Plan for security in Configuration Manager

Applies to: Configuration Manager (current branch)

This article describes the concepts to consider when you plan for security in your Configuration Manager implementation. It includes the following sections:

Plan for certificates (self-signed and PKI)

Configuration Manager uses a combination of self-signed certificates and public key infrastructure (PKI) certificates.

Use PKI certificates whenever possible. For more information, see PKI certificate requirements. When Configuration Manager requests PKI certificates during enrollment for mobile devices, you must use Active Directory Domain Services and an enterprise certification authority. For all other PKI certificates, deploy and manage them independently from Configuration Manager.

PKI certificates are required when client computers connect to internet-based site systems. Some scenarios with the cloud management gateway and the cloud distribution point also require PKI certificates. For more information, see Manage clients on the internet.

When you use a PKI, you can also use IPsec to help secure the server-to-server communication between site systems in a site, between sites, and for other data transfer between computers. Implementation of IPsec is independent from Configuration Manager.

When PKI certificates aren't available, Configuration Manager automatically generates self-signed certificates. Some certificates in Configuration Manager are always self-signed. In most cases, Configuration Manager manages the self-signed certificates automatically, and you don't have to take additional action. One example is the site server signing certificate. This certificate is always self-signed. It ensures that the policies clients download from the management point were sent from the site server and weren't tampered with in transit.

Cryptography: Next Generation (CNG) v3 certificates

Configuration Manager supports Cryptography: Next Generation (CNG) v3 certificates. Configuration Manager clients can use a PKI client authentication certificate whose private key is held in a CNG Key Storage Provider (KSP). With KSP support, clients can use hardware-backed private keys, such as the TPM KSP, for PKI client authentication certificates. For more information, see CNG v3 certificates overview.

Enhanced HTTP

Using HTTPS is recommended for all Configuration Manager communication paths, but the overhead of managing PKI certificates makes it challenging for some customers. The introduction of Azure Active Directory (Azure AD) integration reduces some, but not all, of the certificate requirements. Starting in version 1806, you can enable the site to use Enhanced HTTP. This configuration supports HTTPS on site systems by using a combination of self-signed certificates and Azure AD. It doesn't require a PKI. For more information, see Enhanced HTTP.

Certificates for CMG and CDP

Managing clients on the internet through the cloud management gateway (CMG) and the cloud distribution point (CDP) requires certificates. The number and type of certificates vary depending on your specific scenarios. For more information, see the certificate articles for the CMG and the CDP.

Plan for the site server signing certificate (self-signed)

Clients can securely get a copy of the site server signing certificate from Active Directory Domain Services and from client push installation. If clients can't get a copy of this certificate by one of these mechanisms, install it when you install the client. This step is especially important if the client's first communication with the site is with an internet-based management point. Because that server is connected to an untrusted network, it's more exposed to attack. If you don't take this additional step, clients automatically download a copy of the site server signing certificate from the management point and have no independent way to verify it.

Clients can't securely get a copy of the site server signing certificate in the following scenarios:

  • You don't install the client by using client push, and:

    • You haven't extended the Active Directory schema for Configuration Manager.

    • You haven't published the client's site to Active Directory Domain Services.

    • The client is from an untrusted forest or a workgroup.

  • You're using internet-based client management and you install the client while it's on the internet.

To install clients with a copy of the site server signing certificate

  1. Locate the site server signing certificate on the primary site server. The certificate is stored in the SMS certificate store of Windows. It has the Subject name Site Server and the friendly name Site Server Signing Certificate.

  2. Export the certificate without the private key, store the file securely, and access it only over a secured channel.

  3. Install the client by using the following client.msi property: SMSSIGNCERT=<full path and file name>
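As an added example (not from the Configuration Manager documentation), the following PowerShell carries out the three steps above: it exports the public part of the signing certificate on the primary site server, and at client installation it checks the file against a thumbprint recorded out of band before passing it to ccmsetup, which is what "store the file securely" amounts to once the file travels over a share. The share \\fileserver\ConfigMgrCerts, the management point mp01.contoso.com and the site code PS1 are placeholders.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumptions: run on the primary site server; \\fileserver\ConfigMgrCerts,
# mp01.contoso.com and site code PS1 are placeholders.

function Export-SiteServerSigningCert {
    param([Parameter(Mandatory)] [string] $OutFile)

    # Step 1: the certificate lives in the machine SMS store with Subject "CN=Site Server".
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\SMS' |
        Where-Object {
            $_.Subject -eq 'CN=Site Server' -and
            $_.FriendlyName -eq 'Site Server Signing Certificate'
        } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1          # newest one if the store holds more than one

    if (-not $cert) { throw 'Site server signing certificate not found in Cert:\LocalMachine\SMS.' }

    # Step 2: -Type CERT writes the DER-encoded public certificate only; the private key
    # stays in the store. The file is safe to hand out but must be protected from substitution.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    return $cert.Thumbprint
}

function Install-ClientWithSigningCert {
    param(
        [Parameter(Mandatory)] [string] $CcmSetup,            # path to ccmsetup.exe
        [Parameter(Mandatory)] [string] $CertFile,            # exported .cer for SMSSIGNCERT
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # recorded out of band
        [Parameter(Mandatory)] [string] $ManagementPoint,
        [Parameter(Mandatory)] [string] $SiteCode
    )
    # Verify the file before trusting it: a file fetched over a share could otherwise have been
    # swapped for an attacker's certificate, which would make rogue policy look signed.
    $actual = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile).Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        throw "Signing certificate file has thumbprint $actual, expected $ExpectedThumbprint."
    }
    # Step 3: hand the file to the client with the SMSSIGNCERT client.msi property.
    & $CcmSetup "/mp:$ManagementPoint" "SMSSITECODE=$SiteCode" "SMSSIGNCERT=$CertFile"
}

# On the site server:
$thumbprint = Export-SiteServerSigningCert -OutFile 'C:\Temp\SiteServerSigning.cer'
Copy-Item 'C:\Temp\SiteServerSigning.cer' '\\fileserver\ConfigMgrCerts\SiteServerSigning.cer'
"Record this thumbprint out of band: $thumbprint"

# On the client being installed (the thumbprint comes from the record above, not from the share):
Install-ClientWithSigningCert -CcmSetup '\\fileserver\ConfigMgrCerts\ccmsetup.exe' `
    -CertFile '\\fileserver\ConfigMgrCerts\SiteServerSigning.cer' `
    -ExpectedThumbprint $thumbprint -ManagementPoint 'mp01.contoso.com' -SiteCode 'PS1'
```

The two halves run on different machines in practice; they are shown in one script only so the thumbprint hand-off is visible. Keeping the share read-only for clients and comparing the thumbprint at install time closes the gap the page warns about: an internet-facing management point is the one place a client would otherwise learn the signing certificate from.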

Plan for PKI certificate revocation

When you use PKI certificates with Configuration Manager, plan for the use of a certificate revocation list (CRL). Devices use the CRL to verify the certificate on the computer they connect to. The CRL is a file that a certification authority (CA) creates and signs. It lists certificates that the CA has issued but revoked. When a certificate administrator revokes a certificate, for example because it's known or suspected to be compromised, the certificate's serial number is added to the CRL.

Important

Because the location of the CRL is added to a certificate when a CA issues it, plan for the CRL before you deploy any PKI certificates that Configuration Manager uses.

IIS always checks the CRL for client certificates, and you can't change this behavior in Configuration Manager. By default, Configuration Manager clients always check the CRL for site systems. To disable this check, you specify both a site property and a CCMSetup property.

Computers that use certificate revocation checking but can't locate the CRL behave as if every certificate in the certification chain is revoked, because they can't verify whether the certificates are on the list. In this scenario, every connection that requires certificates and includes CRL checking fails. When you validate that your CRL is accessible by browsing to its HTTP location, remember that the Configuration Manager client runs as LOCAL SYSTEM. Testing CRL accessibility with a web browser in the user context may therefore succeed while the computer account is blocked by an internal web filtering solution when it makes an HTTP connection to the same CRL URL. In this situation you may need to add the CRL URL to the allow list of every web filtering solution.

Checking the CRL every time a certificate is used offers more protection against a revoked certificate being accepted, but it introduces a connection delay and additional processing on the client. Your organization may require this additional security check for clients on the internet or on an untrusted network.

Consult your PKI administrators before you decide whether Configuration Manager clients must check the CRL. Then consider keeping this option enabled in Configuration Manager when both of the following conditions are true:

  • Your PKI infrastructure supports a CRL, and it's published where all Configuration Manager clients can locate it. These clients might include devices on the internet and devices in untrusted forests.

  • The requirement to check the CRL for each connection to a site system that's configured to use a PKI certificate outweighs the following:

    • Faster connections
    • Efficient processing on the client
    • The risk that clients fail to connect to servers when the CRL can't be located
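The following PowerShell is an added example (not from the documentation) of the CRL reachability check the previous paragraphs describe. It reads the CRL Distribution Point URLs out of a certificate, fetches each one, and checks that what came back is DER rather than a filter's block page. Because the client runs as LOCAL SYSTEM, run it under SYSTEM (for example with Sysinternals PsExec and its -s switch) rather than in your own session; the script prints the identity it runs as so the two results are not confused. The certificate file C:\Temp\mp01.cer is a placeholder for any certificate the client must validate, such as a management point's server certificate exported without its private key.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Assumption: C:\Temp\mp01.cer is a placeholder for an exported certificate whose CRL you
# want to test. To test as the computer account: psexec -s powershell.exe -File .\Test-Crl.ps1

function Get-CrlUrl {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as text with
    # lines such as "URL=http://pki.contoso.com/CertEnroll/ContosoCA.crl".
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(https?://[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([Parameter(Mandatory)] [string] $Url)
    $result = [ordered]@{ Url = $Url; Reachable = $false; LooksLikeCrl = $false; Detail = '' }
    try {
        # Client CRL fetches are plain HTTP, so an HTTP-inspecting web filter is enough to break
        # them; an unreachable CRL is treated as "everything in the chain is revoked".
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        $result.Reachable = $true
        # A real CRL is DER and starts with 0x30 (SEQUENCE); a proxy block page is HTML and doesn't.
        $bytes = $resp.RawContentStream.ToArray()
        $result.LooksLikeCrl = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x30)
        $result.Detail = "HTTP $($resp.StatusCode), $($bytes.Length) bytes, Content-Type $($resp.Headers['Content-Type'])"
    } catch {
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Identity matters: a pass as a logged-on user says nothing about the computer account.
"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\mp01.cer'
$urls = Get-CrlUrl -Certificate $cert
if (-not $urls) { Write-Warning 'Certificate has no CRL Distribution Point; revocation checking cannot succeed for it.' }

$urls | ForEach-Object { Test-CrlUrl -Url $_ } | Format-Table -AutoSize

# Cross-check with the Windows chain engine, which performs the same fetch the client relies on.
certutil -verify -urlfetch 'C:\Temp\mp01.cer' | Select-String -Pattern 'Revocation|CRL|ERROR'
```

A URL that is reachable but does not look like a CRL is the signature of the web-filter case in the text: the HTTP request succeeded, but the body is a block page, and the client will still treat the chain as revoked.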

Plan for the PKI trusted root certificates and the certificate issuers list

If your IIS site systems use PKI client certificates for client authentication over HTTP, or for client authentication and encryption over HTTPS, you might have to import root CA certificates as a site property. Here are the two scenarios:

  • You deploy operating systems by using Configuration Manager, and the management points only accept HTTPS client connections.

  • You use PKI client certificates that don't chain to a root certificate that the management points trust.

    Note

    When you issue client PKI certificates from the same CA hierarchy that issues the server certificates you use for management points, you don't have to specify this root CA certificate. However, if you use multiple CA hierarchies and you aren't sure whether they trust each other, import the root CA for the clients' CA hierarchy.

If you must import root CA certificates for Configuration Manager, export them from the issuing CA or from a client computer. If you export the certificate from an issuing CA that's also the root CA, make sure you don't export the private key. Store the exported certificate file in a secure location to prevent tampering. You need access to the file when you set up the site. If you access the file over the network, make sure the communication is protected from tampering, for example by using IPsec.

If any root CA certificate that you import is renewed, you must import the renewed certificate.

These imported root CA certificates and the root CA certificate of each management point form the certificate issuers list that Configuration Manager computers use in the following ways:

  • When clients connect to management points, the management point verifies that the client certificate chains to a trusted root certificate in the site's certificate issuers list. If it doesn't, the certificate is rejected and the PKI connection fails.

  • When clients select a PKI certificate and have a certificate issuers list, they select a certificate that chains to a trusted root certificate in that list. If there's no match, the client doesn't select a PKI certificate. For more information, see Plan for PKI client certificate selection.

Plan for PKI client certificate selection

If your IIS site systems use PKI client certificates for client authentication over HTTP, or for client authentication and encryption over HTTPS, plan for how Windows clients select the certificate to use for Configuration Manager.

Note

Some devices don't support a certificate selection method. Instead, they automatically select the first certificate that fulfills the certificate requirements. For example, clients on Mac computers and mobile devices don't support a certificate selection method.

In many cases, the default configuration and behavior are sufficient. The Configuration Manager client on Windows computers filters multiple certificates by using these criteria, in this order:

  1. The certificate issuers list: the certificate chains to a root CA that's trusted by the management point.

  2. The certificate is in the default certificate store, Personal.

  3. The certificate is valid, not revoked, and not expired. The validity check also verifies that the private key is accessible.

  4. The certificate has the client authentication capability.

  5. The certificate Subject Name contains the local computer name as a substring.

  6. The certificate has the longest validity period.

Configure clients to use the certificate issuers list by using the following mechanisms:

  • Publish it with the Configuration Manager site information to Active Directory Domain Services.

  • Install clients by using client push.

  • Clients download it from the management point after they're successfully assigned to their site.

  • Specify it during client installation as the CCMSetup client.msi property CCMCERTISSUERS.

Clients that don't have the certificate issuers list when they're first installed, and aren't yet assigned to a site, skip this check. When clients do have the certificate issuers list but don't have a PKI certificate that chains to a trusted root certificate in it, certificate selection fails. Clients don't continue with the other certificate selection criteria.

In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI certificate. When it doesn't, instead of selecting the certificate based on the client authentication capability, you can set up one of two alternative selection methods:

  • A partial string match on the client certificate subject name. This method is a case-insensitive match. It's appropriate if you use the fully qualified domain name (FQDN) of a computer in the subject field and want certificate selection to be based on the domain suffix, for example contoso.com. However, you can use this selection method to match any string of consecutive characters in the certificate subject name that differentiates the certificate from others in the client certificate store.

    Note

    You can't use the partial string match with the subject alternative name (SAN) as a site setting. Although you can specify a partial string match for the SAN by using CCMSetup, it's overwritten by the site properties in the following scenarios:

    • Clients retrieve site information that's published to Active Directory Domain Services.

    • Clients are installed by using client push installation.

    Use a partial string match in the SAN only when you install clients manually and they don't retrieve site information from Active Directory Domain Services. For example, these conditions apply to internet-only clients.

  • A match on the client certificate subject name attribute values or the subject alternative name (SAN) attribute values. This method is a case-sensitive match. It's appropriate if you use an X.500 distinguished name or the equivalent object identifiers (OIDs) in compliance with RFC 3280, and you want certificate selection to be based on the attribute values. You can specify only the attributes and values that you require to uniquely identify or validate the certificate and differentiate it from others in the certificate store.

The following table shows the attribute values that Configuration Manager supports for the client certificate selection criteria.

  OID attribute                 Distinguished name attribute   Attribute definition
  0.9.2342.19200300.100.1.25    DC                             Domain component
  1.2.840.113549.1.9.1          E or E-mail                    Email address
  2.5.4.3                       CN                             Common name
  2.5.4.4                       SN                             Surname
  2.5.4.5                       SERIALNUMBER                   Serial number
  2.5.4.6                       C                              Country code
  2.5.4.7                       L                              Locality
  2.5.4.8                       S or ST                        State or province name
  2.5.4.9                       STREET                         Street address
  2.5.4.10                      O                              Organization name
  2.5.4.11                      OU                             Organizational unit
  2.5.4.12                      T or Title                     Title
  2.5.4.42                      G or GN or GivenName           Given name
  2.5.4.43                      I or Initials                  Initials
  2.5.29.17                     (no value)                     Subject Alternative Name

Note

If you configure either of the above alternate certificate selection methods, the certificate Subject Name doesn't need to contain the local computer name.

If more than one appropriate certificate is located after the selection criteria are applied, you can override the default behavior of selecting the certificate with the longest validity period and instead specify that no certificate is selected. In that case the client can't communicate with IIS site systems by using a PKI certificate. The client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can change or refine your certificate selection criteria. The client behavior then depends on whether the failed connection was over HTTPS or HTTP:

  • If the failed connection was over HTTPS: the client tries to connect over HTTP and uses the client self-signed certificate.

  • If the failed connection was over HTTP: the client tries to connect again over HTTP by using the self-signed client certificate.

To help identify a unique PKI client certificate, you can also specify a custom store other than the default Personal store in the Computer store. However, you must create this store independently of Configuration Manager. You must be able to deploy certificates to this custom store and renew them before their validity period expires.

For more information, see Configure settings for client PKI certificates.
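The PowerShell below is an added example, not part of the documentation or of the Configuration Manager client. It walks the six default selection criteria above against the computer's Personal store so that you can predict which certificate the client is likely to pick, and which one would win a tie, before you change the selection criteria. It also shows how the partial-string alternate method changes criterion 5. The root CA thumbprint and the ccmsetup lines at the end are placeholders; client authentication is taken to be the EKU 1.3.6.1.5.5.7.3.2, and a certificate whose chain can't be built (including an unreachable CRL) is treated as revoked, as the page describes.

```powershell
# Added example, not part of the Configuration Manager documentation or client.
# Assumptions: the thumbprint and the CCMCERTSEL values at the end are placeholders; client
# authentication is EKU 1.3.6.1.5.5.7.3.2; a failed chain build counts as "not valid".

function Select-ClientAuthCertificate {
    param(
        [string[]] $TrustedRootThumbprints = @(),         # certificate issuers list; empty = no list yet
        [string]   $StorePath = 'Cert:\LocalMachine\My',  # criterion 2: Personal store of the computer
        [string]   $SubjectContains                       # alternate method 1: partial, case-insensitive
    )
    $selected = @()
    foreach ($cert in Get-ChildItem -Path $StorePath) {

        # Criterion 3: valid, not expired, not revoked, and the private key is present.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        if (-not $chain.Build($cert) -or -not $cert.HasPrivateKey) { continue }

        # Criterion 1: chains to a root in the issuers list. With a list present and no match,
        # the client fails selection outright rather than falling through to other criteria.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($TrustedRootThumbprints.Count -gt 0 -and $root.Thumbprint -notin $TrustedRootThumbprints) { continue }

        # Criterion 4: the Client Authentication enhanced key usage.
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) { continue }

        # Criterion 5, or the alternate partial-string method when one is configured
        # (in which case the computer name no longer has to appear in the subject).
        $needle = if ($SubjectContains) { $SubjectContains } else { $env:COMPUTERNAME }
        if ($cert.Subject -notlike "*$needle*") { continue }

        $selected += $cert
    }

    # Criterion 6: longest validity period wins. The site can instead be told to select nothing
    # when more than one remains, so report that case to the caller.
    $ordered = @($selected | Sort-Object { $_.NotAfter - $_.NotBefore } -Descending)
    [pscustomobject]@{
        Candidates = $ordered
        Selected   = if ($ordered.Count -gt 0) { $ordered[0] } else { $null }
        Ambiguous  = ($ordered.Count -gt 1)
    }
}

$result = Select-ClientAuthCertificate -TrustedRootThumbprints @('0123456789ABCDEF0123456789ABCDEF01234567')
$result.Candidates | Format-Table Subject, Thumbprint, NotAfter -AutoSize
if ($result.Ambiguous) { Write-Warning 'More than one certificate qualifies; tighten the selection criteria.' }

# The two alternate methods as CCMSetup client.msi properties (syntax as given in the client
# installation properties reference; the values are placeholders):
#   ccmsetup.exe /mp:mp01.contoso.com SMSSITECODE=PS1 CCMCERTSEL="SubjectStr:contoso.com"
#   ccmsetup.exe /mp:mp01.contoso.com SMSSITECODE=PS1 CCMCERTSEL="SubjectAttr:OU = Workstations"
```

Run it on a pilot machine both with and without the issuers list to see the difference the text describes: without a list, criterion 1 is skipped; with a list and no chaining certificate, the result is empty even when a perfectly good client-authentication certificate is present.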

Plan a transition strategy for PKI certificates and internet-based client management

The flexible configuration options in Configuration Manager let you gradually transition clients and the site to use PKI certificates to help secure client endpoints. PKI certificates provide better security and let you manage internet clients.

Because of the number of configuration options and choices in Configuration Manager, there's no single way to transition a site so that all clients use HTTPS connections. However, you can follow these steps as guidance:

  1. Install the Configuration Manager site and configure it so that site systems accept client connections over both HTTPS and HTTP.

  2. On the Client Computer Communication tab in the site properties, set Site System Settings to HTTP or HTTPS, and select Use PKI client certificate (client authentication capability) when available. For more information, see Configure settings for client PKI certificates.

    Note

    Starting in version 1906, this tab is called Communication Security.

  3. Pilot a PKI rollout for client certificates. For an example deployment, see Deploy the client certificate for Windows computers.

  4. Install clients by using the client push installation method. For more information, see How to install Configuration Manager clients by using client push.

  5. Monitor client deployment and status by using the reports and information in the Configuration Manager console.

  6. Track how many clients are using a client PKI certificate by viewing the Client Certificate column in the Assets and Compliance workspace, Devices node.

    You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool (cmHttpsReadiness.exe) to computers. Then use the reports to view how many computers can use a client PKI certificate with Configuration Manager.

    Note

    When you install the Configuration Manager client, it installs the CMHttpsReadiness.exe tool in the %windir%\CCM folder. The following command-line options are available when you run this tool:

    • /Store:<name>: the same as the CCMCERTSTORE client.msi property

    • /Issuers:<list>: the same as the CCMCERTISSUERS client.msi property

    • /Criteria:<criteria>: the same as the CCMCERTSEL client.msi property

    • /SelectFirstCert: the same as the CCMFIRSTCERT client.msi property

    For more information, see About client installation properties.

  7. When you're confident that enough clients are successfully using their client PKI certificate for authentication over HTTP, follow these steps:

    1. Deploy a PKI web server certificate to a member server that runs an additional management point for the site, and configure that certificate in IIS. For more information, see Deploy the web server certificate for site systems that run IIS.

    2. Install the management point role on this server and set the Client connections option in the management point properties to HTTPS.

  8. Monitor and verify that clients that have a PKI certificate use the new management point over HTTPS. You can use IIS logging or performance counters to verify this.

  9. Reconfigure other site system roles to use HTTPS client connections. If you want to manage clients on the internet, make sure that the site systems have an internet FQDN. Configure individual management points and distribution points to accept client connections from the internet.

    Important

    Before you set up site system roles to accept connections from the internet, review the planning information and prerequisites for internet-based client management. For more information, see Communications between endpoints.

  10. Extend the PKI certificate rollout to more clients and to the site systems that run IIS. Set up the site system roles for HTTPS client connections and internet connections as required.

  11. For the highest security: when you're confident that all clients are using a client PKI certificate for authentication and encryption, change the site properties to use HTTPS only.

    This plan first introduces PKI certificates for authentication only, over HTTP, and then for authentication and encryption over HTTPS. When you follow this plan to introduce the certificates gradually, you reduce the risk that clients become unmanaged. You also benefit from the highest security that Configuration Manager supports.

規劃受信任的根金鑰Plan for the trusted root key

Configuration Manager 受信任的根金鑰提供 Configuration Manager 用戶端機制來確認站台系統隸屬其階層。The Configuration Manager trusted root key provides a mechanism for Configuration Manager clients to verify site systems belong to their hierarchy. 每個網站伺服器會產生網站交換金鑰,以與其他網站通訊。Every site server generates a site exchange key to communicate with other sites. 來自階層頂層網站的網站交換金鑰稱為受信任的根金鑰。The site exchange key from the top-level site in the hierarchy is called the trusted root key.

Configuration Manager 中受信任根金鑰的功能類似公開金鑰基礎結構的根憑證。The function of the trusted root key in Configuration Manager resembles a root certificate in a public key infrastructure. 由受信任根金鑰的私密金鑰所簽署的任何物件,都會沿著階層受到信任。Anything signed by the private key of the trusted root key is trusted further down the hierarchy. 用戶端會將站台的受信任根金鑰複本儲存在 root\ccm\locationservices WMI 命名空間中。Clients store a copy of the site's trusted root key in the root\ccm\locationservices WMI namespace.

例如,站台會對管理點發出憑證,並使用受信任根金鑰的私密金鑰進行簽署。For example, the site issues a certificate to the management point, which it signs with the private key of the trusted root key. 站台會與用戶端分享其受信任根金鑰的公開金鑰。The site shares with clients the public key of its trusted root key. 然後,用戶端可以區別出階層中的管理點與不在階層中的管理點。Then clients can differentiate between management points that are in their hierarchy and management points that aren't in their hierarchy.

用戶端會使用兩種機制來自動擷取受信任根金鑰的公開複本。Clients automatically retrieve the public copy of the trusted root key by using two mechanisms:

  • 您可以延伸 Configuration Manager 的 Active Directory 架構,並將站台發佈至 Active Directory 網域服務。You extend the Active Directory schema for Configuration Manager, and publish the site to Active Directory Domain Services. 然後,用戶端會從通用類別目錄伺服器擷取此站台資訊。Then clients retrieve this site information from a global catalog server. 如需詳細資訊,請參閱準備 Active Directory 以發佈站台For more information, see Prepare Active Directory for site publishing.

  • 您可以使用用戶端推入安裝方法來安裝用戶端。When you install clients using the client push installation method. 如需詳細資訊,請參閱用戶端推入安裝For more information, see Client push installation.

如果用戶端無法使用其中一種機制來擷取受信任的根金鑰,就會信任由第一個與其通訊之管理點所提供的受信任根金鑰。If clients can't retrieve the trusted root key by using one of these mechanisms, they trust the trusted root key that's provided by the first management point that they communicate with. 在此案例中,可能會將用戶端錯誤導向到攻擊者的管理點 (該管理點會接收來自 Rogue 管理點的原則)。In this scenario, a client might be misdirected to an attacker's management point where it would receive policy from the rogue management point. 此動作必須由狡猾的攻擊者發動。This action requires a sophisticated attacker. 只有用戶端從有效管理點擷取受信任根金鑰前的短時間內,才會發動這項攻擊。This attack is limited to the short time before the client retrieves the trusted root key from a valid management point. 若要降低攻擊者錯誤導向用戶端至 Rogue 管理點的這種風險,請使用受信任的根金鑰來預先佈建用戶端。To reduce this risk of an attacker misdirecting clients to a rogue management point, pre-provision the clients with the trusted root key.

使用以下程序預先佈建並確認 Configuration Manager 用戶端的受信任根金鑰:Use the following procedures to pre-provision and verify the trusted root key for a Configuration Manager client:

Pre-provision a client with the trusted root key by using a file

  1. On the site server, open the following file in a text editor: <Configuration Manager install directory>\bin\mobileclient.tcf

  2. Locate the entry SMSPublicRootKey=. Copy the key from that line, and close the file without making any changes.

  3. Create a new text file, and paste the key information that you copied from the mobileclient.tcf file.

  4. Save the file in a location where all computers can access it, but where the file is safe from tampering.

  5. Install the client by using any installation method that accepts client.msi properties. Specify the following property: SMSROOTKEYPATH=<full path and file name>

    Important

    When you specify the trusted root key during client installation, also specify the site code. Use the following client.msi property: SMSSITECODE=<site code>

Pre-provision a client with the trusted root key without using a file

  1. On the site server, open the following file in a text editor: <Configuration Manager install directory>\bin\mobileclient.tcf

  2. Locate the entry SMSPublicRootKey=. Copy the key from that line, and close the file without making any changes.

  3. Install the client by using any installation method that accepts client.msi properties. Specify the following client.msi property: SMSPublicRootKey=<key>, where <key> is the string that you copied from mobileclient.tcf.

    Important

    When you specify the trusted root key during client installation, also specify the site code. Use the following client.msi property: SMSSITECODE=<site code>

Verify the trusted root key on a client

  1. Open a Windows PowerShell console as an administrator.

  2. Run the following command:

    (Get-WmiObject -Namespace root\ccm\locationservices -Class TrustedRootKey).TrustedRootKey

The returned string is the trusted root key. Verify that it matches the SMSPublicRootKey value in the mobileclient.tcf file on the site server.
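The three procedures above (pre-provisioning with a file, pre-provisioning without a file, and verifying the key on a client) carried out as one PowerShell script. This is an added example, not code from the Configuration Manager documentation or product. The install path, the share path and the site code are placeholders; the parsing of mobileclient.tcf assumes a plain SMSPublicRootKey=<key> line, as the steps describe; and the ccmsetup.exe invocation mentioned in a comment is an assumption, since the page only says the properties can be passed to any installation method that accepts client.msi properties.

```powershell
# Added example (not from the Configuration Manager docs): stage the trusted root key
# from mobileclient.tcf for client installation and verify it on an installed client.
# Paths and the site code below are placeholders; replace them for your hierarchy.

function Get-TrustedRootKeyFromTcf {
    # Read the SMSPublicRootKey= line from mobileclient.tcf and return only the key value.
    # Assumption: the file holds one "SMSPublicRootKey=<key>" line, as the procedure describes.
    param([Parameter(Mandatory)][string]$TcfPath)
    $line = Get-Content -Path $TcfPath |
        Where-Object { $_ -match '^\s*SMSPublicRootKey\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw "SMSPublicRootKey entry not found in $TcfPath" }
    return ($line -replace '^\s*SMSPublicRootKey\s*=', '').Trim()
}

function Export-TrustedRootKeyFile {
    # Write the key to a file for SMSROOTKEYPATH and restrict the ACL so that every
    # authenticated user can read it but only Administrators and SYSTEM can change it
    # (the procedure requires a location that is safe from tampering).
    param([Parameter(Mandatory)][string]$Key,
          [Parameter(Mandatory)][string]$KeyFilePath)
    Set-Content -Path $KeyFilePath -Value $Key -NoNewline -Encoding ASCII
    $acl = Get-Acl -Path $KeyFilePath
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting rules from the folder
    $rules = @(
        [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl', 'Allow'),
        [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', 'FullControl', 'Allow'),
        [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\Authenticated Users', 'Read', 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $KeyFilePath -AclObject $acl
    return $KeyFilePath
}

function Get-ClientInstallProperties {
    # Build the client.msi properties for either pre-provisioning method. SMSSITECODE is
    # always included, as the "Important" notes in the procedures require.
    param([Parameter(Mandatory)][string]$SiteCode,
          [string]$KeyFilePath,
          [string]$Key)
    if ($KeyFilePath) { return "SMSSITECODE=$SiteCode SMSROOTKEYPATH=`"$KeyFilePath`"" }
    if ($Key)         { return "SMSSITECODE=$SiteCode SMSPublicRootKey=$Key" }
    throw 'Specify either -KeyFilePath (file method) or -Key (no-file method).'
}

function Test-TrustedRootKey {
    # Run on an installed client: compare the key in WMI (the page's verification command)
    # with the key taken from mobileclient.tcf on the site server.
    param([Parameter(Mandatory)][string]$ExpectedKey)
    $clientKey = (Get-WmiObject -Namespace root\ccm\locationservices -Class TrustedRootKey).TrustedRootKey
    [pscustomobject]@{
        ClientKey = $clientKey
        Matches   = ($clientKey -eq $ExpectedKey)
    }
}

# Usage on the site server (placeholder install path, share and site code):
$tcf  = 'C:\Program Files\Microsoft Configuration Manager\bin\mobileclient.tcf'
$key  = Get-TrustedRootKeyFromTcf -TcfPath $tcf
$file = Export-TrustedRootKeyFile -Key $key -KeyFilePath '\\fileserver\ccmsetup$\rootkey.txt'
Get-ClientInstallProperties -SiteCode 'PS1' -KeyFilePath $file   # file method
Get-ClientInstallProperties -SiteCode 'PS1' -Key $key            # no-file method
# Assumed invocation: append the returned string to an installer command line that accepts
# client.msi properties, for example ccmsetup.exe (the page does not show the command line).

# Usage on a client after installation, with $key carried over from the site server:
# Test-TrustedRootKey -ExpectedKey $key
```

The ACL step is what turns step 4 of the file procedure ("safe from tampering") into something checkable: a client that reads a writable key file would trust whatever was last written there, which is the same failure mode as trusting the first management point it meets.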

Remove or replace the trusted root key

Remove the trusted root key from a client by using the client.msi property RESETKEYINFORMATION = TRUE.

To replace the trusted root key, reinstall the client together with the new trusted root key. For example, use client push, or specify the client.msi property SMSPublicRootKey.

For more information on these installation properties, see About client installation parameters and properties.

Plan for signing and encryption

When you use PKI certificates for all client communications, you don't have to plan for signing and encryption to help secure client data communication. If you set up any site systems that run IIS to allow HTTP client connections, decide how to help secure the client communication for the site.

To help protect the data that clients send to management points, you can require clients to sign the data. You can also require the SHA-256 algorithm for signing. This configuration is more secure, but don't require SHA-256 unless all clients support it. Many operating systems natively support this algorithm, but older operating systems might require an update or hotfix.

While signing helps protect the data from tampering, encryption helps protect the data from information disclosure. You can enable 3DES encryption for the inventory data and state messages that clients send to management points in the site. You don't have to install any updates on clients to support this option. Clients and management points require additional CPU usage for encryption and decryption.

For more information about how to configure the settings for signing and encryption, see Configure signing and encryption.

Plan for role-based administration

For more information, see Fundamentals of role-based administration.

Plan for Azure Active Directory

Configuration Manager integrates with Azure Active Directory (Azure AD) to enable the site and clients to use modern authentication. Onboarding your site with Azure AD supports the following Configuration Manager scenarios:

Client

Server

For more information on connecting your site to Azure AD, see Configure Azure services.

For more information about Azure AD, see Azure Active Directory documentation.

Plan for SMS Provider authentication

Starting in version 1810, you can specify the minimum authentication level for administrators to access Configuration Manager sites. This feature requires administrators to sign in to Windows at the required level. It applies to all components that access the SMS Provider, for example the Configuration Manager console, SDK methods, and Windows PowerShell cmdlets.

This configuration is a hierarchy-wide setting. Before you change this setting, make sure that all Configuration Manager administrators can sign in to Windows with the required authentication level.

The following levels are available:

  • Windows authentication: Require authentication with Active Directory domain credentials.

  • Certificate authentication: Require authentication with a valid certificate that's issued by a trusted PKI certificate authority.

  • Windows Hello for Business authentication: Require authentication with strong two-factor authentication that's tied to a device and uses biometrics or a PIN.

For more information, see Plan for the SMS Provider.

See also