
What are baseline policies?

Baseline policies are a set of predefined policies that help protect organizations against many common attacks. These common attacks can include password spray, replay, and phishing. Baseline policies are available in all editions of Azure AD. Microsoft is making these baseline protection policies available to everyone because identity-based attacks have been on the rise over the last few years. The goal of these four policies is to ensure that all organizations have a baseline level of security enabled at no extra cost.

Managing customized Conditional Access policies requires an Azure AD Premium license.

Important

Baseline policies are being deprecated. See What's new in Azure Active Directory? for more information.

Baseline policies

Figure: Conditional Access baseline policies in the Azure portal

There are four baseline policies:

  • Require MFA for admins (preview)
  • End user protection (preview)
  • Block legacy authentication (preview)
  • Require MFA for service management (preview)

All four of these policies will impact legacy authentication flows like POP, IMAP, and older Office desktop clients.

Exclusions

When baseline policies went into their initial public preview, there was an option to exclude users from the policies. This capability evolved through the preview and was removed in July of 2019. Organizations who had already created exclusions were able to keep them, while new users were unable to add exclusions to the policies.

Require MFA for admins (preview)

Due to the power and access that administrator accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification when they are used to sign in. In Azure Active Directory, you can get a stronger account verification by requiring administrators to register for and use Azure Multi-Factor Authentication.

Require MFA for admins (preview) is a baseline policy that requires multi-factor authentication (MFA) for the following directory roles, considered to be the most privileged Azure AD roles:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Security administrator
  • Helpdesk administrator / Password administrator
  • Billing administrator
  • User administrator

If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

End user protection (preview)

Highly privileged administrators aren't the only ones targeted in attacks. Bad actors tend to target normal users. After gaining access, these bad actors can request access to privileged information on behalf of the original account holder or download the entire directory and perform a phishing attack on your whole organization. One common method to improve the protection for all users is to require a stronger form of account verification when a risky sign-in is detected.

End user protection (preview) is a baseline policy that protects all users in a directory. Enabling this policy requires all users to register for Azure Multi-Factor Authentication within 14 days. Once registered, users will be prompted for MFA only during risky sign-in attempts. Compromised user accounts are blocked until password reset and risk dismissal.

Note

Any users previously flagged for risk are blocked until password reset and risk dismissal upon policy activation.

Block legacy authentication (preview)

Legacy authentication protocols (for example, IMAP, SMTP, POP3) are protocols normally used by older mail clients to authenticate. Legacy protocols do not support multi-factor authentication. Even if you have a policy requiring multi-factor authentication for your directory, a bad actor can authenticate using one of these legacy protocols and bypass multi-factor authentication.

The best way to protect your accounts from malicious authentication requests made by legacy protocols is to block them.

The Block legacy authentication (preview) baseline policy blocks authentication requests that are made using legacy protocols. Modern authentication must be used for all users to sign in successfully. Used in conjunction with the other baseline policies, requests coming from legacy protocols will be blocked. In addition, all users will be required to perform MFA whenever it is required. This policy does not block Exchange ActiveSync.

Require MFA for service management (preview)

Organizations use a variety of Azure services and manage them from Azure Resource Manager based tools like:

  • Azure portal
  • Azure PowerShell
  • Azure CLI

Using any of these tools to perform resource management is a highly privileged action. These tools can alter subscription-wide configurations, such as service settings and subscription billing.

To protect privileged actions, the Require MFA for service management (preview) policy requires multi-factor authentication for any user accessing the Azure portal, Azure PowerShell, or Azure CLI.
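As an added example (not from this page or from Microsoft), the following Python evaluator applies the four baseline policies described above to constructed sign-in records, showing how they compose: legacy protocols and compromised accounts are blocked, the listed admin roles, the service-management tools and risky sign-ins require MFA, and Exchange ActiveSync passes the legacy block. The record fields and sample sign-ins are assumptions, not the Azure AD sign-in log schema.

```python
from __future__ import annotations
from dataclasses import dataclass

# Directory roles covered by "Require MFA for admins (preview)", as listed on the page.
ADMIN_ROLES = {
    "Global administrator", "SharePoint administrator", "Exchange administrator",
    "Conditional Access administrator", "Security administrator",
    "Helpdesk administrator", "Password administrator", "Billing administrator",
    "User administrator",
}
# Legacy protocols named on the page; Exchange ActiveSync is explicitly not blocked.
LEGACY_PROTOCOLS = {"IMAP", "SMTP", "POP3"}
# Azure Resource Manager based tools covered by "Require MFA for service management".
SERVICE_MANAGEMENT_APPS = {"Azure portal", "Azure PowerShell", "Azure CLI"}

@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt; field names are assumptions, not the Azure AD log schema."""
    user: str
    protocol: str                   # "modern", "IMAP", "Exchange ActiveSync", ...
    app: str = ""                   # target application
    roles: frozenset = frozenset()  # directory roles held by the user
    risk: str = "none"              # "none", "risky" or "compromised"

def evaluate(s: SignIn) -> tuple[str, list[str]]:
    """Apply the four baseline policies to one sign-in and return (decision, reasons).
    A block from any policy wins over an MFA requirement, which wins over allow."""
    blocks, mfa = [], []
    if s.protocol in LEGACY_PROTOCOLS:
        blocks.append("Block legacy authentication")
    if s.risk == "compromised":
        blocks.append("End user protection: blocked until password reset")
    if blocks:
        return "block", blocks
    if s.roles & ADMIN_ROLES:
        mfa.append("Require MFA for admins")
    if s.app in SERVICE_MANAGEMENT_APPS:
        mfa.append("Require MFA for service management")
    if s.risk == "risky":
        mfa.append("End user protection: risky sign-in")
    return ("mfa" if mfa else "allow"), mfa

if __name__ == "__main__":
    # Constructed sample sign-ins (not real log data).
    sample = [SignIn("alice", "IMAP"), SignIn("bob", "Exchange ActiveSync"),
              SignIn("carol", "modern", roles=frozenset({"Global administrator"})),
              SignIn("dave", "modern", app="Azure CLI"), SignIn("erin", "modern", risk="risky")]
    for s in sample:
        print(s.user, *evaluate(s))
```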

Next steps

For more information, see: