Executive Summary

Applies To: Windows Server 2012

Important

The following documentation was written in 2013 and is provided for historical purposes only. Currently we are reviewing this documentation and it is subject to change. It may not reflect current best practices.

No organization with an information technology (IT) infrastructure is immune from attack, but if appropriate policies, processes, and controls are implemented to protect key segments of an organization's computing infrastructure, it might be possible to prevent a breach event from growing to a wholesale compromise of the computing environment.

This executive summary is intended to be useful as a standalone document summarizing the content of the full document, which contains recommendations that will assist organizations in enhancing the security of their Active Directory installations. By implementing these recommendations, organizations will be able to identify and prioritize security activities, protect key segments of their computing infrastructure, and create controls that significantly decrease the likelihood of successful attacks against critical components of the IT environment.

Although this document discusses the most common attacks against Active Directory and countermeasures to reduce the attack surface, it also contains recommendations for recovery in the event of complete compromise. The only sure way to recover in the event of a complete compromise of Active Directory is to be prepared for the compromise before it happens.

The major sections of this document are:

  • Avenues to Compromise

  • Reducing the Active Directory Attack Surface

  • Monitoring Active Directory for Signs of Compromise

  • Planning for Compromise

Avenues to Compromise

This section provides information about some of the most commonly leveraged vulnerabilities used by attackers to compromise customers' infrastructures. It contains general categories of vulnerabilities and how they are used to initially penetrate customers' infrastructures, propagate compromise across additional systems, and eventually target Active Directory and domain controllers to obtain complete control of the organizations' forests. It does not provide detailed recommendations about addressing each type of vulnerability, particularly in the areas in which the vulnerabilities are not used to directly target Active Directory. However, for each type of vulnerability, links to additional information are provided that can be used to develop countermeasures and reduce the organization's attack surface.

Included are the following subjects:

  • Initial Breach Targets - Most information security breaches start with the compromise of small pieces of an organization's infrastructure, often one or two systems at a time. These initial events, or entry points into the network, often exploit vulnerabilities that could have been fixed, but weren't. Commonly seen vulnerabilities are:

    • Gaps in antivirus and antimalware deployments

    • Incomplete patching

    • Outdated applications and operating systems

    • Misconfiguration

    • Lack of secure application development practices

  • Attractive Accounts for Credential Theft - Credential theft attacks are those in which an attacker initially gains privileged access to a computer on a network and then uses freely available tooling to extract credentials from the sessions of other logged-on accounts.
    Included in this section are the following:

    • Activities that Increase the Likelihood of Compromise - Because the targets of credential theft are usually highly privileged domain accounts and "very important person" (VIP) accounts, it is important for administrators to be conscious of activities that increase the likelihood of a successful credential-theft attack. These activities are:

      • Logging on to unsecured computers with privileged accounts

      • Browsing the Internet with a highly privileged account

      • Configuring local privileged accounts with the same credentials across systems

      • Overpopulation and overuse of privileged domain groups

      • Insufficient management of the security of domain controllers

    • Privilege Elevation and Propagation - Specific accounts, servers, and infrastructure components are usually the primary targets of attacks against Active Directory. These targets are:

      • Permanently privileged accounts

      • VIP accounts

      • "Privilege-Attached" Active Directory accounts

      • Domain controllers

      • Other infrastructure services that affect identity, access, and configuration management, such as public key infrastructure (PKI) servers and systems management servers

Reducing the Active Directory Attack Surface

This section focuses on technical controls to reduce the attack surface of an Active Directory installation. Included in this section are the following subjects:

  • The Privileged Accounts and Groups in Active Directory section discusses the highest privileged accounts and groups in Active Directory and the mechanisms by which privileged accounts are protected. Within Active Directory, three built-in groups are the highest privilege groups in the directory (Enterprise Admins, Domain Admins, and Administrators), although a number of additional groups and accounts should also be protected.

  • The Implementing Least-Privilege Administrative Models section focuses on identifying the risk that the use of highly privileged accounts for day-to-day administration presents, in addition to providing recommendations to reduce that risk.

Excessive privilege isn't only found in Active Directory in compromised environments. When an organization has developed the habit of granting more privilege than is required, it is typically found throughout the infrastructure:

  • In Active Directory

  • On member servers

  • On workstations

  • In applications

  • In data repositories

  • The Implementing Secure Administrative Hosts section describes secure administrative hosts, which are computers that are configured to support administration of Active Directory and connected systems. These hosts are dedicated to administrative functionality and do not run software such as email applications, web browsers, or productivity software (such as Microsoft Office).

Included in this section are the following:

  • Principles for Creating Secure Administrative Hosts - The general principles to keep in mind are:

    • Never administer a trusted system from a less-trusted host.

    • Do not rely on a single authentication factor when performing privileged activities.

    • Do not forget physical security when designing and implementing secure administrative hosts.

  • Securing Domain Controllers Against Attack - If a malicious user obtains privileged access to a domain controller, that user can modify, corrupt, and destroy the Active Directory database, and by extension, all of the systems and accounts that are managed by Active Directory.

Included in this section are the following subjects:

  • Physical Security for Domain Controllers - Contains recommendations for providing physical security for domain controllers in datacenters, branch offices, and remote locations.

  • Domain Controller Operating Systems - Contains recommendations for securing the domain controller operating systems.

  • Secure Configuration of Domain Controllers - Native and freely available configuration tools and settings can be used to create security configuration baselines for domain controllers that can subsequently be enforced by Group Policy Objects (GPOs).
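The Privileged Accounts and Groups and Least-Privilege sections above, together with best practice 7 in the summary table (eliminate permanent membership in highly privileged groups), imply a recurring review of who holds standing membership in Enterprise Admins, Domain Admins, and Administrators. The following PowerShell is an added example of such a review; it is not code from the Microsoft document. The three group names come from the text; the approved-member list, the sample membership snapshot, and the function names are constructed assumptions, and the live path requires the ActiveDirectory module.

```powershell
# Added example (not from the Microsoft document): compare the direct membership
# of the three highest-privilege built-in groups against an approved list and
# report members that should not be permanent. Sample data below is constructed;
# in a domain, feed the function the output of Get-LiveMembership instead.

$ProtectedGroups = @('Enterprise Admins', 'Domain Admins', 'Administrators')

# Approved permanent members per group (constructed assumption; in practice this
# comes from change-control records). Ideally only break-glass accounts remain.
$ApprovedMembers = @{
    'Enterprise Admins' = @()                                   # normally empty
    'Domain Admins'     = @('EA-BreakGlass')
    'Administrators'    = @('Domain Admins', 'Enterprise Admins', 'EA-BreakGlass')
}

# Constructed snapshot standing in for live directory output (direct members,
# by sAMAccountName). Nested groups appear as members because the query is
# non-recursive; that is deliberate, since standing group nesting is what is
# under review.
$SampleMembership = @{
    'Enterprise Admins' = @('jsmith')
    'Domain Admins'     = @('EA-BreakGlass', 'jsmith', 'svc-backup')
    'Administrators'    = @('Domain Admins', 'Enterprise Admins', 'EA-BreakGlass')
}

function Get-LiveMembership {
    # Reads direct membership from the directory. Requires the ActiveDirectory
    # module and read access to the groups (run from a secure administrative host).
    $result = @{}
    foreach ($group in $ProtectedGroups) {
        $result[$group] = @(Get-ADGroupMember -Identity $group |
                            Select-Object -ExpandProperty SamAccountName)
    }
    return $result
}

function Find-UnapprovedPrivilegedMembers {
    param(
        [Parameter(Mandatory)] [hashtable] $Membership,   # group -> member names
        [Parameter(Mandatory)] [hashtable] $Approved      # group -> approved names
    )
    $findings = @()
    foreach ($group in $ProtectedGroups) {
        $current = @($Membership[$group])
        $allowed = @($Approved[$group])

        # Members present in the directory but not on the approved list.
        foreach ($member in $current) {
            if ($allowed -notcontains $member) {
                $findings += [pscustomobject]@{
                    Group  = $group
                    Member = $member
                    Issue  = 'Not approved as permanent member; remove or convert to temporary membership'
                }
            }
        }

        # Approved members that have disappeared: either the list is stale or
        # someone changed the group outside change control. Both merit review.
        foreach ($expected in $allowed) {
            if ($current -notcontains $expected) {
                $findings += [pscustomobject]@{
                    Group  = $group
                    Member = $expected
                    Issue  = 'Approved member missing; verify change record'
                }
            }
        }
    }
    return $findings
}

# Offline run against the constructed snapshot: flags jsmith (twice) and svc-backup.
Find-UnapprovedPrivilegedMembers -Membership $SampleMembership -Approved $ApprovedMembers |
    Format-Table -AutoSize

# Live run (uncomment on a domain-joined administrative host):
# Find-UnapprovedPrivilegedMembers -Membership (Get-LiveMembership) -Approved $ApprovedMembers
```

The check is deliberately non-recursive: a review of permanent privilege is about who is directly placed in these groups, including nested groups, and flattening the membership would hide that nesting. Running the comparison on a schedule and recording the output gives the audit trail that the Monitoring section of the document asks for.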

Monitoring Active Directory for Signs of Compromise

This section provides information about legacy audit categories and audit policy subcategories (which were introduced in Windows Vista and Windows Server 2008), and Advanced Audit Policy (which was introduced in Windows Server 2008 R2). Also provided is information about events and objects to monitor that can indicate attempts to compromise the environment, and some additional references that can be used to construct a comprehensive audit policy for Active Directory.

Included in this section are the following subjects:

  • Windows Audit Policy - Windows security event logs have categories and subcategories that determine which security events are tracked and recorded.

  • Audit Policy Recommendations - This section describes the Windows default audit policy settings, audit policy settings that are recommended by Microsoft, and more aggressive recommendations for organizations to use to audit critical servers and workstations.
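Because audit subcategories decide which security events are recorded at all, a monitoring effort should start by verifying that the effective Advanced Audit Policy on a domain controller matches the baseline the organization has chosen. The following PowerShell is an added example of that verification; it is not from the Microsoft document. It reads the CSV form of `auditpol /get /category:* /r`, compares each subcategory against a baseline, and reports gaps. The baseline values, the sample CSV, and the function names are constructed assumptions for illustration, not the document's recommendation table; the GUID column in the sample is a placeholder.

```powershell
# Added example (not from the Microsoft document): compare the effective
# advanced audit policy, as reported by auditpol in CSV form, against a baseline
# of subcategories and report the ones that are not auditing what the baseline
# expects. The baseline is an illustrative assumption; set it from your own
# audit policy recommendations.

$Baseline = @{
    'Security Group Management'   = 'Success and Failure'
    'User Account Management'     = 'Success and Failure'
    'Computer Account Management' = 'Success and Failure'
    'Directory Service Changes'   = 'Success and Failure'
    'Audit Policy Change'         = 'Success and Failure'
    'Sensitive Privilege Use'     = 'Success and Failure'
    'Logon'                       = 'Success and Failure'
    'Special Logon'               = 'Success'
}

# Constructed sample in the column layout produced by `auditpol /get /category:* /r`.
# The GUID column is an all-zero placeholder; real output carries per-subcategory GUIDs.
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Security Group Management,{00000000-0000-0000-0000-000000000000},Success and Failure,
DC01,System,User Account Management,{00000000-0000-0000-0000-000000000000},Success,
DC01,System,Computer Account Management,{00000000-0000-0000-0000-000000000000},No Auditing,
DC01,System,Directory Service Changes,{00000000-0000-0000-0000-000000000000},Success and Failure,
DC01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000000},Success and Failure,
DC01,System,Logon,{00000000-0000-0000-0000-000000000000},Failure,
DC01,System,Special Logon,{00000000-0000-0000-0000-000000000000},Success,
DC01,System,Distribution Group Management,{00000000-0000-0000-0000-000000000000},No Auditing,
'@

function Test-AuditSetting {
    param([string] $Expected, [string] $Actual)
    # 'Success and Failure' satisfies a baseline that asks for either half alone.
    switch ($Expected) {
        'Success and Failure' { return ($Actual -eq 'Success and Failure') }
        'Success'             { return ($Actual -in @('Success', 'Success and Failure')) }
        'Failure'             { return ($Actual -in @('Failure', 'Success and Failure')) }
        default               { return $false }
    }
}

function Compare-AuditPolicy {
    param(
        [Parameter(Mandatory)] [object[]]  $Rows,      # objects from ConvertFrom-Csv
        [Parameter(Mandatory)] [hashtable] $Baseline   # subcategory -> expected setting
    )
    # Index the reported policy by subcategory name.
    $actualByName = @{}
    foreach ($row in $Rows) {
        $actualByName[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim()
    }

    # One result per baseline entry; a subcategory absent from the report
    # (for example, a mistyped name) is reported rather than silently skipped.
    $results = foreach ($name in $Baseline.Keys) {
        $actual = if ($actualByName.ContainsKey($name)) { $actualByName[$name] } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
            Compliant   = Test-AuditSetting -Expected $Baseline[$name] -Actual $actual
        }
    }
    return $results
}

# Offline run on the constructed sample. Non-compliant here: User Account
# Management (Success only), Computer Account Management (No Auditing),
# Logon (Failure only) and Sensitive Privilege Use (not reported).
Compare-AuditPolicy -Rows ($SampleCsv | ConvertFrom-Csv) -Baseline $Baseline |
    Sort-Object Compliant, Subcategory | Format-Table -AutoSize

# Live run on the host being assessed (auditpol needs an elevated session):
# $live = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
# Compare-AuditPolicy -Rows $live -Baseline $Baseline | Where-Object { -not $_.Compliant }
```

Two practical notes: the effective policy on a domain controller is the result of the GPOs applied to it, so a gap found here usually points at a GPO rather than at local settings, and the `Where-Object { $_ }` filter on the live path drops the blank line that `auditpol` may emit before the CSV header, which would otherwise be taken as the header row.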

Planning for Compromise

This section contains recommendations that will help organizations prepare for a compromise before it happens, implement controls that can detect a compromise event before a full breach has occurred, and provide response and recovery guidelines for cases in which a complete compromise of the directory is achieved by attackers. Included in this section are the following subjects:

  • Rethinking the Approach - Contains principles and guidelines to create secure environments into which an organization can place its most critical assets. These guidelines are as follows:

    • Identifying principles for segregating and securing critical assets

    • Defining a limited, risk-based migration plan

    • Leveraging "nonmigratory" migrations where necessary

    • Implementing "creative destruction"

    • Isolating legacy systems and applications

    • Simplifying security for end users

  • Maintaining a More Secure Environment - Contains high-level recommendations meant to be used as guidelines in developing not only effective security, but effective lifecycle management. Included in this section are the following subjects:

    • Creating Business-Centric Security Practices for Active Directory - To effectively manage the lifecycle of the users, data, applications, and systems managed by Active Directory, follow these principles:

      • Assign a Business Ownership to Active Directory Data - Assign ownership of infrastructure components to IT; for data that is added to Active Directory Domain Services (AD DS) to support the business (for example, new employees, new applications, and new information repositories), a designated business unit or user should be associated with the data.

      • Implement Business-Driven Lifecycle Management - Lifecycle management should be implemented for data in Active Directory.

      • Classify All Active Directory Data - Business owners should provide classification for data in Active Directory. Within the data classification model, classification for the following Active Directory data should be included:

        • Systems - Classify server populations, their operating system, their role, the applications running on them, and the IT and business owners of record.

        • Applications - Classify applications by functionality, user base, and their operating system.

        • Users - The accounts in the Active Directory installation that are most likely to be targeted by attackers should be tagged and monitored.

Summary of Best Practices for Securing Active Directory Domain Services

The following table provides a summary of the recommendations provided in this document for securing an AD DS installation. Some best practices are strategic in nature and require comprehensive planning and implementation projects; others are tactical and focused on specific components of Active Directory and related infrastructure.

Practices are listed in approximate order of priority, that is, lower numbers indicate higher priority. Where applicable, best practices are identified as preventative or detective in nature. All of these recommendations should be thoroughly tested and modified as needed for your organization's characteristics and requirements.

| | Best Practice | Tactical or Strategic | Preventative or Detective |
|-|-|-|-|
| 1 | Patch applications. | Tactical | Preventative |
| 2 | Patch operating systems. | Tactical | Preventative |
| 3 | Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. | Tactical | Both |
| 4 | Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise. | Tactical | Detective |
| 5 | Protect and monitor accounts for users who have access to sensitive data. | Tactical | Both |
| 6 | Prevent powerful accounts from being used on unauthorized systems. | Tactical | Preventative |
| 7 | Eliminate permanent membership in highly privileged groups. | Tactical | Preventative |
| 8 | Implement controls to grant temporary membership in privileged groups when needed. | Tactical | Preventative |
| 9 | Implement secure administrative hosts. | Tactical | Preventative |
| 10 | Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems. | Tactical | Preventative |
| 11 | Identify critical assets, and prioritize their security and monitoring. | Tactical | Both |
| 12 | Implement least-privilege, role-based access controls for administration of the directory, its supporting infrastructure, and domain-joined systems. | Strategic | Preventative |
| 13 | Isolate legacy systems and applications. | Tactical | Preventative |
| 14 | Decommission legacy systems and applications. | Strategic | Preventative |
| 15 | Implement secure development lifecycle programs for custom applications. | Strategic | Preventative |
| 16 | Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. | Strategic | Preventative |
| 17 | Migrate critical assets to pristine forests with stringent security and monitoring requirements. | Strategic | Both |
| 18 | Simplify security for end users. | Strategic | Preventative |
| 19 | Use host-based firewalls to control and secure communications. | Tactical | Preventative |
| 20 | Patch devices. | Tactical | Preventative |
| 21 | Implement business-centric lifecycle management for IT assets. | Strategic | N/A |
| 22 | Create or update incident recovery plans. | Strategic | N/A |