Security and privacy for OS deployment in Configuration Manager

Applies to: Configuration Manager (current branch)

This article contains security and privacy information for the OS deployment feature in Configuration Manager.

Security best practices for OS deployment

Use the following security best practices when you deploy operating systems with Configuration Manager:

Implement access controls to protect bootable media

When you create bootable media, always assign a password to help secure the media. Even with a password, only the files that contain sensitive information are encrypted, and all files can be overwritten.

Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate.

To help prevent a client from installing content or client policy that has been tampered with, the content is hashed and must be used with the original policy. If the content hash fails, or if the check that the content matches the policy fails, the client won't use the bootable media. Only the content is hashed. The policy isn't hashed, but it's encrypted and secured when you specify a password. This behavior makes it more difficult for an attacker to successfully modify the policy.
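Because the built-in check covers only the hashed content, a defender may also want an independent record of what was on the media when it left the secure creation location. The following PowerShell script is an added example and is not part of the Configuration Manager documentation or product: it writes a SHA-256 manifest of every file on freshly created bootable media and later verifies the media against it, reporting missing, modified and newly added files. The drive letter, the manifest path and the parameter names are constructed for this example; keep the manifest somewhere other than the media itself.

```powershell
# Added example, not from the Configuration Manager documentation: record a SHA-256 manifest of
# every file on freshly created bootable media and verify the media against it before use.
# $MediaRoot and $ManifestPath are constructed placeholders; keep the manifest off the media.
param(
    [string]$MediaRoot    = 'D:\',
    [string]$ManifestPath = 'C:\Secure\BootMedia.sha256.csv',
    [switch]$Create        # use -Create right after media creation; omit it to verify
)

function New-MediaManifest {
    param([string]$Root, [string]$OutFile)
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Root.Length)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Test-MediaManifest {
    # Returns an empty list when the media matches the manifest exactly
    param([string]$Root, [string]$ManifestFile)
    $expected = @(Import-Csv -Path $ManifestFile)
    $problems = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $expected) {
        $full = Join-Path -Path $Root -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $full)) {
            $problems.Add("MISSING  $($entry.RelativePath)")
            continue
        }
        if ((Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash -ne $entry.Sha256) {
            $problems.Add("MODIFIED $($entry.RelativePath)")
        }
    }
    # Files that appeared after the manifest was taken are as suspicious as modified ones
    $known = $expected | ForEach-Object { $_.RelativePath }
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length)
        if ($known -notcontains $rel) { $problems.Add("ADDED    $rel") }
    }
    return $problems
}

if ($Create) {
    New-MediaManifest -Root $MediaRoot -OutFile $ManifestPath
    "Manifest written to $ManifestPath"
} else {
    $issues = Test-MediaManifest -Root $MediaRoot -ManifestFile $ManifestPath
    if ($issues.Count -eq 0) { 'Media matches manifest' } else { $issues; exit 1 }
}
```

Run the script once with -Create immediately after the media is written and store the manifest on a trusted system; run it without -Create before the media is used in the field. A non-zero exit code means the media should be treated as tampered with and re-created.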

Use a secure location when you create media for OS images

If unauthorized users have access to the location, they can tamper with the files that you create. They can also use all the available disk space so that the media creation fails.

Protect certificate files

Protect certificate files (.pfx) with a strong password. If you store them on the network, secure the network channel when you import them into Configuration Manager.

When you require a password to import the client authentication certificate that you use for bootable media, this configuration helps to protect the certificate from an attacker.

Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file.

Block or revoke any compromised certificates

If the client certificate is compromised, block the certificate from Configuration Manager. If it's a PKI certificate, revoke it.

To deploy an OS by using bootable media and PXE boot, you must have a client authentication certificate with a private key. If that certificate is compromised, block the certificate in the Certificates node under the Security node of the Administration workspace.

Secure the communication channel between the site server and the SMS Provider

When the SMS Provider is remote from the site server, secure the communication channel to protect boot images.

When you modify boot images and the SMS Provider is running on a server that isn't the site server, the boot images are vulnerable to attack. Protect the network channel between these computers by using SMB signing or IPsec.

Enable distribution points for PXE client communication only on secure network segments

When a client sends a PXE boot request, you have no way to make sure that the request is serviced by a valid PXE-enabled distribution point. This scenario has the following security risks:

  • A rogue distribution point that responds to PXE requests could provide a tampered image to clients.

  • An attacker could launch a man-in-the-middle attack against the TFTP protocol that is used by PXE. This attack could send malicious code with the OS files. The attacker could also create a rogue client to make TFTP requests directly to the distribution point.

  • An attacker could use a malicious client to launch a denial of service attack against the distribution point.

Use defense in depth to protect the network segments where clients access PXE-enabled distribution points.

Warning

Because of these security risks, don't enable a distribution point for PXE communication when it's in an untrusted network, such as a perimeter network.

Configure PXE-enabled distribution points to respond to PXE requests only on specified network interfaces

If you allow the distribution point to respond to PXE requests on all network interfaces, this configuration might expose the PXE service to untrusted networks.

Require a password to PXE boot

When you require a password for PXE boot, this configuration adds an extra level of security to the PXE boot process. This configuration helps safeguard against rogue clients joining the Configuration Manager hierarchy.
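The three PXE recommendations above (no PXE on untrusted segments, respond only on specified interfaces, require a password) can be applied to a distribution point from PowerShell. The script below is an added example, not Microsoft's code. It assumes the ConfigurationManager module from the console installation, a constructed site code 'PS1', a constructed distribution point name and NIC MAC address, and it uses the Set-CMDistributionPoint parameter names as the author recalls them from the module; confirm them with Get-Help Set-CMDistributionPoint on your version before running it.

```powershell
# Added example, not Microsoft's code: apply the PXE hardening from the sections above to one
# distribution point with the ConfigurationManager module. The server name, site code and MAC
# address are constructed. Parameter names are as the author recalls the module documenting
# them; verify with Get-Help Set-CMDistributionPoint -Full on your version.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'                                      # assumed site code

$dp          = Get-CMDistributionPoint -SiteSystemServerName 'dp01.contoso.example'
$trustedNic  = '00-15-5D-01-02-03'                        # MAC of the NIC on the internal segment
$pxePassword = Read-Host -AsSecureString -Prompt 'PXE boot password'

# Weak configuration (shown for contrast, not applied): answers PXE on every interface,
# accepts unknown computers and asks for no password.
# Set-CMDistributionPoint -InputObject $dp -EnablePxe $true -AllowPxeResponse $true `
#     -RespondToAllNetwork $true -EnableUnknownComputerSupport $true

# Hardened configuration: respond only on the trusted interface, require a password,
# and don't provision unknown computers unless your network access controls justify it.
Set-CMDistributionPoint -InputObject $dp `
    -EnablePxe $true `
    -AllowPxeResponse $true `
    -RespondToAllNetwork $false `
    -MacAddressForRespondingPxeRequest $trustedNic `
    -PxePassword $pxePassword `
    -EnableUnknownComputerSupport $false

# Read the settings back so the change is visible in the console log of this session
Get-CMDistributionPoint -SiteSystemServerName 'dp01.contoso.example' |
    Select-Object -ExpandProperty Props |
    Where-Object { $_.PropertyName -like '*PXE*' -or $_.PropertyName -like '*Network*' } |
    Format-Table PropertyName, Value -AutoSize
```

The MAC address restriction is what implements "respond only on specified network interfaces"; a distribution point that sits on a perimeter network should not be PXE-enabled at all, whatever the other settings.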

Restrict content in OS images used for PXE boot or multicast

Don't include line-of-business applications or software that contains sensitive data in an image that you use for PXE boot or multicast.

Because of the inherent security risks involved with PXE boot and multicast, limiting what the image contains reduces the damage if a rogue computer downloads the OS image.

Restrict content installed by task sequence variables

Don't include line-of-business applications or software that contains sensitive data in packages of applications that you install by using task sequence variables.

When you deploy software by using task sequence variables, it might be installed on computers and to users who aren't authorized to receive that software.

Secure the network channel when migrating user state

When you migrate user state, secure the network channel between the client and the state migration point by using SMB signing or IPsec.

After the initial connection over HTTP, user state migration data is transferred by using SMB. If you don't secure the network channel, an attacker can read and modify this data.

Use the latest version of USMT

Use the latest version of the User State Migration Tool (USMT) that Configuration Manager supports.

The latest version of USMT provides security enhancements and greater control for when you migrate user state data.

Manually delete folders on state migration points when you decommission them

When you remove a state migration point folder in the state migration point properties in the Configuration Manager console, the site doesn't delete the physical folder. To protect the user state migration data from information disclosure, manually remove the network share and delete the folder.

Don't configure the deletion policy to immediately delete user state

If you configure the deletion policy on the state migration point to immediately remove data that's marked for deletion, and an attacker manages to retrieve the user state data before the valid computer does, the site immediately deletes the user state data. Set the Delete after interval to be long enough to verify the successful restore of user state data.

Manually delete computer associations

Manually delete computer associations when the user state migration data restore is complete and verified.

Configuration Manager doesn't automatically remove computer associations. Help protect the identity of user state data by manually deleting computer associations that are no longer required.

Manually back up the user state migration data on the state migration point

Configuration Manager Backup doesn't include the user state migration data in the site backup.

Implement access controls to protect the prestaged media

Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate and sensitive data.

Implement access controls to protect the reference computer imaging process

Make sure the reference computer you use to capture OS images is in a secure environment. Use appropriate access controls so that unexpected or malicious software can't be installed and inadvertently included in the captured image. When you capture the image, make sure the destination network location is secure. This process helps make sure the image can't be tampered with after you capture it.

Always install the most recent security updates on the reference computer

When the reference computer has current security updates, it helps to reduce the window of vulnerability for new computers when they first start up.

Implement access controls when deploying an OS to an unknown computer

If you must deploy an OS to an unknown computer, implement access controls to prevent unauthorized computers from connecting to the network.

Provisioning unknown computers provides a convenient method to deploy new computers on demand. But it can also allow an attacker to efficiently become a trusted client on your network. Restrict physical access to the network, and monitor clients to detect unauthorized computers.

Computers that respond to a PXE-initiated OS deployment might have all their data destroyed during the process. This behavior could result in a loss of availability for systems that are inadvertently reformatted.

Enable encryption for multicast packages

For every OS deployment package, you can enable encryption when Configuration Manager transfers the package by using multicast. This configuration helps prevent rogue computers from joining the multicast session. It also helps prevent attackers from tampering with the transmission.

Monitor for unauthorized multicast-enabled distribution points

If attackers can gain access to your network, they can configure rogue multicast servers to spoof OS deployment.

When you export task sequences to a network location, secure the location and secure the network channel

Restrict who can access the network folder.

Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the exported task sequence.
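SMB signing is the recommendation this article repeats for certificate files, the SMS Provider channel, user state migration and exported task sequences. The following PowerShell script is an added example, not part of the documentation or the product: it requires signing on both the server and client side of each listed host and then, from the site server, checks that the live SMB sessions to those hosts are actually signed. Host names are constructed; the cmdlets are the standard SmbShare module cmdlets.

```powershell
# Added example, not from the documentation: require SMB signing on the hosts that exchange
# certificate files, boot images, user state and exported task sequences, then verify that the
# site server's live SMB sessions to them are signed. Host names are constructed.
$Servers = @('cm01.contoso.example', 'smsprov01.contoso.example',
             'smp01.contoso.example', 'fs01.contoso.example')

function Set-SmbSigningRequired {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Server side: refuse unsigned sessions from clients
        Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
        # Client side: refuse servers that won't sign
        Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            ServerRequires = (Get-SmbServerConfiguration).RequireSecuritySignature
            ClientRequires = (Get-SmbClientConfiguration).RequireSecuritySignature
        }
    }
}

function Get-UnsignedSmbConnection {
    # Run on the site server: lists sessions to the given hosts that are still unsigned.
    # Get-SmbConnection reports the name that was used to connect, so list hosts the same way
    # the site server addresses them (FQDN or short name).
    param([string[]]$ServerName)
    Get-SmbConnection |
        Where-Object { $_.ServerName -in $ServerName -and -not $_.Signed } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

Set-SmbSigningRequired -ComputerName $Servers | Format-Table -AutoSize
$unsigned = @(Get-UnsignedSmbConnection -ServerName $Servers)
if ($unsigned.Count -gt 0) {
    'Unsigned SMB sessions remain:'
    $unsigned | Format-Table -AutoSize
} else {
    'All SMB sessions to the listed hosts are signed'
}
```

Requiring signing on both sides means a session that cannot be signed fails rather than silently downgrading, which is the property that protects the certificate files and exported task sequences from in-transit tampering. Where IPsec is used instead, the same verification idea applies: confirm the security association exists before trusting the channel.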

If you use the task sequence run as account, take additional security precautions

If you use the task sequence run as account, take the following precautionary steps:

  • Use an account with the least possible permissions.

  • Don't use the network access account for this account.

  • Never make the account a domain administrator.

  • Never configure roaming profiles for this account. When the task sequence runs, it downloads the roaming profile for the account, which leaves the profile vulnerable to access on the local computer.

  • Limit the scope of the account. For example, create different task sequence run as accounts for each task sequence. If one account is compromised, only the client computers to which that account has access are compromised. If the command line requires administrative access on the computer, consider creating a local administrator account solely for the task sequence run as account. Create this local account on all computers that run the task sequence, and delete the account as soon as it's no longer required.
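The last bullet describes a procedure: create a dedicated local account on the computers that run one task sequence, grant it local administrator rights only if the command line needs them, and remove it afterwards. The PowerShell below is an added example, not the product's code, that implements that lifecycle with the built-in Microsoft.PowerShell.LocalAccounts cmdlets over PowerShell remoting. Computer names and the account name are constructed; the functions and their parameter names are this example's own.

```powershell
# Added example, not Microsoft's code: create a dedicated, least-privilege local account for a
# single task sequence on the computers that run it, and remove it (and any profile it left)
# afterwards. Computer names and the account name are constructed for the example.
$Computers   = @('ws001.contoso.example', 'ws002.contoso.example')
$AccountName = 'ts-runas-app1'   # one account per task sequence; never the network access account
$Password    = Read-Host -AsSecureString -Prompt "Password for $AccountName"

function New-TaskSequenceRunAsAccount {
    param([string[]]$ComputerName, [string]$Name, [securestring]$Password, [switch]$LocalAdmin)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Name, $Password, $LocalAdmin)
        if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
            New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires `
                -UserMayNotChangePassword -Description 'Task sequence run-as (temporary)' | Out-Null
        }
        # Grant local admin only when the task sequence command line genuinely needs it;
        # the account is never added to any domain group, so it can't become a domain admin.
        if ($LocalAdmin) {
            Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
        }
        "$env:COMPUTERNAME`: $Name ready (local admin: $LocalAdmin)"
    } -ArgumentList $Name, $Password, $LocalAdmin.IsPresent
}

function Remove-TaskSequenceRunAsAccount {
    param([string[]]$ComputerName, [string]$Name)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Name)
        Remove-LocalUser -Name $Name -ErrorAction SilentlyContinue
        # Delete any local profile the account created so nothing cached stays on disk
        Get-CimInstance -ClassName Win32_UserProfile |
            Where-Object { $_.LocalPath -like "*\$Name" } |
            Remove-CimInstance
        "$env:COMPUTERNAME`: $Name removed"
    } -ArgumentList $Name
}

# Before the deployment window:
New-TaskSequenceRunAsAccount -ComputerName $Computers -Name $AccountName -Password $Password -LocalAdmin
# ... run the task sequence with $AccountName as its run-as account ...
# As soon as the task sequence is no longer needed:
Remove-TaskSequenceRunAsAccount -ComputerName $Computers -Name $AccountName
```

Keeping one account per task sequence and deleting it promptly limits what a compromised credential can reach, which is the point of the scope bullet above. The profile cleanup in the removal function matters because the article warns that a downloaded profile is exposed on the local computer.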

Restrict and monitor the administrative users who are granted the OS deployment manager security role

Administrative users who are granted the OS deployment manager security role can create self-signed certificates. These certificates can then be used to impersonate a client and obtain client policy from Configuration Manager.
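Monitoring who holds this role is a recurring check rather than a one-time review. The PowerShell script below is an added example, not Microsoft's code: it lists the administrative users holding the role and reports additions or removals against a stored baseline. It assumes the ConfigurationManager module, a constructed site code 'PS1', the built-in role name 'Operating System Deployment Manager' as shown in the console, a placeholder baseline path, and that the objects returned by Get-CMAdministrativeUser expose a RoleNames property (an assumption to verify on your version).

```powershell
# Added example, not Microsoft's code: snapshot the administrative users who hold the OS
# deployment manager role and report any change against a stored baseline.
# Assumptions: ConfigurationManager module, constructed site code 'PS1', the built-in role name
# as shown in the console, a placeholder baseline path, and that Get-CMAdministrativeUser
# output carries a RoleNames property (verify on your version).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'
$RoleName     = 'Operating System Deployment Manager'
$BaselinePath = 'C:\Secure\osd-manager-baseline.txt'

function Get-OsdManagerHolders {
    param([string]$Role)
    Get-CMAdministrativeUser |
        Where-Object { $_.RoleNames -contains $Role } |
        ForEach-Object { $_.LogonName } |
        Sort-Object -Unique
}

$current = @(Get-OsdManagerHolders -Role $RoleName)

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the reviewed set of holders as the baseline
    $current | Set-Content -Path $BaselinePath
    "Baseline created with $($current.Count) holder(s) of '$RoleName'"
    return
}

$baseline = @(Get-Content -Path $BaselinePath)
$added    = @($current  | Where-Object { $_ -notin $baseline })
$removed  = @($baseline | Where-Object { $_ -notin $current })

if ($added.Count -eq 0 -and $removed.Count -eq 0) {
    "No change: $($current -join ', ')"
} else {
    # Additions are the security-relevant event: each new holder can mint client certificates
    $added   | ForEach-Object { "ADDED   $_" }
    $removed | ForEach-Object { "REMOVED $_" }
    # After review, refresh the baseline:  $current | Set-Content -Path $BaselinePath
}
```

Schedule the script and forward its ADDED lines to whatever alerting you use; an unexpected new holder of this role should be investigated because, as the section explains, the role allows creating certificates that impersonate clients.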

Use Enhanced HTTP to reduce the need for a network access account

Starting in version 1806, when you enable Enhanced HTTP, several OS deployment scenarios don't require a network access account to download content from a distribution point. For more information, see Task sequences and the network access account.

Security issues for OS deployment

Although OS deployment can be a convenient way to deploy the most secure operating systems and configurations to computers on your network, it has the following security risks:

Information disclosure and denial of service

If an attacker can obtain control of your Configuration Manager infrastructure, they could run any task sequence. This could include formatting the hard drives of all client computers. Task sequences can be configured to contain sensitive information, such as accounts that have permissions to join the domain and volume licensing keys.

Impersonation and elevation of privileges

Task sequences can join a computer to a domain, which can provide a rogue computer with authenticated network access.

Protect the client authentication certificate that's used for bootable task sequence media and for PXE boot deployment. When you capture a client authentication certificate, this process gives an attacker an opportunity to obtain the private key in the certificate. This certificate lets them impersonate a valid client on the network. In this scenario, the rogue computer can download policy, which can contain sensitive data.

If clients use the network access account to access data stored on the state migration point, these clients effectively share the same identity. They could access state migration data from another client that uses the network access account. The data is encrypted so that only the original client can read it, but the data could be tampered with or deleted.

Client authentication to the state migration point is achieved by using a Configuration Manager token that is issued by the management point.

Configuration Manager doesn't limit or manage the amount of data that's stored on the state migration point. An attacker could fill up the available disk space and cause a denial of service.

If you use collection variables, local administrators can read potentially sensitive information.

Although collection variables offer a flexible method to deploy operating systems, this feature might result in information disclosure.

Privacy information for OS deployment

In addition to deploying an OS to computers without one, Configuration Manager can be used to migrate users' files and settings from one computer to another. The administrator configures which information to transfer, including personal data files, configuration settings, and browser cookies.

Configuration Manager stores the information on a state migration point, and encrypts it during transmission and storage. Only the new computer associated with the state information can retrieve the stored information. If the new computer loses the key to retrieve the information, a Configuration Manager administrator with the View Recovery Information right on computer association instance objects can access the information and associate it with a new computer. After the new computer restores the state information, it deletes the data after one day, by default. You can configure when the state migration point removes data marked for deletion. Configuration Manager doesn't store the state migration information in the site database, and doesn't send it to Microsoft.

If you use boot media to deploy OS images, always use the default option to password-protect the boot media. The password encrypts any variables stored in the task sequence, but any information not stored in a variable might be vulnerable to disclosure.

OS deployment can use task sequences to perform many different tasks during the deployment process, including installing applications and software updates. When you configure task sequences, you should also be aware of the privacy implications of installing software.

Configuration Manager doesn't implement OS deployment by default. It requires several configuration steps before you collect user state information or create task sequences or boot images.

Before you configure OS deployment, consider your privacy requirements.

See also

Diagnostics and usage data

Security and privacy for Configuration Manager