Security Frame: Auditing and Logging | Mitigations

Product/Service and the mitigation articles that apply to it:

  • Dynamics CRM: Identify sensitive entities in your solution and implement change auditing
  • Web Application: Ensure that auditing and logging is enforced on the application; Ensure that log rotation and separation are in place; Ensure that the application does not log sensitive user data; Ensure that Audit and Log Files have Restricted Access; Ensure that User Management Events are Logged; Ensure that the system has inbuilt defenses against misuse; Enable diagnostics logging for web apps in Azure App Service
  • Database: Ensure that login auditing is enabled on SQL Server; Enable Threat detection on Azure SQL
  • Azure Storage: Use Azure Storage Analytics to audit access of Azure Storage
  • WCF: Implement sufficient Logging; Implement sufficient Audit Failure Handling
  • Web API: Ensure that auditing and logging is enforced on Web API
  • IoT Field Gateway: Ensure that appropriate auditing and logging is enforced on Field Gateway
  • IoT Cloud Gateway: Ensure that appropriate auditing and logging is enforced on Cloud Gateway

Identify sensitive entities in your solution and implement change auditing

Component: Dynamics CRM
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Identify the entities in your solution that contain sensitive data and enable change auditing on those entities and on their sensitive fields, so that every create, update and delete of those values is recorded together with who made the change and when.

Ensure that auditing and logging is enforced on the application

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Enable auditing and logging on all components. Audit logs should capture user context: the authenticated identity, the source address, the time, the action taken and its outcome. Identify all important events and log them. Implement centralized logging, so that records from every component end up in one store that an attacker who compromises a single host cannot alter or erase.

Ensure that log rotation and separation are in place

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Log rotation is an automated process, used in system administration, in which log files are periodically closed, renamed (typically with a date or a sequence number) and archived, and logging continues in a fresh file. Servers running large applications often log every request; when logs grow large, rotation bounds their total size on disk while still keeping recent events available for analysis. Rotated files must still be retained, or shipped to the central log store, for as long as your incident response and compliance needs require, rather than simply being deleted.

Log separation means storing log files on a partition separate from the one the OS and application run on. Logging volume is partly attacker-controlled (every request produces log lines), so keeping logs on their own volume prevents a flood of log writes from filling the system disk and causing a denial of service or degrading application performance.

Ensure that the application does not log sensitive user data

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Check that you do not log any sensitive data that a user submits to your site. Check for deliberate logging of such values as well as for side effects caused by design issues, such as logging entire request bodies, query strings or exception objects that happen to carry them. Examples of sensitive data include:

  • User credentials
  • Social Security numbers or other identifying information
  • Credit card numbers or other financial information
  • Health information
  • Private keys or other data that could be used to decrypt encrypted information
  • System or application information that can be used to attack the application more effectively
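The check above is easiest to enforce at the logging layer rather than at every call site. The following is an added example (not code from the original page or from Microsoft) of a Python logging filter that scrubs records before they are written: it masks credential-style key=value pairs, bearer tokens, PEM private keys, Social Security numbers and card numbers (confirmed with a Luhn check so that ordinary long numbers are left alone) in free-form messages, and masks well-known sensitive keys in structured data. The key names and patterns are illustrative assumptions and should be extended to match your own schema.

```python
import io
import logging
import re

# Keys whose values are masked wherever they appear in structured log data
# (illustrative names; extend to match your own schema).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "ssn", "card_number", "private_key"}

# Patterns for sensitive values that leak inside free-form messages.
KV_RE = re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*)[^\s,;]+")
BEARER_RE = re.compile(r"(?i)(authorization:\s*bearer\s+)\S+")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn
# below so that order numbers and timestamps are not masked by mistake.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _mask_card(m: "re.Match") -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)                     # not a card number; leave it
    return "*" * (len(digits) - 4) + digits[-4:]

def redact(text: str) -> str:
    """Mask sensitive values inside a free-form log message."""
    text = PEM_RE.sub("[REDACTED PRIVATE KEY]", text)
    text = BEARER_RE.sub(r"\1[REDACTED]", text)
    text = KV_RE.sub(r"\1\2[REDACTED]", text)
    text = SSN_RE.sub("***-**-****", text)
    return CARD_RE.sub(_mask_card, text)

def redact_mapping(data: dict) -> dict:
    """Mask well-known sensitive keys (case-insensitive) in structured data,
    recursing into nested dicts and scrubbing free-form string values."""
    out = {}
    for key, value in data.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact_mapping(value)
        elif isinstance(value, str):
            out[key] = redact(value)
        else:
            out[key] = value
    return out

class RedactingFilter(logging.Filter):
    """Attached to the handler, so every record is scrubbed before it is
    written, including records emitted by third-party libraries."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format first, then scrub: scrubbing the template could eat a %s
        # placeholder and break formatting later.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def build_logger(stream) -> logging.Logger:
    logger = logging.getLogger("app.redacting")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger

def log_and_capture(message: str, *args) -> str:
    """Log one message through the redacting handler and return what was written."""
    buf = io.StringIO()
    build_logger(buf).info(message, *args)
    return buf.getvalue()

if __name__ == "__main__":
    print(log_and_capture("login for %s password=%s card %s", "bob", "hunter2", "4111 1111 1111 1111"), end="")
    print(log_and_capture("ssn 123-45-6789 order 1234567890123456"), end="")
```

Attach the filter to every handler (not only to the logger), because handlers see records propagated from child loggers and from libraries you do not control; a filter on one logger object misses those.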

Ensure that Audit and Log Files have Restricted Access

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Check that access rights to log files are set appropriately, and verify the Windows ACLs on the log files to confirm they are properly restricted:

  • Application accounts should have write-only access (ideally append-only, so that a compromised application process can neither read earlier entries nor rewrite them)
  • Operators and support personnel should have read-only access, granted only as needed
  • Administrator accounts are the only accounts that should have full access

Ensure that User Management Events are Logged

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Ensure that the application records user management events such as successful and failed logins, password resets, password changes, account lockouts and user registrations. Each record should identify the account affected, the actor that triggered the event, the source address and the outcome. Doing this helps to detect and react to potentially suspicious behaviour, such as a burst of failed logins followed by a success or a password reset. It also provides operational data, for example to track who is accessing the application.
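The following is an added example (not code from the original page or from Microsoft) of an audit logger that ties together three of the mitigations above: it records the user management events listed here with mandatory user context (actor and source address), writes one JSON object per line so a central collector can ship the records, and rotates the file by size in a directory that is assumed to sit on its own partition. The event names, field names and rotation thresholds are illustrative assumptions; the demo writes into a temporary directory with a deliberately tiny rotation threshold so the rotation is visible.

```python
import json
import logging
import os
import tempfile
import uuid
from datetime import datetime, timezone
from logging.handlers import RotatingFileHandler
from typing import Optional

# Events the guidance above says must always be recorded.
USER_MANAGEMENT_EVENTS = {
    "login_success", "login_failure", "password_reset", "password_change",
    "account_lockout", "user_registration",
}

class AuditLogger:
    """One JSON object per line (easy for a central collector to ship), with
    size-based rotation and mandatory user context on every event."""

    def __init__(self, log_dir: str, max_bytes: int = 10 * 1024 * 1024, backups: int = 10):
        # log_dir is assumed to be on a partition separate from the OS/app volume,
        # so a flood of events cannot fill the disk the application runs from.
        os.makedirs(log_dir, exist_ok=True)
        self.path = os.path.join(log_dir, "audit.log")
        self._handler = RotatingFileHandler(self.path, maxBytes=max_bytes, backupCount=backups)
        self._handler.setFormatter(logging.Formatter("%(message)s"))
        self._logger = logging.getLogger(f"audit.{uuid.uuid4().hex}")  # unique per instance
        self._logger.setLevel(logging.INFO)
        self._logger.propagate = False      # never leak audit records into app logs
        self._logger.addHandler(self._handler)

    def record(self, event: str, actor: str, source_ip: str, outcome: str,
               target: Optional[str] = None, **details) -> dict:
        """Append one audit event. Raises if user context is missing, so the
        omission is caught in development rather than discovered during an incident."""
        if event not in USER_MANAGEMENT_EVENTS:
            raise ValueError(f"unknown audit event type: {event}")
        if not actor or not source_ip:
            raise ValueError("audit events must carry user context (actor, source_ip)")
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
            "event": event,
            "actor": actor,              # who performed the action
            "source_ip": source_ip,      # where they came from
            "target": target or actor,   # whose account was affected
            "outcome": outcome,
            "details": details,          # never put credentials or secrets here
        }
        self._logger.info(json.dumps(entry, sort_keys=True, separators=(",", ":")))
        return entry

    def close(self) -> None:
        self._handler.close()
        self._logger.removeHandler(self._handler)

def read_events(path: str) -> list:
    """Parse the current audit file back into dicts (what a collector would do)."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]

def run_demo(max_bytes: int = 400) -> tuple:
    """Write a handful of events with a tiny rotation threshold and return
    (events_written, files_created, events_in_current_file, rejected_missing_context)."""
    with tempfile.TemporaryDirectory() as log_dir:
        audit = AuditLogger(log_dir, max_bytes=max_bytes, backups=3)
        written = [
            audit.record("user_registration", "alice", "203.0.113.7", "success"),
            audit.record("login_failure", "alice", "203.0.113.7", "failure", reason="bad_password"),
            audit.record("login_failure", "alice", "203.0.113.7", "failure", reason="bad_password"),
            audit.record("account_lockout", "system", "127.0.0.1", "success", target="alice"),
            audit.record("password_reset", "helpdesk", "10.0.0.5", "success", target="alice"),
        ]
        try:
            audit.record("login_failure", "alice", "", "failure")   # no source address
            rejected = False
        except ValueError:
            rejected = True
        audit.close()
        files = sorted(os.listdir(log_dir))
        current = read_events(audit.path)
    return written, files, current, rejected

if __name__ == "__main__":
    events, files, current, rejected = run_demo()
    print(f"{len(events)} events written; files: {files}; {len(current)} in current file; "
          f"missing-context event rejected: {rejected}")
```

In production the rotated files would be picked up by the log shipper before `backupCount` files are overwritten; the retention on the central store, not the local backup count, is what determines how far back an investigation can look.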

Ensure that the system has inbuilt defenses against misuse

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Controls should be in place that raise a security exception when the application is misused, so that the event is logged and acted upon rather than being treated as an ordinary user error. For example, if input validation is in place and an attacker submits input that does not match the validation regex, a security exception can be raised, which can be indicative of system misuse.

It is recommended to log security exceptions and take action (rate limiting, lockout, alerting) for at least the following:

  • Input validation failures
  • CSRF violations
  • Brute force (an upper limit on the number of requests per user per resource)
  • File upload violations
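The following is an added example (not code from the original page or from Microsoft) of how the four checks in that list can be routed through one misuse monitor that records a security event and raises a dedicated exception type. The brute-force check is a sliding-window upper limit per (user, resource); the username pattern, the upload allow-list and all thresholds are illustrative assumptions, and the clock is injectable so the scenario is reproducible.

```python
import hmac
import os
import re
import time
from collections import defaultdict, deque

class SecurityException(Exception):
    """Raised when a request looks like deliberate misuse rather than a user
    mistake. Callers log it as a security event and return a generic error."""

# Allow-list pattern for a valid username (illustrative; one pattern per field).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

class MisuseMonitor:
    """Central place where misuse is detected, recorded and turned into a
    SecurityException. Thresholds are illustrative; tune them per endpoint."""

    def __init__(self, limit: int = 5, window_seconds: float = 60.0, clock=time.monotonic):
        self.limit = limit                       # max requests per user per resource
        self.window = window_seconds             # sliding window length
        self.clock = clock                       # injectable for tests
        self._hits = defaultdict(deque)          # (user, resource) -> request times
        self.security_events = []                # what would be sent to the audit log

    def _violation(self, kind: str, user: str, resource: str, **info) -> None:
        event = {"kind": kind, "user": user, "resource": resource, "at": self.clock(), **info}
        self.security_events.append(event)
        raise SecurityException(f"{kind}: user={user!r} resource={resource!r}")

    def check_rate(self, user: str, resource: str) -> None:
        """Brute-force control: an upper limit on requests per user per resource."""
        now = self.clock()
        times = self._hits[(user, resource)]
        while times and now - times[0] > self.window:
            times.popleft()                      # drop hits outside the window
        times.append(now)
        if len(times) > self.limit:
            self._violation("brute_force", user, resource, count=len(times), window=self.window)

    def validate_username(self, user: str, value: str) -> str:
        """Input validation: reject anything outside the allow-list pattern.
        The raw value is deliberately not copied into the event."""
        if not USERNAME_RE.fullmatch(value):
            self._violation("input_validation", user, "username", length=len(value))
        return value

    def check_csrf(self, user: str, resource: str, session_token: str, submitted: str) -> None:
        """CSRF: the token in the form must equal the one bound to the session."""
        if not submitted or not hmac.compare_digest(session_token, submitted):
            self._violation("csrf_violation", user, resource)

    def check_upload(self, user: str, filename: str, size: int,
                     allowed=(".png", ".jpg", ".pdf"), max_size=5 * 1024 * 1024) -> None:
        """File upload: extension allow-list, size cap, and no path tricks."""
        base = os.path.basename(filename)
        ext = os.path.splitext(base)[1].lower()
        if base != filename or "\x00" in filename or ext not in allowed or size > max_size:
            self._violation("file_upload_violation", user, "upload", extension=ext, size=size)

class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""
    def __init__(self, start: float = 1000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

def run_scenarios() -> list:
    """Drive the monitor through one example of each misuse type and return
    the kinds of security events it raised, in order."""
    clock = FakeClock()
    mon = MisuseMonitor(limit=3, window_seconds=60, clock=clock)
    attempts = [
        lambda: [mon.check_rate("bob", "/login") for _ in range(4)],   # 4th exceeds limit 3
        lambda: mon.validate_username("bob", "admin'--"),
        lambda: mon.check_csrf("bob", "/transfer", "s3ss10n", "forged"),
        lambda: mon.check_upload("bob", "../shell.php", 1024),
    ]
    for attempt in attempts:
        try:
            attempt()
        except SecurityException:
            pass
    # Once the window has passed, the same user may try again without tripping the limit.
    clock.advance(61)
    mon.check_rate("bob", "/login")
    return [e["kind"] for e in mon.security_events]

if __name__ == "__main__":
    print(run_scenarios())
```

Keeping the raw rejected input out of the event matters: the attacker chose that value, and copying it into the log is how log-injection and stored-XSS-in-the-log-viewer problems start. Record what is safe (length, field name, user, resource) and keep the raw payload, if you need it, in a separate quarantined store.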

Enable diagnostics logging for web apps in Azure App Service

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: EnvironmentType - Azure
References: N/A
Steps:

Azure provides built-in diagnostics to assist with debugging an App Service web app; the same facility applies to API apps and mobile apps. App Service web apps provide diagnostic functionality for logging information from both the web server and the web application.

These are logically separated into web server diagnostics (detailed error messages, failed request tracing and web server logging) and application diagnostics (the trace output the application itself writes).

Ensure that login auditing is enabled on SQL Server

Component: Database
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: Configure Login Auditing
Steps:

Database server login auditing must be enabled to detect and confirm password-guessing attacks. It is essential to capture failed login attempts; capturing both successful and failed attempts provides additional benefit during forensic investigations, because it shows whether a burst of failures from a client was eventually followed by a success.
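Once login auditing is on, the entries land in the SQL Server error log and can be analysed offline. The following is an added example (not code from the original page or from Microsoft) of detection logic run over a constructed sample of error-log lines in the shape SQL Server uses for login audit entries (`Login failed for user '...'. Reason: ... [CLIENT: ip]`, with the `Error: 18456` companion lines skipped). It flags a client that fails repeatedly against one login, a client that tries many different logins (spraying), and a success that follows a burst of failures from the same client. The success lines only appear when auditing is set to record both failed and successful logins; the thresholds and the sample data are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape SQL Server writes login audit entries to its
# ERRORLOG (the "Error: 18456 ..." companion lines are skipped by the parser).
SAMPLE_ERRORLOG = """\
2024-03-01 09:15:02.41 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-03-01 09:15:21.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-03-01 09:15:44.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-03-01 09:16:10.02 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
2024-03-01 09:16:12.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-03-01 09:16:25.58 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
2024-03-01 09:16:40.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-03-01 09:17:01.77 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]
2024-03-01 09:20:00.10 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2024-03-01 09:20:09.44 Logon       Login failed for user 'sqladmin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2024-03-01 09:20:18.61 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2024-03-01 09:20:27.05 Logon       Login failed for user 'svc_etl'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2024-03-01 09:20:36.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'\.(?P<rest>.*)"
    r"\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)
REASON_RE = re.compile(r"Reason: (.*?)\s*$")

def parse_errorlog(text: str) -> list:
    """Turn login audit lines into events; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = REASON_RE.search(m["rest"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "result": m["result"],
            "user": m["user"],
            "client": m["client"],
            "reason": reason.group(1) if reason else "",
        })
    return events

def detect_password_guessing(events: list, threshold: int = 5, window=timedelta(minutes=5)) -> list:
    """Per client address, keep a sliding window of failures and raise three kinds
    of alert: brute_force (>= threshold failures against one login), password_spray
    (>= threshold distinct logins tried) and success_after_failures (a success while
    the failure window is still hot)."""
    alerts = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()          # failures inside the window
        flagged = set()           # alert once per client per type
        for e in evs:
            while recent and e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if e["result"] == "failed":
                recent.append(e)
                per_user = Counter(f["user"] for f in recent)
                user, count = per_user.most_common(1)[0]
                if count >= threshold and "brute_force" not in flagged:
                    flagged.add("brute_force")
                    alerts.append({"type": "brute_force", "client": client, "user": user,
                                   "failures": count, "at": e["ts"]})
                if len(per_user) >= threshold and "password_spray" not in flagged:
                    flagged.add("password_spray")
                    alerts.append({"type": "password_spray", "client": client,
                                   "users": sorted(per_user), "at": e["ts"]})
            elif len(recent) >= threshold:
                alerts.append({"type": "success_after_failures", "client": client,
                               "user": e["user"], "prior_failures": len(recent), "at": e["ts"]})
    return alerts

def analyse(text: str = SAMPLE_ERRORLOG) -> list:
    return detect_password_guessing(parse_errorlog(text))

if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

The `success_after_failures` alert is the one worth paging on: a client that guessed wrong many times and then got in has most likely found a valid password, and the account should be treated as compromised until proven otherwise.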

Enable Threat detection on Azure SQL

Component: Database
SDL Phase: Build
Applicable Technologies: SQL Azure
Attributes: SQL Version - V12
References: Get Started with SQL Database Threat Detection
Steps:

Threat Detection detects anomalous database activities that indicate potential security threats to the database. It provides an additional layer of security by raising security alerts on anomalous activity, enabling customers to detect and respond to potential threats as they occur.

Users can explore the suspicious events using Azure SQL Database Auditing to determine whether they result from an attempt to access, breach or exploit data in the database.

Threat Detection makes it simple to address potential threats to the database without the need to be a security expert or to operate an advanced security monitoring system.

Use Azure Storage Analytics to audit access of Azure Storage

Component: Azure Storage
SDL Phase: Deployment
Applicable Technologies: Generic
Attributes: N/A
References: Using Storage Analytics to monitor authorization type
Steps:

For each storage account, you can enable Azure Storage Analytics to log requests and store metrics data. The storage analytics logs record, for every request, information such as the operation, the requester's address and the authentication method used (shared key, shared access signature or anonymous).

This is very useful when you are tightly controlling access to storage. For example, in Blob Storage you can set all containers to private and have your applications access blobs only through shared access signatures (SAS). You can then check the logs regularly for requests authenticated with the storage account keys, which may indicate that a key has leaked, and for anonymous requests that succeed, which mean a blob is public when it should not be.
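The following is an added example (not code from the original page or from Microsoft) of that regular check run over constructed sample lines in the semicolon-delimited Storage Analytics log format 1.0. The field positions up to `requester-ip-address` are assumed from the documented layout (later fields are not needed and are omitted from the sample); the allow-list of hosts permitted to use the account key, the account name and the addresses are illustrative. It reports every account-key request from a host not on the allow-list and every anonymous request that succeeded, and counts requests by authentication type.

```python
import csv
from collections import Counter

# Field order of the Storage Analytics log format 1.0 (first 16 of its fields;
# positions assumed from the documented layout, later fields are not needed here).
FIELDS = ["version", "start_time", "operation", "status", "http_status", "e2e_latency_ms",
          "server_latency_ms", "auth_type", "requester_account", "owner_account", "service",
          "request_url", "object_key", "request_id", "op_count", "requester_ip"]

# Hosts allowed to use the storage account key (ops tooling); everything else
# is expected to use SAS. Illustrative addresses.
ACCOUNT_KEY_ALLOWED_IPS = {"10.0.0.2"}

# Constructed sample lines in the 1.0 layout, truncated after requester-ip.
SAMPLE_LOG = """\
1.0;2024-03-01T09:15:02.1234567Z;GetBlob;SASSuccess;200;17;16;sas;;contoso;blob;"https://contoso.blob.core.windows.net/invoices/2024/0001.pdf";"/contoso/invoices/2024/0001.pdf";a84aa705-8a85-48c5-b064-b43bd22979c3;0;10.0.0.12:4362
1.0;2024-03-01T09:15:09.9876543Z;GetBlob;AnonymousSuccess;200;12;11;anonymous;;contoso;blob;"https://contoso.blob.core.windows.net/invoices/2024/0002.pdf";"/contoso/invoices/2024/0002.pdf";2f1c7d2a-5b4e-4c3a-9d1e-0f8a7b6c5d4e;0;198.51.100.77:51023
1.0;2024-03-01T09:16:40.0000000Z;ListBlobs;Success;200;25;24;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/invoices?restype=container&comp=list";"/contoso/invoices";6b5a4c3d-2e1f-4a0b-8c7d-9e8f7a6b5c4d;0;198.51.100.23:4001
1.0;2024-03-01T09:17:15.5000000Z;PutBlob;Success;201;30;28;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/backups/db.bak";"/contoso/backups/db.bak";0c9d8e7f-6a5b-4c3d-8e2f-1a0b9c8d7e6f;0;10.0.0.2:55110
1.0;2024-03-01T09:18:02.2500000Z;GetBlob;AuthorizationError;404;5;4;anonymous;;contoso;blob;"https://contoso.blob.core.windows.net/private/secret.txt";"/contoso/private/secret.txt";9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b;0;198.51.100.77:51030
"""

def parse_line(line: str) -> dict:
    """Split one log line (quoted, semicolon-delimited) into named fields."""
    row = next(csv.reader([line], delimiter=";"))
    rec = dict(zip(FIELDS, row))
    rec["requester_ip"] = rec["requester_ip"].rsplit(":", 1)[0]   # strip port (IPv4 form assumed)
    parts = rec["object_key"].strip("/").split("/")                # /account/container/blob
    rec["container"] = parts[1] if len(parts) > 1 else ""
    return rec

def audit(log_text: str, allowed_key_ips=ACCOUNT_KEY_ALLOWED_IPS) -> tuple:
    """Return (findings, requests_by_auth_type) for one batch of log lines."""
    findings = []
    by_auth = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_auth[rec["auth_type"]] += 1
        succeeded = rec["http_status"].startswith("2")
        if rec["auth_type"] == "authenticated" and rec["requester_ip"] not in allowed_key_ips:
            # Shared-key request from a host that should only hold SAS tokens:
            # the account key may have leaked into application code or config.
            findings.append({"issue": "account_key_used", "ip": rec["requester_ip"],
                             "operation": rec["operation"], "container": rec["container"],
                             "at": rec["start_time"]})
        elif rec["auth_type"] == "anonymous" and succeeded:
            # Anonymous success means the container or blob is publicly readable.
            findings.append({"issue": "public_access_succeeded", "ip": rec["requester_ip"],
                             "operation": rec["operation"], "container": rec["container"],
                             "at": rec["start_time"]})
    return findings, by_auth

if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG)
    print(dict(counts))
    for f in found:
        print(f)
```

An anonymous request that fails (the 404 on the private container above) is not a finding by itself, but a steady stream of them from one address is worth a look, since it is what enumeration of container and blob names looks like.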

Implement sufficient Logging

Component: WCF
SDL Phase: Build
Applicable Technologies: .NET Framework
Attributes: N/A
References: MSDN, Fortify Kingdom
Steps:

The lack of a proper audit trail after a security incident can hamper forensic efforts. Windows Communication Foundation (WCF) offers the ability to log successful and/or failed authentication attempts.

Logging failed authentication attempts can warn administrators of potential brute-force attacks. Similarly, logging successful authentication events provides a useful audit trail when a legitimate account is compromised. Enable WCF's service security audit feature.

Example

The following is an example configuration with auditing enabled. With auditLogLocation="Default", WCF writes to the Security log where the platform supports it and to the Application log otherwise; writing to the Security log requires the service account to hold the SeAuditPrivilege (Generate security audits), so on a host where it does not, use auditLogLocation="Application" or the audit writes will fail.

    <system.serviceModel>
        <behaviors>
            <serviceBehaviors>
                <behavior name="NewBehavior">
                    <serviceSecurityAudit auditLogLocation="Default"
                                          suppressAuditFailure="false"
                                          serviceAuthorizationAuditLevel="SuccessAndFailure"
                                          messageAuthenticationAuditLevel="SuccessAndFailure" />
                    ...
                </behavior>
            </serviceBehaviors>
        </behaviors>
    </system.serviceModel>
    

Implement sufficient Audit Failure Handling

Component: WCF
SDL Phase: Build
Applicable Technologies: .NET Framework
Attributes: N/A
References: MSDN, Fortify Kingdom
Steps:

The weakness: the solution is configured not to raise an exception when it fails to write to an audit log. If WCF is configured this way, the program is never told that the write failed, and auditing of critical security events may silently stop.

Example

The <behavior/> element of the WCF configuration file below instructs WCF not to notify the application when it fails to write to an audit log (suppressAuditFailure="true"). It also records only successes, so failed authentication and authorization attempts are never written at all.

    <behaviors>
        <serviceBehaviors>
            <behavior name="NewBehavior">
                <serviceSecurityAudit auditLogLocation="Application"
                                      suppressAuditFailure="true"
                                      serviceAuthorizationAuditLevel="Success"
                                      messageAuthenticationAuditLevel="Success" />
            </behavior>
        </serviceBehaviors>
    </behaviors>

Configure WCF to notify the program whenever it is unable to write to an audit log (suppressAuditFailure="false"). Because a failed audit write then faults the operation, the program should also have an alternative notification scheme in place to alert the organization that audit trails are not being maintained, rather than merely surfacing a fault to the client.

Ensure that auditing and logging is enforced on Web API

Component: Web API
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Enable auditing and logging on Web APIs. Audit logs should capture user context (the authenticated caller, the source address, the time, the operation and its outcome). Identify all important events and log them. Implement centralized logging so that API records can be correlated with those of the other components.

Ensure that appropriate auditing and logging is enforced on Field Gateway

Component: IoT Field Gateway
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

When multiple devices connect to a Field Gateway, ensure that connection attempts and authentication status (success or failure) for each individual device are logged and retained on the Field Gateway.

Also, where the Field Gateway holds the IoT Hub credentials for individual devices, ensure that each retrieval of those credentials is audited (which device's credential, by which component, when). Develop a process to periodically upload the logs to Azure IoT Hub or to storage for long-term retention, so that a compromised or physically stolen gateway does not take its only audit trail with it.

Ensure that appropriate auditing and logging is enforced on Cloud Gateway

Component: IoT Cloud Gateway
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: Introduction to IoT Hub operations monitoring
Steps:

Design for collecting and storing the audit data gathered through IoT Hub Operations Monitoring. Enable the following monitoring categories:

  • Device identity operations
  • Device-to-cloud communications
  • Cloud-to-device communications
  • Connections
  • File uploads