Mobile security and authentication in SharePoint 2013

Summary: Learn how to help secure a SharePoint mobile infrastructure, and learn about the different authentication types supported in SharePoint Server 2013.

This article provides security guidance and recommendations to help ensure that access to SharePoint Server 2013, and to specific data in SharePoint, is not compromised on a mobile device. It also details the supported authentication types for selected devices and the authentication specifics of the SharePoint Newsfeed App.

Security for mobile devices

This section provides security recommendations for using devices that are external to your corporate network. A lost or stolen device could be devastating to an organization on many levels, so the necessary measures must be in place before one is compromised.

General security considerations include the following:

  • Mobile devices can contain sensitive data or documents. Because mobile devices can be lost or stolen, we recommend that you set policies around mobile devices to help protect sensitive data and documents. This can include securing the mobile device by using a PIN or lock, and ensuring that you can remotely wipe the data on the mobile device. Available programs and features vary by mobile device. For more information about a possible method to implement these policies in your organization, see Exchange ActiveSync later in this article.

  • You can educate users about how they can help protect their user credentials. This can include signing out of sites when they have finished, not enabling any option that keeps them signed in or remembers their password, and frequently deleting cookies in the mobile browser. This can help prevent others from using their user credentials to log on to a SharePoint site if their mobile device is lost or stolen.

  • We recommend that you enable SSL to help secure communication between mobile browsers and the computer that is running SharePoint Server 2013. For more information about how to use a reverse proxy server, such as Forefront Unified Access Gateway (UAG), to help secure communication, see Forefront Unified Access Gateway (UAG) in the Forefront Technical Library.

Exchange ActiveSync

Microsoft Exchange ActiveSync is a communications protocol that enables mobile access, over the air, to e-mail messages, scheduling data, contacts, and tasks. Exchange ActiveSync is available on Windows Phone and on third-party phones and slates that are enabled for Exchange ActiveSync, such as the Apple iPhone. One of the benefits of implementing Exchange ActiveSync in your organization is device-side security and administration through policy enforcement. If SharePoint Server 2013 is deployed in an extranet topology, mobile devices access the computer that is running SharePoint Server 2013 through a public-facing URL. If a mobile device is lost or stolen, you must ensure that SharePoint data is not compromised. For example, by using Exchange ActiveSync you can remotely wipe data from the device, such as SharePoint configurations, or enforce a complex password at the lock screen to help prevent unauthorized access.

The following table lists a selection of Exchange ActiveSync features and policies that you can apply to some devices.

Table: Exchange ActiveSync policies for mobile devices

Exchange ActiveSync policy        Description

Remote wipe (this is a feature and not an Exchange ActiveSync policy)
    If a mobile phone is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange computer or from any web browser by using Outlook Web App. This command restores the device to factory defaults.
    Important: After a remote device wipe has occurred, data recovery is very difficult. However, no data removal process leaves a device as free from residual data as when it is new. Recovery of data from a device may still be possible using sophisticated tools.

Enforce password on device (DevicePasswordEnabled)
    This setting enables the mobile phone password.

Minimum password length (MinDevicePasswordLength)
    This option specifies the length of the password for the mobile phone. The default length is 4 characters, but as many as 18 can be included.

Require alphanumeric password (AlphanumericDevicePasswordRequired)
    This setting requires that a password contains numeric and non-numeric characters.

Allow simple password (AllowSimpleDevicePassword)
    This setting enables or disables the ability to use a simple password such as 1234.

Maximum inactivity time lock (MaxInactivityTimeDeviceLock)
    This option determines how long the mobile phone must be inactive before the user is prompted for a password to unlock the mobile phone.

Important

The selection of Exchange ActiveSync policies that can be used might differ on a device-by-device basis. For more information about which policies are supported on a specific device platform, such as Windows Phone and Apple iPhone, see Understanding Exchange ActiveSync Mailbox Policies.
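As an added example that is not part of the article, the following Exchange Management Shell commands apply the five policy settings from the table above and issue the remote wipe the table describes. The cmdlet and parameter names are the Exchange 2010 Exchange ActiveSync names, which match the table (assumption: later Exchange versions renamed them); the policy name, mailbox and device identity are placeholders.

```powershell
# Added example, not from the article. Exchange 2010 Exchange Management Shell
# cmdlet/parameter names (assumption: later versions renamed them, for example
# to New-MobileDeviceMailboxPolicy). Names and identities below are placeholders.

$policyName = "SharePoint-Mobile-Baseline"   # placeholder policy name
$mailbox    = "someone@example.com"          # placeholder user mailbox

# 1. Create the policy with the settings from the table above (splatted so each
#    parameter can carry a comment).
$settings = @{
    Name                               = $policyName
    DevicePasswordEnabled              = $true       # require a device password
    AlphanumericDevicePasswordRequired = $true       # numeric and non-numeric characters
    AllowSimpleDevicePassword          = $false      # reject simple values such as 1234
    MinDevicePasswordLength            = 6           # table: default 4, maximum 18
    MaxInactivityTimeDeviceLock        = "00:15:00"  # prompt for password after 15 idle minutes
}
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy @settings | Out-Null
}

# 2. Assign the policy to the mailbox whose devices sync SharePoint data, then
#    read it back so the enforced values are the ones the table describes.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
                AllowSimpleDevicePassword, MinDevicePasswordLength,
                MaxInactivityTimeDeviceLock

# 3. Remote wipe for a lost or stolen device (a feature, not a policy, as the
#    table notes). First list the devices that have synced with the mailbox so
#    the correct one is selected.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceId, LastSuccessSync, Identity -AutoSize

# Placeholder: paste the Identity of the lost device from the listing above.
$lostDeviceIdentity = "<device identity from the listing above>"
Clear-ActiveSyncDevice -Identity $lostDeviceIdentity   # prompts before wiping

# 4. Confirm the device acknowledged the wipe. Until DeviceWipeAckTime is set,
#    the command is still pending and the device has not been reset.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.Identity.ToString() -eq $lostDeviceIdentity } |
    Format-List DeviceId, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

The wipe is only delivered on the device's next sync, which is why step 4 checks the acknowledgement time rather than assuming the device has been reset.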

Finding a lost device

When a device is lost or stolen, it may be useful to find the location of that device and to be able to wipe all data contents if necessary. Various third-party services and solutions provide this functionality. An example is the Windows Phone Find My Phone service, which can make it easier to recover your mobile device by locating it, or prevent someone from using it without your consent.

The functionality this service can provide includes the following:

  • Map your mobile device location.

  • Make your mobile device ring.

  • Lock your mobile device and show a message.

  • Wipe your mobile device data.

Note

To learn more about the Find My Phone service for Windows Phone, see Find a lost phone.

Authentication for mobile devices

SharePoint Server 2013 supports multiple authentication methods and authentication modes. Not all mobile browsers and devices work with all the available authentication methods. When you plan for mobile device access, you must do the following:

  • Determine the mobile devices that you must support. Then, learn the authentication methods that are supported by those mobile devices. This information varies by manufacturer.

  • Determine the sites that you want to make available to your mobile device users.

  • Determine whether you want to make SharePoint sites available to mobile devices when the devices are used outside the corporate firewall. If you do, the method that you use to enable external access can also affect mobile device authentication.

The following tables detail the authentication types supported for browsers, OneDrive for Business, and the Office Hub Windows Phone experience in SharePoint Server 2013. In these tables, OrgID refers to Microsoft Online Services ID, the identity provider for Office 365, and MSOFBA refers to Microsoft Office Forms Based Authentication.

Table: Mobile authentication support for SharePoint browsers

SharePoint Infrastructure                                   Mobile Devices
Authentication Type                Authentication Protocol
Windows Authentication             NTLM
Basic Authentication               Active Directory
Forms-Based Authentication (FBA)   FBA
FBA                                OrgID
SAML (Token-based)                 SAML

Table: Supported authentication types for the OneDrive for Business app

Authentication type   Description   Supported   Administrator type required for configuration

Org-ID
    Description: Organizations with an Office 365 or SharePoint Online tenant without any federation.
    Supported: Yes
    Administrator type required for configuration: Global admin

ADFS and Org-ID federation
    Description: Organizations with a hybrid Office 365 or SharePoint Online tenant with users federated from an on-premises directory.
    Supported: Yes
    Administrator type required for configuration: Global admin plus the on-premises network administrator plus the SharePoint administrator

Windows authentication (NTLM)
    Description: Organizations with a SharePoint environment configured to allow NTLM claims-based Windows authentication.
    Supported: Yes
    Administrator type required for configuration: SharePoint administrator

Forms-based authentication (FBA)
    Description: Organizations with a SharePoint environment configured to allow forms-based authentication or other compatible claims-based authentication via a standard web control.
    Supported: Yes
    Administrator type required for configuration: SharePoint administrator

Qualified non-ADFS identity providers
    Description: Organizations with an Office 365 or SharePoint Online environment configured to allow user sign-in that is federated with an identity provider qualified for rich clients in the Works with Office 365 - Identity program.
    Supported: Yes
    Administrator type required for configuration: SharePoint administrator plus the on-premises network administrator or Global admin (in some organizations the Global admin is a requirement, not an option)

All other non-ADFS identity providers
    Description: Organizations with a SharePoint environment configured to allow a non-ADFS identity provider.
    Supported: No
    Administrator type required for configuration: SharePoint administrator plus the on-premises network administrator

Kerberos authentication
    Description: Organizations with a SharePoint environment configured to support Kerberos authentication.
    Supported: No
    Administrator type required for configuration: SharePoint administrator plus the on-premises network administrator

Basic authentication
    Description: Organizations with a SharePoint environment configured to support Basic authentication.
    Supported: No
    Administrator type required for configuration: SharePoint administrator plus the on-premises network administrator

Note

If you are an Office 365 multi-tenant user, you can connect from the OneDrive for Business app in any network environment, including Wi-Fi and cellular data. If you are not using multi-tenant Office 365, you can connect only when using your organization's on-site Wi-Fi network. Contact your SharePoint administrator if you are unsure which type of user you are.

Table: Mobile authentication support matrix for Office Hub

SharePoint Infrastructure / Client side                                              Mobile devices
Authentication Type     Authentication Protocol   ID Provider

Windows Authentication
                        NTLM                      Active Directory
                        Basic Authentication      Active Directory                                   On-premises, extranet

Forms-Based Authentication (FBA)
                        FBA                       Active Directory, LDAP, SQL
                        FBA                       OrgID                                              SharePoint Online, hybrid-based scenarios
                        FBA                       OrgID                                              SharePoint Online, hybrid-based scenarios

SAML (token-based)
                        SAML                      WS-Federation 1.1 compatible Identity Provider
                        SAML                      WS-Federation 1.1 compatible Identity Provider     On-premises, SharePoint Online, hybrid-based scenarios

Note

In order for mobile devices to communicate with SharePoint servers, Internet Protocol Security (IPSec) must be disabled on the servers. This is necessary because mobile devices are not domain-joined.

Authentication for the SharePoint Newsfeed App

This section provides authentication guidance and considerations for the SharePoint Newsfeed App, covering both on-premises deployments and SharePoint Online.

Authentication support for the SharePoint Newsfeed App

The following table details the authentication types supported for the SharePoint Newsfeed App in SharePoint Server 2013. In this table, OrgID refers to Microsoft Online Services ID, the identity provider for Office 365, and MSOFBA refers to Microsoft Office Forms Based Authentication.

Table: Mobile authentication support matrix for the SharePoint Newsfeed App

SharePoint Infrastructure / Client side                                              Mobile devices
Authentication Type     Authentication Protocol   ID Provider

Windows Authentication
                        NTLM                      Active Directory
                        Basic Authentication      Active Directory                                   On-premises, extranet

Forms-Based Authentication (FBA)
                        FBA                       Active Directory, LDAP, SQL
                        FBA                       OrgID                                              SharePoint Online, hybrid-based scenarios
                        FBA                       OrgID                                              SharePoint Online, hybrid-based scenarios

SAML (token-based)
                        SAML                      WS-Federation 1.1 compatible Identity Provider
                        SAML                      WS-Federation 1.1 compatible Identity Provider     On-premises, SharePoint Online, hybrid-based scenarios

Important

For federated scenarios in SharePoint Online, only Active Directory Federation Services (ADFS) 2.0 is supported. During the setup process it is necessary to support a passive federation authentication URI of "urn:oasis:names:tc:SAML:2.0:ac:classes:Password".

Authentication Workflows

The SharePoint Newsfeed App is supported for both on-premises and SharePoint Online use. Each option can present differences in the end-user authentication workflow. The following table gives sample authentication experiences for each type of implementation.

Deployment          Workflow                                     Details
On-premises         (workflow diagram: SPNewsfeed on-premises)   Supported Authentication Types: Windows Authentication, Forms Based Authentication, SAML
SharePoint Online   (workflow diagram: SPNewsfeed SPO)           Supported Authentication Types: Forms Based Authentication, SAML

For more information about how to deploy the SharePoint Newsfeed App in your network, including configuring cross-firewall access, see Configure external access for mobile devices in SharePoint Server.

See also

Concepts

Overview of mobile devices and SharePoint Server 2013