Data access and protection considerations

Loss of sensitive data is an operational risk for any company, and with the advent of BYOD, information resides in more places than ever before. This translates to a bigger threat landscape and higher risks that must be correctly mitigated. Because a range of legislative, corporate, and industry regulations governs the protection of sensitive data, data protection can be a complex process. It is important to take these legal requirements, internal corporate policies, and industry regulations into account. As part of the BYOD infrastructure strategy, it is essential that after the policies and data classifications have been defined, the data is physically located, placed in the proper classification levels, and has the appropriate security settings applied. IT needs a way to validate users’ identities and may wish to apply additional conditions on the types of devices that are able to access the information and apps provided by the company.

Storage

How data is stored on users’ devices directly affects how you choose to address data access and protection for BYOD. Data encryption must be considered, and devices must allow IT to control when data encryption is enabled and for which types of data. Companies must review their policies and regulations to understand which types of data are allowed to leave the datacenter and be at rest in remote devices’ storage. Data encryption at rest in the datacenter’s storage is crucial. If your company is not yet performing this task, it must be considered as part of the strategy for a BYOD infrastructure. Ideally, the data should be encrypted throughout the entire path.

With Windows Server 2012 R2, it is possible to encrypt data at rest on users’ devices by using Work Folders. IT administrators can use Work Folders to gain more control over corporate data and users’ devices, and to centralize work data so that they can apply the appropriate processes and tools to keep their company in compliance. This can range from simply having a copy of the data if the user leaves the company to a wide range of capabilities such as backup, retention, classification, and automated encryption. If you decide to use Work Folders, ensure that the servers that will host the sync shares are well planned from the performance perspective. Read Performance Considerations for Work Folders Deployments for more information.

If you think of storage as a container of content, great value comes from protecting the consumption of that content. Data leakage can be prevented by enforcing policies that govern how the content that resides in storage can be used by the end user. Active Directory Rights Management Services (AD RMS) can be used to augment the security strategy for your organization by protecting documents that use information rights management (IRM). AD RMS allows individuals and administrators to specify access permissions to documents, workbooks, and presentations through IRM policies. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission for a file is stored in the file itself.

If your company wants to use a cloud-based solution for file protection, it can also use Azure Information Protection. Azure Information Protection can protect a company’s sensitive information using encryption, identity, and authorization policies to help secure files and email, and it works across multiple devices: phones, tablets, and PCs. Information can be protected both within the organization and outside the organization because that protection remains with the data, even when it leaves the organization’s boundaries.

Other storage technologies available in the Windows operating system can also be used to enhance the overall protection of the data, such as BitLocker for drive encryption and Encrypting File System (EFS) for file encryption. Use the following list to see the advantages and disadvantages of each storage protection option. Keep in mind that these options are not mutually exclusive. In other words, your design decision might conclude that you need all of these options in your BYOD infrastructure solution for storage protection.

Storage protection options — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of each storage protection option:

  • Encrypting File System (EFS)
    • Advantages
      • Provides file-level encryption
      • The encryption process is transparent to users because the encryption does not happen at the app level (it happens at the file-system level)
      • Provides backup capability with a key recovery agent
      • Available in all supported versions of the Windows operating system
      • Can be enabled by using Group Policy
      • Compliant with Suite B cryptography requirements as defined by the National Security Agency to meet the needs of United States government agencies for protecting classified information
    • Disadvantages
      • If the data owner is unavailable and you do not have the key recovery agent, you cannot decrypt an EFS file
      • Certificate management must be in place to manage the private keys that are associated with recovery certificates
      • Not available on platforms other than Windows
  • BitLocker
    • Advantages
      • Provides drive encryption capability
      • Provides system integrity and verification by leveraging the Trusted Platform Module (TPM)
      • Enhances protection to mitigate offline software-based attacks
      • Provides a method to check that early boot file integrity has been maintained
    • Disadvantages
      • Not available in all versions of Windows
      • Requires TPM version 1.2
      • Requires that the system BIOS (for TPM computers and non-TPM computers) support the USB mass storage device class
      • Not available for clusters prior to Windows Server 2012
  • Work Folders
    • Advantages
      • Leverages EFS for file encryption
      • Allows IT to encrypt data at rest on users’ devices
      • Can be enabled by using Group Policy on a per-user or per-device basis
      • Integrates with Microsoft Intune, which allows selective wipe of data located in Work Folders on users’ devices
      • Can force users to reauthenticate before they can access data located in Work Folders
      • Enables integration with Microsoft Information Protection services for data classification
    • Disadvantages
      • Available only for Windows 8.1, Windows RT 8.1, and Windows 10
      • Requires Windows Server 2012 R2 for hosting the sync shares
  • Active Directory Rights Management Services (AD RMS)
    • Advantages
      • Prevents an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use
      • Supports file expiration so that content in documents can no longer be viewed after a specified period of time
      • Prevents restricted content from being copied by using the Print Screen feature in Microsoft Windows
    • Disadvantages
      • Requires the deployment of a new server role (AD RMS)
      • Does not restrict content from being copied by using third-party screen-capture programs
      • Does not prevent content from being lost or corrupted because of the actions of computer viruses
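The list above notes that the storage options are complementary rather than exclusive. The following added example (not code from the original article) shows the two pieces a practitioner would script first: a Work Folders sync share that requires devices to encrypt the data at rest and lock with a password, and a device-side check that BitLocker and the TPM are actually protecting the OS drive. The share name, path, and group name are assumed placeholders.

```powershell
# Added example: server-side Work Folders enforcement plus a device-side check.
# 'WorkData', the path and 'CONTOSO\WorkFoldersUsers' are assumed placeholders.

# --- File server hosting the sync share (SyncShare module, Windows Server 2012 R2) ---
Import-Module SyncShare

$shareName = 'WorkData'
$sharePath = 'D:\SyncShares\WorkData'
$group     = 'CONTOSO\WorkFoldersUsers'

# Create the sync share only if it does not exist yet, and require that clients
# encrypt the Work Folders data on the device (EFS) and lock with a password.
if (-not (Get-SyncShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SyncShare -Name $shareName -Path $sharePath -User $group `
        -RequireEncryption $true -RequirePasswordAutoLock $true
}

# Audit: every sync share that does not enforce both device policies.
# A share created without these flags lets unencrypted copies land on devices.
function Get-WeakSyncShare {
    Get-SyncShare | Where-Object {
        -not $_.RequireEncryption -or -not $_.RequirePasswordAutoLock
    } | Select-Object Name, Path, RequireEncryption, RequirePasswordAutoLock
}
Get-WeakSyncShare

# --- On a managed Windows device: is the OS drive really protected at rest? ---
function Test-DeviceAtRestProtection {
    $tpm = Get-Tpm                                   # BitLocker needs TPM 1.2 (see list above)
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        BitLockerStatus  = $os.VolumeStatus          # FullyEncrypted is the goal
        ProtectionOn     = $os.ProtectionStatus      # 'On' means key protectors are active
        EncryptionMethod = $os.EncryptionMethod
    }
}
Test-DeviceAtRestProtection
```

Run the first part on the file server and the second on a device; a volume that reports FullyEncrypted but ProtectionStatus Off is still readable offline because its key protectors are suspended.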

Network

It is essential to consider the factors involved in enabling users to use their devices and in keeping data secure along the entire path between the datacenter (on-premises) or the cloud and users’ devices. These factors are highlighted in the figure below:

Network diagram

This diagram highlights the critical areas where data protection must be considered for a BYOD infrastructure. These areas are described in more detail in the following section.

Data protection — locations and considerations

Use the list below to understand the considerations regarding data protection according to the data location. The numbers in the list correspond to the previous diagram:

  • (1) Data at rest in the datacenter
    • Storage encryption: consider a storage solution that supports encryption
    • Key management: the key used to encrypt storage should be backed up, and a key recovery agent should be available in case you need it
  • (2) Data in flight from the datacenter to the edge of the corporate network
    • Network encryption: consider using a standard web protocol for encryption, such as SSL
    • Public key infrastructure (PKI): if your company has a PKI, you can use it to encrypt this communication channel
  • (3) Data in flight from the edge of the corporate network to users’ devices
    • Network encryption: consider using a standard web protocol for encryption, such as SSL
    • PKI: because this channel will be accessed by users on their personal devices, you should consider using a public certificate, which will most likely already be trusted by users’ devices
  • (3.1) Data in flight from the edge of the corporate network to the cloud service provider (optional; applies only if your company is using cloud services for BYOD)
    • Network encryption: consider using a standard web protocol for encryption, such as SSL
    • PKI: because this channel will be accessed by users on their personal devices, consider using a public certificate, which will most likely already be trusted by users’ devices
    • Site-to-site VPN: if you have a hybrid cloud infrastructure that is connected with cloud services, consider using a site-to-site VPN to keep a secure channel available for use by apps located on users’ devices
  • (3.2) Data at rest in the cloud service provider’s datacenter (optional; applies only if your company is using cloud services for BYOD)
    • Cloud service provider: consider the options that the cloud service provider offers to encrypt data at rest
    • Key management: verify with the cloud service provider how key management is handled and how the backup process occurs. Also consider integration between the cloud services and an on-premises key management system
  • (4) Data at rest on users’ devices
    • Storage encryption: consider a storage solution that supports encryption
    • Key management: the key used to encrypt storage should be backed up, and a key recovery agent should be available in case you need it
    • Remote wipe: the data that resides on users’ devices can be deleted remotely if necessary

Windows Server 2012 R2 enables the use of HTTPS to publish resources through Web Application Proxy, protecting data while in transit through the network. Communication between back-end servers can also be encrypted by using IPsec or, if the network traffic is purely SMB based, SMB Encryption. Use the next section to evaluate which network protection option best fits your design requirements for back-end server communication.

Network protection options — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of each network protection option:

  • SSL
    • Advantages
      • Wide range of support from many devices
      • Strong authentication, message privacy, and integrity
      • Interoperability
    • Disadvantage
      • Requires a certificate infrastructure, unless you use public SSL certificates
  • IPsec
    • Advantages
      • Provides encryption of the entire IP datagram
      • Provides computer-level authentication
      • Widely supported on many platforms and available in all supported versions of Windows
      • Internet Key Exchange (IKE) authentication limits network access to trusted computers
    • Disadvantages
      • Requires a certificate infrastructure, unless you use a preshared key
      • IPsec happens at the host level, so it cannot be controlled at the app level
      • Difficult to troubleshoot
  • SMB Encryption
    • Advantages
      • Encrypts data in transit over the SMB protocol
      • Easy to implement in the UI and via Windows PowerShell
      • Flexible because it can be implemented per server or per share
    • Disadvantage
      • Works only for Windows 8 and later client computers and Windows Server 2012 and later server computers
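As an added example (not code from the original article), the following script shows the per-share and per-server forms of SMB Encryption described above, together with two audit functions: one lists shares that still accept cleartext, the other lists connected clients whose SMB dialect is below 3.0 and therefore cannot encrypt, which is the compatibility disadvantage listed above. The share name is an assumed placeholder.

```powershell
# Added example: SMB Encryption per share vs. per server, plus audits.
# 'HRData' is an assumed placeholder share name.
Import-Module SmbShare

# Per-share: only this share's traffic is encrypted (SMB 3.0 and later).
Set-SmbShare -Name 'HRData' -EncryptData $true -Force

# Per-server: every share is encrypted, and clients that cannot encrypt are
# refused instead of silently falling back to cleartext.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Audit 1: shares that still allow cleartext. Returns nothing when the
# server-wide setting is on, because that setting covers every share.
function Get-UnencryptedSmbShare {
    $server = Get-SmbServerConfiguration
    if ($server.EncryptData) { return @() }
    Get-SmbShare |
        Where-Object { -not $_.EncryptData -and -not $_.Special } |   # skip C$, IPC$ ...
        Select-Object Name, Path, EncryptData
}

# Audit 2: current sessions negotiated below SMB 3.0 (Windows 7 and earlier).
# These are the clients that will be locked out once RejectUnencryptedAccess
# is enforced, so review them before flipping the server-wide switch.
function Get-LegacySmbSession {
    Get-SmbSession |
        Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

Get-UnencryptedSmbShare
Get-LegacySmbSession
```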

Directory

User attributes should be stored in the directory, allowing IT to easily query user information such as roles and groups. You should also consider how the relationship between users and devices will be tracked. Every unknown device that becomes known to or manageable by IT should also have a record in the management database or in the directory, so that IT can audit the device.

In hybrid environments, where there will be different authentication repositories, companies should consider how to enable users to authenticate with the same credential regardless of where the users and the apps are located. Consider using Active Directory Federation Services (AD FS) if you want to centralize authentication on-premises instead of replicating the directory to the cloud service provider. Use the next section to evaluate the directory options for a BYOD infrastructure.

Directory options — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of each directory option:

  • Centralized on-premises
    • Advantages
      • All security controls are physically located on-premises, and IT has full control
      • IT can harden the server that holds the directory role
      • Richer auditing and logging capabilities
    • Disadvantages
      • Higher cost to maintain when compared to cloud services
      • Lack of integration with cloud services
  • Centralized in the cloud
    • Advantages
      • Lower cost to maintain when compared to an on-premises solution
      • Easier to manage when compared to an on-premises solution
    • Disadvantages
      • Lack of customization
      • Depends on the cloud service provider to obtain auditing and logging data
  • Directory synchronization between on-premises and the cloud
    • Advantages
      • Integrated on-premises and cloud directory
      • Enables single sign-on for users
      • IT can still harden the on-premises server that holds the directory role
      • Seamless login experience for users
    • Disadvantages
      • Requires password hash synchronization
      • Requires a signature service
  • Federated between on-premises and the cloud
    • Advantages
      • Integrated on-premises and cloud directory
      • Enables single sign-on for users
      • IT can still harden the on-premises server that holds the directory role
      • Seamless login experience for users
      • More robust for solutions that need integration with other directory services; requires synchronization, but does not sync passwords
    • Disadvantages
      • Requires a signature service
      • Requires a server infrastructure for federation
      • Requires a certificate to secure the communication between the federation server and the cloud service

Hybrid environments that require users to connect to cloud services from their own devices can take advantage of the integration between Azure Active Directory and Active Directory Domain Services (AD DS). In a hybrid identity scenario, companies that want to preserve seamless user authentication can choose from the following options:

  • Directory synchronization with password sync: use DirSync with password hash sync between AD DS and Azure AD.
  • Federated authentication with single sign-on: user attributes are synchronized using DirSync. Authentication is passed back through federation (AD FS) and completed against AD DS.

When using Device Registration Service in Windows 8.1, a certificate is installed on the user’s device and a device record is created in AD DS with the certificate’s thumbprint. This link between the device and the user allows IT to track which devices are registered by each user. This capability does not require an enterprise PKI. Device registration is also available in Azure AD for Windows 10. Read Get started with Azure Active Directory Device Registration for more information about device registration using Azure AD and Windows 10.

Authentication and authorization

The decision to enable users to access apps and data from their devices must guarantee that users are identified through a trustworthy authentication process and that they are authorized to use the resources they request. Companies should review their current authentication and authorization policies and consider the following questions:

  • What are the authentication requirements for users to be able to remotely access company apps from their devices?
  • Is the current platform able to enforce authorization per user and per app without having to rewrite the apps?
  • Is it possible to enforce Multi-Factor Authentication according to a user’s location?

Authentication and authorization are handled by AD FS in connection with AD DS. Data in flight within the datacenter also uses HTTPS when connecting to the File Server role and the authentication services.

To enforce Multi-Factor Authentication, companies can use the built-in capabilities in AD FS or use Azure Multi-Factor Authentication (MFA). By leveraging this capability in Azure, IT can enforce multi-factor authentication for users who access company resources from the Internet. For more information about multi-factor authentication, see Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.

To enforce authorization per app for users who access apps from either an external or an internal network, IT can leverage Web Application Proxy. By using Web Application Proxy, IT can create specific rules to enforce authentication and authorization in conjunction with AD FS. Web Application Proxy publishing works for any user device, whether a personal laptop, tablet, or smartphone. In addition, users are not required to install any additional software on their devices to access published apps. Web Application Proxy serves as a reverse proxy for any apps published through it, so the user experience is the same as if users’ devices were connected directly to the apps. For more information about Web Application Proxy, see Web Application Proxy Overview.
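The two preceding paragraphs describe location-based MFA and per-app authorization through AD FS and Web Application Proxy. The following added example (not code from the original article) expresses both as AD FS claim rules: a global rule that demands a second factor only when the request did not originate inside the corporate network, a per-app rule that always demands it for one sensitive app, and an issuance authorization rule that lets only members of one group reach that app. The relying party name ContosoExpenseApp and the group SID are assumed placeholders.

```powershell
# Added example: AD FS 2012 R2 rules for location-based MFA and per-app authorization.
# 'ContosoExpenseApp' and the group SID below are assumed placeholders.
Import-Module ADFS

# Claim type URIs. insidecorporatenetwork is set by AD FS to "false" for requests
# that arrived through the Web Application Proxy, i.e. from the Internet.
$insideCorpNet = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$authMethod    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$multipleAuthn = 'http://schemas.microsoft.com/claims/multipleauthn'
$groupSid      = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$permit        = 'http://schemas.microsoft.com/authorization/claims/permit'

# 1. Global rule: extranet requests must complete an additional authentication
#    method. An additional provider (for example Azure MFA) must be enabled first
#    with Set-AdfsGlobalAuthenticationPolicy, otherwise the rule cannot be satisfied.
$mfaFromExtranet = @"
c:[Type == "$insideCorpNet", Value == "false"]
 => issue(Type = "$authMethod", Value = "$multipleAuthn");
"@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaFromExtranet

# 2. Per-app rule: this app requires MFA wherever the user is, inside or outside.
$mfaAlways = @"
=> issue(Type = "$authMethod", Value = "$multipleAuthn");
"@
Set-AdfsRelyingPartyTrust -TargetName 'ContosoExpenseApp' `
    -AdditionalAuthenticationRules $mfaAlways

# 3. Per-app authorization: only members of one AD group receive a token for this
#    app. Unauthorized users are stopped at AD FS, before the request ever reaches
#    the app, and the app itself needs no code change.
$expenseUsersSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder SID
$onlyExpenseUsers = @"
c:[Type == "$groupSid", Value == "$expenseUsersSid"]
 => issue(Type = "$permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName 'ContosoExpenseApp' `
    -IssuanceAuthorizationRules $onlyExpenseUsers

# Verification helper: show the rules now attached to an app.
function Get-AppAccessRules {
    param([string]$AppName)
    Get-AdfsRelyingPartyTrust -Name $AppName |
        Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
}
Get-AppAccessRules -AppName 'ContosoExpenseApp'
```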

Note

If you have a hybrid scenario and need a seamless user authentication and authorization experience, read the Hybrid Identity Design Considerations Guide.

Policy and compliance

Policy and compliance considerations should be a priority of any strategy that embraces BYOD. Some companies might have hard requirements that will not fit into this model because of business regulations. A company that is moving to a people-centric strategy must understand its current policies and how those policies will be affected by embracing BYOD. Consider the requirements regarding data classification and how IT can keep control of the data classification, even when the data is at rest in the device’s storage. When thinking about data classification, it is important to be able to classify the data while some operations (such as editing a file) are taking place.

Policies should be enforced from a centralized location so that IT can respond rapidly to ad hoc changes that affect all users. Also consider robust auditing capabilities for mobile devices. If a breach occurs, it is essential that IT is able to track which policy was infringed, who infringed it, and when it happened.

Policy and compliance — capabilities and considerations

Use the list below to understand the considerations for policy and compliance capabilities:

  • Data classification
    • Apply data classification as the content is saved and as it changes
    • IT must be able to classify data at rest in the datacenter and on users’ devices
  • Centralized management
    • IT must be able to manage data classification from a single location, even if the data is located on multiple devices
    • Hybrid IT environments should be able to manage resources located on-premises and in the cloud
  • Integration with directory services
    • IT should be able to leverage its current directory service as the identity repository
  • Audit and logging
    • IT should be able to audit access to resources and increase logging capability when necessary

Applying data governance across file servers to control who can access information and to audit who has accessed it is a key element of BYOD. In Windows Server 2012 R2, this can be done by using Dynamic Access Control, which is based on infrastructure investments that can also be used by partners and line-of-business applications. The features of Dynamic Access Control can provide great value for organizations that use Active Directory Domain Services.

When leveraging Dynamic Access Control capabilities, you can identify data by using automatic and manual classification of files. For example, you can tag data in file servers across the organization. It is also possible to control access to files by applying safety-net policies that use central access policies. Dynamic Access Control also leverages Rights Management Services (RMS) protection by applying automatic RMS encryption to sensitive documents. For example, you can configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information. For forensic investigation and auditing, you can leverage the central audit policies for compliance reporting and forensic analysis, and identify who has accessed highly sensitive information.

Dynamic Access Control, a function of the File Server role, gives IT the capabilities shown in the preceding list. For more information about Dynamic Access Control, see Dynamic Access Control: Scenario Overview.
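The HIPAA scenario sketched above can be carried through end to end. The following added example (not code from the original article or the Dynamic Access Control documentation) defines a user claim and a resource property, a central access rule and policy that restrict HIPAA-tagged files to one department, an FSRM content rule that applies the tag as files are saved or changed, and a continuous file management job that RMS-encrypts whatever carries the tag. The department value, share path, and RMS template name are assumed placeholders, and the domain controllers must already be enabled for claims through the KDC Group Policy setting.

```powershell
# Added example: Dynamic Access Control from classification to RMS encryption.
# 'Health', 'D:\Shares\Medical' and the RMS template name are assumed placeholders.
Import-Module ActiveDirectory
Import-Module FileServerResourceManager

# 1. Who is asking (a user claim sourced from the AD 'department' attribute) and
#    what the file is (a secured resource property). -ID is set explicitly so the
#    conditional expressions below can reference both by a known name.
New-ADClaimType -DisplayName 'Department' -ID 'ad://ext/Department' `
    -SourceAttribute 'department'
$hipaa = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    'HIPAA', 'HIPAA', 'Contains protected health information')
New-ADResourceProperty -DisplayName 'Compliance' -ID 'Compliance_MS' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $hipaa
Add-ADResourcePropertyListMember 'Global Resource Property List' -Members 'Compliance'

# 2. Central access rule: applies only to files tagged HIPAA and grants read/execute
#    to authenticated users whose Department claim is Health (owner, admins and
#    SYSTEM keep full control). The policy is then targeted at file servers through
#    Group Policy (Security Settings > File System > Central Access Policy) and
#    selected on the folder's Advanced Security tab.
$sddl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
        '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "Health"))'
New-ADCentralAccessRule -Name 'HIPAA data rule' -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition '(@RESOURCE.Compliance_MS == "HIPAA")' -CurrentAcl $sddl
New-ADCentralAccessPolicy -Name 'HIPAA policy' -ProtectedFromAccidentalDeletion $true
Add-ADCentralAccessPolicyMember -Identity 'HIPAA policy' -Members 'HIPAA data rule'

# 3. On the file server: import the AD resource property into FSRM and classify by
#    content, so a record gets tagged as it is saved or changed (the page's
#    "classify while operations take place" requirement). The regex is illustrative.
Update-FsrmClassificationPropertyDefinition
New-FsrmClassificationRule -Name 'Tag HIPAA records' -Namespace @('D:\Shares\Medical') `
    -Property 'Compliance_MS' -PropertyValue 'HIPAA' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('Patient ID:\s*\d{6}') -ReevaluateProperty Overwrite

# 4. Automatic RMS protection: a continuous file management job applies the RMS
#    template to every file whose Compliance property equals HIPAA, so the
#    protection travels with the file once it leaves the server.
$rmsAction = New-FsrmFmjAction -Type Rms -RmsTemplate 'Contoso Health Confidential'
$isHipaa   = New-FsrmFmjCondition -Property 'Compliance_MS' -Condition Equal -Value 'HIPAA'
New-FsrmFileManagementJob -Name 'Protect HIPAA records' -Namespace @('D:\Shares\Medical') `
    -Action $rmsAction -Condition $isHipaa -Continuous

# Run a classification pass now rather than waiting for the schedule, and report it.
Start-FsrmClassification
Get-FsrmClassification | Select-Object LastRun, Status
```

Central audit policies for the "who accessed HIPAA data" question are configured separately under Advanced Audit Policy (Object Access > File System with a resource-attribute condition) and are not shown here.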