Configure teams with baseline protection

In this article, we look at how to deploy teams with a baseline level of protection. This level allows users a wide range of options for collaboration while enhancing permissions management and providing basic protection against oversharing. Recommended protections for this level include identity and device access policies and protection against malware. Additionally, you can apply conditional access policies and data loss protections as needed.

Initial protections

As a first step, we recommend that you configure basic identity and device-access policies. See Policy recommendations for securing Teams chats, groups, and files for details.

We also recommend turning on basic Defender for Office 365 features to guard against malware in documents, attachments, and links. We recommend turning on each of the options in the following table.

| Option | Information |
| --- | --- |
| Safe Attachments for SPO, OneDrive and Teams | Safe Attachments; Defender for Office 365 - SharePoint, OneDrive, and Microsoft Teams |
| Safe Documents | Safe Documents in Microsoft Defender for Office 365 |
| Safe Links for Teams | Office 365 Safe Links in Teams; Safe Links |

Teams guest sharing

In each of the tiers, we have the option of sharing with people outside your organization. For the sensitive and highly sensitive tiers, we will have the option to turn guest sharing off at the team level by using sensitivity labels. But the organization-level guest sharing setting must be turned on for guest sharing to work at all in Teams.

Screenshot of the Teams guest access toggle

To set Teams guest access settings

  1. Log in to the Microsoft 365 admin center at https://admin.microsoft.com.
  2. In the left navigation, click Show all.
  3. Under Admin centers, click Teams.
  4. In the Teams admin center, in the left navigation, expand Org-wide settings and click Guest access.
  5. Ensure that Allow guest access in Teams is set to On.
  6. Make any desired changes to the additional guest settings, and then click Save.

Note

It may take up to twenty-four hours for the Teams guest setting to become active after you turn it on.

Guest sharing is turned on by default for Office 365 groups and SharePoint. However, if you have previously changed any of the guest sharing settings for your organization, we recommend that you review Collaborate with guests in a team to ensure that guest sharing will be available in Teams.

Site and file sharing

To reduce the risk of accidentally sharing files or folders with people outside your organization, we recommend changing the default sharing link for SharePoint to Only people in your organization. (If users need to share externally, and you have enabled guest sharing, they can still change the link type when they share.)

To change the default sharing link

  1. Open the SharePoint admin center.
  2. Under Policies, click Sharing.
  3. Under File and folder links, select Only people in your organization.
  4. Click Save.

For the best guest sharing experience, we also recommend that you enable SharePoint and OneDrive integration with Azure AD B2B.
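The tenant-level settings above (Defender for Office 365 options, Teams guest access, the default sharing link, and Azure AD B2B integration) can also be checked from PowerShell. The following read-only audit is an added example, not part of the original article; it assumes the SharePoint Online, Microsoft Teams, and Exchange Online PowerShell modules are installed and their sessions are already connected, and the admin URL shown in the comment is a placeholder.

```powershell
# Added example: read-only audit of the baseline settings described in this article.
# Assumption: these sessions are already open (tenant name is a placeholder):
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   Connect-MicrosoftTeams
#   Connect-ExchangeOnline

$spo   = Get-SPOTenant                                   # SharePoint tenant settings
$teams = Get-CsTeamsClientConfiguration -Identity Global # org-wide Teams settings
$atp   = Get-AtpPolicyForO365                            # Defender for Office 365 global settings

$checks = @(
    [pscustomobject]@{ Setting  = 'Safe Attachments for SPO, OneDrive and Teams'
                       Expected = $true
                       Actual   = $atp.EnableATPForSPOTeamsODB }
    [pscustomobject]@{ Setting  = 'Safe Documents'
                       Expected = $true
                       Actual   = $atp.EnableSafeDocs }
    [pscustomobject]@{ Setting  = 'Allow guest access in Teams'
                       Expected = $true
                       Actual   = $teams.AllowGuestUser }
    # "Only people in your organization" is the Internal link type.
    [pscustomobject]@{ Setting  = 'Default sharing link'
                       Expected = 'Internal'
                       Actual   = "$($spo.DefaultSharingLinkType)" }
    [pscustomobject]@{ Setting  = 'SharePoint/OneDrive integration with Azure AD B2B'
                       Expected = $true
                       Actual   = $spo.EnableAzureADB2BIntegration }
)

# Safe Links for Teams is configured per Safe Links policy, so report each policy.
foreach ($policy in Get-SafeLinksPolicy) {
    $checks += [pscustomobject]@{ Setting  = "Safe Links for Teams ($($policy.Name))"
                                  Expected = $true
                                  Actual   = $policy.EnableSafeLinksForTeams }
}

# Show every setting with a pass/fail column; nothing is modified.
$checks |
    Select-Object Setting, Expected, Actual,
        @{ Name = 'Compliant'; Expression = { $_.Actual -eq $_.Expected } } |
    Format-Table -AutoSize
```

Because the Teams guest setting can take up to twenty-four hours to become active, a recent change may not yet be reflected in what users experience even when the audit reports it as set.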

Create a team

Additional configuration for the baseline level of protection is done in the SharePoint site associated with a team. Create a public or private team before proceeding to the next section.

Site sharing settings

By default, members of a SharePoint site can invite others to the site. When a site is part of a team, team members are included as site members. However, people added directly to the site don't have access to the rest of the team. For this reason, we recommend managing permissions exclusively through the team.

To help with permissions management, we recommend configuring the associated site to allow only owners to share the site itself. This simplifies permissions management and helps prevent access by people without a team owner's knowledge. Do this for each team that requires baseline protection.

To update the site sharing settings

  1. In the tool bar for the team, click Files.
  2. Click Open in SharePoint.
  3. In the tool bar of the SharePoint site, click the settings icon, and then click Site permissions.
  4. In the Site permissions pane, under Site sharing, click Change how members can share.
  5. Under Sharing permissions, choose "Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site", and then click Save.

Additional protections

Microsoft 365 offers additional methods for securing your content. Consider if the following options would help improve security for your organization.

See Also

Manage meeting policies in Teams

Get started with insider risk management