
Azure security baseline for App Service

The Azure Security Baseline for App Service contains recommendations that will help you improve the security posture of your deployment. The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to App Service. Controls not applicable to App Service have been excluded.

To see how App Service completely maps to the Azure Security Benchmark, see the full App Service security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

1.1: Protect Azure resources within virtual networks

Guidance: When you use App Service in the Isolated pricing tier, also called an App Service Environment (ASE), you can deploy it directly into a subnet within your Azure virtual network. Use network security groups to secure the App Service Environment by blocking inbound and outbound traffic to resources in your virtual network, or to restrict access to apps in the App Service Environment.

By default, a network security group ends with a deny-all rule at the lowest precedence (the highest priority number), so any traffic you want must be admitted by an explicit allow rule. Add allow rules on a least-privilege basis. Note that the other default rules still allow inbound traffic from within the virtual network and from the Azure load balancer, and allow all outbound traffic; blocking those paths needs explicit deny rules, while the management traffic an App Service Environment depends on (identified by the AppServiceManagement service tag, see 1.8) must stay allowed. The underlying virtual machines that host the App Service Environment are not directly accessible because they are in a Microsoft-managed subscription.

Protect an App Service Environment by routing traffic through an Azure Application Gateway with Web Application Firewall (WAF) enabled. Use service endpoints together with the Application Gateway to secure inbound publishing traffic to your app.

In the multi-tenant App Service (an app not in the Isolated tier), use network security groups to block outbound traffic from your app. Enable your apps to reach resources in or through a virtual network with the Virtual Network Integration feature. This feature can also be used to block outbound traffic from the app to public addresses. Virtual Network Integration cannot be used to provide inbound access to an app.

Secure inbound traffic to your app with:

  • Access Restrictions - an ordered series of allow or deny rules that control inbound access
  • Service Endpoints - deny inbound traffic from outside the specified virtual networks or subnets
  • Private Endpoints - expose your app to your virtual network on a private IP address. With a Private Endpoint enabled on the app, it is no longer reachable from the internet

When you use the Virtual Network Integration feature with virtual networks in the same region, use network security groups and route tables with user-defined routes. User-defined routes can be placed on the integration subnet to send outbound traffic where you intend.

Consider implementing Azure Firewall to centrally create, enforce, and log application and network connectivity policies across your subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic that originates from your virtual network.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0
Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | AuditIfNotExists, Disabled | 1.0.0

Azure Policy built-in definitions - Microsoft.Web:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0

1.2: Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces

Guidance: Implement the network protection recommendations from Azure Security Center to secure the network resources and configurations related to your App Service apps and APIs.

Use Azure Firewall to route traffic and to centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic that originates from your virtual network. The Azure Firewall service is also fully integrated with Azure Monitor for logging and analytics.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. | AuditIfNotExists, Disabled | 2.0.0

1.3: Protect critical web applications

Guidance: Secure an internet accessible app in an App Service Environment (ASE) by:

  • Deploying a Web Application Firewall (WAF) with Azure Application Gateway in front of the internet-facing app
  • Using Access Restrictions so that inbound traffic reaches the app only through the Application Gateway
  • Securing the app with Azure Active Directory (Azure AD) to ensure authentication
  • Setting the minimum TLS version to 1.2
  • Setting the app to HTTPS only

Drive all outbound application traffic through an Azure Firewall device and monitor the logs.

To secure an internet accessible app in the multi-tenant App Service (that is, not in the Isolated tier):

  • Deploy a Web Application Firewall (WAF)-enabled device in front of the app
  • Use Access Restrictions or service endpoints so that the app accepts inbound traffic only from the Web Application Firewall (WAF) device
  • Secure the app with Azure AD to ensure authentication
  • Set the minimum TLS version to 1.2
  • Set the app to HTTPS only
  • Use Virtual Network Integration and the app setting WEBSITE_VNET_ROUTE_ALL (set to 1) so that all outbound traffic is subject to the network security groups and user-defined routes on the integration subnet

As with an App Service Environment app, drive all outbound application traffic through an Azure Firewall device and monitor the logs.
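The multi-tenant hardening list above can be checked mechanically before and after the change. The following is an added example, not code from the Azure documentation or from any Microsoft tool: it audits one app's configuration for the settings listed (HTTPS only, minimum TLS 1.2, remote debugging, CORS, route-all, and whether the access-restriction lists of the main and SCM sites still admit every source). It assumes, for this example only, that the input is a dictionary in the shape of `az webapp show` output with its `siteConfig` taken from `az webapp config show` and the app settings flattened into an `appSettings` map; the two sample sites are constructed, not captured from a real subscription.

```python
"""Audit an App Service app against the hardening list above (added example,
not Azure documentation code). Assumed input shape: the site object from
`az webapp show`, its `siteConfig` from `az webapp config show`, and the app
settings flattened into an `appSettings` dict."""
import ipaddress

# The platform shows this single entry when no customer rule exists.
_DEFAULT_ALLOW_ALL = [{"name": "Allow all", "ipAddress": "Any", "action": "Allow", "priority": 2147483647}]

# Constructed sample: a freshly created app, still at its defaults.
WEAK_SITE = {
    "name": "contoso-api-before",
    "httpsOnly": False,
    "appSettings": {},
    "siteConfig": {
        "minTlsVersion": "1.0",
        "remoteDebuggingEnabled": True,
        "cors": {"allowedOrigins": ["*"]},
        "vnetRouteAllEnabled": False,
        "ipSecurityRestrictions": _DEFAULT_ALLOW_ALL,
        "scmIpSecurityRestrictionsUseMain": False,
        "scmIpSecurityRestrictions": _DEFAULT_ALLOW_ALL,
    },
}

# Constructed sample: the same app after the steps above. Only the
# Application Gateway VIP may reach it, and the SCM site reuses those rules.
HARDENED_SITE = {
    "name": "contoso-api-after",
    "httpsOnly": True,
    "appSettings": {"WEBSITE_VNET_ROUTE_ALL": "1"},
    "siteConfig": {
        "minTlsVersion": "1.2",
        "remoteDebuggingEnabled": False,
        "cors": {"allowedOrigins": ["https://www.contoso.com"]},
        "vnetRouteAllEnabled": True,
        "ipSecurityRestrictions": [
            {"name": "AllowAppGatewayVip", "ipAddress": "203.0.113.10/32", "action": "Allow", "priority": 100},
            {"name": "Deny all", "ipAddress": "Any", "action": "Deny", "priority": 2147483647},
        ],
        "scmIpSecurityRestrictionsUseMain": True,
        "scmIpSecurityRestrictions": [],
    },
}


def _admits_any_source(rules):
    """True if an Allow rule covers every address: the default "Any" entry or
    an explicit 0.0.0.0/0 or ::/0. Subnet and service-tag rules carry no
    address literal and are skipped."""
    for rule in rules or []:
        if str(rule.get("action", "Allow")).lower() != "allow":
            continue
        addr = rule.get("ipAddress") or ""
        if addr == "Any":
            return True
        try:
            if ipaddress.ip_network(addr, strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue
    return False


def _tls_tuple(version):
    """'1.2' -> (1, 2), so versions compare numerically."""
    return tuple(int(part) for part in str(version).split("."))


def audit_site(site):
    """Return the findings for one app; an empty list means every check passed."""
    cfg = site.get("siteConfig", {})
    settings = site.get("appSettings", {})
    findings = []
    if not site.get("httpsOnly"):
        findings.append("httpsOnly is false: plain HTTP is served instead of redirected")
    if _tls_tuple(cfg.get("minTlsVersion", "1.0")) < (1, 2):
        findings.append("minTlsVersion below 1.2: TLS 1.0/1.1 clients are accepted")
    if cfg.get("remoteDebuggingEnabled"):
        findings.append("remote debugging is enabled, which opens debugger ports on the app")
    if "*" in ((cfg.get("cors") or {}).get("allowedOrigins") or []):
        findings.append("CORS allows every origin ('*')")
    # Either the site-config property or the app setting forces all outbound
    # traffic through the integration subnet's NSG and routes.
    route_all = cfg.get("vnetRouteAllEnabled") or settings.get("WEBSITE_VNET_ROUTE_ALL") == "1"
    if not route_all:
        findings.append("route-all is off: outbound traffic to public addresses bypasses the VNet")
    if _admits_any_source(cfg.get("ipSecurityRestrictions")):
        findings.append("main site access restrictions admit any source address")
    scm_rules = (cfg.get("ipSecurityRestrictions") if cfg.get("scmIpSecurityRestrictionsUseMain")
                 else cfg.get("scmIpSecurityRestrictions"))
    if _admits_any_source(scm_rules):
        findings.append("SCM (Kudu) site access restrictions admit any source address")
    return findings


if __name__ == "__main__":
    for site in (WEAK_SITE, HARDENED_SITE):
        print(site["name"], audit_site(site) or "no findings")
```

The SCM check matters because the deployment (Kudu) site keeps its own rule list; locking down the main site while leaving `scmIpSecurityRestrictionsUseMain` false and the SCM list empty leaves the deployment endpoint open to the internet.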

Additionally, review and follow the recommendations in the Locking down an App Service Environment document.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0
CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0
CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0
Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0
Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0
Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0
Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0

1.4: Deny communications with known-malicious IP addresses

Guidance: Secure the App Service Environment as described in the Locking down an App Service Environment documentation. Apply the Integrated Threat Intelligence functionality in Azure Security Center to deny communications with known-malicious or unused public IP addresses. Use Access Restrictions so that inbound traffic reaches the app only through the Application Gateway.

For an app in the multi-tenant App Service (not in the Isolated tier) that has a public internet-facing endpoint, use Access Restrictions to configure network access control lists (IP restrictions) that allow traffic only from specific addresses or from a specific subnet within your virtual network and block everything else.

Define the priority of each entry in the ordered allow or deny list to manage network access to your app. The list can contain IP addresses or virtual network subnets. An implicit "deny all" rule exists at the end of the list once it contains one or more entries. This capability works with all App Service hosted workloads, including Web Apps, API Apps, Linux apps, Linux container apps, and Functions. The rules apply to the main site; the SCM (Kudu) deployment site has its own rule list, so restrict it as well, or configure it to use the same rules as the main site, otherwise the deployment endpoints remain reachable from anywhere.

Use service endpoints to restrict access to your web app from an Azure virtual network. Limit access to a multi-tenant App Service app (not in the Isolated tier) to selected subnets with service endpoints.
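To make the ordering rule above concrete, here is an added example (not Azure documentation code and not a Microsoft tool) that evaluates an access-restriction list the way the text describes: entries are tried in ascending priority number, the first match decides, and an implicit deny applies once any entry exists. The rule dictionaries use the `ipSecurityRestrictions` field names (`name`, `priority`, `action`, `ipAddress`, `vnetSubnetResourceId`, `tag`); the rules, subnet ID and request sources are constructed for this example, and service-tag rules are treated as non-matching because their address ranges are resolved by the platform, not by this script.

```python
"""Evaluate an App Service access-restriction list as the text above
describes it: ascending priority number, first match wins, implicit "deny
all" once any rule exists. Added example; rules and sources are constructed."""
import ipaddress

APPGW_SUBNET_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
    "/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-appgw"
)

# Constructed rule list: gateway subnet in, one office range in, one host
# inside that range blocked. Priorities are deliberately out of list order.
RULES = [
    {"name": "AllowOfficeRange", "priority": 200, "action": "Allow", "ipAddress": "198.51.100.0/24"},
    {"name": "AllowAppGatewaySubnet", "priority": 100, "action": "Allow",
     "vnetSubnetResourceId": APPGW_SUBNET_ID},
    {"name": "BlockCompromisedHost", "priority": 150, "action": "Deny", "ipAddress": "198.51.100.7/32"},
]

# The mistake to catch in review: a broad Allow appended "temporarily".
OPEN_RULE = {"name": "AllowEverything", "priority": 300, "action": "Allow", "ipAddress": "0.0.0.0/0"}


def _matches(rule, source_ip, source_subnet_id=None):
    """Does this rule apply to the request source?

    Service-endpoint rules match on the subnet the request arrived through;
    IP rules match on CIDR. Service-tag rules are resolved by the platform
    from Microsoft's published ranges, so this offline evaluator treats them
    as non-matching rather than guessing a tag's addresses.
    """
    subnet_id = rule.get("vnetSubnetResourceId")
    if subnet_id:
        return bool(source_subnet_id) and subnet_id.lower() == source_subnet_id.lower()
    if rule.get("tag") == "ServiceTag":
        return False
    addr = rule.get("ipAddress") or "Any"
    if addr == "Any":
        return True
    # An IPv4 address is never inside an IPv6 network (and vice versa).
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(addr, strict=False)


def evaluate(rules, source_ip, source_subnet_id=None):
    """Return (action, rule name) for the rule that decides this request."""
    if not rules:
        # No customer rules: the platform's default "Allow all" applies.
        return ("Allow", "default allow all")
    for rule in sorted(rules, key=lambda r: r.get("priority", 2147483647)):
        if _matches(rule, source_ip, source_subnet_id):
            return (rule.get("action", "Allow"), rule["name"])
    return ("Deny", "implicit deny all")


if __name__ == "__main__":
    for ip, subnet in [("198.51.100.7", None), ("198.51.100.20", None),
                       ("203.0.113.9", None), ("10.0.1.4", APPGW_SUBNET_ID)]:
        print(ip, evaluate(RULES, ip, subnet), "| with open rule:",
              evaluate(RULES + [OPEN_RULE], ip, subnet))
```

Feed it the `ipSecurityRestrictions` and `scmIpSecurityRestrictions` arrays from `az webapp config access-restriction show` to see which entry would decide a given source. When the app sits behind an Application Gateway, the source the platform sees is the gateway's VIP or subnet, so the allow entry names the gateway rather than the end users' addresses.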

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview
Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.0

1.5: Record network packets

Guidance: Monitor the requests and responses sent to and from App Service apps with Security Center. App Service does not expose its underlying hosts, so packet-level capture of app traffic is not available; the practical substitute is to monitor attacks against a web application with an Application Gateway that has Web Application Firewall enabled and its real-time logs, integrated with Azure Monitor to track Web Application Firewall alerts and monitor trends.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Network:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. | AuditIfNotExists, Disabled | 2.0.0

1.7: Manage traffic to web applications

Guidance: Manage traffic for an app in an App Service Environment:

  • Secure the App Service Environment as described in Locking down an App Service Environment
  • Deploy an Application Gateway that has Azure Web Application Firewall enabled in front of your internet-facing apps
  • Set the app to be accessible only over HTTPS

Manage traffic for an internet accessible app in the multi-tenant App Service (not in the Isolated tier):

  • Deploy an Application Gateway that has Azure Web Application Firewall enabled in front of your internet-facing apps

  • Use Access Restrictions or service endpoints so that the app accepts inbound traffic only from the Web Application Firewall. The Access Restrictions capability works with all App Service hosted workloads, including Web Apps, API Apps, Linux apps, Linux container apps, and Functions.

  • Set the app to be accessible only over HTTPS

  • Limit access to your App Service app with static IP restrictions so that the application gateway's VIP is the only address with access and the app receives traffic only from it.

Review the referenced links for additional information.

Responsibility: Customer

Azure Security Center monitoring: None

1.8: Minimize complexity and administrative overhead of network security rules

Guidance: App Service has a number of endpoints that are used to manage the service. These endpoint addresses are also included in the AppServiceManagement IP service tag. The AppServiceManagement tag is only used with an App Service Environment, to allow that management traffic.

You can allow or deny the traffic for the corresponding service by specifying the service tag name in the appropriate source or destination field of a rule. App Service inbound addresses are tracked in the AppService IP service tag. There is no IP service tag that contains the outbound addresses used by App Service, so rules for an app's outbound traffic have to be written against the addresses the app actually uses (for a multi-tenant app, the integration subnet or a firewall in front of it gives you a stable source to reference).

Microsoft manages the address prefixes encompassed by a service tag and automatically updates the service tag as addresses change.

Responsibility: Customer

Azure Security Center monitoring: None

1.9: Maintain standard security configurations for network devices

Guidance: Define and implement standard security configurations for the network settings related to your App Service apps.

Maintain security configurations using Azure Policy aliases in the "Microsoft.Web" and "Microsoft.Network" namespaces. Create custom policies to audit or enforce the network configuration of your App Service apps.

Use the built-in policy definitions for App Service, such as:

  • The app should use a virtual network service endpoint
  • The app should only be accessible over HTTPS
  • Set the minimum TLS version to the current version

Review the referenced links for additional information.

Responsibility: Customer

Azure Security Center monitoring: None

1.10: Document traffic configuration rules

Guidance: Use tags for network security groups and other related resources, including those that carry traffic to and from App Service.

Record the business need, duration, and so on in the "Description" field of every rule that allows traffic to or from a network, for individual network security group rules.

Apply any of the built-in Azure Policy definitions related to tagging effects, such as "Require tag and its value", to ensure that all resources are created with tags and to notify you of any existing untagged resources. Use Azure PowerShell or Azure CLI to look up or perform actions on resources based on their tags.

Responsibility: Customer

Azure Security Center monitoring: None

1.11: Use automated tools to monitor network resource configurations and detect changes

Guidance: Use the Azure Activity log to monitor network resource configurations and to detect changes to network settings and to any resources related to App Service.

Apply one of the several Azure Policy built-in definitions for App Service, such as the policy that audits apps for use of a virtual network service endpoint. Create alerts within Azure Monitor that trigger when changes to critical network settings or resources take place.

Review detailed security alerts and recommendations in Security Center, in the portal or through programmatic tools. Export this information or send it to other monitoring tools in your environment. Tools are available to export alerts and recommendations either manually or in an ongoing and continuous fashion. With these tools, you can:

  • Continuously export to a Log Analytics workspace
  • Continuously export to Azure Event Hubs (for integration with third-party SIEMs)
  • Export to a CSV file (one time)

It is recommended that you create a process with automated tools to monitor network resource configurations and quickly detect changes.

Responsibility: Customer

Azure Security Center monitoring: None

Logging and Monitoring

For more information, see the Azure Security Benchmark: Logging and Monitoring.

2.2: Configure central security log management

Guidance: Integrate your App Service Environment (ASE) with Azure Monitor to send logs to Azure Storage, Azure Event Hubs, or Log Analytics. Enable Azure Activity log diagnostic settings for control plane audit logging. Security alerts from Security Center are published to the Azure Activity log. Audit Azure Activity log data, which lets you determine the "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level for Azure App Service and other Azure resources. Save your queries for future use, pin query results to Azure dashboards, and create log alerts. Also, use the Data Access REST API in Application Insights to access your telemetry programmatically.

Use Azure Sentinel, a scalable, cloud-native security information event management (SIEM) solution that connects to various data sources and connectors, based on your business requirements. You can also enable and on-board data to a third-party SIEM system, such as Barracuda in Azure Marketplace.

Responsibility: Customer

Azure Security Center monitoring: None

2.3: Enable audit logging for Azure resources

Guidance: Enable Azure Activity log diagnostic settings for control plane audit logging of App Service. Send the logs to a Log Analytics workspace, Azure Event Hubs, or an Azure Storage account.

The "what, who, and when" for any write operations (PUT, POST, DELETE) performed at the control plane level can be determined from Azure Activity log data for App Service and other Azure resources.
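The following is an added example, not code from the Azure documentation, that pulls that "what, who, and when" out of Activity log events for App Service. It assumes the events carry the field names seen in `az monitor activity-log list` output (`eventTimestamp`, `caller`, `operationName.value`, `status.value`, `resourceId`), an assumption for this example, and the events themselves are constructed. It also singles out the POST-style operations that hand back secrets (`Microsoft.Web/sites/config/list/action` for app settings and connection strings, `Microsoft.Web/sites/publishxml/action` for deployment credentials), since a successful "read" of those is a credential exposure rather than a configuration change.

```python
"""Extract the what, who and when of control-plane writes to App Service from
Azure Activity log events, as described above. Added example; the field names
follow `az monitor activity-log list` output and the events are constructed."""

# Operation suffixes that correspond to PUT/POST/DELETE on the control plane.
WRITE_SUFFIXES = ("/write", "/delete", "/action")

# POST operations that return secrets rather than change state.
SECRET_READS = {
    "microsoft.web/sites/config/list/action",   # app settings, connection strings
    "microsoft.web/sites/publishxml/action",    # deployment credentials
}

_APP = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
        "/providers/Microsoft.Web/sites/contoso-api")
_NSG_RULE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
             "/providers/Microsoft.Network/networkSecurityGroups/nsg-integration"
             "/securityRules/allow-all")

# Constructed events: a config write (Started, then Succeeded), a plain read,
# a service principal fetching the publishing profile, a failed delete, and
# an NSG rule write in another resource provider.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2020-11-02T08:15:30.004Z", "caller": "alice@contoso.com",
     "operationName": {"value": "Microsoft.Web/sites/config/write"},
     "status": {"value": "Started"}, "resourceId": _APP + "/config/web"},
    {"eventTimestamp": "2020-11-02T08:15:31.120Z", "caller": "alice@contoso.com",
     "operationName": {"value": "Microsoft.Web/sites/config/write"},
     "status": {"value": "Succeeded"}, "resourceId": _APP + "/config/web"},
    {"eventTimestamp": "2020-11-02T09:02:11.550Z", "caller": "bob@contoso.com",
     "operationName": {"value": "Microsoft.Web/sites/read"},
     "status": {"value": "Succeeded"}, "resourceId": _APP},
    {"eventTimestamp": "2020-11-02T09:40:02.000Z", "caller": "11111111-1111-1111-1111-111111111111",
     "operationName": {"value": "Microsoft.Web/sites/publishxml/action"},
     "status": {"value": "Succeeded"}, "resourceId": _APP},
    {"eventTimestamp": "2020-11-02T10:05:45.310Z", "caller": "bob@contoso.com",
     "operationName": {"value": "Microsoft.Web/sites/delete"},
     "status": {"value": "Failed"}, "resourceId": _APP},
    {"eventTimestamp": "2020-11-02T10:06:12.770Z", "caller": "bob@contoso.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Succeeded"}, "resourceId": _NSG_RULE},
]


def control_plane_writes(events, provider="Microsoft.Web", include_failed=False):
    """Return the audit trail as (when, who, what, target, status) tuples,
    oldest first. A write typically produces a Started event and a terminal
    Succeeded or Failed event; only the terminal one is kept, and Failed only
    on request, because failed writes can show an actor probing permissions."""
    trail = []
    for ev in events:
        op = ev["operationName"]["value"]
        status = ev["status"]["value"]
        if not op.lower().startswith(provider.lower() + "/"):
            continue
        if not op.lower().endswith(WRITE_SUFFIXES):
            continue
        if status == "Succeeded" or (include_failed and status == "Failed"):
            trail.append((ev["eventTimestamp"], ev["caller"], op, ev["resourceId"], status))
    # ISO-8601 UTC timestamps of the same shape sort correctly as text.
    return sorted(trail)


def secret_reads(events):
    """(when, who, what) for callers that pulled secrets via a POST operation."""
    return [(ev["eventTimestamp"], ev["caller"], ev["operationName"]["value"])
            for ev in events
            if ev["operationName"]["value"].lower() in SECRET_READS
            and ev["status"]["value"] == "Succeeded"]


if __name__ == "__main__":
    for row in control_plane_writes(SAMPLE_EVENTS, include_failed=True):
        print(*row)
    print("secret reads:", secret_reads(SAMPLE_EVENTS))
```

Run the same filter with `provider="Microsoft.Network"` to see the NSG and route-table changes that affect an integrated app, which is the change set control 1.11 asks you to watch.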

Additionally, Azure Key Vault provides centralized secret management with access policies and audit history.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Diagnostic logs in App Services should be enabled | Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.0

2.5: Configure security log storage retention

Guidance: In Azure Monitor, set the log retention period for the Log Analytics workspaces associated with your App Service resources according to your organization's compliance regulations.

Responsibility: Customer

Azure Security Center monitoring: None

2.6: Monitor and review logs

Guidance: Review the Azure Activity log diagnostic settings of your App Service resources, with the logs being sent to a Log Analytics workspace. Perform queries in Log Analytics to search terms, identify trends, analyze patterns, and gain many other insights from the collected data.

Use Application Insights for your App Service apps to collect log, performance, and error data. View the telemetry data collected by Application Insights in the Azure portal.

If you have deployed a Web Application Firewall (WAF), you can monitor attacks against your App Service apps by using the real-time Web Application Firewall log. The log is integrated with Azure Monitor to track Web Application Firewall alerts and monitor trends.

Use Azure Sentinel, a scalable, cloud-native security information event management (SIEM) solution, to integrate with various data sources and connectors as your requirements dictate. Optionally, enable and on-board data to a third-party security information event management solution from the Azure Marketplace.

Responsibility: Customer

Azure Security Center monitoring: None

2.7: Enable alerts for anomalous activities

Guidance: Configure Security Center in your Azure subscription and review the generated alerts. Use Azure Monitor to send your Activity log data to an Event Hub, where it can be read by a security information event management (SIEM) solution such as Azure Sentinel.

Monitor attacks against your App Service apps by using the real-time Web Application Firewall log of a deployed Azure Web Application Firewall (WAF). The log is integrated with Azure Monitor to track Web Application Firewall (WAF) alerts and monitor trends.

Responsibility: Customer

Azure Security Center monitoring: None

Identity and Access Control

For more information, see the Azure Security Benchmark: Identity and Access Control.

3.1: Maintain an inventory of administrative accounts

Guidance: Azure Active Directory (Azure AD) has built-in roles that must be explicitly assigned and that can be queried. Use the Azure AD PowerShell module to perform ad hoc queries to discover accounts that are members of administrative groups.

Responsibility: Customer

Azure Security Center monitoring: None

3.2: Change default passwords where applicable

Guidance: Azure Active Directory (Azure AD) does not have the concept of default passwords. It provides control plane access to App Service.

Generally, avoid implementing default passwords for user access when building your own apps. Use one of the identity providers available by default for App Service, such as Azure AD, Microsoft Account, Facebook, Google, or Twitter.

Disable anonymous access unless you need to support it.

Responsibility: Customer

Azure Security Center monitoring: None

3.3: Use dedicated administrative accounts

Guidance: Create standard operating procedures around the use of dedicated administrative accounts. Use the Identity and Access Management features in Security Center to monitor and track the number of administrative accounts.

Use recommendations from Security Center or built-in Azure policies, such as:

  • There should be more than one owner assigned to your subscription
  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription

Create a process to monitor network resource configurations and detect changes to administrative accounts.

Responsibility: Customer

Azure Security Center monitoring: None

3.4: Use Azure Active Directory single sign-on (SSO)

Guidance: Authenticate to App Service through Azure Active Directory (Azure AD). It provides an OAuth 2.0 service for your identity provider and enables authorized access to mobile and web applications.

App Service apps use federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. These identity providers are available by default:

  • Azure AD
  • Microsoft Account
  • Facebook
  • Google
  • Twitter

When you enable authentication and authorization with one of these providers, its sign-in endpoint is available for user authentication and for validation of authentication tokens from the provider.

Responsibility: Customer

Azure Security Center monitoring: None

3.5: Use multi-factor authentication for all Azure Active Directory-based access

Guidance: Enable the multifactor authentication feature in Azure Active Directory (Azure AD) and follow the Identity and Access Management recommendations in Security Center.

Implement multifactor authentication for Azure AD. Administrators need to ensure that the subscription accounts in the portal are protected. The subscription is vulnerable to attacks because it manages the resources that you created.

Responsibility: Customer

Azure Security Center monitoring: None

3.6: Use secure, Azure-managed workstations for administrative tasks

Guidance: Use Privileged Access Workstations (PAW) with multifactor authentication configured to log in to and configure Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

3.7: Log and alert on suspicious activities from administrative accounts

Guidance: Use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD) to generate logs and alerts when suspicious or unsafe activities occur in the environment.

In addition, use Azure AD risk detections to view alerts and reports on risky user behavior.

Threat protection in Security Center provides comprehensive defenses for your environment, including threat protection for Azure compute resources such as Windows machines, Linux machines, App Service, and Azure containers.

Responsibility: Customer

Azure Security Center monitoring: None

3.8: Manage Azure resources from only approved locations

Guidance: Use Conditional Access Named Locations to allow access to the Azure portal only from specific logical groupings of IP address ranges, countries, or regions.

Responsibility: Customer

Azure Security Center monitoring: None

3.9: Use Azure Active Directory

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for your App Service apps. Azure AD protects data by using strong encryption for data at rest and in transit, and it salts, hashes, and securely stores user credentials.

Responsibility: Customer

Azure Security Center monitoring: None

3.10: Regularly review and reconcile user access

Guidance: Discover stale accounts with the logs provided by Azure Active Directory (Azure AD). Use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. Review user access periodically to make sure that only the intended users have continued access.

Responsibility: Customer

Azure Security Center monitoring: None

3.11: Monitor attempts to access deactivated credentials

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for your App Service apps. Azure AD protects data by using strong encryption for data at rest and in transit, and it salts, hashes, and securely stores user credentials.

Access to the Azure AD sign-in activity, audit, and risk event log sources allows you to integrate with Azure Sentinel or a third-party security information event management (SIEM) solution. Streamline the process by creating diagnostic settings for Azure AD user accounts and sending the audit and sign-in logs to a Log Analytics workspace. Configure the desired log alerts within Log Analytics.

Responsibility: Customer

Azure Security Center monitoring: None

3.12: Alert on account sign-in behavior deviation

Guidance: Use Azure Active Directory (Azure AD) as the central authentication and authorization system for your App Service apps.

Use Azure AD Identity Protection to configure automated responses to detected suspicious actions related to user identities, such as deviations in account sign-in behavior on the control plane through the Azure portal. You can also ingest the data into Azure Sentinel for further investigation.

Responsibility: Customer

Azure Security Center monitoring: None

3.13: Provide Microsoft with access to relevant customer data during support scenarios

Guidance: Not available; Customer Lockbox is not supported for Azure App Service.

Responsibility: Customer

Azure Security Center monitoring: None

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

4.1: Maintain an inventory of sensitive Information

Guidance: Use tags to assist in tracking App Service resources that store or process sensitive information.

Responsibility: Customer

Azure Security Center monitoring: None

4.2: Isolate systems storing or processing sensitive information

Guidance: For an App Service Environment, implement separate subscriptions, management groups, or both for development, test, and production environments. Isolate apps that process sensitive information from other apps in the same manner. Deploy your App Service app into a Virtual Network. Use network security groups and subnets for further application isolation.

There are two deployment types for an App Service Environment (ASE). Both let you isolate traffic based on your business requirements.

  • External App Service Environment: exposes the apps hosted in the App Service Environment on an internet-accessible IP address.
  • Internal load balancer (ILB) App Service Environment: exposes the apps hosted in the App Service Environment on an IP address inside your Virtual Network. The internal endpoint is an internal load balancer (ILB), which is why it is called an ILB ASE.

For the multi-tenant App Service (an app not in the Isolated tier), use Virtual Network Integration to give your app access to resources in your Virtual Network. Use private site access to make an app accessible only from a private network, such as one within an Azure Virtual Network. Virtual Network Integration is used only to make outbound calls from your app into your Virtual Network. The Virtual Network Integration feature behaves differently when it is used with a virtual network in the same region and with virtual networks in other regions.

Responsibility: Customer

Azure Security Center monitoring: None

4.3: Monitor and block unauthorized transfer of sensitive information

Guidance: While data identification, classification, and loss prevention features are not yet available for App Service, you can reduce the risk of data exfiltration from the virtual network by removing all rules where the destination uses a 'tag' for Internet or Azure services.

Microsoft manages the underlying infrastructure for App Service and has implemented strict controls to prevent the loss or exposure of your data.

Responsibility: Shared

Azure Security Center monitoring: None

4.4: Encrypt all sensitive information in transit

Guidance: Use the default minimum version of TLS 1.2, configured in the TLS/SSL settings, to encrypt all information in transit. Also ensure that all HTTP connection requests are redirected to HTTPS.

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security | AuditIfNotExists, Disabled | 2.0.0 |
| FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security | AuditIfNotExists, Disabled | 2.0.0 |
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
| Latest TLS version should be used in your API App | Upgrade to the latest TLS version | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | AuditIfNotExists, Disabled | 1.0.0 |
| Latest TLS version should be used in your Web App | Upgrade to the latest TLS version | AuditIfNotExists, Disabled | 1.0.0 |
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled | 1.0.0 |
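As an added example (not part of this baseline or of any Microsoft tooling), the following Python script audits exported App Service settings against the three built-in policies in the table above: HTTPS only, FTPS only, and latest TLS. The input shape follows the `name`, `kind` and `httpsOnly` fields returned by `az webapp show` together with the `minTlsVersion` and `ftpsState` fields returned by `az webapp config show`; the sample values, the resource group name and the `az webapp` remediation commands it emits are assumptions made for this example.

```python
"""Audit App Service transport settings against the control 4.4 built-in policies.

Input: a JSON array of sites, each with the fields returned by `az webapp show`
(name, kind, httpsOnly) plus the `az webapp config show` fields (minTlsVersion,
ftpsState) nested under "siteConfig". The sample below is constructed.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample input; every value below is invented for this example.
SAMPLE_SITES_JSON = """[
  {"name": "contoso-web", "kind": "app", "httpsOnly": true,
   "siteConfig": {"minTlsVersion": "1.2", "ftpsState": "FtpsOnly"}},
  {"name": "contoso-api", "kind": "app,api", "httpsOnly": false,
   "siteConfig": {"minTlsVersion": "1.0", "ftpsState": "AllAllowed"}},
  {"name": "contoso-func", "kind": "functionapp", "httpsOnly": true,
   "siteConfig": {"minTlsVersion": "1.1", "ftpsState": "Disabled"}}
]"""

LATEST_TLS = (1, 2)  # the minimum the "Latest TLS version" policies expect

# ftpsState values App Service accepts are AllAllowed, FtpsOnly and Disabled;
# only the latter two satisfy "FTPS only" (plain FTP is off in both cases).
FTPS_COMPLIANT = ("FtpsOnly", "Disabled")


def parse_tls(version: str) -> Tuple[int, int]:
    """'1.2' -> (1, 2); unparseable strings sort below every real version."""
    try:
        major, minor = version.split(".")
        return int(major), int(minor)
    except ValueError:
        return (0, 0)


def app_type(kind: str) -> str:
    """Map the site 'kind' string onto the app type named in the policy titles."""
    k = (kind or "").lower()
    if "functionapp" in k:
        return "Function App"
    if "api" in k:
        return "API App"
    return "Web App"


def audit_site(site: dict) -> List[str]:
    """Return the titles of the built-in policies (see table) that the site fails."""
    cfg = site.get("siteConfig", {})
    kind = app_type(site.get("kind", "app"))
    failed = []
    if not site.get("httpsOnly", False):
        subject = "Web Application" if kind == "Web App" else kind
        failed.append(f"{subject} should only be accessible over HTTPS")
    if cfg.get("ftpsState", "AllAllowed") not in FTPS_COMPLIANT:
        failed.append(f"FTPS only should be required in your {kind}")
    if parse_tls(cfg.get("minTlsVersion", "1.0")) < LATEST_TLS:
        failed.append(f"Latest TLS version should be used in your {kind}")
    return failed


def audit(sites_json: str) -> Dict[str, List[str]]:
    """Audit every site in an exported JSON array; compliant sites map to []."""
    return {site["name"]: audit_site(site) for site in json.loads(sites_json)}


def remediation(site_name: str, resource_group: str, findings: List[str]) -> List[str]:
    """Azure CLI commands that bring a web app into compliance.

    Assumption for this example: function apps would use the equivalent
    `az functionapp` commands, which are not emitted here.
    """
    target = f"--name {site_name} --resource-group {resource_group}"
    cmds = []
    if any("HTTPS" in f for f in findings):
        cmds.append(f"az webapp update {target} --https-only true")
    if any("FTPS" in f for f in findings):
        cmds.append(f"az webapp config set {target} --ftps-state FtpsOnly")
    if any("TLS" in f for f in findings):
        cmds.append(f"az webapp config set {target} --min-tls-version 1.2")
    return cmds


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SITES_JSON).items():
        print(f"{name}: {'compliant' if not findings else '; '.join(findings)}")
        for cmd in remediation(name, "rg-constructed", findings):
            print(f"  fix: {cmd}")
```

To run it against a real subscription, replace `SAMPLE_SITES_JSON` with the merged output of the two `az` commands named in the lead-in.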

4.5: Use an active discovery tool to identify sensitive data

Guidance: Currently not available. Data identification, classification, and loss prevention features are not yet available for App Service.

Tag App Service apps that may be processing sensitive information. Implement a third-party solution if necessary for compliance purposes.

Microsoft manages the underlying platform, treats all customer data as sensitive, and goes to great lengths to guard against customer data loss and exposure. To ensure that customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.

Responsibility: Shared

Azure Security Center monitoring: None

4.6: Use Azure RBAC to control access to resources

Guidance: Use Azure role-based access control (Azure RBAC) in Azure Active Directory (Azure AD) to control access to the App Service control plane in the Azure portal.

Responsibility: Customer

Azure Security Center monitoring: None

4.8: Encrypt sensitive information at rest

Guidance: Web site content in an App Service app, such as files, is stored in Azure Storage, which automatically encrypts the content at rest. Choose to store application secrets in Key Vault and retrieve them at runtime.

Customer-supplied secrets are encrypted at rest while stored in App Service configuration databases.

Note that while locally attached disks can optionally be used by websites as temporary storage (for example, D:\local and %TMP%), they are not encrypted at rest.

Responsibility: Customer

Azure Security Center monitoring: None

4.9: Log and alert on changes to critical Azure resources

Guidance: Use Azure Monitor with the Azure Activity log to create alerts upon any changes to production App Service apps and other critical or related resources.

Responsibility: Customer

Azure Security Center monitoring: None

Vulnerability Management

For more information, see the Azure Security Benchmark: Vulnerability Management.

5.1: Run automated vulnerability scanning tools

Guidance: Adopt a DevSecOps practice to ensure that your App Service apps are secure and remain secure throughout their lifecycle. DevSecOps incorporates your organization's security team and their capabilities into your DevOps practices, making security the responsibility of everyone on the team.

Review and follow recommendations from Security Center for securing your App Service apps.

Responsibility: Customer

Azure Security Center monitoring: None

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Guidance: Microsoft performs vulnerability management on the underlying systems that support App Service. However, you can use the severity of the recommendations within Security Center, as well as the Secure Score, to measure risk within your environment. Your Secure Score is based on how many Security Center recommendations you have mitigated. To prioritize the recommendations to resolve first, consider the severity of each.

Responsibility: Shared

Azure Security Center monitoring: None

Inventory and Asset Management

For more information, see the Azure Security Benchmark: Inventory and Asset Management.

6.1: Use automated asset discovery solution

Guidance: Use Azure Resource Graph to query or discover all resources (such as compute, storage, network, ports, protocols, and so on) within your subscriptions. Ensure that appropriate permissions are applied to your tenant and that you can enumerate all Azure subscriptions as well as the resources within them.

Although classic Azure resources may be discovered via Resource Graph, it is highly recommended to create and use Azure Resource Manager resources going forward.

Responsibility: Customer

Azure Security Center monitoring: None

6.2: Maintain asset metadata

Guidance: Apply tags to Azure resources using metadata to logically organize them into a taxonomy.

Responsibility: Customer

Azure Security Center monitoring: None

6.3: Delete unauthorized Azure resources

Guidance: Use tagging, management groups, and separate subscriptions, as appropriate, to organize and track Azure resources. Reconcile inventory on a regular basis and ensure that unauthorized resources are removed from your subscriptions as part of this process.

Use Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions, by using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Review the referenced links for additional information.

Responsibility: Customer

Azure Security Center monitoring: None

6.4: Define and maintain inventory of approved Azure resources

Guidance: Create an inventory of approved Azure resources and approved software for compute resources based on your organizational needs.

Responsibility: Customer

Azure Security Center monitoring: None

6.5: Monitor for unapproved Azure resources

Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions.

Use Azure Resource Graph to query or discover resources within your subscriptions. Ensure that all Azure resources present in the environment are approved.

Responsibility: Customer

Azure Security Center monitoring: None

6.6: Monitor for unapproved software applications within compute resources

Guidance: Use Azure Resource Graph to query or discover resources within your subscriptions and ensure that the discovered Azure resources are approved based on your organizational policies.

Use WebJobs in App Service to monitor for unapproved software applications deployed within compute resources. Use WebJobs to run a program or script in the same instance as a web app, API app, or mobile app. Define WebJob configurations and monitoring with logs. In the WebJob Run Details page, select Toggle Output to see the text of the log contents. Note that WebJobs are not yet supported for App Service on Linux.

Responsibility: Customer

Azure Security Center monitoring: None

6.7: Remove unapproved Azure resources and software applications

Guidance: Ensure that all Azure resources present in the environment are approved. Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions. Remove any deployed software applications that have not been approved per your organizational policies.

Responsibility: Customer

Azure Security Center monitoring: None

6.8: Use only approved applications

Guidance: Ensure that all Azure resources present in the environment are approved. Use Azure Policy to put restrictions on the type of resources that can be created in your subscriptions. Remove any deployed software applications that have not been approved per your organizational policies.

Responsibility: Customer

Azure Security Center monitoring: None

6.9: Use only approved Azure services

Guidance: Create a process to review unauthorized Azure services on a periodic basis to ensure that only authorized Azure services are used in your subscriptions.

Use Azure Resource Graph within this process to query or discover resources within your subscriptions. Ensure that all Azure resources present in the environment are approved.

Configure Azure Policy to put restrictions on the type of resources that can be created in your subscriptions by using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Use WebJobs in App Service to monitor for unapproved software applications deployed within compute resources. Use WebJobs to run a program or script in the same instance as a web app, API app, or mobile app. Define WebJob configurations and monitoring with logs. In the WebJob Run Details page, select Toggle Output to see the text of the log contents. Note that WebJobs are not yet supported for App Service on Linux.

Responsibility: Customer

Azure Security Center monitoring: None

6.10: Maintain an inventory of approved software titles

Guidance: Implement a process to inventory and review software titles in your subscriptions on a periodic basis to ensure that only authorized Azure services are used in your subscriptions.

Use Azure Resource Graph within this process to query or discover resources within your subscriptions. Ensure that all Azure resources discovered in the environment are approved.

Configure Azure Policy to put restrictions on the type of resources that can be created in customer subscriptions by using the following built-in policy definitions:

  • Not allowed resource types
  • Allowed resource types

Similarly, use WebJobs in App Service to inventory unapproved software applications deployed within compute resources. Define their configuration and monitoring with logs. In the WebJob Run Details page, select Toggle Output to see the text of the log contents. Note that WebJobs are not yet supported for App Service on Linux.

Responsibility: Customer

Azure Security Center monitoring: None

6.11: Limit users' ability to interact with Azure Resource Manager

Guidance: Configure Azure Conditional Access to limit the ability of users to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" app.

Responsibility: Customer

Azure Security Center monitoring: None

6.12: Limit users' ability to execute scripts within compute resources

Guidance: WebJobs in App Service enable customers to run a program or script in the same instance as a web app, API app, or mobile app. You are responsible for defining your configuration to restrict or limit any scripts that are not allowed by your organization. App Service does not natively provide a mechanism to limit script execution. Note that WebJobs are not yet supported for App Service on Linux.

Responsibility: Customer

Azure Security Center monitoring: None

6.13: Physically or logically segregate high risk applications

Guidance: Implement separate subscriptions or management groups to provide isolation for high-risk App Service apps. Deploy a higher-risk app into its own Virtual Network, since perimeter security in App Service is achieved through the use of virtual networks. The App Service Environment is a deployment of App Service into a subnet in your Azure Virtual Network.

There are two types of App Service Environment: the External App Service Environment and the ILB (Internal Load Balancer) App Service Environment. Choose the best architecture based on your requirements.

Responsibility: Customer

Azure Security Center monitoring: None

安全配置Secure Configuration

有关详细信息,请参阅 Azure 安全基线: 安全配置For more information, see the Azure Security Benchmark: Secure Configuration.

7.1:为所有 Azure 资源建立安全配置7.1: Establish secure configurations for all Azure resources

指南:通过 Azure 策略为应用服务部署的应用定义和实施标准安全配置。Guidance: Define and implement standard security configurations for your App Service deployed apps with Azure Policy.

使用 "Microsoft Web" 命名空间中的 Azure 策略别名创建自定义策略,以审核或强制实施应用服务 Web 应用的配置。Use Azure Policy aliases in the "Microsoft.Web" namespace to create custom policies to audit or enforce the configuration of your App Service Web Apps.

应用内置策略定义,例如:Apply built-in policy definitions such as:

  • 应用服务应使用虚拟网络服务终结点App Service should use a virtual network service endpoint

  • 只能通过 HTTPS 访问 Web 应用程序Web Applications should only be accessible over HTTPS

  • 在应用中使用最新的 TLS 版本Use the latest TLS version in your apps

建议将此过程记录为应用用于标准化使用的内置策略定义。It is recommended that you document the process to apply the built-in policy definitions for standardized usage.

责任:客户Responsibility: Customer

Azure 安全中心监视:无Azure Security Center monitoring: None

7.3: Maintain secure Azure resource configurations

Guidance: Use Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings across your Azure App Service apps.

Responsibility: Customer

Azure Security Center monitoring: None

7.5: Securely store configuration of Azure resources

Guidance: Choose Azure DevOps or Azure Repos to securely store and manage your code when using custom Azure Policy definitions.

Use your existing Continuous Integration (CI) and Continuous Delivery (CD) pipeline to deploy a known-secure configuration.

Responsibility: Customer

Azure Security Center monitoring: None

7.7: Deploy configuration management tools for Azure resources

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.Web" namespace to create custom policies to alert, audit, and enforce system configurations. Develop a process and pipeline for managing policy exceptions.

Responsibility: Customer

Azure Security Center monitoring: None

7.9: Implement automated configuration monitoring for Azure resources

Guidance: Use built-in Azure Policy definitions as well as Azure Policy aliases in the "Microsoft.Web" namespace to create custom policies to alert, audit, and enforce system configurations.

Apply Azure Policy [audit], [deny], and [deploy if not exist] effects to automatically enforce configurations for your Azure resources.
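The custom policy that controls 7.2, 7.3, 7.7 and 7.9 describe, as an added example (this is not code from the baseline page): a definition built on the Microsoft.Web/sites/httpsOnly alias whose effect is a parameter, so the same definition is first assigned as Audit and then switched to Deny once exceptions have been handled through a time-limited exemption. The subscription id, definition name, assignment names and the exempted app are placeholders.

```powershell
# Added example; not part of the baseline page. Assumed placeholders: the subscription id,
# the names "require-https-only", "audit-https-only", "deny-https-only" and the exempted app "legacy-app".
$scope = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder subscription

# Policy rule: any Microsoft.Web/sites resource whose httpsOnly flag is not true is non-compliant.
# A missing httpsOnly property also fails the check, which is what we want (the default is false).
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Web/sites" },
      { "field": "Microsoft.Web/sites/httpsOnly", "notEquals": "true" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# The effect is a parameter so one definition serves both the audit and the enforce phase.
$params = @'
{
  "effect": {
    "type": "String",
    "defaultValue": "Audit",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "metadata": { "displayName": "Effect", "description": "Audit first; Deny once exceptions are handled." }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'require-https-only' `
    -DisplayName 'App Service apps should have HTTPS only enabled (custom)' `
    -Mode Indexed -Policy $rule -Parameter $params

# Phase 1 (7.9): audit only, to measure impact and collect the apps that need an exception.
New-AzPolicyAssignment -Name 'audit-https-only' -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Audit' }

# Phase 2 (7.3): deny new or updated apps that are not HTTPS only.
$deny = New-AzPolicyAssignment -Name 'deny-https-only' -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Deny' }

# Exception process (7.7): exempt a reviewed app with an expiry instead of weakening the rule.
New-AzPolicyExemption -Name 'legacy-app-https-waiver' -PolicyAssignment $deny `
    -Scope "$scope/resourceGroups/rg-example/providers/Microsoft.Web/sites/legacy-app" `
    -ExemptionCategory Waiver -ExpiresOn (Get-Date).AddDays(90)
```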

Responsibility: Customer

Azure Security Center monitoring: None

7.11: Manage Azure secrets securely

Guidance: Use Managed Identities to provide your App Service apps with an automatically managed identity in Azure Active Directory (Azure AD). Managed Identities enable your apps to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. Ensure soft delete is enabled in Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

7.12: Manage identities securely and automatically

Guidance: Use Managed Identities to provide your App Service-deployed apps with an automatically managed identity in Azure Active Directory (Azure AD). Managed Identities enable your apps to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
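Managed identity and a Key Vault reference as described in 7.11 and 7.12, as an added example that is not from the baseline page: the app gets a system-assigned identity, that identity (and nothing else) is allowed to read secrets, soft delete is verified, and a secret is surfaced to the app as an application setting without its value ever appearing in code or configuration. The resource group, app, vault and secret names are placeholders.

```powershell
# Added example; not part of the baseline page. Assumed placeholders:
# resource group "rg-example", web app "app-example", Key Vault "kv-example", secret "DbConnectionString".
$rg  = 'rg-example'
$app = 'app-example'
$kv  = 'kv-example'

# 1. System-assigned managed identity: Azure AD creates and rotates the credential, nothing to store.
$webApp      = Set-AzWebApp -ResourceGroupName $rg -Name $app -AssignIdentity $true
$principalId = $webApp.Identity.PrincipalId

# 2. Least privilege on the vault: the app's identity may only read secrets (no list, set or delete).
Set-AzKeyVaultAccessPolicy -VaultName $kv -ObjectId $principalId -PermissionsToSecrets get

# 3. Baseline requirement from 7.11: soft delete must be on, so a deleted secret can be recovered.
$vault = Get-AzKeyVault -VaultName $kv
if (-not $vault.EnableSoftDelete) { throw "Soft delete is not enabled on Key Vault $kv" }

# 4. Key Vault reference: App Service resolves the value at runtime using the managed identity.
#    The app setting contains only the secret's URI, never the secret itself.
$secretUri = (Get-AzKeyVaultSecret -VaultName $kv -Name 'DbConnectionString').Id

# Set-AzWebApp -AppSettings replaces the whole collection, so carry the existing settings over.
$settings = @{}
foreach ($s in $webApp.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$settings['DbConnectionString'] = "@Microsoft.KeyVault(SecretUri=$secretUri)"
Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings $settings | Out-Null
```

Pinning the versioned secret URI means a rotated secret is picked up only after the reference is updated; omit the version segment when the app should always read the latest value.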

Responsibility: Customer

Azure Security Center monitoring: The Azure Security Benchmark is the default policy initiative for Security Center and is the foundation for Security Center's recommendations. The Azure Policy definitions related to this control are enabled automatically by Security Center. Alerts related to this control may require an Azure Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Web:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0
Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0
Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0

7.13: Eliminate unintended credential exposure

Guidance: Implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

Data Recovery

For more information, see the Azure Security Benchmark: Data Recovery.

9.1: Ensure regular automated back-ups

Guidance: The Backup and Restore feature in App Service lets you easily create app backups manually or on a schedule. You can configure the backups to be retained for an indefinite amount of time. You can restore the app to a snapshot of a previous state by overwriting the existing app or restoring to another app.

App Service can back up the following information to an Azure storage account and container that you have configured your app to use:

  • App configuration
  • File content
  • Database connected to your app

Ensure that regular and automated back-ups are occurring at a frequency as defined by your organizational policies.

Responsibility: Customer

Azure Security Center monitoring: None

9.2: Perform complete system backups and backup any customer-managed keys

Guidance: Use the backup and restore feature of App Service to back up your applications. The backup feature requires an Azure Storage Account to store your application's backup information.

  • Azure Storage provides encryption at rest - use system-provided keys or your own, customer-managed keys. This is where your application data is stored when it is not running in a web app in Azure.

  • Running from a deployment package is a deployment feature of App Service. It allows you to deploy your site content from an Azure Storage Account using a Shared Access Signature (SAS) URL.

  • Key Vault references are a security feature of App Service. They allow you to import secrets at runtime as application settings. Use this to protect the SAS URL of your Azure Storage Account.

More information is available at the referenced links.
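Scheduled backups as described in 9.1 and 9.2, as an added example that is not from the baseline page: a container-scoped SAS with an expiry, a daily backup schedule with retention, the SAS URL kept in Key Vault rather than in scripts, and a check that backups are actually succeeding. The resource group, app, storage account, container and vault names are placeholders.

```powershell
# Added example; not part of the baseline page. Assumed placeholders: resource group "rg-example",
# web app "app-example", storage account "stbackupexample", container "appbackups", Key Vault "kv-example".
$rg = 'rg-example'; $app = 'app-example'; $sa = 'stbackupexample'; $container = 'appbackups'; $kv = 'kv-example'

# 1. Scope the SAS to the one container and the permissions the backup job needs (rwdl), with an expiry.
#    A leaked SAS then exposes only this container and only until the expiry date.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Context
$sas = New-AzStorageContainerSASToken -Name $container -Permission rwdl -ExpiryTime (Get-Date).AddMonths(3) -Context $ctx
if (-not $sas.StartsWith('?')) { $sas = "?$sas" }   # Az.Storage versions differ on the leading '?'
$sasUrl = "https://$sa.blob.core.windows.net/$container$sas"

# 2. Keep the SAS URL in Key Vault (soft delete assumed on, see 7.11) instead of in scripts or tickets.
Set-AzKeyVaultSecret -VaultName $kv -Name 'app-example-backup-sas' `
    -SecretValue (ConvertTo-SecureString $sasUrl -AsPlainText -Force) | Out-Null

# 3. Daily schedule, 30-day retention; KeepAtLeastOneBackup stops retention from deleting the last copy.
#    Adjust the frequency and retention to what your organizational policy requires (9.1).
Edit-AzWebAppBackupConfiguration -ResourceGroupName $rg -Name $app -StorageAccountUrl $sasUrl `
    -FrequencyInterval 1 -FrequencyUnit Day -RetentionPeriodInDays 30 `
    -StartTime (Get-Date).AddHours(1) -KeepAtLeastOneBackup

# 4. Verify: a schedule is not evidence that backups exist. List them and flag anything not Succeeded.
$backups = Get-AzWebAppBackupList -ResourceGroupName $rg -Name $app
$backups | Select-Object BackupName, Created, BackupStatus, BackupSize
$failed = @($backups | Where-Object { $_.BackupStatus -ne 'Succeeded' })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) backup(s) are not in the Succeeded state" }
```

Renew the SAS (and the stored secret) before it expires; once it does, scheduled backups fail silently until the configuration is updated, which the check in step 4 is there to catch.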

Responsibility: Customer

Azure Security Center monitoring: None

9.3: Validate all backups including customer-managed keys

Guidance: Periodically test the restore process for any backups of your App Service applications.

Responsibility: Customer

Azure Security Center monitoring: None

9.4: Ensure protection of backups and customer-managed keys

Guidance: App Service backups are stored within an Azure Storage account. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

By default, data in a storage account is encrypted with Microsoft-managed keys. You can rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. Ensure soft delete is enabled in Azure Key Vault.

Responsibility: Customer

Azure Security Center monitoring: None

Incident Response

For more information, see the Azure Security Benchmark: Incident Response.

10.1: Create an incident response guide

Guidance: Build out an incident response guide for your organization. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review.

Responsibility: Customer

Azure Security Center monitoring: None

10.2: Create an incident scoring and prioritization procedure

Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.

Additionally, clearly mark subscriptions (for example, production, non-production) and create a naming system to clearly identify and categorize Azure resources.

Responsibility: Customer

Azure Security Center monitoring: None

10.3: Test security response procedures

Guidance: Conduct exercises to test your system's incident response capabilities on a regular cadence. Identify weak points and gaps and revise the plan as needed.

Responsibility: Customer

Azure Security Center monitoring: None

10.4: Provide security incident contact details and configure alert notifications for security incidents

Guidance: Security incident contact information will be used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that the customer's data has been accessed by an unlawful or unauthorized party. Review incidents after the fact to ensure that issues are resolved.

Responsibility: Customer

Azure Security Center monitoring: None

10.5: Incorporate security alerts into your incident response system

Guidance: Export your Security Center alerts and recommendations using the Continuous Export feature. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. Use the Security Center data connector to stream the alerts to Azure Sentinel as per business needs.

Responsibility: Customer

Azure Security Center monitoring: None

10.6: Automate the response to security alerts

Guidance: Use the Workflow Automation feature in Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations.

Responsibility: Customer

Azure Security Center monitoring: None

Penetration Tests and Red Team Exercises

For more information, see the Azure Security Benchmark: Penetration Tests and Red Team Exercises.

11.1: Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

Guidance: Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Shared

Azure Security Center monitoring: None

Next steps