Azure Stack HCI security considerations

Applies to: Azure Stack HCI, version 20H2; Windows Server 2019

This topic provides security considerations and recommendations related to the Azure Stack HCI operating system:

  • Part 1 covers basic security tools and technologies to harden the operating system and protect data and identities, so that you can efficiently build a secure foundation for your organization.
  • Part 2 covers resources available through Azure Security Center.
  • Part 3 covers more advanced security considerations to further strengthen the security posture of your organization in these areas.

Why are security considerations important?

Security affects everyone in your organization, from upper-level management to the information worker. Inadequate security is a real risk for organizations, as a security breach can potentially disrupt all normal business and bring your organization to a halt. The sooner you can detect a potential attack, the faster you can mitigate any compromise in security.

After researching an environment's weak points to exploit them, an attacker can typically escalate privileges within 24 to 48 hours of the initial compromise to take control of systems on the network. Good security measures harden the systems in the environment, extending the time it takes an attacker to take control from hours to weeks or even months by blocking the attacker's movements. Implementing the security recommendations in this topic positions your organization to detect and respond to such attacks as fast as possible.

Part 1: Build a secure foundation

The following sections recommend security tools and technologies to build a secure foundation for the servers running the Azure Stack HCI operating system in your environment.

Harden the environment

This section discusses how to protect services and virtual machines (VMs) running on the operating system:

  • Azure Stack HCI certified hardware provides consistent Secure Boot, UEFI, and TPM settings out of the box. Combining virtualization-based security with certified hardware helps protect security-sensitive workloads. You can also connect this trusted infrastructure to Azure Security Center to activate behavioral analytics and reporting that account for rapidly changing workloads and threats.

    • Secure Boot is a security standard developed by the PC industry to help ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). To learn more, see Secure boot.
    • Unified Extensible Firmware Interface (UEFI) controls the booting process of the server, and then passes control to either Windows or another operating system. To learn more, see UEFI firmware requirements.
    • Trusted Platform Module (TPM) technology provides hardware-based, security-related functions. A TPM chip is a secure crypto-processor that generates, stores, and limits the use of cryptographic keys. To learn more, see Trusted Platform Module Technology Overview.

    To learn more about Azure Stack HCI certified hardware providers, see the Azure Stack HCI solutions website.

  • Device Guard and Credential Guard. Device Guard protects against malware with no known signature, unsigned code, and malware that gains access to the kernel to either capture sensitive information or damage the system. Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

    To learn more, see Manage Windows Defender Credential Guard and download the Device Guard and Credential Guard hardware readiness tool.

  • Windows and firmware updates are essential on clusters, servers (including guest VMs), and PCs to help ensure that both the operating system and system hardware are protected from attackers. You can use the Windows Admin Center Updates tool to apply updates to individual systems. If your hardware provider includes Windows Admin Center support for getting driver, firmware, and solution updates, you can get these updates at the same time as Windows updates; otherwise, get them directly from your vendor.

    To learn more, see Update the cluster.

    To manage updates on multiple clusters and servers at a time, consider subscribing to the optional Azure Update Management service, which is integrated with Windows Admin Center. For more information, see Azure Update Management using Windows Admin Center.
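The hardware-rooted controls listed above (Secure Boot, TPM, and the virtualization-based security that Device Guard and Credential Guard rely on) can drift or be left unconfigured on individual nodes. The following audit script is an added example, not code from the Microsoft documentation; it is assumed to run in an elevated PowerShell session on the host being checked and uses the documented `Win32_DeviceGuard` status codes (`SecurityServicesRunning` contains 1 for Credential Guard and 2 for HVCI; `VirtualizationBasedSecurityStatus` 2 means running).

```powershell
# Added example (not from the page): report the state of the hardware-rooted
# security features on an Azure Stack HCI / Windows Server host.
# Run in an elevated PowerShell session on each cluster node.

$report = [ordered]@{}

# Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS systems, so catch that case.
try {
    $report['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    $report['SecureBoot'] = 'Not supported (legacy BIOS or not booted via UEFI)'
}

# TPM presence, readiness, and specification version.
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady
$report['TpmVersion'] = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                            -ClassName Win32_Tpm).SpecVersion

# Virtualization-based security (VBS) and the services running on top of it.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$report['VbsRunning']      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$report['CredentialGuard'] = ($dg.SecurityServicesRunning -contains 1)
$report['HVCI']            = ($dg.SecurityServicesRunning -contains 2)

[pscustomobject]$report | Format-List

# Anything not in the expected state is worth a ticket before the node carries workloads.
$expected = @('SecureBoot', 'TpmPresent', 'TpmReady', 'VbsRunning', 'CredentialGuard')
$failed = $expected | Where-Object { $report[$_] -ne $true }
if ($failed) {
    Write-Warning ('Not enabled on {0}: {1}' -f $env:COMPUTERNAME, ($failed -join ', '))
}
```

Run the script on every node (for example through `Invoke-Command -ComputerName`) and compare the results: a node reporting `SecureBoot` false or `CredentialGuard` false is the one an attacker with local access would target first, and the readiness tool mentioned above can explain why the feature is not enabled.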

Protect data

This section discusses how to use Windows Admin Center to protect data and workloads on the operating system:

  • BitLocker for Storage Spaces protects data at rest. You can use BitLocker to encrypt the contents of Storage Spaces data volumes on the operating system. Using BitLocker to protect data can help organizations stay compliant with government, regional, and industry-specific standards such as FIPS 140-2 and HIPAA.

    To learn more about using BitLocker in Windows Admin Center, see Enable volume encryption, deduplication, and compression.

  • SMB encryption for Windows networking protects data in transit. Server Message Block (SMB) is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs on a computer network.

    To enable SMB encryption, see SMB security enhancements.

  • Windows Defender Antivirus in Windows Admin Center protects the operating system on clients and servers against viruses, malware, spyware, and other threats. To learn more, see Microsoft Defender Antivirus on Windows Server 2016 and 2019.
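SMB encryption can be required server-wide or per share, and a server that only offers encryption without rejecting unencrypted sessions still leaves a downgrade path for older clients. The following is an added example, not code from the page; it assumes a file server host and a share named `Data`, which is a constructed placeholder.

```powershell
# Added example (not from the page): require SMB 3 encryption and verify it.
# Run in an elevated session on the SMB server; 'Data' is a constructed share name.

# Option A: encrypt every SMB session the server accepts.
Set-SmbServerConfiguration -EncryptData $true -Force

# Refuse clients that cannot negotiate encryption (SMB 3.0 and later only).
# Without this, an SMB 2/1 client still gets an unencrypted session.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Option B: encrypt only selected shares when server-wide encryption is too broad.
Set-SmbShare -Name 'Data' -EncryptData $true -Force

# Verify the server-side configuration.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess
Get-SmbShare | Select-Object Name, EncryptData

# On a client, confirm that live connections are actually encrypted and signed.
# Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

On Windows Server 2019 and Azure Stack HCI 20H2, encrypted SMB traffic cannot use SMB Direct (RDMA), so apply encryption to client-facing shares and weigh the performance cost before enabling it server-wide on nodes that carry intra-cluster storage traffic.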

Protect identities

This section discusses how to use Windows Admin Center to protect privileged identities:

  • Access control can improve the security of your management landscape. If you're using a Windows Admin Center server (as opposed to running it on a Windows 10 PC), you can control two levels of access to Windows Admin Center itself: gateway users and gateway administrators. Gateway administrator identity provider options include:

    • Active Directory or local machine groups to enforce smartcard authentication.
    • Azure Active Directory to enforce conditional access and multifactor authentication.

    To learn more, see User access options with Windows Admin Center and Configure User Access Control and Permissions.

  • Browser traffic to Windows Admin Center uses HTTPS. Traffic from Windows Admin Center to managed servers uses standard PowerShell and Windows Management Instrumentation (WMI) over Windows Remote Management (WinRM). Windows Admin Center supports the Local Administrator Password Solution (LAPS), resource-based constrained delegation, gateway access control using Active Directory (AD) or Microsoft Azure Active Directory (Azure AD), and role-based access control (RBAC) for managing target servers.

    Windows Admin Center supports Microsoft Edge (Windows 10, version 1709 or later), Google Chrome, and Microsoft Edge Insider on Windows 10. You can install Windows Admin Center on either a Windows 10 PC or a Windows server.

    If you install Windows Admin Center on a server, it runs as a gateway with no UI on the host server. In this scenario, administrators can log on to the server via an HTTPS session secured by a self-signed certificate on the host. However, it's better to use an appropriate SSL certificate from a trusted certificate authority for the sign-on process, because supported browsers treat a self-signed connection as unsecure, even if the connection is to a local IP address over a trusted VPN.

    To learn more about installation options for your organization, see What type of installation is right for you?

  • CredSSP is an authentication provider that Windows Admin Center uses in a few cases to pass credentials to machines beyond the specific server you are targeting to manage. Windows Admin Center currently requires CredSSP to:

    • Create a new cluster.
    • Access the Updates tool to use either the Failover Clustering or Cluster-Aware Updating features.
    • Manage disaggregated SMB storage in VMs.

    To learn more, see Does Windows Admin Center use CredSSP?

  • Role-based access control (RBAC) in Windows Admin Center gives users limited access to the servers they need to manage instead of making them full local administrators. To use RBAC in Windows Admin Center, you configure each managed server with a PowerShell Just Enough Administration endpoint.

    To learn more, see Role-based access control and Just Enough Administration.

  • Security tools in Windows Admin Center that you can use to manage and protect identities include Active Directory, Certificates, Firewall, Local Users and Groups, and more.

    To learn more, see Manage Servers with Windows Admin Center.
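The RBAC item above says each managed server needs a Just Enough Administration (JEA) endpoint but does not show what one looks like. The following is an added example, not the page's or Windows Admin Center's own configuration: it registers a JEA endpoint on a node so that members of an operator group can restart a fixed set of services and VMs without holding local administrator rights. The module name `HciOperatorJea`, the group `CONTOSO\HCI-Operators`, the VM name prefix `app-`, and the transcript path are all constructed assumptions.

```powershell
# Added example (not from the page): a JEA endpoint for a restricted operator role.
# Run in an elevated session on the managed node. All names below are constructed.

$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HciOperatorJea'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null

# Role capabilities must live under a module's RoleCapabilities folder, so create a manifest.
New-ModuleManifest -Path (Join-Path $modulePath 'HciOperatorJea.psd1')

# Allow-list of commands. ValidatePattern limits which services/VMs the operator may touch,
# which keeps a compromised operator account from restarting cluster-critical services.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'HciOperator.psrc') -VisibleCmdlets @(
    'Get-Service',
    'Get-VM',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidatePattern = '^(Spooler|W32Time)$' } },
    @{ Name = 'Restart-VM';      Parameters = @{ Name = 'Name'; ValidatePattern = '^app-' } }
)

# Session configuration: commands run as a transient virtual account (local admin on the node,
# but not usable outside the session), and every session is transcribed for review.
$sessionConfig = Join-Path $modulePath 'HciOperator.pssc'
New-PSSessionConfigurationFile -Path $sessionConfig `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HCI-Operators' = @{ RoleCapabilities = 'HciOperator' } }

# Fail early on a malformed configuration file rather than at registration time.
if (-not (Test-PSSessionConfigurationFile -Path $sessionConfig)) {
    throw "Invalid session configuration: $sessionConfig"
}

Register-PSSessionConfiguration -Name 'HciOperator' -Path $sessionConfig -Force

# An operator then connects with:
#   Enter-PSSession -ComputerName <node> -ConfigurationName HciOperator
# and Get-Command inside that session lists only the allow-listed commands.
```

The endpoint name (`HciOperator` here) is what you point Windows Admin Center's RBAC settings at; the transcript directory should be on a volume operators cannot write to, since the transcripts are the audit trail for every action taken through the endpoint.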

Part 2: Use Azure Security Center

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud and on premises. Security Center provides you with tools to assess the security status of your network, protect workloads, raise security alerts, and follow specific recommendations to remediate attacks and address future threats. Security Center performs all of these services at high speed in the cloud, with no deployment overhead, through auto-provisioning and protection with Azure services.

Security Center protects VMs for both Windows servers and Linux servers by installing the Log Analytics agent on these resources. Azure correlates the events that the agents collect into recommendations (hardening tasks) that you perform to make your workloads secure. The hardening tasks, based on security best practices, include managing and enforcing security policies. You can then track the results and manage compliance and governance over time through Security Center monitoring, while reducing the attack surface across all of your resources.

Managing who can access your Azure resources and subscriptions is an important part of your Azure governance strategy. Azure role-based access control (RBAC) is the primary method of managing access in Azure. To learn more, see Manage access to your Azure environment with role-based access control.

Working with Security Center through Windows Admin Center requires an Azure subscription. To get started, see Integrate Azure Security Center with Windows Admin Center.

After registering, access Security Center in Windows Admin Center: on the All Connections page, select a server or VM, under Tools select Azure Security Center, and then select Sign into Azure.

To learn more, see What is Azure Security Center?

Part 3: Add advanced security

The following sections recommend advanced security tools and technologies to further harden servers running the Azure Stack HCI operating system in your environment.

Harden the environment

  • Microsoft security baselines are based on security recommendations from Microsoft obtained through partnership with commercial organizations and the US government, such as the Department of Defense. The security baselines include recommended security settings for Windows Firewall, Windows Defender, and many others.

    The security baselines are provided as Group Policy Object (GPO) backups that you can import into Active Directory Domain Services (AD DS) and then deploy to domain-joined servers to harden the environment. You can also use the Local Script tools to configure standalone (non-domain-joined) servers with security baselines. To get started using the security baselines, download the Microsoft Security Compliance Toolkit 1.0.

    To learn more, see Microsoft Security Baselines.

Protect data

  • Hardening the Hyper-V environment requires hardening Windows Server running on a VM just as you would harden the operating system running on a physical server. Because virtual environments typically have multiple VMs sharing the same physical host, it is imperative to protect both the physical host and the VMs running on it. An attacker who compromises a host can affect multiple VMs, with a greater impact on workloads and services. This section discusses the following methods that you can use to harden Windows Server in a Hyper-V environment:

    • Guarded fabric and shielded VMs strengthen the security of VMs running in Hyper-V environments by preventing attackers from modifying VM files. A guarded fabric consists of a Host Guardian Service (HGS), which is typically a cluster of three nodes, one or more guarded hosts, and a set of shielded VMs. The Attestation Service evaluates the validity of host requests, while the Key Protection Service determines whether to release the keys that guarded hosts can use to start a shielded VM.

      To learn more, see Guarded fabric and shielded VMs overview.

    • Virtual Trusted Platform Module (vTPM) in Windows Server supports TPM for VMs, which lets you use advanced security technologies, such as BitLocker, inside VMs. You can enable TPM support on any Generation 2 Hyper-V VM by using either Hyper-V Manager or the Enable-VMTPM Windows PowerShell cmdlet.

      To learn more, see Enable-VMTPM.

    • Software Defined Networking (SDN) in Azure Stack HCI and Windows Server centrally configures and manages physical and virtual network devices, such as routers, switches, and gateways, in your datacenter. Virtual network elements such as Hyper-V Virtual Switch, Hyper-V Network Virtualization, and RAS Gateway are designed to be integral elements of your SDN infrastructure.

      To learn more, see Software Defined Networking (SDN).
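The vTPM item above names the Enable-VMTPM cmdlet; what it leaves out is that the cmdlet only succeeds on a Generation 2 VM that is powered off and that, outside a guarded fabric, the VM first needs a key protector to encrypt its vTPM state. The following is an added example, not the page's code, that walks through those prerequisites; the VM name `app-01` is a constructed placeholder.

```powershell
# Added example (not from the page): enable a vTPM on a Generation 2 Hyper-V VM so that
# BitLocker can be used inside the guest. Run in an elevated session on the Hyper-V host.
$vmName = 'app-01'   # constructed placeholder

$vm = Get-VM -Name $vmName
if ($vm.Generation -ne 2) {
    throw "vTPM requires a Generation 2 VM; '$vmName' is Generation $($vm.Generation)."
}

# The TPM can only be enabled while the VM is off.
if ($vm.State -ne 'Off') {
    Stop-VM -Name $vmName
}

# Secure Boot in the guest complements the vTPM (BitLocker measures the boot chain into it).
Set-VMFirmware -VMName $vmName -EnableSecureBoot On

$security = Get-VMSecurity -VMName $vmName
if (-not $security.TpmEnabled) {
    # Without a guarded fabric / HGS, a local key protector encrypts the vTPM state on this host.
    # Do not reset the key protector on a VM that already has a TPM: its sealed secrets would be lost.
    Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
    Enable-VMTPM -VMName $vmName
}

# Also encrypt the VM's saved state and live-migration traffic, which otherwise
# carry guest memory (and any keys in it) in the clear.
Set-VMSecurity -VMName $vmName -EncryptStateAndVmMigrationTraffic $true

Start-VM -Name $vmName
Get-VMSecurity -VMName $vmName |
    Select-Object TpmEnabled, EncryptStateAndVmMigrationTraffic, Shielded
```

A local key protector ties the vTPM to this host's key store; in a guarded fabric the HGS-issued key protector replaces it, which is what allows a shielded VM to start only on attested hosts.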

Protect identities

  • Local Administrator Password Solution (LAPS) is a lightweight mechanism for Active Directory domain-joined systems that periodically sets each computer's local admin account password to a new random and unique value. Passwords are stored in a secured confidential attribute on the corresponding computer object in Active Directory, where only specifically authorized users can retrieve them. LAPS uses local accounts for remote computer management in a way that offers some advantages over using domain accounts. To learn more, see Remote Use of Local Accounts: LAPS Changes Everything.

    To get started using LAPS, download Local Administrator Password Solution (LAPS).

  • Microsoft Advanced Threat Analytics (ATA) is an on-premises product that you can use to help detect attackers attempting to compromise privileged identities. ATA parses network traffic for authentication, authorization, and information-gathering protocols, such as Kerberos and DNS. ATA uses the data to build behavioral profiles of users and other entities on the network in order to detect anomalies and known attack patterns.

    To learn more, see What is Advanced Threat Analytics?

  • Windows Defender Remote Credential Guard protects credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. It also provides single sign-on (SSO) for Remote Desktop sessions. During a Remote Desktop session, if the target device is compromised, your credentials are not exposed, because neither the credentials nor credential derivatives are ever passed over the network to the target device.

    To learn more, see Manage Windows Defender Credential Guard.
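The LAPS and Remote Credential Guard items above describe what the two controls do but not the day-to-day operations behind them. The following is an added example, not code from the page or from the LAPS download: the first part uses the `AdmPwd.PS` module that the LAPS installer provides to audit who can read stored passwords, scope that right to one group, and retrieve and then expire a password; the second part enables Remote Credential Guard on a target host through the documented `DisableRestrictedAdmin` registry value and connects with the `mstsc.exe /remoteGuard` switch. The OU `OU=HCI,DC=contoso,DC=com`, the group `CONTOSO\HCI-Admins`, and the host `hci-node1` are constructed placeholders.

```powershell
# Added example (not from the page). Names below are constructed placeholders.

# --- LAPS: audit, scope, retrieve, rotate ---------------------------------------
Import-Module AdmPwd.PS
$ou = 'OU=HCI,DC=contoso,DC=com'

# Audit first: every principal listed here can read the local admin password of every
# computer in the OU. Broad groups showing up here are a finding, not a feature.
Find-AdmPwdExtendedRights -Identity $ou | Select-Object ObjectDN, ExtendedRightHolders

# Grant password-read rights only to the intended admin group.
Set-AdmPwdReadPasswordPermission -Identity $ou -AllowedPrincipals 'CONTOSO\HCI-Admins'

# Retrieve the current password for one host for a maintenance task...
$computer = 'hci-node1'
$entry = Get-AdmPwdPassword -ComputerName $computer
$entry | Select-Object ComputerName, Password, ExpirationTimestamp

# ...and expire it immediately afterwards so the value is effectively single-use.
# The client-side extension sets a new password at its next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)

# --- Remote Credential Guard ----------------------------------------------------
# On the RDP target (run there, elevated): allow Restricted Admin / Remote Credential Guard
# connections. Value 0 enables them; the same host must also have Credential Guard prerequisites.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
    -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord

# On the admin workstation: connect with Remote Credential Guard so the Kerberos
# requests are answered by this client and no reusable credential lands on the target.
Start-Process -FilePath 'mstsc.exe' -ArgumentList '/remoteGuard', "/v:$computer"
```

Run the LAPS audit on a schedule: the extended-rights check is the quickest way to notice that a helpdesk or service group has been granted read access to every local administrator password in an OU.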

Next steps

For more information on security and regulatory compliance, see also: