Guidance about how to configure protected accounts

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Through Pass-the-Hash (PtH) attacks, an attacker can authenticate to a remote server or service by using the underlying NTLM hash of a user's password (or other credential derivatives). Microsoft has previously published guidance to mitigate pass-the-hash attacks. Windows Server 2012 R2 includes new features to help mitigate such attacks further. For more information about other security features that help protect against credential theft, see Credentials Protection and Management. This topic explains how to configure the following new features: Protected Users, Authentication Policies, and Authentication Policy Silos.

There are additional mitigations built in to Windows 8.1 and Windows Server 2012 R2 to help protect against credential theft; they are covered in separate topics.

Protected Users

Protected Users is a new global security group to which you can add new or existing users. Windows 8.1 devices and Windows Server 2012 R2 hosts treat members of this group specially to provide better protection against credential theft. For a member of the group, a Windows 8.1 device or a Windows Server 2012 R2 host does not cache credentials that are not supported for Protected Users. Members of this group have no additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1.

Members of the Protected Users group who are signed on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use:

  • Default credential delegation (CredSSP): plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled

  • Windows Digest: plaintext credentials are not cached even when Digest authentication is enabled

  • NTLM: the NT one-way function (NTOWF) of the password, that is, the NT hash, is not cached

  • Kerberos long-term keys: the Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically, because the long-term keys derived from the password are not retained

  • Sign-on offline: the cached logon verifier is not created

If the domain functional level is Windows Server 2012 R2, members of the group can no longer:

  • Authenticate by using NTLM authentication

  • Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication

  • Be delegated by using unconstrained or constrained delegation

  • Renew user tickets (TGTs) beyond the initial 4-hour lifetime

To add users to the group, you can use UI tools such as Active Directory Administrative Center (ADAC) or Active Directory Users and Computers, a command-line tool such as dsmod group, or the Windows PowerShell Add-ADGroupMember cmdlet. Accounts for services and computers should not be members of the Protected Users group. Membership for those accounts provides no local protection, because the password or certificate is always available on the host.

Warning

The authentication restrictions have no workaround, which means that members of highly privileged groups such as Enterprise Admins or Domain Admins are subject to the same restrictions as other members of the Protected Users group. If all members of such groups are added to the Protected Users group, it is possible for all of those accounts to be locked out. Never add all highly privileged accounts to the Protected Users group until you have thoroughly tested the potential impact, and keep at least one tested break-glass account outside the group.

Members of the Protected Users group must be able to authenticate by using Kerberos with Advanced Encryption Standard (AES). This requires AES keys for the account in Active Directory, and AES keys are generated only when the password is set on a domain controller that runs Windows Server 2008 or later. The built-in Administrator does not have an AES key unless its password was changed on such a domain controller. Any account whose password was last changed on a domain controller that runs an earlier version of Windows Server is therefore locked out. Follow these best practices:

  • Do not test in domains unless all domain controllers run Windows Server 2008 or later.

  • Change the password of every domain account that was created, or whose password was last set, before the domain had domain controllers running Windows Server 2008 or later. Otherwise, these accounts cannot authenticate.

  • Change each user's password before adding the account to the Protected Users group, or ensure that the password was changed recently on a domain controller that runs Windows Server 2008 or later.
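The checks above can be scripted before an account is added to the group. The following is an added example written for this page, not code from the original topic or from Microsoft: it refuses service and computer accounts, flags passwords that predate AES key generation, flags the built-in Administrator (RID 500), and warns when the candidates would put every Domain Admin into Protected Users. It assumes the ActiveDirectory module, a 2012 R2 PDC emulator (so the group exists), and a cutoff date for "all DCs run 2008 or later" that you must set for your own domain; the account names are constructed samples.

```powershell
# Added example, not from the original page: pre-flight checks for the best practices
# above before an account is added to Protected Users. Requires the ActiveDirectory
# module (RSAT) and a 2012 R2 PDC emulator so the group exists.
Import-Module ActiveDirectory

# Assumption: the date from which every DC in the domain ran Windows Server 2008 or
# later; passwords set after it have AES keys. Adjust for your environment.
$AesKeyCutoff = Get-Date '2015-01-01'

function Test-ProtectedUsersCandidate {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $problems = @()
    $acct = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties objectClass, pwdLastSet, objectSid
    if (-not $acct) { return ,"Account '$SamAccountName' not found" }

    # Service and computer accounts gain no local protection and can break; refuse them.
    $serviceClasses = 'computer', 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount'
    if ($acct.ObjectClass -in $serviceClasses) {
        return ,"$($acct.ObjectClass) accounts must not be members of Protected Users"
    }

    # AES keys exist only for passwords set on a 2008+ DC. pwdLastSet is a FILETIME;
    # 0 means "must change at next logon", which also leaves the account without keys.
    $pwdLastSet = [int64]$acct.pwdLastSet
    if ($pwdLastSet -eq 0) {
        $problems += 'Password has never been set or must be changed at next logon'
    } elseif ([DateTime]::FromFileTimeUtc($pwdLastSet) -lt $AesKeyCutoff) {
        $when = [DateTime]::FromFileTimeUtc($pwdLastSet).ToString('u')
        $problems += "Password last set $when, before the AES cutoff; reset it first"
    }

    # RID 500 is the built-in Administrator, which has no AES key unless its password
    # was changed on a 2008+ DC (see the note above).
    if ($acct.objectSid.Value -like '*-500') {
        $problems += 'Built-in Administrator: confirm the password was changed on a 2008+ DC'
    }
    return $problems
}

function Test-WouldCoverWholeGroup {
    # True if adding $Candidates would leave no member of $PrivilegedGroup outside
    # Protected Users, i.e. no break-glass account if the restrictions lock everyone out.
    param([string]$PrivilegedGroup, [string[]]$Candidates)
    $members   = @(Get-ADGroupMember $PrivilegedGroup -Recursive | Where-Object ObjectClass -eq 'user')
    $protected = @(Get-ADGroupMember 'Protected Users' -Recursive | ForEach-Object SamAccountName)
    $outside   = @($members | Where-Object { $_.SamAccountName -notin $protected -and $_.SamAccountName -notin $Candidates })
    return ($members.Count -gt 0 -and $outside.Count -eq 0)
}

# Constructed sample input: the accounts an operator wants to protect.
$candidates = 'jane.admin', 'tier0-ops'

"Domain functional level: $((Get-ADDomain).DomainMode) (DC-side restrictions need Windows2012R2Domain)"
if (Test-WouldCoverWholeGroup 'Domain Admins' $candidates) {
    Write-Warning 'Every Domain Admin would end up in Protected Users; keep a tested break-glass account out'
}
foreach ($name in $candidates) {
    $issues = Test-ProtectedUsersCandidate $name
    if ($issues) { Write-Warning "$name skipped: $($issues -join '; ')"; continue }
    Add-ADGroupMember -Identity 'Protected Users' -Members $name -WhatIf   # drop -WhatIf to apply
}
```

The cutoff-date check is a proxy: AD does not expose "this account has AES keys" directly, so the script treats any password set before the date you supply as suspect and asks for a reset, which is the same remedy the best practices above prescribe.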

Requirements for using protected accounts

Protected accounts have the following deployment requirements:

  • To provide client-side restrictions for Protected Users, hosts must run Windows 8.1 or Windows Server 2012 R2. A user only has to sign on with an account that is a member of the Protected Users group. In this case, the Protected Users group can be created by transferring the primary domain controller (PDC) emulator role to a domain controller that runs Windows Server 2012 R2. After the group object has replicated to the other domain controllers, the PDC emulator role can be moved back to a domain controller that runs an earlier version of Windows Server.

  • To provide domain controller-side restrictions for Protected Users, that is, to restrict the use of NTLM authentication and apply the other restrictions listed above, the domain functional level must be Windows Server 2012 R2. For more information about functional levels, see Understanding Active Directory Domain Services (AD DS) Functional Levels.

This section covers the new logs that help troubleshoot events related to Protected Users, and how membership in Protected Users changes the way you troubleshoot ticket-granting ticket (TGT) expiration and delegation issues.

New logs for Protected Users

Two new operational administrative logs are available to help troubleshoot events that are related to Protected Users: Protected User - Client Log and Protected User Failures - Domain Controller Log. These logs are located in Event Viewer and are disabled by default. To enable a log, click Applications and Services Logs, click Microsoft, click Windows, click Authentication, click the name of the log, and then click Action (or right-click the log) and click Enable Log.

For more information about events in these logs, see Authentication Policies and Authentication Policy Silos.

Troubleshoot TGT expiration

Normally, the domain controller sets the TGT lifetime and renewal period from the domain's Kerberos Policy (Computer Configuration | Windows Settings | Security Settings | Account Policies | Kerberos Policy in the Group Policy Management Editor), whose defaults are a 10-hour maximum user ticket lifetime and a 7-day maximum renewal lifetime.

For Protected Users, the following settings are hard-coded and override the domain policy:

  • Maximum lifetime for user ticket: 240 minutes

  • Maximum lifetime for user ticket renewal: 240 minutes

Troubleshoot delegation issues

Previously, if a technology that uses Kerberos delegation was failing, you checked the client account to see whether Account is sensitive and cannot be delegated was set. However, if the account is a member of Protected Users, delegation is blocked even though this setting might not be configured in Active Directory Administrative Center (ADAC). As a result, check both the setting and the group membership when you troubleshoot delegation issues.

Audit authentication attempts

To audit authentication attempts explicitly for members of the Protected Users group, you can continue to collect security log audit events or collect the data in the new operational administrative logs. For more information about these events, see Authentication Policies and Authentication Policy Silos.

Provide DC-side protections for services and computers

Accounts for services and computers cannot be members of Protected Users. This section explains which domain controller-based protections can be offered to these accounts instead:

  • Reject NTLM authentication: only configurable through the NTLM blocking policies (the Network security: Restrict NTLM settings).

  • Reject Data Encryption Standard (DES) in Kerberos pre-authentication: Windows Server 2012 R2 domain controllers do not accept DES for computer accounts unless the account is configured for DES only, because every version of Windows that shipped with Kerberos also supports RC4.

  • Reject RC4 in Kerberos pre-authentication: not configurable at the domain controller.

    Note

    Although it is possible to change the supported encryption types of an account (the msDS-SupportedEncryptionTypes attribute), do not change those settings for computer accounts without testing in the target environment.

  • Restrict user tickets (TGTs) to an initial 4-hour lifetime: use Authentication Policies.

  • Deny delegation with unconstrained or constrained delegation: to restrict an account, open Active Directory Administrative Center (ADAC) and select the Account is sensitive and cannot be delegated check box.

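The two account-level protections in the list above (the "sensitive" flag and the supported encryption types) can be audited and applied from PowerShell. The following is an added example written for this page, not code from the original topic or from Microsoft. It assumes the ActiveDirectory module and its property names (AccountNotDelegated, KerberosEncryptionType, TrustedForDelegation, PasswordLastSet) on user, gMSA and computer objects; the account names are constructed samples. NTLM rejection is left to the Restrict NTLM policies and is not handled here.

```powershell
# Added example, not from the original page: apply the DC-side protections listed
# above to service and computer accounts, which cannot join Protected Users. Requires
# the ActiveDirectory module; account names are constructed samples.
Import-Module ActiveDirectory

$Targets = @(
    @{ Name = 'svc-backup'; Kind = 'user' }       # classic service account (a user object)
    @{ Name = 'gmsa-web$';  Kind = 'gmsa' }       # group managed service account
    @{ Name = 'FS01$';      Kind = 'computer' }   # member server
)

function Get-AccountState {
    param([string]$Name, [string]$Kind)
    $props = 'AccountNotDelegated', 'KerberosEncryptionType', 'TrustedForDelegation', 'PasswordLastSet'
    switch ($Kind) {
        'user'     { Get-ADUser           -Identity $Name -Properties $props }
        'gmsa'     { Get-ADServiceAccount -Identity $Name -Properties $props }
        'computer' { Get-ADComputer       -Identity $Name -Properties $props }
    }
}

function Protect-Account {
    param([string]$Name, [string]$Kind, [switch]$Apply)
    $acct = Get-AccountState $Name $Kind
    $changes = @()

    # "Account is sensitive and cannot be delegated" is the only way to block constrained
    # and unconstrained delegation for an account outside Protected Users.
    if (-not $acct.AccountNotDelegated) { $changes += 'AccountNotDelegated' }
    if ($acct.TrustedForDelegation)      { $changes += 'TrustedForDelegation (unconstrained) is set; review' }

    # The KDC cannot be told to reject RC4, so pin the account itself to AES via
    # msDS-SupportedEncryptionTypes. An empty value means "DC default", which allows RC4.
    $enc = [string]$acct.KerberosEncryptionType
    if ($enc -notmatch 'AES' -or $enc -match 'RC4|DES') { $changes += 'KerberosEncryptionType=AES128,AES256' }

    if ($Apply) {
        if ($changes -contains 'AccountNotDelegated') {
            Set-ADAccountControl -Identity $acct -AccountNotDelegated $true
        }
        if ($changes -like 'KerberosEncryptionType*') {
            # Caveat from the note above: test on computer accounts first. The current
            # password must already have AES keys (set on a 2008+ DC) or Kerberos breaks.
            switch ($Kind) {
                'user'     { Set-ADUser           -Identity $acct -KerberosEncryptionType AES128, AES256 }
                'gmsa'     { Set-ADServiceAccount -Identity $acct -KerberosEncryptionType AES128, AES256 }
                'computer' { Set-ADComputer       -Identity $acct -KerberosEncryptionType AES128, AES256 }
            }
        }
    }
    [pscustomobject]@{
        Account         = $Name
        Kind            = $Kind
        PasswordLastSet = $acct.PasswordLastSet
        Changes         = ($changes -join '; ')
        Applied         = [bool]$Apply
    }
}

# Report first; rerun with -Apply once the impact has been tested.
$Targets | ForEach-Object { $t = $_; Protect-Account @t } | Format-Table -AutoSize
# $Targets | ForEach-Object { $t = $_; Protect-Account @t -Apply }
```

PasswordLastSet is included in the report because pinning an account to AES only works if its current password already has AES keys; a service account whose password was last set years ago on an old domain controller needs a password reset before the encryption-type change, otherwise Kerberos authentication for it fails.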

Authentication policies

Authentication Policies is a new container in AD DS that holds authentication policy objects. Authentication policies specify settings that help mitigate exposure to credential theft, such as restricting the TGT lifetime for accounts or adding claims-related access control conditions.

In Windows Server 2012, Dynamic Access Control introduced a forest-scoped Active Directory object class called Central Access Policy to provide an easy way to configure file servers across an organization. In Windows Server 2012 R2, a new object class called Authentication Policy (objectClass msDS-AuthNPolicies) can be used to apply authentication configuration to account classes in Windows Server 2012 R2 domains. The Active Directory account classes are:

  • User

  • Computer

  • Managed Service Account and group Managed Service Account (gMSA)

Quick Kerberos refresher

The Kerberos authentication protocol consists of three types of exchanges, also known as subprotocols:

  • The Authentication Service (AS) exchange (KRB_AS_*)

  • The Ticket-Granting Service (TGS) exchange (KRB_TGS_*)

  • The Client/Server (AP) exchange (KRB_AP_*)

The AS exchange is where the client uses the account's password or private key to create a pre-authenticator and request a ticket-granting ticket (TGT). This happens at user sign-on or the first time a service ticket is needed.

The TGS exchange is where the account's TGT is used to create an authenticator and request a service ticket. This happens whenever an authenticated connection to a service is needed.

The AP exchange is carried inside the application protocol itself and is not affected by authentication policies.

For more detailed information, see How the Kerberos Version 5 Authentication Protocol Works.

Overview

Authentication policies complement Protected Users by providing a way to apply configurable restrictions to accounts, including accounts for services and computers. Authentication policies are enforced during the AS exchange or the TGS exchange.

You can restrict initial authentication (the AS exchange) by configuring:

  • A TGT lifetime

  • Access control conditions to restrict user sign-on, which must be met by the device from which the AS exchange originates

You can restrict service ticket requests (the TGS exchange) by configuring:

  • Access control conditions which must be met by the client (user, service, or computer) or by the device from which the TGS exchange originates

Requirements for using authentication policies

  • Policy: Provide custom TGT lifetimes
    Requirements: Windows Server 2012 R2 domain functional level in the account domain

  • Policy: Restrict user sign-on
    Requirements: Windows Server 2012 R2 domain functional level in the account domain, with Dynamic Access Control support; Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2 devices with Dynamic Access Control support

  • Policy: Restrict service ticket issuance based on user account and security groups
    Requirements: Windows Server 2012 R2 domain functional level in the resource domain

  • Policy: Restrict service ticket issuance based on user claims, or on device account, security groups, or claims
    Requirements: Windows Server 2012 R2 domain functional level in the resource domain, with Dynamic Access Control support

Restrict a user account to specific devices and hosts

A high-value account with administrative privilege should be a member of the Protected Users group. By default, no accounts are members of the Protected Users group. Before you add accounts to the group, configure domain controller support and create an audit-only authentication policy to ensure that there are no blocking issues.

Configure domain controller support

The user's account domain must be at the Windows Server 2012 R2 domain functional level (DFL). Ensure that all domain controllers run Windows Server 2012 R2, and then use Active Directory Domains and Trusts to raise the DFL to Windows Server 2012 R2.

To configure support for Dynamic Access Control

  1. In the Default Domain Controllers Policy, under Computer Configuration | Administrative Templates | System | KDC, set KDC support for claims, compound authentication and Kerberos armoring to Enabled.

  2. Under Options, in the drop-down list box, select Always provide claims.

    Note

    Supported can also be configured, but because the domain is at the Windows Server 2012 R2 DFL, having the DCs always provide claims allows user claims-based access checks to occur even when non-claims-aware devices and hosts connect to claims-aware services.

    Warning

    Configuring Fail unarmored authentication requests causes authentication failures from any operating system that does not support Kerberos armoring, such as Windows 7 and earlier, and from Windows 8 and later systems that have not been explicitly configured to support it.

Create a user account audit for authentication policy with ADAC

  1. Open Active Directory Administrative Center (ADAC) and select the Authentication node.

    Note

    The Authentication node is visible only for domains that are at the Windows Server 2012 R2 DFL. If the node does not appear, try again by using a domain administrator account from a domain that is at the Windows Server 2012 R2 DFL.

  2. Click Authentication Policies, and then click New to create a new policy.

    Authentication policies must have a display name and are enforced by default.

  3. To create an audit-only policy, click Only audit policy restrictions.

    Authentication policies are applied based on the Active Directory account type. A single policy can apply to all three account types by configuring settings for each type. The account types are:

    • User

    • Computer

    • Managed Service Account and Group Managed Service Account

    If you have extended the schema with new principals that can be used by the Key Distribution Center (KDC), the new account type is treated as the closest account type it derives from.

  4. To configure a TGT lifetime for user accounts, select the Specify a Ticket-Granting Ticket lifetime for user accounts check box and enter the time in minutes.

    For example, if you want a 10-hour maximum TGT lifetime, enter 600. If no TGT lifetime is configured and the account is a member of the Protected Users group, the TGT lifetime and renewal period are 4 hours. Otherwise, the TGT lifetime and renewal period come from the domain's Kerberos Policy in Group Policy (10 hours and 7 days for a domain with default settings).

  5. To restrict the user account to selected devices, click Edit to define the conditions that the device must meet.

  6. In the Edit Access Control Conditions window, click Add a condition.

Add computer account or group conditions

  1. To configure computer accounts or groups as the condition, in the drop-down list box that reads Member of each, select Member of any.

    Note

    This access control condition defines which device or host the user may sign on from. In access control terminology, the computer account of the device or host is the user being evaluated, which is why User is the only option in the first drop-down list.

  2. Click Add items.

  3. To change object types, click Object Types.

  4. To select computer objects in Active Directory, click Computers, and then click OK.

  5. Type the names of the computers to which the user should be restricted, and then click Check Names.

  6. Click OK, and create any other conditions for the computer account.

  7. When done, click OK; the defined conditions appear for the computer account.

Add computer claim conditions

  1. To configure computer claims, open the Group drop-down list and select the claim instead.

    Claims are only available if they have already been provisioned in the forest.

  2. Type the name of the OU to which the user account's sign-on should be restricted.

  3. When done, click OK; the box shows the conditions that were defined.

Troubleshoot missing computer claims

If the claim has been provisioned but is not available in the condition editor, it might be configured only for the Computer class.

Suppose you wanted to restrict authentication based on the organizational unit (OU) of the computer, and that claim was already configured, but only for the Computer class.

For the claim to be available for restricting user sign-on to the device, edit the claim type and select the User check box as well.

Provision a user account with an authentication policy with ADAC

  1. From the User account, click Policy.

  2. Select the Assign an authentication policy to this account check box.

  3. Then select the authentication policy to apply to the user.

Configure Dynamic Access Control support on devices and hosts

You can configure TGT lifetimes without configuring Dynamic Access Control (DAC). DAC is only needed for evaluating the AllowedToAuthenticateFrom and AllowedToAuthenticateTo conditions.

Using either Group Policy or the Local Group Policy Editor, enable Kerberos client support for claims, compound authentication and Kerberos armoring under Computer Configuration | Administrative Templates | System | Kerberos.
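Both the KDC policy on the domain controllers (from the "Configure domain controller support" procedure above) and the Kerberos client policy on devices have to be in place before AllowedToAuthenticateFrom/To conditions are evaluated, and a device that is missing the client setting fails silently into non-armored behaviour. The following is an added example written for this page, not code from the original topic or from Microsoft: it reads back the registry values that the two Group Policy settings write and reports them per host. The key paths, value names (EnableCbacAndArmor, CbacAndArmorLevel) and the mapping of CbacAndArmorLevel to the Options drop-down are stated as assumptions; confirm them against the ADMX on your domain controllers. Nothing is changed.

```powershell
# Added example, not from the original page: verify the KDC and Kerberos client
# "support for claims, compound authentication and Kerberos armoring" settings by reading
# the registry values the policies write. Paths, value names and level meanings are
# assumptions (verify against the ADMX); the ActiveDirectory module is used only to
# enumerate DCs. Read-only.
$KdcKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$ClientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Assumed mapping of the KDC policy's "Options" drop-down to CbacAndArmorLevel.
$KdcLevels = @{ 1 = 'Supported'; 2 = 'Always provide claims'; 3 = 'Fail unarmored authentication requests' }

function Get-PolicyValue {
    # Reads one DWORD from the policy key locally or over WinRM; $null when not configured.
    param([string]$Key, [string]$Name, [string]$ComputerName = $env:COMPUTERNAME)
    $sb = { param($k, $n) (Get-ItemProperty -Path $k -Name $n -ErrorAction SilentlyContinue).$n }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $sb $Key $Name }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb -ArgumentList $Key, $Name }
}

function Test-KdcClaimsSupport {
    param([string]$DomainController)
    $enabled = Get-PolicyValue $KdcKey 'EnableCbacAndArmor' $DomainController
    $level   = Get-PolicyValue $KdcKey 'CbacAndArmorLevel'  $DomainController
    $option  = 'not configured'
    if ($level -ne $null -and $KdcLevels.ContainsKey([int]$level)) { $option = $KdcLevels[[int]$level] }
    [pscustomobject]@{
        Host    = $DomainController
        Role    = 'KDC'
        Enabled = ($enabled -eq 1)
        Option  = $option
        # The Warning above: level 3 breaks clients that cannot armor (Windows 7 and earlier).
        Risk    = if ($level -eq 3) { 'Fails unarmored clients' } else { '' }
    }
}

function Test-KerberosClientClaimsSupport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $enabled = Get-PolicyValue $ClientKey 'EnableCbacAndArmor' $ComputerName
    [pscustomobject]@{
        Host    = $ComputerName
        Role    = 'Kerberos client'
        Enabled = ($enabled -eq 1)
        Option  = 'n/a'
        Risk    = if ($enabled -ne 1) { 'Device conditions in policies cannot be evaluated for this host' } else { '' }
    }
}

Import-Module ActiveDirectory
$report = @()
foreach ($dc in (Get-ADDomain).ReplicaDirectoryServers) { $report += Test-KdcClaimsSupport $dc }
$report += Test-KerberosClientClaimsSupport          # the host running the script
$report | Format-Table -AutoSize
```

Run it from an administrative workstation that has WinRM access to the domain controllers; a DC reporting Enabled = False, or a workstation reporting Enabled = False, explains why a policy with device conditions audits clean but never actually restricts sign-on.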

Troubleshoot Authentication Policies

Determine the accounts that are directly assigned an Authentication Policy

The Accounts section of the Authentication Policy in ADAC lists the accounts to which the policy is directly assigned.

Use the Authentication Policy Failures - Domain Controller administrative log

A new Authentication Policy Failures - Domain Controller administrative log under Applications and Services Logs > Microsoft > Windows > Authentication makes it easier to discover failures caused by authentication policies. The log is disabled by default. To enable it, right-click the log name and click Enable Log. The new events are very similar in content to the existing Kerberos TGT and service ticket audit events. For more information about these events, see Authentication Policies and Authentication Policy Silos.
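All three operational logs named on this page (the Protected User client and domain controller logs introduced under "New logs for Protected Users", and the Authentication Policy Failures log described here) are disabled by default and live on different machines, so enabling them by hand across a DC set is error-prone. The following is an added example written for this page, not code from the original topic or from Microsoft: it enables the logs through the same event log configuration that Event Viewer's "Enable Log" uses, and pulls recent events back. The channel names are given as the Event Viewer path suggests and are an assumption; confirm them with Get-WinEvent -ListLog on a 2012 R2 host.

```powershell
# Added example, not from the original page: enable the Protected Users and Authentication
# Policy operational logs and read recent events. Channel names are assumptions; check
# them with: Get-WinEvent -ListLog 'Microsoft-Windows-Authentication/*'
$Channels = @{
    ProtectedUserClient = 'Microsoft-Windows-Authentication/ProtectedUser-Client'                         # on clients/hosts
    ProtectedUserFailDC = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'       # on DCs
    AuthPolicyFailDC    = 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController' # on DCs
}

function Enable-AuthenticationLog {
    # Equivalent to right-click > Enable Log in Event Viewer; idempotent.
    param([string]$LogName, [string]$ComputerName = $env:COMPUTERNAME)
    $log = Get-WinEvent -ListLog $LogName -ComputerName $ComputerName -ErrorAction Stop
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
    }
    [pscustomobject]@{
        Computer = $ComputerName
        Log      = $LogName
        Enabled  = $log.IsEnabled
        MaxKB    = [int]($log.MaximumSizeInBytes / 1KB)   # raise this on busy DCs; the default is small
    }
}

function Get-AuthenticationLogEvents {
    # Recent events from one channel on one host; silent when the log is empty.
    param([string]$LogName, [string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Computer'; e = { $ComputerName } }, TimeCreated, Id, Message
}

Import-Module ActiveDirectory
$dcs = (Get-ADDomain).ReplicaDirectoryServers

# Domain controller side: both DC logs on every DC.
foreach ($dc in $dcs) {
    Enable-AuthenticationLog $Channels.ProtectedUserFailDC $dc
    Enable-AuthenticationLog $Channels.AuthPolicyFailDC    $dc
}
# Client side: the Protected User client log on this (admin) workstation.
Enable-AuthenticationLog $Channels.ProtectedUserClient

# Review what an audit-only policy would have blocked in the last day.
$dcs | ForEach-Object { Get-AuthenticationLogEvents $Channels.AuthPolicyFailDC $_ } |
    Sort-Object TimeCreated -Descending | Format-Table -Wrap
```

Because an audit-only policy or silo writes to the Authentication Policy Failures log without blocking anyone, the last pipeline is the review step to run before flipping a policy to enforced: an empty result over a representative period is the evidence that enforcement will not lock accounts out.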

Manage authentication policies by using Windows PowerShell

This command creates an authentication policy named testAuthenticationPolicy. The UserAllowedToAuthenticateFrom parameter takes, as an SDDL string, the conditions that the device must meet for users to authenticate; here the string is taken from the security descriptor of the file someFile.txt (Get-Acl returns the file's ACL, whose Sddl property is passed in), which is a convenient way to reuse a descriptor you have already built.

PS C:\> New-ADAuthenticationPolicy testAuthenticationPolicy -UserAllowedToAuthenticateFrom (Get-Acl .\someFile.txt).sddl

This command gets all authentication policies that match the filter specified by the Filter parameter, querying the domain controller Server02.Contoso.com.

PS C:\> Get-ADAuthenticationPolicy -Filter "Name -like 'testADAuthenticationPolicy*'" -Server Server02.Contoso.com

This command modifies the Description and UserTGTLifetimeMins properties of the specified authentication policy.

PS C:\> Set-ADAuthenticationPolicy -Identity ADAuthenticationPolicy1 -Description "Description" -UserTGTLifetimeMins 45

This command removes the authentication policy specified by the Identity parameter.

PS C:\> Remove-ADAuthenticationPolicy -Identity ADAuthenticationPolicy1

This command uses the Get-ADAuthenticationPolicy cmdlet with the Filter parameter to get all authentication policies that are not enforced. The result set is piped to the Remove-ADAuthenticationPolicy cmdlet.

PS C:\> Get-ADAuthenticationPolicy -Filter 'Enforce -eq $false' | Remove-ADAuthenticationPolicy
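The cmdlets above take the device condition as an SDDL string, but the page only shows it being copied from a file. The following is an added example written for this page, not code from the original topic or from Microsoft: it performs the ADAC procedure from "Create a user account audit for authentication policy with ADAC" through "Provision a user account with an authentication policy with ADAC" in PowerShell, building the "Member of any" device condition by hand from a computer group's SID, creating the policy audit-only with a 10-hour TGT lifetime, assigning it, and reading it back. The conditional-ACE layout (an XA ACE granting the CR control right to Everyone, narrowed by a Member_of_any condition that, as the note above explains, is evaluated against the device's computer account) is an assumption; confirm it by building one policy in ADAC and comparing its UserAllowedToAuthenticateFrom value. Group, policy and user names are constructed samples.

```powershell
# Added example, not from the original page: audit-only authentication policy that
# restricts a user's sign-on to members of a computer group, with the ADAC steps above
# expressed as cmdlets. SDDL shape is an assumption; names are constructed samples.
Import-Module ActiveDirectory

$PolicyName   = 'Tier0-AdminWorkstations'
$DeviceGroups = 'PAW-Tier0'          # computer accounts allowed to sign this user on
$UserName     = 'jane.admin'
$TgtMinutes   = 600                  # the 10-hour example from the ADAC procedure

function New-DeviceGroupSddl {
    # Produces: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(S-1-5-21-...), ...}))
    # XA = conditional access-allowed ACE, CR = the "authenticate" control right,
    # WD = Everyone, narrowed by the Member_of_any condition on the *device's* groups.
    param([string[]]$GroupName)
    $sids = foreach ($g in $GroupName) { 'SID(' + (Get-ADGroup -Identity $g).SID.Value + ')' }
    'O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {' + ($sids -join ', ') + '}))'
}

function New-AuditedDevicePolicy {
    # Audit-only by default (no -Enforce): failures appear in the Authentication Policy
    # Failures log without blocking anyone. Run Set-ADAuthenticationPolicy -Enforce $true
    # after reviewing that log.
    param([string]$Name, [string[]]$DeviceGroup, [int]$Minutes)
    $sddl = New-DeviceGroupSddl $DeviceGroup
    New-ADAuthenticationPolicy -Name $Name -UserTGTLifetimeMins $Minutes `
        -UserAllowedToAuthenticateFrom $sddl -PassThru
}

function Get-PolicyAssignment {
    # Reads back what the DC will actually evaluate, plus the accounts the policy binds.
    param([string]$Name)
    $p = Get-ADAuthenticationPolicy -Identity $Name -Properties *
    [pscustomobject]@{
        Policy      = $p.Name
        Enforced    = $p.Enforce
        TgtMinutes  = $p.UserTGTLifetimeMins
        DeviceSddl  = $p.UserAllowedToAuthenticateFrom
        Accounts    = @(Get-ADUser -Filter "msDS-AssignedAuthNPolicy -eq '$($p.DistinguishedName)'" |
                        ForEach-Object SamAccountName)
    }
}

$policy = New-AuditedDevicePolicy -Name $PolicyName -DeviceGroup $DeviceGroups -Minutes $TgtMinutes
Set-ADUser -Identity $UserName -AuthenticationPolicy $policy     # "Assign an authentication policy to this account"
Get-PolicyAssignment $PolicyName | Format-List
```

The read-back matters more than the creation: Get-PolicyAssignment shows the SDDL as stored and which accounts are bound, which is the same information as the Accounts section in ADAC and lets you spot a mistyped SID before the policy is enforced.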

Authentication policy silos

Authentication Policy Silos is a new container (objectClass msDS-AuthNPolicySilos) in AD DS for user, computer, and service accounts. Silos help protect high-value accounts. All organizations need to protect members of the Enterprise Admins, Domain Admins, and Schema Admins groups, because an attacker who obtains those accounts can access anything in the forest, but other accounts may also need protection.

Some organizations isolate workloads by creating accounts that are unique to them and by applying Group Policy settings to limit local and remote interactive logon and administrative privileges. Authentication policy silos complement this work by providing a way to define a relationship between user, computer, and managed service accounts. An account can belong to only one silo. You can configure an authentication policy for each type of account in order to control:

  1. The non-renewable TGT lifetime

  2. Access control conditions for returning a TGT (note: these cannot be applied to systems, because Kerberos armoring is required)

  3. Access control conditions for returning a service ticket

Additionally, accounts in an authentication policy silo carry a silo claim, which claims-aware resources such as file servers can use to control access.

A new security descriptor can be configured to control service ticket issuance based on:

  • The user, the user's security groups, and/or the user's claims

  • The device, the device's security groups, and/or the device's claims

Getting this information to the resource domain's DCs requires Dynamic Access Control:

  • User claims:

    • Windows 8 and later clients that support Dynamic Access Control

    • An account domain that supports Dynamic Access Control and claims

  • Device and/or device security groups:

    • Windows 8 and later clients that support Dynamic Access Control

    • A resource configured for compound authentication

  • Device claims:

    • Windows 8 and later clients that support Dynamic Access Control

    • A device domain that supports Dynamic Access Control and claims

    • A resource configured for compound authentication

Authentication policies can be applied to all members of an authentication policy silo instead of to individual accounts, or separate authentication policies can be applied to the different types of accounts within a silo. For example, one authentication policy can be applied to highly privileged user accounts and a different policy to service accounts. At least one authentication policy must exist before an authentication policy silo can be created.

Note

An authentication policy can be applied to the members of an authentication policy silo, or it can be applied independently of silos to a specific set of accounts. For example, to protect a single account or a small set of accounts, a policy can be assigned to those accounts without adding them to a silo.

You can create an authentication policy silo by using Active Directory Administrative Center or Windows PowerShell. By default, an authentication policy silo only audits its policies, which is comparable to specifying the WhatIf parameter on a Windows PowerShell cmdlet: the silo's restrictions are not applied, but audit events are generated to show which requests would have failed if the restrictions were enforced.

To create an authentication policy silo by using Active Directory Administrative Center

  1. Open Active Directory Administrative Center, click Authentication, right-click Authentication Policy Silos, click New, and then click Authentication Policy Silo.

  2. In Display name, type a name for the silo. In Permitted Accounts, click Add, type the names of the accounts, and then click OK. You can specify users, computers, or service accounts. Then specify whether to use a single policy for all principals or a separate policy for each type of principal, and the name of the policy or policies.

Manage authentication policy silos by using Windows PowerShell

This command creates an authentication policy silo object and enforces it.

PS C:\>New-ADAuthenticationPolicySilo -Name newSilo -Enforce

This command gets all the authentication policy silos that match the filter specified by the Filter parameter. The output is then passed to the Format-Table cmdlet to display the name of each silo and the value of Enforce on it.

PS C:\>Get-ADAuthenticationPolicySilo -Filter 'Name -like "*silo*"' | Format-Table Name, Enforce -AutoSize

Name  Enforce
----  -------
silo     True
silos   False

This command uses the Get-ADAuthenticationPolicySilo cmdlet with the Filter parameter to get all authentication policy silos that are not enforced, and pipes the result to the Remove-ADAuthenticationPolicySilo cmdlet.

PS C:\>Get-ADAuthenticationPolicySilo -Filter 'Enforce -eq $False' | Remove-ADAuthenticationPolicySilo

This command grants the user account User01 access to the authentication policy silo named Silo.

PS C:\>Grant-ADAuthenticationPolicySiloAccess -Identity Silo -Account User01

This command revokes the access of the user account User01 to the authentication policy silo named Silo. Because the Confirm parameter is set to $False, no confirmation prompt appears.

PS C:\>Revoke-ADAuthenticationPolicySiloAccess -Identity Silo -Account User01 -Confirm:$False

This example first uses the Get-ADComputer cmdlet to get all computer accounts that match the filter specified by the Filter parameter. The output is passed to Set-ADAccountAuthenticationPolicySilo to assign the authentication policy silo named Silo and the authentication policy named AuthenticationPolicy02 to them.

PS C:\>Get-ADComputer -Filter 'Name -like "newComputer*"' | Set-ADAccountAuthenticationPolicySilo -AuthenticationPolicySilo Silo -AuthenticationPolicy AuthenticationPolicy02
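The individual silo cmdlets above are shown one at a time; what a practitioner needs is the order they go in and the two-sided membership that trips people up (the silo must permit the account, and the account must be pointed at the silo, before the silo claim is issued). The following is an added example written for this page, not code from the original topic or from Microsoft: it creates one policy for the administrators and one for their hosts, both keyed on the silo claim, creates the silo in its default audit-only state, adds the members from both sides, and reports which accounts are actually in. The silo-claim condition (@USER.ad://ext/AuthenticationSilo == "<name>") is the form ADAC generates when the condition is an authentication policy silo and is an assumption to confirm against a silo built in ADAC; the property names Members and msDS-AssignedAuthNPolicySilo are likewise assumed. All names are constructed samples. A silo complements Protected Users and does not replace it.

```powershell
# Added example, not from the original page: an authentication policy silo end to end.
# SDDL condition and attribute names are assumptions; names are constructed samples.
Import-Module ActiveDirectory

$SiloName = 'Tier0Silo'
$Admins   = 'jane.admin', 'tier0-ops'
$Hosts    = 'PAW01$', 'DC01$'        # computer accounts, sAMAccountName form

# Conditional ACE that passes only when the account being evaluated carries the silo claim.
$SiloClaimSddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'

function New-SiloPolicies {
    param([string]$Silo, [string]$Sddl)
    # Users: a TGT is issued only when the *device* is in the silo (the device is the
    # "user" of an AllowedToAuthenticateFrom condition), and it lasts 4 hours.
    $userPol = New-ADAuthenticationPolicy -Name "$Silo-Users" -UserTGTLifetimeMins 240 `
        -UserAllowedToAuthenticateFrom $Sddl -PassThru
    # Computers: service tickets to these hosts are issued only to silo members.
    $compPol = New-ADAuthenticationPolicy -Name "$Silo-Computers" `
        -ComputerAllowedToAuthenticateTo $Sddl -PassThru
    [pscustomobject]@{ UserPolicy = $userPol; ComputerPolicy = $compPol }
}

function New-SiloWithMembers {
    param([string]$Silo, $Policies, [string[]]$Users, [string[]]$Computers)
    # No -Enforce: audit-only, so failures are logged but nothing is blocked yet.
    $silo = New-ADAuthenticationPolicySilo -Name $Silo `
        -UserAuthenticationPolicy $Policies.UserPolicy `
        -ComputerAuthenticationPolicy $Policies.ComputerPolicy -PassThru
    # Side 1: the silo permits the account.
    foreach ($a in ($Users + $Computers)) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $a
    }
    # Side 2: the account is assigned to the silo. Both are required for the silo claim.
    foreach ($a in ($Users + $Computers)) {
        Set-ADAccountAuthenticationPolicySilo -Identity $a -AuthenticationPolicySilo $silo
    }
    $silo
}

function Get-SiloReport {
    # One row per permitted account, showing whether the account side is also set.
    param([string]$Silo)
    $s = Get-ADAuthenticationPolicySilo -Identity $Silo -Properties Members, Enforce
    foreach ($dn in $s.Members) {
        $o = Get-ADObject -Identity $dn -Properties msDS-AssignedAuthNPolicySilo
        [pscustomobject]@{
            Silo     = $s.Name
            Enforced = $s.Enforce
            Account  = $o.Name
            Class    = $o.ObjectClass
            Assigned = ($o.'msDS-AssignedAuthNPolicySilo' -eq $s.DistinguishedName)
        }
    }
}

$policies = New-SiloPolicies -Silo $SiloName -Sddl $SiloClaimSddl
$null     = New-SiloWithMembers -Silo $SiloName -Policies $policies -Users $Admins -Computers $Hosts
Get-SiloReport $SiloName | Format-Table -AutoSize
```

Leave the silo audit-only until the Authentication Policy Failures log on every DC has been reviewed for a representative period (the Enforced column stays False until you run Set-ADAuthenticationPolicySilo -Enforce $true), and remember that the device conditions depend on the DC-side and client-side Dynamic Access Control settings described earlier; without them the silo claim is never presented and the conditions are not evaluated.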