Plan for security in Configuration Manager

Applies to: Configuration Manager (current branch)

This article describes the concepts to consider when you plan for security in your Configuration Manager implementation. It includes the following sections:

Plan for certificates (self-signed and PKI)

Configuration Manager uses a combination of self-signed certificates and public key infrastructure (PKI) certificates.

Use PKI certificates whenever possible. For more information, see PKI certificate requirements. When Configuration Manager requests PKI certificates during enrollment for mobile devices, you must use Active Directory Domain Services and an enterprise certification authority. For all other PKI certificates, deploy and manage them independently from Configuration Manager.

PKI certificates are required when client computers connect to internet-based site systems. Some scenarios with the cloud management gateway and cloud distribution point also require PKI certificates. For more information, see Manage clients on the internet.

When you use a PKI, you can also use IPsec to help secure the server-to-server communication between site systems in a site, between sites, and for other data transfer between computers. Implementation of IPsec is independent from Configuration Manager.

When PKI certificates aren't available, Configuration Manager automatically generates self-signed certificates. Some certificates in Configuration Manager are always self-signed. In most cases, Configuration Manager automatically manages the self-signed certificates, and you don't have to take additional action. One example is the site server signing certificate. This certificate is always self-signed. It makes sure that the policies that clients download from the management point were sent from the site server and weren't tampered with.

Cryptography: Next Generation (CNG) v3 certificates

Configuration Manager supports Cryptography: Next Generation (CNG) v3 certificates. Configuration Manager clients can use a PKI client authentication certificate whose private key is held in a CNG Key Storage Provider (KSP). With KSP support, clients can use hardware-backed private keys, such as the TPM KSP, for PKI client authentication certificates. For more information, see CNG v3 certificates overview.
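The following PowerShell is an added example, not code from the Configuration Manager documentation or product. It lists the client authentication certificates in the local computer's Personal store and reports which key storage provider holds each private key, so you can confirm before a rollout that a certificate's key really is CNG (and, where intended, TPM-backed) rather than a legacy CSP key. It assumes Windows PowerShell 5.1 or later on a Windows client, run elevated so the private key handles can be opened; the provider name "Microsoft Platform Crypto Provider" is the Windows TPM KSP.

```powershell
# Added example (not from the Configuration Manager documentation): report the
# key storage provider behind each client-authentication certificate in
# Cert:\LocalMachine\My. KSP-held keys come back as RSACng/ECDsaCng and expose
# the CNG provider name; legacy CSP keys come back as RSACryptoServiceProvider.
# Assumes Windows PowerShell 5.1+ (.NET Framework 4.6+), run elevated.

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$tpmKsp        = 'Microsoft Platform Crypto Provider'

function Get-ClientAuthKeyProvider {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku)
    } | ForEach-Object {
        $cert = $_
        $provider = 'n/a'; $isCng = $false; $isTpm = $false
        try {
            # RSA first; fall back to ECDSA for EC certificates.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                $isCng = $true
                $provider = $key.Key.Provider.Provider      # CngKey -> CngProvider -> provider name
                $isTpm = ($provider -eq $tpmKsp)
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $key.CspKeyContainerInfo.ProviderName   # legacy CSP, not CNG
            }
        } catch {
            $provider = "unreadable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            IsCngKsp   = $isCng
            TpmBacked  = $isTpm
        }
    }
}

Get-ClientAuthKeyProvider | Format-Table -AutoSize
```

A certificate that shows a CSP provider name (for example "Microsoft Enhanced Cryptographic Provider v1.0") was not issued with a CNG template and will not benefit from KSP support; reissue it from a template that uses a KSP before relying on it for Configuration Manager client authentication.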

Enhanced HTTP

Using HTTPS communication is recommended for all Configuration Manager communication paths, but it's challenging for some customers because of the overhead of managing PKI certificates. The introduction of Azure Active Directory (Azure AD) integration reduces some, but not all, of the certificate requirements. Starting in version 1806, you can enable the site to use Enhanced HTTP. This configuration supports HTTPS on site systems by using a combination of self-signed certificates and Azure AD. It doesn't require PKI. For more information, see Enhanced HTTP.

Certificates for CMG and CDP

Managing clients on the internet through the cloud management gateway (CMG) and cloud distribution point (CDP) requires certificates. The number and type of certificates vary depending on your specific scenarios. For more information, see the following articles:

Plan for the site server signing certificate (self-signed)

Clients can securely get a copy of the site server signing certificate from Active Directory Domain Services and from client push installation. If clients can't get a copy of this certificate by one of these mechanisms, install it when you install the client. This process is especially important if the client's first communication with the site is with an internet-based management point. Because this server is connected to an untrusted network, it's more vulnerable to attack. If you don't take this additional step, clients automatically download a copy of the site server signing certificate from the management point.

Clients can't securely get a copy of the site server signing certificate in the following scenarios:

  • You don't install the client by using client push, and:

    • You haven't extended the Active Directory schema for Configuration Manager.

    • You haven't published the client's site to Active Directory Domain Services.

    • The client is from an untrusted forest or a workgroup.

  • You're using internet-based client management and you install the client when it's on the internet.

To install clients with a copy of the site server signing certificate

  1. Locate the site server signing certificate on the primary site server. The certificate is stored in the SMS certificate store of Windows. It has the Subject name Site Server and the friendly name Site Server Signing Certificate.

  2. Export the certificate without the private key, store the file securely, and access it only over a secured channel.

  3. Install the client by using the following client.msi property: SMSSIGNCERT=<full path and file name>
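The procedure above, carried out in PowerShell as an added example (not code from the Configuration Manager documentation or product). Run on the primary site server, it finds the certificate in the SMS store by friendly name and subject, exports only the public certificate, re-reads the file to confirm it matches and carries no private key, and prints the matching ccmsetup command line. The share \\fileserver\ClientInstall$ and the site code P01 are placeholders; the share must be readable by the installing computer accounts and protected from tampering.

```powershell
# Added example (not from the Configuration Manager documentation): export the
# site server signing certificate (public part only) for use with SMSSIGNCERT.
# Assumes an elevated Windows PowerShell session on the primary site server.
# Placeholders: the destination share and the site code.

$exportPath = '\\fileserver\ClientInstall$\SiteServerSigning.cer'
$siteCode   = 'P01'

function Export-SiteServerSigningCert {
    param([Parameter(Mandatory)][string]$Path)

    # The SMS store is a LocalMachine physical store; the Cert: provider exposes it as LocalMachine\SMS.
    $candidates = @(Get-ChildItem -Path 'Cert:\LocalMachine\SMS' | Where-Object {
        $_.FriendlyName -eq 'Site Server Signing Certificate' -and $_.Subject -like '*Site Server*'
    })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one site server signing certificate, found $($candidates.Count)."
    }
    $cert = $candidates[0]

    # -Type CERT writes the DER-encoded certificate only; the private key stays on the site server.
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT -Force | Out-Null

    # Verify the file: same thumbprint as the source, and no private key travelled with it.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the source certificate.' }
    if ($check.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key.' }

    return $cert.Thumbprint
}

$thumbprint = Export-SiteServerSigningCert -Path $exportPath
Write-Host "Exported site server signing certificate $thumbprint to $exportPath"

# ccmsetup runs as LOCAL SYSTEM on the target, so the computer account needs read access to the share.
Write-Host "Client install: ccmsetup.exe SMSSITECODE=$siteCode SMSSIGNCERT=`"$exportPath`""
```

Keep the exported .cer under the same change control as your client install media: a client that is handed a substituted signing certificate will accept policy signed by whoever holds the matching private key.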

Plan for PKI certificate revocation

When you use PKI certificates with Configuration Manager, plan for the use of a certificate revocation list (CRL). Devices use the CRL to verify the certificate on the connecting computer. The CRL is a file that a certification authority (CA) creates and signs. It lists certificates that the CA has issued but revoked. When a certificate administrator revokes a certificate, for example because it's known or suspected to be compromised, the certificate's serial number is added to the CRL.

Important

Because the location of the CRL is added to a certificate when a CA issues it, ensure that you plan for the CRL before you deploy any PKI certificates that Configuration Manager uses.

IIS always checks the CRL for client certificates, and you can't change this configuration in Configuration Manager. By default, Configuration Manager clients always check the CRL for site systems. You can disable this setting by specifying a site property and by specifying a CCMSetup property.

Computers that use certificate revocation checking but can't locate the CRL behave as if all certificates in the certification chain are revoked, because they can't verify whether the certificates are in the CRL. In this scenario, all connections fail that require certificates and include CRL checking. When you validate that your CRL is accessible by browsing to its HTTP location, note that the Configuration Manager client runs as LOCAL SYSTEM. Testing CRL accessibility with a web browser running under a user context may therefore succeed, while the computer account may be blocked by an internal web filtering solution when it attempts an HTTP connection to the same CRL URL. Adding the CRL URL to the allow list of any web filtering solution may be necessary in this situation.
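The check described in the last paragraph, as an added PowerShell example (not code from the Configuration Manager documentation or product): it reads the CRL distribution point URLs out of the client's PKI certificate, then fetches each HTTP URL from a one-shot scheduled task running as SYSTEM, so the result reflects the computer account's path through any proxy or web filter rather than the logged-on user's. The thumbprint is a placeholder for the client's own PKI certificate; run elevated on the client being tested.

```powershell
# Added example (not from the Configuration Manager documentation): test CRL
# reachability as LOCAL SYSTEM, which is the context the Configuration Manager
# client uses. Placeholder: the certificate thumbprint. Requires the ScheduledTasks
# module (Windows 8 / Server 2012 or later) and an elevated session.

$thumbprint = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'   # placeholder: client PKI certificate
$resultFile = "$env:ProgramData\CrlCheck-System.txt"

function Get-CrlDistributionUrls {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.31 = CRL Distribution Points; Format() renders each entry with "URL=<uri>".
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $_ -like 'http*' }      # LDAP CDPs are not what a web filter would block
}

function Test-CrlAsLocalSystem {
    param([Parameter(Mandatory)][string[]]$Urls, [Parameter(Mandatory)][string]$OutFile)

    Remove-Item -Path $OutFile -ErrorAction SilentlyContinue
    # Inner script, executed as SYSTEM: fetch every URL and record status or the error text.
    $inner = @"
`$r = foreach (`$u in '$($Urls -join "','")') {
  try { `$w = Invoke-WebRequest -Uri `$u -UseBasicParsing -TimeoutSec 30; "`$u|OK|`$(`$w.RawContentLength) bytes" }
  catch { "`$u|FAIL|`$(`$_.Exception.Message)" }
}
`$r | Set-Content -Path '$OutFile'
"@
    $encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -EncodedCommand $encoded"
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $taskName  = 'CrlCheckAsSystem'

    Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
    try {
        Start-ScheduledTask -TaskName $taskName
        $deadline = (Get-Date).AddSeconds(90)
        while (-not (Test-Path $OutFile) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 2 }
    } finally {
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false   # leave nothing behind
    }
    if (-not (Test-Path $OutFile)) { throw 'SYSTEM task did not produce a result within 90 seconds.' }

    Get-Content $OutFile | ForEach-Object {
        $p = $_ -split '\|', 3
        [pscustomobject]@{ Url = $p[0]; Status = $p[1]; Detail = $p[2] }
    }
}

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$urls = Get-CrlDistributionUrls -Certificate $cert
if (-not $urls) { throw 'Certificate has no HTTP CRL distribution point.' }
Test-CrlAsLocalSystem -Urls $urls -OutFile $resultFile | Format-Table -AutoSize
```

A FAIL row here while a browser test succeeds is exactly the symptom the paragraph describes: the computer account is being filtered. Note that SYSTEM does not use the logged-on user's proxy settings; if your CRL sits behind a proxy, the WinHTTP proxy (netsh winhttp) is what applies to this context.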

Checking the CRL every time a certificate is used offers more security against using a certificate that's revoked, although it introduces a connection delay and additional processing on the client. Your organization may require this additional security check for clients on the internet or an untrusted network.

Consult your PKI administrators before you decide whether Configuration Manager clients must check the CRL. Then consider keeping this option enabled in Configuration Manager when both of the following conditions are true:

  • Your PKI infrastructure supports a CRL, and it's published where all Configuration Manager clients can locate it. These clients might include devices on the internet, and ones in untrusted forests.

  • The requirement to check the CRL for each connection to a site system that's configured to use a PKI certificate outweighs the following requirements:

    • Faster connections
    • Efficient processing on the client
    • The risk of clients failing to connect to servers if the CRL can't be located

Plan for the PKI trusted root certificates and the certificate issuers list

If your IIS site systems use PKI client certificates for client authentication over HTTP, or for client authentication and encryption over HTTPS, you might have to import root CA certificates as a site property. Here are the two scenarios:

  • You deploy operating systems by using Configuration Manager, and the management points only accept HTTPS client connections.

  • You use PKI client certificates that don't chain to a root certificate that the management points trust.

    Note

    When you issue client PKI certificates from the same CA hierarchy that issues the server certificates that you use for management points, you don't have to specify this root CA certificate. However, if you use multiple CA hierarchies and you aren't sure whether they trust each other, import the root CA for the clients' CA hierarchy.

If you must import root CA certificates for Configuration Manager, export them from the issuing CA or from the client computer. If you export the certificate from the issuing CA that's also the root CA, make sure you don't export the private key. Store the exported certificate file in a secure location to prevent tampering. You need access to the file when you set up the site. If you access the file over the network, make sure the communication is protected from tampering by using IPsec.

If any root CA certificate that you import is renewed, you must import the renewed certificate.

These imported root CA certificates and the root CA certificate of each management point create the certificate issuers list that Configuration Manager computers use in the following ways:

  • When clients connect to management points, the management point verifies that the client certificate chains to a trusted root certificate in the site's certificate issuers list. If it doesn't, the certificate is rejected, and the PKI connection fails.

  • When clients select a PKI certificate and have a certificate issuers list, they select a certificate that chains to a trusted root certificate in the certificate issuers list. If there's no match, the client doesn't select a PKI certificate. For more information, see Plan for PKI client certificate selection.

Plan for PKI client certificate selection

If your IIS site systems use PKI client certificates for client authentication over HTTP, or for client authentication and encryption over HTTPS, plan for how Windows clients select the certificate to use for Configuration Manager.

Note

Some devices don't support a certificate selection method. Instead, they automatically select the first certificate that fulfills the certificate requirements. For example, clients on Mac computers and mobile devices don't support a certificate selection method.

In many cases, the default configuration and behavior is sufficient. The Configuration Manager client on Windows computers filters multiple certificates by using these criteria in this order:

  1. The certificate issuers list: The certificate chains to a root CA that's trusted by the management point.

  2. The certificate is in the default certificate store of Personal.

  3. The certificate is valid, not revoked, and not expired. The validity check also verifies that the private key is accessible.

  4. The certificate has client authentication capability.

  5. The certificate Subject Name contains the local computer name as a substring.

  6. The certificate has the longest validity period.

Configure clients to use the certificate issuers list by using the following mechanisms:

  • Publish it with Configuration Manager site information to Active Directory Domain Services.

  • Install clients by using client push.

  • Clients download it from the management point after they're successfully assigned to their site.

  • Specify it during client installation as the CCMSetup client.msi property CCMCERTISSUERS.

Clients that don't have the certificate issuers list when they're first installed and aren't yet assigned to the site skip this check. When clients do have the certificate issuers list and don't have a PKI certificate that chains to a trusted root certificate in the certificate issuers list, certificate selection fails. Clients don't continue with the other certificate selection criteria.
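To make the six-step ordering and the issuers-list behaviour concrete, here is an added PowerShell model of the default selection logic (it is an approximation written for this page, not the Configuration Manager client's own code). Run against the local computer's Personal store, it reports which certificate would be chosen and why each of the others is dropped, including the case where the client holds an issuers list but nothing chains to it. The issuer thumbprint is a placeholder for an entry in the site's certificate issuers list; the chain build uses the machine's own trust store and online revocation checking.

```powershell
# Added example (not from the Configuration Manager documentation): emulate the
# client's default PKI certificate selection order against Cert:\LocalMachine\My.
# An empty -IssuersList models a client that is not yet assigned (step 1 skipped).
# Placeholder: the root CA thumbprint. Assumes Windows PowerShell 5.1+, elevated.

$issuersList   = @('0123456789ABCDEF0123456789ABCDEF01234567')   # placeholder: site's certificate issuers list
$clientAuthEku = '1.3.6.1.5.5.7.3.2'

function Test-PrivateKeyAccessible {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $k = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $k) { $k = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert) }
        return [bool]$k
    } catch { return $false }
}

function Select-ConfigMgrClientCertificate {
    param(
        [string[]]$IssuersList = @(),
        [string]$StorePath = 'Cert:\LocalMachine\My'   # step 2: only the Personal store is searched
    )
    $rejected = @()
    $now = Get-Date

    $candidates = foreach ($cert in Get-ChildItem -Path $StorePath) {
        $reason = $null

        # Build the chain once; it serves both the issuers check and the revocation check.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $built = $chain.Build($cert)
        $root  = if ($chain.ChainElements.Count -gt 0) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate } else { $null }

        # 1. Issuers list: applied only when the client has one; failure here ends selection for this cert.
        if ($IssuersList.Count -gt 0 -and (-not $root -or $IssuersList -notcontains $root.Thumbprint)) {
            $reason = 'root CA not in certificate issuers list'
        }
        # 3. Valid, not revoked, not expired, private key accessible.
        if (-not $reason) {
            if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $reason = 'outside validity period' }
            elseif (-not $built) { $reason = 'chain/revocation check failed: ' + (($chain.ChainStatus | ForEach-Object Status) -join ',') }
            elseif (-not (Test-PrivateKeyAccessible $cert)) { $reason = 'private key not accessible' }
        }
        # 4. Client Authentication EKU.
        if (-not $reason -and ($cert.EnhancedKeyUsageList.ObjectId -notcontains $clientAuthEku)) {
            $reason = 'no Client Authentication EKU'
        }
        # 5. Subject contains the computer name (case-insensitive substring).
        if (-not $reason -and $cert.Subject -notmatch [regex]::Escape($env:COMPUTERNAME)) {
            $reason = 'subject does not contain computer name'
        }

        if ($reason) { $rejected += [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Reason = $reason } }
        else         { $cert }
    }

    # 6. Longest validity period wins among the survivors.
    $selected = @($candidates) | Sort-Object { $_.NotAfter - $_.NotBefore } -Descending | Select-Object -First 1
    [pscustomobject]@{ Selected = $selected; Survivors = @($candidates).Count; Rejected = $rejected }
}

$result = Select-ConfigMgrClientCertificate -IssuersList $issuersList
$result.Rejected | Format-Table -AutoSize
if ($result.Selected) { "Selected: $($result.Selected.Thumbprint)  $($result.Selected.Subject)" } else { 'No certificate selected' }
```

If every certificate is rejected with "root CA not in certificate issuers list" while a browser or certutil shows the chain as trusted, the gap is in the site's issuers list rather than in the client's trust store; that is the case the previous section tells you to fix by importing the clients' root CA as a site property.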

In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI certificate. However, when this isn't the case, instead of selecting the certificate based on the client authentication capability, you can set up two alternative selection methods:

  • A partial string match on the client certificate subject name. This method is a case-insensitive match. It's appropriate if you're using the fully qualified domain name (FQDN) of a computer in the subject field and want the certificate selection to be based on the domain suffix, for example contoso.com. However, you can use this selection method to identify any string of sequential characters in the certificate subject name that differentiates the certificate from others in the client certificate store.

    Note

    You can't use the partial string match with the subject alternative name (SAN) as a site setting. Although you can specify a partial string match for the SAN by using CCMSetup, it'll be overwritten by the site properties in the following scenarios:

    • Clients retrieve site information that's published to Active Directory Domain Services.

    • Clients are installed by using client push installation.

    Use a partial string match in the SAN only when you install clients manually and when they don't retrieve site information from Active Directory Domain Services. For example, these conditions apply to internet-only clients.

  • A match on the client certificate subject name attribute values or the subject alternative name (SAN) attribute values. This method is a case-sensitive match. It's appropriate if you're using an X.500 distinguished name or equivalent object identifiers (OIDs) in compliance with RFC 3280, and you want the certificate selection to be based on the attribute values. You can specify only the attributes and their values that you require to uniquely identify or validate the certificate and differentiate the certificate from others in the certificate store.

The following table shows the attribute values that Configuration Manager supports for the client certificate selection criteria.

  OID attribute                 Distinguished name attribute   Attribute definition
  0.9.2342.19200300.100.1.25    DC                             Domain component
  1.2.840.113549.1.9.1          E or E-mail                    Email address
  2.5.4.3                       CN                             Common name
  2.5.4.4                       SN                             Surname
  2.5.4.5                       SERIALNUMBER                   Serial number
  2.5.4.6                       C                              Country code
  2.5.4.7                       L                              Locality
  2.5.4.8                       S or ST                        State or province name
  2.5.4.9                       STREET                         Street address
  2.5.4.10                      O                              Organization name
  2.5.4.11                      OU                             Organizational unit
  2.5.4.12                      T or Title                     Title
  2.5.4.42                      G or GN or GivenName           Given name
  2.5.4.43                      I or Initials                  Initials
  2.5.29.17                     (no value)                     Subject Alternative Name

Note

If you configure either of the above alternate certificate selection methods, the certificate Subject Name doesn't need to contain the local computer name.

If more than one appropriate certificate is located after the selection criteria are applied, you can override the default behavior of selecting the certificate that has the longest validity period and instead specify that no certificate is selected. In this scenario, the client won't be able to communicate with IIS site systems by using a PKI certificate. The client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can change or refine your certificate selection criteria. The client behavior then depends on whether the failed connection was over HTTPS or HTTP:

  • If the failed connection was over HTTPS: The client tries to connect over HTTP and uses the client self-signed certificate.

  • If the failed connection was over HTTP: The client tries to connect again over HTTP by using the self-signed client certificate.

To help identify a unique PKI client certificate, you can also specify a custom store other than the default of Personal in the Computer store. However, you must create this store independently from Configuration Manager. You must be able to deploy certificates to this custom store and renew them before the validity period expires.

For more information, see Configure settings for client PKI certificates.

Plan a transition strategy for PKI certificates and internet-based client management

The flexible configuration options in Configuration Manager let you gradually transition clients and the site to use PKI certificates to help secure client endpoints. PKI certificates provide better security and enable you to manage internet clients.

Because of the number of configuration options and choices in Configuration Manager, there's no single way to transition a site so that all clients use HTTPS connections. However, you can follow these steps as guidance:

  1. Install the Configuration Manager site and configure it so that site systems accept client connections over HTTPS and HTTP.

  2. Configure the Client Computer Communication tab in the site properties so that Site System Settings is HTTP or HTTPS, and select Use PKI client certificate (client authentication capability) when available. For more information, see Configure settings for client PKI certificates.

    Note

    Starting in version 1906, this tab is called Communication Security.

  3. Pilot a PKI rollout for client certificates. For an example deployment, see Deploy the client certificate for Windows computers.

  4. Install clients by using the client push installation method. For more information, see How to install Configuration Manager clients by using client push.

  5. Monitor client deployment and status by using the reports and information in the Configuration Manager console.

  6. Track how many clients are using a client PKI certificate by viewing the Client Certificate column in the Assets and Compliance workspace, Devices node.

    You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool (cmHttpsReadiness.exe) to computers. Then use the reports to view how many computers can use a client PKI certificate with Configuration Manager.

    Note

    When you install the Configuration Manager client, it installs the CMHttpsReadiness.exe tool in the %windir%\CCM folder. The following command-line options are available when you run this tool:

    • /Store:<name>: This option is the same as the CCMCERTSTORE client.msi property.

    • /Issuers:<list>: This option is the same as the CCMCERTISSUERS client.msi property.

    • /Criteria:<criteria>: This option is the same as the CCMCERTSEL client.msi property.

    • /SelectFirstCert: This option is the same as the CCMFIRSTCERT client.msi property.

    For more information, see About client installation properties.

  7. When you're confident that enough clients are successfully using their client PKI certificate for authentication over HTTP, follow these steps:

    1. Deploy a PKI web server certificate to a member server that will run an additional management point for the site, and configure that certificate in IIS. For more information, see Deploy the web server certificate for site systems that run IIS.

    2. Install the management point role on this server and configure the Client connections option in the management point properties for HTTPS.

  8. Monitor and verify that clients that have a PKI certificate use the new management point over HTTPS. You can use IIS logging or performance counters to verify.

  9. Reconfigure other site system roles to use HTTPS client connections. If you want to manage clients on the internet, make sure that site systems have an internet FQDN. Configure individual management points and distribution points to accept client connections from the internet.

    Important

    Before you set up site system roles to accept connections from the internet, review the planning information and prerequisites for internet-based client management. For more information, see Communications between endpoints.

  10. Extend the PKI certificate rollout for clients and for site systems that run IIS. Set up the site system roles for HTTPS client connections and internet connections, as required.

  11. For the highest security: When you're confident that all clients are using a client PKI certificate for authentication and encryption, change the site properties to use HTTPS only.

This plan first introduces PKI certificates for authentication only over HTTP, and then for authentication and encryption over HTTPS. When you follow this plan to gradually introduce these certificates, you reduce the risk that clients become unmanaged. You'll also benefit from the highest security that Configuration Manager supports.

规划受信任的根密钥Plan for the trusted root key

Configuration Manager 受信任的根密钥提供了一种机制供 Configuration Manager 客户端验证站点系统是否属于其层次结构。The Configuration Manager trusted root key provides a mechanism for Configuration Manager clients to verify site systems belong to their hierarchy. 每个站点服务器都会生成站点交换密钥以与其他站点通信。Every site server generates a site exchange key to communicate with other sites. 层次结构内顶层站点中的站点交换密钥称为受信任的根密钥。The site exchange key from the top-level site in the hierarchy is called the trusted root key.

Configuration Manager 中受信任的根密钥的功能类似于公钥基础结构中的根证书。The function of the trusted root key in Configuration Manager resembles a root certificate in a public key infrastructure. 由受信任的根密钥的私钥签名的任何内容,均将沿层次结构向下受到进一步信任。Anything signed by the private key of the trusted root key is trusted further down the hierarchy. 客户端将受信任的根密钥的副本存储在 root\ccm\locationservices WMI 命名空间中 。Clients store a copy of the site's trusted root key in the root\ccm\locationservices WMI namespace.

例如,站点向管理点颁发证书,该证书使用受信任根密钥的私钥进行签名。For example, the site issues a certificate to the management point, which it signs with the private key of the trusted root key. 该站点与客户端共享其受信任的根密钥的公钥。The site shares with clients the public key of its trusted root key. 然后,客户可区分其层次结构中的管理点和不在其层次结构中的管理点。Then clients can differentiate between management points that are in their hierarchy and management points that aren't in their hierarchy.

客户端使用两种机制自动检索受信任的根密钥的公共副本:Clients automatically retrieve the public copy of the trusted root key by using two mechanisms:

  • 为 Configuration Manager 扩展 Active Directory 架构,并将站点发布到 Active Directory 域服务。You extend the Active Directory schema for Configuration Manager, and publish the site to Active Directory Domain Services. 然后,客户端从全局目录服务器检索此站点信息。Then clients retrieve this site information from a global catalog server. 有关详细信息,请参阅为站点发布准备 Active DirectoryFor more information, see Prepare Active Directory for site publishing.

  • 使用客户端请求安装方法安装客户端时。When you install clients using the client push installation method. 有关详细信息,请参阅客户端请求安装For more information, see Client push installation.

如果客户端无法使用其中一种机制检索受信任的根密钥,则它们信任与其通信的第一个管理点提供的受信任的根密钥。If clients can't retrieve the trusted root key by using one of these mechanisms, they trust the trusted root key that's provided by the first management point that they communicate with. 在此情况下,客户端可能会被错误地定向到攻击者的管理点,在那里,它将接收恶意管理点提供的策略。In this scenario, a client might be misdirected to an attacker's management point where it would receive policy from the rogue management point. 此操作可能需由经验丰富的攻击者执行。This action requires a sophisticated attacker. 此攻击仅限于客户端从有效管理点检索受信任根密钥之前的短时间内发生。This attack is limited to the short time before the client retrieves the trusted root key from a valid management point. 为了降低攻击者将客户端错误定向到恶意管理点的风险,可为客户端预配置受信任的根密钥。To reduce this risk of an attacker misdirecting clients to a rogue management point, pre-provision the clients with the trusted root key.

使用以下过程预先设置并验证 Configuration Manager 客户端的受信任的根密钥:Use the following procedures to pre-provision and verify the trusted root key for a Configuration Manager client:

使用受信任的根密钥和文件来预配置客户端Pre-provision a client with the trusted root key by using a file

  1. On the site server, open the following file in a text editor: <Configuration Manager install directory>\bin\mobileclient.tcf

  2. Locate the entry SMSPublicRootKey=. Copy the key from that line, and close the file without making any changes.

  3. Create a new text file, and paste the key information that you copied from the mobileclient.tcf file.

  4. Save the file in a location where all computers can access it, but where the file is safe from tampering.

  5. Install the client by using any installation method that accepts client.msi properties. Specify the following property: SMSROOTKEYPATH=<full path and file name>

    Important

    When you specify the trusted root key during client installation, also specify the site code. Use the following client.msi property: SMSSITECODE=<site code>
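The file-based procedure above, scripted end to end as an added example (this is not code from the Configuration Manager documentation or product). It runs on the site server, reads SMSPublicRootKey from mobileclient.tcf without modifying the file, writes the key to a share, locks the file down so clients can read it but not change it, and prints the matching ccmsetup.exe command line. The install directory, the share path, the site code and the ACL group names are assumptions for your environment; ccmsetup.exe is used here because it accepts client.msi properties such as SMSROOTKEYPATH and SMSSITECODE.

```powershell
# Added example, not from the Configuration Manager documentation.
# Runs on the site server. Install directory, key file path, site code and group names are assumptions.
param(
    # Assumed site server install directory; adjust to your environment.
    [string]$InstallDir = 'C:\Program Files\Microsoft Configuration Manager',
    # Assumed destination: a share that all clients can read but only administrators can write (placeholder).
    [string]$KeyFile    = '\\fileserver\ccmrootkey$\rootkey.txt',
    # Placeholder site code.
    [string]$SiteCode   = 'PS1'
)

function Get-SmsPublicRootKey {
    <# Returns the SMSPublicRootKey value from mobileclient.tcf. The file is only read, never written. #>
    param([Parameter(Mandatory)][string]$TcfPath)
    $line = Get-Content -LiteralPath $TcfPath |
        Where-Object { $_ -match '^\s*SMSPublicRootKey=' } |
        Select-Object -First 1
    if (-not $line) { throw "SMSPublicRootKey entry not found in $TcfPath" }
    $key = ($line -replace '^\s*SMSPublicRootKey=', '').Trim()
    if (-not $key) { throw "SMSPublicRootKey entry in $TcfPath is empty" }
    return $key
}

# Steps 1-2: locate and copy the key.
$tcfPath = Join-Path -Path $InstallDir -ChildPath 'bin\mobileclient.tcf'
$rootKey = Get-SmsPublicRootKey -TcfPath $tcfPath

# Steps 3-4: write only the key string to the file (the same content you would paste by hand).
[System.IO.File]::WriteAllText($KeyFile, $rootKey, [System.Text.Encoding]::ASCII)

# "Safe from tampering": remove inherited ACEs, then grant read-only access to domain computers
# and full control to administrators. Assumption: these group names resolve in your domain.
& icacls.exe $KeyFile /inheritance:r /grant 'Domain Computers:(R)' /grant 'Administrators:(F)' | Out-Null

# Step 5: the Important note applies, so SMSSITECODE is always passed together with SMSROOTKEYPATH.
$installCommand = "ccmsetup.exe SMSROOTKEYPATH=`"$KeyFile`" SMSSITECODE=$SiteCode"
Write-Output "Key written to $KeyFile ($($rootKey.Length) characters)."
Write-Output "Install clients with: $installCommand"
```

Run it once per site from an elevated console on the site server; the printed ccmsetup.exe line can then be used in your existing client deployment method. Because the key file is read by every client at install time, the write ACL on it deserves the same scrutiny as the management point itself.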

Pre-provision a client with the trusted root key without using a file

  1. On the site server, open the following file in a text editor: <Configuration Manager install directory>\bin\mobileclient.tcf

  2. Locate the entry SMSPublicRootKey=. Copy the key from that line, and close the file without making any changes.

  3. Install the client by using any installation method that accepts client.msi properties. Specify the following client.msi property: SMSPublicRootKey=<key>, where <key> is the string that you copied from mobileclient.tcf.

    Important

    When you specify the trusted root key during client installation, also specify the site code. Use the following client.msi property: SMSSITECODE=<site code>

Verify the trusted root key on a client

  1. Open a Windows PowerShell console as an administrator.

  2. Run the following command:

    (Get-WmiObject -Namespace root\ccm\locationservices -Class TrustedRootKey).TrustedRootKey

The returned string is the trusted root key. Verify that it matches the SMSPublicRootKey value in the mobileclient.tcf file on the site server.
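The verification step above, as an added example that compares the client's key with a reference value instead of leaving the comparison to the eye (this is not code from the Configuration Manager documentation or product). It queries the same root\ccm\locationservices TrustedRootKey class the documentation reads with Get-WmiObject, using Get-CimInstance so it also works in PowerShell 7. The reference is either the SMSPublicRootKey string copied from mobileclient.tcf or the path of the key file used with SMSROOTKEYPATH; the parameter name and exit codes are this example's own choices.

```powershell
# Added example, not from the Configuration Manager documentation. Run on the client as administrator.
param(
    # Either the SMSPublicRootKey string copied from mobileclient.tcf, or the path of the
    # key file that was passed as SMSROOTKEYPATH during installation.
    [Parameter(Mandatory)][string]$Reference
)

function Get-ClientTrustedRootKey {
    <# Same class the docs query with Get-WmiObject; Get-CimInstance also works in PowerShell 7. #>
    $obj = Get-CimInstance -Namespace 'root\ccm\locationservices' -ClassName 'TrustedRootKey' -ErrorAction Stop
    return ([string]$obj.TrustedRootKey).Trim()
}

function Resolve-ReferenceKey {
    param([Parameter(Mandatory)][string]$Value)
    # If the reference is a readable file, take its contents; otherwise treat the value as the key itself.
    if (Test-Path -LiteralPath $Value -PathType Leaf) {
        $Value = Get-Content -LiteralPath $Value -Raw
    }
    # Tolerate a pasted "SMSPublicRootKey=..." line as well as the bare key.
    $key = ([string]$Value -replace '^\s*SMSPublicRootKey=', '').Trim()
    if (-not $key) { throw 'Reference key is empty.' }
    return $key
}

function Test-TrustedRootKey {
    param([Parameter(Mandatory)][string]$Expected, [Parameter(Mandatory)][string]$Actual)
    # The key is a hex string, so compare case-insensitively to tolerate copy/paste differences.
    return [string]::Equals($Expected, $Actual, [System.StringComparison]::OrdinalIgnoreCase)
}

$expected = Resolve-ReferenceKey -Value $Reference
try {
    $actual = Get-ClientTrustedRootKey
} catch {
    Write-Output "Could not read TrustedRootKey from WMI: $($_.Exception.Message)"
    exit 2   # client not installed, or the namespace is not populated yet
}

if (-not $actual) {
    Write-Output 'Client has no trusted root key yet (not pre-provisioned and no management point contacted).'
    exit 3
}

if (Test-TrustedRootKey -Expected $expected -Actual $actual) {
    Write-Output 'OK: client trusted root key matches the reference SMSPublicRootKey.'
    exit 0
} else {
    # A mismatch means the client trusts a key other than your site's; reinstall it with the correct key.
    Write-Output 'MISMATCH: client trusted root key differs from the reference key.'
    Write-Output "  client  : $actual"
    Write-Output "  expected: $expected"
    exit 1
}
```

The non-zero exit codes make the script usable from a remediation or compliance job rather than only interactively; a mismatch is the condition the Remove or replace section below addresses.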

Remove or replace the trusted root key

Remove the trusted root key from a client by using the client.msi property RESETKEYINFORMATION=TRUE.

To replace the trusted root key, reinstall the client together with the new trusted root key. For example, use client push, or specify the client.msi property SMSPublicRootKey.

For more information on these installation properties, see About client installation parameters and properties.

Plan for signing and encryption

When you use PKI certificates for all client communications, you don't have to plan for signing and encryption to help secure client data communication. If you set up any site systems that run IIS to allow HTTP client connections, decide how to help secure the client communication for the site.

To help protect the data that clients send to management points, you can require clients to sign the data. You can also require the SHA-256 algorithm for signing. This configuration is more secure, but don't require SHA-256 unless all clients support it. Many operating systems natively support this algorithm, but older operating systems might require an update or hotfix.

While signing helps protect the data from tampering, encryption helps protect the data from information disclosure. You can enable 3DES encryption for the inventory data and state messages that clients send to management points in the site. You don't have to install any updates on clients to support this option. Clients and management points require additional CPU usage for encryption and decryption.

For more information about how to configure the settings for signing and encryption, see Configure signing and encryption.

Plan for role-based administration

For more information, see Fundamentals of role-based administration.

Plan for Azure Active Directory

Configuration Manager integrates with Azure Active Directory (Azure AD) to enable the site and clients to use modern authentication. Onboarding your site with Azure AD supports the following Configuration Manager scenarios:

Client

Server

For more information on connecting your site to Azure AD, see Configure Azure services.

For more information about Azure AD, see Azure Active Directory documentation.

Plan for SMS Provider authentication

Starting in version 1810, you can specify the minimum authentication level for administrators to access Configuration Manager sites. This feature requires administrators to sign in to Windows with the required level. It applies to all components that access the SMS Provider, for example the Configuration Manager console, SDK methods, and Windows PowerShell cmdlets.

This configuration is a hierarchy-wide setting. Before you change this setting, make sure that all Configuration Manager administrators can sign in to Windows with the required authentication level.

The following levels are available:

  • Windows authentication: Require authentication with Active Directory domain credentials.

  • Certificate authentication: Require authentication with a valid certificate that's issued by a trusted PKI certificate authority.

  • Windows Hello for Business authentication: Require authentication with strong two-factor authentication that's tied to a device and uses biometrics or a PIN.

For more information, see Plan for the SMS Provider.

See also