Tutorial: Protect your resources with Azure Security Center

Security Center limits your exposure to threats by using access and application controls to block malicious activity. Just-in-Time (JIT) virtual machine (VM) access reduces your exposure to attacks by enabling you to deny persistent access to VMs. Instead, you provide controlled and audited access to VMs only when needed. Adaptive application controls help harden VMs against malware by controlling which applications can run on your VMs. Security Center uses machine learning to analyze the processes running in the VM and helps you apply whitelisting rules using this intelligence.

In this tutorial, you learn how to:

  • Configure a just-in-time VM access policy
  • Configure an application control policy

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To step through the features covered in this tutorial, you must be on Security Center's Standard pricing tier. You can try Security Center Standard at no cost. To learn more, see the pricing page. The quickstart Onboard your Azure subscription to Security Center Standard walks you through how to upgrade to Standard.

Manage VM access

JIT VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

Management ports do not need to be open at all times. They only need to be open while you are connected to the VM, for example to perform management or maintenance tasks. When just-in-time is enabled, Security Center uses Network Security Group (NSG) rules to restrict access to management ports so they cannot be targeted by attackers.

  1. In the Security Center main menu, select Just-in-Time VM access under ADVANCED CLOUD DEFENSE.

    (Figure: Just-in-Time VM access)

    Just-in-Time VM access provides information on the state of your VMs:

    • Configured - VMs that have been configured to support just-in-time VM access.

    • Recommended - VMs that can support just-in-time VM access but have not been configured to.

    • No recommendation - Reasons that can cause a VM not to be recommended are:

      • Missing NSG - The just-in-time solution requires an NSG to be in place.
      • Classic VM - Security Center just-in-time VM access currently supports only VMs deployed through Azure Resource Manager.
      • Other - A VM is in this category if the just-in-time solution is turned off in the security policy of the subscription or the resource group, or if the VM is missing a public IP and doesn't have an NSG in place.
  2. Select a recommended VM and click Enable JIT on 1 VM to configure a just-in-time policy for that VM:

    You can save the default ports that Security Center recommends, or you can add and configure a new port on which you want to enable the just-in-time solution. In this tutorial, let's add a port by selecting Add.

    (Figure: Add port configuration)

  3. Under Add port configuration, you identify:

    • The port
    • The protocol type
    • Allowed source IPs - IP ranges allowed to get access upon an approved request
    • Maximum request time - the maximum time window for which a specific port can be opened
  4. Select OK to save.
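The steps above configure a JIT policy through the portal; the following added example (written for this tutorial, not Security Center's own code or an Azure API) models what such a policy does with the four values from step 3. Inbound traffic to a managed port is denied by default, a request is checked against the port's protocol, allowed source ranges and maximum request time, an approved request opens the port for that one source until an expiry, and every decision is recorded in an audit log. The VM name, addresses, ports and durations are constructed sample values.

```python
# Added example (not from the tutorial or Microsoft's code): a small model of a
# just-in-time VM access policy. Port configurations carry the four values the
# tutorial's "Add port configuration" step asks for; access is denied by default
# and an approved request opens the port for one source, for a bounded window.
# All names, sample addresses and durations are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PortConfig:
    port: int
    protocol: str               # "TCP", "UDP" or "*" (any)
    allowed_source_ips: tuple   # CIDR ranges, or "*" for any source
    max_request_minutes: int    # maximum window a request may ask for


@dataclass
class AccessGrant:
    port: int
    protocol: str
    source_ip: str
    expires_at: datetime


@dataclass
class JitPolicy:
    vm_name: str
    ports: dict                          # port number -> PortConfig
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def request_access(self, port, protocol, source_ip, minutes, now):
        """Validate a request against the policy. Returns (True, grant) or
        (False, reason); every decision is appended to the audit log."""
        cfg = self.ports.get(port)
        proto = protocol.upper()
        if cfg is None:
            reason = "port not in JIT policy"
        elif cfg.protocol not in ("*", proto):
            reason = "protocol not permitted on this port"
        elif not _source_allowed(cfg.allowed_source_ips, source_ip):
            reason = "source IP outside allowed ranges"
        elif not 0 < minutes <= cfg.max_request_minutes:
            reason = f"requested window exceeds maximum of {cfg.max_request_minutes} minutes"
        else:
            reason = None
        self.audit_log.append({"time": now, "port": port, "protocol": proto,
                               "source": source_ip, "minutes": minutes,
                               "approved": reason is None, "reason": reason})
        if reason:
            return False, reason
        grant = AccessGrant(port, proto, source_ip, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        return True, grant

    def is_allowed(self, port, protocol, source_ip, now):
        """Default deny: traffic to a JIT-managed port passes only via a live grant."""
        return any(g.port == port and g.protocol == protocol.upper()
                   and g.source_ip == source_ip and now < g.expires_at
                   for g in self.grants)

    def effective_nsg_rules(self, now):
        """Render the current state as NSG-style rules: a temporary Allow per
        live grant, followed by a persistent Deny for each managed port."""
        rules = []
        prio = 100
        for g in self.grants:
            if now < g.expires_at:
                rules.append({"priority": prio, "access": "Allow", "port": g.port,
                              "protocol": g.protocol, "source": g.source_ip,
                              "expires_at": g.expires_at})
                prio += 1
        for p in sorted(self.ports):
            rules.append({"priority": 1000 + p, "access": "Deny", "port": p,
                          "protocol": "*", "source": "*"})
        return rules


def _source_allowed(ranges, source_ip):
    addr = ip_address(source_ip)
    return any(r == "*" or addr in ip_network(r) for r in ranges)


def build_example_policy():
    """Constructed sample: RDP only from an internal range, SSH from anywhere."""
    return JitPolicy("vm-web-01", {
        3389: PortConfig(3389, "TCP", ("10.0.0.0/8",), 180),
        22: PortConfig(22, "TCP", ("*",), 60),
    })


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = build_example_policy()
    print(policy.request_access(3389, "tcp", "10.1.2.3", 120, t0))
    print(policy.is_allowed(3389, "tcp", "10.1.2.3", t0 + timedelta(minutes=121)))
    for rule in policy.effective_nsg_rules(t0):
        print(rule)
```

The point of the model is the ordering in `effective_nsg_rules`: the Deny rules are permanent and the Allow rules carry an expiry, so once the requested window lapses the port is closed again without any further action by the requester. A request from a source outside the configured ranges, or for longer than the maximum request time, is rejected and still logged, which is the audit trail you would review.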

Harden VMs against malware

Adaptive application controls help you define a set of applications that are allowed to run on configured resource groups, which among other benefits helps harden your VMs against malware. Security Center uses machine learning to analyze the processes running in the VM and helps you apply whitelisting rules using this intelligence.

This feature is only available for Windows machines.

  1. Return to the Security Center main menu. Under ADVANCED CLOUD DEFENSE, select Adaptive application controls.

    (Figure: Adaptive application controls)

    The Resource groups section contains three tabs:

    • Configured: List of resource groups containing the VMs that were configured with application control.
    • Recommended: List of resource groups for which application control is recommended.
    • No recommendation: List of resource groups containing VMs without any application control recommendations. For example, VMs on which applications are always changing and haven't reached a steady state.
  2. Select the Recommended tab for a list of resource groups with application control recommendations.

    (Figure: Application control recommendations)

  3. Select a resource group to open the Create application control rules option. In Select VMs, review the list of recommended VMs and uncheck any you do not want to apply application control to. In Select processes for whitelisting rules, review the list of recommended applications and uncheck any you do not want to apply. The list includes:

    • NAME: The full application path
    • PROCESSES: How many applications reside within every path
    • COMMON: "Yes" indicates that these processes have been executed on most VMs in this resource group
    • EXPLOITABLE: A warning icon indicates whether the applications could be used by an attacker to bypass application whitelisting. It is recommended to review these applications prior to their approval.
  4. Once you finish your selections, select Create.
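To make the NAME, PROCESSES and COMMON columns from step 3 concrete, here is an added example (written for this tutorial, not Security Center's machine-learning model or any Azure API) that builds the same kind of recommendation table from observed process executions across a resource group's VMs, lets you deselect VMs and paths as the step describes, and then evaluates later executions against the resulting allowlist. The VM names and executable paths are constructed sample data.

```python
# Added example (not from the tutorial or Microsoft's code): derive an
# application-control recommendation table from observed executions and
# evaluate new executions against the rules chosen from it. Sample data
# and all names below are constructed for illustration.
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: executables observed running on each VM of a resource group.
OBSERVED = {
    "vm-app-01": [r"C:\Program Files\App\svc.exe",
                  r"C:\Program Files\App\worker.exe",
                  r"C:\Windows\System32\svchost.exe"],
    "vm-app-02": [r"C:\Program Files\App\svc.exe",
                  r"C:\Windows\System32\svchost.exe"],
    "vm-app-03": [r"C:\Program Files\App\svc.exe",
                  r"C:\Windows\System32\svchost.exe",
                  r"C:\Users\tmp\updater.exe"],
}


def _norm(path):
    """Windows paths are case-insensitive, so compare them in one case."""
    return str(PureWindowsPath(path)).lower()


def recommend_rules(observed, selected_vms=None):
    """Group executables by directory (NAME), count distinct executables per
    directory (PROCESSES) and mark a directory COMMON when more than half of
    the selected VMs ran something from it. Deselected VMs are ignored,
    matching the 'Select VMs' step."""
    vms = {vm: exes for vm, exes in observed.items()
           if selected_vms is None or vm in selected_vms}
    by_dir = defaultdict(lambda: {"processes": set(), "vms": set()})
    for vm, exes in vms.items():
        for exe in exes:
            directory = _norm(PureWindowsPath(exe).parent)
            by_dir[directory]["processes"].add(_norm(exe))
            by_dir[directory]["vms"].add(vm)
    total = len(vms)
    return [{"name": d,
             "processes": len(v["processes"]),
             "common": "Yes" if len(v["vms"]) > total / 2 else "No",
             "executables": sorted(v["processes"])}
            for d, v in sorted(by_dir.items())]


def build_allowlist(rules, unchecked_paths=()):
    """Keep only the rows the reviewer left checked; the allowlist is the set
    of individual executables under the approved paths."""
    skip = {_norm(p) for p in unchecked_paths}
    return {exe for r in rules if r["name"] not in skip for exe in r["executables"]}


def evaluate(executable, allowlist):
    """Verdict for a single execution event against the chosen allowlist."""
    return "allowed" if _norm(executable) in allowlist else "not in allowlist"


if __name__ == "__main__":
    rules = recommend_rules(OBSERVED)
    for r in rules:
        print(r["name"], r["processes"], r["common"])
    allowlist = build_allowlist(rules, unchecked_paths=[r"C:\Users\tmp"])
    print(evaluate(r"C:\PROGRAM FILES\App\svc.exe", allowlist))
    print(evaluate(r"C:\Users\tmp\updater.exe", allowlist))
```

Two design choices worth noting: the allowlist is built from individual executables rather than whole directories, so a new binary dropped into an approved folder still shows up as "not in allowlist", and paths are compared case-insensitively because Windows treats them that way. A path that was seen on only one VM (here the user-profile directory) is the kind of row marked COMMON "No" that the tutorial asks you to review before approving.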

Clean up resources

Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, continue running the Standard tier and keep automatic provisioning enabled. If you do not plan to continue, or wish to return to the Free tier:

  1. Return to the Security Center main menu and select Security Policy.
  2. Select the subscription or policy that you want to return to Free. Security policy opens.
  3. Under POLICY COMPONENTS, select Pricing tier.
  4. Select Free to change the subscription from the Standard tier to the Free tier.
  5. Select Save.

If you wish to disable automatic provisioning:

  1. Return to the Security Center main menu and select Security policy.
  2. Select the subscription for which you wish to disable automatic provisioning.
  3. Under Security policy - Data Collection, select Off under Onboarding to disable automatic provisioning.
  4. Select Save.

Note

Disabling automatic provisioning does not remove the Microsoft Monitoring Agent from Azure VMs where the agent has been provisioned. Disabling automatic provisioning limits security monitoring for your resources.

Next steps

In this tutorial, you learned how to limit your exposure to threats by:

  • Configuring a just-in-time VM access policy to provide controlled and audited access to VMs only when needed
  • Configuring an adaptive application controls policy to control which applications can run on your VMs

Advance to the next tutorial to learn about responding to security incidents.