Cryptographic controls technical reference

Applies to: Configuration Manager (current branch)

Configuration Manager uses signing and encryption to help protect the management of the devices in the Configuration Manager hierarchy. With signing, if data has been altered in transit, it's discarded. Encryption helps prevent an attacker from reading the data by using a network protocol analyzer.

The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration Manager sites communicate with each other, they sign their communications with SHA-256. The primary encryption algorithm implemented in Configuration Manager is 3DES. This is used for storing data in the Configuration Manager database and for client HTTP communication. When you use client communication over HTTPS, you can configure your public key infrastructure (PKI) to use RSA certificates with the maximum hashing algorithms and key lengths that are documented in PKI certificate requirements.

For most cryptographic operations for Windows-based operating systems, Configuration Manager uses SHA-2, 3DES and AES, and RSA algorithms from the Windows CryptoAPI library rsaenh.dll.

Important

See information about recommended changes in response to SSL vulnerabilities in About SSL Vulnerabilities.

Cryptographic controls for Configuration Manager operations

Information in Configuration Manager can be signed and encrypted, whether or not you use PKI certificates with Configuration Manager.

Policy signing and encryption

Client policy assignments are signed by the self-signed site server signing certificate to help prevent the security risk of a compromised management point sending policies that have been tampered with. This is important if you are using Internet-based client management because this environment requires a management point that is exposed to Internet communication.

Policy is encrypted with 3DES when it contains sensitive data. Policy that contains sensitive data is sent to authorized clients only. Policy that does not have sensitive data is not encrypted.

When policy is stored on the clients, it is encrypted with the Data Protection application programming interface (DPAPI).

Policy hashing

When Configuration Manager clients request policy, they first get a policy assignment so that they know which policies apply to them, and then they request only those policy bodies. Each policy assignment contains the calculated hash for the corresponding policy body. The client retrieves the applicable policy bodies and then calculates the hash on that body. If the hash on the downloaded policy body does not match the hash in the policy assignment, the client discards the policy body.

The hashing algorithm for policy is SHA-1 and SHA-256.

Content hashing

The distribution manager service on the site server hashes the content files for all packages. The policy provider includes the hash in the software distribution policy. When the Configuration Manager client downloads the content, the client regenerates the hash locally and compares it to the one supplied in the policy. If the hashes match, the content has not been altered and the client installs it. If a single byte of the content has been altered, the hashes will not match and the software will not be installed. This check helps to ensure that the correct software is installed because the actual content is cross-checked with the policy.

The default hashing algorithm for content is SHA-256.
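The check that the policy hashing and content hashing sections describe, as an added Go example that is not code from this page or from the Configuration Manager product: the assignment carries the SHA-256 of the body, the client recomputes the digest over what it downloaded, and a mismatch (including a single flipped byte) means the body is discarded. The PolicyAssignment type, the function names and the sample body are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// PolicyAssignment is a hypothetical stand-in for the piece of a policy
// assignment that matters here: the SHA-256 the site computed over the
// policy body (or, for content, the hash the policy provider put in the
// software distribution policy).
type PolicyAssignment struct {
	PolicyID    string
	BodyHashHex string // hex-encoded SHA-256 of the expected body
}

// HashBody computes the hex-encoded SHA-256 digest of a policy body or
// content file, as the site side would when it builds the assignment.
func HashBody(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// VerifyBody is the client-side check: recompute the digest over the
// downloaded body and compare it with the digest carried in the assignment.
// A malformed digest is treated as a mismatch. The comparison is constant
// time so the check does not reveal how many leading bytes agreed.
func VerifyBody(a PolicyAssignment, body []byte) bool {
	expected, err := hex.DecodeString(a.BodyHashHex)
	if err != nil || len(expected) != sha256.Size {
		return false
	}
	actual := sha256.Sum256(body)
	return subtle.ConstantTimeCompare(expected, actual[:]) == 1
}

// AcceptBody models the client's decision: the body is kept only when it
// verifies; otherwise it is discarded and nil is returned.
func AcceptBody(a PolicyAssignment, body []byte) []byte {
	if !VerifyBody(a, body) {
		return nil
	}
	return body
}

func main() {
	// Constructed sample body; the assignment is built from its digest.
	body := []byte(`<Policy id="EXAMPLE-POLICY-1">install package EXAMPLE-PKG</Policy>`)
	assignment := PolicyAssignment{PolicyID: "EXAMPLE-POLICY-1", BodyHashHex: HashBody(body)}
	fmt.Println("genuine body accepted:", AcceptBody(assignment, body) != nil)

	// Altering a single byte changes the digest, so the body is discarded.
	tampered := append([]byte(nil), body...)
	tampered[len(tampered)-10] ^= 0x01
	fmt.Println("tampered body accepted:", AcceptBody(assignment, tampered) != nil)
}
```

The same function pair serves content verification: the distribution manager's hash takes the place of the assignment hash, and the downloaded package bytes take the place of the policy body.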

Not all devices can support content hashing. The exceptions include:

  • Windows clients when they stream App-V content.

  • Windows Phone clients, though these clients verify the signature of an application that is signed by a trusted source.

  • Windows RT clients, though these clients verify the signature of an application that is signed by a trusted source and also use package full name (PFN) validation.

  • Clients that run on versions of Linux and UNIX that do not support SHA-256. For more information, see Planning for client deployment to Linux and UNIX computers.

Inventory signing and encryption

Inventory that clients send to management points is always signed by devices, regardless of whether they communicate with management points over HTTP or HTTPS. If they use HTTP, you can choose to encrypt this data, which is a security best practice.

State migration encryption

Data stored on state migration points for operating system deployment is always encrypted by the User State Migration Tool (USMT) by using 3DES.

Encryption for multicast packages to deploy operating systems

For every operating system deployment package, you can enable encryption when the package is transferred to computers by using multicast. The encryption uses Advanced Encryption Standard (AES). If you enable encryption, no additional certificate configuration is required. The multicast-enabled distribution point automatically generates symmetric keys for encrypting the package. Each package has a different encryption key. The key is stored on the multicast-enabled distribution point by using standard Windows APIs. When the client connects to the multicast session, the key exchange occurs over a channel encrypted with either the PKI-issued client authentication certificate (when the client uses HTTPS) or the self-signed certificate (when the client uses HTTP). The client stores the key in memory only for the duration of the multicast session.

Encryption for media to deploy operating systems

When you use media to deploy operating systems and specify a password to protect the media, the environment variables are encrypted by using Advanced Encryption Standard (AES) with a 128-bit key size. Other data on the media, including packages and content for applications, is not encrypted.

Encryption for content that is hosted on cloud-based distribution points

Beginning with System Center 2012 Configuration Manager SP1, when you use cloud-based distribution points, the content that you upload to these distribution points is encrypted by using Advanced Encryption Standard (AES) with a 256-bit key size. The content is re-encrypted whenever you update it. When clients download the content, it is encrypted and protected by the HTTPS connection.

Signing in software updates

All software updates must be signed by a trusted publisher to protect against tampering. On client computers, the Windows Update Agent (WUA) scans for the updates from the catalog, but will not install the update if it cannot locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was used for publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate. WUA also checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the updates that were created and published with Updates Publisher.

When software updates are published in System Center Updates Publisher, a digital certificate signs the software updates when they are published to an update server. You can either specify a PKI certificate or configure Updates Publisher to generate a self-signed certificate to sign the software update.

Signed configuration data for compliance settings

When you import configuration data, Configuration Manager verifies the file's digital signature. If the files have not been signed, or if the digital signature verification check fails, you will be warned and prompted whether to continue with the import. Continue to import the configuration data only if you explicitly trust the publisher and the integrity of the files.

Encryption and hashing for client notification

If you use client notification, all communication uses TLS and the highest encryption that the server and client operating systems can negotiate. For example, a client computer running Windows 7 and a management point running Windows Server 2008 R2 can support 128-bit AES encryption, whereas a client computer running Vista connecting to the same management point will negotiate down to 3DES encryption. The same negotiation occurs for hashing the packets that are transferred during client notification, which uses SHA-1 or SHA-2.

Certificates used by Configuration Manager

For a list of the public key infrastructure (PKI) certificates that can be used by Configuration Manager, any special requirements or limitations, and how the certificates are used, see PKI certificate requirements. This list includes the supported hash algorithms and key lengths. Most certificates support SHA-256 and a 2048-bit key length.

Note

All certificates that Configuration Manager uses must contain only single-byte characters in the subject name or subject alternative name.

PKI certificates are required for the following scenarios:

  • When you manage Configuration Manager clients on the Internet.

  • When you manage Configuration Manager clients on mobile devices.

  • When you manage Mac computers.

  • When you use cloud-based distribution points.

For most other Configuration Manager communications that require certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not available, Configuration Manager generates self-signed certificates.

Configuration Manager does not use PKI certificates when it manages mobile devices by using the Exchange Server connector.

Mobile device management and PKI certificates

If the mobile device has not been locked by the mobile operator, you can use Configuration Manager or Microsoft Intune to request and install a client certificate. This certificate provides mutual authentication between the client on the mobile device and Configuration Manager site systems or Microsoft Intune services. If your mobile device is locked, you cannot use Configuration Manager or Intune to deploy certificates.

If you enable hardware inventory for mobile devices, Configuration Manager or Intune also inventories the certificates that are installed on the mobile device.

Operating system deployment and PKI certificates

When you use Configuration Manager to deploy operating systems and a management point requires HTTPS client connections, the client computer must also have a certificate to communicate with the management point, even though it is in a transitional phase such as booting from task sequence media or a PXE-enabled distribution point. To support this scenario, you must create a PKI client authentication certificate and export it with the private key, then import it into the site server properties and also add the management point's trusted root CA certificate.

If you create bootable media, you import the client authentication certificate when you create the bootable media. Configure a password on the bootable media to help protect the private key and other sensitive data configured in the task sequence. Every computer that boots from the bootable media will present the same certificate to the management point as required for client functions such as requesting client policy.

If you use PXE boot, you import the client authentication certificate to the PXE-enabled distribution point and it uses the same certificate for every client that boots from that PXE-enabled distribution point. As a security best practice, require users who connect their computers to a PXE service to supply a password to help protect the private key and other sensitive data in the task sequences.

If either of these client authentication certificates is compromised, block the certificates in the Certificates node in the Administration workspace, Security node. To manage these certificates, you must have the Manage operating system deployment certificate right.

After the operating system is deployed and the Configuration Manager client is installed, the client will require its own PKI client authentication certificate for HTTPS client communication.

ISV proxy solutions and PKI certificates

Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example, an ISV could create extensions to support non-Windows client platforms such as Macintosh or UNIX computers. However, if the site systems require HTTPS client connections, these clients must also use PKI certificates for communication with the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy that enables communications between the ISV proxy clients and the management point. If you use extensions that require ISV proxy certificates, consult the documentation for that product. For more information about how to create ISV proxy certificates, see the Configuration Manager Software Developer Kit (SDK).

If the ISV certificate is compromised, block the certificate in the Certificates node in the Administration workspace, Security node.

Asset intelligence and certificates

Configuration Manager installs with an X.509 certificate that the Asset Intelligence synchronization point uses to connect to Microsoft. Configuration Manager uses this certificate to request a client authentication certificate from the Microsoft certificate service. The client authentication certificate is installed on the Asset Intelligence synchronization point site system server and it is used to authenticate the server to Microsoft. Configuration Manager uses the client authentication certificate to download the Asset Intelligence catalog and to upload software titles.

This certificate has a key length of 1024 bits.

Cloud-based distribution points and certificates

Beginning with System Center 2012 Configuration Manager SP1, cloud-based distribution points require a management certificate (self-signed or PKI) that you upload to Microsoft Azure. This management certificate requires server authentication capability and a certificate key length of 2048 bits. In addition, you must configure a service certificate for each cloud-based distribution point, which cannot be self-signed but also has server authentication capability and a minimum certificate key length of 2048 bits.
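A check for the certificate requirements stated in this section and in the certificate list earlier on the page (server authentication capability, a key length of at least 2048 bits, and only single-byte characters in the subject name or subject alternative name), as an added Go example that is not part of the page or of the Configuration Manager product. CertificateProblems and SelfSignedTestCert are hypothetical helpers; the deprecated-signature check is an addition by the example's author, and the self-signed certificates are constructed sample data rather than anything taken from a real deployment.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertificateProblems is a hypothetical helper that returns one line per
// requirement the certificate fails: an RSA key of at least 2048 bits, the
// server authentication EKU, a signature that does not use MD5 or SHA-1, and
// only single-byte characters in the subject common name and DNS subject
// alternative names. An empty result means the certificate passes.
func CertificateProblems(cert *x509.Certificate) []string {
	var problems []string

	rsaPub, ok := cert.PublicKey.(*rsa.PublicKey)
	switch {
	case !ok:
		problems = append(problems, "public key is not RSA")
	case rsaPub.N.BitLen() < 2048:
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, need at least 2048", rsaPub.N.BitLen()))
	}

	hasServerAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			hasServerAuth = true
		}
	}
	if !hasServerAuth {
		problems = append(problems, "missing server authentication EKU")
	}

	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		problems = append(problems, "signature uses a deprecated hash algorithm: "+cert.SignatureAlgorithm.String())
	}

	names := append([]string{cert.Subject.CommonName}, cert.DNSNames...)
	for _, n := range names {
		for _, r := range n {
			if r > 0x7F {
				problems = append(problems, fmt.Sprintf("name %q contains a multi-byte character", n))
				break
			}
		}
	}
	return problems
}

// SelfSignedTestCert builds a self-signed certificate from constructed sample
// values so the checks above can be exercised offline. A real check would load
// the certificate from the machine store instead.
func SelfSignedTestCert(bits int, commonName string, serverAuth bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if serverAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, tc := range []struct {
		bits       int
		cn         string
		serverAuth bool
	}{
		{2048, "cdp.example.test", true},     // meets the requirements
		{1024, "分发点.example.test", false}, // short key, no EKU, multi-byte name
	} {
		cert, err := SelfSignedTestCert(tc.bits, tc.cn, tc.serverAuth)
		if err != nil {
			fmt.Println("could not build certificate:", err)
			continue
		}
		fmt.Printf("%s: %v\n", tc.cn, CertificateProblems(cert))
	}
}
```

The 1024-bit case is the same key length the page gives for the Asset Intelligence certificate, which is installed by the product and is not the administrator's to replace; the check is meant for certificates you issue yourself.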

Note

The self-signed management certificate is for testing purposes only and not for use on production networks.

Clients do not require a client PKI certificate to use cloud-based distribution points; they authenticate to the management point by using either a self-signed certificate or a client PKI certificate. The management point then issues a Configuration Manager access token to the client, which the client presents to the cloud-based distribution point. The token is valid for 8 hours.

The Microsoft Intune Connector and certificates

When Microsoft Intune enrolls mobile devices, you can manage these mobile devices in Configuration Manager by creating a Microsoft Intune connector. The connector uses a PKI certificate with client authentication capability to authenticate Configuration Manager to Microsoft Intune and to transfer all information between them by using SSL. The certificate key size is 2048 bits and uses the SHA-1 hash algorithm.

When you install the connector, a signing certificate is created and stored on the site server for sideloading keys, and an encryption certificate is created and stored on the certificate registration point to encrypt the Simple Certificate Enrollment Protocol (SCEP) challenge. These certificates also have a key size of 2048 bits and use the SHA-1 hash algorithm.

When Intune enrolls mobile devices, it installs a PKI certificate onto the mobile device. This certificate has client authentication capability, uses a key size of 2048 bits, and uses the SHA-1 hash algorithm.

These PKI certificates are automatically requested, generated, and installed by Microsoft Intune.

CRL checking for PKI certificates

A PKI certificate revocation list (CRL) increases administrative and processing overhead but it is more secure. However, if CRL checking is enabled but the CRL is inaccessible, the PKI connection fails. For more information, see Security and privacy for Configuration Manager.

Certificate revocation list (CRL) checking is enabled by default in IIS, so if you are using a CRL with your PKI deployment, there is nothing additional to configure on most Configuration Manager site systems that run IIS. The exception is software updates, which require a manual step to enable CRL checking to verify the signatures on software update files.

CRL checking is enabled by default for client computers when they use HTTPS client connections. You cannot disable CRL checking for clients on Mac computers in Configuration Manager SP1 or later.

CRL checking is not supported for the following connections in Configuration Manager:

  • Server-to-server connections.

  • Mobile devices that are enrolled by Configuration Manager.

  • Mobile devices that are enrolled by Microsoft Intune.

Cryptographic controls for server communication

Configuration Manager uses the following cryptographic controls for server communication.

Server communication within a site

Each site system server uses a certificate to transfer data to other site systems in the same Configuration Manager site. Some site system roles also use certificates for authentication. For example, if you install the enrollment proxy point on one server and the enrollment point on another server, they can authenticate one another by using this identity certificate. When Configuration Manager uses a certificate for this communication, if there is a PKI certificate available that has server authentication capability, Configuration Manager automatically uses it; if not, Configuration Manager generates a self-signed certificate. This self-signed certificate has server authentication capability, uses SHA-256, and has a key length of 2048 bits. Configuration Manager copies the certificate to the Trusted People store on other site system servers that might need to trust the site system. Site systems can then trust one another by using these certificates and PeerTrust.

In addition to this certificate for each site system server, Configuration Manager generates a self-signed certificate for most site system roles. When there is more than one instance of the site system role in the same site, they share the same certificate. For example, you might have multiple management points or multiple enrollment points in the same site. This self-signed certificate also uses SHA-256 and has a key length of 2048 bits. It is also copied to the Trusted People store on site system servers that might need to trust it. The following site system roles generate this certificate:

  • Application Catalog web service point

  • Application Catalog website point

  • Asset Intelligence synchronization point

  • Certificate registration point

  • Endpoint Protection point

  • Enrollment point

  • Fallback status point

  • Management point

  • Multicast-enabled distribution point

  • Reporting services point

  • Software update point

  • State migration point

  • Microsoft Intune connector

These certificates are managed automatically by Configuration Manager, and where necessary, automatically generated.

Configuration Manager also uses a client authentication certificate to send status messages from the distribution point to the management point. When the management point is configured for HTTPS client connections only, you must use a PKI certificate. If the management point accepts HTTP connections, you can use a PKI certificate or select the option to use a self-signed certificate that has client authentication capability, uses SHA-256, and has a key length of 2048 bits.

Server communication between sites

Configuration Manager transfers data between sites by using database replication and file-based replication. For more information, see Communications between endpoints.

Configuration Manager automatically configures the database replication between sites and uses PKI certificates that have server authentication capability if these are available; if not, Configuration Manager creates self-signed certificates for server authentication. In both cases, authentication between sites is established by using certificates in the Trusted People store that uses PeerTrust. This certificate store is used to ensure that only the SQL Server computers that are used by the Configuration Manager hierarchy participate in site-to-site replication. Whereas primary sites and the central administration site can replicate configuration changes to all sites in the hierarchy, secondary sites can replicate configuration changes only to their parent site.

Site servers establish site-to-site communication by using a secure key exchange that happens automatically. The sending site server generates a hash and signs it with its private key. The receiving site server checks the signature by using the public key and compares the hash with a locally generated value. If they match, the receiving site accepts the replicated data. If the values do not match, Configuration Manager rejects the replication data.
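The signed-hash exchange described above, as an added Go example that is not Configuration Manager's own implementation: the sender hashes the payload with SHA-256 and signs the hash with its private key; the receiver verifies the signature with the sender's public key and then compares the carried hash with one it computes locally over the payload, accepting the data only when both checks pass. RSA PKCS#1 v1.5 signing, the ReplicationMessage type, the function names and the sample payload are assumptions chosen for the illustration; the page does not document the product's wire format or key type.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// ReplicationMessage is a constructed stand-in for one unit of replicated
// data: the payload, the SHA-256 hash the sender computed over it, and the
// sender's signature over that hash.
type ReplicationMessage struct {
	Payload   []byte
	Hash      []byte
	Signature []byte
}

// NewSiteKey generates the private key a site server signs with. In the
// product the key belongs to the site's certificate; here it is generated
// fresh for the demonstration.
func NewSiteKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SendReplication is the sending site server: hash the payload and sign
// the hash with the private key.
func SendReplication(priv *rsa.PrivateKey, payload []byte) (*ReplicationMessage, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &ReplicationMessage{Payload: payload, Hash: digest[:], Signature: sig}, nil
}

// ReceiveReplication is the receiving site server. It accepts the data only
// if (1) the signature over the carried hash verifies with the sender's
// public key and (2) the carried hash equals the hash it computes locally
// over the payload. Step 1 rejects a hash that was forged or signed by another
// key; step 2 rejects a payload altered after it was signed.
func ReceiveReplication(pub *rsa.PublicKey, msg *ReplicationMessage) bool {
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, msg.Hash, msg.Signature); err != nil {
		return false
	}
	local := sha256.Sum256(msg.Payload)
	return subtle.ConstantTimeCompare(local[:], msg.Hash) == 1
}

func main() {
	sender, err := NewSiteKey(2048)
	if err != nil {
		panic(err)
	}
	msg, err := SendReplication(sender, []byte("constructed replication payload"))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message accepted:", ReceiveReplication(&sender.PublicKey, msg))

	// Flip one byte of the payload in transit: the signature still matches the
	// carried hash, but the locally computed hash no longer does.
	msg.Payload[0] ^= 0x01
	fmt.Println("tampered payload accepted:", ReceiveReplication(&sender.PublicKey, msg))
}
```

The receiver must hold the sender's public key through a trusted path; on this page that path is the certificate in the Trusted People store, which is what makes the signature check meaningful rather than just a self-consistency test.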

Database replication in Configuration Manager uses the SQL Server Service Broker to transfer data between sites by using the following mechanisms:

  • SQL Server to SQL Server connection: This uses Windows credentials for server authentication and self-signed certificates with 1024 bits to sign and encrypt the data by using Advanced Encryption Standard (AES). If PKI certificates with server authentication capability are available, these will be used. The certificate must be located in the Personal store for the Computer certificate store.

  • SQL Service Broker: This uses self-signed certificates with 2048 bits for authentication and to sign and encrypt the data by using Advanced Encryption Standard (AES). The certificate must be located in the SQL Server master database.

File-based replication uses the Server Message Block (SMB) protocol, and uses SHA-256 to sign this data, which is not encrypted but does not contain any sensitive data. If you want to encrypt this data, you can use IPsec and must implement this independently from Configuration Manager.

使用站点系统 HTTPS 通信的客户端的加密控制Cryptographic controls for clients that use HTTPS communication to site systems

当站点系统角色接受客户端通信时,你可以将它们配置为接受 HTTPS 和 HTTP 连接,或仅接受 HTTPS 连接。When site system roles accept client connections, you can configure them to accept HTTPS and HTTP connections, or only HTTPS connections. 接受来自 Internet 的连接的站点系统角色仅接受通过 HTTPS 进行的客户端连接。Site system roles that accept connections from the Internet only accept client connections over HTTPS.

通过 HTTPS 进行的客户端连接通过与公钥基础结构 (PKI) 集成来帮助保护客户端到服务器通信,从而可提供较高级别的安全性。Client connections over HTTPS offer a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. 但是,如果在未透彻理解 PKI 规划、部署和操作的情况下配置 HTTPS 客户端连接,将仍可能会使你易于受到攻击。However, configuring HTTPS client connections without a thorough understanding of PKI planning, deployment, and operations could still leave you vulnerable. 例如,你不保护根 CA 的安全,攻击者可能会危害整个 PKI 基础结构的信任。For example, if you do not secure your root CA, attackers could compromise the trust of your entire PKI infrastructure. 如果未能使用受控和受保护的过程来部署和管理 PKI 证书,则可能会产生无法接收关键软件更新或包的不受管理的客户端。Failing to deploy and manage the PKI certificates by using controlled and secured processes might result in unmanaged clients that cannot receive critical software updates or packages.

Important

The PKI certificates that are used for client communication protect only the communication between the client and some site systems. They do not protect the communication channel between the site server and site systems, or between site servers.

Communication that is unencrypted when clients use HTTPS communication

When clients communicate with site systems by using HTTPS, communications are usually encrypted over SSL. However, in the following situations, clients communicate with site systems without using encryption:

  • The client fails to make an HTTPS connection on the intranet and falls back to using HTTP, when site systems allow this configuration

  • Communication to the following site system roles:

    • The client sends state messages to the fallback status point

    • The client sends PXE requests to a PXE-enabled distribution point

    • The client sends notification data to a management point

    Reporting services points are configured to use HTTP or HTTPS independently from the client communication mode.

Cryptographic controls for clients that use HTTP communication to site systems

When clients use HTTP communication to site system roles, they can use PKI certificates for client authentication, or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-signed certificates, they have a custom object identifier for signing and encryption, and these certificates are used to uniquely identify the client. For all supported operating systems except Windows Server 2003, these self-signed certificates use SHA-256 and have a key length of 2048 bits. For Windows Server 2003, SHA1 is used with a key length of 1024 bits.

Operating system deployment and self-signed certificates

When you use Configuration Manager to deploy operating systems with self-signed certificates, a client computer must also have a certificate to communicate with the management point, even while the computer is in a transitional phase such as booting from task sequence media or from a PXE-enabled distribution point. To support this scenario for HTTP client connections, Configuration Manager generates self-signed certificates that have a custom object identifier for signing and encryption, and these certificates are used to uniquely identify the client. For all supported operating systems except Windows Server 2003, these self-signed certificates use SHA-256 and have a key length of 2048 bits. For Windows Server 2003, SHA1 is used with a key length of 1024 bits. If these self-signed certificates are compromised, block them in the Certificates node under the Security node of the Administration workspace, so that attackers cannot use them to impersonate trusted clients.
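The two passages above (HTTP clients and operating system deployment) both describe self-signed client certificates that should be SHA-256 signed with 2048-bit keys. The following PowerShell script is an added audit example, not code from the Configuration Manager documentation or product: it enumerates a local machine certificate store and flags certificates that fall short of those properties. It assumes that Cert:\LocalMachine\SMS is the store the Configuration Manager client uses for its self-signed certificates; pass -StorePath to audit a different store.

```powershell
# Added example (not from the Configuration Manager documentation or product):
# audit the certificates in a local machine store and flag any that are not
# SHA-256 signed with a key of at least 2048 bits, the properties the text
# above gives for the self-signed client certificates.
# Assumption: Cert:\LocalMachine\SMS is the store the Configuration Manager
# client keeps its self-signed certificates in.

function Get-CertificateKeyLength {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Prefer the .NET 4.6+ RSA extension; fall back to the legacy PublicKey.Key object.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($rsa) { return $rsa.KeySize }
    } catch { }
    if ($Certificate.PublicKey.Key) { return $Certificate.PublicKey.Key.KeySize }
    return $null
}

function Test-ClientCertificateStrength {
    [CmdletBinding()]
    param(
        [string]   $StorePath = 'Cert:\LocalMachine\SMS',
        [int]      $MinimumKeyLength = 2048,
        # FriendlyName of the signature algorithm OID; sha1RSA would fail this check.
        [string[]] $AllowedSignatureAlgorithms = @('sha256RSA')
    )
    if (-not (Test-Path $StorePath)) {
        Write-Warning "Store $StorePath not found; is the Configuration Manager client installed?"
        return
    }
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert   = $_
        $bits   = Get-CertificateKeyLength -Certificate $cert
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName
        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            SelfSigned         = ($cert.Subject -eq $cert.Issuer)
            SignatureAlgorithm = $sigAlg
            KeyLengthBits      = $bits
            NotAfter           = $cert.NotAfter
            Compliant          = ($null -ne $bits) -and ($bits -ge $MinimumKeyLength) -and
                                 ($AllowedSignatureAlgorithms -contains $sigAlg)
        }
    }
}

# Usage: show every certificate, then only the ones that fall short.
Test-ClientCertificateStrength | Format-Table -AutoSize
Test-ClientCertificateStrength | Where-Object { -not $_.Compliant }
```

A SHA1/1024-bit result on a modern client is worth investigating, and the thumbprints reported here are what you would match against the Certificates node when deciding which certificate to block.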

Client and server authentication

When clients connect over HTTP, they authenticate the management points by using either Active Directory Domain Services or the Configuration Manager trusted root key. Clients do not authenticate other site system roles, such as state migration points or software update points.

When a management point first authenticates a client by using the self-signed client certificate, this mechanism provides minimal security, because any computer can generate a self-signed certificate. In this scenario, the client identity process must be augmented by approval. Only trusted computers should be approved, either automatically by Configuration Manager or manually by an administrative user. For more information, see the approval section in Communications between endpoints.

About SSL vulnerabilities

To improve the security of your Configuration Manager clients and servers, do the following:

For more information, see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll and Prioritizing Schannel Cipher Suites. These procedures do not affect Configuration Manager functionality.
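The two linked articles work through the Schannel registry settings. The following PowerShell script is an added example, not part of the Configuration Manager documentation: it reports the explicit protocol state for the client and server roles, lists the cipher suite order on systems that ship the TLS module, and includes a function that disables a protocol the way the Schannel article describes. It assumes the documented Schannel layout under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols with DWORD values Enabled and DisabledByDefault; which protocols and cipher suites to disable or reorder is the decision the linked articles guide, and SSL 3.0 is used here only as the illustrative target.

```powershell
# Added example (not from the Configuration Manager documentation): audit and
# optionally harden the Schannel protocol settings the linked articles cover.
# Registry layout assumed (the documented Schannel one):
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<name>\{Client,Server}
#   DWORD Enabled (0 = off) and DisabledByDefault (1 = off unless explicitly requested).
# A missing key or value means the operating-system default applies. Run elevated.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]] $Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $SchannelProtocols $p) $role
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                Enabled           = $enabled            # $null = OS default
                DisabledByDefault = $disabledByDefault  # $null = OS default
                ExplicitlyOff     = ($enabled -eq 0)
            }
        }
    }
}

function Disable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [ValidateSet('Client', 'Server')] [string[]] $Role = @('Client', 'Server')
    )
    foreach ($r in $Role) {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $r
        if ($PSCmdlet.ShouldProcess($key, "Disable $Protocol ($r)")) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Report the current protocol state, then the cipher suite order where the
# TLS module exists (Windows 10 / Windows Server 2016 and later).
Get-SchannelProtocolState | Format-Table -AutoSize
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Select-Object Name, Protocols, Cipher, Hash, Exchange | Format-Table -AutoSize
}

# Illustrative hardening step: preview disabling SSL 3.0 for both roles.
# Remove -WhatIf to apply; Schannel reads these keys at boot, so restart afterwards.
Disable-SchannelProtocol -Protocol 'SSL 3.0' -WhatIf
```

Run the audit on both site systems and clients, because the client role settings decide what a Configuration Manager client will negotiate when it connects to a management point, while the server role settings govern what IIS on the site system will accept.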