Security best practices for IaaS workloads in Azure

This article describes security best practices for VMs and operating systems.

The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Because opinions and technologies can change over time, this article will be updated to reflect those changes.

In most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) are the main workload for organizations that use cloud computing. This fact is evident in hybrid scenarios where organizations want to slowly migrate workloads to the cloud. In such scenarios, follow the general security considerations for IaaS, and apply security best practices to all your VMs.

Shared responsibility

Your responsibility for security is based on the type of cloud service. The following chart summarizes the balance of responsibility for both Microsoft and you:

(Chart: areas of responsibility)

Security requirements vary depending on a number of factors, including different types of workloads. Not one of these best practices can by itself secure your systems. Like anything else in security, you have to choose the appropriate options and see how the solutions can complement each other by filling gaps.

Protect VMs by using authentication and access control

The first step in protecting your VMs is to ensure that only authorized users can set up new VMs and access VMs.

Note

To improve the security of Linux VMs on Azure, you can integrate with Azure AD authentication. When you use Azure AD authentication for Linux VMs, you centrally control and enforce policies that allow or deny access to the VMs.

Best practice: Control VM access.
Detail: Use Azure policies to establish conventions for resources in your organization and create customized policies. Apply these policies to resources, such as resource groups. VMs that belong to a resource group inherit its policies.

If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into management groups (containers) and apply your governance conditions to those groups. All subscriptions within a management group automatically inherit the conditions applied to the group. Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.

Best practice: Reduce variability in your setup and deployment of VMs.
Detail: Use Azure Resource Manager templates to strengthen your deployment choices and make it easier to understand and inventory the VMs in your environment.

Best practice: Secure privileged access.
Detail: Use a least privilege approach and built-in Azure roles to enable users to access and set up VMs:

  • Virtual Machine Contributor: Can manage VMs, but not the virtual network or storage account to which they are connected.
  • Classic Virtual Machine Contributor: Can manage VMs created by using the classic deployment model, but not the virtual network or storage account to which the VMs are connected.
  • Security Admin: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
  • DevTest Labs User: Can view everything and connect, start, restart, and shut down VMs.

Your subscription admins and coadmins can change this setting, making them administrators of all the VMs in a subscription. Be sure that you trust all of your subscription admins and coadmins to log in to any of your machines.
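The following Azure PowerShell script is an added example, not part of the original article, showing the least-privilege pattern described above: a built-in role scoped to a single resource group, followed by a review of the subscription-wide Owner and Contributor assignments that make someone an administrator of every VM. The resource group and group names are placeholders, and the script assumes the Az module and a signed-in context (Connect-AzAccount).

```powershell
# Added example (not from the Azure docs): scope VM management rights to one
# resource group with a built-in role, then list the broad subscription-wide
# assignments that should be reviewed. Requires the Az module and Connect-AzAccount.
$resourceGroup = 'rg-vm-workload'   # placeholder resource group name
$operatorGroup = 'vm-operators'     # placeholder Azure AD group display name

# Resolve the Azure AD group that should be allowed to manage these VMs.
$group = Get-AzADGroup -DisplayName $operatorGroup

# Least privilege: Virtual Machine Contributor at resource-group scope lets the
# group manage VMs in this resource group only, not the VNet or storage accounts.
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Virtual Machine Contributor' `
    -ResourceGroupName $resourceGroup

# Review: anyone holding Owner or Contributor directly at subscription scope can
# administer every VM in the subscription, so surface those assignments.
$subscriptionId = (Get-AzContext).Subscription.Id
$subscriptionScope = "/subscriptions/$subscriptionId"

Get-AzRoleAssignment -Scope $subscriptionScope |
    Where-Object {
        $_.RoleDefinitionName -in 'Owner', 'Contributor' -and
        $_.Scope -eq $subscriptionScope
    } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The second query deliberately filters on the assignment's own Scope so that assignments inherited from a management group are not listed twice; widen or drop that filter if you want to see inherited assignments as well.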

Note

We recommend that you consolidate VMs with the same lifecycle into the same resource group. By using resource groups, you can deploy, monitor, and roll up billing costs for your resources.

Organizations that control VM access and setup improve their overall VM security.

Use multiple VMs for better availability

If your VM runs critical applications that need to have high availability, we strongly recommend that you use multiple VMs. For better availability, use an availability set.

An availability set is a logical grouping that you can use in Azure to ensure that the VM resources you place within it are isolated from each other when they're deployed in an Azure datacenter. Azure ensures that the VMs you place in an availability set run across multiple physical servers, compute racks, storage units, and network switches. If a hardware or Azure software failure occurs, only a subset of your VMs are affected, and your overall application continues to be available to your customers. Availability sets are an essential capability when you want to build reliable cloud solutions.

Protect against malware

You should install antimalware protection to help identify and remove viruses, spyware, and other malicious software. You can install Microsoft Antimalware or a Microsoft partner's endpoint protection solution (Trend Micro, Symantec, McAfee, Windows Defender, and System Center Endpoint Protection).

Microsoft Antimalware includes features like real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, and exclusion event collection. For environments that are hosted separately from your production environment, you can use an antimalware extension to help protect your VMs and cloud services.

You can integrate Microsoft Antimalware and partner solutions with Azure Security Center for ease of deployment and built-in detections (alerts and incidents).

Best practice: Install an antimalware solution to protect against malware.
Detail: Install a Microsoft partner solution or Microsoft Antimalware.

Best practice: Integrate your antimalware solution with Security Center to monitor the status of your protection.
Detail: Manage endpoint protection issues with Security Center.

Manage your VM updates

Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. You need to manage your VM updates.

Best practice: Keep your VMs current.
Detail: Use the Update Management solution in Azure Automation to manage operating system updates for your Windows and Linux computers that are deployed in Azure, in on-premises environments, or in other cloud providers. You can quickly assess the status of available updates on all agent computers and manage the process of installing required updates for servers.

Computers that are managed by Update Management use the following configurations to perform assessment and update deployments:

  • Microsoft Monitoring Agent (MMA) for Windows or Linux
  • PowerShell Desired State Configuration (DSC) for Linux
  • Automation Hybrid Runbook Worker
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows computers

If you use Windows Update, leave the automatic Windows Update setting enabled.

Best practice: Ensure at deployment that images you built include the most recent round of Windows updates.
Detail: Check for and install all Windows updates as a first step of every deployment. This measure is especially important when you deploy images that you built yourself or that come from your own library. Although images from the Azure Marketplace are updated automatically by default, there can be a lag time (up to a few weeks) after a public release.

Best practice: Periodically redeploy your VMs to force a fresh version of the OS.
Detail: Define your VM with an Azure Resource Manager template so you can easily redeploy it. Using a template gives you a patched and secure VM when you need it.

Best practice: Rapidly apply security updates to VMs.
Detail: Enable Azure Security Center (Free tier or Standard tier) to identify missing security updates and apply them.

Best practice: Install the latest security updates.
Detail: Some of the first workloads that customers move to Azure are labs and external-facing systems. If your Azure VMs host applications or services that need to be accessible to the internet, be vigilant about patching. Patch beyond the operating system. Unpatched vulnerabilities in partner applications can also lead to problems that can be avoided if good patch management is in place.

Best practice: Deploy and test a backup solution.
Detail: A backup needs to be handled the same way that you handle any other operation. This is true of systems that are part of your production environment extending to the cloud.

Test and dev systems must follow backup strategies that provide restore capabilities similar to what users have grown accustomed to, based on their experience with on-premises environments. Production workloads moved to Azure should integrate with existing backup solutions when possible. Or, you can use Azure Backup to help address your backup requirements.

Organizations that don't enforce software-update policies are more exposed to threats that exploit known, previously fixed vulnerabilities. To comply with industry regulations, companies must prove that they are diligent and using correct security controls to help ensure the security of their workloads located in the cloud.

Software-update best practices for a traditional datacenter and Azure IaaS have many similarities. We recommend that you evaluate your current software update policies to include VMs located in Azure.

Manage your VM security posture

Cyberthreats are evolving. Safeguarding your VMs requires a monitoring capability that can quickly detect threats, prevent unauthorized access to your resources, trigger alerts, and reduce false positives.

To monitor the security posture of your Windows and Linux VMs, use Azure Security Center. In Security Center, safeguard your VMs by taking advantage of the following capabilities:

  • Apply OS security settings with recommended configuration rules.
  • Identify and download system security and critical updates that might be missing.
  • Deploy recommendations for endpoint antimalware protection.
  • Validate disk encryption.
  • Assess and remediate vulnerabilities.
  • Detect threats.

Security Center can actively monitor for threats, and potential threats are exposed in security alerts. Correlated threats are aggregated in a single view called a security incident.

Security Center stores data in Azure Monitor logs. Azure Monitor logs provide a query language and analytics engine that gives you insights into the operation of your applications and resources. Data is also collected from Azure Monitor, management solutions, and agents installed on virtual machines in the cloud or on-premises. This shared functionality helps you form a complete picture of your environment.

Organizations that don't enforce strong security for their VMs remain unaware of potential attempts by unauthorized users to circumvent security controls.

Monitor VM performance

Resource abuse can be a problem when VM processes consume more resources than they should. Performance issues with a VM can lead to service disruption, which violates the security principle of availability. This is particularly important for VMs that are hosting IIS or other web servers, because high CPU or memory usage might indicate a denial of service (DoS) attack. It's imperative to monitor VM access not only reactively while an issue is occurring, but also proactively against baseline performance as measured during normal operation.

We recommend that you use Azure Monitor to gain visibility into your resource's health. Azure Monitor features:

Organizations that don't monitor VM performance can't determine whether certain changes in performance patterns are normal or abnormal. A VM that's consuming more resources than normal might indicate an attack from an external resource or a compromised process running in the VM.

Encrypt your virtual hard disk files

We recommend that you encrypt your virtual hard disks (VHDs) to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.

Azure Disk Encryption helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage.

Following are best practices for using Azure Disk Encryption:

Best practice: Enable encryption on VMs.
Detail: Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Azure AD authentication. Create an Azure AD application for this purpose. For authentication purposes, you can use either client secret-based authentication or client certificate-based Azure AD authentication.

Best practice: Use a key encryption key (KEK) for an additional layer of security for encryption keys. Add a KEK to your key vault.
Detail: Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises hardware security module (HSM) for key management. For more information, see the Key Vault documentation. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault. Keeping an escrow copy of this key in an on-premises key management HSM offers additional protection against accidental deletion of keys.

Best practice: Take a snapshot and/or backup before disks are encrypted. Backups provide a recovery option if an unexpected failure happens during encryption.
Detail: VMs with managed disks require a backup before encryption occurs. After a backup is made, you can use the Set-AzVMDiskEncryptionExtension cmdlet to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see the Azure Backup article.

Best practice: To make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the key vault and the VMs to be located in the same region.
Detail: Create and use a key vault that is in the same region as the VM to be encrypted.
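The script below is an added example, not part of the original article, that ties the disk-encryption practices above together: it checks that the key vault and VM share a region, creates a KEK with Add-AzKeyVaultKey, and then runs Set-AzVMDiskEncryptionExtension with the KEK and the -SkipVmBackup switch after a backup has been taken. All resource names are placeholders, and the script assumes the Az module, a signed-in context, and that a backup or snapshot of the VM has already been made.

```powershell
# Added example (not from the Azure docs): encrypt a VM's disks with Azure Disk
# Encryption using a key encryption key (KEK) held in a key vault in the same
# region as the VM. Requires the Az module and Connect-AzAccount. All names
# below are placeholders.
$resourceGroup = 'rg-vm-workload'
$vmName        = 'vm-app01'
$vaultName     = 'kv-vm-disk-keys'
$kekName       = 'vm-disk-kek'

$vm    = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
$vault = Get-AzKeyVault -VaultName $vaultName

# Azure Disk Encryption requires the vault and the VM to be in the same region,
# so fail early rather than let the extension fail half-way through.
if ($vm.Location -ne $vault.Location) {
    throw "Key vault '$vaultName' ($($vault.Location)) must be in the same region as VM '$vmName' ($($vm.Location))."
}

# The vault must allow the disk encryption service to read its secrets.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDiskEncryption

# Create the KEK in the vault. Use -Destination 'HSM' on a Premium vault for an
# HSM-backed key. Azure Disk Encryption wraps the volume secret with this key.
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination 'Software'

# Managed-disk VMs need a backup before encryption. This assumes a backup or
# snapshot was already taken; -SkipVmBackup tells the extension to proceed.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $resourceGroup -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Id `
    -KeyEncryptionKeyVaultId   $vault.ResourceId `
    -VolumeType 'All' `
    -SkipVmBackup

# Verify: the OS and data volumes should report an Encrypted status.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $resourceGroup -VMName $vmName
```

Keeping an escrow copy of the KEK in an on-premises HSM, as the text recommends, is a separate step: export or back up the key through your HSM tooling before you rely on the vault copy alone.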

When you apply Azure Disk Encryption, you can satisfy the following business needs:

  • IaaS VMs are secured at rest through industry-standard encryption technology to address organizational security and compliance requirements.
  • IaaS VMs start under customer-controlled keys and policies, and you can audit their usage in your key vault.

Restrict direct internet connectivity

Monitor and restrict VM direct internet connectivity. Attackers constantly scan public cloud IP ranges for open management ports and attempt "easy" attacks like common passwords and known unpatched vulnerabilities. The following best practices help protect against these attacks:

Best practice: Prevent inadvertent exposure to network routing and security.
Detail: Use RBAC to ensure that only the central networking group has permission to networking resources.

Best practice: Identify and remediate exposed VMs that allow access from "any" source IP address.
Detail: Use Azure Security Center. Security Center will recommend that you restrict access through internet-facing endpoints if any of your network security groups has one or more inbound rules that allow access from "any" source IP address. Security Center will recommend that you edit these inbound rules to restrict access to source IP addresses that actually need access.
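As an added example, not part of the original article, the script below implements the same check that Security Center performs: it finds inbound Allow rules in a network security group whose source prefix means "any". The audit function is pure, so it runs offline against the constructed sample rules included here; the commented lines at the end show feeding it real rules from Get-AzNetworkSecurityGroup. The rule names and addresses in the sample are constructed, not real data.

```powershell
# Added example (not from the Azure docs): find inbound NSG rules that allow
# traffic from "any" source, the condition Security Center flags. Runs offline
# against the constructed sample rules below; the real-NSG variant is commented.

# Source prefixes that mean "anyone on the internet" in NSG rules.
$anySource = @('*', 'Internet', '0.0.0.0/0', 'Any')

function Find-OpenInboundRule {
    param([Parameter(Mandatory)] [object[]] $Rules)

    # SourceAddressPrefix is a string on simple rules and a list on multi-prefix
    # rules; @(...) normalises both so the membership test works either way.
    $Rules | Where-Object {
        $_.Direction -eq 'Inbound' -and
        $_.Access    -eq 'Allow'   -and
        (@($_.SourceAddressPrefix) | Where-Object { $anySource -contains $_ }).Count -gt 0
    }
}

# Constructed sample rules shaped like PSSecurityRule objects (not real data).
$sampleRules = @(
    [pscustomobject]@{ Name = 'allow-rdp-any';  Direction = 'Inbound';  Access = 'Allow'; Protocol = 'Tcp'; DestinationPortRange = '3389'; SourceAddressPrefix = '*' }
    [pscustomobject]@{ Name = 'allow-ssh-vpn';  Direction = 'Inbound';  Access = 'Allow'; Protocol = 'Tcp'; DestinationPortRange = '22';   SourceAddressPrefix = '10.0.0.0/8' }
    [pscustomobject]@{ Name = 'allow-web-inet'; Direction = 'Inbound';  Access = 'Allow'; Protocol = 'Tcp'; DestinationPortRange = '443';  SourceAddressPrefix = 'Internet' }
    [pscustomobject]@{ Name = 'deny-all-out';   Direction = 'Outbound'; Access = 'Deny';  Protocol = '*';   DestinationPortRange = '*';    SourceAddressPrefix = '*' }
)

# Reports allow-rdp-any and allow-web-inet. The 443 rule may be intentional for a
# web server; the 3389 rule is the kind that should be narrowed to known sources.
Find-OpenInboundRule -Rules $sampleRules |
    Select-Object Name, Protocol, DestinationPortRange, SourceAddressPrefix |
    Format-Table -AutoSize

# Against real NSGs in the current subscription (requires Connect-AzAccount):
# foreach ($nsg in Get-AzNetworkSecurityGroup) {
#     Find-OpenInboundRule -Rules $nsg.SecurityRules |
#         Select-Object @{ n = 'NSG'; e = { $nsg.Name } }, Name, DestinationPortRange, SourceAddressPrefix
# }
```

The function only inspects the NSG's own rules; when you run it against real resources, remember that a VM's effective exposure also depends on NSGs attached to its subnet and on any public IP in front of it.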

Best practice: Restrict management ports (RDP, SSH).
Detail: Just-in-time (JIT) VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When JIT is enabled, Security Center locks down inbound traffic to your Azure VMs by creating a network security group rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the JIT solution.
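The following script is an added example, not part of the original article, of enabling JIT access for one VM with the Az.Security module so that RDP (3389) and SSH (22) stay closed until an approved request opens them for a bounded time. Resource names are placeholders, the access-request snippet at the end uses an RFC 5737 documentation address as a stand-in for an administrator's source IP, and the script assumes a signed-in Az context.

```powershell
# Added example (not from the Azure docs): enable just-in-time access on one VM
# so that RDP and SSH are closed by default and opened only on request.
# Requires the Az module (including Az.Security) and Connect-AzAccount.
$resourceGroup = 'rg-vm-workload'   # placeholder
$vmName        = 'vm-app01'         # placeholder
$vm            = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

# Ports that JIT will manage. Narrow allowedSourceAddressPrefix to your admin
# ranges where you can; '*' defers the source decision to each access request.
$jitVm = @{
    id    = $vm.Id
    ports = @(
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
    )
}

# Security Center adds deny rules for these ports to the VM's NSG; inbound
# RDP/SSH is then only opened through an approved JIT request.
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $vm.Location -Name 'default' `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitVm)

# Requesting access later (one hour of SSH from a single admin address).
# 203.0.113.10 is a documentation-range placeholder; substitute the real source.
$subscriptionId = (Get-AzContext).Subscription.Id
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Security/locations/$($vm.Location)/jitNetworkAccessPolicies/default"
$request = @{
    id    = $vm.Id
    ports = @(
        @{ number = 22
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
           allowedSourceAddressPrefix = @('203.0.113.10') }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)
```

Every access request is recorded by Security Center, so the JIT policy gives you both a smaller inbound surface and an audit trail of who opened a management port, from where, and for how long.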

Next steps

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.

The following resources are available to provide more general information about Azure security and related Microsoft services: