保护 Active Directory 联合身份验证服务的最佳实践Best practices for securing Active Directory Federation Services

本文档提供了 Active Directory 联合身份验证服务 (AD FS) 和 Web 应用程序代理安全规划和部署的最佳实践。This document provides best practices for the secure planning and deployment of Active Directory Federation Services (AD FS) and Web Application Proxy. 它包含有关这些组件的默认行为的信息,以及针对具有特定用例和安全要求的组织的其他安全配置的建议。It contains information about the default behaviors of these components and recommendations for additional security configurations for an organization with specific use cases and security requirements.

本文档适用于 Windows Server 2012 R2 和 Windows Server 2016 (preview) AD FS 和 WAP。This document applies to AD FS and WAP in Windows Server 2012 R2 and Windows Server 2016 (preview). 无论基础结构部署在本地网络中,还是部署在 Microsoft Azure 的云托管环境中,都可以使用这些建议。These recommendations can be used whether the infrastructure is deployed in an on premises network or in a cloud hosted environment such as Microsoft Azure.

标准部署拓扑Standard deployment topology

对于本地环境中的部署,建议使用一个标准部署拓扑,该拓扑包含内部企业网络中的一个或多个 AD FS 服务器,其中包含一个或多个 Web 应用程序代理 (在 DMZ 或 extranet 网络中的 WAP) 服务器。For deployment in on-premises environments, we recommend a standard deployment topology consisting of one or more AD FS servers on the internal corporate network, with one or more Web Application Proxy (WAP) servers in a DMZ or extranet network. 在每个层,AD FS 和 WAP,硬件或软件负载平衡器置于服务器场的前面,并处理流量路由。At each layer, AD FS and WAP, a hardware or software load balancer is placed in front of the server farm and handles traffic routing. 防火墙在每个 (FS 和代理) 场前面的负载均衡器的外部 IP 地址的前面放置。Firewalls are placed as required in front of the external IP address of the load balancer in front of each (FS and proxy) farm.

描述标准 A D F S 拓扑的关系图。

备注

AD FS 需要一个完全可写域控制器才能运行,而不是 Read-Only 域控制器。AD FS requires a full writable Domain Controller to function as opposed to a Read-Only Domain Controller. 如果计划的拓扑包含 Read-Only 域控制器,则 Read-Only 域控制器可用于身份验证,但 LDAP 声明处理将需要与可写域控制器建立连接。If a planned topology includes a Read-Only Domain controller, the Read-Only domain controller can be used for authentication but LDAP claims processing will require a connection to the writable domain controller.

需要的端口Ports required

下图描述了在 AD FS 和 WAP 部署的组件之间必须启用的防火墙端口。The below diagram depicts the firewall ports that must be enabled between and amongst the components of the AD FS and WAP deployment. 如果部署不包括 Azure AD/Office 365,则可忽略同步要求。If the deployment does not include Azure AD / Office 365, the sync requirements can be disregarded.

请注意,仅当使用用户证书身份验证时才需要端口49443,对于 Azure AD 和 Office 365 是可选的。Note that port 49443 is only required if user certificate authentication is used, which is optional for Azure AD and Office 365.

显示某个 D F S 部署所需的端口和协议的关系图。

备注

端口 808 (Windows Server 2012R2) 或端口 1501 (Windows Server 2016 +) 是 Net.tcp 端口 AD FS 用于本地 WCF 终结点,以将配置数据传输到服务进程和 Powershell。Port 808 (Windows Server 2012R2) or port 1501 (Windows Server 2016+) is the Net.TCP port AD FS uses for the local WCF endpoint to transfer configuration data to the service process and Powershell. 可以通过运行 Get-AdfsProperties 来查看此端口 |选择 NetTcpPort。This port can be seen by running Get-AdfsProperties | select NetTcpPort. 这是一个本地端口,无需在防火墙中打开,但会在端口扫描中显示。This is a local port that will not need to be opened in the firewall but will be displayed in a port scan.

Azure AD Connect 和联合服务器/WAPAzure AD Connect and Federation Servers/WAP

此表描述了 Azure AD Connect 服务器与 联合服务器/WAP 服务器之间通信所需的端口和协议。This table describes the ports and protocols that are required for communication between the Azure AD Connect server and Federation/WAP servers.

协议Protocol 端口Ports 说明Description
HTTPHTTP 80 (TCP/UDP)80 (TCP/UDP) 用于下载 CRL(证书吊销列表)以验证 SSL 证书。Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates.
HTTPSHTTPS 443 (TCP/UDP)443(TCP/UDP) 用来与 Azure AD 同步。Used to synchronize with Azure AD.
WinRMWinRM 59855985 WinRM 侦听器WinRM Listener

WAP 和联合服务器WAP and Federation Servers

此表描述了联合服务器与 WAP 服务器之间通信所需的端口和协议。This table describes the ports and protocols that are required for communication between the Federation servers and WAP servers.

协议Protocol 端口Ports 说明Description
HTTPSHTTPS 443 (TCP/UDP)443(TCP/UDP) 用于身份验证。Used for authentication.

WAP 和用户WAP and Users

此表描述了用户与 WAP 服务器之间通信所需的端口和协议。This table describes the ports and protocols that are required for communication between users and the WAP servers.

协议Protocol 端口Ports 说明Description
HTTPSHTTPS 443 (TCP/UDP)443(TCP/UDP) 用于设备身份验证。Used for device authentication.
TCPTCP 49443 (TCP)49443 (TCP) 用于证书身份验证。Used for certificate authentication.

有关混合部署所需的端口和协议的其他信息,请参阅 此处的文档。For additional information on required ports and protocols required for hybrid deployments see the document here.

有关 Azure AD 和 Office 365 部署所需的端口和协议的详细信息,请参阅 此处的文档。For detailed information about ports and protocols required for an Azure AD and Office 365 deployment, see the document here.

终结点已启用Endpoints enabled

安装 AD FS 和 WAP 后,联合身份验证服务和代理上会启用一组默认的 AD FS 终结点。When AD FS and WAP are installed, a default set of AD FS endpoints are enabled on the federation service and on the proxy. 这些默认值是根据最常用的方案选择的,并且不需要更改它们。These defaults were chosen based on the most commonly required and used scenarios and it is not necessary to change them.

可有可无为 Azure AD/Office 365 启用的终结点代理的最小集[Optional] Min set of endpoints proxy enabled for Azure AD / Office 365

仅对 Azure AD 和 Office 365 方案部署 AD FS 和 WAP 的组织可以进一步限制在代理上启用的 AD FS 终结点数,以实现更小的攻击面。Organizations deploying AD FS and WAP only for Azure AD and Office 365 scenarios can limit even further the number of AD FS endpoints enabled on the proxy to achieve a more minimal attack surface. 下面是在这些情况下,必须在代理上启用的终结点列表:Below is the list of endpoints that must be enabled on the proxy in these scenarios:

终结点Endpoint 目标Purpose
/adfs/ls/adfs/ls 基于浏览器的身份验证流和当前版本的 Microsoft Office 将此终结点用于 Azure AD 和 Office 365 身份验证Browser based authentication flows and current versions of Microsoft Office use this endpoint for Azure AD and Office 365 authentication
/adfs/services/trust/2005/usernamemixed/adfs/services/trust/2005/usernamemixed 用于与 Office 2013 以前版本的 Office 客户端进行的 Exchange Online 2015 更新。Used for Exchange Online with Office clients older than Office 2013 May 2015 update. 更高版本的客户端使用被动 \adfs\ls 终结点。Later clients use the passive \adfs\ls endpoint.
/adfs/services/trust/13/usernamemixed/adfs/services/trust/13/usernamemixed 用于与 Office 2013 以前版本的 Office 客户端进行的 Exchange Online 2015 更新。Used for Exchange Online with Office clients older than Office 2013 May 2015 update. 更高版本的客户端使用被动 \adfs\ls 终结点。Later clients use the passive \adfs\ls endpoint.
/adfs/oauth2/adfs/oauth2 此应用程序用于 (本地或云中的任何现代应用) 你已配置为直接通过 AAD 进行身份验证 AD FS (即不通过 AAD) This one is used for any modern apps (on-prem or in cloud) you have configured to authenticate directly to AD FS (i.e. not through AAD)
/adfs/services/trust/mex/adfs/services/trust/mex 用于与 Office 2013 以前版本的 Office 客户端进行的 Exchange Online 2015 更新。Used for Exchange Online with Office clients older than Office 2013 May 2015 update. 更高版本的客户端使用被动 \adfs\ls 终结点。Later clients use the passive \adfs\ls endpoint.
/adfs/ls/federationmetadata/2007-06/federationmetadata.xml/adfs/ls/federationmetadata/2007-06/federationmetadata.xml 任何被动流的要求;并供 Office 365/Azure AD 用来检查 AD FS 证书。Requirement for any passive flows; and used by Office 365 / Azure AD to check AD FS certificates.

可以使用以下 PowerShell cmdlet 在代理上禁用 AD FS 终结点:AD FS endpoints can be disabled on the proxy using the following PowerShell cmdlet:

Set-AdfsEndpoint -TargetAddressPath <address path> -Proxy $false

例如:For example:

Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/certificatemixed -Proxy $false

身份验证的扩展保护Extended protection for authentication

针对身份验证的扩展保护是一项功能,可在 (MITM) 攻击的中间进行缓解,并在默认情况下使用 AD FS 启用。Extended protection for authentication is a feature that mitigates against man in the middle (MITM) attacks and is enabled by default with AD FS.

若要验证设置,可以执行以下操作:To verify the settings, you can do the following:

可以使用以下 PowerShell cmdlet 验证设置。The setting can be verified using the below PowerShell cmdlet.

Get-ADFSProperties

属性为 ExtendedProtectionTokenCheckThe property is ExtendedProtectionTokenCheck. 默认设置为 "允许",因此无需考虑与不支持功能的浏览器的兼容性问题即可实现安全优势。The default setting is Allow, so that the security benefits can be achieved without the compatibility concerns with browsers that do not support the capability.

用于保护联合身份验证服务的拥塞控制Congestion control to protect the federation service

(WAP) 的联合身份验证服务代理提供拥塞控制,以保护 AD FS 服务免受大量请求的攻击。The federation service proxy (part of the WAP) provides congestion control to protect the AD FS service from a flood of requests. 如果通过 Web 应用程序代理与联合服务器之间的延迟检测到,则 Web 应用程序代理将拒绝外部客户端身份验证请求。The Web Application Proxy will reject external client authentication requests if the federation server is overloaded as detected by the latency between the Web Application Proxy and the federation server. 默认情况下,此功能配置为建议的延迟阈值级别。This feature is configured by default with a recommended latency threshold level.

若要验证设置,可以执行以下操作:To verify the settings, you can do the following:

  1. 在 Web 应用程序代理计算机上,启动一个提升的命令窗口。On your Web Application Proxy computer, start an elevated command window.
  2. 导航到 ADFS 目录,网址为%WINDIR%\adfs\config。Navigate to the ADFS directory, at %WINDIR%\adfs\config.
  3. 将拥塞控制设置从其默认值更改为 <congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64" enabled="true" />Change the congestion control settings from its default values to <congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64" enabled="true" />.
  4. 保存并关闭该文件。Save and close the file.
  5. 通过依次运行 net stop adfssrvnet start adfssrv 重新启动 AD FS 服务。Restart the AD FS service by running net stop adfssrv and then net start adfssrv. 有关参考,可在 此处找到有关此功能的指南。For your reference, guidance on this capability can be found here.

在代理中检查标准 HTTP 请求Standard HTTP request checks at the proxy

代理还对所有流量执行以下标准检查:The proxy also performs the following standard checks against all traffic:

  • FS-P 本身通过短期证书对 AD FS 进行身份验证。The FS-P itself authenticates to AD FS via a short lived certificate. 在怀疑外围服务器泄露的情况下,AD FS 可以 "撤消代理信任",使其不再信任来自可能泄露的代理的任何传入请求。In a scenario of suspected compromise of dmz servers, AD FS can "revoke proxy trust" so that it no longer trusts any incoming requests from potentially compromised proxies. 撤消代理信任会吊销每个代理的证书,使其无法成功地针对 AD FS 服务器的任何目的进行身份验证Revoking the proxy trust revokes each proxy`s own certificate so that it cannot successfully authenticate for any purpose to the AD FS server
  • FS-P 终止所有连接,并创建与内部网络上的 AD FS 服务的新 HTTP 连接。The FS-P terminates all connections and creates a new HTTP connection to the AD FS service on the internal network. 这会在外部设备与 AD FS 服务之间提供会话级缓冲区。This provides a session-level buffer between external devices and the AD FS service. 外部设备从不直接连接到 AD FS 服务。The external device never connects directly to the AD FS service.
  • FS-P 执行 HTTP 请求验证,该验证专门筛选出 AD FS 服务不需要的 HTTP 标头。The FS-P performs HTTP request validation that specifically filters out HTTP headers that are not required by AD FS service.

确保所有 AD FS 和 WAP 服务器都能接收最新的更新,对于您的 AD FS 基础结构,最重要的安全建议是确保您有一种方法,用于使您的 AD FS 和 WAP 服务器最新,并提供所有安全更新以及指定为此页上 AD FS 重要的可选更新。Ensure all AD FS and WAP servers receive the most current updates The most important security recommendation for your AD FS infrastructure is to ensure you have a means in place to keep your AD FS and WAP servers current with all security updates, as well as those optional updates specified as important for AD FS on this page.

Azure AD 客户监视和保持当前基础结构的推荐方式是通过 Azure AD Connect Health AD FS Azure AD Premium 的一项功能。The recommended way for Azure AD customers to monitor and keep current their infrastructure is via Azure AD Connect Health for AD FS, a feature of Azure AD Premium. Azure AD Connect Health 包括 AD FS 或 WAP 计算机是否缺少专门用于 AD FS 和 WAP 的重要更新之一时触发的监视器和警报。Azure AD Connect Health includes monitors and alerts that trigger if an AD FS or WAP machine is missing one of the important updates specifically for AD FS and WAP.

有关为 AD FS 安装 Azure AD Connect Health 的信息,请参阅 此处Information on installing Azure AD Connect Health for AD FS can be found here.

其他安全配置Additional security configurations

可以根据需要配置以下附加功能,为默认部署中提供的这些功能提供额外的保护。The following additional capabilities can be configured optionally to provide additional protections to those offered in the default deployment.

适用于帐户的 Extranet "软" 锁定保护Extranet "soft" lockout protection for accounts

使用 Windows Server 2012 R2 中的 extranet 锁定功能,AD FS 管理员可以设置允许的失败身份验证请求的最大数量, (ExtranetLockoutThreshold) 和 observation window (ExtranetObservationWindow) 的时间段。With the extranet lockout feature in Windows Server 2012 R2, an AD FS administrator can set a maximum allowed number of failed authentication requests (ExtranetLockoutThreshold) and an observation windows time period (ExtranetObservationWindow). 达到 (ExtranetLockoutThreshold) 身份验证请求的最大数目时,AD FS 将停止尝试针对设置时间段 (ExtranetObservationWindow) 的 AD FS 进行身份验证。When this maximum number (ExtranetLockoutThreshold) of authentication requests is reached, AD FS stops trying to authenticate the supplied account credentials against AD FS for the set time period (ExtranetObservationWindow). 此操作可防止此帐户受到 AD 帐户锁定,换言之,它可以防止此帐户失去对依赖于用户身份验证 AD FS 的公司资源的访问权限。This action protects this account from an AD account lockout, in other words, it protects this account from losing access to corporate resources that rely on AD FS for authentication of the user. 这些设置适用于 AD FS 服务可以进行身份验证的所有域。These settings apply to all domains that the AD FS service can authenticate.

你可以使用以下 Windows PowerShell 命令来设置 AD FS extranet 锁定 (示例) :You can use the following Windows PowerShell command to set the AD FS extranet lockout (example):

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow ( new-timespan -Minutes 30 )

此处提供了此功能的公开文档以供参考。For reference, the public documentation of this feature is here.

禁用代理上的 WS-Trust Windows 终结点,即从 extranetDisable WS-Trust Windows endpoints on the proxy i.e. from extranet

(/adfs/services/trust/2005/windowstransport/Adfs/services/trust/13/windowstransport) WS-Trust Windows 终结点仅适用于使用 HTTPS 上的 WIA 绑定的面向 intranet 的终结点。WS-Trust Windows endpoints (/adfs/services/trust/2005/windowstransport and /adfs/services/trust/13/windowstransport) are meant only to be intranet facing endpoints that use WIA binding on HTTPS. 向 extranet 公开它们可能会允许对这些终结点的请求绕过锁定保护。Exposing them to extranet could allow requests against these endpoints to bypass lockout protections. 应在代理上禁用这些终结点, (即禁用了 extranet) 使用以下 PowerShell 命令保护 AD 帐户锁定。These endpoints should be disabled on the proxy (i.e. disabled from extranet) to protect AD account lockout by using following PowerShell commands. 在代理上禁用这些终结点不会影响已知的最终用户。There is no known end user impact by disabling these endpoints on the proxy.

Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/windowstransport -Proxy $false
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/windowstransport -Proxy $false

区分 intranet 和 extranet 访问的访问策略Differentiate access policies for intranet and extranet access

AD FS 能够区分源自本地企业网络的请求的访问策略,以及通过代理从 internet 传入的请求。AD FS has the ability to differentiate access policies for requests that originate in the local, corporate network vs requests that come in from the internet via the proxy. 这可以按应用程序或全局执行。This can be done per application or globally. 对于具有敏感或个人身份信息的高业务价值应用程序或应用程序,请考虑需要多重身份验证。For high business value applications or applications with sensitive or personally identifiable information, consider requiring multi factor authentication. 可以通过 "AD FS 管理" 管理单元完成此操作。This can be done via the AD FS management snap-in.

需要多重身份验证 (MFA) Require Multi factor authentication (MFA)

AD FS 可以配置为要求强身份验证 (例如多重身份验证) 专用于通过代理传入的请求、针对单个应用程序的请求,以及针对 Azure AD/Office 365 和本地资源的条件访问。AD FS can be configured to require strong authentication (such as multi factor authentication) specifically for requests coming in via the proxy, for individual applications, and for conditional access to both Azure AD / Office 365 and on premises resources. MFA 支持的方法包括 Microsoft Azure MFA 和第三方提供程序。Supported methods of MFA include both Microsoft Azure MFA and third party providers. 系统将提示用户提供附加信息 (例如) 包含一次时间代码的短信文本,AD FS 与提供程序的特定插件一起使用以允许访问。The user is prompted to provide the additional information (such as an SMS text containing a one time code), and AD FS works with the provider specific plug-in to allow access.

支持的外部 MFA 提供程序包括 页中列出的那些提供程序以及 HDI Global。Supported external MFA providers include those listed in this page, as well as HDI Global.

硬件安全模块 (HSM)Hardware Security Module (HSM)

在默认配置中,AD FS 用来对令牌进行签名的密钥永远不会将联合服务器保留在 intranet 上。In its default configuration, the keys AD FS uses to sign tokens never leave the federation servers on the intranet. 它们永远不会出现在 DMZ 或代理计算机上。They are never present in the DMZ or on the proxy machines. 可以选择提供其他保护,可以在附加到 AD FS 的硬件安全模块中保护这些密钥。Optionally to provide additional protection, these keys can be protected in a hardware security module attached to AD FS. Microsoft 不会生成 HSM 产品,但是有几个在市场上支持 AD FS。Microsoft does not produce an HSM product, however there are several on the market that support AD FS. 若要实现此建议,请按照供应商指南创建用于签名和加密的 X509 证书,然后使用 AD FS 安装 powershell commandlet,指定自定义证书,如下所示:In order to implement this recommendation, follow the vendor guidance to create the X509 certs for signing and encryption, then use the AD FS installation powershell commandlets, specifying your custom certificates as follows:

Install-AdfsFarm -CertificateThumbprint <String> -DecryptionCertificateThumbprint <String> -FederationServiceName <String> -ServiceAccountCredential <PSCredential> -SigningCertificateThumbprint <String>

其中:where:

  • CertificateThumbprint 是你的 SSL 证书CertificateThumbprint is your SSL certificate
  • SigningCertificateThumbprint 签名证书是否 (带有 HSM 保护的密钥) SigningCertificateThumbprint is your signing certificate (with HSM protected key)
  • DecryptionCertificateThumbprint 加密证书 (带有 HSM 保护的密钥) DecryptionCertificateThumbprint is your encryption certificate (with HSM protected key)