Session policies

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Microsoft Cloud App Security session policies enable real-time session-level monitoring, giving you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session. Instead of allowing or blocking access completely, session control lets you allow access while monitoring the session and/or limiting specific session activities, using the reverse proxy capabilities of Conditional Access App Control.

For example, you can decide that from unmanaged devices, or for sessions coming from specific locations, you want to allow the user to access the app but also limit the download of sensitive files or require that certain documents be protected upon download. Session policies let you set these user-session controls, allow access, and enable you to:

Prerequisites to using session policies

Create a Cloud App Security session policy

To create a new session policy, follow this procedure:

  1. In the portal, select **Control** followed by **Policies**.

  2. In the **Policies** page, click **Create policy** and select **Session policy**.

  3. In the **Session policy** window, assign a name for your policy, such as Block Download of Sensitive Documents in Box for Marketing Users.

  4. In the **Session control type** field:

    1. Select **Monitor only** if you only want to monitor activities by users. This selection creates a Monitor only policy for the apps you selected, where all sign-ins, heuristic downloads, and Activity types will be downloaded.

    2. Select **Control file download (with inspection)** if you want to monitor user activities. You can take additional actions, such as blocking or protecting downloads for users.

    3. Select **Block activities** to block specific activities, which you can select using the **Activity type** filter. All activities from the selected apps are monitored (and reported in the Activity log). The specific activities you select are blocked if you select the **Block** action; they raise alerts if you select the **Test** action and have alerts turned on.

  5. Under **Activity source** in the **Activities matching all of the following** section, select additional activity filters to apply to the policy. These filters can include the following options:

    • Device tags: Use this filter to identify unmanaged devices.

    • Location: Use this filter to identify unknown (and therefore risky) locations.

    • IP address: Use this filter to filter by IP address or by previously assigned IP address tags.

    • User agent tag: Use this filter to enable the heuristic that identifies mobile and desktop apps. This filter can be set to equals or doesn't equal **Native client**. Test this filter against your mobile and desktop apps for each cloud app.

    Note

    Session policies don't support mobile and desktop apps. Mobile apps and desktop apps can instead be blocked or allowed by creating an access policy.

  6. If you selected the option to **Control file download (with inspection)**:

    1. Under **Activity source** in the **Files matching all of the following** section, select additional file filters to apply to the policy. These filters can include the following options:

      • Classification label - Use this filter if your organization uses Azure Information Protection and your data has been protected by its classification labels. You can filter files based on the classification label you applied to them. For more information about integration with Azure Information Protection, see Azure Information Protection integration.

      • File name - Use this filter to apply the policy to specific files.

      • File type - Use this filter to apply the policy to specific file types, for example, to block download of all .xls files.

    2. In the **Content inspection** section, set whether you want to enable the DLP engine to scan documents and file content.

    3. Under **Actions**, select one of the following items:

      • Test (Monitor all activities): Set this action to explicitly allow download according to the policy filters you set.

      • Block (Block file download and monitor all activities): Set this action to explicitly block download according to the policy filters you set. For more information, see How block download works.

      • Protect (Apply classification label to download and monitor all activities): This option is only available if you selected **Control file download (with inspection)** under Session policy. If your organization uses Azure Information Protection, you can set an **Action** to apply a classification label configured in Azure Information Protection to the file. For more information, see How protect download works.

  7. You can **Create an alert for each matching event with the policy's severity** and set an alert limit. Select whether you want the alert as an email, a text message, or both.

Monitor all activities

When you create a session policy, each user session that matches the policy is redirected to session control rather than to the app directly. The user sees a monitoring notice letting them know that their session is being monitored.

If you don't want to notify users that they're being monitored, you can disable the notification message.

  1. Under the settings cog, select **General settings**.

  2. Then, under **Conditional Access App Control**, select **User monitoring** and clear the **Notify users** checkbox.

To keep the user within the session, Conditional Access App Control replaces all the relevant URLs, JavaScript, and cookies within the app session with Microsoft Cloud App Security URLs. For example, if the app returns a page with links whose domains end with myapp.com, Conditional Access App Control replaces the links with domains ending with something like myapp.com.mcas.ms. This way the entire session is monitored by Microsoft Cloud App Security.
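As an added illustration of the link rewriting described above (example code, not code from the Cloud App Security product or this article), the following Python sketch rewrites absolute links to a protected app domain so that the browser keeps talking to the proxy; the suffix `.mcas.ms`, the protected domain `myapp.com` and the sample page are assumptions for the example. It also covers two cases the paragraph only implies: subdomains of the app (which also "end with myapp.com") and links that are already proxied, which must not be rewritten twice.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed proxy suffix: the article only says the rewritten domains end with
# "something like myapp.com.mcas.ms", so the suffix here is an assumption.
PROXY_SUFFIX = ".mcas.ms"
# Hypothetical app domains under session control.
PROTECTED_DOMAINS = {"myapp.com"}

def proxied_host(host: str) -> str:
    """Map a protected app hostname to its proxied form; unrelated hosts and
    hosts that are already proxied come back unchanged (rewrite is idempotent)."""
    host = host.lower()
    if host.endswith(PROXY_SUFFIX):
        return host
    for domain in PROTECTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return host + PROXY_SUFFIX
    return host

def rewrite_url(url: str) -> str:
    """Rewrite an absolute URL to a protected app. Relative URLs are left alone:
    the browser resolves them against the proxied origin already."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    new_host = proxied_host(host)
    if not host or new_host == host:
        return url
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

# href/src/action attributes with a quoted value.
_ATTR_URL = re.compile(r"""\b(href|src|action)=(["'])([^"']*)\2""", re.IGNORECASE)

def rewrite_html(html: str) -> str:
    """Rewrite every link in an app response so the session stays on the proxy."""
    return _ATTR_URL.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{rewrite_url(m.group(3))}{m.group(2)}",
        html)

# Constructed sample response from the app, for a quick self-check.
SAMPLE_PAGE = ('<a href="https://myapp.com/files/report.xlsx">Report</a>'
               '<img src="https://cdn.myapp.com/logo.png">'
               '<a href="https://example.org/help">Help</a>')

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_PAGE))
```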

Conditional Access App Control records the traffic logs of every user session that is routed through it. The traffic logs include the time, IP, user agent, URLs visited, and the number of bytes uploaded and downloaded. These logs are analyzed, and a continuous report, Cloud App Security Conditional Access App Control, is added to the list of Cloud Discovery reports in the Cloud Discovery dashboard.

To export these logs:

  1. Go to the settings cog and click **Conditional Access App Control**.

  2. On the right side of the table, click the **Export** button.

  3. Select the range of the report and click **Export**. This process may take some time.

To download the exported log:

  1. After the report is ready, go to **Settings** and then **Exported reports**.

  2. In the table, select the relevant report from the list of Conditional Access App Control traffic logs and click **Download**.

Block all downloads

When **Block** is set as the **Action** you want to take in the Cloud App Security session policy, Conditional Access App Control prevents a user from downloading a file per the policy's file filters. A download event is recognized by Microsoft Cloud App Security for each app when a user starts a download, and Conditional Access App Control intervenes in real time to prevent it from proceeding. When the signal is received that a user has initiated a download, Conditional Access App Control returns a **Download restricted** message to the user and replaces the downloaded file with a text file. The text file's message to the user can be configured and customized from the session policy.

Block specific activities

When **Block activities** is set as the **Activity type**, you can select specific activities to block in specific apps. All activities from the selected apps are monitored and reported in the Activity log. The specific activities you select are blocked if you select the **Block** action; they raise alerts if you select the **Test** action and have alerts turned on.

Block specific activities and apply the policy to specific groups to create a comprehensive read-only mode for your organization.

Protect files on download

When **Protect** is set as the **Action** to be taken in the Cloud App Security session policy, Conditional Access App Control enforces the labeling and subsequent protection of a file per the policy's file filters. Labels are configured in the Azure Information Protection console, and **Protect** must be selected within the label for it to appear as an option in the Cloud App Security policy. When a label is selected and a file that meets the criteria of the Cloud App Security policy is downloaded, the label and the corresponding protection (with permissions) are applied to the file upon download. The original file remains as-is in the cloud app, while the downloaded file is now protected. Users who try to access the file must meet the permission requirements determined by the protection applied.

Cloud App Security currently supports applying Azure Information Protection classification labels for the following file types:

  • Word: docm, docx, dotm, dotx
  • Excel: xlam, xlsm, xlsx, xltx
  • PowerPoint: potm, potx, ppsx, ppsm, pptm, pptx
  • PDF

    Note

    For PDF, you must use unified labels.

Protect uploads of sensitive files

When **Control file upload (with inspection)** is set as the **Session control type** in the Cloud App Security session policy, Conditional Access App Control prevents a user from uploading a file per the policy's file filters. When an upload event is recognized, Conditional Access App Control intervenes in real time to determine whether the file is sensitive and needs protection. If the file has sensitive data and does not have a proper label, the file upload is blocked.

For example, you can create a policy that scans the content of a file to determine whether it contains a sensitive content match, such as a social security number. If it contains sensitive content and is not labeled with an Azure Information Protection confidential label, the file upload is blocked. When the file is blocked, you can display a custom message to the user instructing them how to label the file in order to upload it. By doing so, you ensure that files stored in your cloud apps comply with your policies.
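The upload decision just described, as an added Python example that is not part of the article or of the product: it scans constructed file content for a social security number pattern and blocks the upload only when sensitive content is present and no accepted label is attached, returning the custom message the user would see. The SSN pattern, the label names and the block message are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed pattern for a US social security number (NNN-NN-NNNN) that skips
# area/group/serial values which are never issued; the article names SSNs as the
# example match but gives no pattern, so this is an assumption.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical label names that count as "an Azure Information Protection
# confidential label"; real tenants define their own.
ACCEPTED_LABELS = {"Confidential", "Highly Confidential"}
# Hypothetical custom message of the kind the article says can be shown.
BLOCK_MESSAGE = ("This file contains sensitive content. Apply a Confidential "
                 "label in your Office app and upload it again.")

@dataclass
class Verdict:
    allowed: bool
    reason: str
    matches: int = 0

def count_sensitive_matches(content: str) -> int:
    """Number of SSN-shaped values found in the file content."""
    return len(SSN_PATTERN.findall(content))

def evaluate_upload(content: str, label: Optional[str]) -> Verdict:
    """Apply the policy: block only when sensitive content is present AND the
    file carries no accepted label. Clean or properly labeled files are allowed."""
    matches = count_sensitive_matches(content)
    if matches == 0:
        return Verdict(True, "no sensitive content found")
    if label in ACCEPTED_LABELS:
        return Verdict(True, f"sensitive content covered by label {label!r}", matches)
    return Verdict(False, BLOCK_MESSAGE, matches)

# Constructed sample file contents: one real-looking SSN, and one document whose
# date and reference number resemble an SSN but must not trigger the policy.
SAMPLE_RECORD = "Employee record: SSN 123-45-6789, start date 2020-01-06"
SAMPLE_NEWSLETTER = "Quarterly newsletter: order 2020-01-06 shipped, ref 000-12-3456"

if __name__ == "__main__":
    for text, label in ((SAMPLE_RECORD, None), (SAMPLE_RECORD, "Confidential"),
                        (SAMPLE_NEWSLETTER, None)):
        print(label, evaluate_upload(text, label))
```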

Block malware on upload

When **Control file upload (with inspection)** is set as the **Session control type** and **Malware detection** is set as the **Inspection method** in the Cloud App Security session policy, Conditional Access App Control prevents a user from uploading a file in real time if malware is detected. Files are scanned using the Microsoft threat intelligence engine.

You can view the files flagged as potential malware using the **Potential malware detected** filter in the activity log.

You can also configure session policies to block malware on download.

Educate users to protect sensitive files

It is important to educate users when they are in violation of a policy so that they learn how to comply with your organizational policies. Since every enterprise has unique needs and policies, Cloud App Security lets you customize a policy's filters and the message it displays to the user when a violation is detected. You can give specific guidance to your users, such as instructions on how to appropriately label a file, or how to enroll an unmanaged device, to ensure files are uploaded successfully.

For example, if a user uploads a file without an Azure Information Protection label, a message can be displayed explaining that the file contains sensitive content that requires an appropriate label. Similarly, if a user attempts to upload a document from an unmanaged device, a message with instructions on how to enroll that device, or one that further explains why the device must be enrolled, can be displayed.

Next steps

See also

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.