Appendix F: Securing Domain Admins Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012


As is the case with the Enterprise Admins (EA) group, membership in the Domain Admins (DA) group should be required only in build or disaster recovery scenarios. There should be no day-to-day user accounts in the DA group, with the exception of the built-in Administrator account for the domain, if it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains. This default nesting should not be modified, for supportability and disaster recovery purposes. If Domain Admins have been removed from the local Administrators groups on the member servers, the group should be added back to the Administrators group on each member server and workstation in the domain. Each domain's Domain Admins group should be secured as described in the step-by-step instructions that follow.

For the Domain Admins group in each domain in the forest:

  1. Remove all members from the group, with the possible exception of the built-in Administrator account for the domain, provided it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

  2. In GPOs linked to OUs containing member servers and workstations in each domain, the DA group should be added to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

    • Deny access to this computer from the network

    • Deny log on as a batch job

    • Deny log on as a service

    • Deny log on locally

    • Deny log on through Remote Desktop Services

    Deny rights always win over Allow rights, so members of Domain Admins keep their local Administrators membership on these hosts but can no longer use it to log on to them.

  3. Auditing should be configured to send alerts if any modifications are made to the properties or membership of the Domain Admins group.
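The following PowerShell is an added example, not code from the original page, showing what the alerting in step 3 can be built on: the Security log events that domain controllers write for security-enabled global group changes (4728 member added, 4729 member removed, 4737 group changed), matched on the group's RID 512 rather than its name so a renamed Domain Admins group is still caught. The domain controller name, domain SID and the embedded sample event are constructed for illustration; the "Audit Security Group Management" subcategory must be enabled on the DCs for these events to exist.

```powershell
# Added example (not part of the original page): detect changes to Domain Admins
# membership from a domain controller's Security log. Requires the
# "Audit Security Group Management" subcategory enabled on DCs, for example:
#   auditpol /set /subcategory:"Security Group Management" /success:enable
# Event IDs: 4728 = member added, 4729 = member removed (security-enabled global
# group), 4737 = group object changed.

function ConvertFrom-GroupChangeEvent {
    # Turn a Security event's XML into a flat object. Fields are looked up by the
    # Data element's Name attribute, so the result does not depend on the
    # positional order of $event.Properties.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    [pscustomobject]@{
        EventId   = [int]$x.Event.System.EventID
        Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer  = $x.Event.System.Computer
        Group     = $data['TargetUserName']
        GroupSid  = $data['TargetSid']
        Member    = $data['MemberName']      # not present on 4737
        MemberSid = $data['MemberSid']
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

function Get-DomainAdminsGroupChanges {
    # Pull recent group-management events from a DC and keep only those whose
    # target group has RID 512 (Domain Admins), whatever the group is called.
    param([Parameter(Mandatory)][string]$DomainController,
          [timespan]$Lookback = [timespan]::FromHours(1))
    $filter = @{ LogName = 'Security'; Id = 4728, 4729, 4737; StartTime = (Get-Date) - $Lookback }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GroupChangeEvent -EventXml $_.ToXml() } |
        Where-Object { $_.GroupSid -like 'S-1-5-21-*-512' }
}

# Constructed sample event (assumed domain SID and host): the built-in
# Administrator adds a user to Domain Admins on DC01.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2024-05-01T09:15:00.000Z" />
    <Computer>DC01.corp.example.com</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@

$change = ConvertFrom-GroupChangeEvent -EventXml $sampleEvent
if ($change.GroupSid -like 'S-1-5-21-*-512') {
    $verb = if ($change.EventId -eq 4729) { 'removed' } else { 'added or changed' }
    # Replace Write-Warning with your real alert path (SIEM forwarder, mail, webhook).
    Write-Warning ("Domain Admins change on {0}: {1} {2} {3}" -f `
        $change.Computer, $change.Actor, $verb, $change.Member)
}

# Live use against a DC (assumed name): run this on a schedule from a monitoring host.
# Get-DomainAdminsGroupChanges -DomainController 'DC01.corp.example.com' -Lookback ([timespan]::FromMinutes(15))
```

Run the collector on every domain controller (or from a host that reads all of them): group membership changes are written only to the Security log of the DC that processed the write, so a single DC's log misses changes made elsewhere.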

Step-by-Step Instructions for Removing All Members from the Domain Admins Group

  1. In Server Manager, click Tools, and click Active Directory Users and Computers.

  2. To remove all members from the DA group, perform the following steps:

    1. Double-click the Domain Admins group and click the Members tab.

    2. Select a member of the group, click Remove, click Yes, and click OK.

  3. Repeat step 2 until all members of the DA group have been removed.
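The same cleanup from PowerShell, as an added example that is not part of the original page: it finds Domain Admins by its well-known RID 512, keeps only the domain's built-in Administrator (RID 500), and removes everything else. It also reports accounts whose primary group is Domain Admins, because those are members that do not appear in the group's member attribute and cannot be removed with Remove-ADGroupMember until their primary group is changed. Requires the ActiveDirectory module (RSAT) and rights to modify the group; the domain name in the usage line is an assumption.

```powershell
# Added example (not part of the original page): empty the Domain Admins group
# except for the domain's built-in Administrator account. Run with -WhatIf first.
Import-Module ActiveDirectory

function Get-DomainAdminsGroup {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    # Look the group up by SID (domain SID + RID 512) so a renamed group is still found.
    Get-ADGroup -Identity "$($d.DomainSID.Value)-512" -Server $d.PDCEmulator
}

function Get-DomainAdminsPrimaryGroupMembers {
    # Accounts with primaryGroupID = 512 are members of Domain Admins without being
    # listed in its member attribute (a known persistence trick). They must be moved
    # to another primary group (usually Domain Users, RID 513) before removal.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    Get-ADObject -LDAPFilter '(primaryGroupID=512)' -Server $d.PDCEmulator `
        -Properties sAMAccountName, objectClass
}

function Remove-DomainAdminsMembers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $d = Get-ADDomain -Identity $Domain
    $da = Get-DomainAdminsGroup -Domain $Domain
    $builtinAdminSid = "$($d.DomainSID.Value)-500"

    foreach ($hidden in (Get-DomainAdminsPrimaryGroupMembers -Domain $Domain)) {
        Write-Warning "$($hidden.sAMAccountName) has Domain Admins as primary group; change primaryGroupID before removal"
    }

    # Direct members only: a nested group is removed as a unit, which is what we want.
    $members = Get-ADGroupMember -Identity $da -Server $d.PDCEmulator
    foreach ($m in $members) {
        if ($m.SID.Value -eq $builtinAdminSid) {
            Write-Verbose "Keeping built-in Administrator $($m.SamAccountName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($m.objectClass) $($m.SamAccountName)", "Remove from $($da.Name)")) {
            Remove-ADGroupMember -Identity $da -Members $m -Server $d.PDCEmulator -Confirm:$false
        }
    }
}

# Usage (assumed domain name): preview first, then run for real.
# Remove-DomainAdminsMembers -Domain 'corp.example.com' -WhatIf
# Remove-DomainAdminsMembers -Domain 'corp.example.com' -Verbose
```

All writes are directed at the PDC emulator so the group's state is read and changed on one domain controller rather than racing replication between two.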

Step-by-Step Instructions to Secure Domain Admins in Active Directory

  1. In Server Manager, click Tools, and click Group Policy Management.

  2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects (where <Forest> is the name of the forest and <Domain> is the name of the domain where you want to set the Group Policy).

  3. In the console tree, right-click Group Policy Objects, and click New.

  4. In the New GPO dialog box, type <GPO Name>, and click OK (where <GPO Name> is the name of this GPO).

  5. In the details pane, right-click <GPO Name>, and click Edit.

  6. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and click User Rights Assignment.

  7. Configure the user rights to prevent members of the Domain Admins group from accessing member servers and workstations over the network by doing the following:

    1. Double-click Deny access to this computer from the network and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Domain Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  8. Configure the user rights to prevent members of the DA group from logging on as a batch job by doing the following:

    1. Double-click Deny log on as a batch job and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Domain Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  9. Configure the user rights to prevent members of the DA group from logging on as a service by doing the following:

    1. Double-click Deny log on as a service and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Domain Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  10. Configure the user rights to prevent members of the Domain Admins group from logging on locally to member servers and workstations by doing the following:

    1. Double-click Deny log on locally and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Domain Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  11. Configure the user rights to prevent members of the Domain Admins group from accessing member servers and workstations via Remote Desktop Services by doing the following:

    1. Double-click Deny log on through Remote Desktop Services and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Domain Admins, click Check Names, and click OK.

    4. Click OK, and OK again.

  12. To exit Group Policy Management Editor, click File, and click Exit.

  13. In Group Policy Management, link the GPO to the member server and workstation OUs by doing the following:

    1. Navigate to <Forest>\Domains\<Domain> (where <Forest> is the name of the forest and <Domain> is the name of the domain where you want to set the Group Policy).

    2. Right-click the OU that the GPO will be applied to and click Link an Existing GPO.

    3. Select the GPO that you just created and click OK.

    4. Create links to all other OUs that contain workstations.

    5. Create links to all other OUs that contain member servers.

      Important

      If jump servers are used to administer domain controllers and Active Directory, ensure that the jump servers are located in an OU to which this GPO is not linked. For the same reason, never link this GPO at the domain root or to the Domain Controllers OU: the deny rights would then apply to the domain controllers themselves and lock Domain Admins out of Active Directory.
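Steps 1 through 13 as a script, added here as an example and not code from the original page. It creates the GPO, writes the five deny rights straight into the GPO's security template in SYSVOL (the same GptTmpl.inf the Group Policy Management Editor writes), registers the Security Settings client-side extension on the GPO, bumps the GPO version so clients re-read it, and links the GPO only to the OUs you name, refusing the domain root and the Domain Controllers OU. It assumes the GroupPolicy and ActiveDirectory modules (RSAT), rights to create and link GPOs, and that the GPO is new, so overwriting gPCMachineExtensionNames clobbers nothing; the GPO name, domain and OU names in the usage lines are assumptions.

```powershell
# Added example (not part of the original page): create and link the GPO that denies
# the five logon types to Domain Admins on member servers and workstations.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Security Settings CSE GUID followed by its tool-extension GUID. Without this entry on
# the GPO, clients never process the GptTmpl.inf written below.
$SecurityCse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'

function New-DenyDomainAdminsGpo {
    param(
        [string]$Name   = 'Deny Domain Admins logon - member servers and workstations',
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $d     = Get-ADDomain -Identity $Domain
    $daSid = "$($d.DomainSID.Value)-512"   # Domain Admins has RID 512 in every domain

    $gpo     = New-GPO -Name $Name -Domain $Domain -Server $d.PDCEmulator
    $gpoDir  = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id.ToString().ToUpper())}"
    $secEdit = Join-Path $gpoDir 'Machine\Microsoft\Windows NT\SecEdit'
    New-Item -ItemType Directory -Path $secEdit -Force | Out-Null

    # The five user rights from steps 7-11, in secedit template syntax (SIDs prefixed with *).
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *$daSid
SeDenyBatchLogonRight = *$daSid
SeDenyServiceLogonRight = *$daSid
SeDenyInteractiveLogonRight = *$daSid
SeDenyRemoteInteractiveLogonRight = *$daSid
"@
    $inf | Out-File -FilePath (Join-Path $secEdit 'GptTmpl.inf') -Encoding Unicode

    # Register the CSE on the GPO and raise the machine version (low 16 bits of
    # versionNumber); gpt.ini must carry the same number or GPMC reports a mismatch.
    $gpc        = Get-ADObject -Identity $gpo.Path -Properties versionNumber -Server $d.PDCEmulator
    $newVersion = [int]$gpc.versionNumber + 1
    Set-ADObject -Identity $gpo.Path -Server $d.PDCEmulator -Replace @{
        gPCMachineExtensionNames = $SecurityCse
        versionNumber            = $newVersion
    }
    "[General]`r`nVersion=$newVersion" | Out-File (Join-Path $gpoDir 'gpt.ini') -Encoding ascii
    return $gpo
}

function Add-DenyDomainAdminsGpoLink {
    param(
        [Parameter(Mandatory)]$Gpo,                      # object returned by New-DenyDomainAdminsGpo
        [Parameter(Mandatory)][string[]]$TargetOu,       # OUs holding member servers and workstations
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $d = Get-ADDomain -Identity $Domain
    foreach ($ou in $TargetOu) {
        # Linking at the domain root or the Domain Controllers OU would apply the deny
        # rights to the DCs and lock Domain Admins out of AD; refuse outright.
        if ($ou -in @($d.DistinguishedName, $d.DomainControllersContainer)) {
            throw "Refusing to link '$($Gpo.DisplayName)' to $ou"
        }
        New-GPLink -Guid $Gpo.Id -Target $ou -LinkEnabled Yes -Domain $Domain -Server $d.PDCEmulator | Out-Null
    }
}

# Usage (assumed names). Keep the jump-server OU out of -TargetOu.
# $gpo = New-DenyDomainAdminsGpo -Domain 'corp.example.com'
# Add-DenyDomainAdminsGpoLink -Gpo $gpo -Domain 'corp.example.com' -TargetOu @(
#     'OU=Member Servers,DC=corp,DC=example,DC=com',
#     'OU=Workstations,DC=corp,DC=example,DC=com')
```

Open the GPO in Group Policy Management afterwards and confirm the five rights show under User Rights Assignment; if you later edit the GPO in the editor it takes over version management from here on.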

Verification Steps

Verify "Deny access to this computer from the network" GPO Settings

From any member server or workstation that is not affected by the GPO changes (such as a "jump server"), attempt to access a member server or workstation over the network that is affected by the GPO changes. To verify the GPO settings, attempt to map the system drive by using the NET USE command.

  1. Log on locally using an account that is a member of the Domain Admins group.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type command prompt, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.

  4. When prompted to approve the elevation, click Yes.

  5. In the Command Prompt window, type net use \\<Server Name>\c$, where <Server Name> is the name of the member server or workstation you're attempting to access over the network.

  6. The following screen shot shows the error message that should appear. The command fails with system error 1385, "Logon failure: the user has not been granted the requested logon type at this computer", which is the error the denied network logon right produces; an "Access is denied" error instead would mean the connection was authenticated and the GPO has not applied.

Verify "Deny log on as a batch job" GPO Settings

From any member server or workstation affected by the GPO changes, log on locally.

Create a Batch File
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type notepad, and click Notepad.

  3. In Notepad, type dir c:.

  4. Click File, and click Save As.

  5. In the File name field, type <Filename>.bat (where <Filename> is the name of the new batch file).

Schedule a Task
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type task scheduler, and click Task Scheduler.

    Note

    On computers running Windows 8, in the Search box, type schedule tasks, and click Schedule tasks.

  3. In the Task Scheduler menu bar, click Action, and click Create Task.

  4. In the Create Task dialog box, type <Task Name> (where <Task Name> is the name of the new task).

  5. Click the Actions tab, and click New.

  6. In the Action field, select Start a program.

  7. Under Program/script, click Browse, locate and select the batch file created in the Create a Batch File section, and click Open.

  8. Click OK.

  9. Click the General tab.

  10. Under Security options, click Change User or Group.

  11. Type the name of an account that is a member of the Domain Admins group, click Check Names, and click OK.

  12. Select Run whether the user is logged on or not and select Do not store password. The task will only have access to local computer resources.

  13. Click OK.

  14. A dialog box should appear, requesting user account credentials to run the task.

  15. After entering the credentials, click OK.

  16. A dialog box similar to the following should appear, reporting that the task could not be registered because the account is denied the batch logon right.

Verify "Deny log on as a service" GPO Settings
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. Under Log on as, select the This account option.

  7. Click Browse, type the name of an account that is a member of the Domain Admins group, click Check Names, and click OK.

  8. Under Password and Confirm password, type the selected account's password, and click OK.

  9. Click OK three more times.

  10. Right-click Print Spooler and click Restart.

  11. When the service is restarted, a dialog box similar to the following should appear, reporting that the service could not start because the account is denied the service logon right.

Revert Changes to the Print Spooler Service
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. Under Log on as, select Local System account, and click OK.

  7. Right-click Print Spooler and click Start, because the service stayed stopped after the failed restart in the previous test.

Verify "Deny log on locally" GPO Settings
  1. From any member server or workstation affected by the GPO changes, attempt to log on locally using an account that is a member of the Domain Admins group. A dialog box similar to the following should appear, stating that the sign-in method is not allowed on this computer.

Verify "Deny log on through Remote Desktop Services" GPO Settings
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type remote desktop connection, and click Remote Desktop Connection.

  3. In the Computer field, type the name of the computer that you want to connect to, and click Connect. (You can also type the IP address instead of the computer name.)

  4. When prompted, provide credentials for an account that is a member of the Domain Admins group.

  5. A dialog box similar to the following should appear, refusing the connection for that account.
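The five manual tests above each exercise one logon type. As an added example (not part of the original page), the following PowerShell checks all five at once from the affected host itself: it exports the effective user rights with secedit.exe, parses the [Privilege Rights] section, and reports whether the Domain Admins SID is present in each deny right. It also runs the parser over a constructed template so the logic can be exercised offline; the domain SID in that sample is an assumption. Run it in an elevated PowerShell on a member server or workstation after gpupdate /force.

```powershell
# Added example (not part of the original page): confirm the deny rights from the GPO
# reached the local security policy of this member server or workstation.

$DenyRights = @(
    'SeDenyNetworkLogonRight',           # Deny access to this computer from the network
    'SeDenyBatchLogonRight',             # Deny log on as a batch job
    'SeDenyServiceLogonRight',           # Deny log on as a service
    'SeDenyInteractiveLogonRight',       # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)

function ConvertFrom-PrivilegeRightsInf {
    # Parse the [Privilege Rights] section of a secedit template into a hashtable
    # of right name -> array of SIDs. secedit writes SIDs as *S-1-..., comma separated.
    param([Parameter(Mandatory)][string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $sids = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        $rights[$name] = @($sids)
    }
    return $rights
}

function Get-LocalPrivilegeRights {
    # Export only the user-rights area of the effective local security policy.
    $tmp = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit.exe failed with exit code $LASTEXITCODE" }
        ConvertFrom-PrivilegeRightsInf -Lines (Get-Content -Path $tmp)
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

function Test-DomainAdminsDenied {
    # One row per deny right: Denied = $true when the Domain Admins SID is listed.
    param(
        [hashtable]$Rights = (Get-LocalPrivilegeRights),
        [string]$DomainAdminsSid
    )
    if (-not $DomainAdminsSid) {
        # Resolve "<domain>\Domain Admins" to its SID via the machine's domain membership.
        $nt = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")
        $DomainAdminsSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    foreach ($r in $DenyRights) {
        [pscustomobject]@{
            Right  = $r
            Denied = [bool]($Rights[$r] -contains $DomainAdminsSid)
            Sids   = ($Rights[$r] -join ',')
        }
    }
}

# Offline check of the parser on a constructed template (assumed domain SID): only the
# network deny right carries Domain Admins here, so the other four rows report Denied=False.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
'@ -split "`r?`n"
$sampleSid = 'S-1-5-21-1111111111-2222222222-3333333333-512'
Test-DomainAdminsDenied -Rights (ConvertFrom-PrivilegeRightsInf -Lines $sampleInf) -DomainAdminsSid $sampleSid |
    Format-Table -AutoSize

# Live check on this host: every row must show Denied=True on an affected member
# server or workstation, and Denied=False on a jump server or domain controller.
# Test-DomainAdminsDenied | Format-Table -AutoSize
```

If a right shows Denied=False on a host that should be affected, check the GPO link on the host's OU, run gpresult /scope computer /h report.html, and look for a later-processed GPO that defines the same right, since a user right defined in a higher-precedence GPO replaces rather than merges with the list from this one.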