
Understand Azure Security Center resource recommendations

Recommendations

Use the tables below as a reference to understand the available Compute and App services recommendations and what each one changes when you apply it.

Computers

| Recommendation | Description |
|---|---|
| Enable data collection for subscriptions | Recommends that you turn on data collection in the security policy for each of your subscriptions and for all virtual machines (VMs) in those subscriptions. |
| Enable encryption for Azure Storage Account | Recommends that you enable Azure Storage Service Encryption for data at rest. Storage Service Encryption (SSE) encrypts data when it is written to Azure Storage and decrypts it before retrieval. SSE is currently available only for the Azure Blob service and can be used for block blobs, page blobs, and append blobs. To learn more, see Storage Service Encryption for data at rest. SSE is only supported on Resource Manager storage accounts; classic storage accounts are currently not supported. To understand the classic and Resource Manager deployment models, see Azure deployment models. |
| Remediate security configurations | Recommends that you align your OS configurations with the recommended security configuration rules, for example, do not allow passwords to be saved. |
| Apply system updates | Recommends that you deploy missing security and critical system updates to your VMs. |
| Apply a Just-In-Time network access control | Recommends that you apply just-in-time (JIT) VM access. The JIT feature is in preview and is available on the Standard tier of Security Center. See Pricing to learn more about Security Center's pricing tiers. |
| Reboot after system updates | Recommends that you reboot a VM to complete the process of applying system updates. |
| Install Endpoint Protection | Recommends that you provision antimalware programs to VMs (Windows VMs only). |
| Enable VM Agent | Enables you to see which VMs require the VM Agent. The VM Agent must be installed on a VM before patch scanning, baseline scanning, and antimalware programs can be provisioned. The VM Agent is installed by default on VMs deployed from the Azure Marketplace. The article VM Agent and Extensions – Part 2 explains how to install the VM Agent. |
| Apply disk encryption | Recommends that you encrypt your VM disks using Azure Disk Encryption (Windows and Linux VMs). Encryption is recommended for both the OS and data volumes on your VM. |
| Update OS version | Recommends that you update the operating system (OS) version of your Cloud Service to the most recent version available for your OS family. To learn more about Cloud Services, see the Cloud Services overview. |
| Vulnerability assessment not installed | Recommends that you install a vulnerability assessment solution on your VM. |
| Remediate vulnerabilities | Enables you to see the system and application vulnerabilities detected by the vulnerability assessment solution installed on your VM. |

App services

| Recommendation | Description |
|---|---|
| App Service should only be accessible over HTTPS | Recommends that you restrict access to the App Service to HTTPS only. |
| Web Sockets should be disabled for Web Application | Recommends that you carefully review the use of Web Sockets within your web applications. The Web Sockets protocol is exposed to several kinds of security threats. |
| Use custom domains for your Web Application | Recommends that you use custom domains to protect a web application from common attacks such as phishing and other DNS-related attacks. |
| Configure IP restrictions for Web Application | Recommends that you define the list of IP addresses that are allowed to access your application. IP restrictions protect a web application from common attacks. |
| Do not allow all ('*') resources to access your application | Recommends that you do not set the WEBSITE_LOAD_CERTIFICATES app setting to '*'. Setting it to '*' loads all certificates into your web application's personal certificate store. This violates the principle of least privilege, because the site is unlikely to need access to every certificate at runtime. |
| CORS should not allow every resource to access your application | Recommends that you allow only the required domains to interact with your web application. Cross-origin resource sharing (CORS) should not allow all domains to access your web application. |
| Use the latest supported .NET Framework for Web Application | Recommends that you use the latest .NET Framework version so that you get the latest security fixes and classes. Using older classes and types can leave your application vulnerable. |
| Use the latest supported Java version for Web Application | Recommends that you use the latest Java version so that you get the latest security fixes and classes. Using older classes and types can leave your application vulnerable. |
| Use the latest supported PHP version for Web Application | Recommends that you use the latest PHP version so that you get the latest security fixes and classes. Using older classes and types can leave your application vulnerable. |
| Add a web application firewall | Recommends that you deploy a web application firewall (WAF) for your web endpoints. A WAF recommendation is shown for any public-facing IP (either an instance-level IP or a load-balanced IP) that has an associated network security group with inbound web ports (80, 443) open. Security Center recommends that you provision a WAF to help defend against attacks targeting your web applications on virtual machines and on App Service Environment. An App Service Environment (ASE) is a Premium service plan option of Azure App Service that provides a fully isolated and dedicated environment for securely running Azure App Service apps. To learn more about ASE, see the App Service Environment documentation. You can protect multiple web applications in Security Center by adding them to your existing WAF deployments. |
| Finalize application protection | To complete the configuration of a WAF, traffic must be rerouted to the WAF appliance. Following this recommendation completes the necessary setup changes. |
| Use the latest supported Node.js version for Web Application | Recommends that you use the latest Node.js version so that you get the latest security fixes and classes. Using older classes and types can leave your application vulnerable. |
| CORS should not allow every resource to access your Function App | Recommends that you allow only the required domains to interact with your function app. Cross-origin resource sharing (CORS) should not allow all domains to access your function app. |
| Use custom domains for Function App | Recommends that you use custom domains to protect a function app from common attacks such as phishing and other DNS-related attacks. |
| Configure IP restrictions for Function App | Recommends that you define the list of IP addresses that are allowed to access your function app. IP restrictions protect a function app from common attacks. |
| Function App should only be accessible over HTTPS | Recommends that you restrict access to the Function App to HTTPS only. |
| Remote debugging should be turned off for Function App | Recommends that you turn off remote debugging for the Function App when you no longer need it. Remote debugging requires inbound ports to be opened on the Function App. |
| Web Sockets should be disabled for Function App | Recommends that you carefully review the use of Web Sockets within Function Apps. The Web Sockets protocol is exposed to several kinds of security threats. |
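The settings the App services table refers to (HTTPS only, Web Sockets, remote debugging, IP restrictions, CORS origins, the WEBSITE_LOAD_CERTIFICATES app setting, custom domains) can be checked offline against exported resource JSON, as can the network security group condition that triggers the WAF recommendation. The script below is an added example, not Security Center's own evaluation logic or any Azure SDK code. It assumes the JSON shapes produced by `az webapp show`, `az webapp config show`, `az webapp config appsettings list` and `az network nsg show` (property names such as httpsOnly, webSocketsEnabled, ipSecurityRestrictions, cors.allowedOrigins and securityRules), ignores NSG rules that use the plural sourceAddressPrefixes field, and every sample resource in it (contoso-web, www.contoso.com, 203.0.113.0/24, web-nsg) is a constructed placeholder.

```python
"""Offline check of the App services recommendations in the table above.
Added example, not Security Center's own evaluation logic: it applies the
table's rules to JSON shaped like the output of `az webapp show`,
`az webapp config show`, `az webapp config appsettings list` and
`az network nsg show`. All sample documents below are constructed."""

WEB_PORTS = {80, 443}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def audit_web_app(site, config, app_settings):
    """Return the titles of the table's recommendations this app triggers."""
    findings = []
    if not site.get("httpsOnly", False):
        findings.append("App Service should only be accessible over HTTPS")
    if config.get("webSocketsEnabled"):
        findings.append("Web Sockets should be disabled for Web Application")
    if config.get("remoteDebuggingEnabled"):
        findings.append("Remote debugging should be turned off")
    # The default restriction list is one "Allow all" entry: no restriction.
    allow_rules = [r for r in config.get("ipSecurityRestrictions") or []
                   if r.get("action", "Allow") == "Allow"
                   and r.get("ipAddress") not in (None, "Any", "0.0.0.0/0")]
    if not allow_rules:
        findings.append("Configure IP restrictions for Web Application")
    if "*" in ((config.get("cors") or {}).get("allowedOrigins") or []):
        findings.append("CORS should not allow every resource to access your application")
    settings = {s["name"]: s.get("value", "") for s in app_settings}
    if settings.get("WEBSITE_LOAD_CERTIFICATES", "").strip() == "*":
        findings.append("Do not allow all ('*') resources to access your application")
    # Only the default *.azurewebsites.net host name bound means no custom domain.
    if all(h.lower().endswith(".azurewebsites.net") for h in site.get("hostNames") or []):
        findings.append("Use custom domains for your Web Application")
    return findings


def _rule_ports(rule):
    """Web ports covered by an NSG rule's destination port range(s)."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    covered = set()
    for r in ranges:
        if r == "*":
            return set(WEB_PORTS)
        lo, _, hi = r.partition("-")
        covered.update(range(int(lo), int(hi or lo) + 1))
    return covered & WEB_PORTS


def exposed_web_ports(nsg):
    """Web ports an Internet source can reach through the NSG, i.e. the condition
    that raises the WAF recommendation. Rules apply in priority order, the first
    match wins, and the implicit DenyAllInBound default applies otherwise.
    Simplification (assumption): rules using sourceAddressPrefixes are ignored."""
    rules = sorted(nsg.get("securityRules") or [], key=lambda r: r["priority"])
    exposed = set()
    for port in WEB_PORTS:
        for rule in rules:
            if rule.get("direction") != "Inbound" or port not in _rule_ports(rule):
                continue
            if rule.get("sourceAddressPrefix") not in INTERNET_SOURCES:
                continue  # rule does not match traffic from the Internet
            if rule.get("access") == "Allow":
                exposed.add(port)
            break  # first matching rule decides for this port
    return exposed


# Constructed sample: a web app in the state the table warns about.
WEAK_SITE = {"name": "contoso-web", "httpsOnly": False,
             "hostNames": ["contoso-web.azurewebsites.net"]}
WEAK_CONFIG = {"webSocketsEnabled": True, "remoteDebuggingEnabled": False,
               "ipSecurityRestrictions": [{"name": "Allow all", "action": "Allow",
                                           "ipAddress": "Any", "priority": 2147483647}],
               "cors": {"allowedOrigins": ["*"]}}
WEAK_APP_SETTINGS = [{"name": "WEBSITE_LOAD_CERTIFICATES", "value": "*"}]

# Constructed sample: the same app after the recommendations are applied.
HARDENED_SITE = {"name": "contoso-web", "httpsOnly": True,
                 "hostNames": ["www.contoso.com", "contoso-web.azurewebsites.net"]}
HARDENED_CONFIG = {"webSocketsEnabled": False, "remoteDebuggingEnabled": False,
                   "ipSecurityRestrictions": [
                       {"name": "office", "action": "Allow", "ipAddress": "203.0.113.0/24", "priority": 100},
                       {"name": "Deny all", "action": "Deny", "ipAddress": "Any", "priority": 2147483647}],
                   "cors": {"allowedOrigins": ["https://www.contoso.com"]}}
HARDENED_APP_SETTINGS = [{"name": "WEBSITE_LOAD_CERTIFICATES",
                          "value": "0123456789ABCDEF0123456789ABCDEF01234567"}]  # placeholder thumbprint

# Constructed sample NSG: 443 is opened explicitly and 80 falls inside a wide
# port range, so both web ports are reachable from the Internet.
WEB_NSG = {"name": "web-nsg", "securityRules": [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-app-range", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "80-8080"},
    {"name": "rdp-from-office", "priority": 120, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"}]}

if __name__ == "__main__":
    print("weak app:", audit_web_app(WEAK_SITE, WEAK_CONFIG, WEAK_APP_SETTINGS))
    print("hardened app:", audit_web_app(HARDENED_SITE, HARDENED_CONFIG, HARDENED_APP_SETTINGS))
    print("web ports open to the Internet:", sorted(exposed_web_ports(WEB_NSG)))
```

Run it against real exports by loading the JSON files you saved from the four `az` commands in place of the constructed constants. The IP-restriction check deliberately treats the default "Allow all" entry as no restriction, and the NSG walk resolves each port independently so that a Deny rule with a lower priority number correctly shadows a later wide Allow range.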

Next steps

To learn more about recommendations that apply to other Azure resource types, see the following:

To learn more about Security Center, see the following articles: