Security Best Practices for Azure Information Protection

The Azure Information Protection (AIP) Software Development Kit (SDK) provides a robust system for publishing and consuming protected information of all types. To help an AIP system be as strong as possible, AIP-enabled applications must be built using AIP best practices. AIP-enabled applications share responsibility for helping to maintain the security of this ecosystem. Identifying security risks, and providing mitigations for the risks introduced during application development, helps to minimize the likelihood of a less secure software implementation.

Best practices for implementing applications by using the Azure Information Protection Software Development Kit (SDK) include the following categories of suggestions:

This information supplements the legal agreement that must be signed in order to obtain the digital certificates needed to implement applications using the AIP SDK.

Subjects Not Covered in These Topics

These topics briefly describe the following issues, which are significant when attempting to create both a development environment and a secure application:

  • Software development process management — Includes information about configuration management, securing source code, minimizing access to debugged code, and assigning priority to bugs. For some of your customers, having a more secure software development process is of paramount importance. Some customers even prescribe a development process.
  • Common coding errors — Includes information about avoiding buffer overruns. We recommend the latest version of Writing Secure Code by Michael Howard and David LeBlanc (Microsoft Press, 2002) to review these generic threats and mitigations.
  • Social engineering — Includes information about procedural and structural safeguards that help protect against exploitation of code by developers or others within the manufacturer's organization.
  • Physical security — Includes information about locking down access to your code base and signing certificates.
  • Deployment or distribution of prerelease software — Includes information about distributing your beta software.
  • Network management — Includes information about intrusion-detection systems on your physical networks.

Threat Models and Mitigations

Digital information owners need to be able to evaluate the environments in which their assets will be decrypted. A statement of minimum security standards can provide information owners with a framework for understanding and assessing the security level of the applications to which they entrust their information.

Some industries, such as government and health care, have certification and accreditation processes and standards that may apply to your product. Meeting these minimum security recommendations is not a substitute for the unique accreditation needs of your customers. However, the intent of the security standards is to help you prepare for current and future customer requirements, and any investment you make early in the development cycle will benefit your application. These are recommendations, not a formal Microsoft certification program.

There are several major categories of vulnerabilities in a rights management services system, including:

  • Leakage — Information appears in unauthorized locations.
  • Corruption — Software or data is modified in an unauthorized manner.
  • Denial — A computing resource is not available for use.

These topics focus primarily on leakage issues. The integrity of an API system depends upon its ability, over time, to protect information, enabling access only to designated entities. These topics also touch upon corruption issues. Denial issues are not covered.

Microsoft does not test or review test results related to meeting the minimum standard; it is entirely up to the partner to ensure the minimum standards are met. Microsoft provides two additional levels of recommendations to help mitigate common threats. In general, these suggestions are additive; for example, meeting preferred recommendations assumes that you have met minimum standards, where applicable, unless otherwise specified.

Standard levels

  • Minimum standard: An application that handles AIP-protected information must be determined to meet the minimum standard before the application can be signed with the production certificate received from Microsoft. Partners generally use the production hierarchy certificate only at the time of final release of the software, when partners' own internal tests have verified that the application meets this minimum standard. Meeting the minimum standard is not, and should not be construed as, a guarantee of security by Microsoft. Microsoft does not test or review test results related to meeting the minimum standard; it is entirely up to the partner to ensure the minimum is met.
  • Recommended standard: Recommended guidelines both chart a path to improved application security and provide an indication of how AIP may evolve as more security criteria are implemented. Vendors might attempt to differentiate their applications by building to this higher level of security guidelines.
  • Preferred standard: This is the highest category of security currently defined. Vendors who develop applications marketed as highly secure should aim for this standard. Applications that adhere to this standard are likely to be the least vulnerable to attack.

Malicious Software

Microsoft has defined minimum required standards that your application must meet to protect content from malicious software.

Importing Malicious Software by Using Address Tables

AIP does not support code modification at run time or modification of the import address table (IAT). An import address table is created for every DLL loaded in your process space. It specifies the addresses of all functions that your application imports. One common attack is to modify the IAT entries within an application to, for example, point to malicious software. AIP stops the application when it detects this type of attack.

Minimum standard

  • You cannot modify the import address table in the application process during execution. Your application specifies many of the functions called at run time by using address tables, and these cannot be altered during or after run time. Among other things, this means you cannot perform code profiling on an application signed by using the production certificate.
  • You cannot call the DebugBreak function from within any DLL specified in the manifest.
  • You cannot call LoadLibrary with the DONT_RESOLVE_DLL_REFERENCES flag set. This flag tells the loader to skip binding to the imported modules, thereby modifying the import address table.
  • You cannot alter delayed loading by making run-time or subsequent changes to the /DELAYLOAD linker switch.
  • You cannot alter delayed loading by providing your own version of the Delayimp.lib helper function.
  • You cannot unload modules that have been delay-loaded by authenticated modules while the AIP environment exists.
  • You cannot use the /DELAY:UNLOAD linker switch to enable unloading of delayed modules.

Incorrectly Interpreting License Rights

If your application does not correctly interpret and enforce the rights expressed in the AIP issuance license, you may make information available in ways that the information owner did not intend. An example of this is when an application allows a user to save unencrypted information to new media when the issuance license only confers the right to view the information.

The AIP system organizes rights into a few groupings. For more information, see Configuring usage rights for Azure Rights Management.

Azure Information Protection

The API allows a user either to decrypt information or not; the information does not have any inherent protection. If a user has the right to decrypt information, the API permits it, and the application is responsible for managing or protecting that information after it is in the clear. An application is responsible for managing its environment and interface to prevent the unauthorized use of information; for example, disabling the Print and Copy buttons if a license only grants the PLAY right. Your test suite should verify that your application acts correctly on all the license rights that it recognizes.

Minimum standard

  • The customer implementation of XrML v.1.2 rights should be consistent with the definitions of these rights, as described in the XrML specifications, which are available at the XrML Web site (http://www.xrml.org). Any rights that are specific to your application must be defined for all entities that have an interest in your application.
  • Your test suite and test process should verify that your application executes properly against the rights that the application supports and that it does not act upon unsupported rights.
  • If you are building a publishing application, you must make information available that explains which intrinsic rights are and are not supported by the publishing application and how these rights should be interpreted. In addition, the user interface should make clear to the end user what the implications are of each right granted or denied for an individual piece of information.
  • Any rights that are abstracted by inclusion in new rights implemented by an application need to be mapped to the new terminology. For example, a new right called MANAGER might include as abstracted rights the PRINT, COPY, and EDIT rights.

Recommended standard

None at this time.

Preferred standard

None at this time.
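To make the enforcement requirements above concrete, here is an added example in C++ (not code from the AIP SDK or from this page) of a deny-by-default mapping from license rights to UI actions: abstract rights such as MANAGER are expanded into the intrinsic rights they bundle, rights the application does not support never unlock anything, and a PLAY-only license leaves Print and Copy disabled. The action names, the MANAGER expansion and the list of supported rights are assumptions made for the example; a test suite would assert on ActionEnabled for every right the application recognizes and for rights it does not.

```cpp
#include <map>
#include <set>
#include <string>

// A license's rights, by name (VIEW, PLAY, PRINT, COPY, EDIT, MANAGER, ...).
using RightSet = std::set<std::string>;

// Hypothetical application-defined abstract rights and the intrinsic rights
// each one bundles; MANAGER is the example used on this page.
static const std::map<std::string, RightSet> kAbstractRights = {
    {"MANAGER", {"PRINT", "COPY", "EDIT"}},
};

// Intrinsic rights this application knows how to enforce (assumed list). A
// right not listed here must never unlock an action, even if a license grants it.
static const RightSet kSupportedRights = {"VIEW", "PLAY", "PRINT", "COPY", "EDIT"};

// Hypothetical UI actions and the single right that authorizes each one.
static const std::map<std::string, std::string> kActionToRight = {
    {"View", "VIEW"}, {"Play", "PLAY"}, {"Print", "PRINT"},
    {"Copy", "COPY"}, {"Edit", "EDIT"},
};

// Expand abstract rights into intrinsic ones and drop anything unsupported.
RightSet EffectiveRights(const RightSet& granted) {
    RightSet effective;
    for (const auto& r : granted) {
        auto it = kAbstractRights.find(r);
        if (it != kAbstractRights.end()) {
            for (const auto& inner : it->second) {
                if (kSupportedRights.count(inner)) effective.insert(inner);
            }
        } else if (kSupportedRights.count(r)) {
            effective.insert(r);
        }
    }
    return effective;
}

// Deny by default: a button is enabled only when its authorizing right is
// effective. Unknown actions are always disabled.
bool ActionEnabled(const RightSet& granted, const std::string& action) {
    auto it = kActionToRight.find(action);
    if (it == kActionToRight.end()) return false;
    return EffectiveRights(granted).count(it->second) > 0;
}
```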