Appendix H: Securing Local Administrator Accounts and Groups

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

On all versions of Windows currently in mainstream support, the local Administrator account is disabled by default, which makes the account unusable for pass-the-hash and other credential theft attacks. However, in environments that contain legacy operating systems or in which local Administrator accounts have been enabled, these accounts can be used as previously described to propagate compromise across member servers and workstations. Each local Administrator account and group should be secured as described in the step-by-step instructions that follow.

For detailed information about considerations in securing Built-in Administrator (BA) groups, see Implementing Least-Privilege Administrative Models.

Controls for Local Administrator Accounts

For the local Administrator account in each domain in your forest, you should configure the following settings:

  • Configure GPOs to restrict the domain's Administrator account's use on domain-joined systems

    • In one or more GPOs that you create and link to workstation and member server OUs in each domain, add the Administrator account to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

      • Deny access to this computer from the network

      • Deny log on as a batch job

      • Deny log on as a service

      • Deny log on through Remote Desktop Services

Step-by-Step Instructions to Secure Local Administrators Groups

Configuring GPOs to Restrict Administrator Account on Domain-Joined Systems
  1. In Server Manager, click Tools, and click Group Policy Management.

  2. In the console tree, expand <forest>\Domains\<domain>, and then Group Policy Objects (where <forest> is the name of the forest and <domain> is the name of the domain where you want to set the Group Policy).

  3. In the console tree, right-click Group Policy Objects, and click New.

  4. In the New GPO dialog box, type <GPO name>, and click OK (where <GPO name> is the name of this GPO).

  5. In the details pane, right-click <GPO name>, and click Edit.

  6. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and click User Rights Assignment.

  7. Configure the user rights to prevent the local Administrator account from accessing member servers and workstations over the network by doing the following:

    1. Double-click Deny access to this computer from the network and select Define these policy settings.

    2. Click Add User or Group, type the user name of the local Administrator account, and click OK. This user name will be Administrator, the default when Windows is installed.

    3. Click OK.

      Important

      When you add the Administrator account to these settings, you specify whether you are configuring a local Administrator account or a domain Administrator account by how you label the accounts. For example, to add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator. If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied, as described earlier.

  8. Configure the user rights to prevent the local Administrator account from logging on as a batch job by doing the following:

    1. Double-click Deny log on as a batch job and select Define these policy settings.

    2. Click Add User or Group, type the user name of the local Administrator account, and click OK. This user name will be Administrator, the default when Windows is installed.

    3. Click OK.

      Important

      When you add the Administrator account to these settings, you specify whether you are configuring a local Administrator account or a domain Administrator account by how you label the accounts. For example, to add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator. If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied, as described earlier.

  9. Configure the user rights to prevent the local Administrator account from logging on as a service by doing the following:

    1. Double-click Deny log on as a service and select Define these policy settings.

    2. Click Add User or Group, type the user name of the local Administrator account, and click OK. This user name will be Administrator, the default when Windows is installed.

    3. Click OK.

      Important

      When you add the Administrator account to these settings, you specify whether you are configuring a local Administrator account or a domain Administrator account by how you label the accounts. For example, to add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator. If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied, as described earlier.

  10. Configure the user rights to prevent the local Administrator account from accessing member servers and workstations via Remote Desktop Services by doing the following:

    1. Double-click Deny log on through Remote Desktop Services and select Define these policy settings.

    2. Click Add User or Group, type the user name of the local Administrator account, and click OK. This user name will be Administrator, the default when Windows is installed.

    3. Click OK.

      Important

      When you add the Administrator account to these settings, you specify whether you are configuring a local Administrator account or a domain Administrator account by how you label the accounts. For example, to add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator. If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied, as described earlier.

  11. To exit Group Policy Management Editor, click File, and click Exit.

  12. In Group Policy Management, link the GPO to the member server and workstation OUs by doing the following:

    1. Navigate to <forest>\Domains\<domain> (where <forest> is the name of the forest and <domain> is the name of the domain where you want to set the Group Policy).

    2. Right-click the OU that the GPO will be applied to and click Link an existing GPO.

    3. Select the GPO that you created and click OK.

    4. Create links to all other OUs that contain workstations.

    5. Create links to all other OUs that contain member servers.
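Once the GPO has been linked and applied, the following PowerShell script (an added example, not part of the original appendix) audits a domain-joined host's effective local policy and reports whether the built-in local Administrator account appears in each of the four deny rights configured above. It identifies the account by its well-known RID 500 so a renamed account is still matched; secedit, Get-LocalUser and the temporary export path are the assumed tools, and the session must be elevated.

```powershell
# Added example (not part of the original appendix): audit whether the built-in
# local Administrator account is covered by the four deny rights this appendix
# configures, using the effective policy exported by secedit. Run elevated.

$denyRights = @(
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyServiceLogonRight',            # Deny log on as a service
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
)

# The built-in Administrator always has RID 500, even when it has been renamed.
$localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $localAdmin) { throw 'Could not find the built-in local Administrator account (RID 500).' }

# Export only the user rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

$results = foreach ($right in $denyRights) {
    # secedit writes resolved accounts as *<SID> and unresolved ones by name,
    # so accept either the RID-500 SID or the literal account name.
    $line = $policy | Where-Object { $_ -match "^$right\s*=" }
    $entries = if ($line) {
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    } else { @() }
    $covered = ($entries -contains $localAdmin.SID.Value) -or ($entries -contains $localAdmin.Name)
    [pscustomobject]@{ Right = $right; Covered = $covered; Entries = ($entries -join ', ') }
}

$results | Format-Table -AutoSize
if ($results.Covered -contains $false) {
    Write-Warning "$($localAdmin.Name) is missing from at least one deny right on this host."
}
```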

Verification Steps

Verify "Deny access to this computer from the network" GPO Settings

From any member server or workstation that is not affected by the GPO changes (such as a jump server), attempt to access a member server or workstation over the network that is affected by the GPO changes. To verify the GPO settings, attempt to map the system drive by using the NET USE command.

  1. Log on locally to any member server or workstation that is not affected by the GPO changes.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type command prompt, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.

  4. When prompted to approve the elevation, click Yes.

  5. In the Command Prompt window, type net use \\<Server Name>\c$ /user:<Server Name>\Administrator, where <Server Name> is the name of the member server or workstation you're attempting to access over the network.

    Note

    The local Administrator credentials must be from the same system you're attempting to access over the network.

  6. The following screenshot shows the error message that should appear.

Verify "Deny log on as a batch job" GPO Settings

From any member server or workstation affected by the GPO changes, log on locally.

Create a Batch File
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type notepad, and click Notepad.

  3. In Notepad, type dir c:.

  4. Click File, and click Save As.

  5. In the File name box, type <Filename>.bat (where <Filename> is the name of the new batch file).

Schedule a Task
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type task scheduler, and click Task Scheduler.

    Note

    On computers running Windows 8, in the Search box, type schedule tasks, and click Schedule tasks.

  3. Click Action, and click Create Task.

  4. In the Create Task dialog box, type <Task Name> (where <Task Name> is the name of the new task).

  5. Click the Actions tab, and click New.

  6. In the Action field, click Start a program.

  7. In the Program/script field, click Browse, locate and select the batch file created in the Create a Batch File section, and click Open.

  8. Click OK.

  9. Click the General tab.

  10. In the Security options field, click Change User or Group.

  11. Type the name of the system's local Administrator account, click Check Names, and click OK.

  12. Select Run whether the user is logged on or not and Do not store password. The task will only have access to local computer resources.

  13. Click OK.

  14. A dialog box should appear, requesting user account credentials to run the task.

  15. After entering the credentials, click OK.

  16. A dialog box similar to the following should appear.

Verify "Deny log on as a service" GPO Settings
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. In the Log on as field, click This account.

  7. Click Browse, type the system's local Administrator account, click Check Names, and click OK.

  8. In the Password and Confirm password fields, type the selected account's password, and click OK.

  9. Click OK three more times.

  10. Right-click Print Spooler and click Restart.

  11. When the service is restarted, a dialog box similar to the following should appear.

Revert Changes to the Printer Spooler Service
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. In the Log on as: field, select Local System account, and click OK.

Verify "Deny log on through Remote Desktop Services" GPO Settings
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type remote desktop connection, and click Remote Desktop Connection.

  3. In the Computer field, type the name of the computer that you want to connect to, and click Connect. (You can also type the IP address instead of the computer name.)

  4. When prompted, provide credentials for the system's local Administrator account.

  5. A dialog box similar to the following should appear.
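Each of the four verification tests above should fail on the target because the logon type was denied by policy, not because of a wrong password. The following PowerShell script (an added example, not part of the original appendix) confirms this on the affected member server or workstation by reading Security event 4625 entries whose SubStatus is 0xC000015B (STATUS_LOGON_TYPE_NOT_GRANTED) and mapping the logon type back to the deny right that produced it. It assumes an elevated session on the target host and that the tests were run within the last hour.

```powershell
# Added example (not part of the original appendix): show which of the four
# deny rights were enforced during the verification tests, using Security
# event 4625. SubStatus 0xC000015B = STATUS_LOGON_TYPE_NOT_GRANTED, i.e. the
# credentials were valid but the logon type is denied on this machine.
# Run elevated on the affected member server or workstation.

$logonTypeNames = @{
    '3'  = 'Network (Deny access to this computer from the network)'
    '4'  = 'Batch (Deny log on as a batch job)'
    '5'  = 'Service (Deny log on as a service)'
    '10' = 'RemoteInteractive (Deny log on through Remote Desktop Services)'
}

$since  = (Get-Date).AddHours(-1)   # assumed window; widen if the tests ran earlier
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$denied = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    # Flatten the EventData elements into a name -> value table.
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # -eq is case-insensitive, so the lowercase hex in the event XML matches.
    if ($d['SubStatus'] -eq '0xC000015B') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $logonTypeNames[$d['LogonType']]
            Source    = $d['IpAddress']
            Process   = $d['ProcessName']
        }
    }
}

# Note: with Network Level Authentication enabled, a refused RDP attempt is
# typically recorded as a type 3 (network) denial, because CredSSP performs a
# network logon before the interactive session is created.
if (-not $denied) {
    Write-Host 'No logon-type denials found in the window; rerun the tests or widen $since.'
} else {
    $denied | Sort-Object Time | Format-Table -AutoSize
}
```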