Configure teams with baseline protection

In this article, we look at how to deploy teams with a baseline level of protection. This level allows users a wide range of options for collaboration while enhancing permissions management and providing basic protection against oversharing. Recommended protections for this level include identity and device access policies and protection against malware. Additionally, you can apply conditional access policies and data loss protections as needed.

Initial protections

As a first step, we recommend that you configure basic identity and device-access policies. See Policy recommendations for securing Teams chats, groups, and files for details.

We also recommend turning on basic Defender for Office 365 features to guard against malware in documents, attachments, and links. We recommend turning on each of the options in the following table.

| Option | Information |
|---|---|
| Safe Attachments for SPO, OneDrive and Teams | Safe Attachments; Defender for Office 365 - SharePoint, OneDrive, and Microsoft Teams |
| Safe Documents | Safe Documents in Microsoft Defender for Office 365 |
| Safe Links for Teams | Office 365 Safe Links in Teams; Safe Links |

Teams guest sharing

In each of the tiers, we have the option of sharing with people outside your organization. For the sensitive and highly sensitive tiers, we will have the option to turn guest sharing off at the team level by using sensitivity labels. But the organization-level guest sharing setting must be turned on for guest sharing to work at all in Teams.

Screenshot of the Teams guest access toggle

To set Teams guest access settings

  1. Log in to the Microsoft 365 admin center at https://admin.microsoft.com.
  2. In the left navigation, click Show all.
  3. Under Admin centers, click Teams.
  4. In the Teams admin center, in the left navigation, expand Org-wide settings and click Guest access.
  5. Ensure that Allow guest access in Teams is set to On.
  6. Make any desired changes to the additional guest settings, and then click Save.

Note

It may take up to twenty-four hours for the Teams guest setting to become active after you turn it on.

Guest sharing is turned on by default for Office 365 groups and SharePoint; however, if you have previously changed any of the guest sharing settings for your organization, we recommend that you review Collaborate with guests in a team to ensure that guest sharing will be available in Teams.

Site and file sharing

To reduce the risk of accidentally sharing files or folders with people outside your organization, we recommend changing the default sharing link for SharePoint to Only people in your organization. (If users need to share externally, and you have enabled guest sharing, they can still change the link type when they share.)

To change the default sharing link

  1. Open the SharePoint admin center.
  2. Under Policies, click Sharing.
  3. Under File and folder links, select Only people in your organization.
  4. Click Save.

For the best guest sharing experience, we also recommend that you enable SharePoint and OneDrive integration with Azure AD B2B.
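The tenant-wide settings recommended so far (the Defender for Office 365 options, Teams guest access, the default sharing link, and Azure AD B2B integration) can be checked in one read-only pass. The script below is an added example, not part of the original article or a Microsoft-provided script. It assumes the ExchangeOnlineManagement, MicrosoftTeams and SharePoint Online Management Shell modules are installed and already connected; `Test-BaselineSetting` is a hypothetical helper name.

```powershell
# Added example: read-only audit of the tenant-wide baseline settings
# recommended on this page. Nothing is changed in the tenant.
# Assumes sessions are already open with Connect-ExchangeOnline,
# Connect-MicrosoftTeams and Connect-SPOService (your own admin URL).

function Test-BaselineSetting {
    # Hypothetical helper: compares one observed value with the recommended one.
    param([string]$Area, [string]$Setting, $Actual, $Expected)
    [pscustomobject]@{
        Area      = $Area
        Setting   = $Setting
        Actual    = "$Actual"
        Expected  = "$Expected"
        Compliant = ("$Actual" -eq "$Expected")
    }
}

$atp   = Get-AtpPolicyForO365                             # Safe Attachments / Safe Documents
$teams = Get-CsTeamsClientConfiguration -Identity Global  # org-wide Teams guest access
$spo   = Get-SPOTenant                                    # SharePoint sharing defaults

# 'Internal' is the value behind "Only people in your organization".
$report = @(
    Test-BaselineSetting 'Defender'   'EnableATPForSPOTeamsODB'     $atp.EnableATPForSPOTeamsODB     $true
    Test-BaselineSetting 'Defender'   'EnableSafeDocs'              $atp.EnableSafeDocs              $true
    Test-BaselineSetting 'Teams'      'AllowGuestUser'              $teams.AllowGuestUser            $true
    Test-BaselineSetting 'SharePoint' 'DefaultSharingLinkType'      $spo.DefaultSharingLinkType      'Internal'
    Test-BaselineSetting 'SharePoint' 'EnableAzureADB2BIntegration' $spo.EnableAzureADB2BIntegration $true
)

# Safe Links is configured per policy, so check every policy for Teams coverage.
$report += @(Get-SafeLinksPolicy | ForEach-Object {
    Test-BaselineSetting "SafeLinks:$($_.Name)" 'EnableSafeLinksForTeams' $_.EnableSafeLinksForTeams $true
})

$report | Format-Table -AutoSize

# Summarize anything that differs from the recommendation.
$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) baseline setting(s) differ from the recommendation."
}
```

Because the Teams guest setting can take up to twenty-four hours to become active, a value of `True` for `AllowGuestUser` shortly after a change does not yet prove that guests can join.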

Create a team

Additional configuration for the baseline level of protection is done in the SharePoint site associated with a team. Create a public or private team before proceeding to the next section.

Site sharing settings

By default, members of a SharePoint site can invite others to the site. When a site is part of a team, team members are included as site members. However, people added directly to the site don't have access to the rest of the team. For this reason, we recommend managing permissions exclusively through the team.

To help with permissions management, we recommend configuring the associated site to only allow owners to share the site by itself. This simplifies permissions management and helps prevent access by people without a team owner's knowledge. Do this for each team that requires baseline protection.

To update the site sharing settings

  1. In the tool bar for the team, click Files.
  2. Click Open in SharePoint.
  3. In the tool bar of the SharePoint site, click the settings icon, and then click Site permissions.
  4. In the Site permissions pane, under Site sharing, click Change how members can share.
  5. Under Sharing permissions, choose "Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site", and then click Save.

Additional protections

Microsoft 365 offers additional methods for securing your content. Consider if the following options would help improve security for your organization.

See Also

Manage meeting policies in Teams

Get started with insider risk management