Appendix D: Securing Built-In Administrator Accounts in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012


In each domain in Active Directory, an Administrator account is created as part of the creation of the domain. This account is by default a member of the Domain Admins and Administrators groups in the domain, and if the domain is the forest root domain, the account is also a member of the Enterprise Admins group.

Use of a domain's Administrator account should be reserved only for initial build activities and, possibly, disaster-recovery scenarios. To ensure that the Administrator account can be used to effect repairs in the event that no other accounts can be used, you should not change the default membership of the Administrator account in any domain in the forest. Instead, you should secure the Administrator account in each domain in the forest as described in the following section and detailed in the step-by-step instructions that follow.

Controls for Built-in Administrator Accounts

For the built-in Administrator account in each domain in your forest, you should configure the following settings:

  • Enable the Account is sensitive and cannot be delegated flag on the account.

  • Enable the Smart card is required for interactive logon flag on the account.

  • Disable the account.

  • Configure GPOs to restrict the Administrator account's use on domain-joined systems:

    • In one or more GPOs that you create and link to workstation and member server OUs in each domain, add each domain's Administrator account to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignments:

      • Deny access to this computer from the network

      • Deny log on as a batch job

      • Deny log on as a service

      • Deny log on through Remote Desktop Services

Note

When you add accounts to this setting, you must specify whether you are configuring local Administrator accounts or domain Administrator accounts. For example, to add the NWTRADERS domain's Administrator account to these deny rights, you must type the account as NWTRADERS\Administrator, or browse to the Administrator account for the NWTRADERS domain. If you type "Administrator" in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied.

We recommend restricting local Administrator accounts on member servers and workstations in the same manner as domain-based Administrator accounts. Therefore, you should generally add the Administrator account for each domain in the forest and the Administrator account for the local computers to these user rights settings. The following screenshot shows an example of configuring these user rights to block local Administrator accounts and a domain's Administrator account from performing logons that should not be needed for these accounts.

[Screenshot: Securing built-in Administrator accounts]

  • Configure GPOs to restrict Administrator accounts on domain controllers

    • In each domain in the forest, the Default Domain Controllers GPO or a policy linked to the domain controllers OU should be modified to add each domain's Administrator account to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignments:

      • Deny access to this computer from the network

      • Deny log on as a batch job

      • Deny log on as a service

      • Deny log on through Remote Desktop Services

Note

These settings will ensure that the domain's built-in Administrator account cannot be used to connect to a domain controller, although the account, if enabled, can log on locally to domain controllers. Because this account should only be enabled and used in disaster-recovery scenarios, it is anticipated that physical access to at least one domain controller will be available, or that other accounts with permissions to access domain controllers remotely can be used.

  • Configure Auditing of Administrator Accounts

    When you have secured each domain's Administrator account and disabled it, you should configure auditing to monitor for changes to the account. If the account is enabled, its password is reset, or any other modifications are made to the account, alerts should be sent to the users or teams responsible for administration of Active Directory, in addition to incident response teams in your organization.
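The auditing control above says to alert on any change to the secured account but does not show what to look for. The following script is an added example, not part of Microsoft's guidance: it reads the Security log of one domain controller and reports the "Audit User Account Management" events (4722 enabled, 4724 password reset, 4725 disabled, 4738 changed, 4767 unlocked) whose target is the domain's built-in Administrator, identified by RID 500 rather than by name so a renamed account is still matched. It assumes the ActiveDirectory (RSAT) module, that the User Account Management audit subcategory is enabled on the domain controllers, and a placeholder domain controller name in $DomainController.

```powershell
# Added example (not part of the original Microsoft guidance): summarize recent
# changes to the built-in Administrator account (RID 500) from a DC's Security log
# so they can be forwarded to the AD administration and incident response teams.
# Assumes: ActiveDirectory module, "Audit User Account Management" enabled on DCs.
param(
    [string]$DomainController = 'DC01.corp.example',   # placeholder DC name (assumption)
    [int]$LookbackHours = 24
)
Import-Module ActiveDirectory

# Build the SID of the built-in Administrator from the domain SID and RID 500.
$domainSid = (Get-ADDomain -Server $DomainController).DomainSID.Value
$builtinAdminSid = "$domainSid-500"

# Event IDs written by the "Audit User Account Management" subcategory.
$actionById = @{
    4722 = 'Account enabled'
    4724 = 'Password reset attempted'
    4725 = 'Account disabled'
    4738 = 'Account changed (for example a UAC flag such as smart card required)'
    4767 = 'Account unlocked'
}

$filter = @{
    LogName   = 'Security'
    Id        = @($actionById.Keys)
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # The EventData fields (TargetSid, SubjectUserName, ...) are only in the XML view.
    $xml = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetSid'] -eq $builtinAdminSid) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Action      = $actionById[[int]$e.Id]
            ChangedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Target      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            DC          = $e.MachineName
        }
    }
}

if ($hits) {
    # Every hit on a disabled, break-glass-only account is alert-worthy; hand these
    # objects to your alerting pipeline (mail, ticket, SIEM) rather than only printing.
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Output "No changes to $builtinAdminSid in the last $LookbackHours hours on $DomainController."
}
```

Because account management events are written on the domain controller that processed the change, run the script against every domain controller (or against a central log collector) rather than a single DC; the -ComputerName parameter is there so it can be looped.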

Step-by-Step Instructions to Secure Built-in Administrator Accounts in Active Directory

  1. In Server Manager, click Tools, and click Active Directory Users and Computers.

  2. To prevent attacks that leverage delegation to use the account's credentials on other systems, perform the following steps:

    1. Right-click the Administrator account and click Properties.

    2. Click the Account tab.

    3. Under Account options, select the Account is sensitive and cannot be delegated flag as indicated in the following screenshot, and click OK.

      [Screenshot: Securing built-in Administrator accounts]

  3. To enable the Smart card is required for interactive logon flag on the account, perform the following steps:

    1. Right-click the Administrator account and select Properties.

    2. Click the Account tab.

    3. Under Account options, select the Smart card is required for interactive logon flag as indicated in the following screenshot, and click OK.

      [Screenshot: Securing built-in Administrator accounts]

  4. To disable the account, perform the following steps:

    1. Right-click the Administrator account and click Properties.

    2. Click the Account tab.

    3. In the Account options field, select the Account is disabled flag as indicated in the following screenshot, and click OK.

      [Screenshot: Securing built-in Administrator accounts]
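Steps 2 to 4 set three flags on one account in one domain through the GUI. The following script is an added example, not Microsoft's own procedure: it applies the same three controls with Set-ADUser to the built-in Administrator of every domain in the forest and reads the flags back so that a failed change is visible. It assumes the ActiveDirectory (RSAT) module and an account permitted to modify the built-in Administrator in each domain; it locates the account by RID 500 so that a renamed Administrator is still found.

```powershell
# Added example (not part of the original Microsoft guidance): apply the three
# account-level controls from this appendix to the built-in Administrator account
# of every domain in the forest, then read the flags back to verify.
# Assumes: ActiveDirectory module and rights to modify the account in each domain.
Import-Module ActiveDirectory

foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dc     = $domain.PDCEmulator   # write to one DC and read back from the same DC

    # RID 500 identifies the built-in Administrator even if it has been renamed.
    $adminSid = "$($domain.DomainSID.Value)-500"
    $admin = Get-ADUser -Identity $adminSid -Server $dc

    Write-Output "Securing $($domain.NetBIOSName)\$($admin.SamAccountName) ($adminSid)"

    $settings = @{
        Identity               = $admin
        Server                 = $dc
        AccountNotDelegated    = $true   # "Account is sensitive and cannot be delegated"
        SmartcardLogonRequired = $true   # "Smart card is required for interactive logon"
        Enabled                = $false  # "Account is disabled"
    }
    Set-ADUser @settings

    # Read back and report; a value that differs from the intended one means the
    # change was not applied (permissions, replication, or a protected-object error).
    $after = Get-ADUser -Identity $adminSid -Server $dc -Properties AccountNotDelegated, SmartcardLogonRequired, Enabled
    [pscustomobject]@{
        Domain                 = $domain.NetBIOSName
        Account                = $after.SamAccountName
        AccountNotDelegated    = $after.AccountNotDelegated   # expected: True
        SmartcardLogonRequired = $after.SmartcardLogonRequired # expected: True
        Enabled                = $after.Enabled                # expected: False
    }
}
```

Writing to and reading from the PDC emulator avoids a false negative where the read-back hits a domain controller that has not yet replicated the change. As the appendix notes, the account stays a member of Domain Admins (and Enterprise Admins in the forest root); the script deliberately changes only the three flags and not group membership.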

Configuring GPOs to Restrict Administrator Accounts at the Domain Level

Warning

This GPO should never be linked at the domain level because it can make the built-in Administrator account unusable, even in disaster recovery scenarios.

  1. In Server Manager, click Tools, and click Group Policy Management.

  2. In the console tree, expand \Domains\, and then Group Policy Objects (where is the name of the forest and is the name of the domain where you want to create the Group Policy).

  3. In the console tree, right-click Group Policy Objects, and click New.

    [Screenshot: Securing built-in Administrator accounts]

  4. In the New GPO dialog box, type , and click OK (where is the name of this GPO) as indicated in the following screenshot.

    [Screenshot: Securing built-in Administrator accounts]

  5. In the details pane, right-click , and click Edit.

  6. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and click User Rights Assignment.

    [Screenshot: Securing built-in Administrator accounts]

  7. Configure the user rights to prevent the Administrator account from accessing member servers and workstations over the network by doing the following:

    1. Double-click Deny access to this computer from the network and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrator, click Check Names, and click OK. Verify that the account is displayed in \Username format as indicated in the following screenshot.

      [Screenshot: Securing built-in Administrator accounts]

    4. Click OK, and OK again.

  8. Configure the user rights to prevent the Administrator account from logging on as a batch job by doing the following:

    1. Double-click Deny log on as a batch job and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrator, click Check Names, and click OK. Verify that the account is displayed in \Username format as indicated in the following screenshot.

      [Screenshot: Securing built-in Administrator accounts]

    4. Click OK, and OK again.

  9. Configure the user rights to prevent the Administrator account from logging on as a service by doing the following:

    1. Double-click Deny log on as a service and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrator, click Check Names, and click OK. Verify that the account is displayed in \Username format as indicated in the following screenshot.

      [Screenshot: Securing built-in Administrator accounts]

    4. Click OK, and OK again.

  10. Configure the user rights to prevent the BA account from accessing member servers and workstations via Remote Desktop Services by doing the following:

    1. Double-click Deny log on through Remote Desktop Services and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrator, click Check Names, and click OK. Verify that the account is displayed in \Username format as indicated in the following screenshot.

      [Screenshot: Securing built-in Administrator accounts]

    4. Click OK, and OK again.

  11. To exit Group Policy Management Editor, click File, and click Exit.

  12. In Group Policy Management, link the GPO to the member server and workstation OUs by doing the following:

    1. Navigate to \Domains\ (where is the name of the forest and is the name of the domain where you want to set the Group Policy).

    2. Right-click the OU that the GPO will be applied to and click Link an existing GPO.

      [Screenshot: Securing built-in Administrator accounts]

    3. Select the GPO that you created and click OK.

      [Screenshot: Securing built-in Administrator accounts]

    4. Create links to all other OUs that contain workstations.

    5. Create links to all other OUs that contain member servers.

Important

When you add the Administrator account to these settings, you specify whether you are configuring a local Administrator account or a domain Administrator account by how you label the accounts. For example, to add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator. If you type "Administrator" in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied, as described earlier.
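The GPO procedure above ends with the policy linked, and the Verification Steps that follow test each deny right by attempting a logon of that type. The following script is an added example, not part of Microsoft's guidance: run from an elevated PowerShell prompt on a member server or workstation inside a linked OU, it exports the effective user rights with secedit and checks that the domain's built-in Administrator (RID 500) appears in all four deny rights, which confirms the Important note above was followed (a domain account rather than the local "Administrator"). It assumes the domain's NetBIOS name in $DomainNetBiosName (defaulting to the logged-on user's domain) and that the Domain Admins group carries its default English name, which it uses only to derive the domain SID without the ActiveDirectory module.

```powershell
# Added example (not part of the original Microsoft guidance): confirm on a
# domain-joined computer that the GPO placed the domain's built-in Administrator
# into all four deny rights. Run from an elevated prompt.
param([string]$DomainNetBiosName = $env:USERDOMAIN)   # assumption: NetBIOS domain name

# Derive the domain SID from the well-known Domain Admins RID (512) and append RID 500,
# so the check works even if the built-in Administrator has been renamed.
$domainAdmins = New-Object System.Security.Principal.NTAccount("$DomainNetBiosName\Domain Admins")
$domainAdminsSid = $domainAdmins.Translate([System.Security.Principal.SecurityIdentifier]).Value
$builtinAdminSid = $domainAdminsSid -replace '-512$', '-500'
$builtinAdminName = (New-Object System.Security.Principal.SecurityIdentifier($builtinAdminSid)).Translate([System.Security.Principal.NTAccount]).Value

# The four deny rights configured by the GPO, keyed by their policy constant names.
$requiredDenyRights = @{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# Export the effective (GPO-applied) user rights of this computer to an .inf file.
$infPath = Join-Path $env:TEMP 'user-rights-check.inf'
& secedit.exe /export /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null
$inf = Get-Content -Path $infPath

$results = foreach ($right in $requiredDenyRights.Keys) {
    # A line in the [Privilege Rights] section looks like:
    #   SeDenyNetworkLogonRight = *S-1-5-21-...-500,*S-1-5-32-546
    # Members are SIDs prefixed with '*', or occasionally DOMAIN\name strings.
    $line = $inf | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Right   = $requiredDenyRights[$right]
        Present = [bool](($members -contains $builtinAdminSid) -or ($members -contains $builtinAdminName))
        Members = ($members -join ', ')
    }
}
Remove-Item -Path $infPath -ErrorAction SilentlyContinue

$results | Format-Table -AutoSize
if ($results.Present -contains $false) {
    Write-Warning "$builtinAdminName ($builtinAdminSid) is missing from at least one deny right; check the GPO links and run gpupdate /force."
}
```

A row whose Members column lists only the computer's local Administrator SID (the machine SID with RID 500) rather than the domain SID is the symptom the Important note describes: "Administrator" was typed without a domain prefix, so only the local account was restricted.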

Verification Steps

The verification steps outlined here are specific to Windows 8 and Windows Server 2012.

Verify "Smart card is required for interactive logon" Account Option
  1. From any member server or workstation affected by the GPO changes, attempt to log on interactively to the domain by using the domain's built-in Administrator account. After attempting to log on, a dialog box similar to the following should appear.

[Screenshot: Securing built-in Administrator accounts]

Verify "Account is disabled" Account Option
  1. From any member server or workstation affected by the GPO changes, attempt to log on interactively to the domain by using the domain's built-in Administrator account. After attempting to log on, a dialog box similar to the following should appear.

[Screenshot: Securing built-in Administrator accounts]

Verify "Deny access to this computer from the network" GPO Settings

From any member server or workstation that is not affected by the GPO changes (such as a jump server), attempt to access a member server or workstation over the network that is affected by the GPO changes. To verify the GPO settings, attempt to map the system drive by using the NET USE command by performing the following steps:

  1. Log on to the domain using the domain's built-in Administrator account.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type command prompt, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.

  4. When prompted to approve the elevation, click Yes.

    [Screenshot: Securing built-in Administrator accounts]

  5. In the Command Prompt window, type net use \\<Server Name>\c$, where <Server Name> is the name of the member server or workstation you are attempting to access over the network.

  6. The following screenshot shows the error message that should appear.

    [Screenshot: Securing built-in Administrator accounts]

Verify "Deny log on as a batch job" GPO Settings

From any member server or workstation affected by the GPO changes, log on locally.

Create a Batch File
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type notepad, and click Notepad.

  3. In Notepad, type dir c:.

  4. Click File and click Save As.

  5. In the Filename field, type .bat (where is the name of the new batch file).

Schedule a Task
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type task scheduler, and click Task Scheduler.

    Note

    On computers running Windows 8, in the Search box, type schedule tasks, and click Schedule tasks.

  3. In Task Scheduler, click Action, and click Create Task.

  4. In the Create Task dialog box, type (where is the name of the new task).

  5. Click the Actions tab, and click New.

  6. Under Action:, select Start a program.

  7. Under Program/script:, click Browse, locate and select the batch file created in the "Create a Batch File" section, and click Open.

  8. Click OK.

  9. Click the General tab.

  10. Under Security options, click Change User or Group.

  11. Type the name of the BA account at the domain level, click Check Names, and click OK.

  12. Select Run whether the user is logged on or not and Do not store password. The task will only have access to local computer resources.

  13. Click OK.

  14. A dialog box should appear, requesting user account credentials to run the task.

  15. After entering the credentials, click OK.

  16. A dialog box similar to the following should appear.

    [Screenshot: Securing built-in Administrator accounts]

Verify "Deny log on as a service" GPO Settings
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. Under Log on as:, select This account.

  7. Click Browse, type the name of the BA account at the domain level, click Check Names, and click OK.

  8. Under Password: and Confirm password:, type the Administrator account's password, and click OK.

  9. Click OK three more times.

  10. Right-click the Print Spooler service and select Restart.

  11. When the service is restarted, a dialog box similar to the following should appear.

    [Screenshot: Securing built-in Administrator accounts]

Revert Changes to the Print Spooler Service
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. Under Log on as:, select Local System account, and click OK.

Verify "Deny log on through Remote Desktop Services" GPO Settings
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type remote desktop connection, and click Remote Desktop Connection.

  3. In the Computer field, type the name of the computer that you want to connect to, and click Connect. (You can also type the IP address instead of the computer name.)

  4. When prompted, provide the credentials of the BA account at the domain level.

  5. A dialog box similar to the following should appear.

    [Screenshot: Securing built-in Administrator accounts]