Policy recommendations for securing SharePoint Sites and files

The following recommendations are provided in addition to the common identity and access policy recommendations and the policy recommendations for securing email. To safeguard SharePoint Online files, new policies must be created, and existing policies amended, as described here.

The following recommendations are based on three different tiers of security and protection for SharePoint files that can be applied based on the granularity of your needs: baseline, sensitive, and highly regulated. You can learn more about these security tiers, and the recommended client operating systems referenced by these recommendations, in the recommended security policies and configurations introduction.

Note

All security groups created as part of these recommendations must be created with Office features enabled. This is specifically important for the deployment of AIP when securing documents in SharePoint.

Enable Office features for security groups

Baseline

Medium and above risk requires MFA

Make the following changes to the existing CA policy created when applying the policy recommendations to secure email:

| Category | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Assignments | Cloud apps | Include | Select apps: Office 365 Exchange Online, Office 365 SharePoint Online | Select both |

Require a compliant or domain joined device

To create a new Intune Conditional Access policy for SharePoint Online, log in to the Microsoft Management portal with your administrator credentials and then navigate to Policy > Conditional Access > SharePoint Online Policy.

SharePoint Online policy

You must set a Conditional Access policy specifically for SharePoint Online in the Intune Management portal to require a compliant or domain joined device.

| Category | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Application access | OneDrive for Business and other apps that use modern authentication | All platforms | True | Selected |
| | | Windows must meet the following requirement | Device must be domain joined or compliant | Selected (List) |
| | | Specific platforms | False | |
| | Browser access to SharePoint and OneDrive for Business | Block non-compliant devices on same platform as OneDrive for Business | True | Check |
| Policy deployment | Targeted groups | Select the Active Directory groups to target with this policy | | |
| | | All users | False | |
| | | Selected security groups | True | Selected |
| | | Modify | Select specific security group containing targeted users. | |
| | Exempt groups | Select the Active Directory groups to exempt from this policy (overrides members of the Targeted Groups list). | | |
| | | No exempt users | True | Selected |
| | | Selected security groups | False | |

Mobile application management conditional access for SharePoint Online

You must set a Conditional Access policy specifically for SharePoint Online in the Intune Management portal to manage mobile apps.

To manage mobile apps, log in to the Microsoft Azure portal with your administrator credentials, and then navigate to Intune App Protection > Settings > Conditional Access > SharePoint Online.

| Category | Type | Properties | Values | Notes |
|---|---|---|---|---|
| App access | Allowed apps | Enable app access | Allow apps that support Intune app policies | Selected (list): this results in a list of app/platform combinations supported by Intune app policies. |
| User access | Restricted user groups | Add user groups: select the specific security group containing targeted users. | | Start with a security group including pilot users. |
| | Exempt user groups | Exception security groups | | |

Apply to

Once your pilot project has been completed, these policies should be applied to all users in your organization.

Sensitive

Low and above risk requires MFA

Make the following changes to the existing CA policy created when applying the policy recommendations to secure email:

| Category | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Assignments | Cloud apps | Include | Select apps: Office 365 Exchange Online, Office 365 SharePoint Online | Select both |

Require a compliant or domain joined device

(See baseline instructions)

Mobile application management conditional access for SharePoint Online

(See baseline instructions)

Highly regulated

MFA required

Make the following changes to the existing CA policy created when applying the policy recommendations to secure email:

| Category | Type | Properties | Values | Notes |
|---|---|---|---|---|
| Assignments | Cloud apps | Include | Select apps: Office 365 Exchange Online, Office 365 SharePoint Online | Select both |

Require a compliant or domain joined device

(See baseline instructions)

Mobile application management conditional access for SharePoint Online

(See baseline instructions)

Additional configurations

In addition to the above policies, you must also lock down legacy protocols that do not support modern authentication.

Lock down legacy protocols

Conditional access policies protect access through browser flows and apps that use modern authentication, such as Office 2016 and the apps on the supported platform list. For older Office desktop applications, such as Office 2010, conditional access policy is not applied.

Older apps that don't use modern authentication can be blocked using the OneDrive admin portal. The SharePoint admin PowerShell cmdlet can also be used to disable SharePoint legacy protocols. To use PowerShell, run the Set-SPOTenant cmdlet and set -LegacyAuthProtocolsEnabled to $false. Once set, legacy protocol support is disabled and all access to SharePoint using older client applications will be blocked.
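As an added example (not part of the original article), the script below audits the tenant's current LegacyAuthProtocolsEnabled value with the SharePoint Online Management Shell, disables legacy protocols unless run with -ReportOnly, and re-reads the setting to confirm the change took effect; the admin URL is a placeholder and the -ReportOnly switch is this script's own assumption.

```powershell
# Added example: audit and disable legacy authentication protocols for SharePoint Online.
# Assumes the SharePoint Online Management Shell module is installed and the caller
# is a SharePoint administrator. The admin URL below is a placeholder.

param(
    [string]$AdminUrl = "https://<tenant>-admin.sharepoint.com",  # placeholder, replace with your tenant admin URL
    [switch]$ReportOnly                                            # report the current state only, change nothing
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

# Read the current tenant-wide setting before changing anything.
$before = (Get-SPOTenant).LegacyAuthProtocolsEnabled
Write-Host "LegacyAuthProtocolsEnabled before: $before"

if (-not $before) {
    Write-Host "Legacy protocols are already disabled; nothing to do."
    return
}

if ($ReportOnly) {
    Write-Warning "Legacy protocols are ENABLED. Re-run without -ReportOnly to disable them."
    return
}

# Disable legacy protocol support. Clients that do not use modern authentication
# (for example Office 2010) lose access to SharePoint Online after this change.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Verify the new value instead of trusting that the call succeeded.
$after = (Get-SPOTenant).LegacyAuthProtocolsEnabled
if ($after) {
    throw "LegacyAuthProtocolsEnabled is still True; the change was not applied."
}
Write-Host "Legacy authentication protocols are now disabled for $AdminUrl."
```

Run it first with -ReportOnly during the pilot so you know which tenants still allow legacy clients before enforcing the block.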

Next steps

Learn more about Microsoft 365 services