Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Attacks against computing infrastructures, whether simple or complex, have existed as long as computers have. However, within the past decade, increasing numbers of organizations of all sizes, in all parts of the world, have been attacked and compromised in ways that have significantly changed the threat landscape. Cyber-warfare and cybercrime have increased at record rates. "Hacktivism," in which attacks are motivated by activist positions, has been claimed as the motivation for a number of breaches intended to expose organizations' secret information, to create denials-of-service, or even to destroy infrastructure. Attacks against public and private institutions with the goal of exfiltrating the organizations' intellectual property (IP) have become ubiquitous.

No organization with an information technology (IT) infrastructure is immune from attack, but if appropriate policies, processes, and controls are implemented to protect key segments of an organization's computing infrastructure, escalation of attacks from penetration to complete compromise might be preventable. Because the number and scale of attacks originating from outside an organization have eclipsed insider threat in recent years, this document often discusses external attackers rather than misuse of the environment by authorized users. Nonetheless, the principles and recommendations provided in this document are intended to help secure your environment against external attackers and misguided or malicious insiders.

The information and recommendations provided in this document are drawn from a number of sources and derived from practices designed to protect Active Directory installations against compromise. Although it is not possible to prevent attacks, it is possible to reduce the Active Directory attack surface and to implement controls that make compromise of the directory much more difficult for attackers. This document presents the most common types of vulnerabilities we have observed in compromised environments and the most common recommendations we have made to customers to improve the security of their Active Directory installations.

Account and Group Naming Conventions

The following table provides a guide to the naming conventions used in this document for the groups and accounts referenced throughout the document. Included in the table are the location of each account/group, its name, and how these accounts/groups are referenced in this document.

| Account/Group Location | Name of Account/Group | How It Is Referenced in This Document |
| --- | --- | --- |
| Active Directory - each domain | Administrator | Built-in Administrator account |
| Active Directory - each domain | Administrators | Built-in Administrators (BA) group |
| Active Directory - each domain | Domain Admins | Domain Admins (DA) group |
| Active Directory - forest root domain | Enterprise Admins | Enterprise Admins (EA) group |
| Local computer security accounts manager (SAM) database on computers running Windows Server and workstations that are not domain controllers | Administrator | Local Administrator account |
| Local computer security accounts manager (SAM) database on computers running Windows Server and workstations that are not domain controllers | Administrators | Local Administrators group |

About This Document

The Microsoft Information Security and Risk Management (ISRM) organization, which is part of Microsoft Information Technology (MSIT), works with internal business units, external customers, and industry peers to gather, disseminate, and define policies, practices, and controls. This information can be used by Microsoft and our customers to increase the security and reduce the attack surface of their IT infrastructures. The recommendations provided in this document are based on a number of information sources and practices used within MSIT and ISRM. The following sections present more information about the origins of this document.

Microsoft IT and ISRM

A number of practices and controls have been developed within MSIT and ISRM to secure the Microsoft AD DS forests and domains. Where these controls are broadly applicable, they have been integrated into this document. SAFE-T (Solution Accelerators for Emerging Technologies) is a team within ISRM whose charter is to identify emerging technologies and to define security requirements and controls to accelerate their adoption.

Active Directory Security Assessments

Within Microsoft ISRM, the Assessment, Consulting, and Engineering (ACE) Team works with internal Microsoft business units and external customers to assess application and infrastructure security and to provide tactical and strategic guidance to increase the organization's security posture. One ACE service offering is the Active Directory Security Assessment (ADSA), which is a holistic assessment of an organization's AD DS environment that assesses people, process, and technology and produces customer-specific recommendations. Customers are provided with recommendations that are based on the organization's unique characteristics, practices, and risk appetite. ADSAs have been performed for Active Directory installations at Microsoft in addition to those of our customers. Over time, a number of recommendations have been found to be applicable across customers of varying sizes and industries.

Content Origin and Organization

Much of the content of this document is derived from the ADSA and other ACE Team assessments performed for compromised customers and for customers who have not experienced significant compromise. Although individual customer data was not used to create this document, we have collected the most commonly exploited vulnerabilities we have identified in our assessments and the recommendations we have made to customers to improve the security of their AD DS installations. Not all vulnerabilities are applicable to all environments, nor are all recommendations feasible to implement in every organization.

This document is organized as follows:

Executive Summary

The Executive Summary, which can be read as a standalone document or in combination with the full document, provides a high-level summary of this document. Included in the Executive Summary are the most common attack vectors we have observed used to compromise customer environments, summary recommendations for securing Active Directory installations, and basic objectives for customers who plan to deploy new AD DS forests now or in the future.


This is the section you are reading now.

Avenues to Compromise

This section provides information about some of the most commonly leveraged vulnerabilities we have found to be used by attackers to compromise customers' infrastructures. It begins with general categories of vulnerabilities and how they are leveraged to initially penetrate customers' infrastructures, propagate compromise across additional systems, and eventually target AD DS and domain controllers to obtain complete control of organizations' forests.

This section does not provide detailed recommendations about addressing each type of vulnerability, particularly in the areas in which the vulnerabilities are not used to directly target Active Directory. However, for each type of vulnerability, we have provided links to additional information that you can use to develop countermeasures and reduce your organization's attack surface.

Reducing the Active Directory Attack Surface

This section begins with background information about privileged accounts and groups in Active Directory, which helps clarify the reasons for the subsequent recommendations for securing and managing privileged groups and accounts. We then discuss approaches to reduce the need to use highly privileged accounts for day-to-day administration, which does not require the level of privilege that is granted to groups such as the Enterprise Admins (EA), Domain Admins (DA), and Built-in Administrators (BA) groups in Active Directory. Next, we provide guidance for securing the privileged groups and accounts and for implementing secure administrative practices and systems.
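A first step toward reducing day-to-day use of the EA, DA, and BA groups is knowing who is in them. The following PowerShell script is an added example, not code from the original document or from Microsoft; it enumerates the (recursively expanded) membership of those three groups in every domain of the forest so that accounts used for routine administration can be identified and moved to less-privileged roles. It assumes the ActiveDirectory RSAT module is installed and that the caller can read group membership in each domain; the group labels and the output layout are the author's choices.

```powershell
# Added example (not from the original document): inventory the membership of the
# Enterprise Admins (EA), Domain Admins (DA) and Built-in Administrators (BA) groups
# in every domain of the forest. Assumes the ActiveDirectory RSAT module and read
# access to the directory in each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $sid = $domain.DomainSID.Value

    # Well-known identifiers: <domain SID>-512 = Domain Admins,
    # <domain SID>-519 = Enterprise Admins (exists only in the forest root domain),
    # S-1-5-32-544 = Built-in Administrators (domain-local group in every domain).
    $groups = @(
        @{ Label = 'DA'; Identity = "$sid-512" },
        @{ Label = 'BA'; Identity = 'S-1-5-32-544' }
    )
    if ($domainName -eq $forest.RootDomain) {
        $groups += @{ Label = 'EA'; Identity = "$sid-519" }
    }

    foreach ($g in $groups) {
        # -Recursive expands nested groups so that indirect members are reported too.
        # Membership is queried against a DC of the domain that owns the group.
        $members = Get-ADGroupMember -Identity $g.Identity -Server $domainName -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            [pscustomobject]@{
                Domain      = $domainName
                Group       = $g.Label
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
            }
        }
    }
}

# Review the list: any account that is used for routine, non-directory administration
# is a candidate for removal from these groups.
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize
```

Run the script from a management workstation as an account that can read the directory; it only reads group membership and changes nothing. Members from trusted forests appear as foreign security principals and may not expand with -Recursive, which is why errors are suppressed rather than aborting the inventory.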

Although this section provides detailed information about these configuration settings, we have also included appendices for each recommendation that provide step-by-step configuration instructions that can be used "as is" or can be modified for the organization's needs. This section finishes by providing information to securely deploy and manage domain controllers, which should be among the most stringently secured systems in the infrastructure.

Monitoring Active Directory for Signs of Compromise

Whether you have implemented robust security information and event monitoring (SIEM) in your environment or are using other mechanisms to monitor the security of the infrastructure, this section provides information that can be used to identify events on Windows systems that may indicate that an organization is being attacked. We discuss traditional and advanced audit policies, including effective configuration of audit subcategories in the Windows 7 and Windows Vista operating systems. This section includes comprehensive lists of objects and systems to audit, and an associated appendix lists the events you should monitor if the goal is to detect compromise attempts.

Planning for Compromise

This section begins by "stepping back" from technical detail to focus on principles and processes that can be implemented to identify the users, applications, and systems that are most critical not only to the IT infrastructure, but to the business. After identifying what is most critical to the stability and operations of your organization, you can focus on segregating and securing these assets, whether they are intellectual property, people, or systems. In some cases, segregating and securing assets may be performed in your existing AD DS environment, while in other cases, you should consider implementing small, separate "cells" that allow you to establish a secure boundary around critical assets and monitor those assets more stringently than less-critical components. A concept called "creative destruction," which is a mechanism by which legacy applications and systems can be eliminated by creating new solutions, is discussed, and the section ends with recommendations that can help to maintain a more secure environment by combining business and IT information to construct a detailed picture of what a normal operational state is. By knowing what is normal for an organization, abnormalities that may indicate attacks and compromises can be more easily identified.

Summary of Best Practice Recommendations

This section provides a table that summarizes the recommendations made in this document and orders them by relative priority, in addition to providing links to where more information about each recommendation can be found in the document and its appendices.


Appendices are included in this document to augment the information contained in the body of the document. The list of appendices and a brief description of each is included in the following table.

| Appendix | Description |
| --- | --- |
| Appendix B: Privileged Accounts and Groups in Active Directory | Provides background information that helps you to identify the users and groups you should focus on securing, because they can be leveraged by attackers to compromise and even destroy your Active Directory installation. |
| Appendix C: Protected Accounts and Groups in Active Directory | Contains information about protected groups in Active Directory. It also contains information for limited customization (removal) of groups that are considered protected groups and are affected by AdminSDHolder and SDProp. |
| Appendix D: Securing Built-In Administrator Accounts in Active Directory | Contains guidelines to help secure the Administrator account in each domain in the forest. |
| Appendix E: Securing Enterprise Admins Groups in Active Directory | Contains guidelines to help secure the Enterprise Admins group in the forest. |
| Appendix F: Securing Domain Admins Groups in Active Directory | Contains guidelines to help secure the Domain Admins group in each domain in the forest. |
| Appendix G: Securing Administrators Groups in Active Directory | Contains guidelines to help secure the Built-in Administrators group in each domain in the forest. |
| Appendix H: Securing Local Administrator Accounts and Groups | Contains guidelines to help secure local Administrator accounts and Administrators groups on domain-joined servers and workstations. |
| Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory | Provides information to create accounts that have limited privileges and can be stringently controlled, but can be used to populate privileged groups in Active Directory when temporary elevation is required. |
| Appendix L: Events to Monitor | Lists the events you should monitor in your environment. |
| Appendix M: Document Links and Recommended Reading | Contains a list of recommended reading. Also contains a list of links to external documents and their URLs so that readers of hard copies of this document can access this information. |