Security and privacy for compliance settings in Configuration Manager

Applies to: Configuration Manager (current branch)

Security best practices for compliance settings

| Security best practice | More information |
|---|---|
| Do not monitor sensitive data. | To help avoid information disclosure, do not configure configuration items to monitor potentially sensitive information. |
| Do not configure compliance rules that use data that can be modified by end users. | If you create a compliance rule based on data that users can modify, such as registry settings for configuration choices, the compliance results will not be reliable. |
| Import Microsoft System Center configuration packs and other configuration data from external sources only if they have a valid digital signature from a trusted publisher. | Published configuration data can be digitally signed so that you can verify the publishing source and ensure that the data has not been tampered with. If the digital signature verification check fails, you are warned and prompted to confirm whether to continue with the import. Do not import unsigned data if you cannot verify the source and integrity of the data. |
| Implement access controls to protect reference computers. | Ensure that when an administrative user configures a registry or file system setting by browsing to a reference computer, the reference computer has not been compromised. |
| Secure the communication channel when you browse to a reference computer. | To prevent tampering with the data while it is transferred over the network, use Internet Protocol security (IPsec) or server message block (SMB) between the computer that runs the Configuration Manager console and the reference computer. |
| Restrict and monitor the administrative users who are granted the Compliance Settings Manager role-based security role. | Administrative users who are granted the Compliance Settings Manager role can deploy configuration items to all devices and all users in the hierarchy. Configuration items can be very powerful and can include, for example, scripts and registry reconfiguration. |

Privacy information for compliance settings

You can use compliance settings to evaluate whether your client devices are compliant with configuration items that you deploy in configuration baselines. Some settings can be automatically remediated if they are out of compliance. Compliance information is sent to the site server by the management point and stored in the site database. The information is encrypted when devices send it to the management point, but it is not stored in encrypted format in the site database. Information is retained in the database until the site maintenance task Delete Aged Configuration Management Data deletes it every 90 days. You can configure the deletion interval. Compliance information is not sent to Microsoft.

By default, devices do not evaluate compliance settings. In addition, you must configure the configuration items and configuration baselines, and then deploy them to devices.