Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

One of the challenges in implementing an Active Directory model that does not rely on permanent membership in highly privileged groups is that there must be a mechanism to populate these groups when temporary membership is required. Some privileged identity management solutions require that the software's service accounts be granted permanent membership in groups such as DA or Administrators in each domain in the forest. However, it is technically not necessary for Privileged Identity Management (PIM) solutions to run their services in such highly privileged contexts.

This appendix provides information that you can use, for natively implemented or third-party PIM solutions, to create accounts that have limited privileges and can be stringently controlled, but that can still populate privileged groups in Active Directory when temporary elevation is required. If you are implementing PIM as a native solution, these accounts may be used by administrative staff to perform the temporary group population; if you are implementing PIM via third-party software, you might be able to adapt these accounts to function as service accounts.

Note

The procedures described in this appendix provide one approach to the management of highly privileged groups in Active Directory. You can adapt these procedures to suit your needs, add additional restrictions, or omit some of the restrictions that are described here.

Creating Management Accounts for Protected Accounts and Groups in Active Directory

Creating accounts that can be used to manage the membership of privileged groups, without granting the management accounts excessive rights and permissions, consists of four general activities that are described in the step-by-step instructions that follow:

  1. First, create a group that will manage the accounts, because these accounts should be managed by a limited set of trusted users. If you do not already have an OU structure that segregates privileged and protected accounts and systems from the general population in the domain, you should create one. Specific instructions for building such an OU hierarchy are not provided in this appendix.

  2. Create the management accounts. These accounts should be created as "regular" user accounts and granted no user rights beyond those that are already granted to users by default.

  3. Implement restrictions on the management accounts that make them usable only for the specialized purpose for which they were created, in addition to controlling who can enable and use the accounts (the group you created in the first step).

  4. Configure permissions on the AdminSDHolder object in each domain to allow the management accounts to change the membership of the privileged groups in the domain.

You should thoroughly test all of these procedures and modify them as needed for your environment before implementing them in production. You should also verify that all settings work as expected (some testing procedures are provided in this appendix), and you should test a disaster recovery scenario in which the management accounts are not available to populate protected groups for recovery purposes. For more information about backing up and restoring Active Directory, see the AD DS Backup and Recovery Step-by-Step Guide.

Note

By implementing the steps described in this appendix, you will create accounts that are able to manage the membership of all protected groups in each domain, not only the highest-privilege Active Directory groups such as EAs, DAs, and BAs. For more information about protected groups in Active Directory, see Appendix C: Protected Accounts and Groups in Active Directory.

Step-by-Step Instructions for Creating Management Accounts for Protected Groups

Creating a Group to Enable and Disable Management Accounts

Management accounts should have their passwords reset at each use and should be disabled when the activities requiring them are complete. Although you might also consider implementing smart card logon requirements for these accounts, that is an optional configuration; these instructions assume that the management accounts will be configured with a user name and a long, complex password as the minimum controls. In this step, you will create a group that has permissions to reset the password on the management accounts and to enable and disable the accounts.

To create a group to enable and disable management accounts, perform the following steps:

  1. In the OU structure where you will be housing the management accounts, right-click the OU where you want to create the group, click New, and click Group.

  2. In the New Object - Group dialog box, enter a name for the group. If you plan to use this group to "activate" all management accounts in your forest, make it a universal security group. If you have a single-domain forest, or if you plan to create a group in each domain, you can create a global security group. Click OK to create the group.

  3. Right-click the group you just created, click Properties, and click the Object tab. In the group's Object property dialog box, select Protect object from accidental deletion. This not only prevents otherwise-authorized users from deleting the group, but also prevents them from moving it to another OU unless the attribute is first deselected.

    Note

    If you have already configured permissions on the group's parent OUs to restrict administration to a limited set of users, you may not need to perform the following steps. They are provided here so that, even if you have not yet implemented limited administrative control over the OU structure in which you created this group, you can secure the group against modification by unauthorized users.

  4. Click the Members tab, and add the accounts of the members of your team who will be responsible for enabling management accounts or populating protected groups when necessary.

  5. If you have not already done so, in the Active Directory Users and Computers console, click View and select Advanced Features. Right-click the group you just created, click Properties, and click the Security tab. On the Security tab, click Advanced.

  6. In the Advanced Security Settings for [Group] dialog box, click Disable Inheritance. When prompted, click Convert inherited permissions into explicit permissions on this object, and click OK to return to the group's Security dialog box.

  7. On the Security tab, remove the groups that should not be permitted to access this group. For example, if you do not want Authenticated Users to be able to read the group's name and general properties, you can remove that ACE. You can also remove ACEs such as those for Account Operators and Pre-Windows 2000 Compatible Access. You should, however, leave a minimum set of object permissions in place. Leave the following ACEs intact:

    • SELF

    • SYSTEM

    • Domain Admins

    • Enterprise Admins

    • Administrators

    • Windows Authorization Access Group (if applicable)

    • ENTERPRISE DOMAIN CONTROLLERS

    Although it may seem counterintuitive to allow the highest-privileged groups in Active Directory to manage this group, your goal in implementing these settings is not to prevent members of those groups from making authorized changes. Rather, the goal is to ensure that when you have occasion to require very high levels of privilege, authorized changes will succeed. It is for this reason that changing default privileged group nesting, rights, and permissions is discouraged throughout this document. By leaving default structures intact and emptying the membership of the highest-privilege groups in the directory, you can create a more secure environment that still functions as expected.

    Note

    If you have not already configured audit policies for the objects in the OU structure where you created this group, you should configure auditing to log changes to this group.

  8. You have completed configuration of the group that will be used to "check out" management accounts when they are needed and "check in" the accounts when their activities have been completed.

Creating the Management Accounts

You should create at least one account that will be used to manage the membership of privileged groups in your Active Directory installation, and preferably a second account to serve as a backup. Whether you choose to create the management accounts in a single domain in the forest and grant them management capabilities for all domains' protected groups, or to implement management accounts in each domain in the forest, the procedures are effectively the same.

Note

The steps in this document assume that you have not yet implemented role-based access controls and privileged identity management for Active Directory. Therefore, some procedures must be performed by a user whose account is a member of the Domain Admins group for the domain in question.

When you are using an account with DA privileges, you can log on to a domain controller to perform the configuration activities. Steps that do not require DA privileges can be performed by less-privileged accounts that are logged on to administrative workstations. In the original article, screenshots of dialog boxes bordered in the lighter blue color represent activities that can be performed on a domain controller, and dialog boxes in the darker blue color represent activities that can be performed on administrative workstations with accounts that have limited privileges.

To create the management accounts, perform the following steps:

  1. Log on to a domain controller with an account that is a member of the domain's DA group.

  2. Launch Active Directory Users and Computers and navigate to the OU where you will be creating the management account.

  3. Right-click the OU, click New, and click User.

  4. In the New Object - User dialog box, enter your desired naming information for the account and click Next.

  5. Provide an initial password for the user account, clear User must change password at next logon, select User cannot change password and Account is disabled, and click Next.

  6. Verify that the account details are correct and click Finish.

  7. Right-click the user object you just created and click Properties.

  8. Click the Account tab.

  9. In the Account options field, select the Account is sensitive and cannot be delegated flag, select the This account supports Kerberos AES 128 bit encryption and/or the This account supports Kerberos AES 256 bit encryption flag, and click OK.

    Note

    Because this account, like other accounts, will have a limited but powerful function, it should only be used on secure administrative hosts. For all secure administrative hosts in your environment, you should consider implementing the Group Policy setting Network Security: Configure encryption types allowed for Kerberos to allow only the most secure encryption types you can implement for secure hosts.

    Although implementing more secure encryption types for the hosts does not by itself mitigate credential theft attacks, the appropriate use and configuration of the secure hosts does. Setting stronger encryption types for hosts that are used only by privileged accounts simply reduces the overall attack surface of those computers.

    For more information about configuring encryption types on systems and accounts, see Windows Configurations for Kerberos Supported Encryption Type.

    Note These settings are supported only on computers running Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7.

  10. On the Object tab, select Protect object from accidental deletion. This not only prevents the object from being deleted (even by authorized users), but also prevents it from being moved to a different OU in your AD DS hierarchy unless the check box is first cleared by a user with permission to change the attribute.

  11. Click the Remote control tab.

  12. Clear the Enable remote control flag. It should never be necessary for support staff to connect to this account's sessions to implement fixes.

    Note

    Every object in Active Directory should have a designated IT owner and a designated business owner, as described in Planning for Compromise. If you are tracking ownership of AD DS objects in Active Directory (as opposed to an external database), you should enter the appropriate ownership information in this object's properties.

    In this case, the business owner is most likely an IT division, and there is no prohibition on business owners also being IT owners. The point of establishing ownership of objects is to allow you to identify contacts when changes need to be made to the objects, perhaps years after their initial creation.

  13. Click the Organization tab.

  14. Enter any information that is required by your AD DS object standards.

  15. Click the Dial-in tab.

  16. In the Network Access Permission field, select Deny access. This account should never need to connect over a remote connection.

    Note

    It is unlikely that this account will be used to log on to read-only domain controllers (RODCs) in your environment. However, should circumstances ever require the account to log on to an RODC, you should add this account to the Denied RODC Password Replication Group so that its password is not cached on the RODC.

    Although the account's password should be reset after each use and the account should be disabled, implementing this setting has no deleterious effect on the account, and it might help in situations in which an administrator forgets to reset the account's password and disable it.

  17. Click the Member Of tab.

  18. Click Add.

  19. Type Denied RODC Password Replication Group in the Select Users, Contacts, Computers dialog box and click Check Names. When the name of the group is underlined in the object picker, click OK and verify that the account is now a member of two groups: Domain Users (the default) and Denied RODC Password Replication Group. Do not add the account to any protected groups.

  20. Click OK.

  21. Click the Security tab and click Advanced.

  22. In the Advanced Security Settings dialog box, click Disable inheritance, choose to copy the inherited permissions as explicit permissions, and click Add.

  23. In the Permission Entry for [Account] dialog box, click Select a principal and add the group you created in the previous procedure. Scroll to the bottom of the dialog box and click Clear all to remove all default permissions.

  24. Scroll to the top of the Permission Entry dialog box. Ensure that the Type drop-down list is set to Allow, and in the Applies to drop-down list, select This object only.

  25. In the Permissions field, select Read all properties, Read permissions, and Reset password.

  26. In the Properties field, select Read userAccountControl and Write userAccountControl.

  27. Click OK, and OK again in the Advanced Security Settings dialog box.

    Note

    The userAccountControl attribute controls multiple account configuration options. When you grant write permission to the attribute, you cannot restrict that permission to only some of those configuration options.

  28. In the Group or user names field of the Security tab, remove any groups that should not be permitted to access or manage the account. Do not remove any groups that have been configured with Deny ACEs, such as the Everyone group and the SELF computed account (that ACE was set when the User cannot change password flag was enabled during creation of the account). Also do not remove the group you just added, the SYSTEM account, or groups such as EA, DA, BA, or the Windows Authorization Access Group.

  29. Click Advanced and verify that the Advanced Security Settings dialog box shows only the entries you retained in the previous step.

  30. Click OK, and OK again to close the account's property dialog box.

  31. Setup of the first management account is now complete. You will test the account in a later procedure.

Creating Additional Management Accounts

You can create additional management accounts by repeating the previous steps, by copying the account you just created, or by creating a script that creates accounts with your desired configuration settings. Note, however, that if you copy the account you just created, many of the customized settings and ACLs will not be copied to the new account, and you will have to repeat most of the configuration steps.

You can instead create a group to which you delegate rights to populate and unpopulate protected groups, but you will then need to secure both the group and the accounts you place in it. Because there should be very few accounts in your directory that are granted the ability to manage the membership of protected groups, creating individual accounts might be the simplest approach.

Regardless of how you choose to create a group into which you place the management accounts, you should ensure that each account is secured as described earlier. You should also consider implementing GPO restrictions similar to those described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.
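The scripted route mentioned above, as an added example that is not part of the original appendix: it creates one management account and applies the hardening from the step-by-step procedure (disabled, non-delegable, AES-only, protected from deletion, dial-in denied, Denied RODC Password Replication Group, and an object-only ACE for the enabling group). The OU path and the name of the enabling group are placeholders; the account name and domain reuse the appendix's fictitious PIM001@tailspintoys.msft.

```powershell
# Added example, not from the original appendix. Assumptions (placeholders, not
# from the page): the OU path and the enabling group's name. Run on a domain
# controller as a member of Domain Admins, with the ActiveDirectory module.
Import-Module ActiveDirectory

$AccountName   = 'PIM001'
$Upn           = 'PIM001@tailspintoys.msft'
$TargetOu      = 'OU=PIM Accounts,OU=Admin,DC=TailSpinToys,DC=msft'   # placeholder OU
$EnablingGroup = 'PIM Account Enablers'                               # placeholder: group from the first procedure

# Fixed Active Directory GUIDs: the "Reset Password" control access right and the
# schemaIDGUID of the userAccountControl attribute.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserAccountControl = [Guid]'bf967a68-0de6-11d0-a285-00aa003049e2'

# Initial password: 32 random bytes, Base64-encoded. The enabling group resets it
# at each use, so nobody needs to know this value.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Account tab settings from the procedure. AccountNotDelegated is "Account is
# sensitive and cannot be delegated"; KerberosEncryptionType restricts the account to AES.
$userParams = @{
    Name                   = $AccountName
    SamAccountName         = $AccountName
    UserPrincipalName      = $Upn
    Path                   = $TargetOu
    AccountPassword        = $initialPassword
    Enabled                = $false            # Account is disabled
    ChangePasswordAtLogon  = $false            # clear "User must change password at next logon"
    CannotChangePassword   = $true             # User cannot change password (adds the SELF deny ACE)
    AccountNotDelegated    = $true
    KerberosEncryptionType = 'AES128,AES256'
}
New-ADUser @userParams
$user = Get-ADUser -Identity $AccountName

# Object tab: protect from accidental deletion (also blocks moves to another OU).
Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $true

# Dial-in tab: Network Access Permission = Deny access.
Set-ADUser -Identity $user -Replace @{ msNPAllowDialin = $false }

# Member Of tab: never let an RODC cache this account's password.
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members $user

# The Remote control tab flag is stored in the Terminal Services userParameters
# blob rather than as a plain attribute; clear it in the GUI as the procedure shows.

# Security tab: disable inheritance while keeping inherited ACEs as explicit entries,
# then add one ACE for the enabling group, scoped to this object only, carrying the
# rights the procedure grants: read all properties, read permissions, reset password,
# and read/write userAccountControl. Pruning of the remaining default ACEs is left to
# the manual review in the procedure (keep SELF, SYSTEM, EA, DA and BA intact).
$aclPath = "AD:\$($user.DistinguishedName)"
$acl = Get-Acl -Path $aclPath
$acl.SetAccessRuleProtection($true, $true)    # isProtected, preserveInheritance

$groupSid = (Get-ADGroup -Identity $EnablingGroup).SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$thisOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

$rules = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ReadControl',
        $allow, $thisOnly),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $ResetPasswordRight, $thisOnly),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $UserAccountControl, $thisOnly)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $aclPath -AclObject $acl

# Show what the enabling group ended up with, for comparison with the procedure.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$EnablingGroup" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```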

Auditing Management Accounts

You should configure auditing on the account to log, at minimum, all writes to the account. This allows you not only to identify successful enabling of the account and resetting of its password during authorized use, but also to identify attempts by unauthorized users to manipulate the account. Failed writes on the account should be captured in your Security Information and Event Monitoring (SIEM) system (if applicable), and should trigger alerts that notify the staff responsible for investigating potential compromises.

SIEM solutions take event information from a variety of security-relevant sources (for example, event logs, application data, network streams, antimalware products, and intrusion detection sources), collate the data, and try to produce intelligent views and proactive actions. There are many commercial SIEM solutions, and many enterprises create private implementations. A well designed and appropriately implemented SIEM can significantly enhance security monitoring and incident response capabilities. However, capabilities and accuracy vary tremendously between solutions. SIEMs are beyond the scope of this paper, but the specific event recommendations it contains should be considered by any SIEM implementer.

For more information about recommended audit configuration settings, see Monitoring Active Directory for Signs of Compromise; that document also provides the domain controller-specific configuration settings.
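The events the auditing above should produce, gathered into the check-out sequence the text describes (enable, password reset, group change, disable) with failed writes separated out for alerting. This is an added example, not part of the original appendix; it assumes the account name PIM001 from the appendix and that Audit User Account Management, Audit Security Group Management and Audit Directory Service Access (with a SACL on the account object, for 4662) are enabled on the domain controllers.

```powershell
# Added example, not from the original appendix. Assumes the audit subcategories
# named in the lead-in are enabled and that the account is the appendix's PIM001.
Import-Module ActiveDirectory

$ManagementAccount = 'PIM001'
$Since             = (Get-Date).AddHours(-24)
$DomainControllers = (Get-ADDomainController -Filter *).HostName

# Security event IDs used:
#   4722 user account enabled         4725 user account disabled
#   4724 password reset attempted     4738 user account changed
#   4662 operation on an object (failed writes to the account object appear here)
#   4728 / 4732 / 4756 member added to a global / local / universal group
#   4729 / 4733 / 4757 member removed from a global / local / universal group
$AccountEvents = 4722, 4725, 4724, 4738, 4662
$GroupEvents   = 4728, 4732, 4756, 4729, 4733, 4757
$AuditFailure  = 0x10000000000000      # Keywords bit that marks a failed audit

function Get-ManagementAccountActivity {
    param([string[]]$Computers, [string]$Account, [datetime]$StartTime)

    foreach ($dc in $Computers) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Security'
            Id        = $AccountEvents + $GroupEvents
            StartTime = $StartTime
        }
        foreach ($e in $events) {
            # Flatten the EventData <Data Name="..."> elements into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $actor  = $data['SubjectUserName']
            $target = $data['TargetUserName']
            if ($e.Id -in $GroupEvents) {
                # Membership change: relevant when the management account did it.
                if ($actor -ne $Account) { continue }
                $what = "member $($data['MemberName']) changed in group $target"
            } elseif ($e.Id -eq 4662) {
                # Object access: relevant when the account object itself is the target.
                if ($data['ObjectName'] -notlike "*CN=$Account,*") { continue }
                $what = "directory write to $($data['ObjectName'])"
            } else {
                # Account management: relevant when the management account is the target.
                if ($target -ne $Account) { continue }
                $what = "account management on $target"
            }

            $failed  = ($e.Keywords -band $AuditFailure) -ne 0
            $outcome = if ($failed) { 'FAILURE - alert' } else { 'Success' }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                DC      = $dc
                Id      = $e.Id
                Actor   = $actor
                Detail  = $what
                Outcome = $outcome
            }
        }
    }
}

$activity = Get-ManagementAccountActivity -Computers $DomainControllers `
                                          -Account $ManagementAccount -StartTime $Since
$activity | Sort-Object Time | Format-Table -AutoSize

# Everything here is a candidate for the SIEM alert the text calls for.
$activity | Where-Object Outcome -like 'FAILURE*'
```

A 4722 by a member of the enabling group, followed by a 4724, group changes by PIM001 and a closing 4725, is the expected authorized pattern; a 4724 or 4738 from any other actor, or any failure row, is not.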

Enabling Management Accounts to Modify the Membership of Protected Groups

In this procedure, you will configure permissions on the domain's AdminSDHolder object to allow the newly created management accounts to modify the membership of protected groups in the domain. This procedure cannot be performed via a graphical user interface (GUI).

As discussed in Appendix C: Protected Accounts and Groups in Active Directory, the ACL on a domain's AdminSDHolder object is effectively "copied" to protected objects when the SDProp task runs. Protected groups and accounts do not inherit their permissions from the AdminSDHolder object; their permissions are explicitly set to match those on the AdminSDHolder object. Therefore, when you modify permissions on the AdminSDHolder object, you must modify them for attributes that are appropriate to the type of protected object you are targeting.

In this case, you will grant the newly created management accounts permission to read and write the member attribute on group objects. However, the AdminSDHolder object is not a group object, and group attributes are not exposed in the graphical ACL editor. It is for this reason that you will implement the permission changes via the Dsacls command-line utility. To grant the (disabled) management accounts permission to modify the membership of protected groups, perform the following steps:

  1. Log on to a domain controller, preferably the domain controller holding the PDC Emulator (PDCE) role, with the credentials of a user account that has been made a member of the DA group in the domain.

  2. Open an elevated command prompt by right-clicking Command Prompt and clicking Run as administrator.

  3. When prompted to approve the elevation, click Yes.

    Note

    For more information about elevation and user account control (UAC) in Windows, see UAC Processes and Interactions on the TechNet website.

  4. At the command prompt, type (substituting your domain-specific information) Dsacls [distinguished name of the AdminSDHolder object in your domain] /G [management account UPN]:RPWP;member.

    The previous command (which is not case-sensitive) works as follows:

    • Dsacls sets or displays ACEs on directory objects

    • CN=AdminSDHolder,CN=System,DC=TailSpinToys,DC=msft identifies the object to be modified

    • /G indicates that a grant ACE is being configured

    • PIM001@tailspintoys.msft is the User Principal Name (UPN) of the security principal to which the ACEs will be granted

    • RPWP grants read property and write property permissions

    • member is the name of the property (attribute) on which the permissions will be set

    For more information about the use of Dsacls, type Dsacls without any parameters at a command prompt.

    If you have created multiple management accounts for the domain, you should run the Dsacls command for each account. When you have completed the ACL configuration on the AdminSDHolder object, you should force SDProp to run, or wait until its scheduled run completes. For information about forcing SDProp to run, see "Running SDProp Manually" in Appendix C: Protected Accounts and Groups in Active Directory.

    When SDProp has run, you can verify that the changes you made to the AdminSDHolder object have been applied to protected groups in the domain. You cannot verify this by viewing the ACL on the AdminSDHolder object, for the reasons previously described, but you can verify that the permissions have been applied by viewing the ACLs on the protected groups.

  5. In Active Directory Users and Computers, verify that you have enabled Advanced Features. Then click View, locate the Domain Admins group, right-click the group, and click Properties.

  6. Click the Security tab and click Advanced to open the Advanced Security Settings for Domain Admins dialog box.

  7. Select the Allow ACE for the management account and click Edit. Verify that the account has been granted only Read Members and Write Members permissions on the DA group, and click OK.

  8. Click OK in the Advanced Security Settings dialog box, and click OK again to close the property dialog box for the DA group.

  9. You can repeat the previous steps for other protected groups in the domain; the permissions should be the same for all protected groups. You have now completed creation and configuration of the management accounts for the protected groups in this domain.

    Note

    Any account that has permission to write the membership of a group in Active Directory can also add itself to the group. This behavior is by design and cannot be disabled. For this reason, you should always keep management accounts disabled when not in use, and you should closely monitor the accounts both while they are disabled and while they are in use.
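The Dsacls grant from step 4 and the verification of steps 5 to 9 as a single script, added here as an example that is not part of the original appendix. It forces SDProp rather than waiting for the scheduled run, then checks each protected group for exactly one Allow ACE belonging to the management account that carries read and write of the member attribute only; the UPN is the appendix's fictitious PIM001@tailspintoys.msft, and the script is assumed to run on the PDC emulator as a Domain Admin.

```powershell
# Added example, not from the original appendix. Assumes the ActiveDirectory
# module, Domain Admin rights, and the appendix's fictitious UPN.
Import-Module ActiveDirectory

$ManagementUpn   = 'PIM001@tailspintoys.msft'
$domainDn        = (Get-ADDomain).DistinguishedName
$adminSdHolder   = "CN=AdminSDHolder,CN=System,$domainDn"
$MemberAttribute = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of "member"

# Step 4: RP = read property, WP = write property, on the member attribute. The
# braces keep PowerShell from parsing "$ManagementUpn:" as a drive qualifier.
dsacls $adminSdHolder /G "${ManagementUpn}:RPWP;member"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Force SDProp on this DC by writing the runProtectAdminGroupsTask operational
# attribute on rootDSE, instead of waiting for the scheduled run.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('runProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
Start-Sleep -Seconds 30

function Test-ProtectedGroupAce {
    # One row per group, stating whether the account's ACEs on it are exactly the
    # single Allow entry that SDProp should have stamped from AdminSDHolder.
    param([string[]]$Groups, [string]$Upn, [Guid]$MemberGuid)

    $sid      = (Get-ADUser -Filter "userPrincipalName -eq '$Upn'").SID
    $expected = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    foreach ($name in $Groups) {
        $group = Get-ADGroup -Identity $name -Properties adminCount
        $acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        # Compare by SID so a renamed or unresolvable account cannot slip past the check.
        $aces  = @($acl.Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        })
        $exact = ($aces.Count -eq 1) -and
                 ($aces[0].AccessControlType -eq 'Allow') -and
                 ($aces[0].ActiveDirectoryRights -eq $expected) -and
                 ($aces[0].ObjectType -eq $MemberGuid)
        [pscustomobject]@{
            Group          = $name
            AdminCount     = $group.adminCount     # 1 means SDProp treats the group as protected
            AceCount       = $aces.Count
            OnlyMemberRPWP = $exact
        }
    }
}

# Protected groups present in every domain. Enterprise Admins and Schema Admins
# exist only in the forest root domain; add them to the list there.
$toCheck = 'Domain Admins', 'Administrators', 'Account Operators',
           'Server Operators', 'Backup Operators', 'Print Operators'
Test-ProtectedGroupAce -Groups $toCheck -Upn $ManagementUpn -MemberGuid $MemberAttribute |
    Format-Table -AutoSize
```

A row with AceCount greater than 1, or OnlyMemberRPWP false, means the account holds something on that group beyond what AdminSDHolder grants and should be investigated before the account is used.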

Verifying Group and Account Configuration Settings

Now that you have created and configured management accounts that can modify the membership of protected groups in the domain (including the most highly privileged EA, DA, and BA groups), you should verify that the accounts and their management group have been created properly. Verification consists of these general tasks:

  1. Test the group that can enable and disable management accounts, to verify that members of the group can enable and disable the accounts and reset their passwords, but cannot perform other administrative activities on the management accounts.

  2. Test the management accounts, to verify that they can add and remove members of protected groups in the domain, but cannot change any other properties of protected accounts and groups.

Test the Group that Will Enable and Disable Management Accounts
  1. To test enabling a management account and resetting its password, log on to a secure administrative workstation with an account that is a member of the group you created in Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory.

  2. Open Active Directory Users and Computers, right-click the management account, and click Enable Account.

  3. A dialog box should appear, confirming that the account has been enabled.

  4. Next, reset the password on the management account. To do so, right-click the account again and click Reset Password.

  5. Type a new password for the account in the New password and Confirm password fields, and click OK.

  6. A dialog box should appear, confirming that the password for the account has been reset.

  7. Now attempt to modify additional properties of the management account. Right-click the account, click Properties, and click the Remote control tab.

  8. Select Enable remote control and click Apply. The operation should fail and an Access Denied error message should appear.

  9. Click the Account tab for the account and attempt to change the account's name, logon hours, or logon workstations. All of these should fail, and account options that are not controlled by the userAccountControl attribute should be grayed out and unavailable for modification.

  10. Attempt to add the management group to a protected group, such as the DA group. When you click OK, a message should appear informing you that you do not have permission to modify the group.

  11. Perform additional tests as required to verify that you cannot configure anything on the management account except userAccountControl settings and password resets.

    Note

    The userAccountControl attribute controls multiple account configuration options. You cannot grant permission to change only some of those options: granting write permission to the attribute grants the ability to change all of them.

Test the Management Accounts

Now that you have enabled one or more accounts that can change the membership of protected groups, you can test the accounts to ensure that they can modify protected group membership but cannot perform other modifications on protected accounts and groups.

  1. Log on to a secure administrative host as the first management account.

  2. Launch Active Directory Users and Computers and locate the Domain Admins group.

  3. Right-click the Domain Admins group and click Properties.

  4. In the Domain Admins Properties dialog box, click the Members tab and click Add. Enter the name of an account that will be given temporary Domain Admins privileges and click Check Names. When the name of the account is underlined, click OK to return to the Members tab.

  5. On the Members tab of the Domain Admins Properties dialog box, click Apply. After you click Apply, the account should remain a member of the DA group and you should receive no error messages.

  6. Click the Managed By tab in the Domain Admins Properties dialog box and verify that you cannot enter text in any field and that all buttons are grayed out.

  7. Click the General tab in the Domain Admins Properties dialog box and verify that you cannot modify any of the information on that tab.

  8. Repeat these steps for additional protected groups as needed. When you have finished, log on to a secure administrative host with an account that is a member of the group you created to enable and disable the management accounts. Then reset the password on the management account you just tested and disable the account. You have completed setup of the management accounts and of the group that will be responsible for enabling and disabling the accounts.
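Both test passes above (the enable/disable group and the management account) follow the same pattern: a short list of actions that must succeed and a short list that must be refused. The script below is an added example, not code from the Microsoft page, that runs those checks directly against the directory rather than through the GUI, so a field that is merely grayed out in the console is still tested for enforcement. Run it with -Role Enabler while logged on as a member of the enable/disable group, with -Role Manager while logged on as a management account, and with -Role Cleanup as the enable/disable group member again for the final password reset and disable. It assumes the RSAT ActiveDirectory module; the account and group names are placeholders.

```powershell
# Added example, not code from the Microsoft page: scripted form of the two manual test
# passes. Assumes the RSAT ActiveDirectory module and that you are logged on as the
# account the chosen role describes. All account and group names are placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('Enabler', 'Manager', 'Cleanup')][string]$Role,
    [string]$ManagementAccount = 'MgmtAcct',          # placeholder: management account sAMAccountName
    [string]$ManagementGroup   = 'MgmtAcctEnablers',  # placeholder: group that enables/disables it
    [string]$TempAdmin         = 'TempAdminUser',     # placeholder: account to be elevated briefly
    [string]$ProtectedGroup    = 'Domain Admins'
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # make AD cmdlet failures throw so try/catch can see them

# Runs one action and records whether the outcome (allowed or denied) matched expectations.
function Test-Expectation {
    param([string]$Name, [scriptblock]$Action, [bool]$ShouldSucceed)
    try   { & $Action | Out-Null; $succeeded = $true;  $detail = '' }
    catch { $succeeded = $false; $detail = $_.Exception.Message }
    [pscustomobject]@{
        Test     = $Name
        Expected = $(if ($ShouldSucceed) { 'Allowed' } else { 'Denied' })
        Actual   = $(if ($succeeded)     { 'Allowed' } else { 'Denied' })
        Pass     = ($succeeded -eq $ShouldSucceed)
        Detail   = $detail
    }
}

$results = switch ($Role) {
    'Enabler' {
        $newPassword = Read-Host -Prompt "New password for $ManagementAccount" -AsSecureString
        Test-Expectation 'Enable management account'         { Enable-ADAccount -Identity $ManagementAccount } $true
        Test-Expectation 'Reset management account password' { Set-ADAccountPassword -Identity $ManagementAccount -Reset -NewPassword $newPassword } $true
        # Anything outside userAccountControl and the password must be refused by the directory
        Test-Expectation 'Set logon workstations'            { Set-ADUser -Identity $ManagementAccount -LogonWorkstations 'WS01' } $false
        Test-Expectation 'Rename the account'                { Rename-ADObject -Identity (Get-ADUser $ManagementAccount).DistinguishedName -NewName 'Renamed' } $false
        Test-Expectation 'Add management group to DA'        { Add-ADGroupMember -Identity $ProtectedGroup -Members $ManagementGroup } $false
    }
    'Manager' {
        Test-Expectation 'Add temporary member to DA'        { Add-ADGroupMember -Identity $ProtectedGroup -Members $TempAdmin } $true
        Test-Expectation 'Membership persisted'              {
            $members = Get-ADGroupMember -Identity $ProtectedGroup | ForEach-Object SamAccountName
            if ($members -notcontains $TempAdmin) { throw "$TempAdmin is not a member of $ProtectedGroup" } } $true
        # Managed By and General tab data must stay read-only for the management account
        Test-Expectation 'Set Managed By on DA'              { Set-ADGroup -Identity $ProtectedGroup -ManagedBy $TempAdmin } $false
        Test-Expectation 'Change DA description'             { Set-ADGroup -Identity $ProtectedGroup -Description 'should be denied' } $false
        Test-Expectation 'Remove temporary member again'     { Remove-ADGroupMember -Identity $ProtectedGroup -Members $TempAdmin -Confirm:$false } $true
    }
    'Cleanup' {
        $newPassword = Read-Host -Prompt "New password for $ManagementAccount" -AsSecureString
        Test-Expectation 'Reset password after testing'      { Set-ADAccountPassword -Identity $ManagementAccount -Reset -NewPassword $newPassword } $true
        Test-Expectation 'Disable management account'        { Disable-ADAccount -Identity $ManagementAccount } $true
    }
}

$results | Format-Table Test, Expected, Actual, Pass -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'At least one result did not match. Review the ACLs before using these accounts.'
}
```

Every row should show Pass = True; a Denied action that unexpectedly succeeds means the account holds more than the intended permissions, and an Allowed action that fails usually means SDProp has not yet applied the AdminSDHolder change. The Manager pass removes the temporary member it added, and the Cleanup pass leaves the management account disabled, matching the end state the manual procedure calls for.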