Configure your Microsoft 365 tenant for increased security

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to

This topic walks you through the recommended configuration for tenant-wide settings that affect the security of your Microsoft 365 environment. Your security needs might require more or less security. Use these recommendations as a starting point.

Check Office 365 Secure Score

Office 365 Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Adjusting some tenant-wide settings will increase your score. The goal is not to achieve the maximum score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users. See Microsoft Secure Score.

Tune threat management policies in the Microsoft 365 security center

The Microsoft 365 security center includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations; others do not include default policies or rules. Visit these policies under Threat management to tune threat management settings for a more secure environment.


Area: Anti-phishing
Includes a default policy: Yes
Recommendation: If you have a custom domain, configure the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain.

Review Anti-phishing policies in Office 365 and see Configure anti-phishing policies in EOP or Configure anti-phishing policies in Microsoft Defender for Office 365.

Area: Anti-Malware Engine
Includes a default policy: Yes
Recommendation: Edit the default policy:
  • Common Attachment Types Filter: Select On

You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization.

More information:

Area: Safe Attachments in Microsoft Defender for Office 365
Includes a default policy: No
Recommendation: On the main page for Safe Attachments, click Global settings and turn on this setting:
  • Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams

Create a Safe Attachments policy with these settings:

  • Block: Select Block as the unknown malware response.
  • Enable redirect: Check this box and enter an email address, such as an admin or quarantine account.
  • Apply the above selection if malware scanning for attachments times out or an error occurs: Check this box.
  • Applied to: The recipient domain is > select your domain.

More information: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Set up Safe Attachments policies

Area: Safe Links in Microsoft Defender for Office 365
Includes a default policy: Yes
Recommendation: On the main page for Safe Links, click Global settings:
  • Use Safe Links in: Office 365 applications: Verify this setting is turned on.
  • Do not track when users click Safe Links: Turn this setting off to track user clicks.

Create a Safe Links policy with these settings:

  • Select the action for unknown potentially malicious URLs in messages: Verify this setting is On.
  • Select the action for unknown or potentially malicious URLs within Microsoft Teams: Verify this setting is On.
  • Apply real-time URL scanning for suspicious links and links that point to files: Check this box.
  • Wait for URL scanning to complete before delivering the message: Check this box.
  • Apply Safe Links to email messages sent within the organization: Check this box.
  • Do not allow users to click through to original URL: Check this box.
  • Applied To: The recipient domain is > select your domain.

More information: Set up Safe Links policies.

Area: Anti-Spam (Mail filtering)
Includes a default policy: Yes
Recommendation: What to watch for:
  • Too much spam: Choose the Custom settings and edit the Default spam filter policy.
  • Spoof intelligence: Review senders that are spoofing your domain. Block or allow these senders.

More information: Microsoft 365 Email Anti-Spam Protection.

Area: Email Authentication
Includes a default policy: Yes
Recommendation: Email authentication uses the Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used:

Note

For non-standard deployments of SPF, hybrid deployments, and troubleshooting: How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.
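The anti-malware, Safe Attachments and Safe Links settings in the table above can also be applied from Exchange Online PowerShell, which is useful when you want the configuration to be repeatable and reviewable. The script below is an added example; it is not code from the original page or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and an admin session is already open with Connect-ExchangeOnline, and it uses contoso.com and security-quarantine@contoso.com as placeholder values for your domain and redirect mailbox.

```powershell
# Added example (not from the original page). Assumes an open Exchange Online
# session (Connect-ExchangeOnline) in a tenant licensed for Defender for Office 365.
# Placeholder values to replace with your own:
$Domain          = "contoso.com"                       # your custom domain
$RedirectMailbox = "security-quarantine@contoso.com"   # admin or quarantine mailbox

# --- Anti-Malware Engine: turn on the Common Attachment Types Filter in the default policy
Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true

# --- Global settings shared by Safe Attachments and Safe Links
$global = @{
    EnableATPForSPOTeamsODB       = $true    # "Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams"
    EnableSafeLinksForO365Clients = $true    # "Use Safe Links in: Office 365 applications"
    TrackClicks                   = $true    # i.e. "Do not track when users click Safe Links" is OFF
    AllowClickThrough             = $false   # users cannot click through to the original URL
}
Set-AtpPolicyForO365 @global

# --- Safe Attachments policy: Block unknown malware, redirect blocked mail to the
#     quarantine mailbox, and apply the same action when scanning times out or errors.
$saName = "Baseline Safe Attachments"
$safeAttachments = @{
    Name            = $saName
    Enable          = $true
    Action          = "Block"            # unknown malware response
    Redirect        = $true              # "Enable redirect"
    RedirectAddress = $RedirectMailbox
    ActionOnError   = $true              # "Apply the above selection if scanning times out or an error occurs"
}
New-SafeAttachmentPolicy @safeAttachments
# The rule scopes the policy: "Applied to: The recipient domain is > your domain"
New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName -RecipientDomainIs $Domain

# --- Safe Links policy, one parameter per checkbox in the table
$slName = "Baseline Safe Links"
$safeLinks = @{
    Name                     = $slName
    IsEnabled                = $true     # action for unknown potentially malicious URLs in messages: On
    EnableSafeLinksForTeams  = $true     # unknown or potentially malicious URLs within Microsoft Teams: On
    ScanUrls                 = $true     # real-time URL scanning for suspicious links and links to files
    DeliverMessageAfterScan  = $true     # wait for URL scanning to complete before delivery
    EnableForInternalSenders = $true     # apply Safe Links to mail sent within the organization
    DoNotAllowClickThrough   = $true     # do not allow users to click through to the original URL
    TrackClicks              = $true
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName -RecipientDomainIs $Domain

# --- Verify what was applied (read back the values rather than trusting the calls succeeded)
Get-MalwareFilterPolicy -Identity "Default" | Format-List Name, EnableFileFilter
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB, EnableSafeLinksForO365Clients, TrackClicks, AllowClickThrough
Get-SafeAttachmentPolicy -Identity $saName | Format-List Name, Enable, Action, Redirect, RedirectAddress, ActionOnError
Get-SafeLinksPolicy -Identity $slName | Format-List Name, IsEnabled, EnableSafeLinksForTeams, ScanUrls, DeliverMessageAfterScan, EnableForInternalSenders, DoNotAllowClickThrough, TrackClicks
```

Newer releases of the ExchangeOnlineManagement module have renamed some of these parameters (for example, IsEnabled on the Safe Links policy became EnableSafeLinksForEmail), so run Get-Help New-SafeLinksPolicy -Parameter * against the module version you have installed before using this in production.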

View dashboards and reports in the security and compliance centers

Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see Reports in the Microsoft 365 security and compliance centers.

Dashboard: Threat management dashboard
Description: In the Threat management section of the security center, use this dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what threat investigation and response capabilities have already done to secure your business.

Dashboard: Threat Explorer (or real-time detections)
Description: This is also in the Threat management section of the security center. If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.

Dashboard: Reports dashboard
Description: In the Reports section of the security center, view audit reports for your SharePoint Online and Exchange Online organizations. You can also access Azure Active Directory (Azure AD) user sign-in reports, user activity reports, and the Azure AD audit log from the View reports page.

(Image: Security center dashboard)

Configure additional Exchange Online tenant-wide settings

Many of the controls for security and protection in the Exchange admin center are also included in the security center. You do not need to configure these in both places. Here are a couple of additional settings that are recommended.

Area: Mail Flow (mail flow rules, also known as transport rules)
Includes a default policy: No
Recommendation: Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see Use mail flow rules to inspect message attachments in Exchange Online.

See these additional topics:

Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see Mitigating Client External Forwarding Rules with Secure Score.

More information: Mail flow rules (transport rules) in Exchange Online

Area: Enable modern authentication
Includes a default policy: No
Recommendation: Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email.

See these topics:

Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business.

More information: How modern authentication works for Office 2013 and Office 2016 client apps
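The three mail flow rules recommended above (block executable attachments, block macro-enabled Office files, block auto-forwarding to external domains) and the modern authentication switch can all be created from Exchange Online PowerShell. The following is an added example, not code from the original page or from Microsoft; it assumes an open Connect-ExchangeOnline session, and the rule names, reject text and the list of macro-enabled extensions are choices made for this example.

```powershell
# Added example (not from the original page). Assumes an open Exchange Online
# session (Connect-ExchangeOnline). Rule names and reject text are placeholders.

# Rule 1: reject messages whose attachments contain executable content.
# AttachmentHasExecutableContent inspects the true file type, so renaming
# program.exe to program.txt does not get past it.
$execRule = @{
    Name                            = "Block executable attachments"
    AttachmentHasExecutableContent  = $true
    RejectMessageReasonText         = "Executable attachments are not accepted by this organization."
    RejectMessageEnhancedStatusCode = "5.7.1"
    Mode                            = "Enforce"   # start with "Audit" to measure impact before enforcing
}
New-TransportRule @execRule

# Rule 2: reject macro-enabled Office file types by extension.
# Conditions inside one rule are ANDed, so this is a separate rule rather than a
# second condition on rule 1 (which would only match files that were both).
$macroRule = @{
    Name                            = "Block macro-enabled Office attachments"
    AttachmentExtensionMatchesWords = @("docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam")
    RejectMessageReasonText         = "Macro-enabled Office attachments are not accepted by this organization."
    RejectMessageEnhancedStatusCode = "5.7.1"
    Mode                            = "Enforce"
}
New-TransportRule @macroRule

# Rule 3: stop automatic forwarding from inside the organization to external recipients.
# MessageTypeMatches AutoForward catches both Outlook rules and mailbox-level forwarding.
$fwdRule = @{
    Name                            = "Block auto-forwarding to external domains"
    FromScope                       = "InOrganization"
    SentToScope                     = "NotInOrganization"
    MessageTypeMatches              = "AutoForward"
    RejectMessageReasonText         = "Automatic forwarding to external recipients is not permitted."
    RejectMessageEnhancedStatusCode = "5.7.1"
    Mode                            = "Enforce"
}
New-TransportRule @fwdRule

# Modern authentication (OAuth 2.0) for Exchange Online, the prerequisite for MFA.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify: rules are enabled and in the expected mode, and modern auth is on.
Get-TransportRule | Format-Table Name, State, Mode, Priority
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled
```

Creating the rules in Audit mode first and reviewing the message trace for a week shows which legitimate senders would be rejected (for example, a vendor that mails signed installers) before any mail is actually bounced.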

Configure tenant-wide sharing policies in SharePoint admin center

Microsoft recommends configuring SharePoint team sites at increasing levels of protection, starting with baseline protection. For more information, see Policy recommendations for securing SharePoint sites and files.

SharePoint team sites configured at the baseline level allow sharing files with external users by using anonymous access links. This approach is recommended instead of sending files in email.

To support the goals for baseline protection, configure tenant-wide sharing policies as recommended here. Sharing settings for individual sites can be more restrictive than this tenant-wide policy, but not more permissive.

Area: Sharing (SharePoint Online and OneDrive for Business)
Includes a default policy: Yes
Recommendation: External sharing is enabled by default. These settings are recommended:
  • Allow sharing to authenticated external users and using anonymous access links (default setting).
  • Anonymous access links expire in this many days: Enter a number, if desired, such as 30 days.
  • Default link type: select Internal (people in the organization only). Users who wish to share using anonymous links must choose this option from the sharing menu.

More information: External sharing overview

The SharePoint admin center and the OneDrive for Business admin center include the same settings. The settings in either admin center apply to both.
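The tenant-wide sharing settings above map directly onto Set-SPOTenant parameters, and the "more restrictive but not more permissive" rule for individual sites can be checked from the same shell. The script below is an added example, not code from the original page or from Microsoft; it assumes the SharePoint Online Management Shell module and a tenant admin account, and uses contoso as a placeholder tenant name and a hypothetical Finance site.

```powershell
# Added example (not from the original page). Assumes the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) and a tenant admin.
# "contoso" and the Finance site URL are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide baseline from the table:
#   - sharing with authenticated external users and anonymous links (the default)
#   - anonymous links expire after 30 days
#   - default link type Internal, so anonymous sharing must be chosen deliberately
$tenantSharing = @{
    SharingCapability                 = "ExternalUserAndGuestSharing"
    RequireAnonymousLinksExpireInDays = 30
    DefaultSharingLinkType            = "Internal"
}
Set-SPOTenant @tenantSharing

# A site may be more restrictive than the tenant, never more permissive.
# Example: a finance site that allows authenticated external users but no anonymous links.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability ExternalUserSharingOnly

# Verify the tenant values were applied.
Get-SPOTenant | Format-List SharingCapability, RequireAnonymousLinksExpireInDays, DefaultSharingLinkType

# Check: list any site whose sharing level is more permissive than the tenant's.
# Rank the levels from most to least restrictive so the comparison is mechanical.
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}
$tenantLevel = $rank[(Get-SPOTenant).SharingCapability.ToString()]
Get-SPOSite -Limit All |
    Where-Object { $rank[$_.SharingCapability.ToString()] -gt $tenantLevel } |
    Select-Object Url, SharingCapability
```

The final query should return nothing on a correctly configured tenant; if it lists sites, those are the ones whose site-level setting was set before the tenant was tightened and whose effective sharing is now capped by the tenant policy.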

Configure settings in Azure Active Directory

Be sure to visit these two areas in Azure Active Directory to complete tenant-wide setup for more secure environments.

Configure named locations (under conditional access)

If your organization includes offices with secure network access, add the trusted IP address ranges to Azure Active Directory as named locations. This feature helps reduce the number of reported false positives for sign-in risk events.

See: Named locations in Azure Active Directory

Block apps that don't support modern authentication

Multi-factor authentication requires apps that support modern authentication. Apps that do not support modern authentication cannot be blocked by using conditional access rules.

For secure environments, be sure to disable authentication for apps that do not support modern authentication. You can do this in Azure Active Directory with a control that is coming soon.

In the meantime, use one of the following methods to accomplish this for SharePoint Online and OneDrive for Business:

  • Use PowerShell; see Block apps that do not use modern authentication (ADAL).

  • Configure this in the SharePoint admin center on the Device access page, under "Control access from apps that don't use modern authentication." Choose Block.
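Both Azure AD steps above (a trusted named location, and blocking apps that do not use modern authentication for SharePoint Online and OneDrive) can be done from PowerShell. The following is an added example, not code from the original page or from Microsoft; it assumes the AzureADPreview module for named locations and the SharePoint Online Management Shell for the legacy-authentication setting, and it uses the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as placeholders for your offices' egress addresses.

```powershell
# Added example (not from the original page). Assumes the AzureADPreview module
# (Connect-AzureAD) and the SharePoint Online Management Shell (Connect-SPOService).
# The IP ranges are TEST-NET placeholders; "contoso" is a placeholder tenant name.
Connect-AzureAD
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Build IpRange objects for the office egress ranges (CIDR notation).
$officeRanges = @("203.0.113.0/24", "198.51.100.0/24") | ForEach-Object {
    $range = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
    $range.CidrAddress = $_
    $range
}

# Named location marked as trusted: sign-ins from these ranges are no longer
# reported as unfamiliar-location risk, which is what cuts the false positives.
$namedLocation = @{
    OdataType   = "#microsoft.graph.ipNamedLocation"
    DisplayName = "Corporate offices (trusted)"
    IsTrusted   = $true
    IpRanges    = $officeRanges
}
New-AzureADMSNamedLocationPolicy @namedLocation

# Block apps that do not use modern authentication (ADAL) for SharePoint Online
# and OneDrive for Business. Assumption: this tenant property is the PowerShell
# equivalent of the "Control access from apps that don't use modern authentication"
# setting on the Device access page.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Verify: list trusted IP named locations with their ranges, and the SPO setting.
Get-AzureADMSNamedLocationPolicy |
    Where-Object { $_.OdataType -eq "#microsoft.graph.ipNamedLocation" -and $_.IsTrusted } |
    Select-Object DisplayName, @{ Name = "Ranges"; Expression = { ($_.IpRanges | ForEach-Object { $_.CidrAddress }) -join ", " } }
Get-SPOTenant | Format-List LegacyAuthProtocolsEnabled
```

Keep trusted ranges narrow: a range that also covers guest Wi-Fi or a VPN pool shared with contractors downgrades risk scoring for everyone behind it, not only for the managed office network the named location was meant to describe.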

Get started with Cloud App Security or Office 365 Cloud App Security

Use Office 365 Cloud App Security to evaluate risk, to alert on suspicious activity, and to automatically take action. Requires an Office 365 E5 plan.

Or, use Microsoft Cloud App Security to obtain deeper visibility even after access is granted, comprehensive controls, and improved protection for all your cloud applications, including Office 365.

Because this solution recommends the EMS E5 plan, we recommend you start with Cloud App Security so you can use it with other SaaS applications in your environment. Start with default policies and settings.

More information:

(Image: Cloud App Security dashboard)

Additional resources

These articles and guides provide additional prescriptive information for securing your Microsoft 365 environment: