Appendix E: Securing Enterprise Admins Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The Enterprise Admins (EA) group, which is housed in the forest root domain, should contain no users on a day-to-day basis, with the possible exception of the root domain's Administrator account, provided it is secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

Enterprise Admins are, by default, members of the Administrators group in each domain in the forest. You should not remove the EA group from the Administrators groups in each domain, because in the event of a forest disaster recovery scenario, EA rights will likely be required. The forest's Enterprise Admins group should be secured as detailed in the step-by-step instructions that follow.

For the Enterprise Admins group in the forest:

  1. In GPOs linked to OUs containing member servers and workstations in each domain, the Enterprise Admins group should be added to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

    • Deny access to this computer from the network

    • Deny log on as a batch job

    • Deny log on as a service

    • Deny log on locally

    • Deny log on through Remote Desktop Services

  2. Configure auditing to send alerts if any modifications are made to the properties or membership of the Enterprise Admins group.
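One way to satisfy the second point is to watch the Security log of a forest-root domain controller for group-membership events naming Enterprise Admins. This PowerShell script is an added example, not part of the Microsoft page; it assumes "Audit Security Group Management" is enabled on the DC and that the script runs on (or is pointed at) a root-domain DC.

```powershell
# Added example, not from the Microsoft page: list membership changes to the
# Enterprise Admins group from the Security log of a forest-root domain
# controller. Needs "Audit Security Group Management" enabled on the DC.
# 4756/4757 = member added/removed from a universal group (EA in native mode);
# 4728/4729 = the same events for a global group.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: a root-domain DC
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4729, 4756, 4757
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d['TargetUserName'] -eq 'Enterprise Admins') {
            $action = if ($_.Id -in 4728, 4756) { 'MemberAdded' } else { 'MemberRemoved' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Action    = $action
                Member    = $d['MemberName']       # distinguished name of the affected account
                ChangedBy = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                DC        = $ComputerName
            }
        }
    } | Format-Table -AutoSize
```

Feed the output to whatever alerting your SIEM or scheduled task uses; any row here is a change that the procedure below says should not happen outside a planned operation.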

Step-by-Step Instructions for Removing All Members from the Enterprise Admins Group

  1. In Server Manager, click Tools, and click Active Directory Users and Computers.

  2. If you are not managing the root domain for the forest, in the console tree, right-click , and then click Change Domain (where is the name of the domain you're currently administering).

  3. In the Change domain dialog box, click Browse, select the root domain for the forest, and click OK.

  4. To remove all members from the EA group:

    1. Double-click the Enterprise Admins group and then click the Members tab.

    2. Select a member of the group, click Remove, click Yes, and click OK.

  5. Repeat the previous step until all members of the EA group have been removed.
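The same removal, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the Microsoft page. It assumes RSAT is installed and that the caller can modify the group; the -KeepRootAdministrator switch is an assumption that implements the exception stated at the top of this appendix, and -WhatIf previews the changes.

```powershell
# Added example, not from the Microsoft page: list, and optionally remove,
# the direct members of the forest root's Enterprise Admins group.
# Requires the ActiveDirectory module (RSAT) and rights to modify the group.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: keep the root domain's built-in Administrator (RID 500)
    # if it is a member, as this appendix allows when Appendix D is applied.
    [switch]$KeepRootAdministrator
)

Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain
$rootSid    = (Get-ADDomain -Identity $rootDomain).DomainSID.Value
$ea         = Get-ADGroup -Identity 'Enterprise Admins' -Server $rootDomain

# Direct members only, which matches the manual steps above; a nested group
# shows up here as a member and is removed as a unit.
$members = Get-ADGroupMember -Identity $ea -Server $rootDomain

foreach ($m in $members) {
    $isRootAdmin = ($m.SID.Value -eq "$rootSid-500")
    if ($KeepRootAdministrator -and $isRootAdmin) {
        Write-Host "Keeping $($m.SamAccountName) (root domain Administrator)"
        continue
    }
    if ($PSCmdlet.ShouldProcess("$($m.objectClass) $($m.SamAccountName)",
                                'Remove from Enterprise Admins')) {
        Remove-ADGroupMember -Identity $ea -Members $m -Server $rootDomain -Confirm:$false
    }
}

# Verify: the group should now be empty, or contain only the root Administrator.
Get-ADGroupMember -Identity $ea -Server $rootDomain |
    Select-Object SamAccountName, objectClass, SID
```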

Step-by-Step Instructions to Secure Enterprise Admins in Active Directory

  1. In Server Manager, click Tools, and click Group Policy Management.

  2. In the console tree, expand \Domains\, and then Group Policy Objects (where is the name of the forest and is the name of the domain where you want to set the Group Policy).

    Note

    In a forest that contains multiple domains, a similar GPO should be created in each domain that requires that the Enterprise Admins group be secured.

  3. In the console tree, right-click Group Policy Objects, and click New.

  4. In the New GPO dialog box, type , and click OK (where is the name of this GPO).

  5. In the details pane, right-click , and click Edit.

  6. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and click User Rights Assignment.

  7. Configure the user rights to prevent members of the Enterprise Admins group from accessing member servers and workstations over the network by doing the following:

    1. Double-click Deny access to this computer from the network and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Enterprise Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  8. Configure the user rights to prevent members of the Enterprise Admins group from logging on as a batch job by doing the following:

    1. Double-click Deny log on as a batch job and select Define these policy settings.

    2. Click Add User or Group and click Browse.

      Note

      In a forest that contains multiple domains, click Locations and select the root domain of the forest.

    3. Type Enterprise Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  9. Configure the user rights to prevent members of the EA group from logging on as a service by doing the following:

    1. Double-click Deny log on as a service and select Define these policy settings.

    2. Click Add User or Group and then click Browse.

      Note

      In a forest that contains multiple domains, click Locations and select the root domain of the forest.

    3. Type Enterprise Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  10. Configure user rights to prevent members of the Enterprise Admins group from logging on locally to member servers and workstations by doing the following:

    1. Double-click Deny log on locally and select Define these policy settings.

    2. Click Add User or Group and then click Browse.

      Note

      In a forest that contains multiple domains, click Locations and select the root domain of the forest.

    3. Type Enterprise Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  11. Configure the user rights to prevent members of the Enterprise Admins group from accessing member servers and workstations via Remote Desktop Services by doing the following:

    1. Double-click Deny log on through Remote Desktop Services and select Define these policy settings.

    2. Click Add User or Group and then click Browse.

      Note

      In a forest that contains multiple domains, click Locations and select the root domain of the forest.

    3. Type Enterprise Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  12. To exit Group Policy Management Editor, click File, and click Exit.

  13. In Group Policy Management, link the GPO to the member server and workstation OUs by doing the following:

    1. Navigate to \Domains\ (where is the name of the forest and is the name of the domain where you want to set the Group Policy).

    2. Right-click the OU that the GPO will be applied to and click Link an existing GPO.

    3. Select the GPO that you just created and click OK.

    4. Create links to all other OUs that contain workstations.

    5. Create links to all other OUs that contain member servers.

    6. In a forest that contains multiple domains, a similar GPO should be created in each domain that requires that the Enterprise Admins group be secured.

Important

If jump servers are used to administer domain controllers and Active Directory, ensure that the jump servers are located in an OU to which these GPOs are not linked.

Verification Steps

Verify "Deny access to this computer from the network" GPO Settings

From any member server or workstation that is not affected by the GPO changes (such as a "jump server"), attempt to access a member server or workstation over the network that is affected by the GPO changes. To verify the GPO settings, attempt to map the system drive by using the NET USE command by performing the following steps:

  1. Log on locally using an account that is a member of the EA group.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type command prompt, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.

  4. When prompted to approve the elevation, click Yes.

  5. In the Command Prompt window, type net use \\<Server Name>\c$, where <Server Name> is the name of the member server or workstation you're attempting to access over the network.

  6. The following screen shot shows the error message that should appear.

Verify "Deny log on as a batch job" GPO Settings

From any member server or workstation affected by the GPO changes, log on locally.

Create a Batch File
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type notepad, and click Notepad.

  3. In Notepad, type dir c:.

  4. Click File, and click Save As.

  5. In the File name box, type .bat (where is the name of the new batch file).

Schedule a Task
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type task scheduler, and click Task Scheduler.

    Note

    On computers running Windows 8, in the Search box, type schedule tasks, and click Schedule tasks.

  3. Click Action, and click Create Task.

  4. In the Create Task dialog box, type (where is the name of the new task).

  5. Click the Actions tab, and click New.

  6. In the Action field, select Start a program.

  7. Under Program/script, click Browse, locate and select the batch file created in the Create a Batch File section, and click Open.

  8. Click OK.

  9. Click the General tab.

  10. In the Security options field, click Change User or Group.

  11. Type the name of an account that is a member of the EA group, click Check Names, and click OK.

  12. Select Run whether the user is logged on or not and select Do not store password. The task will only have access to local computer resources.

  13. Click OK.

  14. A dialog box should appear, requesting user account credentials to run the task.

  15. After entering the credentials, click OK.

  16. A dialog box similar to the following should appear.

Verify "Deny log on as a service" GPO Settings

  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. Under Log on as, select This account.

  7. Click Browse, type the name of an account that is a member of the EA group, click Check Names, and click OK.

  8. Under Password: and Confirm password, type the selected account's password, and click OK.

  9. Click OK three more times.

  10. Right-click the Print Spooler service and select Restart.

  11. When the service is restarted, a dialog box similar to the following should appear.

Revert Changes to the Print Spooler Service

  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. Under Log on as, select the Local System account, and click OK.

Verify "Deny log on locally" GPO Settings

  1. From any member server or workstation affected by the GPO changes, attempt to log on locally using an account that is a member of the EA group. A dialog box similar to the following should appear.

Verify "Deny log on through Remote Desktop Services" GPO Settings

  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type remote desktop connection, and then click Remote Desktop Connection.

  3. In the Computer field, type the name of the computer that you want to connect to, and then click Connect. (You can also type the IP address instead of the computer name.)

  4. When prompted, provide credentials for an account that is a member of the EA group.

  5. A dialog box similar to the following should appear.
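The five manual verification checks above each exercise one logon type. As an added example that is not part of the Microsoft page, the following PowerShell script checks the resulting local policy on an affected member server or workstation directly: it exports the effective user rights with secedit and confirms that every Deny right lists the forest's Enterprise Admins SID (RID 519 in the root domain). It assumes it is run elevated on a domain-joined machine; the root domain SID is read through ADSI, so RSAT is not required.

```powershell
# Added example, not from the Microsoft page: run elevated on a member server
# or workstation that should receive the GPO, and check that all five "Deny"
# user rights now include the forest's Enterprise Admins group (RID 519 in
# the forest root domain). No RSAT required; the root domain SID comes from ADSI.
$rootNc   = [string]([ADSI]'LDAP://RootDSE').rootDomainNamingContext
$sidBytes = ([ADSI]"LDAP://$rootNc").objectSid[0]
$eaSid    = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value + '-519'

# Privilege constant -> display name used in the Group Policy editor
$expected = @{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

gpupdate /target:computer /force | Out-Null          # make sure the GPO has applied
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# [Privilege Rights] lines look like:  SeDenyNetworkLogonRight = *S-1-5-21-...-519,*S-1-5-32-546
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf -Force

# One row per right; EnterpriseAdminsDenied must be True on every row
foreach ($priv in $expected.Keys) {
    [pscustomobject]@{
        Right                  = $expected[$priv]
        Privilege              = $priv
        EnterpriseAdminsDenied = ($assigned[$priv] -contains $eaSid)
    }
}
```

A False row means either the GPO is not linked to the OU that holds this computer or another GPO with a conflicting setting wins precedence; run gpresult /h on the machine to see which one applied.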