Access control to resources

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Organizations that already use Active Directory to authenticate and authorize users already manage access control to specific resources, by using groups in Active Directory to segment and control access to resources.

To manage access to specific resources, you first authenticate and authorize the user, and then validate the type of control the user has on the target resource. In the figure below, this is shown for user Bob accessing a folder.

Figure: Authentication flow

Basic authentication and authorization flow

The traditional Access Control List (ACL) is very limited and doesn't take into consideration other aspects of the user's state, such as where the user is located when trying to access this resource. If your organization needs to include more variables before granting access to a resource, you can use Dynamic Access Control, which is natively available in Windows Server 2012. Windows 10 supports health attestation, which helps IT control the health state of the device before providing access to the data. The remote health attestation service performs a series of checks on the measurements. It validates security-related data points, including boot state (Secure Boot, Debug Mode, and so on) and the state of components that manage security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending an encrypted health blob back to the device. Read Control the health of Windows 10-based devices for more information.

Intune administrators can view the status of Windows 10 Device Health Attestation in the Intune Admin console. Device health attestation lets the administrator ensure that client computers have trustworthy BIOS, TPM, and boot software configurations. To support device health attestation, client devices must be running Windows 10 with TPM 2 enabled.
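The two-stage decision described above (a static ACL check followed by a conditional-access check over the attested health state) as an added, constructed Python model; it is not Microsoft's code, and the `HealthReport` fields, `HealthPolicy` defaults and result strings are assumptions chosen to mirror the data points the text lists.

```python
from dataclasses import dataclass

# Constructed model (not Microsoft's implementation): an ACL check on the
# target folder, then a conditional-access check over the health report the
# remote attestation service derives from the device's measurements.

@dataclass(frozen=True)
class HealthReport:
    """Constructed subset of the data points health attestation validates."""
    secure_boot: bool
    debug_mode: bool
    bitlocker: bool
    device_guard: bool
    tpm_version: int

@dataclass(frozen=True)
class HealthPolicy:
    """What the organization requires before granting access to data."""
    require_secure_boot: bool = True
    forbid_debug_mode: bool = True
    require_bitlocker: bool = True
    require_device_guard: bool = False
    min_tpm_version: int = 2  # device health attestation needs TPM 2

def acl_permits(acl, user_groups, right):
    """Traditional ACL: grant if any group the user belongs to holds the right.
    acl maps group name -> set of rights, e.g. {"Finance": {"read"}}."""
    return any(right in acl.get(group, set()) for group in user_groups)

def health_violations(report, policy):
    """Return the names of failed health checks; an empty list means healthy."""
    checks = [
        ("secure_boot", policy.require_secure_boot and not report.secure_boot),
        ("debug_mode", policy.forbid_debug_mode and report.debug_mode),
        ("bitlocker", policy.require_bitlocker and not report.bitlocker),
        ("device_guard", policy.require_device_guard and not report.device_guard),
        ("tpm_version", report.tpm_version < policy.min_tpm_version),
    ]
    return [name for name, failed in checks if failed]

def evaluate_access(acl, user_groups, right, report, policy):
    """Combine both stages: the ACL alone would grant Bob access from any
    device; conditional access additionally requires a healthy device."""
    if not acl_permits(acl, user_groups, right):
        return "denied: acl"
    failed = health_violations(report, policy)
    if failed:
        return "denied: unhealthy device (" + ", ".join(failed) + ")"
    return "granted"
```

Note that the same user on the same ACL is granted or denied purely on device state, which is exactly what a plain ACL cannot express.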

With many companies acting as a cloud provider themselves, by using technologies that allow them to have a private cloud, another option is to use Role Based Access Control (RBAC). Azure AD allows IT to use RBAC to control access to resources. And since Azure AD can be integrated with your on-premises Active Directory, you can use them together to determine how users access resources.

A resource can also be an app, which means that to implement access control to resources, your MDM solution must also be able to control how apps are installed and accessed. Mobile application management policies in Intune let you modify the functionality of the apps that you deploy, to help make sure that they comply with your company's compliance and security policies.

Use the table below as a reference to help you choose the MDM option that best fits your organization's access control requirements.

Intune (standalone)

Advantages

  • Access control (installation and management) for apps
  • Conditional access with the health attestation service

Disadvantages

  • Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
  • Some policies may not be available for some mobile platforms

MDM for Office 365

Advantages

  • Access control to email, Office Mobile, Office apps, and OneDrive for Business

Disadvantages

  • Only allows a small subset of access control to resources
  • Lack of integration with the current on-premises MDM platform will introduce an additional management interface for you to use
  • Some policies may not be available for some mobile platforms

Hybrid (Intune with ConfigMgr)

Advantages

  • Access control (installation and management) for apps
  • Conditional access with the health attestation service

Disadvantages

  • The Azure AD cloud service is not included when you purchase an Intune subscription

Enterprise Mobility + Security

Advantages

  • Access control (installation and management) for apps
  • Leverages Azure AD Premium to provide RBAC-based access control
  • Conditional access with the health attestation service

Disadvantages

  • If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install and configure this platform before the integration