Fundamentals of security for Configuration Manager

Applies to: Configuration Manager (current branch)

This article summarizes the following fundamental security components of any Configuration Manager environment:

Security layers

Security for Configuration Manager consists of the following layers:

Windows OS and network security

The first layer is provided by Windows security features for both the OS and the network. This layer includes the following components:

  • File sharing to transfer files between Configuration Manager components

  • Access Control Lists (ACLs) to help secure files and registry keys

  • Internet Protocol Security (IPsec) to help secure communications

  • Group Policy to set security policy

  • Distributed Component Object Model (DCOM) permissions for distributed applications, like the Configuration Manager console

  • Active Directory Domain Services to store security principals

  • Windows account security, including some groups that Configuration Manager creates during setup

Network infrastructure

Additional security components, like firewalls and intrusion detection, help provide defense for the whole environment. Certificates issued by industry-standard public key infrastructure (PKI) implementations help provide authentication, signing, and encryption.

Configuration Manager security controls

In addition to the security provided by the Windows server and network infrastructure, Configuration Manager controls access to its console and resources in several ways. By default, only local administrators have rights to the files and registry keys that the Configuration Manager console requires on the computers where you install it.

SMS Provider

The next layer of security is based on access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is the Configuration Manager component that grants a user access to query the site database for information. By default, access to the provider is restricted to members of the local SMS Admins group. Initially this group contains only the user who installed Configuration Manager. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add those accounts to the SMS Admins group.

Starting in version 1810, you can specify the minimum authentication level that administrators need to access Configuration Manager sites. This feature requires administrators to sign in to Windows at that level.

For more information, see Plan for the SMS Provider.
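Because the SMS Admins group is the gate to the SMS Provider, its membership is worth auditing regularly. The following PowerShell is an added example, not code from the Microsoft article: it locates the provider host through the SMS_ProviderLocation class in the root\sms namespace, lists the members of the local SMS Admins group there, and flags any member that is not on an approved list. The approved-list entries are constructed placeholders; remoting to the provider host is assumed to be allowed.

```powershell
# Added example (not from the Microsoft article): audit membership of the local
# "SMS Admins" group on the SMS Provider computer and compare it with an approved list.
# The approved list below is constructed; replace it with your own.

$ApprovedMembers = @(
    'CONTOSO\cmsetup',             # assumed: the account that ran Configuration Manager setup
    'CONTOSO\CM-Provider-Admins'   # assumed: AD group that is allowed to reach the provider
)

# Find the SMS Provider for the local site (SMS_ProviderLocation lives in root\sms on the site server)
function Get-SmsProviderHost {
    param([string]$SiteServer = $env:COMPUTERNAME)
    Get-CimInstance -ComputerName $SiteServer -Namespace 'root\sms' -ClassName 'SMS_ProviderLocation' |
        Where-Object { $_.ProviderForLocalSite } |
        Select-Object SiteCode, Machine, NamespacePath
}

# Get-LocalGroupMember only works on the local computer, so use remoting for a remote provider host
function Get-SmsAdminsMembership {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $query = { Get-LocalGroupMember -Group 'SMS Admins' | Select-Object Name, ObjectClass, PrincipalSource }
    if ($ComputerName -ieq $env:COMPUTERNAME) {
        & $query
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $query
    }
}

# Report every member with a flag showing whether it appears on the approved list
function Compare-SmsAdminsMembership {
    param([string]$ComputerName = $env:COMPUTERNAME, [string[]]$Approved)
    foreach ($member in (Get-SmsAdminsMembership -ComputerName $ComputerName)) {
        [pscustomobject]@{
            Computer = $ComputerName
            Member   = $member.Name
            Type     = $member.ObjectClass
            Approved = ($Approved -contains $member.Name)
        }
    }
}

# Usage: show only the members that are not approved, so the output is empty when all is well
$provider = Get-SmsProviderHost
Compare-SmsAdminsMembership -ComputerName $provider.Machine -Approved $ApprovedMembers |
    Where-Object { -not $_.Approved } |
    Format-Table -AutoSize
```

Run this from an account that is itself a local administrator on the provider computer; reading local group membership needs that right, and a member reported as a group (ObjectClass "Group") should be expanded in Active Directory, since nested groups are where unintended provider access usually hides.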

Site database permissions

The final layer of security is based on permissions to objects in the site database. By default, the Local System account and the user account that you used to install Configuration Manager can administer all objects in the site database. Grant and restrict permissions for additional administrative users in the Configuration Manager console by using role-based administration.

Role-based administration

Configuration Manager uses role-based administration to help secure objects like collections, deployments, and sites. This administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings.

An administrator assigns security roles to administrative users, and each role groups permissions. The permissions are tied to different Configuration Manager object types, for example, the permission to create or change client settings.

Security scopes group specific instances of objects that an administrative user is responsible for managing, like an application that installs Microsoft 365 Apps.

The combination of security roles, security scopes, and collections defines the objects that an administrative user can view and manage. Configuration Manager installs some default security roles for typical management tasks. Create your own security roles to support your specific business requirements.

For more information, see Configure role-based administration.
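The role, scope and collection model described above can be set up from the Configuration Manager PowerShell cmdlets. The following script is an added example, not code from the Microsoft article: it creates a security scope for the Microsoft 365 Apps application mentioned above, tags that application instance with the scope, and then creates an administrative user whose built-in role is limited to that scope and to one collection. The site code, the ConfigurationManager module location, the AD group, the application name and the collection name are all assumptions; "Application Administrator" is one of the default roles that setup installs.

```powershell
# Added example (not from the Microsoft article): least-privilege delegation with
# role-based administration = security role x security scope x collection.
# Site code, module path and all object names below are assumptions.

$SiteCode = 'PS1'   # assumed site code; the cmdlets run from the site's PSDrive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

$ScopeName  = 'M365 Apps'                           # assumed security scope name
$AppName    = 'Microsoft 365 Apps for enterprise'   # assumed application name
$AdminGroup = 'CONTOSO\M365-App-Admins'             # assumed AD group to delegate to
$Collection = 'M365 Pilot Workstations'             # assumed collection that bounds the delegation

# 1. Security scope: the container for the object instances this group may manage
if (-not (Get-CMSecurityScope -Name $ScopeName)) {
    New-CMSecurityScope -Name $ScopeName -Description 'Objects for the Microsoft 365 Apps deployment' | Out-Null
}

# 2. Tag the application instance with the scope. New objects carry the "Default" scope;
#    remove it from the application if only the delegated group should see this object.
$app = Get-CMApplication -Name $AppName
if ($null -ne $app) {
    Add-CMObjectSecurityScope -Name $ScopeName -InputObject $app
}

# 3. Administrative user: a default role (what they may do) bound to the scope
#    (which instances) and to the collection (which devices)
if (-not (Get-CMAdministrativeUser -Name $AdminGroup)) {
    New-CMAdministrativeUser -Name $AdminGroup `
                             -RoleName 'Application Administrator' `
                             -SecurityScopeName $ScopeName `
                             -CollectionName $Collection | Out-Null
}

# 4. Review what the group ended up with: roles, scopes (CategoryNames) and collections
Get-CMAdministrativeUser -Name $AdminGroup |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

The review step matters: if the group also appears with the "Default" scope or the "All Systems" collection through another administrative-user entry, the narrower scope added here does not limit it, because rights accumulate across assignments.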

Securing client endpoints

Configuration Manager secures client communication with site system roles by using either self-signed or PKI certificates, or Azure Active Directory (Azure AD) tokens. Some scenarios require PKI certificates, for example internet-based client management and mobile device clients.

You can configure the site system roles to which clients connect for either HTTPS or HTTP client communication. Client computers always communicate by using the most secure method that's available. Client computers fall back to the less secure communication method only if you have site system roles that allow HTTP communication.

For more information, see Plan for security.

Configuration Manager accounts and groups

Configuration Manager uses the Local System account for most site operations. Some management tasks might require you to create and maintain additional accounts. Configuration Manager creates several default groups and SQL Server roles during setup. You might have to manually add computer or user accounts to the default groups and SQL Server roles.

For more information, see Accounts used in Configuration Manager.

Privacy

Before you implement Configuration Manager, consider your privacy requirements. Although enterprise management products offer many advantages because they can effectively manage large numbers of clients, this software might affect the privacy of users in your organization. Configuration Manager includes many tools to collect data and monitor devices. Some tools might raise privacy concerns in your organization.

For example, when you install the Configuration Manager client, it enables many management settings by default. This configuration causes the client software to send information to the Configuration Manager site. The site stores client information in the site database. The client information isn't sent directly to Microsoft. For more information, see Diagnostics and usage data.

See also