Security and privacy for OS deployment in Configuration Manager

Applies to: Configuration Manager (current branch)

This article contains security and privacy information for the OS deployment feature in Configuration Manager.

Security best practices for OS deployment

Use the following security best practices when you deploy operating systems with Configuration Manager:

Implement access controls to protect bootable media

When you create bootable media, always assign a password to help secure the media. Even with a password, only the files that contain sensitive information are encrypted, and all files can be overwritten.

Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate.

To help prevent a client from installing content or client policy that has been tampered with, the content is hashed and must be used with the original policy. If the content hash fails, or the check that the content matches the policy fails, the client won't use the bootable media. Only the content is hashed. The policy isn't hashed, but it's encrypted and secured when you specify a password. This behavior makes it more difficult for an attacker to successfully modify the policy.

Use a secure location when you create media for OS images

If unauthorized users have access to the location, they can tamper with the files that you create. They can also use all the available disk space so that the media creation fails.

Protect certificate files

Protect certificate files (.pfx) with a strong password. If you store them on the network, secure the network channel when you import them into Configuration Manager.

When you require a password to import the client authentication certificate that you use for bootable media, this configuration helps to protect the certificate from an attacker.

Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file.

Block or revoke any compromised certificates

If the client certificate is compromised, block the certificate from Configuration Manager. If it's a PKI certificate, revoke it.

To deploy an OS by using bootable media and PXE boot, you must have a client authentication certificate with a private key. If that certificate is compromised, block the certificate in the Certificates node under the Security node of the Administration workspace.

Secure the communication channel between the site server and the SMS Provider

When the SMS Provider is remote from the site server, secure the communication channel to protect boot images.

When you modify boot images and the SMS Provider is running on a server that isn't the site server, the boot images are vulnerable to attack. Protect the network channel between these computers by using SMB signing or IPsec.

Enable distribution points for PXE client communication only on secure network segments

When a client sends a PXE boot request, you have no way to make sure that the request is serviced by a valid PXE-enabled distribution point. This scenario has the following security risks:

  • A rogue distribution point that responds to PXE requests could provide a tampered image to clients.

  • An attacker could launch a man-in-the-middle attack against the TFTP protocol that is used by PXE. This attack could send malicious code with the OS files. The attacker could also create a rogue client to make TFTP requests directly to the distribution point.

  • An attacker could use a malicious client to launch a denial of service attack against the distribution point.

Use defense in depth to protect the network segments where clients access PXE-enabled distribution points.

Warning

Because of these security risks, don't enable a distribution point for PXE communication when it's in an untrusted network, such as a perimeter network.

Configure PXE-enabled distribution points to respond to PXE requests only on specified network interfaces

If you allow the distribution point to respond to PXE requests on all network interfaces, this configuration might expose the PXE service to untrusted networks.

Require a password to PXE boot

When you require a password for PXE boot, this configuration adds an extra level of security to the PXE boot process. This configuration helps safeguard against rogue clients joining the Configuration Manager hierarchy.
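The two PXE recommendations above (answer only on specified interfaces, require a PXE password) as one added example, not code from this article. It assumes the ConfigurationManager PowerShell module installed with the console, a site code of P01, a distribution point named dp01.contoso.local and a NIC MAC address that are all constructed placeholders, and that Set-CMDistributionPoint exposes the PXE parameters shown; confirm the parameter names with Get-Help Set-CMDistributionPoint in your version.

```powershell
# Added example (not from the Configuration Manager documentation): harden the
# PXE settings of one distribution point. Site code, server name and MAC
# address below are constructed placeholders; parameter names are assumed
# from the ConfigurationManager module and should be verified with Get-Help.

# Load the module from the console install and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "P01:"

$dp = Get-CMDistributionPoint -SiteSystemServerName "dp01.contoso.local"

# Weak setting: PXE answers on every interface, no password, and unknown
# computers are accepted, so any host that can reach the server can start a
# PXE-initiated deployment (which may reformat that host).
#   Set-CMDistributionPoint -InputObject $dp -EnablePxe $true `
#       -RespondToAllNetwork -EnableUnknownComputerSupport $true

# Hardened setting: answer PXE only on the listed interface, require a
# password, and keep unknown-computer support off unless it is needed.
$pxePassword = Read-Host -AsSecureString -Prompt "PXE boot password"
$trustedNics = @("00-15-5D-01-02-03")   # constructed MAC of the internal NIC

Set-CMDistributionPoint -InputObject $dp `
    -EnablePxe $true `
    -AllowPxeResponse $true `
    -PxePassword $pxePassword `
    -MacAddressForRespondingPxeRequest $trustedNics `
    -EnableUnknownComputerSupport $false

# Review the result so the change can be confirmed before clients rely on it.
Get-CMDistributionPoint -SiteSystemServerName "dp01.contoso.local" |
    Select-Object -ExpandProperty Props |
    Where-Object { $_.PropertyName -like "*PXE*" -or $_.PropertyName -like "*Unknown*" }
```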

Restrict content in OS images used for PXE boot or multicast

Don't include line-of-business applications or software that contains sensitive data in an image that you use for PXE boot or multicast.

Because of the inherent security risks involved with PXE boot and multicast, reduce the risks if a rogue computer downloads the OS image.

Restrict content installed by task sequence variables

Don't include line-of-business applications or software that contains sensitive data in packages of applications that you install by using task sequence variables.

When you deploy software by using task sequence variables, it might be installed on computers and to users who aren't authorized to receive that software.

Secure the network channel when migrating user state

When you migrate user state, secure the network channel between the client and the state migration point by using SMB signing or IPsec.

After the initial connection over HTTP, user state migration data is transferred by using SMB. If you don't secure the network channel, an attacker can read and modify this data.

Use the latest version of USMT

Use the latest version of the User State Migration Tool (USMT) that Configuration Manager supports.

The latest version of USMT provides security enhancements and greater control for when you migrate user state data.

Manually delete folders on state migration points when you decommission them

When you remove a state migration point folder in the Configuration Manager console on the state migration point properties, the site doesn't delete the physical folder. To protect the user state migration data from information disclosure, manually remove the network share and delete the folder.

Don't configure the deletion policy to immediately delete user state

If you configure the deletion policy on the state migration point to immediately remove data that's marked for deletion, and if an attacker manages to retrieve the user state data before the valid computer does, the site immediately deletes the user state data. Set the Delete after interval to be long enough to verify the successful restore of user state data.

Manually delete computer associations

Manually delete computer associations when the user state migration data restore is complete and verified.

Configuration Manager doesn't automatically remove computer associations. Help to protect the identity of user state data by manually deleting computer associations that are no longer required.

Manually back up the user state migration data on the state migration point

Configuration Manager Backup doesn't include the user state migration data in the site backup.

Implement access controls to protect the prestaged media

Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate and sensitive data.

Implement access controls to protect the reference computer imaging process

Make sure the reference computer you use to capture OS images is in a secure environment. Use appropriate access controls so that unexpected or malicious software can't be installed and inadvertently included in the captured image. When you capture the image, make sure the destination network location is secure. This process helps make sure the image can't be tampered with after you capture it.

Always install the most recent security updates on the reference computer

When the reference computer has current security updates, it helps to reduce the window of vulnerability for new computers when they first start up.

Implement access controls when deploying an OS to an unknown computer

If you must deploy an OS to an unknown computer, implement access controls to prevent unauthorized computers from connecting to the network.

Provisioning unknown computers provides a convenient method to deploy new computers on demand. But it can also allow an attacker to efficiently become a trusted client on your network. Restrict physical access to the network, and monitor clients to detect unauthorized computers.

Computers responding to a PXE-initiated OS deployment might have all data destroyed during the process. This behavior could result in a loss of availability of systems that are inadvertently reformatted.

Enable encryption for multicast packages

For every OS deployment package, you can enable encryption when Configuration Manager transfers the package by using multicast. This configuration helps prevent rogue computers from joining the multicast session. It also helps prevent attackers from tampering with the transmission.

Monitor for unauthorized multicast-enabled distribution points

If attackers can gain access to your network, they can configure rogue multicast servers to spoof OS deployment.

When you export task sequences to a network location, secure the location and secure the network channel

Restrict who can access the network folder.

Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the exported task sequence.
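The article recommends SMB signing (or IPsec) on four channels: certificate file imports, the site server to SMS Provider link, state migration, and exported task sequences. As an added example that is not part of the article, the following audits and enforces SMB signing on a Windows server with the built-in SmbShare module; it assumes Windows Server 2012 or later and local administrator rights, and does not cover the IPsec alternative.

```powershell
# Added example (not from the Configuration Manager documentation): audit and
# enforce SMB signing on a server that stores .pfx files, exported task
# sequences, or user state data, or that hosts a remote SMS Provider.
# Uses only the built-in SmbShare cmdlets; assumes local administrator rights.

function Get-SmbSigningState {
    # Returns the server- and client-side signing settings on this machine.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerEnablesSigning  = $server.EnableSecuritySignature
        ServerRequiresSigning = $server.RequireSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
    }
}

function Test-SmbSigningRequired {
    # True only when both the server and the client side refuse unsigned
    # sessions. "Enabled" alone is the weak state: signing is negotiable and
    # a peer that doesn't ask for it gets an unsigned session.
    $state = Get-SmbSigningState
    return [bool]($state.ServerRequiresSigning -and $state.ClientRequiresSigning)
}

function Set-SmbSigningRequired {
    # Weak setting (the usual default on a member server): signing is enabled
    # but not required.
    #   Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $false -Force
    # Hardened setting: require signing in both directions. -Force suppresses
    # the confirmation prompt; existing sessions are renegotiated on reconnect.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

function Get-UnsignedOutboundSmbConnections {
    # Lists this machine's outbound SMB connections that are not signed, e.g.
    # the site server's connection to the share holding exported task sequences.
    Get-SmbConnection | Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed
}

# Audit first, enforce if needed, then confirm.
if (-not (Test-SmbSigningRequired)) {
    Write-Warning "SMB signing is not required on $env:COMPUTERNAME; enforcing."
    Set-SmbSigningRequired
}
Get-SmbSigningState
Get-UnsignedOutboundSmbConnections
```

Run it on both ends of each channel (the site server and the file server, or the site server and the remote SMS Provider), since either side left at "enabled but not required" still allows an unsigned session.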

If you use the task sequence run as account, take additional security precautions

If you use the task sequence run as account, take the following precautionary steps:

  • Use an account with the least possible permissions.

  • Don't use the network access account for this account.

  • Never make the account a domain administrator.

  • Never configure roaming profiles for this account. When the task sequence runs, it downloads the roaming profile for the account, which leaves the profile vulnerable to access on the local computer.

  • Limit the scope of the account. For example, create different task sequence run as accounts for each task sequence. If one account is compromised, only the client computers to which that account has access are compromised. If the command line requires administrative access on the computer, consider creating a local administrator account solely for the task sequence run as account. Create this local account on all computers that run the task sequence, and delete the account as soon as it's no longer required.

Restrict and monitor the administrative users who are granted the OS deployment manager security role

Administrative users who are granted the OS deployment manager security role can create self-signed certificates. These certificates can then be used to impersonate a client and obtain client policy from Configuration Manager.

Use Enhanced HTTP to reduce the need for a network access account

Starting in version 1806, when you enable Enhanced HTTP, several OS deployment scenarios don't require a network access account to download content from a distribution point. For more information, see Task sequences and the network access account.

Security issues for OS deployment

Although OS deployment can be a convenient way to deploy the most secure operating systems and configurations for computers on your network, it does have the following security risks:

Information disclosure and denial of service

If an attacker can obtain control of your Configuration Manager infrastructure, they could run any task sequence. This process might include formatting the hard drives of all client computers. Task sequences can be configured to contain sensitive information, such as accounts that have permissions to join the domain and volume licensing keys.

Impersonation and elevation of privileges

Task sequences can join a computer to a domain, which can provide a rogue computer with authenticated network access.

Protect the client authentication certificate that's used for bootable task sequence media and for PXE boot deployment. When you capture a client authentication certificate, this process gives an attacker an opportunity to obtain the private key in the certificate. This certificate lets them impersonate a valid client on the network. In this scenario, the rogue computer can download policy, which can contain sensitive data.

If clients use the network access account to access data stored on the state migration point, these clients effectively share the same identity. They could access state migration data from another client that uses the network access account. The data is encrypted so only the original client can read it, but the data could be tampered with or deleted.

Client authentication to the state migration point is achieved by using a Configuration Manager token that is issued by the management point.

Configuration Manager doesn't limit or manage the amount of data that's stored on the state migration point. An attacker could fill up the available disk space and cause a denial of service.

If you use collection variables, local administrators can read potentially sensitive information

Although collection variables offer a flexible method to deploy operating systems, this feature might result in information disclosure.

Privacy information for OS deployment

In addition to deploying an OS to computers without one, Configuration Manager can be used to migrate users' files and settings from one computer to another. The administrator configures which information to transfer, including personal data files, configuration settings, and browser cookies.

Configuration Manager stores the information on a state migration point, and encrypts it during transmission and storage. Only the new computer associated with the state information can retrieve the stored information. If the new computer loses the key to retrieve the information, a Configuration Manager administrator with the View Recovery Information right on computer association instance objects can access the information and associate it with a new computer. After the new computer restores the state information, it deletes the data after one day, by default. You can configure when the state migration point removes data marked for deletion. Configuration Manager doesn't store the state migration information in the site database, and doesn't send it to Microsoft.

If you use boot media to deploy OS images, always use the default option to password-protect the boot media. The password encrypts any variables stored in the task sequence, but any information not stored in a variable might be vulnerable to disclosure.

OS deployment can use task sequences to perform many different tasks during the deployment process, which includes installing applications and software updates. When you configure task sequences, you should also be aware of the privacy implications of installing software.

Configuration Manager doesn't implement OS deployment by default. It requires several configuration steps before you collect user state information or create task sequences or boot images.

Before you configure OS deployment, consider your privacy requirements.

See also

Diagnostics and usage data

Security and privacy for Configuration Manager