Configure your Microsoft 365 tenant for increased security
Important
The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.
Applies to
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
This topic walks you through the recommended configuration for tenant-wide settings that affect the security of your Microsoft 365 environment. Your security needs might require more or less security. Use these recommendations as a starting point.
Check Office 365 Secure Score
Office 365 Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Adjusting some tenant-wide settings will increase your score. The goal is not to achieve the maximum score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users. See Microsoft Secure Score.
Tune threat management policies in the Microsoft 365 security center
The Microsoft 365 security center includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations. Some areas do not include default policies or rules. Visit these policies under threat management to tune threat management settings for a more secure environment.
Area | Includes a default policy | Recommendation |
---|---|---|
Anti-phishing | Yes | If you have a custom domain, configure the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain. Review Anti-phishing policies in Office 365 and see Configure anti-phishing policies in EOP or Configure anti-phishing policies in Microsoft Defender for Office 365. |
Anti-Malware Engine | Yes | Edit the default policy: You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. More information: |
Safe Attachments in Microsoft Defender for Office 365 | No | On the main page for Safe Attachments, click Global settings and turn on this setting: Create a Safe Attachments policy with these settings: More information: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Set up Safe Attachments policies |
Safe Links in Microsoft Defender for Office 365 | Yes | On the main page for Safe Links, click Global settings: Create a Safe Links policy with these settings: More information: Set up Safe Links policies. |
Anti-Spam (Mail filtering) | Yes | What to watch for: More information: Microsoft 365 Email Anti-Spam Protection. |
Email Authentication | Yes | Email authentication uses the Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used: |
Note
For non-standard deployments of SPF, hybrid deployments, and troubleshooting: How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.
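Microsoft 365 email authentication for a custom domain rests on SPF, DKIM and DMARC records published in DNS. The script below is an added example, not part of the original article, that audits those three pieces for one domain from the defender's side: it reads the SPF and DMARC TXT records with `Resolve-DnsName` (DnsClient module on Windows) and checks the DKIM signing state with the Exchange Online `Get-DkimSigningConfig` cmdlet. `contoso.com` is a placeholder for your own custom domain, and the DKIM check assumes you have already run `Connect-ExchangeOnline`.

```powershell
# Added example (not from the original article): audit SPF, DKIM and DMARC for a
# custom domain. Replace contoso.com with your own domain. Requires the DnsClient
# module (Resolve-DnsName) and, for the DKIM check, an Exchange Online session.

function Get-TxtRecords {
    param([Parameter(Mandatory)][string]$Name)
    # A TXT record may be split into several strings; join each record back together
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '') }
}

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Domain)
    $spf = @(Get-TxtRecords -Name $Domain | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0) { return "FAIL: $Domain publishes no SPF record" }
    if ($spf.Count -gt 1) { return "FAIL: $Domain publishes $($spf.Count) SPF records; RFC 7208 allows exactly one" }
    $record = $spf[0]
    $issues = @()
    # Mail sent through Microsoft 365 is authorised by the spf.protection.outlook.com include
    if ($record -notmatch 'include:spf\.protection\.outlook\.com') {
        $issues += 'missing include:spf.protection.outlook.com'
    }
    # Without a terminal -all (fail) or ~all (softfail), unlisted senders are not rejected
    if ($record -notmatch '\s(-|~)all\s*$') {
        $issues += "does not end with -all or ~all"
    }
    if ($issues.Count -eq 0) { return "PASS: $record" }
    return "WARN: $($issues -join '; ') in '$record'"
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    $dmarc = @(Get-TxtRecords -Name "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    if ($dmarc.Count -eq 0) { return "FAIL: no DMARC record at _dmarc.$Domain" }
    $record = $dmarc[0]
    # p= tells receivers what to do with mail that fails SPF and DKIM alignment
    if ($record -notmatch 'p=(none|quarantine|reject)') {
        return "FAIL: DMARC record has no valid p= tag: $record"
    }
    $policy = $Matches[1]
    if ($policy -eq 'none') { return "WARN: DMARC is monitor-only (p=none): $record" }
    return "PASS: DMARC policy is p=$policy : $record"
}

function Test-DkimSigning {
    param([Parameter(Mandatory)][string]$Domain)
    # Needs Connect-ExchangeOnline; reports whether Microsoft 365 DKIM-signs this domain's outbound mail
    $cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if (-not $cfg) { return "FAIL: no DKIM signing config for $Domain (create one with New-DkimSigningConfig -DomainName $Domain -Enabled `$true)" }
    if (-not $cfg.Enabled) { return "WARN: DKIM signing is configured but disabled for $Domain" }
    return "PASS: DKIM signing is enabled for $Domain"
}

$domain = 'contoso.com'   # placeholder: your custom domain
Test-SpfRecord   -Domain $domain
Test-DmarcRecord -Domain $domain
Test-DkimSigning -Domain $domain
```

Run it once before and once after you publish records for a custom domain; a tenant whose SPF ends in `-all`, whose DMARC policy is `quarantine` or `reject`, and whose DKIM signing is enabled has closed the spoofing gap the anti-phishing row above is concerned with.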
View dashboards and reports in the security and compliance centers
Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see Reports in the Microsoft 365 security and compliance centers.
Dashboard | Description |
---|---|
Threat management dashboard | In the Threat management section of the security center, use this dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what threat investigation and response capabilities have already done to secure your business. |
Threat Explorer (or real-time detections) | This is also in the Threat management section of the security center. If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list. |
Reports - Dashboard | In the Reports section of the security center, view audit reports for your SharePoint Online and Exchange Online organizations. You can also access Azure Active Directory (Azure AD) user sign-in reports, user activity reports, and the Azure AD audit log from the View reports page. |
Configure additional Exchange Online tenant-wide settings
Many of the controls for security and protection in the Exchange admin center are also included in the security center. You do not need to configure these in both places. Here are a couple of additional settings that are recommended.
Area | Includes a default policy | Recommendation |
---|---|---|
Mail Flow (mail flow rules, also known as transport rules) | No | Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see Use mail flow rules to inspect message attachments in Exchange Online. See these additional topics: Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see Mitigating Client External Forwarding Rules with Secure Score. More information: Mail flow rules (transport rules) in Exchange Online |
Enable modern authentication | No | Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email. See these topics: Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business. More information: How modern authentication works for Office 2013 and Office 2016 client apps |
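The three Exchange Online settings in the table above can be applied from Exchange Online PowerShell instead of the admin center. The script below is an added example, not from the original article: it creates the two mail flow rules (attachment blocking for ransomware, and blocking of automatic forwarding to external domains) and turns on modern authentication for the tenant, using the `ExchangeOnlineManagement` module's `Connect-ExchangeOnline`, `New-TransportRule` and `Set-OrganizationConfig` cmdlets. The rule names, the admin account and the list of macro-enabled extensions are assumed starting points, not values from the article.

```powershell
# Added example (not from the original article): Exchange Online tenant-wide
# settings from the table above, via the ExchangeOnlineManagement module.
# Rule names, the admin UPN and the extension list are placeholders/assumptions.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Ransomware mitigation, part 1: block executable attachments.
#    AttachmentHasExecutableContent inspects the file content rather than the
#    file name, so an executable renamed to .txt or .pdf is still caught.
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted by this organization.' `
    -Mode Audit    # log matches without acting; change to -Mode Enforce once the hits look right

# 2. Ransomware mitigation, part 2: block macro-enabled Office formats by extension.
#    Extension matching is name-based, so it complements (does not replace) rule 1.
$macroExtensions = 'docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam','ppsm','sldm'
New-TransportRule -Name 'Block macro-enabled Office attachments' `
    -AttachmentExtensionMatchesWords $macroExtensions `
    -RejectMessageReasonText 'Macro-enabled Office files are not accepted by this organization.' `
    -Mode Audit

# 3. Stop Inbox rules and mailbox forwarding from sending mail outside the tenant.
#    MessageTypeMatches AutoForward catches forwards generated by the mailbox itself,
#    which is the data-exfiltration path the Secure Score item refers to.
New-TransportRule -Name 'Block auto-forward to external domains' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'

# 4. Modern authentication (OAuth 2.0) is the prerequisite for MFA on Exchange Online.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify the results
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled
Get-TransportRule | Format-Table Name, State, Mode, Priority -AutoSize
```

Leaving the two attachment rules in Audit mode for a week and reviewing the message trace before switching to Enforce is what keeps a legitimate business workflow (a finance team exchanging `.xlsm` files, for instance) from being broken without warning.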
Configure tenant-wide sharing policies in the SharePoint admin center
Microsoft provides recommendations for configuring SharePoint team sites at increasing levels of protection, starting with baseline protection. For more information, see Policy recommendations for securing SharePoint sites and files.
SharePoint team sites configured at the baseline level allow sharing files with external users by using anonymous access links. This approach is recommended instead of sending files in email.
To support the goals for baseline protection, configure tenant-wide sharing policies as recommended here. Sharing settings for individual sites can be more restrictive than this tenant-wide policy, but not more permissive.
Area | Includes a default policy | Recommendation |
---|---|---|
Sharing (SharePoint Online and OneDrive for Business) | Yes | External sharing is enabled by default. These settings are recommended: More information: External sharing overview |
The SharePoint admin center and the OneDrive for Business admin center include the same settings. The settings in either admin center apply to both.
Configure settings in Azure Active Directory
Be sure to visit these two areas in Azure Active Directory to complete tenant-wide setup for more secure environments.
Configure named locations (under conditional access)
If your organization includes offices with secure network access, add the trusted IP address ranges to Azure Active Directory as named locations. This feature helps reduce the number of reported false positives for sign-in risk events.
See: Named locations in Azure Active Directory
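Registering an office's egress ranges as a trusted named location can also be scripted. The following is an added example, not part of the original article, using the AzureAD PowerShell module's `New-AzureADMSNamedLocationPolicy` and `Get-AzureADMSNamedLocationPolicy` cmdlets. The display name and the CIDR ranges are constructed placeholders (RFC 5737 documentation networks); substitute the public ranges your office actually egresses from.

```powershell
# Added example (not from the original article): create a trusted IP named
# location in Azure AD. Display name and CIDR ranges are placeholders.

Connect-AzureAD

# Placeholder ranges from RFC 5737; replace with your office's real egress ranges
$cidrs = '203.0.113.0/24', '198.51.100.0/24'

# The cmdlet expects a list of IpRange objects, one per CIDR block
$ipRanges = New-Object 'System.Collections.Generic.List[Microsoft.Open.MSGraph.Model.IpRange]'
foreach ($cidr in $cidrs) {
    $range = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
    $range.CidrAddress = $cidr
    $ipRanges.Add($range)
}

# IsTrusted is what tells Identity Protection that sign-ins from these ranges are
# expected, which is what removes them from the false-positive risk events.
New-AzureADMSNamedLocationPolicy `
    -OdataType '#microsoft.graph.ipNamedLocation' `
    -DisplayName 'HQ office egress (trusted)' `
    -IsTrusted $true `
    -IpRanges $ipRanges

# Review every IP named location and which ones are currently trusted
Get-AzureADMSNamedLocationPolicy |
    Where-Object { $_.OdataType -eq '#microsoft.graph.ipNamedLocation' } |
    Select-Object DisplayName, IsTrusted,
        @{ Name = 'Ranges'; Expression = { $_.IpRanges.CidrAddress -join ', ' } }
```

Keep the trusted list narrow: only ranges whose network access is itself controlled belong there, because a trusted location suppresses risk signals for every sign-in that originates from it.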
Block apps that don't support modern authentication
Multi-factor authentication requires apps that support modern authentication. Apps that do not support modern authentication cannot be blocked by using conditional access rules.
For secure environments, be sure to disable authentication for apps that do not support modern authentication. You can do this in Azure Active Directory with a control that is coming soon.
In the meantime, use one of the following methods to accomplish this for SharePoint Online and OneDrive for Business:
- Use PowerShell; see Block apps that do not use modern authentication (ADAL).
- Configure this in the SharePoint admin center on the Device access page, under "Control access from apps that don't use modern authentication". Choose Block.
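The SharePoint Online PowerShell form of the two SharePoint settings in this article (the tenant-wide sharing baseline from the previous section and the legacy-authentication block described just above) is shown below as an added example, not from the original article. It uses the `Microsoft.Online.SharePoint.PowerShell` module's `Connect-SPOService`, `Get-SPOTenant`, `Set-SPOTenant` and `Get-SPOSite` cmdlets; the admin URL is a placeholder for your tenant's `-admin` URL. Because the article's list of recommended sharing values is not reproduced here, the sharing part of the script records the current values and reports site-level sharing rather than setting specific values.

```powershell
# Added example (not from the original article): SharePoint Online tenant settings
# via the Microsoft.Online.SharePoint.PowerShell module. Admin URL is a placeholder.

Connect-SPOService -Url https://contoso-admin.sharepoint.com

# 1. Record the tenant-wide sharing settings before changing anything, so the
#    baseline you end up with is documented and reversible.
function Get-TenantSharingBaseline {
    Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
        RequireAnonymousLinksExpireInDays, FileAnonymousLinkType,
        FolderAnonymousLinkType, LegacyAuthProtocolsEnabled
}
Get-TenantSharingBaseline | Format-List

# 2. Block apps that cannot perform modern authentication. This is the PowerShell
#    equivalent of "Control access from apps that don't use modern authentication:
#    Block" in the SharePoint admin center's Device access page.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# 3. Individual sites can be more restrictive than the tenant, never more permissive.
#    List the sites sitting at the tenant's own sharing level so you know exactly
#    where external sharing is as open as the tenant allows.
function Get-SitesAtTenantSharingLevel {
    $tenantLevel = (Get-SPOTenant).SharingCapability
    Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -eq $tenantLevel } |
        Select-Object Url, SharingCapability, Owner
}
Get-SitesAtTenantSharingLevel | Format-Table -AutoSize

# 4. Confirm the legacy-auth change took effect
Get-TenantSharingBaseline | Select-Object LegacyAuthProtocolsEnabled
```

After step 2, `LegacyAuthProtocolsEnabled` should read `False`; clients that only speak basic authentication will then fail to sign in to SharePoint Online and OneDrive for Business, which is the intended effect, so inventory those clients from the site list in step 3 before flipping the switch in production.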
Get started with Cloud App Security or Office 365 Cloud App Security
Use Office 365 Cloud App Security to evaluate risk, to alert on suspicious activity, and to automatically take action. Requires the Office 365 E5 plan.
Or, use Microsoft Cloud App Security to obtain deeper visibility even after access is granted, comprehensive controls, and improved protection for all your cloud applications, including Office 365.
Because this solution recommends the EMS E5 plan, we recommend you start with Cloud App Security so you can use this with other SaaS applications in your environment. Start with default policies and settings.
More information:
Additional resources
These articles and guides provide additional prescriptive information for securing your Microsoft 365 environment:
- Microsoft security guidance for political campaigns, nonprofits, and other agile organizations (you can use these recommendations in any environment, especially cloud-only environments)
- Recommended security policies and configurations for identities and devices (these recommendations include help for AD FS environments)