Protect at the Front Door

Traditional security solutions used to be enough to protect your business. But that was before the mobility industry grew, which created a larger attack landscape, and the transition to the cloud made employees' interactions with other users, devices, apps, and data more complex. To truly protect your business now, you need to take a more holistic and innovative approach to security, one that can protect, detect, and respond to threats of all kinds on-premises as well as in the cloud.

In more than 63 percent of data breaches, attackers gain corporate network access through weak, default, or stolen user credentials. Microsoft Identity-Driven Security focuses on user credentials, slamming the door shut on credential theft by managing and protecting your identities, including your privileged and non-privileged identities.

How can Enterprise Mobility + Security help you?

The Enterprise Mobility + Security (EMS) security approach starts with one protected common identity for secure access to all corporate resources on-premises and in the cloud, with risk-based conditional access. By using this approach, IT can safeguard the company's resources at the front door with innovative and advanced risk-based conditional access. EMS provides one protected common identity for accessing thousands of apps, which helps IT manage and protect privileged identities.

To address the requirements of this scenario, EMS uses Azure AD Identity Protection and Azure AD Privileged Identity Management. By implementing these technologies, organizations will be able to:

  • Gain insights from a consolidated view of machine learning-based threat detection
  • Remediate based on recommendations
  • Perform risk severity calculation
  • Perform risk-based conditional access automatically to protect against suspicious logins and compromised credentials
  • Enforce on-demand, just-in-time administrative access when needed
  • Use Alerts, Audit Reports, and Access Review

The following diagram summarizes the capabilities involved in this scenario and how they are used to protect your resources:

(Image: Protect your resources)

How to implement this solution

Follow these steps to implement Azure AD Identity Protection and Azure AD Privileged Identity Management:

  • Step 1: Enable Azure AD Identity Protection
  • Step 2: Configure Azure AD Identity Protection
  • Step 3: Monitor access to resources
  • Step 4: Enable Azure AD Privileged Identity Management
  • Step 5: Configure Azure AD Privileged Identity Management
  • Step 6: Privileged Identity Management operations

How to Protect your Resources at the Front Door

Different organizations will have different perceptions regarding incident priority. What is critical for one line of business might not be for another. For this reason, you should first learn how Azure AD Identity Protection categorizes the risk level, which is an indication (High, Medium, or Low) of the severity of a risk event. Azure AD Identity Protection also evaluates the likelihood that a user's identity was compromised and assigns its own risk level, called the user risk level. Azure AD Identity Protection will identify a vulnerability and assign a risk level to it. There are different types of risks, and each one is ranked according to its criticality. Follow steps 1 to 3 to enable, implement, and monitor resources using Azure AD Identity Protection.

The second stage of this solution (steps 4 to 6) will implement Azure Active Directory (AD) Privileged Identity Management to discover, restrict, and monitor privileged identities. Organizations using Azure can assign roles in Azure AD, and Azure AD Privileged Identity Management is able to manage some of these roles.

Step 1: Enable Azure AD Identity Protection

Before implementing this solution, ensure that an Azure AD Premium license is assigned to the end user. If you are using a federated domain and you want a password change enforced in the cloud to be written back on-premises, you need to enable password writeback. After reviewing these requirements, enable Azure AD Identity Protection by installing it from the Marketplace. After finishing this installation, you will have access to the Azure AD Identity Protection dashboard, which may appear empty as shown in the following image.

(Image: Azure AD Identity Protection dashboard)

Step 2: Configure Azure AD Identity Protection

When planning to implement Azure AD Identity Protection, you must start by defining the following policies:

These policies are located in the Azure AD Identity Protection dashboard, under the Configure section, as shown in the following screen:

(Image: Policies)

In addition to configuring security policies, you can also customize which users will receive alerts. Use the Alerts option under the Settings section in the Azure AD Identity Protection dashboard, as shown in the following image:

(Image: Alerts)

Notice that in this configuration, these users will receive alerts only if the user risk level is High.

Step 3: Monitor and remediate

Continuous monitoring is an integral part of any secure operations. By using the Azure AD Identity Protection investigation capabilities, IT gains insights from a consolidated view of machine learning-based threat detection, with notifications and remediation recommendations. You can use the Azure AD Identity Protection dashboard to quickly assess your current environment and easily identify issues that should be addressed according to their criticality. Or you can narrow your investigation to the following areas, located under the Investigate section of the Azure AD Identity Protection dashboard:

(Image: Investigate)

Upon investigation of each one of those areas, administrators can take actions to mitigate users at risk, or to mitigate sign-in events. For example, if you identify a security event such as impossible travel to atypical locations (the second event in the following screen), you can take actions to remediate this threat, for example by forcing the password to be reset.

(Image: Risk events)

You can also use the Azure AD Premium access and usage reports to obtain more information regarding a user's behavior and potential threats.
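As an added illustration (not code from this Microsoft page), the following routine applies the policy described in Steps 2 and 3 to a constructed batch of risk events: it rolls each user's events up to a user risk level, raises an alert only when that level is High, and recommends a forced password reset for the impossible-travel case. The event field names and remediation table are this example's own assumptions, not the Identity Protection export format.

```python
from collections import defaultdict

# Risk level ordering used by Azure AD Identity Protection (High > Medium > Low).
RISK_ORDER = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample: risk events for two users. Field names are assumptions
# chosen for this example, not the Identity Protection export schema.
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "type": "Sign-in from anonymous IP", "risk": "Medium"},
    {"user": "alice@contoso.example", "type": "Impossible travel to atypical locations", "risk": "High"},
    {"user": "bob@contoso.example",   "type": "Sign-in from unfamiliar location", "risk": "Low"},
]

# Remediation recommended per event type (example mapping). It follows the
# page's example that an impossible-travel event is remediated by forcing a
# password reset; the other entries are this example's own choices.
REMEDIATION = {
    "Impossible travel to atypical locations": "force password reset",
    "Sign-in from anonymous IP": "require MFA on next sign-in",
    "Sign-in from unfamiliar location": "monitor",
}

def user_risk_level(events):
    """Roll a user's events up to a single level: the highest-ranked event wins."""
    return max(events, key=lambda e: RISK_ORDER[e["risk"]])["risk"]

def triage(events, alert_threshold="High"):
    """Group events by user, compute the user risk level and decide alert/remediation.

    Alerts fire only when the user's risk level is at or above alert_threshold,
    matching the alert setting shown in Step 2 (alerts only for High user risk).
    """
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    report = {}
    for user, evs in per_user.items():
        level = user_risk_level(evs)
        # One recommended action per distinct event type; sorted for stable output.
        actions = sorted({REMEDIATION.get(e["type"], "investigate") for e in evs})
        report[user] = {
            "user_risk_level": level,
            "alert": RISK_ORDER[level] >= RISK_ORDER[alert_threshold],
            "actions": actions,
        }
    return report

if __name__ == "__main__":
    for user, result in triage(SAMPLE_EVENTS).items():
        print(user, result)
```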

Step 4: Enable Azure AD Privileged Identity Management

To have access to Azure AD Privileged Identity Management, you must first install it from the Marketplace. Azure AD Privileged Identity Management and Azure Multi-Factor Authentication (MFA) work together to help IT manage access to secure applications and services. After installing Azure AD Privileged Identity Management, a test is run to verify whether you are able to use MFA. When you click the option to verify your account, you are redirected to a web page where you need to type your credentials. If your account is not MFA enabled yet, you will see a message similar to the following screen:

(Image: Sign-in screen)

Click Set it up now and follow the wizard. You need to type your mobile or telephone number for verification purposes. Once you finish this wizard, you will see the verification completed message:

(Image: Verification)

Step 5: Configure Azure AD Privileged Identity Management

The initial configuration is performed using a Security Wizard, which has three stages, as shown in the Protect your organization blade:

(Image: Security Wizard)

In the first stage you review the privileged roles that were discovered by Azure AD Privileged Identity Management. The second stage is intended to reduce the number of users in your organization who have permanent privileged role assignments, which directly minimizes your exposure to security breaches. The last stage allows you to review the changes to your users in privileged roles.

If during this process you granted another user an administrative role, you made that user eligible for that role, which means that the role can be activated when the user needs to perform a task that requires it.

Step 6: Privileged Identity Management operations

Now that you have Azure AD Privileged Identity Management installed and configured, you can perform the initial assessment to verify your current role schema and alerts. In the Privileged Identity Management blade, click Manage privileged roles and you will see a dashboard similar to the following image:

(Image: Privileged roles)

In this dashboard, you can see the current activity, such as security alerts and access reviews. You can also use this dashboard to add or remove one or more users' access to Azure AD Privileged Identity Management.
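As an added example (not code from this page or from the PIM service), the following script models the two ideas behind Steps 5 and 6: the Security Wizard's review of permanent versus eligible privileged role assignments, and the time-bound, MFA-gated activation of an eligible role. The assignment records are constructed and their field names are this example's own, not the PIM schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of directory role assignments. Field names are this
# example's own assumptions, not the Azure AD PIM data model.
SAMPLE_ASSIGNMENTS = [
    {"user": "alice@contoso.example", "role": "Global Administrator", "permanent": True},
    {"user": "bob@contoso.example",   "role": "Global Administrator", "permanent": False},
    {"user": "carol@contoso.example", "role": "Security Administrator", "permanent": True},
    {"user": "dave@contoso.example",  "role": "Billing Administrator", "permanent": False},
]

def review_permanent_assignments(assignments):
    """Stage 2 of the Security Wizard, in code: list the permanent assignments that
    should be converted to eligible (just-in-time) assignments, grouped by role."""
    findings = {}
    for a in assignments:
        if a["permanent"]:
            findings.setdefault(a["role"], []).append(a["user"])
    return findings

def activation_denial(assignments, user, role, mfa_verified):
    """Return None if the user may activate the role, otherwise the reason for denial.

    Activation requires an eligible (non-permanent) assignment and a completed
    MFA verification, mirroring how PIM pairs activation with Azure MFA.
    """
    eligible = any(a["user"] == user and a["role"] == role and not a["permanent"]
                   for a in assignments)
    if not eligible:
        return f"{user} is not eligible for {role}"
    if not mfa_verified:
        return "MFA verification required before activation"
    return None

def activate_role(assignments, user, role, mfa_verified, now=None, hours=1):
    """Activate an eligible role for a bounded window and return the activation record."""
    reason = activation_denial(assignments, user, role, mfa_verified)
    if reason:
        raise PermissionError(reason)
    now = now or datetime.now(timezone.utc)
    return {"user": user, "role": role,
            "activated_at": now, "expires_at": now + timedelta(hours=hours)}

def is_active(activation, at):
    """True only while the activation window is open; the role lapses afterwards."""
    return activation["activated_at"] <= at < activation["expires_at"]
```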