Working with security policies

This article explains how security policies are configured and how to view them in Security Center. Azure Security Center automatically assigns its built-in security policies to each subscription that is onboarded. You configure them in Azure Policy, which also lets you set policies across management groups and across multiple subscriptions.

For instructions on how to set policies using PowerShell, see Quickstart: Create a policy assignment to identify non-compliant resources using the Azure PowerShell module.

Note

Security Center has started its integration with Azure Policy. Existing customers are automatically migrated to the new built-in initiative in Azure Policy, which replaces the previous security policies in Security Center. This change does not affect your resources or environment, other than the presence of the new initiative in Azure Policy.

What are security policies?

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. In Azure Policy, you can define policies for your Azure subscriptions and tailor them to the type of workload or the sensitivity of the data. For example, applications that process regulated data, such as personally identifiable information, might require a higher level of security than other workloads. To set a policy across subscriptions or on management groups, set it in Azure Policy.

Your security policies drive the security recommendations you get in Azure Security Center. You can monitor compliance with them to help you identify potential vulnerabilities and mitigate threats. For more information about how to determine the option that is appropriate for you, see the list of built-in security policies.

When you enable Security Center, the security policy built into Security Center is reflected in Azure Policy as a built-in initiative under the category Security Center. The built-in initiative is automatically assigned to all subscriptions registered with Security Center (Free or Standard tier). The built-in initiative contains only Audit policies, so it reports non-compliant resources but never blocks or changes a deployment.

Management groups

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance across them. Azure Management Groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance policies to the management groups. All subscriptions within a management group automatically inherit the policies applied to the management group. Each directory is given a single top-level management group called the "root" management group. This root management group is built into the hierarchy so that all management groups and subscriptions fold up to it, which allows global policies and RBAC assignments to be applied at the directory level. To set up management groups for use with Azure Security Center, follow the instructions in Gain tenant-wide visibility for Azure Security Center.

Note

It's important that you understand the hierarchy of management groups and subscriptions. See Organize your resources with Azure Management Groups to learn more about management groups, root management, and management group access.

How security policies work

Security Center automatically creates a default security policy for each of your Azure subscriptions. You can edit the policies in Azure Policy to do the following things:

  • Create new policy definitions.
  • Assign policies across management groups and subscriptions, which can represent an entire organization or a business unit within it.
  • Monitor policy compliance.

For more information about Azure Policy, see Create and manage policies to enforce compliance.

An Azure policy consists of the following components:

  • A policy is a rule.
  • An initiative is a collection of policies.
  • An assignment is the application of an initiative or a policy to a specific scope (management group, subscription, or resource group).

View security policies

To view your security policies in Security Center:

  1. In the Security Center dashboard, select Security policy.

    (Screenshot: Policy management pane)

    In the Policy management screen, you can see the number of management groups, subscriptions, and workspaces, as well as your management group structure.

    Note

    • The Security Center dashboard may show a higher number of subscriptions under Subscription coverage than the number shown under Policy management. Subscription coverage counts Standard, Free, and "not covered" subscriptions. The "not covered" subscriptions do not have Security Center enabled and are not displayed under Policy management.

    The columns in the table display:

    • Policy initiative assignment – the Security Center built-in policies and initiatives assigned to the subscription or management group.
    • Coverage – the pricing tier, Free or Standard, that the management group, subscription, or workspace is running on. See Pricing to learn more about Security Center's pricing tiers.
    • Settings – subscriptions have an Edit settings link. Selecting Edit settings lets you update the Security Center settings for each subscription or management group.
    • Secure score – the Secure score measures the security posture of your workloads and helps you prioritize recommendations for improvement.
  2. Select the subscription or management group whose policies you want to view.

    • The Security policy screen reflects the action taken by the policies assigned to the subscription or management group you selected.
    • At the top, use the links provided to open each policy assignment that applies to the subscription or management group. You can use the links to access the assignment and edit or disable the policy. For example, if you see that a particular policy assignment is effectively denying endpoint protection, you can use the link to access the policy and edit or disable it.
    • In the list of policies, you can see the effective application of each policy on your subscription or management group. The settings of every assignment that applies to the scope are taken into account, and you are shown the cumulative outcome. For example, if the policy is disabled in one assignment but set to AuditIfNotExists in another, the cumulative effect is AuditIfNotExists: the more active effect always takes precedence. In practice, this means you cannot silence a policy on a subscription while an assignment higher in the hierarchy keeps it active.
    • A policy's effect can be one of: Append, Audit, AuditIfNotExists, Deny, DeployIfNotExists, Disabled. For more information on how effects are applied, see Understand Policy effects.

    (Screenshot: Policy screen)

Note

  • When you view assigned policies, you can see multiple assignments and how each assignment is configured on its own.

Edit security policies

You can edit the default security policy for each of your Azure subscriptions and management groups in Azure Policy. To modify a security policy, you must be an Owner, Contributor, or Security Admin of the subscription or of the containing management group.

For instructions on how to edit a security policy in Azure Policy, see Create and manage policies to enforce compliance.

You can edit security policies through the Azure Policy portal, through the REST API, or with Windows PowerShell. The section Configure a security policy using the REST API, later in this article, shows how to do it with the REST API.

Disable security policies

If the default security policy generates a recommendation that is not relevant for your environment, you can stop it by disabling the policy definition that produces the recommendation. For more information about recommendations, see Managing security recommendations.

  1. In Security Center, from the Policy & Compliance section, click Security policy.

    (Screenshot: Policy management)

  2. Click the subscription or management group for which you want to disable the recommendation.

    Note

    Remember that a management group applies its policies to its subscriptions. Therefore, if you disable a policy on a subscription that belongs to a management group which still uses the same policy, you will continue to receive the recommendations for that policy: the policy is still applied from the management group level, and the recommendations are still generated.

  3. Click the assigned policy.

    (Screenshot: Disable policy)

  4. In the PARAMETERS section, find the policy that produces the recommendation you want to disable, and from its dropdown list select Disabled.

    (Screenshot: Disable policy)

  5. Click Save.

    Note

    Changes that disable a policy can take up to 12 hours to take effect.
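The following Python script is an added example and is not code from the original article or from Microsoft. It models the two rules stated above: a subscription inherits every assignment made on its management-group ancestors, and for each policy the more active effect wins, so a parameter set to Disabled on the subscription is still enforced while an assignment higher up leaves it active. The assignment bodies, scopes, and subscription id are constructed for the demonstration; the assumption that a parameter an assignment leaves unset keeps the initiative default (taken here as AuditIfNotExists, since the built-in initiative contains only Audit policies) is labelled in the code.

```python
"""Added example: compute the effective effect of Security Center policies when
several Azure Policy assignments apply to one subscription.

Rules from the article: a subscription inherits assignments made on its
management-group ancestors, and for each policy the more active effect wins,
so Disabled in one assignment never overrides an active effect in another.
"""
from typing import Dict, Iterable, List

# Effect parameter names, as listed in the article's policy names reference.
EFFECT_PARAMETERS = [
    "systemUpdatesMonitoringEffect",
    "systemConfigurationsMonitoringEffect",
    "endpointProtectionMonitoringEffect",
    "webApplicationFirewallMonitoringEffect",
]
# Assumption: a parameter the assignment leaves unset keeps the initiative's
# default, taken here as AuditIfNotExists (the initiative holds only Audit policies).
DEFAULT_EFFECT = "AuditIfNotExists"

# Constructed scopes for the demo (not real management groups or subscriptions).
MG_CONTOSO = "/providers/Microsoft.Management/managementGroups/Contoso"
MG_FABRIKAM = "/providers/Microsoft.Management/managementGroups/Fabrikam"
SUB_PROD = "/subscriptions/00000000-0000-0000-0000-000000000001"

# Constructed assignments in the shape of the article's REST request bodies,
# each tagged with the scope it was created on.
SAMPLE_ASSIGNMENTS = [
    {   # inherited from the management group: only WAF monitoring switched off
        "scope": MG_CONTOSO,
        "properties": {"parameters": {
            "webApplicationFirewallMonitoringEffect": {"value": "Disabled"}}},
    },
    {   # made directly on the subscription: an admin tried to silence system updates
        "scope": SUB_PROD,
        "properties": {"parameters": {
            "systemUpdatesMonitoringEffect": {"value": "Disabled"},
            "webApplicationFirewallMonitoringEffect": {"value": "Disabled"}}},
    },
    {   # a management group the subscription is not under: must be ignored
        "scope": MG_FABRIKAM,
        "properties": {"parameters": {
            "endpointProtectionMonitoringEffect": {"value": "Disabled"}}},
    },
]


def assignments_in_scope(assignments: Iterable[dict], subscription_scope: str,
                         ancestor_scopes: Iterable[str]) -> List[dict]:
    """Keep the assignments Azure Policy evaluates for this subscription: those
    made on the subscription itself or on any of its management-group ancestors."""
    applicable = {subscription_scope, *ancestor_scopes}
    return [a for a in assignments if a["scope"] in applicable]


def assignment_effects(assignment: dict) -> Dict[str, str]:
    """Effect this one assignment sets for every known parameter, falling back
    to the initiative default for parameters it does not mention."""
    params = assignment.get("properties", {}).get("parameters", {})
    return {p: params.get(p, {}).get("value", DEFAULT_EFFECT) for p in EFFECT_PARAMETERS}


def effective_effects(assignments: Iterable[dict]) -> Dict[str, str]:
    """Cumulative outcome per policy. Disabled is dropped as soon as any other
    assignment keeps the policy active; if different assignments set different
    active effects, each still evaluates the resource, so all are listed."""
    per_assignment = [assignment_effects(a) for a in assignments]
    result = {}
    for p in EFFECT_PARAMETERS:
        active = sorted({e[p] for e in per_assignment} - {"Disabled"})
        result[p] = " + ".join(active) if active else "Disabled"
    return result


def effective_for_prod() -> Dict[str, str]:
    """What SUB_PROD actually gets once the Contoso inheritance is applied."""
    in_scope = assignments_in_scope(SAMPLE_ASSIGNMENTS, SUB_PROD, [MG_CONTOSO])
    return effective_effects(in_scope)


if __name__ == "__main__":
    for parameter, effect in effective_for_prod().items():
        print(f"{parameter:42} {effect}")
```

Running it shows systemUpdatesMonitoringEffect still evaluated as AuditIfNotExists despite the subscription-level Disabled, because the Contoso assignment keeps it active; only webApplicationFirewallMonitoringEffect ends up Disabled, since both assignments in scope switch it off. The Fabrikam assignment has no effect on this subscription.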

Configure a security policy using the REST API

As part of its native integration with Azure Policy, Azure Security Center lets you use Azure Policy's REST API to create policy assignments. The following instructions walk you through creating policy assignments and customizing existing ones.

Important concepts in Azure Policy:

  • A policy definition is a rule.

  • An initiative is a collection of policy definitions (rules).

  • An assignment is the application of an initiative or a policy to a specific scope (management group, subscription, and so on).

Security Center has a built-in initiative that includes all of its security policies. To assess Security Center's policies on your Azure resources, create an assignment on the management group or subscription you want to assess.

The built-in initiative has all of Security Center's policies enabled by default. You can disable individual policies in the built-in initiative by changing the value of that policy's effect parameter to Disabled. For example, you can apply all of Security Center's policies except the web application firewall policy by setting its effect parameter (listed in the policy names reference later in this article) to Disabled.

API examples

In the following examples, replace these variables:

  • {scope}: the scope you are applying the policy to, as a resource path: subscriptions/{subscriptionId} for a subscription, or providers/Microsoft.Management/managementGroups/{managementGroupId} for a management group.
  • {policyAssignmentName}: the name of the relevant policy assignment.
  • {name}: your name, or the name of the administrator who approved the policy change.

This example shows how to assign the built-in Security Center initiative to a subscription or management group:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

Request Body (JSON)

{
  "properties": {
    "displayName": "Enable Monitoring in Azure Security Center",
    "metadata": {
      "assignedBy": "{name}"
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "parameters": {}
  }
}

This example shows how to assign the built-in Security Center initiative to a subscription with the following policies disabled:

  • System updates (systemUpdatesMonitoringEffect)

  • Security configurations (systemConfigurationsMonitoringEffect)

  • Endpoint protection (endpointProtectionMonitoringEffect)

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

Request Body (JSON)

{
  "properties": {
    "displayName": "Enable Monitoring in Azure Security Center",
    "metadata": {
      "assignedBy": "{name}"
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "parameters": {
      "systemUpdatesMonitoringEffect": { "value": "Disabled" },
      "systemConfigurationsMonitoringEffect": { "value": "Disabled" },
      "endpointProtectionMonitoringEffect": { "value": "Disabled" }
    }
  }
}

This example shows how to remove an assignment. Because the built-in initiative carries all of Security Center's policies, deleting its assignment stops every Security Center policy evaluation for that scope, not just one policy:

DELETE https://management.azure.com/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01

Policy names reference

| Policy name in Security Center | Policy name displayed in Azure Policy | Policy effect parameter name |
|---|---|---|
| SQL Encryption | Monitor unencrypted SQL database in Azure Security Center | sqlEncryptionMonitoringEffect |
| SQL Auditing | Monitor unaudited SQL database in Azure Security Center | sqlAuditingMonitoringEffect |
| System updates | Monitor missing system updates in Azure Security Center | systemUpdatesMonitoringEffect |
| Storage encryption | Audit missing blob encryption for storage accounts | storageEncryptionMonitoringEffect |
| JIT Network access | Monitor possible network Just In Time (JIT) access in Azure Security Center | jitNetworkAccessMonitoringEffect |
| Adaptive application controls | Monitor possible app Whitelisting in Azure Security Center | adaptiveApplicationControlsMonitoringEffect |
| Network security groups | Monitor permissive network access in Azure Security Center | networkSecurityGroupsMonitoringEffect |
| Security configurations | Monitor OS vulnerabilities in Azure Security Center | systemConfigurationsMonitoringEffect |
| Endpoint protection | Monitor missing Endpoint Protection in Azure Security Center | endpointProtectionMonitoringEffect |
| Disk encryption | Monitor unencrypted VM Disks in Azure Security Center | diskEncryptionMonitoringEffect |
| Vulnerability assessment | Monitor VM Vulnerabilities in Azure Security Center | vulnerabilityAssessmentMonitoringEffect |
| Web application firewall | Monitor unprotected web application in Azure Security Center | webApplicationFirewallMonitoringEffect |
| Next generation firewall | Monitor unprotected network endpoints in Azure Security Center | |
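The following Python script is an added example, not code from the original article or from Microsoft. It builds the PUT and DELETE requests from the API examples above out of the parameter names in this reference table, so that a policy is disabled by its Security Center name and the request body is always valid JSON. The URL pattern, api-version, and initiative id are the article's; the function names, the sample subscription id and assignment name are this example's own, and the assumption that an Azure AD bearer token for Azure Resource Manager is available in an environment variable applies only to the optional send step, which the offline demo does not run.

```python
"""Added example: build (and optionally send) the Azure Policy REST requests
from the article's API examples, driven by the policy names reference table.
"""
import json
import os
import urllib.request
from typing import Dict, Iterable, Optional, Tuple

ARM = "https://management.azure.com"
API_VERSION = "2018-05-01"
# Id of the built-in Security Center initiative (policy set definition), from the article.
ASC_INITIATIVE = ("/providers/Microsoft.Authorization/policySetDefinitions/"
                  "1f3afdf9-d0c9-4c3d-847f-89da613e70a8")

# Security Center policy name -> effect parameter name (policy names reference).
# "Next generation firewall" is omitted: the article lists no parameter for it.
EFFECT_PARAMETER: Dict[str, str] = {
    "SQL Encryption": "sqlEncryptionMonitoringEffect",
    "SQL Auditing": "sqlAuditingMonitoringEffect",
    "System updates": "systemUpdatesMonitoringEffect",
    "Storage encryption": "storageEncryptionMonitoringEffect",
    "JIT Network access": "jitNetworkAccessMonitoringEffect",
    "Adaptive application controls": "adaptiveApplicationControlsMonitoringEffect",
    "Network security groups": "networkSecurityGroupsMonitoringEffect",
    "Security configurations": "systemConfigurationsMonitoringEffect",
    "Endpoint protection": "endpointProtectionMonitoringEffect",
    "Disk encryption": "diskEncryptionMonitoringEffect",
    "Vulnerability assessment": "vulnerabilityAssessmentMonitoringEffect",
    "Web application firewall": "webApplicationFirewallMonitoringEffect",
}
# Scopes the built-in initiative can be assigned to, as ARM resource-id prefixes.
VALID_SCOPE_PREFIXES = ("/subscriptions/", "/providers/Microsoft.Management/managementGroups/")


def assignment_url(scope: str, assignment_name: str) -> str:
    """URL of the policyAssignments resource; scope is the subscription or
    management-group resource id including its leading slash."""
    if not scope.startswith(VALID_SCOPE_PREFIXES):
        raise ValueError(f"scope must be a subscription or management group id: {scope!r}")
    return (f"{ARM}{scope}/providers/Microsoft.Authorization/policyAssignments/"
            f"{assignment_name}?api-version={API_VERSION}")


def assignment_body(assigned_by: str, disabled: Iterable[str] = ()) -> dict:
    """Request body assigning the built-in initiative. Each policy named in
    `disabled` gets its effect parameter set to Disabled; all others keep the
    initiative defaults. Unknown names are rejected rather than silently ignored."""
    parameters = {}
    for policy in disabled:
        if policy not in EFFECT_PARAMETER:
            raise ValueError(f"unknown Security Center policy: {policy!r}")
        parameters[EFFECT_PARAMETER[policy]] = {"value": "Disabled"}
    return {"properties": {
        "displayName": "Enable Monitoring in Azure Security Center",
        "metadata": {"assignedBy": assigned_by},
        "policyDefinitionId": ASC_INITIATIVE,
        "parameters": parameters,
    }}


def build_put(scope: str, assignment_name: str, assigned_by: str,
              disabled: Iterable[str] = ()) -> Tuple[str, str, dict]:
    """Method, URL and body for creating or updating the assignment."""
    return "PUT", assignment_url(scope, assignment_name), assignment_body(assigned_by, disabled)


def build_delete(scope: str, assignment_name: str) -> Tuple[str, str, Optional[dict]]:
    """Method, URL and (empty) body for removing the assignment."""
    return "DELETE", assignment_url(scope, assignment_name), None


def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, str]:
    """Send the request to Azure Resource Manager. Assumption: a bearer token
    for https://management.azure.com/ is supplied in AZURE_ACCESS_TOKEN (for
    example from `az account get-access-token`). Not executed in the offline demo."""
    token = os.environ["AZURE_ACCESS_TOKEN"]
    data = json.dumps(body).encode() if body is not None else None
    request = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(request) as response:
        return response.status, response.read().decode()


if __name__ == "__main__":
    # Constructed subscription id and assignment name for the demo.
    method, url, body = build_put(
        "/subscriptions/00000000-0000-0000-0000-000000000001", "SecurityCenterBuiltIn",
        "security-admin@contoso.example",
        disabled=["System updates", "Security configurations", "Endpoint protection"])
    print(method, url)
    print(json.dumps(body, indent=2))
    # send(method, url, body)   # uncomment with a valid token to apply the assignment
```

The printed body matches the article's second PUT example. Keeping the policy-name-to-parameter mapping in one place also catches the common mistake of disabling a policy under a misspelled parameter name, which Azure Policy would otherwise accept as an unknown parameter and leave the policy active.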

Who can edit security policies?

Security Center uses Role-Based Access Control (RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure. When users open Security Center, they see only information related to resources they have access to, that is, resources in a subscription or resource group where they hold the Owner, Contributor, or Reader role. In addition to these roles, there are two Security Center-specific roles:

  • Security Reader: has view rights to Security Center, including recommendations, alerts, policy, and health, but cannot make changes.
  • Security Admin: has the same view rights as Security Reader and can also update the security policy and dismiss recommendations and alerts.

Next steps

In this article, you learned how to edit security policies in Azure Policy. To learn more about Security Center, see the following articles:

To learn more about Azure Policy, see What is Azure Policy?