Configure your Microsoft 365 tenant for increased security

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to

This topic walks you through the recommended configuration for tenant-wide settings that affect the security of your Microsoft 365 environment. Your security needs might require more or less security than this. Use these recommendations as a starting point.

Check Office 365 Secure Score

Office 365 Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Adjusting some tenant-wide settings will increase your score. The goal is not to achieve the maximum score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users. See Microsoft Secure Score.

Tune threat management policies in the Microsoft 365 security center

The Microsoft 365 security center includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations; others do not include default policies or rules. Visit these policies under Threat management to tune threat management settings for a more secure environment.


Area: Anti-phishing (includes a default policy: Yes)
Recommendation: If you have a custom domain, configure the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain.

Review Anti-phishing policies in Office 365 and see Configure anti-phishing policies in EOP or Configure anti-phishing policies in Microsoft Defender for Office 365.

Area: Anti-malware engine (includes a default policy: Yes)
Recommendation: Edit the default policy:
  • Common Attachment Types Filter: Select On

You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization.

More information:

Area: Safe Attachments in Microsoft Defender for Office 365 (includes a default policy: No)
Recommendation: On the main page for Safe Attachments, click Global settings and turn on this setting:
  • Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams

Create a Safe Attachments policy with these settings:

  • Block: Select Block as the unknown malware response.
  • Enable redirect: Check this box and enter an email address, such as an admin or quarantine account.
  • Apply the above selection if malware scanning for attachments times out or an error occurs: Check this box.
  • Applied to: The recipient domain is > select your domain.

More information: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Set up Safe Attachments policies

Area: Safe Links in Microsoft Defender for Office 365 (includes a default policy: Yes)
Recommendation: On the main page for Safe Links, click Global settings:
  • Use Safe Links in: Office 365 applications: Verify this setting is turned on.
  • Do not track when users click Safe Links: Turn this setting off so that user clicks are tracked.

Create a Safe Links policy with these settings:

  • Select the action for unknown potentially malicious URLs in messages: Verify this setting is On.
  • Select the action for unknown or potentially malicious URLs within Microsoft Teams: Verify this setting is On.
  • Apply real-time URL scanning for suspicious links and links that point to files: Check this box.
  • Wait for URL scanning to complete before delivering the message: Check this box.
  • Apply Safe Links to email messages sent within the organization: Check this box.
  • Do not allow users to click through to the original URL: Check this box.
  • Applied to: The recipient domain is > select your domain.

More information: Set up Safe Links policies.

Area: Anti-spam (mail filtering) (includes a default policy: Yes)
Recommendation: What to watch for:
  • Too much spam: Choose the Custom settings and edit the Default spam filter policy.
  • Spoof intelligence: Review senders that are spoofing your domain. Block or allow these senders.

More information: Microsoft 365 Email Anti-Spam Protection.

Area: Email authentication (includes a default policy: Yes)
Recommendation: Email authentication uses the Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used:

Note

For non-standard deployments of SPF, hybrid deployments, and troubleshooting: How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.
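The anti-malware, Safe Attachments and Safe Links settings recommended in the table above can also be applied from Exchange Online PowerShell, which is easier to review, repeat and record than clicking through the portal. The block below is an added example, not code from the original page or from Microsoft; the policy names, the admin account, the redirect mailbox (quarantine@contoso.com) and the domain (contoso.com) are placeholders to replace with your own. It assumes the ExchangeOnlineManagement module is installed and that the account holds a role allowed to manage Defender for Office 365 policies (for example Organization Management).

```powershell
# Added example (not from the original page): apply the recommended threat-management
# settings from the table above with Exchange Online PowerShell. All names, addresses
# and the domain are placeholders; replace them with your own.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'   # placeholder admin account

$domain     = 'contoso.com'              # your custom domain (placeholder)
$redirectTo = 'quarantine@contoso.com'   # admin or quarantine mailbox (placeholder)

# Anti-malware: turn on the Common Attachment Types Filter in the default policy.
Set-MalwareFilterPolicy -Identity 'Default' -EnableFileFilter $true

# Safe Attachments global setting: extend Defender for Office 365 to SharePoint,
# OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Attachments policy + rule: Block unknown malware, deliver a copy to the
# redirect mailbox, and keep the Block action when a scan times out or errors.
$saName = 'Recommended Safe Attachments'
if (-not (Get-SafeAttachmentPolicy -Identity $saName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $saName -Enable $true -Action Block `
        -Redirect $true -RedirectAddress $redirectTo -ActionOnError $true
    New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName `
        -RecipientDomainIs $domain
}

# Safe Links policy + rule: rewrite and scan URLs in mail, Teams and Office apps,
# hold delivery until the scan finishes, include internal mail, track clicks and
# do not let users click through to the original URL.
$slName = 'Recommended Safe Links'
if (-not (Get-SafeLinksPolicy -Identity $slName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $slName `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true `
        -EnableForInternalSenders $true -TrackClicks $true -AllowClickThrough $false
    New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName -RecipientDomainIs $domain
}

# Read the settings back so the change can be verified and recorded.
Get-MalwareFilterPolicy -Identity 'Default' | Select-Object Name, EnableFileFilter
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB
Get-SafeAttachmentPolicy -Identity $saName |
    Select-Object Name, Action, Redirect, RedirectAddress, ActionOnError
Get-SafeLinksPolicy -Identity $slName |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, ScanUrls,
                  DeliverMessageAfterScan, EnableForInternalSenders, TrackClicks, AllowClickThrough
```

The Safe Links parameter names have been renamed over the life of the module (older versions used -IsEnabled, -DoNotTrackUserClicks and -DoNotAllowClickThrough, and carried the "Use Safe Links in Office 365 applications" switch on Set-AtpPolicyForO365 instead of the policy); the names above are the current ones, so check Get-Help New-SafeLinksPolicy -Full against the module version you have installed before running this. The read-back at the end is the part worth keeping in a change record: it proves the tenant state rather than the intent.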

View dashboards and reports in the security and compliance centers

Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see Reports in the Microsoft 365 security and compliance centers.

Dashboard: Threat management dashboard
Description: In the Threat management section of the security center, use this dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what threat investigation and response capabilities have already done to secure your business.

Dashboard: Threat Explorer (or real-time detections)
Description: This is also in the Threat management section of the security center. If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.

Dashboard: Reports dashboard
Description: In the Reports section of the security center, view audit reports for your SharePoint Online and Exchange Online organizations. You can also access Azure Active Directory (Azure AD) user sign-in reports, user activity reports, and the Azure AD audit log from the View reports page.

Screenshot: Security center dashboard

Configure additional Exchange Online tenant-wide settings

Many of the controls for security and protection in the Exchange admin center are also included in the security center. You do not need to configure these in both places. Here are a couple of additional settings that are recommended.

Area: Mail flow (mail flow rules, also known as transport rules) (includes a default policy: No)
Recommendation: Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see Use mail flow rules to inspect message attachments in Exchange Online.

See these additional topics:

Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see Mitigating Client External Forwarding Rules with Secure Score.

More information: Mail flow rules (transport rules) in Exchange Online

Area: Enable modern authentication (includes a default policy: No)
Recommendation: Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email.

See these topics:

Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business.

More information: How modern authentication works for Office 2013 and Office 2016 client apps
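The three Exchange Online changes recommended above (attachment-blocking mail flow rules, a rule against external auto-forwarding, and modern authentication) as Exchange Online PowerShell. This is an added example, not code from the original page or from Microsoft; the admin account, rule names and rejection texts are placeholders, and the macro-enabled extension list is this editor's, not one the page supplies. It assumes the ExchangeOnlineManagement module and an account with the Organization Management role.

```powershell
# Added example (not from the original page): the Exchange Online settings recommended
# above, applied with Exchange Online PowerShell. Names and messages are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'   # placeholder admin account

# Settings shared by the two ransomware rules. They start in Audit mode: review the
# hits in message trace for a week, then switch Mode to 'Enforce'.
$commonRule = @{
    FromScope                       = 'NotInOrganization'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Audit'
}

# 1a. Executable content is detected by inspecting the file itself, so renaming
#     malware.exe to malware.txt does not get past this condition.
New-TransportRule -Name 'Block executable attachments' @commonRule `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Attachments with executable content are not accepted.'

# 1b. Office files that carry macros are matched by their macro-enabled extensions
#     (list chosen by the editor; extend it to fit your environment).
$macroExtensions = 'docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam','ppsm','sldm'
New-TransportRule -Name 'Block macro-enabled Office attachments' @commonRule `
    -AttachmentExtensionMatchesWords $macroExtensions `
    -RejectMessageReasonText 'Macro-enabled Office attachments are not accepted.'

# 2. Block automatic forwarding to external domains, a common way to keep a copy of a
#    compromised mailbox's mail after the password is reset. Two layers: the outbound
#    spam policy switch, and a mail flow rule that catches auto-forwarded messages.
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off
New-TransportRule -Name 'Block auto-forwarding to external domains' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 3. Modern authentication (OAuth) for Outlook clients, the prerequisite for MFA.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify what is now in effect.
Get-TransportRule | Where-Object Name -like 'Block *' |
    Select-Object Name, State, Mode, Priority
Get-HostedOutboundSpamFilterPolicy -Identity 'Default' | Select-Object Name, AutoForwardingMode
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled
```

Two rules rather than one because the conditions of a single mail flow rule are ANDed; one rule with both conditions would only fire on a message that had an executable attachment and a macro-enabled attachment at the same time. The Common Attachment Types Filter from the previous section already blocks by extension, so the executable-content rule adds the content-based check that a renamed file would otherwise slip past.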

Configure tenant-wide sharing policies in the SharePoint admin center

Microsoft recommends configuring SharePoint team sites at increasing levels of protection, starting with baseline protection. For more information, see Policy recommendations for securing SharePoint sites and files.

SharePoint team sites configured at the baseline level allow sharing files with external users by using anonymous access links. This approach is recommended instead of sending files in email.

To support the goals for baseline protection, configure tenant-wide sharing policies as recommended here. Sharing settings for individual sites can be more restrictive than this tenant-wide policy, but not more permissive.

Area: Sharing (SharePoint Online and OneDrive for Business) (includes a default policy: Yes)
Recommendation: External sharing is enabled by default. These settings are recommended:
  • Allow sharing to authenticated external users and using anonymous access links (default setting).
  • Anonymous access links expire in this many days: enter a number, if desired, such as 30 days.
  • Default link type: select Internal (people in the organization only). Users who wish to share using anonymous links must choose that option explicitly from the sharing menu.

More information: External sharing overview

The SharePoint admin center and the OneDrive for Business admin center include the same settings. The settings in either admin center apply to both.
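The tenant-wide sharing settings above, and the "a site may be stricter but not looser" rule, expressed with the SharePoint Online management shell. This is an added example, not code from the original page or from Microsoft; the tenant admin URL and the Finance site URL are placeholders. It assumes the Microsoft.Online.SharePoint.PowerShell module (which runs in Windows PowerShell 5.1, or in PowerShell 7 with -UseWindowsPowerShell on Import-Module) and a SharePoint administrator account.

```powershell
# Added example (not from the original page): recommended tenant-wide sharing settings
# via SharePoint Online PowerShell. Tenant and site URLs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL

# Capture the current values first so the change can be reviewed or reverted.
$before = Get-SPOTenant |
    Select-Object SharingCapability, RequireAnonymousLinksExpireInDays, DefaultSharingLinkType
$before

# ExternalUserAndGuestSharing = authenticated external users plus anonymous links (the default).
# Anonymous links expire after 30 days. The link type offered first in the sharing dialog is
# Internal, so an anonymous link is only created when a user deliberately picks it.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -RequireAnonymousLinksExpireInDays 30 `
              -DefaultSharingLinkType Internal

# A site may be more restrictive than the tenant, never more permissive. Example: a
# finance site (placeholder URL) that drops anonymous links and allows only
# authenticated external users.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Finance' `
            -SharingCapability ExternalUserSharingOnly

# Verify tenant and site state.
Get-SPOTenant |
    Select-Object SharingCapability, RequireAnonymousLinksExpireInDays, DefaultSharingLinkType
Get-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Finance' |
    Select-Object Url, SharingCapability
```

If you later tighten the tenant setting to ExternalUserSharingOnly, any site still set to ExternalUserAndGuestSharing is effectively capped at the tenant level; the service enforces the "not more permissive" rule, which is why reading Get-SPOSite back after a tenant change is worthwhile.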

Configure settings in Azure Active Directory

Be sure to visit these two areas in Azure Active Directory to complete tenant-wide setup for a more secure environment.

Configure named locations (under Conditional Access)

If your organization includes offices with secure network access, add the trusted IP address ranges to Azure Active Directory as named locations. This helps reduce the number of false positives reported for sign-in risk events.

See: Named locations in Azure Active Directory
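Creating the trusted named location with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original page or from Microsoft; the IP ranges are RFC 5737 documentation addresses standing in for your office egress ranges, and the display name is a placeholder. It assumes the Microsoft.Graph.Identity.SignIns module and an account that can consent to the Policy.ReadWrite.ConditionalAccess permission (Conditional Access Administrator or higher).

```powershell
# Added example (not from the original page): a trusted IP named location created with
# Microsoft Graph PowerShell. IP ranges are documentation addresses; replace them with
# your offices' real egress ranges.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$officeRanges = @('203.0.113.0/24', '198.51.100.32/27')   # placeholder ranges

# isTrusted = $true is the property that matters for sign-in risk: a sign-in from a
# trusted location is not treated as coming from an unfamiliar place.
$body = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate offices'
    isTrusted     = $true
    ipRanges      = @($officeRanges | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body

# Read it back and list every trusted location, so stale or over-broad ranges stand out.
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $location.Id |
    Select-Object DisplayName, Id
Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.AdditionalProperties['isTrusted'] -eq $true } |
    Select-Object DisplayName, Id
```

Keep trusted ranges as narrow as the office egress really is. A /16 marked trusted because "it is ours" also tells risk detection to ignore every sign-in from any guest network or VPN concentrator in that range, which is the opposite of the false-positive reduction the section is after.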

Block apps that don't support modern authentication

Multi-factor authentication requires apps that support modern authentication. At the time this page was written, apps that do not support modern authentication could not be blocked by using Conditional Access rules. (Conditional Access has since gained a client app condition that covers legacy authentication clients; check the current Azure AD documentation before relying on the statements in this section.)

For secure environments, be sure to disable authentication for apps that do not support modern authentication. You can do this in Azure Active Directory with a control that is coming soon.

In the meantime, use one of the following methods to accomplish this for SharePoint Online and OneDrive for Business:
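Two ways to shut out clients that only speak legacy authentication: the SharePoint Online tenant switch for the scope named above, and a tenant-wide Conditional Access policy using the client app condition that Azure AD added after this page was written. This is an added example, not code from the original page or from Microsoft; the admin URL and the emergency-access group ID are placeholders. It assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Identity.SignIns modules and an administrator able to manage both.

```powershell
# Added example (not from the original page): block legacy (non-modern) authentication.
# Part 1 covers SharePoint Online and OneDrive; part 2 is a tenant-wide Conditional
# Access policy created in report-only mode. URLs and the group ID are placeholders.

# Part 1: refuse legacy authentication protocols for SharePoint Online and OneDrive.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL
Set-SPOTenant -LegacyAuthProtocolsEnabled $false
Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled

# Part 2: Conditional Access policy that blocks Exchange ActiveSync and the "other
# clients" category (IMAP, POP, SMTP AUTH, older Office clients) for everyone except
# the emergency-access group. Start in report-only mode, review the sign-in logs for
# affected users, then switch state to 'enabled'.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder object ID

$policy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'      # change to 'enabled' after review
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

The exclusion for the emergency-access group is deliberate: a block policy scoped to All users with no exclusion can lock out every administrator at once if the policy misfires. Report-only mode costs nothing and the Azure AD sign-in log shows exactly which accounts and protocols would have been blocked, which is the list you need to migrate before enforcing.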

Get started with Cloud App Security or Office 365 Cloud App Security

Use Office 365 Cloud App Security to evaluate risk, to alert on suspicious activity, and to automatically take action. Requires an Office 365 E5 plan.

Or, use Microsoft Cloud App Security to obtain deeper visibility even after access is granted, comprehensive controls, and improved protection for all your cloud applications, including Office 365.

Because this solution is recommended with the EMS E5 plan, we recommend you start with Cloud App Security so you can use it with the other SaaS applications in your environment. Start with the default policies and settings.

More information:

Screenshot: Cloud App Security dashboard

Additional resources

These articles and guides provide additional prescriptive information for securing your Microsoft 365 environment: