Secure SharePoint Online sites and files

This article provides recommendations for configuring SharePoint Online team sites and file protection that balance security with ease of collaboration. It defines four different configurations, starting with a public site within your organization that has the most open sharing policies. Each additional configuration represents a meaningful step up in protection, but the ability to access and collaborate on resources is reduced to a narrower set of users.

Use these recommendations as a starting point and adjust the configurations to meet the needs of your organization.

The configurations in this article align with Microsoft's recommendations for three tiers of protection for data, identities, and devices:

  • Baseline protection
  • Sensitive protection
  • Highly confidential protection

For more information about these tiers and the capabilities recommended for each tier, see the following resources.

Capability overview

Recommendations for SharePoint Online team sites draw on a variety of Office 365 capabilities. For highly confidential sites, Azure Information Protection is recommended; it is included in Enterprise Mobility + Security (EMS).

This diagram shows the recommended configurations for four SharePoint Online team sites.

Figure: Recommended SharePoint configurations

As illustrated:

  • Baseline protection includes two options for SharePoint Online team sites: a public site and a private site. Public sites can be discovered and accessed by anybody in the organization. Private sites can only be discovered and accessed by members of the site. Both of these site configurations allow sharing outside the group.
  • Sites for sensitive and highly confidential protection are private sites with access limited to members of specific groups.
  • Office 365 labels provide a way to classify data according to the protection level it needs. Each of the SharePoint Online team sites is configured to automatically label files in its document libraries with a default label for the site. Corresponding to the four site configurations, the labels in this example are Internal Public, Private, Sensitive, and Highly Confidential. Users can change the labels, but this configuration ensures that all files receive a default label.
  • Data loss prevention (DLP) policies are configured for the Sensitive and Highly Confidential Office 365 labels to either warn or block users when they attempt to send these types of files outside the organization.
  • For sites configured with highly confidential protection, Azure Information Protection encrypts files and grants permissions to them.

Tenant-wide settings for SharePoint Online and OneDrive for Business

SharePoint Online and OneDrive for Business include tenant-wide settings that affect all sites and users. Some of these settings can also be adjusted at the site level to be more restrictive (but not less). This section discusses the tenant-wide settings that affect security and collaboration.

Sharing

For this solution, we recommend the following tenant-wide settings:

  • Keep the default sharing policy that allows sharing with all account types, including anonymous sharing.
  • Set anonymous links to expire, if desired.
  • Change the default link type for sharing to Internal. This helps prevent accidental data leakage outside your organization.
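The three tenant-wide sharing settings above, applied with the SharePoint Online Management Shell. This is an added example, not code from the original article; the admin URL is a placeholder for your tenant, and the 30-day anonymous link expiry is an assumed value, since the article only says to set an expiry "if desired".

```powershell
# Added example (not from the original article): apply the three tenant-wide
# sharing recommendations with the SharePoint Online Management Shell.
# Assumptions: the module is installed, you are a SharePoint administrator,
# and the admin URL below is a placeholder for your own tenant.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Record the current values so the change can be reviewed or rolled back.
$before = Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
$before

# 1. Keep the default sharing policy: external users and anonymous links allowed.
# 2. Expire anonymous links after 30 days (assumed value; choose your own).
# 3. Make Internal the default link type, so a link created without thinking
#    only works for people inside the organization.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -RequireAnonymousLinksExpireInDays 30 `
              -DefaultSharingLinkType Internal

# Verify that the settings took effect rather than trusting the call succeeded.
$after = Get-SPOTenant
if ($after.DefaultSharingLinkType -ne "Internal") {
    throw "DefaultSharingLinkType is $($after.DefaultSharingLinkType); expected Internal"
}
if ($after.RequireAnonymousLinksExpireInDays -ne 30) {
    throw "Anonymous link expiry is $($after.RequireAnonymousLinksExpireInDays) days; expected 30"
}
$after | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
```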

While it might seem counterintuitive to allow external sharing, this approach provides more control over file sharing than sending files in email. SharePoint Online and Outlook work together to provide secure collaboration on files.

  • By default, Outlook shares a link to a file instead of sending the file in email.
  • SharePoint Online and OneDrive for Business make it easy to share links to files with contributors both inside and outside your organization.

You also have controls to help govern external sharing. For example, you can:

  • Disable an anonymous guest link.
  • Revoke a user's access to a site.
  • See who has access to a specific site or document.
  • Set anonymous sharing links to expire (tenant setting).
  • Limit who can share outside your organization (tenant setting).

Use external sharing together with data loss prevention (DLP)

If you don't allow external sharing, users with a business need will find alternate tools and methods. Microsoft recommends that you combine external sharing with DLP policies to protect sensitive and highly confidential files.

Device access settings

Device access settings for SharePoint Online and OneDrive for Business let you determine whether access is limited to the browser only (files can't be downloaded) or blocked entirely. These settings are currently in First Release and apply tenant-wide. The ability to configure device access policies at the site level is coming soon. For this solution, we recommend not using device access settings that apply tenant-wide.

To use device access settings while they are in First Release, see Set up the Standard or First Release options in Office 365.

OneDrive for Business

Visit these settings to decide whether you want to change the default settings for OneDrive for Business sites. Currently, the sharing and device access settings are duplicated from the SharePoint Online admin center and apply to both environments.

SharePoint team site configuration

The following summarizes the configuration for each of the team sites described earlier in this article. Use these configurations as starting-point recommendations and adjust the site types and configurations to meet the needs of your organization. Not every organization needs every type of site. Only a small number of organizations require highly confidential protection.

Baseline protection #1

  • Description: Open discovery and collaboration within the organization.
  • Private or public team site: Public.
  • Who has access? Everybody in the organization, including B2B users and guest users.
  • Site-level sharing controls: Sharing allowed with anybody. Default settings.
  • Site-level device access controls: No additional controls.
  • Office 365 label: Internal Public.

Baseline protection #2

  • Description: Private site and group, with sharing allowed outside the group.
  • Private or public team site: Private.
  • Who has access? Members of the site only. Others can request access.
  • Site-level sharing controls: Sharing allowed with anybody. Default settings.
  • Site-level device access controls: No additional controls.
  • Office 365 label: Private.

Sensitive protection

  • Description: Isolated site, in which levels of access are defined by membership in specific groups. Sharing is only allowed to members of the site. DLP warns users when they attempt to send files outside the organization.
  • Private or public team site: Private.
  • Who has access? Members of the site only. Others can request access.
  • Site-level sharing controls: Members cannot share access to the site. Non-members can request access to the site, but these requests need to be handled by a site administrator.
  • Site-level device access controls: Site-level controls are coming soon that prevent users from downloading files to non-compliant or non-domain-joined devices, allowing browser-only access from all other devices.
  • Office 365 label: Sensitive.
  • DLP policies: Warn users when they send files labeled Sensitive outside the organization. To block external sharing of sensitive data types, such as credit card numbers or other personal data, you can configure additional DLP policies for these data types (including custom data types you configure).

Highly confidential

  • Description: Isolated site, plus file encryption and permissions with Azure Information Protection. DLP prevents users from sending files outside the organization.
  • Private or public team site: Private.
  • Who has access? Members only. Others cannot request access.
  • Site-level sharing controls: Members cannot share access to the site. Non-members cannot request access to the site or its contents.
  • Site-level device access controls: Site-level controls are coming soon that block downloading of files to non-compliant or non-domain-joined devices.
  • Office 365 label: Highly Confidential.
  • DLP policies: Block users from sending files labeled Highly Confidential outside the organization. Allow users to override this by providing a justification, including who they are sharing the file with.
  • Azure Information Protection: Use Azure Information Protection to automatically encrypt files and grant permissions to them. This protection travels with the files in case they are leaked. Office 365 cannot read files encrypted with Azure Information Protection, so DLP policies can only work with the metadata (including labels) and not with the contents of these files (such as credit card numbers within files).
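The site-level sharing restriction for the Sensitive and Highly Confidential sites above, as an added example that is not part of the original article. It assumes Connect-SPOService has already been run as a SharePoint administrator, and both site URLs are placeholders; whether members can share and whether non-members can request access are configured in each site's Access Request Settings page, so the cmdlets here cover only the sharing-capability part of the table.

```powershell
# Added example (not from the original article): make two sites more
# restrictive than the open tenant default. Site settings can only tighten
# the tenant setting, never loosen it. Site URLs are placeholders.
$sites = @{
    # Sensitive: members cannot share; non-members may still request access
    # (the request and "members can share" switches live in the site's
    # Access Request Settings, not in these cmdlets).
    "https://<tenant>.sharepoint.com/sites/<sensitive-site>"           = "Sensitive"
    # Highly confidential: members cannot share and nobody may request access.
    "https://<tenant>.sharepoint.com/sites/<highly-confidential-site>" = "Highly Confidential"
}

foreach ($url in $sites.Keys) {
    # Turn off external sharing for this site only; the tenant keeps its
    # open default for the two baseline sites.
    Set-SPOSite -Identity $url -SharingCapability Disabled

    # Do not allow "anyone in the organization" links for these sites, so
    # links must be issued to specific people who are already members.
    Set-SPOSite -Identity $url -DisableCompanyWideSharingLinks Disabled

    # Read the settings back and fail loudly if the change did not land.
    $site = Get-SPOSite -Identity $url
    if ($site.SharingCapability -ne "Disabled") {
        throw "$url still allows external sharing ($($site.SharingCapability))"
    }
    "{0}: external sharing {1}, company-wide links {2}" -f `
        $sites[$url], $site.SharingCapability, $site.DisableCompanyWideSharingLinks
}
```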

For the steps to deploy the four different types of SharePoint Online team sites in this solution, see Deploy sites for three tiers of protection.

For step-by-step instructions to set this up for demonstration, proof of concept, or dev/test, see Secure SharePoint Online sites in a dev/test environment.

Office 365 classification and labels

Using Office 365 labels is recommended for environments with sensitive data. After you configure and publish Office 365 labels, you can:

  • Apply a default label to a document library in a SharePoint Online team site, so that all documents in that library get the default label.
  • Apply labels to content automatically when it matches specific conditions.
  • Create DLP policies that are based on Office 365 labels.
  • Enable people in your organization to apply a label manually to content in Outlook on the web, Outlook 2010 and later, OneDrive for Business, SharePoint Online, and Office 365 groups. Users often know best what type of content they're working with, so they can classify it and have the appropriate DLP policy applied.

Figure: Office 365 labels

As illustrated, this solution includes creating the following labels:

  • Highly Confidential
  • Sensitive
  • Private
  • Internal Public

These labels are mapped to the recommended sites in the illustrations and charts earlier in this article. This solution recommends configuring DLP policies to help prevent files labeled Sensitive and Highly Confidential from leaking outside the organization.

For the steps to configure Office 365 labels and DLP policies in this solution, see Protect SharePoint Online files with Office 365 labels and DLP.

For step-by-step instructions to set this up for demonstration, proof of concept, or dev/test, see Secure SharePoint Online sites in a dev/test environment.

Azure Information Protection

Use Azure Information Protection to apply labels and protections that follow the files wherever they go. For this solution, we recommend that you use a scoped Azure Information Protection policy and a sub-label of the Highly Confidential label to encrypt and grant permissions to files that need to be protected at the highest level of security.

Be aware that when Azure Information Protection encryption is applied to files stored in Office 365, the service cannot process the contents of those files. Co-authoring, eDiscovery, search, Delve, and other collaborative features do not work. DLP policies can only work with the metadata (including Office 365 labels) and not with the contents of these files (such as credit card numbers within files).

Figure: Office 365 labels

As illustrated:

  • You configure Azure Information Protection policies and labels in the Microsoft Azure portal. Configuring a sub-label of a scoped policy is recommended.
  • Azure Information Protection labels appear as an Information Protection bar in Office applications.

Adding permissions for external users

There are two ways you can grant external users access to files protected with Azure Information Protection. In both cases, external users must have an Azure AD account. If external users aren't members of an organization that uses Azure AD, they can obtain an Azure AD account as an individual by using this sign-up page: https://aka.ms/aip-signup.

  • Add external users to an Azure AD group that is used to configure protection for a label. You'll need to first add the account as a B2B user in your directory. It can take a couple of hours for Azure Rights Management to refresh its cache of group membership. With this method, permissions are granted to all existing files protected with the label (even files protected before the user was added to the Azure AD group).

  • Add external users directly to the label's protection. You can add all users from an organization (for example, Fabrikam.com), an Azure AD group (such as a finance group within an organization), or an individual user. For example, you can add an external team of regulators to the protection for a label. With this method, permissions are granted only to files protected with the label after the external entity was added to the protection.

Deploying and using Azure Information Protection

For the steps to configure Azure Information Protection in this solution, see Protect SharePoint Online files with Azure Information Protection.

For step-by-step instructions to set this up for demonstration, proof of concept, or dev/test, see Secure SharePoint Online sites in a dev/test environment.

Next steps

Deploy sites for three tiers of protection