Summary of Microsoft 365 for enterprise security for the Contoso Corporation

To get approval to deploy Microsoft 365 for enterprise, the Contoso IT security department conducted a thorough security review. They identified the following security requirements for the cloud:

  • Use the strongest methods of authentication for employee access to cloud resources.
  • Ensure that PCs and mobile devices connect to and access applications in secure ways.
  • Protect PCs and email from malware.
  • Permissions on cloud-based digital assets define who can access what and what they can do, and are designed for least-privilege access.
  • Sensitive and highly regulated digital assets are labeled, encrypted, and stored in secure locations.
  • Highly regulated digital assets are protected with additional encryption and permissions.
  • IT security staff can monitor the current security posture from central dashboards and get notified of security events for quick response and mitigation.

The Contoso path to Microsoft 365 security readiness

Contoso followed these steps to prepare their security for their deployment of Microsoft 365 for enterprise:

  1. Limit administrator accounts for the cloud

    Contoso did an extensive review of its existing Active Directory Domain Services (AD DS) administrator accounts and set up a series of dedicated cloud administrator accounts and groups.

  2. Classify data into three security levels

    Contoso did a careful review and determined the three levels, which were then used to identify the Microsoft 365 for enterprise features needed to protect the most valuable data.

  3. Determine access, retention, and information protection policies for the data levels

    Based on the data levels, Contoso determined detailed requirements that future IT workloads must meet before they are moved to the cloud.

To follow security best practices and Microsoft 365 for enterprise deployment requirements, Contoso security administrators and its IT department deployed many security features and capabilities, as described in the following sections.

Identity and access management

  • Dedicated global administrator accounts with MFA and PIM

    Rather than assign the global admin role to everyday user accounts, Contoso created three dedicated global administrator accounts with strong passwords. The accounts are protected by Azure AD Multi-Factor Authentication (MFA) and Azure Active Directory (Azure AD) Privileged Identity Management (PIM). PIM requires Microsoft 365 E5, which includes the Azure AD Premium P2 license it depends on.

    Signing in with a global administrator account is done only for specific administrative tasks. The passwords are known only to designated staff, and the global administrator role is activated through Azure AD PIM only for the time period configured there, so the accounts hold no standing privilege between tasks.

    Contoso security administrators assigned lesser admin roles to the other IT accounts, matching each role to that IT worker's job function.

    For more information, see About Microsoft 365 admin roles.

  • MFA for all user accounts

    MFA adds an additional layer of protection to the sign-in process. It requires users to acknowledge a phone call, text message, or app notification on their smartphone after correctly entering their password. With MFA, Azure AD user accounts are protected against unauthorized sign-in even if an account password is compromised. Phone-call and SMS factors are the weakest of these options (the codes can be intercepted or socially engineered out of the user), so app-based approval or a FIDO2 security key is preferred where available.

    • To protect against compromise of the Microsoft 365 subscription, Contoso requires MFA on all global administrator accounts.
    • To protect against phishing attacks, in which an attacker compromises the credentials of a trusted person in the organization and sends malicious emails, Contoso enabled MFA on all user accounts, including managers and executives.

  • Safer device and application access with Conditional Access policies

    Contoso is using Conditional Access policies for identity, devices, Exchange Online, and SharePoint. Identity Conditional Access policies include requiring password changes for high-risk users and blocking clients from using apps that don't support modern authentication. Device policies include the definition of approved apps and requiring compliant PCs and mobile devices. Exchange Online Conditional Access policies include blocking ActiveSync clients and setting up Office 365 Message Encryption. SharePoint Conditional Access policies include additional protection for sensitive and highly regulated sites.

  • Windows Hello for Business

    Contoso deployed Windows Hello for Business to eventually eliminate the need for passwords through strong two-factor authentication on PCs and mobile devices running Windows 10 Enterprise.

  • Windows Defender Credential Guard

    To stop targeted attacks and malware that run in the operating system with administrative privileges from reading domain credentials out of memory, Contoso enabled Windows Defender Credential Guard through AD DS Group Policy.
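The following Microsoft Graph PowerShell script is an added example of how the identity controls above can be audited and enforced; it is not Contoso's or Microsoft's own deployment code. It assumes the Microsoft.Graph SDK is installed, that the signed-in account can read directory roles and authentication methods and write Conditional Access policies, and that an emergency-access account named breakglass@contoso.com exists (an assumed name). The Global Administrator role template ID used below is the fixed value Azure AD assigns to that role.

```powershell
# Added example, not Contoso's own script. Assumes the Microsoft.Graph module
# and an account with the scopes requested here.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "UserAuthenticationMethod.Read.All",
                        "User.Read.All",
                        "Policy.ReadWrite.ConditionalAccess"

# 1. Enumerate Global Administrator members and flag any without a strong
#    second factor. The page's requirement: a handful of dedicated accounts,
#    all protected by MFA. Phone/SMS methods are deliberately not counted.
$strongMethods = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod"
)
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id)
foreach ($m in $members) {
    $upn = $m.AdditionalProperties["userPrincipalName"]
    if (-not $upn) { continue }   # skip groups and service principals
    $methods   = Get-MgUserAuthenticationMethod -UserId $m.Id
    $hasStrong = $methods | Where-Object {
        $strongMethods -contains $_.AdditionalProperties["@odata.type"] }
    [pscustomobject]@{ Admin = $upn; StrongMfaRegistered = [bool]$hasStrong }
}
if ($members.Count -gt 5) {
    Write-Warning "More than five Global Administrators; review the list above."
}

# 2. Conditional Access: require MFA for the Global Administrator role and
#    block legacy clients that cannot do modern authentication (ActiveSync,
#    basic-auth POP/IMAP/SMTP). Both policies are created in report-only mode;
#    set state to "enabled" only after reviewing the sign-in log impact. The
#    emergency-access account is excluded so an MFA outage cannot lock out
#    every admin.
$globalAdminRoleTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.com'"   # assumed name

$mfaForAdmins = @{
    displayName   = "Require MFA for Global Administrators"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeRoles = @($globalAdminRoleTemplateId)
                          excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForAdmins

$blockLegacyAuth = @{
    displayName   = "Block legacy authentication clients"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacyAuth
```

Run the first part on a schedule: a Global Administrator added outside the three dedicated accounts, or one whose only registered second factor is a phone number, is the drift this page's requirements are meant to prevent. The legacy-authentication block is what actually makes MFA effective, because basic-auth clients never receive an MFA challenge.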

Threat protection

  • Protection from malware with Windows Defender Antivirus

    Contoso is using Windows Defender Antivirus for malware protection and anti-malware management for PCs and devices running Windows 10 Enterprise.

  • Secure email flow and mailbox audit logging with Microsoft Defender for Office 365

    Contoso is using Exchange Online Protection and Defender for Office 365 to protect against unknown malware, viruses, and malicious URLs transmitted through email.

    Contoso also enabled mailbox audit logging, which records who signs in to user mailboxes, sends messages, and performs other actions, whether that actor is the mailbox owner, a delegated user, or an administrator.

  • Attack monitoring and prevention with Office 365 threat investigation and response

    Contoso uses Office 365 threat investigation and response to protect users by making it easy to identify and address attacks, and to prevent future attacks.

  • Protection from sophisticated attacks with Advanced Threat Analytics

    Contoso is using Advanced Threat Analytics (ATA) to protect itself from advanced targeted attacks. ATA automatically analyzes, learns, and identifies normal and abnormal entity (users, devices, and resources) behavior. ATA is an on-premises product whose mainstream support has since ended; its cloud successor, Microsoft Defender for Identity, provides the same class of AD DS behavioral detections.
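The following Exchange Online PowerShell script is an added example of verifying and hardening the mailbox audit logging described above, and of pulling the resulting sign-in and send events for review; it is not Contoso's own script. It assumes the ExchangeOnlineManagement module and an account holding the Exchange Administrator role.

```powershell
# Added example, not Contoso's own script. Assumes ExchangeOnlineManagement
# and an Exchange Administrator account.
Connect-ExchangeOnline

# 1. Mailbox auditing is on by default at the organization level, but an admin
#    can switch it off; confirm the switch before trusting any per-mailbox setting.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Per-mailbox settings: auditing on, at least 180 days of retention, and
#    owner/delegate/admin action sets that include the sign-in and send events
#    the page calls out.
$ownerActions    = @("MailboxLogin", "Update", "MoveToDeletedItems", "SoftDelete", "HardDelete")
$delegateActions = @("SendAs", "SendOnBehalf", "Update", "MoveToDeletedItems", "SoftDelete", "HardDelete")
$adminActions    = @("SendAs", "SendOnBehalf", "Update", "MoveToDeletedItems", "SoftDelete", "HardDelete")

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object {
        # AuditLogAgeLimit serializes as "90.00:00:00"; cast via string to be safe
        -not $_.AuditEnabled -or ([timespan]"$($_.AuditLogAgeLimit)").Days -lt 180
    } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true -AuditLogAgeLimit 180 `
            -AuditOwner $ownerActions -AuditDelegate $delegateActions -AuditAdmin $adminActions
    }

# 3. A bypass association silences auditing for everything a given account does
#    to any mailbox. A compromised service account with bypass enabled acts
#    unobserved, so list every account that has it.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 4. Pull the last seven days of mailbox sign-ins and SendAs/SendOnBehalf events
#    from the unified audit log. AuditData is a JSON string per record.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations MailboxLogin,SendAs,SendOnBehalf -ResultSize 5000
$events | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIPAddress, MailboxOwnerUPN |
    Sort-Object CreationTime
```

The bypass check in step 3 is the one most often skipped: auditing can be fully enabled and still produce nothing for the account an attacker is using. Search-UnifiedAuditLog returns at most 5000 records per call, so a busy tenant needs the -SessionId and -SessionCommand ReturnLargeSet parameters to page through a full week.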

Information protection

  • Protect sensitive and highly regulated digital assets with Azure Information Protection labels

    Contoso determined three levels of data protection and deployed Microsoft 365 sensitivity labels that users apply to digital assets. For its trade secrets and other intellectual property, Contoso uses sensitivity sublabels for highly regulated data. Applying such a sublabel encrypts the content and restricts access to specific user accounts and groups.

  • Prevent intranet data leaks with Data Loss Prevention

    Contoso configured Data Loss Prevention policies for Exchange Online, SharePoint, and OneDrive for Business to prevent users from accidentally or intentionally sharing sensitive data.

  • Prevent device data leaks with Windows Information Protection

    Contoso is using Windows Information Protection (WIP) to protect enterprise apps and data against leakage to internet-based apps and services, on both enterprise-owned devices and the personal devices that employees bring to work.

  • Cloud monitoring with Microsoft Cloud App Security

    Contoso is using Microsoft Cloud App Security to map their cloud environment, monitor its usage, and detect security events and incidents. Microsoft Cloud App Security is only available with Microsoft 365 E5.

  • Device management with Microsoft Intune

    Contoso uses Microsoft Intune to enroll, manage, and configure access to mobile devices and the apps that run on them. Device-based Conditional Access policies also require approved apps and compliant PCs and mobile devices.
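The following Security & Compliance PowerShell script is an added example of the label and DLP configuration described in the two items above (an encrypting sublabel for highly regulated data, and a DLP policy across Exchange, SharePoint and OneDrive); it is not Contoso's own configuration. It assumes the ExchangeOnlineManagement module, a Compliance Administrator account, and a mail-enabled security group HighlyRegulated-Readers@contoso.com (an assumed name) that should be the only principal able to open highly regulated content.

```powershell
# Added example, not Contoso's own configuration. Assumes ExchangeOnlineManagement,
# a Compliance Administrator account, and the assumed group named below.
Connect-IPPSSession

# 1. A parent label for the "sensitive" level and an encrypting sublabel for the
#    "highly regulated" level. Rights are granted only to the named group, offline
#    use of a cached key is capped at 7 days, and content never expires on its own.
New-Label -Name "Sensitive" -DisplayName "Sensitive" `
    -Tooltip "Internal data whose disclosure would harm Contoso."

New-Label -Name "HighlyRegulated" -DisplayName "Highly Regulated" -ParentId "Sensitive" `
    -Tooltip "Trade secrets and regulated data; encrypted and restricted to named groups." `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "HighlyRegulated-Readers@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# Publish both labels so they appear in the Office apps for every user.
New-LabelPolicy -Name "Contoso data classification" `
    -Labels "Sensitive","HighlyRegulated" -ExchangeLocation All

# 2. DLP: block payment card numbers from being shared outside the organization
#    through Exchange, SharePoint and OneDrive. The policy starts in test mode
#    with user notifications; switch to -Mode Enable once the match rate and
#    false positives have been reviewed.
New-DlpCompliancePolicy -Name "Block external sharing of payment card data" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Credit card numbers shared externally" `
    -Policy "Block external sharing of payment card data" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner,LastModifier `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All
```

Two design points matter here. The sublabel grants no OWNER right, so a recipient in the group cannot remove the protection or widen the rights list, which keeps the "highly regulated" restriction under IT's control rather than the author's. Starting the DLP policy in TestWithNotifications lets users see the warning and report false positives before blocking is turned on; enabling a new rule in blocking mode on day one is the usual cause of a DLP rollback.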

Security management

  • Central security dashboard for IT with Azure Defender

    Contoso uses Azure Defender (since renamed Microsoft Defender for Cloud) to present a unified view of security and threat protection, to manage security policies across its workloads, and to respond to cyberattacks.

  • Central security dashboard for users with Windows Defender Security Center

    Contoso deployed the Windows Security app (the current name of Windows Defender Security Center) to its PCs and devices running Windows 10 Enterprise so that users can see their security posture at a glance and take action.