Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

One of the challenges in implementing an Active Directory model that does not rely on permanent membership in highly privileged groups is that there must be a mechanism to populate those groups when temporary membership is required. Some privileged identity management solutions require that the software's service accounts be granted permanent membership in groups such as Domain Admins (DA) or Administrators in every domain in the forest. However, it is not technically necessary for Privileged Identity Management (PIM) solutions to run their services in such highly privileged contexts.

This appendix provides information that you can use, for natively implemented or third-party PIM solutions, to create accounts that have limited privileges and can be stringently controlled, but that can be used to populate privileged groups in Active Directory when temporary elevation is required. If you implement PIM as a native solution, these accounts can be used by administrative staff to perform the temporary group population; if you implement PIM with third-party software, you may be able to adapt these accounts to function as its service accounts.

Note

The procedures described in this appendix provide one approach to the management of highly privileged groups in Active Directory. You can adapt these procedures to suit your needs, add restrictions, or omit some of the restrictions described here.

Creating Management Accounts for Protected Accounts and Groups in Active Directory

Creating accounts that can manage the membership of privileged groups, without granting the management accounts excessive rights and permissions, consists of four general activities that are described in the step-by-step instructions that follow:

  1. First, create a group that will manage the accounts, because these accounts should be managed by a limited set of trusted users. If you do not already have an OU structure that segregates privileged and protected accounts and systems from the general population of the domain, you should create one. Although specific instructions are not provided in this appendix, the screenshots that accompany these procedures show an example of such an OU hierarchy.

  2. Create the management accounts. These accounts should be created as "regular" user accounts and granted no user rights beyond those already granted to users by default.

  3. Implement restrictions on the management accounts that make them usable only for the specialized purpose for which they were created, and control who can enable and use the accounts (the group you created in the first step).

  4. Configure permissions on the AdminSDHolder object in each domain to allow the management accounts to change the membership of the privileged groups in that domain.

You should thoroughly test all of these procedures, and modify them as needed for your environment, before implementing them in production. You should also verify that all settings work as expected (some testing procedures are provided in this appendix), and you should test a disaster recovery scenario in which the management accounts are not available to populate protected groups for recovery purposes. For more information about backing up and restoring Active Directory, see the AD DS Backup and Recovery Step-by-Step Guide.

Note

By implementing the steps described in this appendix, you will create accounts that can manage the membership of all protected groups in each domain, not only the highest-privilege Active Directory groups such as Enterprise Admins (EA), Domain Admins (DA), and Builtin Administrators (BA). For more information about protected groups in Active Directory, see Appendix C: Protected Accounts and Groups in Active Directory.

Step-by-Step Instructions for Creating Management Accounts for Protected Groups

Creating a Group to Enable and Disable Management Accounts

Management accounts should have their passwords reset at each use and should be disabled when the activities that require them are complete. Although you might also consider requiring smart card logon for these accounts, that is an optional configuration, and these instructions assume that the management accounts will be configured with a user name and a long, complex password as the minimum controls. In this step, you create a group that has permission to reset the passwords of the management accounts and to enable and disable the accounts.

To create a group to enable and disable management accounts, perform the following steps:

  1. In the OU structure where you will house the management accounts, right-click the OU in which you want to create the group, click New, and then click Group.

  2. In the New Object - Group dialog box, enter a name for the group. If you plan to use this group to "activate" all management accounts in your forest, make it a universal security group. If you have a single-domain forest, or if you plan to create a group in each domain, you can create a global security group. Click OK to create the group.

  3. Right-click the group you just created, click Properties, and then click the Object tab. In the group's Object property dialog box, select Protect object from accidental deletion. This not only prevents otherwise-authorized users from deleting the group, but also prevents them from moving it to another OU unless the attribute is first cleared.

    Note

    If you have already configured permissions on the group's parent OUs to restrict administration to a limited set of users, you may not need to perform the following steps. They are provided here so that, even if you have not yet implemented limited administrative control over the OU structure in which you created this group, you can secure the group against modification by unauthorized users.

  4. Click the Members tab, and add the accounts of the team members who will be responsible for enabling management accounts or populating protected groups when necessary.

  5. If you have not already done so, in the Active Directory Users and Computers console, click View and select Advanced Features. Right-click the group you just created, click Properties, and then click the Security tab. On the Security tab, click Advanced.

  6. In the Advanced Security Settings for [Group] dialog box, click Disable Inheritance. When prompted, click Convert inherited permissions into explicit permissions on this object, and then click OK to return to the group's Security dialog box.

  7. On the Security tab, remove the groups that should not be permitted to access this group. For example, if you do not want Authenticated Users to be able to read the group's name and general properties, you can remove that ACE. You can also remove ACEs such as those for Account Operators and Pre-Windows 2000 Compatible Access. You should, however, leave a minimum set of object permissions in place. Leave the following ACEs intact:

    • SELF

    • SYSTEM

    • Domain Admins

    • Enterprise Admins

    • Administrators

    • Windows Authorization Access Group (if applicable)

    • ENTERPRISE DOMAIN CONTROLLERS

    Although it may seem counterintuitive to allow the highest-privileged groups in Active Directory to manage this group, the goal of these settings is not to prevent members of those groups from making authorized changes. Rather, the goal is to ensure that when you have occasion to require very high levels of privilege, authorized changes will succeed. This is why changing the default nesting, rights, and permissions of privileged groups is discouraged throughout this document. By leaving the default structures intact and emptying the membership of the highest-privilege groups in the directory, you can create a more secure environment that still functions as expected.

    Note

    If you have not already configured audit policies for the objects in the OU structure where you created this group, you should configure auditing to log changes to this group.

  8. You have completed configuration of the group that will be used to "check out" management accounts when they are needed and to "check in" the accounts when their activities are complete.
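The same group, created and locked down with PowerShell instead of the console. This is an added example, not code from the original appendix or from Microsoft. The OU path, the group name and the team members' account names are assumptions for illustration; it is meant to be run by a Domain Admin on a domain controller or on an administrative host with the RSAT ActiveDirectory module. It follows steps 1 through 8 above and also adds the audit rule that the note after step 7 recommends.

```powershell
# Added example (not from the original appendix). Assumed names: the OU path, the
# group name and the team members' sAMAccountNames. Run as a Domain Admin on a DC
# or on an admin host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$ouPath    = 'OU=Tier0-Mgmt,OU=Admin,DC=tailspintoys,DC=msft'   # assumed OU structure
$groupName = 'PIM-Account-Activators'                            # assumed group name
$team      = @('alice.admin', 'bob.admin')                       # assumed team members

# Step 2: universal security group so one group can activate accounts forest-wide.
# Use -GroupScope Global if you create one such group per domain instead.
$group = New-ADGroup -Name $groupName -SamAccountName $groupName -Path $ouPath `
    -GroupScope Universal -GroupCategory Security -PassThru

# Step 3: "Protect object from accidental deletion" (a Deny Delete/Delete Subtree ACE for Everyone)
Set-ADObject -Identity $group.DistinguishedName -ProtectedFromAccidentalDeletion $true

# Step 4: the people allowed to check management accounts out and in
Add-ADGroupMember -Identity $group -Members $team

# Steps 5-6: disable inheritance, keeping the inherited ACEs as explicit copies
$aclPath = "AD:\$($group.DistinguishedName)"
$acl = Get-Acl -Path $aclPath
$acl.SetAccessRuleProtection($true, $true)   # (isProtected, preserveInheritance)
Set-Acl -Path $aclPath -AclObject $acl
$acl = Get-Acl -Path $aclPath                 # re-read so every ACE is now explicit

# Step 7: prune principals that have no business reading or managing this group.
# SELF, SYSTEM, Domain/Enterprise Admins, Administrators, Windows Authorization Access
# Group and ENTERPRISE DOMAIN CONTROLLERS are deliberately left alone.
$prune = @(
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-548',   # BUILTIN\Account Operators
    'S-1-5-32-554'    # BUILTIN\Pre-Windows 2000 Compatible Access
)
foreach ($sid in $prune) {
    $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$sid)
}
Set-Acl -Path $aclPath -AclObject $acl

# Check: list what is left; nothing but the retained principals should remain
(Get-Acl -Path $aclPath).Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Sort-Object IdentityReference | Format-Table -AutoSize

# Note after step 7: audit every write to the group object. Reading and writing the
# SACL needs SeSecurityPrivilege, and the events only appear once the "Audit Directory
# Service Changes" subcategory is enabled on the domain controllers.
$sd = Get-Acl -Path $aclPath -Audit
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',                                   # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, Delete, DeleteTree',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$sd.AddAuditRule($auditRule)
Set-Acl -Path $aclPath -AclObject $sd
```

The two-phase write (protect, save, re-read, then purge) matters: until the protected descriptor has been written back and read again, the ACEs inherited from the OU are still flagged as inherited and PurgeAccessRules would not touch them.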

Creating the Management Accounts

You should create at least one account that will be used to manage the membership of privileged groups in your Active Directory installation, and preferably a second account to serve as a backup. Whether you create the management accounts in a single domain in the forest and grant them management capabilities over all domains' protected groups, or implement management accounts in each domain in the forest, the procedures are effectively the same.

Note

The steps in this document assume that you have not yet implemented role-based access control and privileged identity management for Active Directory. Therefore, some procedures must be performed by a user whose account is a member of the Domain Admins group of the domain in question.

When you are using an account with DA privileges, you can log on to a domain controller to perform the configuration activities. Steps that do not require DA privileges can be performed with less-privileged accounts logged on to administrative workstations. Screenshots that show dialog boxes bordered in the lighter blue color represent activities that can be performed on a domain controller; screenshots that show dialog boxes in the darker blue color represent activities that can be performed on administrative workstations with accounts that have limited privileges.

To create the management accounts, perform the following steps:

  1. Log on to a domain controller with an account that is a member of the domain's DA group.

  2. Launch Active Directory Users and Computers and navigate to the OU in which you will create the management account.

  3. Right-click the OU, click New, and then click User.

  4. In the New Object - User dialog box, enter the naming information you want for the account, and then click Next.

  5. Provide an initial password for the user account, clear User must change password at next logon, select User cannot change password and Account is disabled, and then click Next.

  6. Verify that the account details are correct, and then click Finish.

  7. Right-click the user object you just created, and then click Properties.

  8. Click the Account tab.

  9. In the Account options field, select the Account is sensitive and cannot be delegated flag, select the This account supports Kerberos AES 128 bit encryption and/or the This account supports Kerberos AES 256 bit encryption flag, and then click OK.

    Note

    Because this account, like the other accounts described in this document, has a limited but powerful function, it should be used only on secure administrative hosts. For all secure administrative hosts in your environment, consider implementing the Group Policy setting Network security: Configure encryption types allowed for Kerberos to allow only the most secure encryption types you can implement for those hosts.

    Implementing stronger encryption types on the hosts does not by itself mitigate credential theft attacks; the appropriate use and configuration of secure hosts does. Setting stronger encryption types for hosts that are used only by privileged accounts simply reduces the overall attack surface of those computers.

    For more information about configuring encryption types on systems and accounts, see Windows Configurations for Kerberos Supported Encryption Type.

    These settings are supported on computers running Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7, and later versions.

  10. On the Object tab, select Protect object from accidental deletion. This not only prevents the object from being deleted (even by otherwise-authorized users), but also prevents it from being moved to a different OU in your AD DS hierarchy unless the check box is first cleared by a user who has permission to change the attribute.

  11. Click the Remote control tab.

  12. Clear the Enable remote control flag. It should never be necessary for support staff to connect to this account's sessions to implement fixes.

    Note

    Every object in Active Directory should have a designated IT owner and a designated business owner, as described in Planning for Compromise. If you are tracking ownership of AD DS objects in Active Directory (as opposed to an external database), you should enter the appropriate ownership information in this object's properties.

    In this case, the business owner is most likely an IT division, and there is no prohibition on business owners also being IT owners. The point of establishing ownership of objects is to allow you to identify the contacts when changes need to be made to the objects, perhaps years after their initial creation.

  13. Click the Organization tab.

  14. Enter any information that your AD DS object standards require.

  15. Click the Dial-in tab.

  16. In the Network Access Permission field, select Deny access. This account should never need to connect over a remote access connection.

    Note

    It is unlikely that this account will be used to log on to read-only domain controllers (RODCs) in your environment. However, should circumstances ever require the account to log on to an RODC, you should add it to the Denied RODC Password Replication Group so that its password is not cached on the RODC.

    Although the account's password should be reset after each use and the account should be disabled, implementing this setting has no harmful effect on the account, and it may help in situations in which an administrator forgets to reset the account's password and disable it.

  17. Click the Member Of tab.

  18. Click Add.

  19. In the Select Users, Contacts, Computers dialog box, type Denied RODC Password Replication Group and click Check Names. When the name of the group is underlined in the object picker, click OK, and then verify that the account is now a member of exactly two groups: Domain Users (its default primary group) and Denied RODC Password Replication Group. Do not add the account to any protected groups.

  20. Click OK.

  21. Click the Security tab, and then click Advanced.

  22. In the Advanced Security Settings dialog box, click Disable inheritance, convert the inherited permissions into explicit permissions, and then click Add.

  23. In the Permission Entry for [Account] dialog box, click Select a principal and add the group you created in the previous procedure. Scroll to the bottom of the dialog box and click Clear all to remove all default permissions.

  24. Scroll to the top of the Permission Entry dialog box. Ensure that the Type drop-down list is set to Allow, and in the Applies to drop-down list, select This object only.

  25. In the Permissions field, select Read all properties, Read permissions, and Reset password.

  26. In the Properties field, select Read userAccountControl and Write userAccountControl.

  27. Click OK, and then click OK again in the Advanced Security Settings dialog box.

    Note

    The userAccountControl attribute controls multiple account configuration options (among them Account is disabled, Account is sensitive and cannot be delegated, Password not required, and Smart card is required for interactive logon). When you grant write permission to the attribute, you cannot restrict the grant to only some of those options: a principal that can write userAccountControl in order to enable the account can also clear the other flags set on it, which is one more reason to keep the group that holds this permission small and audited.

  28. In the Group or user names field of the Security tab, remove any groups that should not be permitted to access or manage the account. Do not remove any groups that have been configured with Deny ACEs, such as the Everyone group and the SELF computed account (those ACEs were set when the User cannot change password flag was enabled during creation of the account). Also do not remove the group you just added, the SYSTEM account, or groups such as EA, DA, BA, or the Windows Authorization Access Group.

  29. Click Advanced and verify that the Advanced Security Settings dialog box shows, for the group you created, only the explicit Allow entries you configured in steps 23 through 26, applying to this object only.

  30. Click OK, and then click OK again to close the account's property dialog box.

  31. Setup of the first management account is now complete. You will test the account in a later procedure.
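Steps 1 through 29 of this procedure, scripted. This is an added example and not code from the original appendix or from Microsoft; it is the kind of script the "Creating Additional Management Accounts" section suggests. The OU path, the account name PIM001 (the appendix's own example UPN), the lab domain name and the activator group name from the previous procedure are assumptions. It is meant to run on a domain controller as a Domain Admin. The remote-control setting has no Set-ADUser parameter, so it is written through the Terminal Services ADSI extension; the Dial-in "Deny access" setting is the msNPAllowDialin attribute.

```powershell
# Added example (not from the original appendix). Assumed: the OU path, the account
# name PIM001, the activator group from the previous procedure and the lab domain name.
# Run on a domain controller as a Domain Admin.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$ouPath     = 'OU=Tier0-Mgmt,OU=Admin,DC=tailspintoys,DC=msft'   # assumed
$sam        = 'PIM001'                                            # assumed
$upn        = "$sam@tailspintoys.msft"
$activators = 'PIM-Account-Activators'                            # assumed, created earlier
$initialPw  = Read-Host -AsSecureString 'Initial password (long and random; it is reset at every check-out)'

# Steps 3-9: a plain user, disabled, cannot change its own password, not delegable, AES only
$user = New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn -Path $ouPath `
    -AccountPassword $initialPw -Enabled $false `
    -ChangePasswordAtLogon $false -CannotChangePassword $true `
    -AccountNotDelegated $true -KerberosEncryptionType AES128,AES256 `
    -Description 'Protected-group management account. Keep disabled unless checked out.' -PassThru

# Step 10: protect from deletion and from moves
Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $true

# Step 16: Dial-in "Deny access" is the msNPAllowDialin attribute
Set-ADUser -Identity $user -Replace @{ msNPAllowDialin = $false }

# Step 12: "Enable remote control" is stored in the Terminal Services blob (userParameters);
# the IADsTSUserEx ADSI extension exposes it as EnableRemoteControl (0 = disabled).
$adsiUser = [ADSI]"LDAP://$($user.DistinguishedName)"
$adsiUser.InvokeSet('EnableRemoteControl', 0)
$adsiUser.SetInfo()

# Steps 17-20: never let an RODC cache this password. No protected groups.
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members $user

# Steps 21-27: one explicit grant to the activator group, "This object only":
#   Read all properties, Read permissions, Reset Password (extended right),
#   Read + Write userAccountControl (that is what enable/disable writes).
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    # schemaIDGUID of an attribute, used as the ObjectType of a property-specific ACE
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    # rightsGuid of a control access right, from CN=Extended-Rights in the configuration NC
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}
$uacGuid      = Get-SchemaGuid 'userAccountControl'
$resetPwGuid  = Get-ExtendedRightGuid 'Reset Password'
$activatorSid = (Get-ADGroup -Identity $activators).SID
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$thisObject   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

$aclPath = "AD:\$($user.DistinguishedName)"
$acl = Get-Acl -Path $aclPath
$acl.SetAccessRuleProtection($true, $true)    # step 22: disable inheritance, keep explicit copies
$grants = @(
    @{ Rights = 'ReadProperty, ReadControl';   ObjectType = [guid]::Empty },   # Read all properties + Read permissions
    @{ Rights = 'ExtendedRight';               ObjectType = $resetPwGuid },    # Reset password
    @{ Rights = 'ReadProperty, WriteProperty'; ObjectType = $uacGuid }         # Read/Write userAccountControl
)
foreach ($g in $grants) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $activatorSid, [System.DirectoryServices.ActiveDirectoryRights]$g.Rights, $allow, $g.ObjectType, $thisObject)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $aclPath -AclObject $acl

# Check (step 29): the activator group should hold exactly these three Allow entries
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$activators" } |
    Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

The GUIDs are resolved from the schema and from the Extended-Rights container rather than hard-coded, so the same script works in any forest; the final listing is the scripted equivalent of the visual check in step 29, and a fourth entry for the activator group, or any entry whose InheritanceType is not None, means something other than this script touched the ACL.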

Creating Additional Management Accounts

You can create additional management accounts by repeating the previous steps, by copying the account you just created, or by creating a script that creates accounts with your desired configuration settings. Note, however, that if you copy the account you just created, many of the customized settings and ACLs will not be copied to the new account, and you will have to repeat most of the configuration steps.

You can instead create a group to which you delegate the rights to populate and unpopulate protected groups, but you will then need to secure both that group and the accounts you place in it. Because there should be very few accounts in your directory that are granted the ability to manage the membership of protected groups, creating individual accounts may be the simplest approach.

Regardless of how you choose to create a group into which you place the management accounts, you should ensure that each account is secured as described earlier. You should also consider implementing GPO restrictions similar to those described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

Auditing Management Accounts

You should configure auditing on the account to log, at a minimum, all writes to the account. This allows you not only to identify successful enabling of the account and resetting of its password during authorized uses, but also to identify attempts by unauthorized users to manipulate the account. Failed writes on the account should be captured in your Security Information and Event Management (SIEM) system (if applicable) and should trigger alerts that notify the staff responsible for investigating potential compromises.

SIEM solutions take event information from the relevant security sources (for example, event logs, application data, network streams, antimalware products, and intrusion detection sources), collate the data, and attempt to build intelligent views and drive proactive actions. There are many commercial SIEM solutions, and many enterprises create private implementations. A well-designed and appropriately implemented SIEM can significantly enhance security monitoring and incident response capabilities. However, capabilities and accuracy vary tremendously between solutions. SIEMs are beyond the scope of this paper, but the specific event recommendations it contains should be considered by any SIEM implementer.

For more information about recommended audit configuration settings, including domain controller-specific configuration settings, see Monitoring Active Directory for Signs of Compromise.
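What those writes look like in the Security log, as an added example that is not part of the original appendix or of any Microsoft tooling. The script reads the PDC emulator's Security log (password resets and most account changes are processed there) for the events a check-out, use and check-in of a management account produce, keeps only the ones that involve the account, and flags failed writes. The account name and the look-back window are assumptions; the event IDs are the standard Windows audit events for account enable/disable, password reset, account change, security-group membership change and directory object access, and they are only logged when the corresponding audit subcategories are enabled.

```powershell
# Added example (not from the original appendix). Assumed: the account name and the
# look-back window. Requires the Account Management, Security Group Management and
# Directory Service Access audit subcategories to be enabled on the DCs, and rights to
# read the remote Security log.
Import-Module ActiveDirectory

$mgmtAccount = 'PIM001'                                # assumed
$since       = (Get-Date).AddDays(-7)
$dc          = (Get-ADDomain).PDCEmulator

$ids = @{
    4722 = 'user account enabled'
    4725 = 'user account disabled'
    4724 = 'password reset attempt'
    4738 = 'user account changed'
    4728 = 'member added to global security group'
    4729 = 'member removed from global security group'
    4756 = 'member added to universal security group'
    4757 = 'member removed from universal security group'
    4662 = 'operation on a directory object (failed writes land here)'
}
$auditFailure = [long]0x10000000000000   # Keywords bit for "Audit Failure"

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since }

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }
    # 47xx events name the actor in Subject* and the account/group in Target*;
    # membership events carry the member DN in MemberName; 4662 uses ObjectName.
    $subject = $d['SubjectUserName']
    $target  = if ($d['TargetUserName']) { $d['TargetUserName'] } else { $d['ObjectName'] }
    $member  = $d['MemberName']
    $involved = ($subject -eq $mgmtAccount) -or ($target -eq $mgmtAccount) -or
                ($member -like "CN=$mgmtAccount,*") -or ($target -like "CN=$mgmtAccount,*")
    if ($involved) {
        if ($e.Keywords -band $auditFailure) { $outcome = 'Failure' } else { $outcome = 'Success' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            What    = $ids[[int]$e.Id]
            Outcome = $outcome
            Subject = $subject
            Target  = $target
            Member  = $member
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Alert rule: a failed write to the management account, or any change to it outside an
# approved check-out window, should page the people who investigate potential compromise.
$rows | Where-Object { $_.Outcome -eq 'Failure' } |
    ForEach-Object { Write-Warning ("Failed write: {0} by {1} on {2} at {3}" -f $_.What, $_.Subject, $_.Target, $_.Time) }
```

A legitimate use of the account shows up as a fixed sequence from the activator (4722 and 4724 with the management account as target), then 4728 or 4756 and the matching removal with the management account as subject, then 4724 and 4725 again. Anything else touching the account, and any 4662 with the Failure keyword against it, is the signal the SIEM rule should fire on.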

Enabling Management Accounts to Modify the Membership of Protected Groups

In this procedure, you configure permissions on the domain's AdminSDHolder object to allow the newly created management accounts to modify the membership of protected groups in the domain. This procedure cannot be performed through a graphical user interface (GUI).

As discussed in Appendix C: Protected Accounts and Groups in Active Directory, the ACL on a domain's AdminSDHolder object is effectively "copied" to protected objects when the SDProp task runs. Protected groups and accounts do not inherit their permissions from the AdminSDHolder object; their permissions are explicitly set to match those on the AdminSDHolder object. Therefore, when you modify permissions on the AdminSDHolder object, you must set them on attributes that are appropriate to the type of protected object you are targeting.

In this case, you grant the newly created management accounts the ability to read and write the member attribute on group objects. However, the AdminSDHolder object is not a group object, and group attributes are not exposed for it in the graphical ACL editor. That is why you implement the permission changes with the Dsacls command-line utility. To grant the (disabled) management accounts permission to modify the membership of protected groups, perform the following steps:

  1. Log on to a domain controller, preferably the domain controller that holds the PDC Emulator (PDCE) role, with the credentials of a user account that has been made a member of the DA group in the domain.

  2. Open an elevated command prompt by right-clicking Command Prompt and clicking Run as administrator.

  3. When prompted to approve the elevation, click Yes.

    Note

    For more information about elevation and User Account Control (UAC) in Windows, see UAC Processes and Interactions on the TechNet website.

  4. At the command prompt, type (substituting your domain-specific information) Dsacls [distinguished name of the AdminSDHolder object in your domain] /G [management account UPN]:RPWP;member. With the example values used below, the command is:

    Dsacls CN=AdminSDHolder,CN=System,DC=TailSpinToys,DC=msft /G PIM001@tailspintoys.msft:RPWP;member

    The command (which is not case-sensitive) works as follows:

    • Dsacls sets or displays ACEs on directory objects

    • CN=AdminSDHolder,CN=System,DC=TailSpinToys,DC=msft identifies the object to be modified

    • /G indicates that a grant (Allow) ACE is being configured

    • PIM001@tailspintoys.msft is the User Principal Name (UPN) of the security principal to which the ACE is granted

    • RPWP grants the Read Property and Write Property permissions

    • member is the name of the property (attribute) on which the permissions are set

    For more information about the use of Dsacls, type Dsacls without any parameters at a command prompt.

    If you have created multiple management accounts for the domain, run the Dsacls command once for each account. When you have completed the ACL configuration on the AdminSDHolder object, either force SDProp to run or wait until its scheduled run completes. For information about forcing SDProp to run, see "Running SDProp Manually" in Appendix C: Protected Accounts and Groups in Active Directory.

    When SDProp has run, you can verify that the changes you made to the AdminSDHolder object have been applied to the protected groups in the domain. For the reasons described above, you cannot verify this by viewing the ACL on the AdminSDHolder object, but you can verify that the permissions have been applied by viewing the ACLs on the protected groups themselves.

  5. In Active Directory Users and Computers, verify that Advanced Features is enabled on the View menu. Then locate the Domain Admins group, right-click the group, and click Properties.

  6. Click the Security tab, and then click Advanced to open the Advanced Security Settings for Domain Admins dialog box.

  7. Select the Allow ACE for the management account and click Edit. Verify that the account has been granted only the Read Members and Write Members permissions on the DA group, and then click OK.

  8. Click OK in the Advanced Security Settings dialog box, and then click OK again to close the property dialog box for the DA group.

  9. You can repeat the previous steps for the other protected groups in the domain; the permissions should be the same for all protected groups. You have now completed the creation and configuration of the management accounts for the protected groups in this domain.

    Note

    Any account that has permission to write the membership of a group in Active Directory can also add itself to that group. This behavior is by design and cannot be disabled. For this reason, you should always keep the management accounts disabled when they are not in use, and you should closely monitor them both while they are disabled and while they are in use.
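Steps 4 through 9 for every management account and every protected group at once. This is an added example, not code from the original appendix or from Microsoft. The grant itself still uses dsacls.exe exactly as in step 4; the script only loops it over the accounts, triggers SDProp through the RunProtectAdminGroupsTask RootDSE operation (the mechanism behind "Running SDProp Manually" in Appendix C), and then checks the stamped ACL on each group with adminCount=1 instead of opening Domain Admins in the console. The management account names are assumptions; run it in an elevated PowerShell session on the PDC emulator as a Domain Admin.

```powershell
# Added example (not from the original appendix). Assumed: the management account
# names. Run in an elevated PowerShell on the PDC emulator as a Domain Admin.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$domain       = Get-ADDomain
$adminSDH     = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$mgmtAccounts = @('PIM001', 'PIM002')   # assumed; one dsacls call per account

# Step 4, once per account: RPWP;member = Read Property + Write Property on "member"
foreach ($sam in $mgmtAccounts) {
    $upn = (Get-ADUser -Identity $sam -Properties userPrincipalName).userPrincipalName
    & dsacls.exe $adminSDH /G "${upn}:RPWP;member" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $upn (exit $LASTEXITCODE)" }
}

# Do not wait for the 60-minute SDProp cycle: writing RunProtectAdminGroupsTask=1
# to RootDSE on the PDC emulator makes it stamp the protected objects now.
$rootDse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
$rootDse.Put('RunProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
Start-Sleep -Seconds 15

# Steps 5-9 for every protected group, not only Domain Admins. The ACE is invisible
# in the GUI on AdminSDHolder, but it is readable on the groups SDProp stamped.
$memberGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID
$expected = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

foreach ($grp in (Get-ADGroup -LDAPFilter '(adminCount=1)')) {
    $aces = (Get-Acl -Path "AD:\$($grp.DistinguishedName)").Access |
        Where-Object { $mgmtAccounts -contains ($_.IdentityReference.Value -split '\\')[-1] }
    if (-not $aces) {
        '{0,-36} MISSING (SDProp has not stamped this group yet?)' -f $grp.Name
        continue
    }
    foreach ($ace in $aces) {
        $exact = ($ace.AccessControlType -eq 'Allow') -and
                 ($ace.ObjectType -eq $memberGuid) -and
                 ($ace.ActiveDirectoryRights -eq $expected)
        if ($exact) { $verdict = 'OK: RP/WP on member only' }
        else { $verdict = "UNEXPECTED: $($ace.ActiveDirectoryRights) on $($ace.ObjectType)" }
        '{0,-36} {1,-28} {2}' -f $grp.Name, $ace.IdentityReference, $verdict
    }
}
```

The verification deliberately checks all three parts of the ACE (Allow, the member attribute's schemaIDGUID, and exactly ReadProperty plus WriteProperty): an ACE with an empty ObjectType would mean the account can write every attribute of every protected group, which is far more than step 7 intends, and a management account that shows up on no group means SDProp has not run or the grant went to the wrong object.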

Verifying Group and Account Configuration Settings

Now that you have created and configured management accounts that can modify the membership of the protected groups in the domain (which include the most highly privileged EA, DA, and BA groups), you should verify that the accounts and their management group have been created properly. Verification consists of these general tasks:

  1. Test the group that can enable and disable management accounts, to verify that members of the group can enable and disable the accounts and reset their passwords, but cannot perform other administrative activities on the management accounts.

  2. Test the management accounts, to verify that they can add members to and remove members from the protected groups in the domain, but cannot change any other properties of protected accounts and groups.

Test the Group that Will Enable and Disable Management Accounts

  1. To test enabling a management account and resetting its password, log on to a secure administrative workstation with an account that is a member of the group you created in Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory.


  2. Open Active Directory Users and Computers, right-click the management account, and click Enable Account.


  3. A dialog box should appear, confirming that the account has been enabled.


  4. Next, reset the password on the management account. To do so, right-click the account again and click Reset Password.


  5. Type a new password for the account in the New password and Confirm password fields, and click OK.


  6. A dialog box should appear, confirming that the password for the account has been reset.


  7. Now attempt to modify additional properties of the management account. Right-click the account, click Properties, and then click the Remote control tab.

  8. Select Enable remote control and click Apply. The operation should fail and an Access Denied error message should appear.


  9. Click the Account tab for the account and attempt to change the account's name, logon hours, or logon workstations. All of these should fail, and account options that are not controlled by the userAccountControl attribute should be grayed out and unavailable for modification.


  10. Attempt to add the management group to a protected group such as the DA group. When you click OK, a message should appear informing you that you do not have permission to modify the group.


  11. Perform additional tests as required to verify that you cannot configure anything on the management account except userAccountControl settings and password resets.

    Note

    The userAccountControl attribute controls multiple account configuration options. When you grant write permission on the attribute, you cannot restrict that permission to only some of those configuration options.

Test the Management Accounts

Now that you have enabled one or more accounts that can change the membership of protected groups, you can test the accounts to ensure that they can modify protected group membership, but cannot perform other modifications on protected accounts and groups.

  1. Log on to a secure administrative host as the first management account.


  2. Launch Active Directory Users and Computers and locate the Domain Admins group.

  3. Right-click the Domain Admins group and click Properties.


  4. In the Domain Admins Properties dialog box, click the Members tab and click Add. Enter the name of an account that will be given temporary Domain Admins privileges and click Check Names. When the name of the account is underlined, click OK to return to the Members tab.


  5. On the Members tab of the Domain Admins Properties dialog box, click Apply. After you click Apply, the account should remain a member of the DA group and you should receive no error messages.


  6. Click the Managed By tab in the Domain Admins Properties dialog box and verify that you cannot enter text in any field and that all buttons are grayed out.


  7. Click the General tab in the Domain Admins Properties dialog box and verify that you cannot modify any of the information on that tab.


  8. Repeat these steps for additional protected groups as needed. When you have finished, log on to a secure administrative host with an account that is a member of the group you created to enable and disable the management accounts. Then reset the password on the management account you just tested and disable the account. You have completed setup of the management accounts and the group that will be responsible for enabling and disabling the accounts.
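The two verification procedures above (testing the enable/disable group, then testing a management account) can be driven from a secure administrative workstation with the ActiveDirectory PowerShell module. This is an added example, not part of the original appendix: the account and group names are placeholders for the objects you created earlier, and each check passes only when the outcome matches what the corresponding step expects.

```powershell
# Added example, not from the original appendix. Placeholders: adjust to your domain.
Import-Module ActiveDirectory

$MgmtAccount    = 'mgmt-da'        # placeholder: management account for the DA group
$TestUser       = 'temp-da-user'   # placeholder: account to receive temporary DA membership
$ProtectedGroup = 'Domain Admins'
$EnablerCred    = Get-Credential -Message 'Member of the group that enables/disables management accounts'

# Runs one action and reports whether the outcome is the one the procedure expects.
function Test-Expectation {
    param([string]$Name, [scriptblock]$Action, [bool]$ShouldSucceed)
    $detail = ''
    try   { & $Action | Out-Null; $ok = $ShouldSucceed }
    catch { $ok = -not $ShouldSucceed; $detail = ": $($_.Exception.Message)" }
    $expected = if ($ShouldSucceed) { 'success' } else { 'access denied' }
    '{0} {1} (expected {2}){3}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $Name, $expected, $detail
}

# Part 1: the enable/disable group may enable the account and reset its password
# (userAccountControl and the password-reset right were delegated), but nothing else.
$newPw = Read-Host -AsSecureString 'New password for the management account'
Test-Expectation -Name 'Enable management account' -ShouldSucceed $true -Action {
    Enable-ADAccount -Identity $MgmtAccount -Credential $EnablerCred -ErrorAction Stop }
Test-Expectation -Name 'Reset management account password' -ShouldSucceed $true -Action {
    Set-ADAccountPassword -Identity $MgmtAccount -Reset -NewPassword $newPw -Credential $EnablerCred -ErrorAction Stop }
Test-Expectation -Name 'Change management account description' -ShouldSucceed $false -Action {
    Set-ADUser -Identity $MgmtAccount -Description 'should be denied' -Credential $EnablerCred -ErrorAction Stop }
Test-Expectation -Name "Add enabler group member to $ProtectedGroup" -ShouldSucceed $false -Action {
    Add-ADGroupMember -Identity $ProtectedGroup -Members $EnablerCred.UserName -Credential $EnablerCred -ErrorAction Stop }

# Part 2: the (now enabled) management account may change membership of the
# protected group, but no other attribute of it.
$MgmtCred = Get-Credential -UserName $MgmtAccount -Message 'Management account (use the password just set)'
Test-Expectation -Name "Add $TestUser to $ProtectedGroup" -ShouldSucceed $true -Action {
    Add-ADGroupMember -Identity $ProtectedGroup -Members $TestUser -Credential $MgmtCred -ErrorAction Stop }
Test-Expectation -Name "Remove $TestUser from $ProtectedGroup" -ShouldSucceed $true -Action {
    Remove-ADGroupMember -Identity $ProtectedGroup -Members $TestUser -Credential $MgmtCred -Confirm:$false -ErrorAction Stop }
Test-Expectation -Name "Change ManagedBy on $ProtectedGroup" -ShouldSucceed $false -Action {
    Set-ADGroup -Identity $ProtectedGroup -ManagedBy $MgmtAccount -Credential $MgmtCred -ErrorAction Stop }
Test-Expectation -Name "Change description on $ProtectedGroup" -ShouldSucceed $false -Action {
    Set-ADGroup -Identity $ProtectedGroup -Description 'should be denied' -Credential $MgmtCred -ErrorAction Stop }

# Step 8 of the second procedure: put the management account back into its disabled state.
Test-Expectation -Name 'Disable management account' -ShouldSucceed $true -Action {
    Disable-ADAccount -Identity $MgmtAccount -Credential $EnablerCred -ErrorAction Stop }
```

Any FAIL line means a delegation on the management account or the protected group is wider (or narrower) than the appendix intends and should be re-examined in the Advanced Security Settings dialog box before the accounts are put into use.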