Cryptographic controls technical reference

Applies to: Configuration Manager (current branch)

Configuration Manager uses signing and encryption to help protect the management of the devices in the Configuration Manager hierarchy. With signing, if data has been altered in transit, it is discarded. Encryption helps prevent an attacker from reading the data with a network protocol analyzer.

The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration Manager sites communicate with each other, they sign their communications with SHA-256. The primary encryption algorithm implemented in Configuration Manager is 3DES, which is used for storing data in the Configuration Manager database and for client HTTP communication. When you use client communication over HTTPS, you can configure your public key infrastructure (PKI) to use RSA certificates with the maximum hashing algorithms and key lengths that are documented in PKI certificate requirements.

For most cryptographic operations on Windows-based operating systems, Configuration Manager uses the SHA-2, 3DES, AES, and RSA algorithms from the Windows CryptoAPI library rsaenh.dll.

Important

For information about recommended changes in response to SSL vulnerabilities, see About SSL Vulnerabilities.

Cryptographic controls for Configuration Manager operations

Information in Configuration Manager can be signed and encrypted, whether or not you use PKI certificates with Configuration Manager.

Policy signing and encryption

Client policy assignments are signed by the self-signed site server signing certificate to help prevent the security risk of a compromised management point sending policies that have been tampered with. This is important if you are using Internet-based client management, because this environment requires a management point that is exposed to Internet communication.

Policy is encrypted with 3DES when it contains sensitive data. Policy that contains sensitive data is sent to authorized clients only. Policy that does not contain sensitive data is not encrypted.

When policy is stored on clients, it is encrypted with the Data Protection application programming interface (DPAPI).

Policy hashing

When Configuration Manager clients request policy, they first get a policy assignment so that they know which policies apply to them, and then they request only those policy bodies. Each policy assignment contains the calculated hash for the corresponding policy body. The client retrieves the applicable policy bodies and then calculates the hash of each body. If the hash of the downloaded policy body does not match the hash in the policy assignment, the client discards the policy body.

The hashing algorithms for policy are SHA-1 and SHA-256.

Content hashing

The distribution manager service on the site server hashes the content files for all packages. The policy provider includes the hash in the software distribution policy. When the Configuration Manager client downloads the content, the client regenerates the hash locally and compares it to the one supplied in the policy. If the hashes match, the content has not been altered and the client installs it. If a single byte of the content has been altered, the hashes will not match and the software will not be installed. This check helps to ensure that the correct software is installed, because the actual content is cross-checked with the policy.

The default hashing algorithm for content is SHA-256.
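The client-side check described under Policy hashing and Content hashing, as an added Python illustration (not Configuration Manager's own code): the hash carried in the assignment or policy is recomputed over the downloaded bytes, and any mismatch, missing file, or algorithm outside the ones the page names causes the body to be discarded. The dict-based assignment and manifest records and the sample policy and file bytes are constructed for this example.

```python
"""Hash verification of policy bodies and package content, as the text describes.

Added illustration, not Configuration Manager's own code.  The assignment and
manifest records below are a constructed dict format; the real policy
assignment schema is not reproduced here.
"""
import hashlib
import hmac

# Algorithms the page names: SHA-1 and SHA-256 for policy, SHA-256 for content.
SUPPORTED_ALGORITHMS = {"sha1", "sha256"}


def compute_hash(data: bytes, algorithm: str) -> str:
    """Hex digest of data, restricted to the algorithms the page lists."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def make_assignment(policy_id: str, body: bytes, algorithm: str = "sha256") -> dict:
    """Site side: record the hash of a policy body, as the policy assignment does."""
    return {"policy_id": policy_id, "algorithm": algorithm,
            "hash": compute_hash(body, algorithm)}


def verify_policy_body(assignment: dict, downloaded_body: bytes) -> bool:
    """Client side: recompute the hash locally and compare it with the one in
    the (signed) assignment.  A mismatch, a missing field or an algorithm the
    client does not accept all mean the body is discarded.  compare_digest
    keeps the comparison constant-time."""
    try:
        actual = compute_hash(downloaded_body, assignment["algorithm"])
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(actual, assignment["hash"].lower())


def make_manifest(files: dict, algorithm: str = "sha256") -> dict:
    """Distribution manager side: hash every content file in a package."""
    return {"algorithm": algorithm,
            "files": {name: compute_hash(data, algorithm) for name, data in files.items()}}


def verify_package(manifest: dict, downloaded: dict) -> list:
    """Client side: return the names of files that must not be installed.

    A file is rejected when its hash differs, when it is missing from the
    download, or when the download contains a file the manifest never listed.
    An empty list means the whole package may be installed.
    """
    algorithm = manifest["algorithm"]
    rejected = []
    for name, expected in manifest["files"].items():
        data = downloaded.get(name)
        if data is None:
            rejected.append(name)
            continue
        try:
            actual = compute_hash(data, algorithm)
        except ValueError:
            rejected.append(name)
            continue
        if not hmac.compare_digest(actual, expected.lower()):
            rejected.append(name)
    rejected.extend(sorted(set(downloaded) - set(manifest["files"])))
    return rejected


# Constructed sample data (not real policy or package content).
POLICY_BODY = b'<Policy id="Deploy-7Zip"><Content>PKG00001</Content></Policy>'
TAMPERED_BODY = POLICY_BODY.replace(b"PKG00001", b"PKG00002")  # one byte changed

PACKAGE_FILES = {"setup.exe": b"MZ\x90\x00constructed-installer-bytes",
                 "config.xml": b"<Config><Silent>true</Silent></Config>"}


def demo() -> dict:
    """Run the checks over genuine and tampered inputs and report each outcome."""
    assignment = make_assignment("Deploy-7Zip", POLICY_BODY)
    manifest = make_manifest(PACKAGE_FILES)
    tampered_files = dict(PACKAGE_FILES)
    tampered_files["setup.exe"] = PACKAGE_FILES["setup.exe"] + b"\x00"  # appended byte
    tampered_files["extra.dll"] = b"not in manifest"                     # unlisted file
    return {
        "genuine_policy_accepted": verify_policy_body(assignment, POLICY_BODY),
        "tampered_policy_rejected": not verify_policy_body(assignment, TAMPERED_BODY),
        "md5_assignment_rejected": not verify_policy_body(
            dict(assignment, algorithm="md5"), POLICY_BODY),
        "genuine_package_rejects": verify_package(manifest, PACKAGE_FILES),
        "tampered_package_rejects": verify_package(manifest, tampered_files),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```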

Not all devices can support content hashing. The exceptions include:

  • Windows clients when they stream App-V content.

  • Windows Phone clients, though these clients verify the signature of an application that is signed by a trusted source.

  • Windows RT clients, though these clients verify the signature of an application that is signed by a trusted source and also use package full name (PFN) validation.

  • Clients that run on versions of Linux and UNIX that do not support SHA-256. For more information, see Planning for client deployment to Linux and UNIX computers.

Inventory signing and encryption

Inventory that clients send to management points is always signed by the device, regardless of whether the client communicates with the management point over HTTP or HTTPS. If clients use HTTP, you can choose to encrypt this data, which is a security best practice.

State migration encryption

Data stored on state migration points for operating system deployment is always encrypted by the User State Migration Tool (USMT) by using 3DES.

Encryption for multicast packages to deploy operating systems

For every operating system deployment package, you can enable encryption when the package is transferred to computers by using multicast. The encryption uses the Advanced Encryption Standard (AES). If you enable encryption, no additional certificate configuration is required. The multicast-enabled distribution point automatically generates symmetric keys for encrypting the package. Each package has a different encryption key. The key is stored on the multicast-enabled distribution point by using standard Windows APIs. When the client connects to the multicast session, the key exchange occurs over a channel encrypted with either the PKI-issued client authentication certificate (when the client uses HTTPS) or the self-signed certificate (when the client uses HTTP). The client stores the key in memory only for the duration of the multicast session.

Encryption for media to deploy operating systems

When you use media to deploy operating systems and specify a password to protect the media, the environment variables are encrypted by using the Advanced Encryption Standard (AES) with a 128-bit key size. Other data on the media, including packages and content for applications, is not encrypted.

Encryption for content that is hosted on cloud-based distribution points

Beginning with System Center 2012 Configuration Manager SP1, when you use cloud-based distribution points, the content that you upload to these distribution points is encrypted by using the Advanced Encryption Standard (AES) with a 256-bit key size. The content is re-encrypted whenever you update it. When clients download the content, it is encrypted and protected by the HTTPS connection.

Signing in software updates

All software updates must be signed by a trusted publisher to protect against tampering. On client computers, the Windows Update Agent (WUA) scans for the updates from the catalog, but will not install an update if it cannot locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was used for publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate. WUA also checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the updates that were created and published with Updates Publisher.

When software updates are published in System Center Updates Publisher, a digital certificate signs the software updates when they are published to an update server. You can either specify a PKI certificate or configure Updates Publisher to generate a self-signed certificate to sign the software updates.

Signed configuration data for compliance settings

When you import configuration data, Configuration Manager verifies the files' digital signatures. If the files have not been signed, or if the digital signature verification check fails, you are warned and prompted whether to continue with the import. Continue to import the configuration data only if you explicitly trust the publisher and the integrity of the files.

Encryption and hashing for client notification

If you use client notification, all communication uses TLS and the highest encryption that the server and client operating systems can negotiate. For example, a client computer running Windows 7 and a management point running Windows Server 2008 R2 can support 128-bit AES encryption, whereas a client computer running Vista connecting to the same management point will negotiate down to 3DES encryption. The same negotiation occurs for hashing the packets that are transferred during client notification, which uses SHA-1 or SHA-2.

Certificates used by Configuration Manager

For a list of the public key infrastructure (PKI) certificates that can be used by Configuration Manager, any special requirements or limitations, and how the certificates are used, see PKI certificate requirements. This list includes the supported hash algorithms and key lengths. Most certificates support SHA-256 and a 2048-bit key length.

Note

All certificates that Configuration Manager uses must contain only single-byte characters in the subject name or subject alternative name.

PKI certificates are required for the following scenarios:

  • When you manage Configuration Manager clients on the Internet.

  • When you manage Configuration Manager clients on mobile devices.

  • When you manage Mac computers.

  • When you use cloud-based distribution points.

For most other Configuration Manager communications that require certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not available, Configuration Manager generates self-signed certificates.

Configuration Manager does not use PKI certificates when it manages mobile devices by using the Exchange Server connector.

Mobile device management and PKI certificates

If the mobile device has not been locked by the mobile operator, you can use Configuration Manager or Microsoft Intune to request and install a client certificate. This certificate provides mutual authentication between the client on the mobile device and Configuration Manager site systems or Microsoft Intune services. If your mobile device is locked, you cannot use Configuration Manager or Intune to deploy certificates.

If you enable hardware inventory for mobile devices, Configuration Manager or Intune also inventories the certificates that are installed on the mobile device.

Operating system deployment and PKI certificates

When you use Configuration Manager to deploy operating systems and a management point requires HTTPS client connections, the client computer must also have a certificate to communicate with the management point, even though it is in a transitional phase such as booting from task sequence media or from a PXE-enabled distribution point. To support this scenario, you must create a PKI client authentication certificate, export it with the private key, import it into the site server properties, and also add the management point's trusted root CA certificate.

If you create bootable media, you import the client authentication certificate when you create the bootable media. Configure a password on the bootable media to help protect the private key and other sensitive data configured in the task sequence. Every computer that boots from the bootable media presents the same certificate to the management point, as required for client functions such as requesting client policy.

If you use PXE boot, you import the client authentication certificate to the PXE-enabled distribution point, and it uses the same certificate for every client that boots from that PXE-enabled distribution point. As a security best practice, require users who connect their computers to a PXE service to supply a password to help protect the private key and other sensitive data in the task sequences.

If either of these client authentication certificates is compromised, block the certificates in the Certificates node under the Security node in the Administration workspace. To manage these certificates, you must have the Manage operating system deployment certificate right.

After the operating system is deployed and the Configuration Manager client is installed, the client requires its own PKI client authentication certificate for HTTPS client communication.

ISV proxy solutions and PKI certificates

Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example, an ISV could create extensions to support non-Windows client platforms such as Macintosh or UNIX computers. However, if the site systems require HTTPS client connections, these clients must also use PKI certificates for communication with the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy that enables communication between the ISV proxy clients and the management point. If you use extensions that require ISV proxy certificates, consult the documentation for that product. For more information about how to create ISV proxy certificates, see the Configuration Manager Software Developer Kit (SDK).

If the ISV certificate is compromised, block the certificate in the Certificates node under the Security node in the Administration workspace.

Asset Intelligence and certificates

Configuration Manager installs with an X.509 certificate that the Asset Intelligence synchronization point uses to connect to Microsoft. Configuration Manager uses this certificate to request a client authentication certificate from the Microsoft certificate service. The client authentication certificate is installed on the Asset Intelligence synchronization point site system server, and it is used to authenticate the server to Microsoft. Configuration Manager uses the client authentication certificate to download the Asset Intelligence catalog and to upload software titles.

This certificate has a key length of 1024 bits.

Cloud-based distribution points and certificates

Beginning with System Center 2012 Configuration Manager SP1, cloud-based distribution points require a management certificate (self-signed or PKI) that you upload to Microsoft Azure. This management certificate requires server authentication capability and a certificate key length of 2048 bits. In addition, you must configure a service certificate for each cloud-based distribution point; this certificate cannot be self-signed, and it must also have server authentication capability and a minimum certificate key length of 2048 bits.

Note

The self-signed management certificate is for testing purposes only and not for use on production networks.

Clients do not require a client PKI certificate to use cloud-based distribution points; they authenticate to the management point by using either a self-signed certificate or a client PKI certificate. The management point then issues a Configuration Manager access token to the client, which the client presents to the cloud-based distribution point. The token is valid for 8 hours.

The Microsoft Intune connector and certificates

When Microsoft Intune enrolls mobile devices, you can manage these mobile devices in Configuration Manager by creating a Microsoft Intune connector. The connector uses a PKI certificate with client authentication capability to authenticate Configuration Manager to Microsoft Intune and to transfer all information between them by using SSL. The certificate key size is 2048 bits, and the certificate uses the SHA-1 hash algorithm.

When you install the connector, a signing certificate is created and stored on the site server for sideloading keys, and an encryption certificate is created and stored on the certificate registration point to encrypt the Simple Certificate Enrollment Protocol (SCEP) challenge. These certificates also have a key size of 2048 bits and use the SHA-1 hash algorithm.

When Intune enrolls mobile devices, it installs a PKI certificate onto the mobile device. This certificate has client authentication capability, uses a key size of 2048 bits, and uses the SHA-1 hash algorithm.

These PKI certificates are automatically requested, generated, and installed by Microsoft Intune.

CRL checking for PKI certificates

A PKI certificate revocation list (CRL) increases administrative and processing overhead, but it is more secure. However, if CRL checking is enabled but the CRL is inaccessible, the PKI connection fails. For more information, see Security and privacy for Configuration Manager.

Certificate revocation list (CRL) checking is enabled by default in IIS, so if you are using a CRL with your PKI deployment, there is nothing additional to configure on most Configuration Manager site systems that run IIS. The exception is software updates, which require a manual step to enable CRL checking to verify the signatures on software update files.

CRL checking is enabled by default for client computers when they use HTTPS client connections. You cannot disable CRL checking for clients on Mac computers in Configuration Manager SP1 or later.

CRL checking is not supported for the following connections in Configuration Manager:

  • Server-to-server connections.

  • Mobile devices that are enrolled by Configuration Manager.

  • Mobile devices that are enrolled by Microsoft Intune.

Cryptographic controls for server communication

Configuration Manager uses the following cryptographic controls for server communication.

Server communication within a site

Each site system server uses a certificate to transfer data to other site systems in the same Configuration Manager site. Some site system roles also use certificates for authentication. For example, if you install the enrollment proxy point on one server and the enrollment point on another server, they can authenticate one another by using this identity certificate. When Configuration Manager uses a certificate for this communication, it automatically uses a PKI certificate that has server authentication capability if one is available; if not, Configuration Manager generates a self-signed certificate. This self-signed certificate has server authentication capability, uses SHA-256, and has a key length of 2048 bits. Configuration Manager copies the certificate to the Trusted People store on other site system servers that might need to trust the site system. Site systems can then trust one another by using these certificates and PeerTrust.

In addition to this certificate for each site system server, Configuration Manager generates a self-signed certificate for most site system roles. When there is more than one instance of a site system role in the same site, the instances share the same certificate. For example, you might have multiple management points or multiple enrollment points in the same site. This self-signed certificate also uses SHA-256 and has a key length of 2048 bits. It is also copied to the Trusted People store on site system servers that might need to trust it. The following site system roles generate this certificate:

  • Application Catalog web service point

  • Application Catalog website point

  • Asset Intelligence synchronization point

  • Certificate registration point

  • Endpoint Protection point

  • Enrollment point

  • Fallback status point

  • Management point

  • Multicast-enabled distribution point

  • Reporting services point

  • Software update point

  • State migration point

  • Microsoft Intune connector

These certificates are managed automatically by Configuration Manager and, where necessary, automatically generated.

Configuration Manager also uses a client authentication certificate to send status messages from the distribution point to the management point. When the management point is configured for HTTPS client connections only, you must use a PKI certificate. If the management point accepts HTTP connections, you can use a PKI certificate or select the option to use a self-signed certificate that has client authentication capability, uses SHA-256, and has a key length of 2048 bits.

站台間的伺服器通訊Server communication between sites

Configuration Manager 使用資料庫複寫和檔案為基礎的複寫在網站之間傳送資料。Configuration Manager transfers data between sites by using database replication and file-based replication. 如需詳細資訊,請參閱端點間的通訊For more information, see Communications between endpoints.

Configuration Manager 會自動在站台間設定資料庫複寫,並且若有具備伺服器驗證功能的 PKI 憑證,便會使用這些憑證;如果沒有,則 Configuration Manager 會建立自我簽署憑證來進行伺服器驗證。Configuration Manager automatically configures the database replication between sites and uses PKI certificates that have server authentication capability if these are available; if not, Configuration Manager creates self-signed certificates for server authentication. 無論是哪一種狀況,都會經由使用 PeerTrust 之受信任人存放區的憑證來建立網站間的驗證。In both cases, authentication between sites is established by using certificates in the Trusted People Store that uses PeerTrust. 這個憑證存放區是用來確保只有 Configuration Manager 階層使用的 SQL Server 電腦會參與站台對站台複寫。This certificate store is used to ensure that only the SQL Server computers that are used by the Configuration Manager hierarchy participate in site-to-site replication. 由於主要網站與管理中心網站可以將設定變更複寫至階層中的所有網站,因此次要網站只能將設定變更複寫到其父網站。Whereas primary sites and the central administration site can replicate configuration changes to all sites in the hierarchy, secondary sites can replicate configuration changes only to their parent site.

網站伺服器會使用自動出現的安全金鑰交換來建立網站對網站通訊。Site servers establish site-to-site communication by using a secure key exchange that happens automatically. 傳送端的網站伺服器會產生雜湊,並以其私密金鑰簽署。The sending site server generates a hash and signs it with its private key. 接收端的網站伺服器會使用公開金鑰檢查簽章,並以本機產生的數值比對雜湊。The receiving site server checks the signature by using the public key and compares the hash with a locally generated value. 如果相符,接收端的網站會接受複寫的資料。If they match, the receiving site accepts the replicated data. 如果值不相符,Configuration Manager 會拒絕複寫資料。If the values do not match, Configuration Manager rejects the replication data.

Configuration Manager 中的資料庫複寫使用 SQL Server Service Broker,經由以下機制在站台間傳輸資料:Database replication in Configuration Manager uses the SQL Server Service Broker to transfer data between sites by using the following mechanisms:

  • SQL Server 對 SQL Server 的連線:此機制經由進階加密標準 (AES) 使用 Windows 認證進行伺服器驗證,並使用長度為 1024 位元的自我簽署憑證簽署並加密資料。SQL Server to SQL Server connection: This uses Windows credentials for server authentication and self-signed certificates with 1024 bits to sign and encrypt the data by using Advanced Encryption Standard (AES). 若有具備伺服器驗證功能的 PKI 憑證可用,則會使用這些憑證。If PKI certificates with server authentication capability are available, these will be used. 憑證必須放在電腦憑證存放區的個人存放區內。The certificate must be located in the Personal store for the Computer certificate store.

  • SQL Service Broker:此機制經由進階加密標準 (AES) 使用長度為 2048 位元的自我簽署憑證進行驗證,以及簽署與加密資料。SQL Service Broker: This uses self-signed certificates with 2048 bits for authentication and to sign and encrypt the data by using Advanced Encryption Standard (AES). 憑證必須放在 SQL Server Master 資料庫中。The certificate must be located in the SQL Server master database.

    以檔案為基礎的複寫會使用伺服器訊息區 (SMB) 通訊協定,並使用 SHA-256 簽署未加密但也未包含任何敏感性資料的此資料。File-based replication uses the Server Message Block (SMB) protocol, and uses SHA-256 to sign this data that is not encrypted but does not contain any sensitive data. 如果您要加密此資料,可以使用 IPsec,且必須獨立於 Configuration Manager 來執行。If you want to encrypt this data, you can use IPsec and must implement this independently from Configuration Manager.

Cryptographic controls for clients that use HTTPS communication to site systems

When site system roles accept client connections, you can configure them to accept HTTPS and HTTP connections, or only HTTPS connections. Site system roles that accept connections from the Internet only accept client connections over HTTPS.

Client connections over HTTPS offer a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. However, configuring HTTPS client connections without a thorough understanding of PKI planning, deployment, and operations could still leave you vulnerable. For example, if you do not secure your root CA, attackers could compromise the trust of your entire PKI infrastructure. Failing to deploy and manage the PKI certificates by using controlled and secured processes might result in unmanaged clients that cannot receive critical software updates or packages.

Important

The PKI certificates that are used for client communication protect the communication only between the client and some site systems. They do not protect the communication channel between the site server and site systems, or between site servers.

Communication that is unencrypted when clients use HTTPS communication

When clients communicate with site systems by using HTTPS, communications are usually encrypted over SSL. However, in the following situations, clients communicate with site systems without using encryption:

  • The client fails to make an HTTPS connection on the intranet and falls back to using HTTP, when site systems allow this configuration

  • Communication to the following site system roles:

    • The client sends state messages to the fallback status point

    • The client sends PXE requests to a PXE-enabled distribution point

    • The client sends notification data to a management point

    Reporting services points are configured to use HTTP or HTTPS independently from the client communication mode.

Cryptographic controls for clients that use HTTP communication to site systems

When clients use HTTP communication to site system roles, they can use PKI certificates for client authentication, or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-signed certificates, they have a custom object identifier for signing and encryption, and these certificates are used to uniquely identify the client. For all supported operating systems except Windows Server 2003, these self-signed certificates use SHA-256 and have a key length of 2048 bits. For Windows Server 2003, SHA1 is used with a key length of 1024 bits.

Operating system deployment and self-signed certificates

When you use Configuration Manager to deploy operating systems with self-signed certificates, a client computer must also have a certificate to communicate with the management point, even if the computer is in a transitional phase such as booting from task sequence media or a PXE-enabled distribution point. To support this scenario for HTTP client connections, Configuration Manager generates self-signed certificates that have a custom object identifier for signing and encryption, and these certificates are used to uniquely identify the client. For all supported operating systems except Windows Server 2003, these self-signed certificates use SHA-256 and have a key length of 2048 bits. For Windows Server 2003, SHA1 is used with a key length of 1024 bits. If these self-signed certificates are compromised, to prevent attackers from using them to impersonate trusted clients, block the certificates in the Certificates node under the Security node of the Administration workspace.
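The two passages above state what a generated self-signed client certificate should look like (SHA-256 signature and a 2048-bit key, with SHA1 and 1024 bits only on Windows Server 2003, plus a custom object identifier). The following is an added example, not Configuration Manager's own code, that builds a constructed certificate with the `cryptography` library and audits it against that baseline; the OID used is a constructed placeholder, not the real Configuration Manager identifier.

```python
"""Added example (not Configuration Manager code): build a constructed
self-signed client certificate and audit it against the strength the
page describes. PLACEHOLDER_CLIENT_OID is a constructed placeholder."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Constructed placeholder standing in for the custom signing/encryption OID.
PLACEHOLDER_CLIENT_OID = ObjectIdentifier("1.3.6.1.4.1.99999.1")


def make_self_signed(cn: str, key_bits: int = 2048, hash_alg=None,
                     with_oid: bool = True) -> x509.Certificate:
    """Build a self-signed client certificate (SHA-256 unless told otherwise)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365)))
    if with_oid:
        builder = builder.add_extension(
            x509.UnrecognizedExtension(PLACEHOLDER_CLIENT_OID, b"client"),
            critical=False)
    return builder.sign(key, hash_alg or hashes.SHA256())


def audit_client_cert(cert: x509.Certificate,
                      windows_server_2003: bool = False) -> list:
    """Return findings; an empty list means the cert meets the page's baseline."""
    ok_hashes = {"sha1", "sha256"} if windows_server_2003 else {"sha256"}
    min_bits = 1024 if windows_server_2003 else 2048
    findings = []
    sig = cert.signature_hash_algorithm
    sig_name = sig.name if sig is not None else "none"
    if sig_name not in ok_hashes:
        findings.append(f"signature hash {sig_name} not in {sorted(ok_hashes)}")
    key_bits = cert.public_key().key_size
    if key_bits < min_bits:
        findings.append(f"RSA key {key_bits} bits < {min_bits}")
    try:  # the custom OID is what marks the cert as a client signing/encryption cert
        cert.extensions.get_extension_for_oid(PLACEHOLDER_CLIENT_OID)
    except x509.ExtensionNotFound:
        findings.append("custom client OID extension missing")
    return findings
```

Certificates exported from a real client can be loaded with `x509.load_pem_x509_certificate` and passed to `audit_client_cert` in the same way; a non-empty result on a non-2003 system is a candidate for blocking in the console as described above.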

Client and server authentication

When clients connect over HTTP, they authenticate the management points by using either Active Directory Domain Services or the Configuration Manager trusted root key. Clients do not authenticate other site system roles, such as state migration points or software update points.

When a management point first authenticates a client by using the self-signed client certificate, this mechanism provides minimal security because any computer can generate a self-signed certificate. In this scenario, the client identity process must be augmented by approval. Only trusted computers must be approved, either automatically by Configuration Manager or manually by an administrative user. For more information, see the approval section in Communications between endpoints.

About SSL vulnerabilities

To improve the security of your Configuration Manager clients and servers, do the following:

For more information, see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll and Prioritizing Schannel Cipher Suites. These procedures do not affect Configuration Manager functionality.