Connect Azure Arc enabled servers to Azure Security Center

This article provides guidance on how to onboard an Azure Arc enabled server to Azure Security Center. This helps you start collecting security-related configurations and event logs so you can recommend actions and improve your overall Azure security posture.

In the following procedures, you enable and configure the Azure Security Center Standard tier on your Azure subscription. This provides advanced threat protection (ATP) and detection capabilities. The process includes:

  • Set up a Log Analytics workspace where logs and events are aggregated for analysis.
  • Assign Security Center's default security policies.
  • Review Azure Security Center's recommendations.
  • Apply recommended configurations on Azure Arc enabled servers using the Quick Fix remediations.

Important

The procedures in this article assume you've already deployed VMs, or servers that are running on-premises or in other clouds, and that you have connected them to Azure Arc. If you haven't, the following information can help you automate this.

Prerequisites

  1. Clone the Azure Arc Jumpstart repository.

    git clone https://github.com/microsoft/azure_arc
    
  2. As mentioned, this guide starts at the point where you have already deployed and connected VMs or bare-metal servers to Azure Arc. For this scenario, we use a Google Cloud Platform (GCP) instance that has already been connected to Azure Arc and is visible as a resource in Azure, as shown in the following screenshots:

    Screenshot of an Azure Arc enabled server in the Azure portal.

    Screenshot of the details of an Azure Arc enabled server in the Azure portal.

  3. Install or update Azure CLI. Azure CLI should be running version 2.7 or later. Use az --version to check your currently installed version.

  4. Create an Azure service principal.

    To connect a VM or bare-metal server to Azure Arc, an Azure service principal assigned the Contributor role is required. To create it, sign in to your Azure account and run the following command. You can also run this command in Azure Cloud Shell.

    az login
    az ad sp create-for-rbac -n "<Unique SP Name>" --role contributor
    

    For example:

    az ad sp create-for-rbac -n "http://AzureArcServers" --role contributor
    

    Output should look like this:

    {
      "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "displayName": "AzureArcServers",
      "name": "http://AzureArcServers",
      "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }
    

Note

We highly recommend that you scope the service principal to a specific Azure subscription and resource group.

Onboard Azure Security Center

  1. Data collected by Azure Security Center is stored in a Log Analytics workspace. You can either use the default one created by Azure Security Center or a custom one created by you. If you want to create a dedicated workspace, you can automate the deployment by editing the Azure Resource Manager template (ARM template) parameters file and providing a name and location for your workspace:

    Screenshot of the ARM template.

  2. To deploy the ARM template, navigate to the deployment folder and run the following command:

    az deployment group create --resource-group <Name of the Azure resource group> \
    --template-file <The `log_analytics-template.json` template file location> \
    --parameters <The `log_analytics-template.parameters.json` template file location>
    
  3. If you are using a user-defined workspace, you must instruct Security Center to use it instead of the default one with the following command:

    az security workspace-setting create --name default \
    --target-workspace '/subscriptions/<Your subscription ID>/resourceGroups/<Name of the Azure resource group>/providers/Microsoft.OperationalInsights/workspaces/<Name of the Log Analytics Workspace>'
    
  4. Select the Azure Security Center tier. The Free tier is enabled on all your Azure subscriptions by default and provides continuous security assessment and actionable security recommendations. In this guide, you use the Standard tier for Azure Virtual Machines, which extends these capabilities by providing unified security management and threat protection across your hybrid cloud workloads. To enable the Standard tier of Azure Security Center for VMs, run the following command:

    az security pricing create -n VirtualMachines --tier 'standard'
    
  5. Assign the default Security Center policy initiative. Azure Security Center makes its security recommendations based on policies. There is a specific initiative that groups Security Center policies, with the definition ID 1f3afdf9-d0c9-4c3d-847f-89da613e70a8. The following command assigns the Azure Security Center initiative to your subscription.

    az policy assignment create --name 'Azure Security Center Default <Your subscription ID>' \
    --scope '/subscriptions/<Your subscription ID>' \
    --policy-set-definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
    
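The five onboarding steps above, combined with the scoped service principal that the Note under Prerequisites recommends, as one shell script. This is an added example and not part of the original article; the environment variables, the resource-group scope for the principal, and the local template file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: Security Center onboarding with a
# user-defined Log Analytics workspace and a service principal scoped to one
# resource group (per the Note above) instead of Contributor on the subscription.
# Assumed inputs: SUBSCRIPTION_ID, RESOURCE_GROUP, WORKSPACE_NAME and SP_NAME are
# set by the caller; the ARM template and its parameters file are in $PWD.
set -eu

# Full ARM resource ID of a Log Analytics workspace: the value that
# 'az security workspace-setting create --target-workspace' expects.
workspace_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' "$1" "$2" "$3"
}

# Resource-group scope for the service principal.
resource_group_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Returns 0 when an azure-cli version string (e.g. 2.37.0) is 2.7 or later.
az_version_ok() {
  major="${1%%.*}"
  rest="${1#*.}"
  minor="${rest%%.*}"
  [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 7 ]; }
}

onboard() {
  ver="$(az version --query '"azure-cli"' -o tsv)"
  az_version_ok "$ver" || { echo "azure-cli 2.7 or later required, found $ver" >&2; return 1; }

  # Service principal limited to the resource group that holds the Arc machines.
  az ad sp create-for-rbac -n "$SP_NAME" --role contributor \
    --scopes "$(resource_group_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"

  # Dedicated workspace from the ARM template, then point Security Center at it.
  az deployment group create --resource-group "$RESOURCE_GROUP" \
    --template-file log_analytics-template.json \
    --parameters log_analytics-template.parameters.json
  az security workspace-setting create --name default \
    --target-workspace "$(workspace_resource_id "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE_NAME")"

  # Standard tier for VMs and the default Security Center policy initiative.
  az security pricing create -n VirtualMachines --tier 'standard'
  az policy assignment create --name "Azure Security Center Default $SUBSCRIPTION_ID" \
    --scope "/subscriptions/$SUBSCRIPTION_ID" \
    --policy-set-definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
}

# Run only when invoked with "run", so the helpers can be sourced and checked first.
if [ "${1:-}" = "run" ]; then onboard; fi
```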

Azure Arc and Azure Security Center integration

After you successfully onboard Azure Security Center, you'll get recommendations to help you protect your resources, including your Azure Arc enabled servers. Azure Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities.

In the Compute & Apps section under VM & Servers, Azure Security Center provides an overview of all the discovered security recommendations for your VMs and computers, including Azure VMs, Azure classic VMs, servers, and Azure Arc machines.

Screenshot of the Compute & Apps section of Azure Security Center.

On the Azure Arc enabled servers, Azure Security Center recommends installing the Log Analytics agent. Each recommendation also includes:

  • A short description of the recommendation.
  • A secure score impact, in this case with a status of High.
  • The remediation steps to carry out in order to implement the recommendation.

For specific recommendations, like the one in the following screenshot, you also get a Quick Fix that enables you to quickly remediate a recommendation on multiple resources.

Screenshot of Azure Security Center recommendations for Azure Arc enabled servers.

Screenshot of the Azure Security Center recommendation to install Log Analytics.

The following Quick Fix remediation uses an ARM template to deploy the Microsoft Monitoring Agent extension on the Azure Arc machine.

Screenshot of the Azure Security Center Quick Fix ARM template.

You can trigger the remediation with the ARM template from the Azure Security Center dashboard by selecting the Log Analytics workspace used for Azure Security Center and then choosing Remediate 1 resource.

Screenshot of how to trigger the remediation step in Azure Security Center.

After you apply the recommendation on the Azure Arc enabled server, the resource is marked as healthy.

Screenshot of a healthy Azure Arc enabled server.

Clean up your environment

Complete the following steps to clean up your environment.

  1. Remove the virtual machines from each environment by following the teardown instructions from each guide.

  2. Remove the Log Analytics workspace by running the following command in Azure CLI. Provide the workspace name you used when creating the Log Analytics workspace.

az monitor log-analytics workspace delete --resource-group <Name of the Azure resource group> --workspace-name <Log Analytics Workspace Name> --yes