Appendix G: Securing Administrators Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

As is the case with the Enterprise Admins (EA) and Domain Admins (DA) groups, membership in the built-in Administrators (BA) group should be required only in build or disaster recovery scenarios. There should be no day-to-day user accounts in the Administrators group, with the exception of the built-in Administrator account for the domain, if it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

Administrators are, by default, the owners of most of the AD DS objects in their respective domains. Membership in this group may be required in build or disaster recovery scenarios in which ownership, or the ability to take ownership, of objects is required. Additionally, DAs and EAs inherit a number of their rights and permissions by virtue of their default membership in the Administrators group. Default group nesting for privileged groups in Active Directory should not be modified, and each domain's Administrators group should be secured as described in the step-by-step instructions that follow.

For the Administrators group in each domain in the forest:

  1. Remove all members from the Administrators group, with the possible exception of the built-in Administrator account for the domain, provided it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

  2. In GPOs linked to OUs containing member servers and workstations in each domain, the DA group should be added to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

    • Deny access to this computer from the network

    • Deny log on as a batch job

    • Deny log on as a service

  3. At the domain controllers OU in each domain in the forest, the Administrators group should be granted the following user rights:

    • Access this computer from the network

    • Allow log on locally

    • Allow log on through Remote Desktop Services

  4. Auditing should be configured to send alerts if any modifications are made to the properties or membership of the Administrators group.
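One way to review the changes that step 4 asks you to alert on, as an added example that is not part of this appendix: a PowerShell query over a domain controller's Security log for the group-management events that record changes to the built-in Administrators group. It assumes that Audit Security Group Management auditing is enabled on the domain controllers; the event IDs are the standard ones for security-enabled local groups.

```powershell
# Added example (not from the original appendix). Run on each domain controller, or
# against a collector that forwards their Security logs, because each DC records only
# the changes it processed itself.
# 4732 = member added to a security-enabled local group
# 4733 = member removed from a security-enabled local group
# 4735 = security-enabled local group changed (properties)
$AdminsSid = 'S-1-5-32-544'          # well-known SID of built-in Administrators

$filter = @{
    LogName   = 'Security'
    Id        = 4732, 4733, 4735
    StartTime = (Get-Date).AddDays(-7)   # look-back window; adjust as needed
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's EventData into a name -> value table
        $data = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$item.Name] = $item.'#text'
        }
        # TargetSid is the SID of the group that was modified
        if ($data['TargetSid'] -eq $AdminsSid) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Group   = $data['TargetUserName']
                Member  = $data['MemberName']   # DN of the member; empty for 4735
                Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    } | Format-Table -AutoSize
```

Any row produced outside a planned build or disaster recovery window is the condition the appendix says should raise an alert.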

Step-by-Step Instructions for Removing All Members from the Administrators Group

  1. In Server Manager, click Tools, and click Active Directory Users and Computers.

  2. To remove all members from the Administrators group, perform the following steps:

    1. Double-click the Administrators group and click the Members tab.

    2. Select a member of the group, click Remove, click Yes, and click OK.

  3. Repeat step 2 until all members of the Administrators group have been removed.
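An added example (not from this appendix) to confirm the result of this procedure across the whole forest: a PowerShell report of every member of each domain's Administrators group other than the default nesting, that is the domain's built-in Administrator (RID 500), Domain Admins (RID 512) and the forest's Enterprise Admins (RID 519 in the root domain). It assumes the ActiveDirectory module and read access to group membership in every domain.

```powershell
# Added example (not from the original appendix). Lists unexpected members of the
# built-in Administrators group in every domain of the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$eaSid   = "$rootSid-519"            # Enterprise Admins lives in the forest root

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dSid   = $domain.DomainSID.Value

    # Members the appendix allows or expects through default nesting
    $expected = @("$dSid-500",       # built-in Administrator (if secured per Appendix D)
                  "$dSid-512",       # Domain Admins
                  $eaSid)            # Enterprise Admins

    # S-1-5-32-544 is the well-known SID of built-in Administrators; query the
    # domain's PDC emulator so each domain is read from its own DC
    $members = Get-ADGroupMember -Identity 'S-1-5-32-544' -Server $domain.PDCEmulator

    foreach ($m in $members) {
        if ($expected -notcontains $m.SID.Value) {
            [pscustomobject]@{
                Domain      = $domainName
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                SID         = $m.SID.Value
            }
        }
    }
}
```

An empty result means every domain's Administrators group contains only the built-in Administrator and the default DA/EA nesting; any other row is an account or group to remove.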

Step-by-Step Instructions to Secure Administrators Groups in Active Directory

  1. In Server Manager, click Tools, and click Group Policy Management.

  2. In the console tree, expand \Domains\, and then Group Policy Objects (where is the name of the forest and is the name of the domain where you want to set the Group Policy).

  3. In the console tree, right-click Group Policy Objects, and click New.

  4. In the New GPO dialog box, type , and click OK (where GPO Name is the name of this GPO).

  5. In the details pane, right-click , and click Edit.

  6. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and click User Rights Assignment.

  7. Configure the user rights to prevent members of the Administrators group from accessing member servers and workstations over the network by doing the following:

    1. Double-click Deny access to this computer from the network and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrators, click Check Names, and click OK.

    4. Click OK, and OK again.

  8. Configure the user rights to prevent members of the Administrators group from logging on as a batch job by doing the following:

    1. Double-click Deny log on as a batch job and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrators, click Check Names, and click OK.

    4. Click OK, and OK again.

  9. Configure the user rights to prevent members of the Administrators group from logging on as a service by doing the following:

    1. Double-click Deny log on as a service and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrators, click Check Names, and click OK.

    4. Click OK, and OK again.

  10. To exit Group Policy Management Editor, click File, and click Exit.

  11. In Group Policy Management, link the GPO to the member server and workstation OUs by doing the following:

    1. Navigate to \Domains\ (where is the name of the forest and is the name of the domain where you want to set the Group Policy).

    2. Right-click the OU that the GPO will be applied to and click Link an existing GPO.

    3. Select the GPO that you just created and click OK.

    4. Create links to all other OUs that contain workstations.

    5. Create links to all other OUs that contain member servers.

      Important

      If jump servers are used to administer domain controllers and Active Directory, ensure that the jump servers are located in an OU to which this GPO is not linked.

      Note

      When you implement restrictions on the Administrators group in GPOs, Windows applies the settings to members of a computer's local Administrators group in addition to the domain's Administrators group. Therefore, you should use caution when implementing restrictions on the Administrators group. Although prohibiting network, batch, and service logons for members of the Administrators group is advised wherever it is feasible to implement, do not restrict local logons or logons through Remote Desktop Services. Blocking these logon types can block legitimate administration of a computer by members of the local Administrators group.

      The following screen shot shows configuration settings that block misuse of the built-in local and domain Administrator accounts, in addition to misuse of the built-in local or domain Administrators groups. Note that the Deny log on through Remote Desktop Services user right does not include the Administrators group, because including it in this setting would also block these logons for accounts that are members of the local computer's Administrators group. If services on computers are configured to run in the context of any of the privileged groups described in this section, implementing these settings can cause services and applications to fail. Therefore, as with all of the recommendations in this section, you should thoroughly test the settings for applicability in your environment.

      [Screen shot: secure administrators groups]

Step-by-Step Instructions to Grant User Rights to the Administrators Group

  1. In Server Manager, click Tools, and click Group Policy Management.

  2. In the console tree, expand \Domains\, and then Group Policy Objects (where is the name of the forest and is the name of the domain where you want to set the Group Policy).

  3. In the console tree, right-click Group Policy Objects, and click New.

  4. In the New GPO dialog box, type , and click OK (where is the name of this GPO).

  5. In the details pane, right-click , and click Edit.

  6. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and click User Rights Assignment.

  7. Configure the user rights to allow members of the Administrators group to access domain controllers over the network by doing the following:

    1. Double-click Access this computer from the network and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrators, click Check Names, and click OK.

    4. Click OK, and OK again.

  8. Configure the user rights to allow members of the Administrators group to log on locally by doing the following:

    1. Double-click Allow log on locally and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrators, click Check Names, and click OK.

    4. Click OK, and OK again.

  9. Configure the user rights to allow members of the Administrators group to log on through Remote Desktop Services by doing the following:

    1. Double-click Allow log on through Remote Desktop Services and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrators, click Check Names, and click OK.

    4. Click OK, and OK again.

  10. To exit Group Policy Management Editor, click File, and click Exit.

  11. In Group Policy Management, link the GPO to the domain controllers OU by doing the following:

    1. Navigate to \Domains\ (where is the name of the forest and is the name of the domain where you want to set the Group Policy).

    2. Right-click the domain controllers OU and click Link an existing GPO.

    3. Select the GPO that you just created and click OK.
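An added example (not from this appendix) that checks the effective User Rights Assignment on a computer once the two GPOs above have applied, by parsing secedit's export of the local security policy. On a member server or workstation it expects Administrators in the three deny rights and absent from the local and Remote Desktop deny rights, as the note above requires; on a domain controller it expects Administrators in the three allow rights. The temporary file path and the expectation table are my own.

```powershell
# Added example (not from the original appendix). Run in an elevated PowerShell on
# the computer being verified. secedit writes an .inf whose [Privilege Rights]
# section lists each right with its assigned SIDs, e.g.
#   SeDenyNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-...-512
$AdminsSid = '*S-1-5-32-544'                 # built-in Administrators, as secedit writes it
$inf = Join-Path $env:TEMP 'ura-check.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse [Privilege Rights] into right-name -> list of SIDs
$rights = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# DomainRole 4 or 5 = backup or primary domain controller
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# $true = Administrators must be assigned the right, $false = must not be
$checks = if ($isDC) {
    @{ SeNetworkLogonRight           = $true    # Access this computer from the network
       SeInteractiveLogonRight       = $true    # Allow log on locally
       SeRemoteInteractiveLogonRight = $true }  # Allow log on through Remote Desktop Services
} else {
    @{ SeDenyNetworkLogonRight           = $true    # Deny access to this computer from the network
       SeDenyBatchLogonRight             = $true    # Deny log on as a batch job
       SeDenyServiceLogonRight           = $true    # Deny log on as a service
       SeDenyInteractiveLogonRight       = $false   # must NOT block local logon
       SeDenyRemoteInteractiveLogonRight = $false } # must NOT block Remote Desktop logon
}

foreach ($right in $checks.Keys) {
    # A right with no assignments is absent from the export entirely
    $present = $rights.ContainsKey($right) -and ($rights[$right] -contains $AdminsSid)
    [pscustomobject]@{
        Right    = $right
        Expected = if ($checks[$right]) { 'Administrators present' } else { 'Administrators absent' }
        Result   = if ($present -eq $checks[$right]) { 'OK' } else { 'MISMATCH' }
    }
}
```

A MISMATCH on a deny right usually means the GPO is not linked to the computer's OU or has not yet refreshed; a MISMATCH on the interactive or Remote Desktop deny rights means a restriction the note warns against has been applied.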

Verification Steps

Verify "Deny access to this computer from the network" GPO Settings

From any member server or workstation that is not affected by the GPO changes (such as a "jump server"), attempt to access, over the network, a member server or workstation that is affected by the GPO changes. To verify the GPO settings, attempt to map the system drive by using the NET USE command.

  1. Log on locally using an account that is a member of the Administrators group.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type command prompt, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.

  4. When prompted to approve the elevation, click Yes.

  5. In the Command Prompt window, type net use \\<Server Name>\c$, where <Server Name> is the name of the member server or workstation you're attempting to access over the network.

  6. The following screen shot shows the error message that should appear.

    [Screen shot: secure administrators groups]

Verify "Deny log on as a batch job" GPO Settings

From any member server or workstation affected by the GPO changes, log on locally.

Create a Batch File
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type notepad, and click Notepad.

  3. In Notepad, type dir c:.

  4. Click File, and click Save As.

  5. In the File name field, type .bat (where is the name of the new batch file).

Schedule a Task
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type task scheduler, and click Task Scheduler.

    Note

    On computers running Windows 8, in the Search box, type schedule tasks, and click Schedule tasks.

  3. Click Action, and click Create Task.

  4. In the Create Task dialog box, type (where is the name of the new task).

  5. Click the Actions tab, and click New.

  6. In the Action field, select Start a program.

  7. In the Program/script field, click Browse, locate and select the batch file created in the Create a Batch File section, and click Open.

  8. Click OK.

  9. Click the General tab.

  10. In the Security options field, click Change User or Group.

  11. Type the name of an account that is a member of the Administrators group, click Check Names, and click OK.

  12. Select Run whether the user is logged on or not and Do not store password. The task will only have access to local computer resources.

  13. Click OK.

  14. A dialog box should appear, requesting user account credentials to run the task.

  15. After entering the password, click OK.

  16. A dialog box similar to the following should appear.

    [Screen shot: secure administrators groups]

Verify "Deny log on as a service" GPO Settings
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. In the Log on as field, select This account.

  7. Click Browse, type the name of an account that is a member of the Administrators group, click Check Names, and click OK.

  8. In the Password and Confirm password fields, type the selected account's password, and click OK.

  9. Click OK three more times.

  10. Right-click Print Spooler and click Restart.

  11. When the service is restarted, a dialog box similar to the following should appear.

    [Screen shot: secure administrators groups]

Revert Changes to the Print Spooler Service
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. In the Log on as field, click Local System account, and click OK.