
Protecting your virtual machines in Azure Security Center

Azure Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls. Recommendations apply to these Azure resource types: virtual machines (VMs), networking, SQL, and applications.

This article addresses the recommendations that apply to VMs. VM recommendations center around data collection, applying system updates, provisioning antimalware, encrypting your VM disks, and more. Use the table below as a reference to understand the available VM recommendations and what each one does if you apply it.

Available VM recommendations

Recommendation | Description
Enable data collection for subscriptions | Recommends that you turn on data collection in the security policy for each of your subscriptions and for all virtual machines (VMs) in those subscriptions.
Enable encryption for Azure Storage Account | Recommends that you enable Azure Storage Service Encryption for data at rest. Storage Service Encryption (SSE) works by encrypting data when it is written to Azure Storage and decrypting it before retrieval. SSE is currently available only for the Azure Blob service and can be used for block blobs, page blobs, and append blobs. To learn more, see Storage Service Encryption for data at rest. SSE is supported only on Resource Manager storage accounts; classic storage accounts are currently not supported. To understand the classic and Resource Manager deployment models, see Azure deployment models.
Remediate OS vulnerabilities | Recommends that you align your OS configurations with the recommended configuration rules, e.g. do not allow passwords to be saved.
Apply system updates | Recommends that you deploy missing system security and critical updates to VMs.
Apply a Just-In-Time network access control | Recommends that you apply just-in-time VM access. The just-in-time feature is in preview and is available on the Standard tier of Security Center. See Pricing to learn more about Security Center's pricing tiers.
Reboot after system updates | Recommends that you reboot a VM to complete the process of applying system updates.
Install Endpoint Protection | Recommends that you provision antimalware programs to VMs (Windows VMs only).
Enable VM Agent | Enables you to see which VMs require the VM Agent. The VM Agent must be installed on a VM in order to provision patch scanning, baseline scanning, and antimalware programs. The VM Agent is installed by default on VMs deployed from the Azure Marketplace. The article VM Agent and Extensions – Part 2 provides information on how to install the VM Agent.
Apply disk encryption | Recommends that you encrypt your VM disks using Azure Disk Encryption (Windows and Linux VMs). Encryption is recommended for both the OS and data volumes on your VM.
Update OS version | Recommends that you update the operating system (OS) version of your Cloud Service to the most recent version available for your OS family. To learn more about Cloud Services, see the Cloud Services overview.
Vulnerability assessment not installed | Recommends that you install a vulnerability assessment solution on your VM.
Remediate vulnerabilities | Enables you to see system and application vulnerabilities detected by the vulnerability assessment solution installed on your VM.
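The table above states two dependencies that are easy to miss when reading the recommendations one by one: SSE can only be applied to Resource Manager storage accounts, and patch scanning, baseline scanning and antimalware provisioning all require the VM Agent. The following evaluator is an added example, not code from the Azure documentation or from Security Center itself; it models those relationships over a constructed inventory. Every dataclass, field name and sample resource is an assumption made for the example, and the evaluation is a simplification (only the dependencies the table states are modelled). Real resource state would come from the Azure APIs.

```python
# Added example: a toy rule evaluator for the VM recommendations in the table.
# The inventory shape and all field names are assumptions, not Azure API output.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class StorageAccount:
    name: str
    resource_manager: bool   # False means a classic storage account
    sse_enabled: bool


@dataclass
class VirtualMachine:
    name: str
    windows: bool
    agent_installed: bool
    missing_critical_updates: int = 0
    reboot_pending: bool = False
    endpoint_protection: bool = False
    os_disk_encrypted: bool = False
    data_disks_encrypted: bool = False
    baseline_failures: int = 0
    vuln_assessment_installed: bool = False
    jit_access_enabled: bool = False


@dataclass
class Subscription:
    name: str
    data_collection_enabled: bool
    vms: List[VirtualMachine] = field(default_factory=list)
    storage_accounts: List[StorageAccount] = field(default_factory=list)


def storage_recommendations(acct: StorageAccount) -> List[str]:
    # SSE is only supported on Resource Manager accounts, so a classic account
    # is skipped rather than flagged: the control cannot be applied there.
    if not acct.resource_manager:
        return []
    return [] if acct.sse_enabled else ["Enable encryption for Azure Storage Account"]


def vm_recommendations(vm: VirtualMachine) -> List[str]:
    recs: List[str] = []
    if not vm.agent_installed:
        # Patch scanning, baseline scanning and antimalware provisioning all need
        # the VM Agent, so the agent is reported first and the checks that depend
        # on it are deferred until it is installed.
        recs.append("Enable VM Agent")
    else:
        if vm.missing_critical_updates > 0:
            recs.append("Apply system updates")
        if vm.reboot_pending:
            recs.append("Reboot after system updates")
        if vm.baseline_failures > 0:
            recs.append("Remediate OS vulnerabilities")
        if vm.windows and not vm.endpoint_protection:
            recs.append("Install Endpoint Protection")   # Windows VMs only
        if not vm.vuln_assessment_installed:
            recs.append("Vulnerability assessment not installed")
    # Simplification: the table states no agent dependency for these two, so they
    # are evaluated regardless. Both OS and data volumes should be encrypted.
    if not (vm.os_disk_encrypted and vm.data_disks_encrypted):
        recs.append("Apply disk encryption")
    if not vm.jit_access_enabled:
        recs.append("Apply a Just-In-Time network access control")
    return recs


def subscription_recommendations(sub: Subscription) -> Dict[str, List[str]]:
    """Map each resource name to its open recommendations (resources with none are omitted)."""
    report: Dict[str, List[str]] = {}
    if not sub.data_collection_enabled:
        report[sub.name] = ["Enable data collection for subscriptions"]
    for acct in sub.storage_accounts:
        recs = storage_recommendations(acct)
        if recs:
            report[acct.name] = recs
    for vm in sub.vms:
        recs = vm_recommendations(vm)
        if recs:
            report[vm.name] = recs
    return report


# Constructed sample inventory; none of these resources exist.
SAMPLE = Subscription(
    name="sub-example",
    data_collection_enabled=False,
    storage_accounts=[
        StorageAccount("armstorage01", resource_manager=True, sse_enabled=False),
        StorageAccount("classicstorage01", resource_manager=False, sse_enabled=False),
    ],
    vms=[
        VirtualMachine("win-web-01", windows=True, agent_installed=True,
                       missing_critical_updates=3, endpoint_protection=False,
                       os_disk_encrypted=True, data_disks_encrypted=False,
                       vuln_assessment_installed=True, jit_access_enabled=True),
        VirtualMachine("linux-db-01", windows=False, agent_installed=False),
    ],
)

if __name__ == "__main__":
    for resource, recs in subscription_recommendations(SAMPLE).items():
        print(resource)
        for rec in recs:
            print("  -", rec)
```

Running the script prints the open recommendations per resource: the classic storage account produces nothing because SSE cannot be enabled on it, and the Linux VM without the agent is told to install the agent before any update or baseline findings are raised.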

See also

To learn more about recommendations that apply to other Azure resource types, see the following:

To learn more about Security Center, see the following: