Fundamentals of security for Configuration Manager

Applies to: Configuration Manager (current branch)

This article summarizes the fundamental security components of any Configuration Manager environment.

Security layers

Security for Configuration Manager consists of the following layers:

Windows OS and network security

The first layer is provided by Windows security features for both the OS and the network. This layer includes the following components:

  • File sharing to transfer files between Configuration Manager components

  • Access Control Lists (ACLs) to help secure files and registry keys

  • Internet Protocol Security (IPsec) to help secure communications

  • Group Policy to set security policy

  • Distributed Component Object Model (DCOM) permissions for distributed applications, like the Configuration Manager console

  • Active Directory Domain Services to store security principals

  • Windows account security, including some groups that Configuration Manager creates during setup

Network infrastructure

Additional security components, like firewalls and intrusion detection, help provide defense for the whole environment. Certificates issued by industry-standard public key infrastructure (PKI) implementations help provide authentication, signing, and encryption.

Configuration Manager security controls

In addition to the security provided by the Windows server and network infrastructure, Configuration Manager controls access to its console and resources in several ways. By default, only local administrators have rights to the files and registry keys that the Configuration Manager console requires on the computers where you install it.

SMS Provider

The next layer of security is based on access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is a Configuration Manager component that grants a user access to query the site database for information. By default, access to the provider is restricted to members of the local SMS Admins group. This group at first contains only the user who installed Configuration Manager. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add those accounts to the SMS Admins group.

Starting in version 1810, you can specify the minimum authentication level for administrators to access Configuration Manager sites. This feature requires administrators to sign in to Windows at that level before they can connect.

For more information, see Plan for the SMS Provider.

Site database permissions

The final layer of security is based on permissions to objects in the site database. By default, the Local System account and the user account that you used to install Configuration Manager can administer all objects in the site database. Grant and restrict permissions for additional administrative users in the Configuration Manager console by using role-based administration.

Role-based administration

Configuration Manager uses role-based administration to help secure objects like collections, deployments, and sites. This administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings.

An administrator assigns security roles to administrative users; each role groups a set of permissions. The permissions are connected to different Configuration Manager object types, for example, the permission to create or change client settings.

Security scopes group specific instances of objects that an administrative user is responsible for managing, like an application that installs Microsoft 365 Apps.

The combination of security roles, security scopes, and collections defines the objects that an administrative user can view and manage. Configuration Manager installs some default security roles for typical management tasks. Create your own security roles to support your specific business requirements.

For more information, see Configure role-based administration.
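An added example, not part of the original article, of auditing how the three factors combine: it reads each administrative user's roles, security scopes and collections through the ConfigurationManager PowerShell module's Get-CMAdministrativeUser cmdlet and flags accounts that hold the built-in Full Administrator role over the built-in All scope but are not on an approved list. The site code and the approved-admin list are placeholders.

```powershell
# Added example: review role-based administration assignments.
# Assumes the ConfigurationManager module is loaded and the site PSDrive
# (named after the site code) exists, as in the console's PowerShell window.
param(
    [string]$SiteCode = 'P01',                                   # placeholder site code
    [string[]]$ApprovedFullAdmins = @('CONTOSO\cm-fulladmins')   # placeholder approved list
)

Set-Location "$($SiteCode):"

$report = foreach ($admin in Get-CMAdministrativeUser) {
    # SMS_Admin exposes the effective assignment as three string arrays:
    # RoleNames (security roles), CategoryNames (security scopes), CollectionNames.
    $roles       = @($admin.RoleNames)
    $scopes      = @($admin.CategoryNames)
    $collections = @($admin.CollectionNames)

    $isFullAdmin = $roles  -contains 'Full Administrator'
    $allScopes   = $scopes -contains 'All'
    $approved    = $ApprovedFullAdmins -contains $admin.LogonName

    # Full Administrator combined with the All scope can view and manage every
    # object in the hierarchy, so anyone outside the approved list needs review.
    $finding = if ($isFullAdmin -and $allScopes -and -not $approved) {
        'REVIEW: unapproved Full Administrator over All scope'
    } elseif ($isFullAdmin) {
        'Full Administrator (approved or limited by scope)'
    } else {
        'OK: limited by role'
    }

    [pscustomobject]@{
        LogonName   = $admin.LogonName
        IsGroup     = [bool]$admin.IsGroup
        Roles       = $roles       -join '; '
        Scopes      = $scopes      -join '; '
        Collections = $collections -join '; '
        Finding     = $finding
    }
}

# Findings that need review sort to the top.
$report | Sort-Object Finding -Descending | Format-Table -AutoSize
```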

Securing client endpoints

Configuration Manager secures client communication to site system roles by using either self-signed or PKI certificates, or Azure Active Directory (Azure AD) tokens. Some scenarios require the use of PKI certificates, for example internet-based client management and mobile device clients.

You can configure the site system roles to which clients connect for either HTTPS or HTTP client communication. Client computers always communicate by using the most secure method that's available. Client computers only fall back to the less secure communication method if you have site system roles that allow HTTP communication.

For more information, see Plan for security.

Configuration Manager accounts and groups

Configuration Manager uses the Local System account for most site operations. Some management tasks might require you to create and maintain additional accounts. Configuration Manager creates several default groups and SQL Server roles during setup. You might have to manually add computer or user accounts to the default groups and SQL Server roles.

For more information, see Accounts used in Configuration Manager.

Privacy

Before you implement Configuration Manager, consider your privacy requirements. Although enterprise management products offer many advantages because they can effectively manage large numbers of clients, this software might affect the privacy of users in your organization. Configuration Manager includes many tools to collect data and monitor devices. Some tools might raise privacy concerns in your organization.

For example, when you install the Configuration Manager client, it enables many management settings by default. This configuration causes the client software to send information to the Configuration Manager site. The site stores client information in the site database. The client information isn't directly sent to Microsoft. For more information, see Diagnostics and usage data.
