Top 12 tasks for security teams to support working from home

If you are like Microsoft and suddenly find yourself supporting a primarily home-based workforce, we want to help you ensure your organization is working as securely as possible. This article prioritizes tasks to help security teams implement the most important security capabilities as quickly as possible.

Perform these top tasks to support working from home.

If you are a small or medium-size organization using one of Microsoft's business plans, see these resources instead:

For customers using our enterprise plans, Microsoft recommends you complete the tasks listed in the following table that apply to your service plan. If, instead of purchasing a Microsoft 365 enterprise plan, you are combining subscriptions, note the following:

  • Microsoft 365 E3 includes Enterprise Mobility + Security (EMS) E3 and Azure AD P1
  • Microsoft 365 E5 includes EMS E5 and Azure AD P2

Step | Task | All Office 365 Enterprise plans | Microsoft 365 E3 | Microsoft 365 E5
1 | Enable Azure AD Multi-Factor Authentication (MFA) | Included | Included | Included
2 | Protect against threats | Included | Included | Included
3 | Configure Microsoft Defender for Office 365 | | | Included
4 | Configure Microsoft Defender for Identity | | | Included
5 | Turn on Microsoft 365 Defender | | | Included
6 | Configure Intune mobile app protection for phones and tablets | | Included | Included
7 | Configure MFA and conditional access for guests, including Intune app protection | | Included | Included
8 | Enroll PCs into device management and require compliant PCs | | Included | Included
9 | Optimize your network for cloud connectivity | Included | Included | Included
10 | Train users | Included | Included | Included
11 | Get started with Microsoft Cloud App Security | | | Included
12 | Monitor for threats and take action | Included | Included | Included

Before you begin, check your Microsoft 365 Secure Score in the Microsoft 365 security center. From a centralized dashboard, you can monitor and improve the security for your Microsoft 365 identities, data, apps, devices, and infrastructure. You are given points for configuring recommended security features, performing security-related tasks (such as viewing reports), or addressing recommendations with a third-party application or software. The recommended tasks in this article will raise your score.

Screenshot of Microsoft Secure Score

1: Enable Azure AD Multi-Factor Authentication (MFA)

The single best thing you can do to improve security for employees working from home is to turn on MFA. If you don't already have processes in place, treat this as an emergency pilot and make sure you have support folks ready to help employees who get stuck. As you probably can't distribute hardware security devices, use Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.

Normally, Microsoft recommends you give users 14 days to register their device for Multi-Factor Authentication before requiring MFA. However, if your workforce is suddenly working from home, go ahead and require MFA as a security priority and be prepared to help users who need it.

Applying these policies will take only a few minutes, but be prepared to support your users over the next several days.


Plan | Recommendation
Microsoft 365 plans (without Azure AD P1 or P2) | Enable Security defaults in Azure AD. Security defaults in Azure AD include MFA for users and administrators.
Microsoft 365 E3 (with Azure AD P1) | Use Common Conditional Access policies to configure the following policies:
  - Require MFA for administrators
  - Require MFA for all users
  - Block legacy authentication
Microsoft 365 E5 (with Azure AD P2) | Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's recommended set of conditional access and related policies by creating these policies:
  - Require MFA when sign-in risk is medium or high
  - Block clients that don't support modern authentication
  - High risk users must change password

2: Protect against threats

All Microsoft 365 plans include a variety of threat protection features. Bumping up protection for these features takes just a few minutes.

  • Anti-malware protection
  • Protection from malicious URLs and files
  • Anti-phishing protection
  • Anti-spam protection

See Protect against threats in Office 365 for guidance you can use as a starting point.

3: Configure Microsoft Defender for Office 365

Microsoft Defender for Office 365, included with Microsoft 365 E5 and Office 365 E5, safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. This can take several hours to configure.

Microsoft Defender for Office 365:

  • Protects your organization from unknown email threats in real time by using intelligent systems that inspect attachments and links for malicious content. These automated systems include a robust detonation platform, heuristics, and machine learning models.
  • Protects your organization when users collaborate and share files, by identifying and blocking malicious files in team sites and document libraries.
  • Applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks.

For an overview, including a summary of plans, see Defender for Office 365.

Your Global Administrator can configure these protections:

You'll need to work with your Exchange Online administrator and SharePoint Online administrator to configure Defender for Office 365 for these workloads:

4: Configure Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Focus on this next because it protects your on-premises and your cloud infrastructure, has no dependencies or prerequisites, and can provide immediate benefit.

5: Turn on Microsoft 365 Defender

Now that you have Microsoft Defender for Office 365 and Microsoft Defender for Identity configured, you can view the combined signals from these capabilities in one dashboard. Microsoft 365 Defender brings together alerts, incidents, automated investigation and response, and advanced hunting across workloads (Microsoft Defender for Identity, Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security) into a single pane at security.microsoft.com.

Illustration of the MTP dashboard

After you have configured one or more of your Defender for Office 365 services, turn on MTP. New features are added continually to MTP; consider opting in to receive preview features.

6: Configure Intune mobile app protection for phones and tablets

Microsoft Intune Mobile Application Management (MAM) allows you to manage and protect your organization's data on phones and tablets without managing these devices. Here's how it works:

  • You create an App Protection Policy (APP) that determines which apps on a device are managed and what behaviors are allowed (such as preventing data from a managed app from being copied to an unmanaged app). You create one policy for each platform (iOS, Android).
  • After creating the app protection policies, you enforce these by creating a conditional access rule in Azure AD to require approved apps and APP data protection.

App protection policies include many settings. Fortunately, you don't need to learn about every setting and weigh the options. Microsoft makes it easy to apply a configuration of settings by recommending starting points. The Data protection framework using app protection policies includes three levels you can choose from.

Even better, Microsoft coordinates this app protection framework with a set of conditional access and related policies we recommend all organizations use as a starting point. If you've implemented MFA using the guidance in this article, you're halfway there!

To configure mobile app protection, use the guidance in Common identity and device access policies:

  1. Use the Apply APP data protection policies guidance to create policies for iOS and Android. Level 2 (enhanced data protection) is recommended for baseline protection.
  2. Create a conditional access rule to Require approved apps and APP protection.

7: Configure MFA and conditional access for guests, including Intune mobile app protection

Next, let's ensure you can continue to collaborate and work with guests. If you're using the Microsoft 365 E3 plan and you implemented MFA for all users, you're set.

If you're using the Microsoft 365 E5 plan and you're taking advantage of Azure Identity Protection for risk-based MFA, you need to make a couple of adjustments (because Azure AD Identity Protection doesn't extend to guests):

  • Create a new conditional access rule to require MFA always for guests and external users.
  • Update the risk-based MFA conditional access rule to exclude guests and external users.

Use the guidance in Updating the common policies to allow and protect guest and external access to understand how guest access works with Azure AD and to update the affected policies.

The Intune mobile app protection policies you created, together with the conditional access rule to require approved apps and APP protection, apply to guest accounts and will help protect your organization's data.

Note

If you've already enrolled PCs into device management to require compliant PCs, you'll also need to exclude guest accounts from the conditional access rule that enforces device compliance.

8: Enroll PCs into device management and require compliant PCs

There are several methods to enroll your workforce's devices. Each method depends on the device's ownership (personal or corporate), device type (iOS, Windows, Android), and management requirements (resets, affinity, locking). This can take a bit of time to sort out. See: Enroll devices in Microsoft Intune.

The quickest way to get going is to Set up automatic enrollment for Windows 10 devices.

You can also take advantage of these tutorials:

After enrolling devices, use the guidance in Common identity and device access policies to create these policies:

  • Define device-compliance policies: The recommended settings for Windows 10 include requiring antivirus protection. If you have Microsoft 365 E5, use Microsoft Defender for Endpoint to monitor the health of employee devices. Be sure compliance policies for other operating systems include antivirus protection and endpoint protection software.
  • Require compliant PCs: This is the conditional access rule in Azure AD that enforces the device compliance policies.

Only one organization can manage a device, so be sure to exclude guest accounts from the conditional access rule in Azure AD. If you don't exclude guest and external users from policies that require device compliance, these policies will block these users. For more information, see Updating the common policies to allow and protect guest and external access.
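As an added example (not part of the Microsoft article), the following Python checks a set of conditional access policies for the guest rules in steps 7 and 8: an enabled policy must require MFA unconditionally for guests, no risk-based MFA policy may still include guests, and no device-compliance policy may include guests. The policy dictionaries are constructed samples shaped like the Microsoft Graph conditionalAccessPolicy resource; that shape and the GuestsOrExternalUsers keyword are assumptions about the API, not something the article states.

```python
"""Audit conditional access policies for the guest handling described in steps 7 and 8.

Assumption: policies are dictionaries shaped like Microsoft Graph's
conditionalAccessPolicy resource (conditions.users.includeUsers/excludeUsers,
conditions.signInRiskLevels, grantControls.builtInControls, state).
"""

GUESTS = "GuestsOrExternalUsers"   # Graph keyword for guest and external users (assumed)


def guests_in_scope(users):
    """True when the policy's user scope covers guests and does not exclude them."""
    inc = set(users.get("includeUsers", []))
    exc = set(users.get("excludeUsers", []))
    return ("All" in inc or GUESTS in inc) and GUESTS not in exc


def audit_guest_policies(policies):
    """Return findings as strings; an empty list means the guest rules hold."""
    findings = []
    always_mfa_for_guests = False
    for p in policies:
        if p.get("state") != "enabled":          # report-only or disabled policies do not protect
            continue
        cond = p.get("conditions", {})
        risk = cond.get("signInRiskLevels", [])
        ctl = set(p.get("grantControls", {}).get("builtInControls", []))
        in_scope = guests_in_scope(cond.get("users", {}))
        name = p.get("displayName", "<unnamed>")
        if "mfa" in ctl and not risk and in_scope:
            always_mfa_for_guests = True          # step 7, first bullet (or E3 "MFA for all users")
        if risk and in_scope:                     # step 7, second bullet
            findings.append(f"{name}: risk-based policy still applies to guests; exclude {GUESTS}")
        if "compliantDevice" in ctl and in_scope:  # step 8 and the note in step 7
            findings.append(f"{name}: device-compliance policy would block guests; exclude {GUESTS}")
    if not always_mfa_for_guests:
        findings.append("No enabled policy requires MFA unconditionally for guests and external users")
    return findings


# Constructed sample: the E5 risk-based policy before the step 7 adjustment,
# the new guest MFA policy, and a compliant-PC policy that already excludes guests.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA when sign-in risk is medium or high", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for guests and external users", "state": "enabled",
     "conditions": {"users": {"includeUsers": [GUESTS], "excludeUsers": []}, "signInRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant PCs", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [GUESTS]}, "signInRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    for line in audit_guest_policies(SAMPLE_POLICIES) or ["Guest policies look correct"]:
        print(line)
```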

9: Optimize your network for cloud connectivity

If you are rapidly enabling the bulk of your employees to work from home, this sudden switch of connectivity patterns can have a significant impact on the corporate network infrastructure. Many networks were scaled and designed before cloud services were adopted. In many cases, networks are tolerant of remote workers, but were not designed to be used remotely by all users simultaneously.

Network elements such as VPN concentrators, central network egress equipment (such as proxies and data loss prevention devices), central internet bandwidth, backhaul MPLS circuits, NAT capability and so on are suddenly put under enormous strain due to the load of the entire business using them. The end result is poor performance and productivity coupled with a poor user experience for users who are adapting to working from home.

Some of the protections that have traditionally been provided by routing traffic back through a corporate network are provided by the cloud apps your users are accessing. If you've reached this step in this article, you've implemented a set of sophisticated cloud security controls for Microsoft 365 services and data. With these controls in place, you may be ready to route remote users' traffic directly to Office 365. If you still require a VPN link for access to other applications, you can greatly improve your performance and user experience by implementing split tunneling. Once you achieve agreement in your organization, this can be accomplished within a day by a well-coordinated network team.

See these resources on Docs for more information:

Recent blog articles on this topic:
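As an added example (not from the article), the following Python selects which Office 365 traffic a split-tunnel VPN should send directly rather than back through the corporate network. It assumes the JSON record format of Microsoft's Office 365 endpoint web service (endpoints.office.com), where each record has a category of Optimize, Allow or Default plus required, urls and ips fields; the records below are constructed samples in that shape, not the live feed, so the code runs offline.

```python
"""Build the direct-route list for VPN split tunneling from Office 365 endpoint records.

Assumption: records follow the Office 365 endpoint web service format
(fields id, serviceArea, category, required, urls, ips, tcpPorts, expressRoute).
The endpoint data here is constructed sample data, not the published feed.
"""
import ipaddress

# Constructed sample records in the endpoint web service shape.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "443", "expressRoute": True},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["*.protection.outlook.com"], "ips": ["40.92.0.0/15"],
     "tcpPorts": "443", "expressRoute": True},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.office.net"], "tcpPorts": "443", "expressRoute": False},
    {"id": 4, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"], "ips": ["13.107.136.0/22", "2620:1ec:8f8::/46"],
     "tcpPorts": "80,443", "expressRoute": True},
]


def direct_routes(endpoints, categories=("Optimize",), ipv6=False):
    """Return the prefixes (as strings) that should bypass the VPN tunnel.

    Only records marked required and in the requested categories are used.
    URL-only records (typical of the Default category) carry no ips field and
    cannot be split-tunneled by IP, so they are skipped.
    """
    nets = set()
    for rec in endpoints:
        if not rec.get("required") or rec.get("category") not in categories:
            continue
        for cidr in rec.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4 or ipv6:
                nets.add(net)
    # collapse_addresses merges adjacent or overlapping prefixes so the route table stays short
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def path_for(endpoints, ip, categories=("Optimize",)):
    """Return 'direct' if the destination IP matches a direct route, else 'vpn'."""
    addr = ipaddress.ip_address(ip)
    for cidr in direct_routes(endpoints, categories, ipv6=True):
        if addr in ipaddress.ip_network(cidr):
            return "direct"
    return "vpn"


if __name__ == "__main__":
    print("Exclude from VPN (Optimize only):", direct_routes(SAMPLE_ENDPOINTS, ipv6=True))
    print("outlook.office.com sample IP goes:", path_for(SAMPLE_ENDPOINTS, "13.107.6.153"))
```

Microsoft's own split-tunnel guidance centers on the Optimize category; pass categories=("Optimize", "Allow") to widen the list if your network team agrees to it.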

10: Train users

Training users can save your users and security operations team a lot of time and frustration. Savvy users are less likely to open attachments or click links in questionable email messages, and they are more likely to avoid suspicious websites.

The Harvard Kennedy School Cybersecurity Campaign Handbook provides excellent guidance on establishing a strong culture of security awareness within your organization, including training users to identify phishing attacks.

Microsoft 365 provides the following resources to help inform users in your organization:


Concept | Resources
Microsoft 365 | Customizable learning pathways
  These resources can help you put together training for end users in your organization.
Microsoft 365 security | Learning module: Secure your organization with built-in, intelligent security from Microsoft 365
  This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features.
Multi-factor authentication | Two-step verification: What is the additional verification page?
  This article helps end users understand what multi-factor authentication is and why it's being used at your organization.

In addition to this guidance, Microsoft recommends that your users take the actions described in this article: Protect your account and devices from hackers and malware. These actions include:

  • Using strong passwords
  • Protecting devices
  • Enabling security features on Windows 10 and Mac PCs (for unmanaged devices)

Microsoft also recommends that users protect their personal email accounts by taking the actions recommended in the following articles:

11: Get started with Microsoft Cloud App Security

Microsoft Cloud App Security provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Once you get started with Cloud App Security, anomaly detection policies are automatically enabled, but Cloud App Security has an initial learning period of seven days during which not all anomaly detection alerts are raised.

Get started with Cloud App Security now. Later you can set up more sophisticated monitoring and controls.

12: Monitor for threats and take action

Microsoft 365 includes several ways to monitor status and take appropriate actions. Your best starting point is the Microsoft 365 security center (https://security.microsoft.com), where you can view your organization's Microsoft Secure Score, and any alerts or entities that require your attention.

Next steps

Congratulations! You have quickly implemented some of the most important security protections and your organization is much more secure. Now you're ready to go even further with threat protection capabilities (including Microsoft Defender for Endpoint), data classification and protection capabilities, and securing administrative accounts. For a deeper, methodical set of security recommendations for Microsoft 365, see Microsoft 365 Security for Business Decision Makers (BDMs).

Also visit Microsoft's new security center on docs.microsoft.com/security.