
Set security policies in Azure Security Center

This article helps you configure security policies in Security Center.

How security policies work

Security Center automatically creates a default security policy for each of your Azure subscriptions. In Security Center, you can edit the policies and monitor policy compliance.

Note

You can now extend Security Center policies by using Azure Policy. For more information, see Integrate Security Center security policies with Azure Policy.

The security requirements for resources that are used for development or test might differ from the requirements for resources that are used for production applications. Applications that use regulated data, such as personally identifiable information, might require a higher level of security. Security policies that are enabled in Azure Security Center drive security recommendations and monitoring to help you identify potential vulnerabilities and mitigate threats. For more information about how to determine the option that is appropriate for you, see Azure Security Center planning and operations guide.

Edit security policies

You can edit the default security policy for each of your Azure subscriptions in Security Center. To modify a security policy, you must be an owner, contributor, or security administrator of the subscription. To configure security policies in Security Center, do the following:

  1. Sign in to the Azure portal.

  2. On the Security Center dashboard, under General, select Security policy.

  3. Select the subscription that you want to enable a security policy for.

  4. In the Policy Components section, select Security policy.
    This is the default policy that is assigned by Security Center. You can turn the available security recommendations on or off.

  5. When you finish editing, select Save.

Available security policy definitions

To understand the policy definitions that are available in the default security policy, refer to the following list, which gives each policy and what it does:

System updates: Retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that is configured for your virtual machines, and the policy recommends that missing updates be applied. For Linux systems, the policy uses the distro-provided package-management system to determine which packages have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.

Security configurations: Analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to address these vulnerabilities. For more information about the specific configurations that are monitored, see the list of recommended baselines. (At this time, Windows Server 2016 is not fully supported.)

Endpoint protection: Recommends that endpoint protection be set up for all Windows virtual machines (VMs) to help identify and remove viruses, spyware, and other malicious software.

Disk encryption: Recommends enabling disk encryption on all virtual machines to enhance data protection at rest.

Network security groups: Recommends that network security groups be configured to control inbound and outbound traffic to VMs that have public endpoints. Network security groups that are configured for a subnet are inherited by all virtual-machine network interfaces unless otherwise specified. In addition to checking whether a network security group has been configured, this policy assesses inbound security rules to identify rules that allow incoming traffic.

Web application firewall: Recommends that a web application firewall be set up on virtual machines when either of the following is true:
  • An instance-level public IP is used, and the inbound security rules for the associated network security group are configured to allow access to port 80/443.
  • A load-balanced IP is used, and the associated load-balancing and inbound network address translation (NAT) rules are configured to allow access to port 80/443. For more information, see Azure Resource Manager support for Load Balancer.

Next generation firewall: Extends network protections beyond network security groups, which are built into Azure. Security Center discovers deployments for which a next generation firewall is recommended, and then you can set up a virtual appliance.

SQL auditing and threat detection: Recommends that auditing of access to your SQL database be enabled, both for compliance and for advanced threat detection, for investigation purposes.

SQL encryption: Recommends that encryption at rest be enabled for your SQL database, associated backups, and transaction log files. Even if your data is breached, it is not readable.

Vulnerability assessment: Recommends that you install a vulnerability assessment solution on your VMs.

Storage encryption: Currently, this feature is available for blobs and Azure Files. After you enable Storage Service Encryption, only new data is encrypted; any existing files in the storage account remain unencrypted.

JIT network access: When just-in-time network access is enabled, Security Center locks down inbound traffic to your Azure VMs by creating a network security group rule. You select the ports on the VM to which inbound traffic should be locked down. For more information, see Manage virtual machine access using just in time.
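The network security group and web application firewall policies above both hinge on one question: which inbound rules actually let Internet traffic reach ports 80/443? The following added example (not Security Center's own code, written for this page) evaluates a constructed set of NSG rules in priority order, the way the NSG data plane does, and reports which web ports end up exposed. It uses the real ARM NSG rule field names (priority, direction, access, sourceAddressPrefix, destinationPortRange/destinationPortRanges); the rule set itself is constructed sample data.

```python
"""Assess NSG inbound rules: which public web ports (80/443) are really allowed in?"""
from typing import Iterable

# Source prefixes that mean "any Internet client". A specific CIDR such as
# 203.0.113.0/24 is deliberately not treated as Internet-wide exposure here.
INTERNET_PREFIXES = {"*", "Internet", "0.0.0.0/0"}


def _ports(rule: dict) -> Iterable[str]:
    # A rule carries either destinationPortRange (one value) or destinationPortRanges (a list).
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]


def _port_matches(ranges: Iterable[str], port: int) -> bool:
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")          # "80" or "8000-8080"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def inbound_decision(rules: list[dict], port: int) -> str:
    """Return 'Allow' or 'Deny' for Internet traffic to `port`.
    NSG rules are evaluated lowest priority number first; the first match wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if rule.get("sourceAddressPrefix") not in INTERNET_PREFIXES:
            continue
        if _port_matches(_ports(rule), port):
            return rule["access"]
    return "Deny"  # the platform's DenyAllInBound default rule (priority 65500) wins otherwise


def web_ports_open(rules: list[dict]) -> list[int]:
    """Ports among 80/443 exposed to the Internet: the condition under which
    the web application firewall policy recommends a WAF."""
    return [p for p in (80, 443) if inbound_decision(rules, p) == "Allow"]


# Constructed sample: a Deny on 443 outranks a broad Allow on 80 and 8000-8080.
SAMPLE_RULES = [
    {"name": "deny-https", "priority": 100, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-web", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "8000-8080"]},
    {"name": "allow-ssh-vnet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "22"},
]

if __name__ == "__main__":
    print(web_ports_open(SAMPLE_RULES))  # [80]
```

Run against a real NSG, the rule list would come from the resource's securityRules export; here the constructed rules show that a higher-priority Deny shadows a broad Allow, so only port 80 triggers the WAF recommendation.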

Next steps

In this article, you learned how to configure security policies in Security Center. To learn more about Security Center, see the following articles:

To learn more about Azure Policy, see What is Azure Policy?