Summary of Microsoft 365 for enterprise security for the Contoso Corporation

To get approval to deploy Microsoft 365 for enterprise, the Contoso IT security department conducted a thorough security review. They identified the following security requirements for the cloud:

  • Use the strongest methods of authentication for employee access to cloud resources.
  • Ensure that PCs and mobile devices connect to and access applications in secure ways.
  • Protect PCs and email from malware.
  • Permissions on cloud-based digital assets define who can access what and what they can do, and are designed for least-privilege access.
  • Sensitive and highly regulated digital assets are labeled, encrypted, and stored in secure locations.
  • Highly regulated digital assets are protected with additional encryption and permissions.
  • IT security staff can monitor the current security posture from central dashboards and get notified of security events for quick response and mitigation.

The Contoso path to Microsoft 365 security readiness

Contoso followed these steps to prepare their security for their deployment of Microsoft 365 for enterprise:

  1. Limit administrator accounts for the cloud

    Contoso did an extensive review of its existing Active Directory Domain Services (AD DS) administrator accounts and set up a series of dedicated cloud administrator accounts and groups.

  2. Classify data into three security levels

    Contoso did a careful review and determined the three levels, which were used to identify the Microsoft 365 for enterprise features that protect the most valuable data.

  3. Determine access, retention, and information protection policies for data levels

    Based on the data levels, Contoso determined detailed requirements to qualify future IT workloads that are moved to the cloud.

To follow security best practices and Microsoft 365 for enterprise deployment requirements, Contoso security administrators and its IT department deployed many security features and capabilities, as described in the following sections.

Identity and access management

  • Dedicated global administrator accounts with MFA and PIM

    Rather than assign the global admin role to everyday user accounts, Contoso created three dedicated global administrator accounts with strong passwords. The accounts are protected by Azure AD Multi-Factor Authentication (MFA) and Azure Active Directory (Azure AD) Privileged Identity Management (PIM). PIM is only available with Microsoft 365 E5.

    Signing in with a global administrator account is only done for specific administrative tasks. The passwords are only known to designated staff and can only be used within a time period that's configured in Azure AD PIM.

    Contoso security administrators assigned lesser admin roles to accounts that are appropriate to that IT worker's job function.

    For more information, see About Microsoft 365 admin roles.

  • MFA for all user accounts

    MFA adds an additional layer of protection to the sign-in process. It requires users to acknowledge a phone call, text message, or app notification on their smartphone after correctly entering their password. With MFA, Azure AD user accounts are protected against unauthorized sign-in, even if an account password is compromised.

    • To protect against compromise of the Microsoft 365 subscription, Contoso requires MFA on all global administrator accounts.
    • To protect against phishing attacks, in which an attacker compromises the credentials of a trusted person in the organization and sends malicious emails, Contoso enabled MFA on all user accounts, including managers and executives.
  • Safer device and application access with Conditional Access policies

    Contoso is using Conditional Access policies for identity, devices, Exchange Online, and SharePoint. Identity Conditional Access policies include requiring password changes for high-risk users and blocking clients from using apps that don't support modern authentication. Device policies include the definition of approved apps and requiring compliant PCs and mobile devices. Exchange Online Conditional Access policies include blocking ActiveSync clients and setting up Office 365 message encryption. SharePoint Conditional Access policies include additional protection for sensitive and highly regulated sites.

  • Windows Hello for Business

    Contoso deployed Windows Hello for Business to eventually eliminate the need for passwords through strong two-factor authentication on PCs and mobile devices running Windows 10 Enterprise.

  • Windows Defender Credential Guard

    To block targeted attacks and malware running in the operating system with administrative privileges, Contoso enabled Windows Defender Credential Guard through AD DS group policy.
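As an added example that is not part of the Contoso write-up, the following Microsoft Graph PowerShell SDK script expresses three of the identity Conditional Access policies described above (block legacy clients, MFA for all users, password change for high-risk users). It assumes Connect-MgGraph has already been run with the Policy.ReadWrite.ConditionalAccess scope, that the Microsoft.Graph.Identity.SignIns module is installed, and that the break-glass group ID is a placeholder you replace with your own; every policy starts in report-only mode so sign-in logs can be checked for unintended lockouts before enforcement.

```powershell
# Added example; placeholder ID for an emergency-access (break-glass) group
# that is excluded from every policy so admins cannot lock themselves out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
$allCloudApps             = @{ includeApplications = @("All") }

# Policy 1: block clients that cannot use modern authentication.
# "exchangeActiveSync" and "other" cover Basic-auth clients (ActiveSync, POP, IMAP, SMTP).
$blockLegacy = @{
    displayName   = "CA01 - Block legacy authentication clients"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = $allCloudApps
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for every user on browser and modern-auth clients.
$requireMfa = @{
    displayName   = "CA02 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = $allCloudApps
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 3: high-risk users (Azure AD Identity Protection) must change their
# password. Graph requires "passwordChange" to be paired with "mfa" using AND.
$highRiskPasswordChange = @{
    displayName   = "CA03 - High-risk users must change password"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = $allCloudApps
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in @($blockLegacy, $requireMfa, $highRiskPasswordChange)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

After reviewing the report-only results in the Azure AD sign-in logs, switch each policy's state to "enabled" with Update-MgIdentityConditionalAccessPolicy.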

Threat protection

  • Protection from malware with Windows Defender Antivirus

    Contoso is using Windows Defender Antivirus for malware protection and anti-malware management for PCs and devices running Windows 10 Enterprise.

  • Secure email flow and mailbox audit logging with Microsoft Defender for Office 365

    Contoso is using Exchange Online Protection and Defender for Office 365 to protect against unknown malware, viruses, and malicious URLs transmitted through email.

    Contoso also enabled mailbox audit logging to identify who logs in to user mailboxes, sends messages, and does other activities performed by the mailbox owner, a delegated user, or an administrator.

  • Attack monitoring and prevention with Office 365 threat investigation and response

    Contoso uses Office 365 threat investigation and response to protect users by making it easy to identify and address attacks, and to prevent future attacks.

  • Protection from sophisticated attacks with Advanced Threat Analytics

    Contoso is using Advanced Threat Analytics (ATA) to protect itself from advanced targeted attacks. ATA automatically analyzes, learns, and identifies normal and abnormal entity (user, device, and resource) behavior.

Information protection

  • Protect sensitive and highly regulated digital assets with Azure Information Protection labels

    Contoso determined three levels of data protection and deployed Microsoft 365 sensitivity labels that users apply to digital assets. For its trade secrets and other intellectual property, Contoso uses sensitivity sublabels for highly regulated data. This process encrypts content and restricts access to specific user accounts and groups.

  • Prevent intranet data leaks with Data Loss Prevention

    Contoso configured Data Loss Prevention policies for Exchange Online, SharePoint, and OneDrive for Business to prevent users from accidentally or intentionally sharing sensitive data.

  • Prevent device data leaks with Windows Information Protection

    Contoso is using Windows Information Protection (WIP) to protect against data leakage through internet-based apps and services and enterprise apps and data, on enterprise-owned devices and on personal devices that employees bring to work.

  • Cloud monitoring with Microsoft Cloud App Security

    Contoso is using Microsoft Cloud App Security to map their cloud environment, monitor its usage, and detect security events and incidents. Microsoft Cloud App Security is only available with Microsoft 365 E5.

  • Device management with Microsoft Intune

    Contoso uses Microsoft Intune to enroll, manage, and configure access to mobile devices and the apps that run on them. Device-based Conditional Access policies also require approved apps and compliant PCs and mobile devices.

Security management

  • Central security dashboard for IT with Azure Defender

    Contoso uses Azure Defender to present a unified view of security and threat protection, to manage security policies across its workloads, and to respond to cyberattacks.

  • Central security dashboard for users with Windows Defender Security Center

    Contoso deployed the Windows Security app to its PCs and devices running Windows 10 Enterprise so that users can see their security posture at a glance and take action.