network security group flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Traffic Analytics offers the ability to visualize network activity, identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

Use Azure Monitor logs to provide insights into your environment. A workspace should be used to collate and analyze the data, and it can integrate with other Azure services such as Application Insights and Security Center.

Choose resource logs to send to an Azure storage account or an event hub. A different platform can also be used to analyze the logs.

Azure Security Center monitoring: Yes

Responsibility: Customer
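A starting point for the kind of analysis Traffic Analytics performs on flow logs, as an added example that is not part of the original baseline: it parses one network security group flow log record (version 2 format, as Network Watcher writes it to the storage account) and tallies denied inbound flows per source and bytes per rule. The record, the NSG name and the subscription placeholder are constructed for this example.

```python
"""Summarise an NSG flow log (version 2) record: denied inbound sources and bytes per rule.

Added example, not Microsoft's code. The record below is constructed; it follows the
layout Network Watcher writes to the storage account (records -> properties.flows ->
flows -> flowTuples). Each flow tuple is a comma-separated string.
"""
import json
from collections import Counter

# Field order of a version 2 flow tuple. State B (begin) tuples carry no byte/packet counters.
TUPLE_FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
                "direction", "decision", "state", "pkts_src_dst", "bytes_src_dst",
                "pkts_dst_src", "bytes_dst_src")

# Constructed sample record (one NSG, two rules). <sub-id> is a placeholder.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2021-03-01T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A1B2C3D", "flowTuples": [
            "1614592800,203.0.113.7,10.0.1.4,51234,22,T,I,D,B,,,,",
            "1614592801,203.0.113.7,10.0.1.4,51235,3389,T,I,D,B,,,,",
            "1614592802,203.0.113.7,10.0.1.4,51236,445,T,I,D,B,,,,",
            "1614592803,198.51.100.9,10.0.1.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3A1B2C3D", "flowTuples": [
            "1614592810,198.51.100.20,10.0.1.4,52000,443,T,I,A,B,,,,",
            "1614592815,198.51.100.20,10.0.1.4,52000,443,T,I,A,E,12,4100,10,3900"]}]},
    ]},
}]})


def parse_flow_log(text):
    """Flatten every flow tuple into a dict, tagging it with the NSG and rule that matched."""
    flows = []
    for record in json.loads(text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version {props.get('Version')!r}")
        for rule_block in props["flows"]:
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    parts = tup.split(",")
                    if len(parts) != len(TUPLE_FIELDS):
                        raise ValueError(f"malformed flow tuple: {tup!r}")
                    entry = dict(zip(TUPLE_FIELDS, parts))
                    entry["nsg"], entry["rule"] = nsg, rule_block["rule"]
                    flows.append(entry)
    return flows


def denied_inbound_by_source(flows):
    """Sources hitting deny rules inbound: the quickest way to see hot spots and port probing."""
    return Counter(f["src_ip"] for f in flows if f["direction"] == "I" and f["decision"] == "D")


def ports_probed_by(flows, src_ip):
    """Distinct destination ports a source was denied on, in ascending order."""
    return sorted({int(f["dst_port"]) for f in flows if f["src_ip"] == src_ip and f["decision"] == "D"})


def bytes_by_rule(flows):
    """Bytes in both directions, summed from end-of-flow (E) tuples, per NSG rule."""
    totals = Counter()
    for f in flows:
        if f["state"] == "E":
            totals[f["rule"]] += int(f["bytes_src_dst"]) + int(f["bytes_dst_src"])
    return totals


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    for src, n in denied_inbound_by_source(parsed).most_common():
        print(f"{src}: {n} denied inbound flows, ports {ports_probed_by(parsed, src)}")
    for rule, total in bytes_by_rule(parsed).items():
        print(f"{rule}: {total} bytes")
```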

1.4: Deny communications with known-malicious IP addresses

Guidance: Enable distributed denial of service (DDoS) Standard protection on your Azure Virtual Network to guard against DDoS attacks.

Deploy Azure Firewall at each of the organization's network boundaries with threat intelligence-based filtering enabled and configured to "Alert and deny" for malicious network traffic.

Use Security Center's threat protection features to detect communications with known malicious IP addresses.

Apply Security Center's Adaptive Network Hardening recommendations for network security group configurations that limit ports and source IPs based on actual traffic and threat intelligence.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.5: Record network packets

Guidance: Use VPN Gateway's packet capture in addition to commonly available packet capture tools to record network packets.

You can also review agent-based or NVA solutions that provide Terminal Access Point (TAP) or network visibility functionality through packet broker partner solutions available in Azure Marketplace offerings.

Azure Security Center monitoring: Yes

Responsibility: Customer

1.6: Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)

Guidance: Use an Azure Firewall deployed on your virtual network with Threat Intelligence enabled. Use Azure Firewall threat intelligence-based filtering to alert on or deny traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

You can also select an appropriate offer from the Azure Marketplace that supports IDS/IPS functionality with payload inspection capabilities.

Deploy the firewall solution of your choice at each of your organization's network boundaries to detect and/or deny malicious traffic.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: Use Virtual Network service tags to define network access controls on network security groups or Azure Firewall. Service tags can be used in place of specific IP addresses when creating security rules. Allow or deny the traffic for the corresponding service by specifying the service tag name (for example, ApiManagement) in the appropriate source or destination field of a rule. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

Use Application Security Groups to help simplify complex security configuration. Application security groups allow you to configure network security as a natural extension of an application's structure. This enables you to group virtual machines and define network security policies based on those groups.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for network resources with Azure Policy and review the built-in network policy definitions for implementation.

Refer to the default policy for Security Center, which contains the available security recommendations related to your virtual networks.

Use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, Azure role-based access control (Azure RBAC) assignments, and policies, in a single blueprint definition. Azure Blueprints can be applied to new subscriptions for fine-tuned control and management through versioning.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

1.10: Document traffic configuration rules

Guidance: Use tags for network security groups and other resources related to network security and traffic flow. Use the "Description" field of individual network security group rules to specify the business need, duration, and other information for any rule that allows traffic to or from a network. Use any of the built-in Azure Policy definitions related to tagging, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of existing untagged resources.

Choose Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.

Azure Security Center monitoring: Not applicable

Responsibility: Customer
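An added example (not Microsoft's code) that applies the 1.8 and 1.10 checks offline to a network security group exported as an Azure Resource Manager template: it flags rules that hard-code IP addresses where a service tag or application security group would do, rules with an empty Description, rules whose stated duration has passed, and NSGs missing a required tag. The template, the required tag names and the `expires=YYYY-MM-DD` marker inside the Description are constructed conventions for this example, not Azure features.

```python
"""Audit an exported NSG template against the 1.8 and 1.10 guidance.

Added example, not Microsoft's code. Input is the JSON produced when a network security
group is exported as an Azure Resource Manager template; the template below is constructed.
The required tag names and the "expires=YYYY-MM-DD" marker in the Description are this
example's own conventions, not Azure features.
"""
import ipaddress
import json
import re
from datetime import date

REQUIRED_TAGS = ("owner", "environment")  # assumed tagging policy ("Require tag and its value")
EXPIRES_RE = re.compile(r"expires=(\d{4}-\d{2}-\d{2})")

SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2020-11-01",
        "name": "web-nsg", "location": "eastus", "tags": {"owner": "netops"},
        "properties": {"securityRules": [
            {"name": "allow-apim-inbound", "properties": {  # service tags on both sides: clean
                "description": "APIM to backend, ticket NET-123, expires=2030-01-01",
                "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
                "sourceAddressPrefix": "ApiManagement", "destinationAddressPrefix": "VirtualNetwork",
                "access": "Allow", "priority": 100, "direction": "Inbound"}},
            {"name": "allow-partner-ips", "properties": {  # literal addresses, no description
                "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
                "sourceAddressPrefixes": ["203.0.113.0/24", "198.51.100.17"],
                "destinationAddressPrefix": "*",
                "access": "Allow", "priority": 110, "direction": "Inbound"}},
            {"name": "temp-vendor-access", "properties": {  # documented, but past its stated duration
                "description": "vendor troubleshooting, expires=2021-02-01",
                "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
                "sourceAddressPrefix": "192.0.2.10", "destinationAddressPrefix": "*",
                "access": "Allow", "priority": 120, "direction": "Inbound"}},
        ]},
    }],
})


def is_literal_address(prefix):
    """True for an IP address or CIDR; '*' and service tags such as ApiManagement are not literals."""
    if prefix == "*":
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
        return True
    except ValueError:
        return False


def address_prefixes(props, side):
    """Collect both the singular and the plural prefix fields for 'source' or 'destination'."""
    prefixes = []
    if props.get(f"{side}AddressPrefix"):
        prefixes.append(props[f"{side}AddressPrefix"])
    prefixes.extend(props.get(f"{side}AddressPrefixes", []))
    return prefixes


def audit_nsg_template(text, today="2021-03-01"):
    """Return (nsg, rule, finding, detail) tuples; rule is None for NSG-level findings."""
    today = date.fromisoformat(today)
    findings = []
    for res in json.loads(text)["resources"]:
        if res["type"] != "Microsoft.Network/networkSecurityGroups":
            continue
        nsg = res["name"]
        for tag in REQUIRED_TAGS:
            if tag not in res.get("tags", {}):
                findings.append((nsg, None, "missing-tag", tag))
        for rule in res["properties"].get("securityRules", []):
            props, name = rule["properties"], rule["name"]
            for side in ("source", "destination"):
                for prefix in address_prefixes(props, side):
                    if is_literal_address(prefix):  # candidate for a service tag or ASG (1.8)
                        findings.append((nsg, name, "literal-address", prefix))
            desc = props.get("description", "").strip()
            if not desc:  # business need and duration belong in the Description (1.10)
                findings.append((nsg, name, "missing-description", ""))
                continue
            expires = EXPIRES_RE.search(desc)
            if expires and date.fromisoformat(expires.group(1)) < today:
                findings.append((nsg, name, "expired", expires.group(1)))
    return findings


if __name__ == "__main__":
    for nsg, rule, finding, detail in audit_nsg_template(SAMPLE_TEMPLATE):
        print(f"{nsg}/{rule or '-'}: {finding} {detail}".rstrip())
```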

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use Azure Activity Log to monitor network resource configurations and detect changes to your virtual network. Create alerts within Azure Monitor that trigger when changes to critical resources take place.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Logging and monitoring

For more information, see the Azure Security Benchmark: Logging and monitoring.

2.2: Configure central security log management

Guidance: Enable Azure Monitor for access to your audit and activity logs, which include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long-term/archival storage. Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.3: Enable audit logging for Azure resources

Guidance: Enable Azure Monitor for access to your audit and activity logs, which include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.5: Configure security log storage retention

Guidance: Within Azure Monitor, set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage accounts for long-term/archival storage of security logs.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

2.6: Monitor and review logs

Guidance: Analyze and monitor logs for anomalous behavior and regularly review the results. Use Azure Monitor's Log Analytics workspace to query and perform analytics, and use Azure Storage accounts for long-term/archival storage.

Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

2.7: Enable alerts for anomalous activities

Guidance: Use Security Center with a Log Analytics workspace for monitoring and alerting on anomalous activity found in security logs and events.

Alternatively, you may enable and on-board data to Azure Sentinel or a third-party SIEM for alerting.

Azure Security Center monitoring: Yes

Responsibility: Customer

2.9: Enable DNS query logging

Guidance: Implement a third-party DNS logging solution from Azure Marketplace according to your organizational needs.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Identity and access control

For more information, see the Azure Security Benchmark: Identity and access control.

3.1: Maintain an inventory of administrative accounts

Guidance: Use Azure Active Directory (Azure AD) built-in administrator roles that can be explicitly assigned and are queryable.

Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use Security Center's Identity and Access Management to monitor the number of administrative accounts.

Enable Just-In-Time / Just-Enough-Access by using Azure AD Privileged Identity Management privileged roles for Azure services and Azure Resource Manager.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.4: Use Azure Active Directory single sign-on (SSO)

Guidance: Use SSO with Azure Active Directory (Azure AD) rather than configuring individual stand-alone credentials per service. Use Security Center's Identity and Access Management recommendations.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.5: Use multi-factor authentication for all Azure Active Directory-based access

Guidance: Enable Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) and follow Security Center's Identity and Access Management recommendations.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.6: Use secure, Azure-managed workstations for administrative tasks

Guidance: Use Privileged Access Workstations (PAW) with Multi-Factor Authentication (MFA) configured to log into and access Azure network resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Azure Active Directory (Azure AD) risk detections to view alerts and reports on risky user behavior.

Ingest Security Center risk detection alerts into Azure Monitor and configure custom alerting/notifications using action groups.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access named locations to allow access from only specific logical groupings of IP address ranges or countries/regions.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for your services. Azure AD protects data by using strong encryption for data at rest and in transit, and it also salts, hashes, and securely stores user credentials.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.10: Regularly review and reconcile user access

Guidance: Use Azure Active Directory (Azure AD) to provide logs that help discover stale accounts.

Azure Identity Access Reviews can be performed to efficiently manage group memberships, access to enterprise applications, and role assignments. User access should be reviewed on a regular basis to make sure only active users have continued access.

Azure Security Center monitoring: Yes

Responsibility: Customer

3.11: Monitor attempts to access deactivated credentials

Guidance: Integrate Azure Active Directory (Azure AD) sign-in activity, audit, and risk event log sources with any SIEM or monitoring tool, based on your access.

Streamline this process by creating diagnostic settings for Azure Active Directory user accounts and sending the audit logs and sign-in logs to a Log Analytics workspace. Any desired alerts can be configured within the Log Analytics workspace.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data protection

For more information, see the Azure Security Benchmark: Data protection.

4.4: Encrypt all sensitive information in transit

Guidance: Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources in your virtual networks are able to negotiate TLS 1.2 or greater. Follow Security Center recommendations for encryption at rest and encryption in transit.

Azure provides several options that customers can use to secure data in transit, both internally within the Azure network and externally across the Internet to the end user. These include communication through virtual private networks (using IPsec/IKE encryption), Transport Layer Security (TLS) 1.2 or later (via Azure components such as Application Gateway or Azure Front Door), protocols directly on the Azure virtual machines (such as Windows IPsec or SMB), and more.

Additionally, "encryption by default" using MACsec (an IEEE standard at the data-link layer) is enabled for all Azure traffic traveling between Azure datacenters to ensure the confidentiality and integrity of customer data.

Azure Security Center monitoring: Yes

Responsibility: Shared

4.6: Use Azure RBAC to manage access to resources

Guidance: Use Azure role-based access control (Azure RBAC) to manage access to data and resources. Otherwise, use service-specific access-control methods.

Choose built-in roles like Owner, Contributor, or Network Contributor and assign the role at the appropriate scope. For example, you can assign a subset of virtual network capabilities, with the specific permissions required for virtual networks, to any of these roles.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity Log to create alerts for when changes take place to critical Azure resources like virtual networks and network security groups.

Azure Security Center monitoring: Currently not available

Responsibility: Customer
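The condition behind the alerts that 1.11 and 4.9 call for, as an added example that is not part of the original baseline: it scans exported Activity Log events for successful write or delete operations on virtual networks and network security groups, the same filter an Azure Monitor activity log alert rule would carry, and summarises who made the changes. The events, callers and subscription placeholder are constructed; they use the object form of operationName and status (`{"value": ...}`) that the Azure Monitor REST API and Azure CLI return, and the plain-string form is accepted as well.

```python
"""Flag successful write/delete operations on virtual networks and NSGs in Activity Log events.

Added example, not Microsoft's code. The events below are constructed and use the object
form of operationName / status ({"value": ...}) returned by the Azure Monitor REST API and
Azure CLI; the string form found in some exports is accepted as well.
"""
import json
from collections import Counter

# Resource types treated as critical (control 4.9). Lower-case for case-insensitive matching.
CRITICAL_TYPES = ("microsoft.network/virtualnetworks", "microsoft.network/networksecuritygroups")
CHANGE_ACTIONS = ("write", "delete")
SUB = "/subscriptions/<sub-id>/resourceGroups/rg1/providers"  # <sub-id> is a placeholder

SAMPLE_EVENTS = json.dumps([
    # Started/Succeeded pair for one rule change: only the Succeeded event should alert.
    {"eventTimestamp": "2021-03-01T09:58:02Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Started"}, "caller": "alice@contoso.example",
     "resourceId": SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-any"},
    {"eventTimestamp": "2021-03-01T09:58:09Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Succeeded"}, "caller": "alice@contoso.example",
     "resourceId": SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-any"},
    # Subnet deletion on a virtual network, with string-form fields.
    {"eventTimestamp": "2021-03-01T10:12:40Z", "category": "Administrative",
     "operationName": "Microsoft.Network/virtualNetworks/subnets/delete",
     "status": "Succeeded", "caller": "svc-deploy@contoso.example",
     "resourceId": SUB + "/Microsoft.Network/virtualNetworks/hub-vnet/subnets/app"},
    # Read of an NSG: not a change.
    {"eventTimestamp": "2021-03-01T10:13:00Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/read"},
     "status": {"value": "Succeeded"}, "caller": "bob@contoso.example",
     "resourceId": SUB + "/Microsoft.Network/networkSecurityGroups/web-nsg"},
    # Write to a non-network resource: outside the scope of this rule.
    {"eventTimestamp": "2021-03-01T10:14:00Z", "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"}, "caller": "bob@contoso.example",
     "resourceId": SUB + "/Microsoft.Compute/virtualMachines/vm1"},
])


def field_value(field):
    """Accept both {"value": "..."} and plain string forms of an Activity Log field."""
    return field.get("value") if isinstance(field, dict) else field


def resource_type(resource_id):
    """'.../providers/Microsoft.Network/virtualNetworks/v/subnets/s' -> 'microsoft.network/virtualnetworks'."""
    parts = resource_id.lower().split("/")
    if "providers" not in parts:
        return ""
    i = parts.index("providers")
    return "/".join(parts[i + 1:i + 3]) if len(parts) >= i + 3 else ""


def detect_changes(text):
    """Return one alert per successful write/delete on a critical network resource."""
    alerts = []
    for ev in json.loads(text):
        if field_value(ev.get("category")) != "Administrative":
            continue
        if field_value(ev.get("status")) != "Succeeded":  # skip Started/Failed duplicates
            continue
        op = field_value(ev.get("operationName")) or ""
        action = op.rsplit("/", 1)[-1].lower()
        if action not in CHANGE_ACTIONS:
            continue
        if resource_type(ev.get("resourceId", "")) not in CRITICAL_TYPES:
            continue
        alerts.append({
            "time": ev["eventTimestamp"], "caller": ev.get("caller", "unknown"),
            "operation": op, "resource": ev["resourceId"],
            # Severity mapping is this example's choice: deletions get the higher rating.
            "severity": "high" if action == "delete" else "medium",
        })
    return alerts


def changes_by_caller(alerts):
    """Who changed critical network resources, for the notification body."""
    return Counter(a["caller"] for a in alerts)


if __name__ == "__main__":
    for a in detect_changes(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['caller']} {a['operation']} {a['resource']}")
```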

Inventory and asset management

For more information, see the Azure Security Benchmark: Inventory and asset management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query and discover all networking resources, such as virtual networks and subnets, within your subscriptions. Ensure you have appropriate (read) permissions in your tenant and are able to enumerate all Azure subscriptions as well as the resources within your subscriptions.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources, giving them metadata to logically organize them into a taxonomy.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, where appropriate, to organize and track virtual networks and related resources. Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.4: Define and maintain inventory of approved Azure resources

Guidance: You will need to create an inventory of approved Azure resources and approved software for compute resources as per your organizational needs.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

  • Not allowed resource types

  • Allowed resource types

Query or discover resources within the subscriptions with Azure Resource Graph in high-security environments, such as those with Azure Storage accounts.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.7: Remove unapproved Azure resources and software applications

Guidance: Prevent resource creation or usage with Azure Policy as required by the organization's policies. Implement processes for removing unauthorized resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.9: Use only approved Azure services

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions using the following built-in policy definitions:

Azure Security Center monitoring: Not applicable

Responsibility: Customer

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Use Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Azure Management" app.

Azure Security Center monitoring: Yes

Responsibility: Customer

Secure configuration

For more information, see the Azure Security Benchmark: Secure configuration.

7.1: Establish secure configurations for all Azure resources

Guidance: Use Azure Policy aliases to create custom policies to audit or enforce the configuration of your Azure network resources, and also use the built-in Azure Policy definitions.

Export any of your build templates with Azure Resource Manager in JavaScript Object Notation (JSON) form and review them to ensure that the configurations meet or exceed the security requirements for your organization.

Implement recommendations from Security Center as a secure configuration baseline for your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Resource Manager templates and Azure Policy to securely configure Azure resources associated with the virtual network and related resources. Azure Resource Manager templates are JSON (JavaScript Object Notation)-based files used to deploy virtual machines along with Azure resources. Azure performs the maintenance on the base templates.

Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.5: Securely store configuration of Azure resources

Guidance: Use Azure DevOps to securely store and manage your code, such as custom Azure policies, Azure Resource Manager templates, Desired State Configuration scripts, and so on.

You must have permissions to access the resources you wish to manage in Azure DevOps, such as your code, builds, and work tracking. Most permissions are granted through built-in security groups. You can grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with Team Foundation Server.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.7: Deploy configuration management tools for Azure resources

Guidance: Define and implement standard security configurations for Azure resources using Azure Policy. Use Azure Policy aliases to create custom policies to audit or enforce the network configuration of your Azure resources, and use any built-in policy definitions related to specific resources.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use Security Center to perform baseline scans for your Azure Virtual Network and related resources. Use Azure Policy to alert on and audit Azure resource configurations.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.11: Manage Azure secrets securely

Guidance: Use Managed Service Identity in conjunction with Azure Key Vault to simplify and secure secret management for your Azure resources hosted in an Azure Virtual Network.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

Data recovery

For more information, see the Azure Security Benchmark: Data recovery.

9.1: Ensure regular automated back-ups

Guidance: Use Azure Resource Manager to deploy a virtual network and related resources. Azure Resource Manager provides the ability to export templates, which can be used as backups to restore the virtual network and related resources. Use Azure Automation to call the Azure Resource Manager template export API on a regular basis.

Azure Security Center monitoring: Currently not available

Responsibility: Customer

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Use Azure Resource Manager to deploy a virtual network and related resources. Azure Resource Manager provides the ability to export templates, which can be used as backups to restore the virtual network and related resources. Use Azure Automation to call the Azure Resource Manager template export API on a regular basis. Back up customer-managed keys within Azure Key Vault.

Azure Security Center monitoring: Yes

Responsibility: Customer

9.3: Validate all backups including customer-managed keys

Guidance: Periodically perform deployment of Azure Resource Manager templates to an isolated subscription and test restoration of backed-up customer-managed keys.

Azure Security Center monitoring: Yes

Responsibility: Customer

9.4: Ensure protection of backups and customer-managed keys

Guidance: Use Azure DevOps to securely store and manage your code, such as custom Azure Policy definitions and Azure Resource Manager templates.

Grant or deny permissions to specific users, built-in security groups, or groups defined in Azure Active Directory (Azure AD) if integrated with Azure DevOps, or Active Directory if integrated with Team Foundation Server.

Use Azure role-based access control (Azure RBAC) to protect customer-managed keys.

Enable soft-delete and purge protection in Key Vault to protect keys against accidental or malicious deletion.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

事件响应Incident response

有关详细信息,请参阅 Azure 安全基线: 事件响应For more information, see the Azure Security Benchmark: Incident response.

10.1:创建事件响应指导10.1: Create an incident response guide

指南:为组织制定事件响应指南。Guidance: Build out an incident response guide for your organization. 确保在书面的事件响应计划中定义人员职责,以及事件处理/管理从检测到事件后审查的各个阶段。Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.

Azure 安全中心监视:是Azure Security Center monitoring: Yes

责任:客户Responsibility: Customer

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Clearly mark subscriptions (for example, production or non-production) using tags, and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.3: Test security response procedures

Guidance: Conduct exercises on a regular cadence to test your systems' incident response capabilities and help protect your Azure resources. Identify weak points and gaps, and revise the plan as needed.

Azure Security Center monitoring: Not applicable

Responsibility: Customer

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information is used by Azure to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion.

You can also use the Security Center data connector to stream the alerts to Azure Sentinel.

Azure Security Center monitoring: Yes

Responsibility: Customer

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Security Center to automatically trigger responses via Logic Apps on security alerts and recommendations to protect your Azure resources.
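Both Continuous Export (control 10.5) and Workflow Automation (this control) are stored as Microsoft.Security/automations resources, so one script can stand up both. The following is an added example, not code from the original baseline or from Microsoft, using the Az.Security module's New-AzSecurityAutomation cmdlets: the first automation exports every alert and recommendation to a Log Analytics workspace, the second runs a Logic App for high-severity alerts only. Subscription ID, resource group, workspace and Logic App IDs, and the trigger URL are placeholders for this example; the 'Severity' JPath is the alert property the portal's severity filter maps to.

```powershell
# Added example (not from the original page): create two Security Center
# automations, one for continuous export to Log Analytics, one that triggers a
# Logic App on High-severity alerts. All IDs, names and URLs are placeholders.
param(
    [string]$SubscriptionId     = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroupName  = 'rg-security-ops',
    [string]$Location           = 'westeurope',
    [string]$WorkspaceId        = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security-ops/providers/Microsoft.OperationalInsights/workspaces/law-secops',
    [string]$LogicAppId         = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security-ops/providers/Microsoft.Logic/workflows/la-alert-triage',
    [string]$LogicAppTriggerUri = 'https://<logic-app-http-trigger-url>'
)

$ErrorActionPreference = 'Stop'

# Both automations apply to the whole subscription.
$scope = New-AzSecurityAutomationScope -Description 'Whole subscription' `
             -ScopePath "/subscriptions/$SubscriptionId"

# --- Automation 1: continuous export (control 10.5) -------------------------
# No rule set means every event of that type is exported.
$allAlerts = New-AzSecurityAutomationSource -EventSource 'Alerts'
$allRecs   = New-AzSecurityAutomationSource -EventSource 'Assessments'
$toWorkspace = New-AzSecurityAutomationActionWorkspace -WorkspaceResourceId $WorkspaceId

New-AzSecurityAutomation -ResourceGroupName $ResourceGroupName -Name 'export-to-law' `
    -Location $Location -Scope $scope -Source @($allAlerts, $allRecs) -Action $toWorkspace `
    -Description 'Continuous export of alerts and recommendations to Log Analytics' | Out-Null

# --- Automation 2: automated response (control 10.6) ------------------------
# Actions in an automation fire for every matching source, so the filter has to
# live on the source: only alerts whose Severity is High reach the Logic App.
$highRule   = New-AzSecurityAutomationTriggeringRule -PropertyJPath 'Severity' `
                  -PropertyType 'String' -ExpectedValue 'High' -Operator 'Equals'
$highSet    = New-AzSecurityAutomationRuleSet -Rule $highRule
$highAlerts = New-AzSecurityAutomationSource -EventSource 'Alerts' -RuleSet $highSet
$toLogicApp = New-AzSecurityAutomationActionLogicApp -LogicAppResourceId $LogicAppId -Uri $LogicAppTriggerUri

New-AzSecurityAutomation -ResourceGroupName $ResourceGroupName -Name 'respond-high-alerts' `
    -Location $Location -Scope $scope -Source $highAlerts -Action $toLogicApp `
    -Description 'Run triage Logic App for High severity alerts' | Out-Null

# Verify what is actually deployed rather than trusting the calls succeeded.
Get-AzSecurityAutomation -ResourceGroupName $ResourceGroupName |
    Select-Object Name, IsEnabled,
        @{ n = 'Sources'; e = { $_.Sources.Count } },
        @{ n = 'Actions'; e = { $_.Actions.Count } }
```

Keeping the two concerns in separate automations matters: if the Logic App trigger and the workspace export shared one automation, the severity filter would also silence the export for Medium and Low alerts, and the workspace would no longer be a complete record for investigation.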

Azure Security Center monitoring: Not applicable

Responsibility: Customer

Penetration tests and red team exercises

For more information, see the Azure Security Benchmark: Penetration tests and red team exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Azure Rules of Engagement to ensure your penetration tests do not violate Azure policies. Microsoft conducts red teaming and live-site penetration testing against the Azure-managed cloud infrastructure, services, and applications.

Azure Security Center monitoring: Not applicable

Responsibility: Shared