Avenues to Compromise

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Law Number Seven: The most secure network is a well-administered one. - 10 Immutable Laws of Security Administration

In organizations that have experienced catastrophic compromise events, assessments usually reveal that the organizations have limited visibility into the actual state of their IT infrastructures, which may differ significantly from their "as documented" states. These variances introduce vulnerabilities that expose the environment to compromise, often with little risk of discovery until the compromise has progressed to the point at which the attackers effectively "own" the environment.

Detailed assessments of these organizations' AD DS configuration, public key infrastructures (PKIs), servers, workstations, applications, access control lists (ACLs), and other technologies reveal misconfigurations and vulnerabilities that, if remediated, could have prevented the initial compromise.

Analysis of IT documentation, processes, and procedures identifies vulnerabilities introduced by gaps in administrative practices that were leveraged by attackers to eventually obtain privileges that were used to fully compromise the Active Directory forest. A fully compromised forest is one in which attackers compromise not only individual systems, applications, or user accounts, but escalate their access to obtain a level of privilege in which they can modify or destroy all aspects of the forest. When an Active Directory installation has been compromised to that degree, attackers can make changes that allow them to maintain a presence throughout the environment, or worse, to destroy the directory and the systems and accounts it manages.

Although a number of the commonly exploited vulnerabilities in the descriptions that follow are not attacks against Active Directory, they allow attackers to establish a foothold in an environment that can be used to run privilege escalation (also called privilege elevation) attacks and to eventually target and compromise AD DS.

This section of this document focuses on describing the mechanisms that attackers typically use to gain access to the infrastructure and eventually to launch privilege elevation attacks. Also see the following sections:


Although this document focuses on Active Directory and Windows systems that are part of an AD DS domain, attackers rarely focus solely on Active Directory and Windows. In environments with a mixture of operating systems, directories, applications, and data repositories, it is common to find that non-Windows systems have also been compromised. This is particularly true if the systems provide a "bridge" between Windows and non-Windows environments, such as file servers accessed by Windows and UNIX or Linux clients, directories that provide authentication services to multiple operating systems, or metadirectories that synchronize data across disparate directories.

AD DS is targeted because of the centralized access and configuration management capabilities it provides not only to Windows systems, but to other clients. Any other directory or application that provides authentication and configuration management services can, and will, be targeted by determined attackers. Although this document is focused on protections that can reduce the likelihood of a compromise of Active Directory installations, every organization that includes non-Windows computers, directories, applications, or data repositories should also prepare for attacks against those systems.

Initial Breach Targets

Nobody intentionally builds an IT infrastructure that exposes the organization to compromise. When an Active Directory forest is first constructed, it is usually pristine and current. As years pass and new operating systems and applications are acquired, they're added to the forest. As the manageability benefits that Active Directory provides are recognized, more and more content is added to the directory, more people integrate their computers or applications with AD DS, and domains are upgraded to support new functionality offered by the most current versions of the Windows operating system. What also happens over time, however, is that even as new infrastructure is being added, other parts of the infrastructure might not be maintained as well as they initially were, systems and applications are functioning properly and therefore are not receiving attention, and organizations begin to forget that they have not eliminated their legacy infrastructure. Based on what we see in assessing compromised infrastructures, the older, larger, and more complex the environment, the more likely it is that there are numerous instances of commonly exploited vulnerabilities.

Regardless of the motivation of the attacker, most information security breaches start with the compromise of one or two systems at a time. These initial events, or entry points into the network, often leverage vulnerabilities that could have been fixed, but were not. The 2012 Data Breach Investigations Report (DBIR), which is an annual study produced by the Verizon RISK Team in cooperation with a number of national security agencies and other companies, states that 96 percent of attacks were "not highly difficult," and that "97 percent of breaches were avoidable through simple or intermediate controls." These findings may be a direct consequence of the commonly exploited vulnerabilities that follow.

Gaps in Antivirus and Antimalware Deployments

Law Number Eight: An out-of-date malware scanner is only marginally better than no scanner at all. - Ten Immutable Laws of Security (Version 2.0)

Analysis of organizations' antivirus and antimalware deployments often reveals an environment in which most workstations are configured with antivirus and antimalware software that is enabled and current. Exceptions are usually workstations that connect infrequently to the corporate environment or employee devices for which antivirus and antimalware software can be difficult to deploy, configure, and update.

Server populations, however, tend to be less consistently protected in many compromised environments. As reported in the 2012 Data Breach Investigations Report, 94 percent of all data compromises involved servers, which represents an 18 percent increase over the previous year, and 69 percent of attacks incorporated malware. In server populations, it is not uncommon to find that antivirus and antimalware installations are inconsistently configured, outdated, misconfigured, or even disabled. In some cases, the antivirus and antimalware software is disabled by administrative staff, but in other cases, attackers disable the software after compromising a server via other vulnerabilities. When the antivirus and antimalware software is disabled, the attackers then plant malware on the server and focus on propagating compromise across the server population.

It is important not only to ensure that your systems are protected with current, comprehensive malware protection, but also to monitor systems for disabling or removal of antivirus and antimalware software and to automatically restart protection when it is manually disabled. Although no antivirus and antimalware software can guarantee prevention and detection of all infections, a properly configured and deployed antivirus and antimalware implementation can reduce the likelihood of infection.
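The monitoring the preceding paragraph calls for (detect disabled or stale antimalware on servers and restore real-time protection) can be scripted. The following is an added example and not code from the original document; it assumes Microsoft Defender Antivirus (Windows Server 2016 or later), PowerShell remoting to each server, and a constructed list of placeholder hostnames. The signature-age threshold is an assumption.

```powershell
# Added example (not from the original article): audit antimalware state on a set of
# servers and re-enable real-time protection where it has been switched off.
# Assumes Microsoft Defender Antivirus and PowerShell remoting; the server list is constructed.
$servers = @('SRV-APP01', 'SRV-FILE01')   # placeholder hostnames, constructed for this example
$maxSignatureAgeDays = 3                   # assumption: alert when signatures are older than this

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AMServiceEnabled   = $status.AMServiceEnabled
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        SignatureVersion   = $status.AntivirusSignatureVersion
    }
}

# Report the gaps the article describes: disabled engines and stale signatures.
$gaps = $results | Where-Object {
    -not $_.AMServiceEnabled -or -not $_.AntivirusEnabled -or
    -not $_.RealTimeProtection -or $_.SignatureAgeDays -gt $maxSignatureAgeDays
}
$gaps | Format-Table Computer, AMServiceEnabled, AntivirusEnabled, RealTimeProtection, SignatureAgeDays -AutoSize

# Automatically restore real-time protection where it was manually disabled, and record
# the event so that the "who disabled it" question is investigated rather than forgotten.
foreach ($gap in ($gaps | Where-Object { -not $_.RealTimeProtection })) {
    Invoke-Command -ComputerName $gap.Computer -ScriptBlock {
        Set-MpPreference -DisableRealtimeMonitoring $false
    }
    Write-Warning "Re-enabled real-time protection on $($gap.Computer); review who disabled it and when."
}
```

Run it on a schedule from an administrative host; a server on which `Get-MpComputerStatus` itself fails (engine removed, service stopped, host unreachable) is also a finding and should be treated as unprotected until proven otherwise.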

Incomplete Patching

Law Number Three: If you don't keep up with security fixes, your network won't be yours for long. - 10 Immutable Laws of Security Administration

Microsoft releases security bulletins on the second Tuesday of each month, although on rare occasions security updates are released between the monthly security updates (these are also known as "out-of-band" updates) when the vulnerability is determined to pose an urgent risk to customer systems. Whether a small business configures its Windows computers to use Windows Update to manage system and application patching or a large organization uses management software such as System Center Configuration Manager (SCCM) to deploy patches according to detailed, hierarchical plans, many customers patch their Windows infrastructures in a relatively timely manner.

However, few infrastructures include only Windows computers and Microsoft applications, and in compromised environments, it is common to find that the organization's patch management strategy contains gaps. Windows systems in these environments are inconsistently patched. Non-Windows operating systems are patched sporadically, if at all. Commercial off-the-shelf (COTS) applications contain vulnerabilities for which patches exist, but have not been applied. Networking devices are often configured with factory-default credentials and no firmware updates years after their installation. Applications and operating systems that are no longer supported by their vendors are often kept running, despite the fact that they can no longer be patched against vulnerabilities. Each of these unpatched systems represents another potential entry point for attackers.

The consumerization of IT has introduced additional challenges in that employee-owned devices are being used to access corporate-owned data, and the organization may have little to no control over the patching and configuration of employees' personal devices. Enterprise-class hardware typically ships with enterprise-ready configuration options and management capabilities, at the cost of less choice in individual customization and device selection. Employee-focused hardware offers a broader range of manufacturers, vendors, hardware security features, software security features, management capabilities and configuration options, and many enterprise features may be absent altogether.

Patch and Vulnerability Management Software

If an effective patch management system is in place for the Windows systems and Microsoft applications, part of the attack surface that unpatched vulnerabilities create has been addressed. However, unless the non-Windows systems, non-Microsoft applications, network infrastructure, and employee devices are also kept up-to-date on patches and other fixes, the infrastructure remains vulnerable. In some cases, an application's vendor may offer automatic update capabilities; in others, there may be a need to devise an approach to regularly retrieve and apply patches and other fixes.
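One way to find the "inconsistently patched" Windows servers described above is to compare the date of each server's most recently installed update against the monthly cycle. The following is an added example, not code from the original document; it assumes WMI/DCOM access to each server, a constructed list of placeholder hostnames, and a 45-day threshold that is an assumption. It only covers the Windows hosts; the non-Windows systems, COTS applications and network devices the text mentions need their own inventory.

```powershell
# Added example (not from the original article): find Windows servers whose most recent
# installed update is older than a chosen threshold. Assumes WMI/DCOM access to each
# server; the server list and the threshold are constructed for this example.
$servers = @('SRV-APP01', 'SRV-FILE01', 'SRV-LEGACY01')   # placeholder hostnames
$maxDaysSinceUpdate = 45                                   # assumption: one monthly cycle plus slack

$patchState = foreach ($server in $servers) {
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        # Get-HotFix reads the same data as "Installed Updates"; InstalledOn is empty for some entries.
        $latest = Get-HotFix -ComputerName $server -ErrorAction Stop |
            Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
        [pscustomobject]@{
            Computer        = $server
            OperatingSystem = $os.Caption
            LastUpdate      = $latest.InstalledOn
            LastHotFixId    = $latest.HotFixID
            DaysSinceUpdate = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
        }
    } catch {
        # An unreachable host is a finding too: it cannot be shown to be patched.
        [pscustomobject]@{
            Computer = $server; OperatingSystem = 'UNREACHABLE'
            LastUpdate = $null; LastHotFixId = $null; DaysSinceUpdate = $null
        }
    }
}

$patchState | Sort-Object DaysSinceUpdate -Descending | Format-Table -AutoSize

# Servers outside the patch window, or whose state could not be determined.
$patchState | Where-Object { $null -eq $_.DaysSinceUpdate -or $_.DaysSinceUpdate -gt $maxDaysSinceUpdate }
```

Treat the result as a coarse drift detector rather than a vulnerability scan: a recent hotfix date shows that something was installed, not that every applicable update was. The unsupported operating systems named later in this section will appear here with an old date and no newer update available, which is exactly the case the article says must be handled by upgrade or replacement rather than patching.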

Outdated Applications and Operating Systems

"You can't expect a six-year-old operating system to protect you against a six-month-old attack." - Information Security Professional with 10 years of experience securing enterprise installations

Although "get current, stay current" may sound like a marketing phrase, outdated operating systems and applications create risk in many organizations' IT infrastructures. An operating system that was released in 2003 might still be supported by the vendor and provided with updates to address vulnerabilities, but that operating system might not contain security features added in newer versions of the operating system. Outdated systems can even require weakening of certain AD DS security configuration to support the lesser capabilities of those computers.

Applications that were written to use legacy authentication protocols by vendors who are no longer supporting the application usually cannot be retooled to support stronger authentication mechanisms. However, an organization's Active Directory domain may still be configured to store LAN Manager hashes or reversibly encrypted passwords to support such applications. Applications written prior to the introduction of newer operating systems may not function well or at all on current operating systems, requiring organizations to maintain older and older systems, and in some cases, completely unsupported hardware and software.

Even in cases in which organizations have updated their domain controllers to Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008, it is typical to find significant portions of the member server population to be running Windows Server 2003 (which is no longer in mainstream support), or even Windows 2000 Server or Windows NT Server 4.0 (which are completely unsupported). The longer an organization maintains aging systems, the more the disparity between feature sets grows, and the more likely it becomes that production systems will be unsupported. Additionally, the longer an Active Directory forest is maintained, the more we observe that legacy systems and applications are missed in upgrade plans. This can mean that a single computer running a single application can introduce domain- or forest-wide vulnerabilities because Active Directory is configured to support its legacy protocols and authentication mechanisms.

To eliminate legacy systems and applications, you should first focus on identifying and cataloging them, then on determining whether to upgrade or replace the application or host. Although it can be difficult to find replacements for highly specialized applications for which there is neither support nor an upgrade path, you may be able to leverage a concept called "creative destruction" to replace the legacy application with a new application that provides the necessary functionality. Planning for Compromise is described in more depth in "Planning for Compromise" later in this document.
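The "identify and catalog" step above, together with the legacy password-storage settings described two paragraphs earlier (LAN Manager hashes and reversibly encrypted passwords), can be inventoried from the directory. The following is an added example, not code from the original document; it assumes the ActiveDirectory PowerShell module (RSAT), read access to the directory, and a 90-day activity window that is an assumption. The operating-system patterns are the ones the text names.

```powershell
# Added example (not from the original article): catalog domain computers by operating
# system and flag the legacy password-storage settings the article describes.
# Assumes the ActiveDirectory module and rights to read the directory.
Import-Module ActiveDirectory

# Operating systems the article names as out of mainstream support or unsupported.
$legacyPatterns = @('Windows Server 2003*', 'Windows 2000*', 'Windows NT*')

$computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

# Inventory: how many computers run each operating system.
$computers | Group-Object OperatingSystem | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize

# Legacy hosts that still authenticate to the domain (LastLogonDate within 90 days; threshold is an assumption).
$cutoff = (Get-Date).AddDays(-90)
$legacy = $computers | Where-Object {
    $os = $_.OperatingSystem
    ($legacyPatterns | Where-Object { $os -like $_ }) -and $_.LastLogonDate -gt $cutoff
}
$legacy | Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate | Format-Table -AutoSize

# Accounts whose passwords are stored with reversible encryption
# (userAccountControl bit 0x80 = 128, ENCRYPTED_TEXT_PWD_ALLOWED), usually kept for legacy applications.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' -Properties Enabled |
    Select-Object SamAccountName, Enabled | Format-Table -AutoSize

# Whether the domain's default password policy allows reversible encryption for everyone.
(Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled

# LAN Manager hash storage is controlled by the NoLMHash setting on each domain controller
# (1 = do not store LM hashes). Run this on a domain controller, or wrap it in Invoke-Command.
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
```

Each account or setting the script returns corresponds to a concrete application dependency; record which application needs it, because that is the list of candidates for the upgrade-or-replace decision, and a reversible-encryption flag with no known consumer is simply a misconfiguration to remove.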


Law Number Four: It doesn't do much good to install security fixes on a computer that was never secured to begin with. - 10 Immutable Laws of Security Administration

Even in environments where systems are generally kept current and patched, we commonly identify gaps or misconfigurations in the operating system, applications running on computers, and Active Directory. Some misconfigurations expose only the local computer to compromise, but after a computer is "owned," attackers usually focus on further propagating the compromise across other systems and eventually to Active Directory. Following are some of the common areas in which we identify configurations that introduce risk.

In Active Directory

The accounts in Active Directory that are most commonly targeted by attackers are those that are members of the most-highly privileged groups, such as members of the Domain Admins (DA), Enterprise Admins (EA), or built-in Administrators (BA) groups in Active Directory. The membership of these groups should be reduced to the smallest number of accounts possible so that the attack surface of these groups is limited. It is even possible to eliminate "permanent" membership in these privileged groups; that is, you can implement settings that allow you to temporarily populate these groups only when their domain- and forest-wide privileges are needed. When highly privileged accounts are used, they should be used only on designated, secure systems such as domain controllers or secure administrative hosts. Detailed information to help implement all of these configurations is provided in Reducing the Active Directory Attack Surface.

When we evaluate the membership of the highest privileged groups in Active Directory, we commonly find excessive membership in all three of the most-privileged groups. In some cases, organizations have dozens, even hundreds of accounts in DA groups. In other cases, organizations place accounts directly into built-in Administrators groups, thinking that the group is "less privileged" than the DAs group. It is not. We often find a handful of permanent members of the EA group in the forest root domain, despite the fact that EA privileges are rarely and temporarily required. Finding an IT user's day-to-day administrative account in all three groups is also common, even though this is an effectively redundant configuration. As described in Reducing the Active Directory Attack Surface, whether an account is a permanent member of one of these groups or all of them, the account can be used to compromise, and even destroy, the AD DS environment and the systems and accounts managed by it. Recommendations for the secure configuration and use of privileged accounts in Active Directory are provided in Reducing the Active Directory Attack Surface.
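The evaluation described above (how large DA, EA and BA are, which accounts sit in all three, and which permanent members are never actually used) can be reproduced with the ActiveDirectory module. The following is an added example, not code from the original document; it assumes RSAT, read access to the current domain and the forest root domain, and a 90-day "unused" window that is an assumption.

```powershell
# Added example (not from the original article): enumerate the three highest-privileged
# groups the article names, expand nested membership, and report redundant and unused members.
# Assumes the ActiveDirectory module; thresholds are assumptions.
Import-Module ActiveDirectory

$domain     = (Get-ADDomain).DNSRoot
$forestRoot = (Get-ADForest).RootDomain
$groups = @(
    @{ Name = 'Domain Admins';     Server = $domain },
    @{ Name = 'Enterprise Admins'; Server = $forestRoot },   # exists only in the forest root domain
    @{ Name = 'Administrators';    Server = $domain }        # the built-in Administrators (BA) group
)

$members = foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser $_.DistinguishedName -Server $g.Server -Properties LastLogonDate, PasswordLastSet, Enabled
            [pscustomobject]@{
                Group           = $g.Name
                Account         = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}

# Size of each group: the recommendation is the smallest number of accounts possible.
$members | Group-Object Group | Select-Object Name, Count | Format-Table -AutoSize

# Accounts present in all three groups: the redundant configuration the article calls out.
$members | Group-Object Account | Where-Object { $_.Count -ge 3 } |
    Select-Object Name, @{ n = 'Groups'; e = { ($_.Group.Group | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Enabled permanent members with no logon in 90 days (assumption): candidates for removal,
# or for a model in which the group is populated only while the privilege is needed.
$stale = (Get-Date).AddDays(-90)
$members | Where-Object { $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $stale) } |
    Sort-Object Group, Account | Format-Table Group, Account, LastLogonDate, PasswordLastSet -AutoSize
```

`LastLogonDate` is replicated with low precision, so it is suitable for spotting accounts unused for months, not days. Nested groups from other domains of the forest may surface as foreign security principals that `Get-ADGroupMember -Recursive` cannot expand; those entries deserve a manual look rather than being discarded.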

On Domain Controllers

When we assess domain controllers, we often find them configured and managed no differently than member servers. Domain controllers sometimes run the same applications and utilities installed on member servers, not because they're needed on the domain controllers, but because the applications are part of a standard build. These applications may provide minimal functionality on the domain controllers but add significantly to their attack surface by requiring configuration settings that open ports, create highly privileged service accounts, or grant access to the system by users who should not connect to a domain controller for any purpose other than authentication and Group Policy application. In some breaches, attackers have used tools that were already installed on domain controllers not only to gain access to the domain controllers, but to modify or damage the AD DS database.

When we extract the Internet Explorer configuration settings on domain controllers, we find that users have logged on with accounts that have high levels of privilege in Active Directory and have used the accounts to access the Internet and intranet from the domain controllers. In some cases, the accounts have configured Internet Explorer settings on the domain controllers to allow download of Internet content, and freeware utilities have been downloaded from Internet sites and installed on the domain controllers. Internet Explorer Enhanced Security Configuration is enabled for Users and Administrators by default, yet we often observe that it has been disabled for Administrators. When a highly privileged account accesses the Internet and downloads content to any computer, that computer is put at severe risk. When the computer is a domain controller, the entire AD DS installation is put at risk.

Protecting Domain Controllers

Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers should not run any software that is not required for the domain controller to function or doesn't protect the domain controller against attacks. Domain controllers should not be permitted to access the Internet, and security settings should be configured and enforced by Group Policy Objects (GPOs). Detailed recommendations for the secure installation, configuration, and management of domain controllers are provided in Securing Domain Controllers Against Attack.

Within the Operating System

Law Number Two: If a bad guy can alter the operating system on your computer, it's not your computer anymore. - Ten Immutable Laws of Security (Version 2.0)

Although some organizations create baseline configurations for servers of different types and allow limited customization of the operating system after it's installed, analysis of compromised environments often uncovers large numbers of servers deployed in an ad hoc fashion, and configured manually and independently. Configurations between two servers performing the same function may be completely different, where neither server is configured securely. Conversely, server configuration baselines may be consistently enforced, but also consistently misconfigured; that is, servers are configured in a manner that creates the same vulnerability on all servers of a given type. Misconfiguration includes practices such as disabling of security features, granting excessive rights and permissions to accounts (particularly service accounts), use of identical local credentials across systems, and permitting installation of unauthorized applications and utilities that create vulnerabilities of their own.

Disabling Security Features

Organizations sometimes disable Windows Firewall with Advanced Security (WFAS) out of a belief that WFAS is difficult to configure or requires work-intensive configuration. However, beginning with Windows Server 2008, when any role or feature is installed on a server, it is configured by default with the least privileges required for the role or feature to function, and the Windows Firewall is automatically configured to support the role or feature. By disabling WFAS (and not using another host-based firewall in its place), organizations increase the attack surface of the entire Windows environment. Perimeter firewalls provide some protection against attacks that directly target an environment from the Internet, but they provide no protection against attacks that exploit other attack vectors such as drive-by download attacks, or attacks that originate from other compromised systems on the intranet.

User Account Control (UAC) settings are sometimes disabled on servers because administrative staff find the prompts intrusive. Although Microsoft Support article 2526083 describes scenarios in which UAC may be disabled on Windows Server, unless you are running a Server Core installation (where UAC is disabled by design), you should not disable UAC on servers without careful consideration and research.

In other cases, server settings are configured to less-secure values because organizations apply outdated server configuration settings to new operating systems, such as applying Windows Server 2003 baselines to computers running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008, without changing the baselines to reflect the changes in the operating system. Rather than carrying old server baselines to new operating systems, when deploying a new operating system, review security changes and configuration settings to ensure that the settings implemented are applicable and appropriate for the new operating system.
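The settings this section and the preceding "On Domain Controllers" section describe as commonly weakened (Internet Explorer Enhanced Security Configuration for Administrators, the Windows Firewall profiles, and UAC) can be read back from each host to detect drift from the baseline. The following is an added example, not code from the original document; it assumes PowerShell remoting with local administrator rights on each host, Windows Server 2012 or later for `Get-NetFirewallProfile`, and uses the domain controllers as the default target set. The Active Setup registry keys and the `EnableLUA` value are the documented locations of these settings.

```powershell
# Added example (not from the original article): check hosts (domain controllers by default)
# for IE Enhanced Security Configuration, Windows Firewall profile state and UAC.
# Assumes PowerShell remoting and local administrator rights on each host.
Import-Module ActiveDirectory
$hosts = (Get-ADDomainController -Filter *).HostName   # or any constructed list of servers

$report = Invoke-Command -ComputerName $hosts -ScriptBlock {
    # IE ESC state is stored per audience under Active Setup; IsInstalled = 1 means enabled.
    $activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $escAdmins = (Get-ItemProperty "$activeSetup\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue).IsInstalled
    $escUsers  = (Get-ItemProperty "$activeSetup\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue).IsInstalled

    # UAC: EnableLUA = 0 means User Account Control is disabled. Server Core installations
    # have UAC disabled by design, so exclude them from this finding when reviewing.
    $lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    # Windows Firewall with Advanced Security: all three profiles are expected to be enabled.
    $disabledProfiles = Get-NetFirewallProfile |
        Where-Object { [string]$_.Enabled -ne 'True' } | ForEach-Object { $_.Name }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        IEESC_Admins     = ($escAdmins -eq 1)
        IEESC_Users      = ($escUsers -eq 1)
        UACEnabled       = ($lua -ne 0)
        FirewallDisabled = (@($disabledProfiles) -join ',')
    }
}

$report | Sort-Object Computer |
    Format-Table Computer, IEESC_Admins, IEESC_Users, UACEnabled, FirewallDisabled -AutoSize

# Hosts that deviate from the expected baseline.
$report | Where-Object { -not $_.IEESC_Admins -or -not $_.UACEnabled -or $_.FirewallDisabled }
```

Because these values are meant to be enforced by GPO, a host that reports a deviation is either outside the policy's scope or has had the setting changed locally after policy application; the second case is the one that should trigger an investigation, since the article notes that attackers, as well as administrators, disable protective features after gaining access.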

太多權限授與Granting Excessive Privilege

我們已經評估幾乎每個環境,過權限授與本機和網域型帳號,在 Windows 系統。In nearly every environment we have assessed, excessive privilege is granted to local and domain-based accounts on Windows systems. 在他們的工作站本機系統管理員權限授與使用者、 成員伺服器執行設定他們必須運作,以外的權限的服務,並本機系統管理員群組台包含許多或甚至數百本機及網域帳號。Users are granted local Administrator rights on their workstations, member servers run services that are configured with rights beyond what they need to function, and local Administrators groups across the server population contain dozens or even hundreds of local and domain accounts. 危害只有一個特殊權限帳號,在電腦上可以讓駭客危害帳號的每個使用者和到電腦,並套用到其他系統危害雲和善用認證登入服務。Compromise of only one privileged account on a computer allows attackers to compromise the accounts of every user and service that logs on to the computer, and to harvest and leverage credentials to propagate the compromise to other systems.

雖然 pass--hash (PTH) 和其他認證竊取攻擊目前普遍,這是因為有免費的工具,可讓您更簡單且輕鬆地在解壓縮時攻擊其他特殊權限帳號的憑證已取得電腦的系統管理員或系統層級存取。Although pass-the-hash (PTH) and other credential theft attacks are ubiquitous today, it is because there is freely available tooling that makes it simple and easy to extract the credentials of other privileged accounts when an attacker has gained Administrator- or SYSTEM-level access to a computer. 不工具,可從登入工作階段認證的蒐集,甚至攻擊到電腦的特殊權限存取可以輕鬆地安裝按鍵、 螢幕擷取畫面、 剪貼記下的按鍵輸入記錄器。Even without tooling that allows harvesting of credentials from logon sessions, an attacker with privileged access to a computer can just as easily install keystroke loggers that capture keystrokes, screenshots, and clipboard contents. 攻擊到電腦的特殊權限存取可以停用反惡意程式碼軟體,安裝 rootkit、 修改受保護的檔案,或在的電腦會自動執行攻擊或會將伺服器上安裝的惡意程式碼下載磁碟機,主機。An attacker with privileged access to a computer can disable antimalware software, install rootkits, modify protected files, or install malware on the computer that automates attacks or turns a server into a drive-by download host.

用來延長超過一部電腦違約策略而有所不同,但傳播危害的關鍵取得額外的系統高度授權的存取。The tactics used to extend a breach beyond a single computer vary, but the key to propagating compromise is the acquisition of highly privileged access to additional systems. 以減少任何系統的存取權限帳號,您減少專業該電腦上,但攻擊蒐集寶貴認證的電腦上的可能性攻擊。By reducing the number of accounts with privileged access to any system, you reduce the attack surface not only of that computer, but the likelihood of an attacker harvesting valuable credentials from the computer.

將本機系統管理員認證Standardizing Local Administrator Credentials

長有安全性專家做為之間爭議是否中重新命名本機系統管理員帳號,在 Windows 電腦上的有值。There has long been debate among security specialists as to whether there is value in renaming local Administrator accounts on Windows computers. 本機系統管理員帳號真的很重要的是是否設定的相同使用者名稱和密碼在多部電腦。What is actually important about local Administrator accounts is whether they are configured with the same user name and password across multiple computers.

本機伺服器上命名為相同的值密碼指派給 account 也已設定為相同的值,如果攻擊可以擷取一部電腦的系統管理員或系統層級取得存取 account 的認證。If the local Administrator account is named to the same value across servers and the password assigned to the account is also configured to the same value, attackers can extract the account's credentials on one computer on which Administrator or SYSTEM-level access has been obtained. 攻擊者不需要一開始危害管理員。它們僅需要危害 account 的使用者的本機系統管理員群組中,或設定為執行 LocalSystem 或系統管理員權限的服務 account 的成員。The attacker does not have to initially compromise the Administrator account; they need only compromise the account of a user who is a member of the local Administrators group, or of a service account that is configured to run as LocalSystem or with Administrator privileges. 攻擊者可以擷取的認證管理員,然後重新執行這些網路網路上其他電腦的登入認證。The attacker can then extract the credentials for the Administrator account and replay those credentials in network logons to other computers on the network.

As long as another computer has a local account with the same user name and password (or password hash) as the credentials being presented, the logon attempt succeeds and the attacker obtains privileged access to the targeted computer. In current versions of Windows, the built-in Administrator account is disabled by default, but in legacy operating systems the account is enabled by default.


Some organizations have intentionally configured local Administrator accounts to be enabled in the belief that this provides a "failsafe" in case all other privileged accounts are locked out of a system. However, even if the local Administrator account is disabled and there are no other accounts available that can enable the account or log on to the system with Administrator privileges, the system can be booted into safe mode and the built-in local Administrator account can be re-enabled, as described in Microsoft Support article 814777. Additionally, if the system still successfully applies GPOs, a GPO can be modified to (temporarily) re-enable the Administrator account, or Restricted Groups can be configured to add a domain-based account to the local Administrators group. Repairs can then be performed and the Administrator account disabled again. To effectively prevent lateral compromise that uses built-in local Administrator account credentials, unique user names and passwords must be configured for local Administrator accounts. To deploy unique passwords for local Administrator accounts via a GPO, see Solution for management of built-in Administrator account's password via GPO on TechNet.

Permitting Installation of Unauthorized Applications

Law Number One: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore. - Ten Immutable Laws of Security (Version 2.0)

Whether or not an organization deploys consistent baseline settings across servers, the installation of applications that are not part of a server's defined role should not be permitted. Allowing software to be installed that is not part of a server's designated functionality exposes servers to inadvertent or malicious installation of software that increases the server's attack surface, introduces application vulnerabilities, or causes system instability.


As described earlier, applications are often installed and configured to use accounts that are granted more privilege than the application actually requires. In some cases, the application's documentation specifies that service accounts must be members of a server's local Administrators group or must be configured to run in the context of LocalSystem. This is often not because the application requires those rights, but because determining which rights and permissions an application's service accounts actually need requires an investment of additional time and effort. If an application is not installed with the minimum privileges required for the application and its configured features to function, the system is exposed to attacks that leverage the application's privileges without any attack against the operating system itself.

Lack of Secure Application Development Practices

Infrastructure exists to support business workloads. Where these workloads are implemented in custom applications, it is critical to ensure that the applications are developed using secure best practices. Root-cause analysis of enterprise-wide incidents often reveals that the initial compromise was effected through custom applications, particularly those that are Internet facing. Most of these compromises are accomplished via well-known attacks such as SQL injection (SQLi) and cross-site scripting (XSS).

SQL injection is an application vulnerability that allows user-supplied input to modify a SQL statement that is passed to the database for execution. This input can be provided via a field in the application, a parameter (such as the query string or a cookie), or other methods. The result of this injection is that the SQL statement provided to the database is fundamentally different from what the developer intended. Take, for example, a common query used to evaluate a user name/password combination:

SELECT userID FROM users WHERE username = 'sUserName' AND password = 'sPassword'

When the database server receives this statement, it instructs the server to look through the users table and return any userID record where the user name and password match those provided by the user (presumably via a login form of some kind). Naturally, the developer's intent is to return a valid record only if the user provides a correct user name and password. If either is incorrect, the database server cannot find a matching record and returns an empty result.

The issue occurs when an attacker does something unexpected, such as providing their own SQL in place of valid data. Because SQL is interpreted on the fly by the database server, the injected code is processed as if the developer had put it there. For example, if the attacker entered administrator for the user ID and xyz OR 1=1 as the password, the resulting statement processed by the database would be:

SELECT userID FROM users WHERE username = 'administrator' AND password = 'xyz' OR 1=1

When the database server processes this query, all rows in the table are returned because 1=1 always evaluates to True; it therefore does not matter whether the correct user name and password are known or provided. The net result in most cases is that the user is logged on as the first user in the users database, which in most cases is the administrative user.

In addition to simply logging on, malformed SQL statements such as this can be used to add, delete, or change data, or even drop (delete) entire tables from a database. In the most extreme cases, where SQLi is combined with excessive privilege, operating system commands can be run to create new users, download attack tools, or take any other action of the attacker's choosing.
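The following is an added example, not code from the original document, that runs the login query above against an in-memory SQLite table with constructed sample rows. It places the string-concatenated form of the query (the vulnerable pattern the text describes) beside a parameterized form, and shows that the same crafted password value logs the caller on as the first user in one case and matches nothing in the other. The password value is written with a closing quote so that the statement the database sees has the shape shown above; the table name, column names, sample users and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the page.
SAMPLE_USERS = [
    (1, "administrator", "s3cret-admin"),
    (2, "alice", "alice-pass"),
]


def make_db():
    """Build an in-memory users table with the constructed sample rows.
    userID is the rowid, so an unordered SELECT returns rows in userID order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userID INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, as in the text's example.
    The input becomes part of the SQL text, so a quote character in the input
    changes the structure of the WHERE clause instead of being compared as data."""
    sql = (
        "SELECT userID FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Sends a fixed statement and binds the values separately. The database
    never parses the input as SQL, so the same crafted value matches nothing."""
    sql = "SELECT userID FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both forms with a valid login and with the crafted password value.
    The crafted value turns the vulnerable statement into
      ... AND password = 'xyz' OR '1'='1'
    which matches every row; the first row (userID 1) is returned."""
    conn = make_db()
    crafted_password = "xyz' OR '1'='1"
    return {
        "valid_login": login_parameterized(conn, "alice", "alice-pass"),
        "vulnerable_with_crafted": login_vulnerable(conn, "administrator", crafted_password),
        "parameterized_with_crafted": login_parameterized(conn, "administrator", crafted_password),
    }


if __name__ == "__main__":
    for name, user_id in demo().items():
        print(f"{name}: {user_id}")
```

The parameterized form is the fix the text's discussion points toward: the statement's shape is decided by the developer, and the user's input can only ever be a value compared against a column. The same separation of code from data is what makes the "excessive privilege" combination above survivable, since a query that cannot be reshaped cannot be turned into a table drop or a command execution.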

In cross-site scripting, the vulnerability is introduced in the application's output. An attack begins with an attacker providing malformed data to the application, but in this case the malformed data takes the form of scripting code (such as JavaScript) that will be run by the victim's browser. Exploiting an XSS vulnerability can allow an attacker to run any function of the target application in the context of the user who launched the browser. XSS attacks are typically initiated by a phishing email that encourages the user to click a link that connects to the application and runs the attack code.

XSS is often exploited in online banking and e-commerce scenarios, where an attacker can make purchases or transfer money in the context of the exploited user. In the case of a targeted attack on a custom web-based identity management application, it can allow an attacker to create their own identities, modify permissions and rights, and bring about a systemic compromise.
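Because the text locates the XSS weakness in the application's output, the added example below (not code from the original document) shows the output side: a request value reflected into an HTML page unencoded, beside the same value encoded for its context with Python's standard html.escape. Two contexts are shown, plain text inside an element and a quoted attribute value, because the second needs the quote characters encoded as well. The page fragments, the constructed inputs and the helper names are assumptions for the demonstration.

```python
import html
import re

# Constructed request values for the demonstration; not taken from the page.
BENIGN_NAME = "Alice"
TEXT_PAYLOAD = "<script>alert('xss')</script>"   # markup aimed at an HTML text context
ATTR_PAYLOAD = '" onmouseover="alert(1)'         # aimed at a quoted attribute value


def render_greeting_vulnerable(name):
    """Reflects the request value straight into HTML text, so any tags in the
    input are parsed by the browser as markup and any script in them runs."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_encoded(name):
    """Encodes the value for an HTML text context. <, >, & and both quote
    characters become entities, so the browser displays them as characters."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def render_link_vulnerable(user):
    """Places the value inside a quoted attribute without encoding. A double
    quote in the input closes the attribute and the rest becomes new attributes."""
    return '<a href="/profile?u=' + user + '">profile</a>'


def render_link_encoded(user):
    """Same attribute with the value encoded; quote=True turns the double quote
    into &quot;, so the attribute boundary cannot be broken from the input."""
    return '<a href="/profile?u=' + html.escape(user, quote=True) + '">profile</a>'


def has_unencoded_tag(fragment):
    """Check used below: True if a raw <script opening survives in the output."""
    return "<script" in fragment.lower()


def attribute_count(fragment):
    """Check used below: how many name="value" attributes the element carries.
    Extra attributes mean the input escaped the attribute it was placed in."""
    return len(re.findall(r'\s\w+="[^"]*"', fragment))


if __name__ == "__main__":
    print(render_greeting_vulnerable(TEXT_PAYLOAD))
    print(render_greeting_encoded(TEXT_PAYLOAD))
    print(render_link_vulnerable(ATTR_PAYLOAD))
    print(render_link_encoded(ATTR_PAYLOAD))
```

The design point is that encoding is chosen per output context, not applied once at input time: the same value may be safe in element text and still break out of an attribute, a URL or a script block, and a templating system that encodes by default for each context removes the need to remember this at every reflection point.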

Although a full discussion of cross-site scripting and SQL injection is outside the scope of this document, the Open Web Application Security Project (OWASP) publishes a Top 10 list with in-depth discussion of these vulnerabilities and their countermeasures.

Regardless of the investment in infrastructure security, if poorly designed and written applications are deployed within that infrastructure, the environment is made vulnerable to attack. Even well-secured infrastructures often cannot provide effective countermeasures against these application attacks. Compounding the problem, poorly designed applications may require that service accounts be granted excessive permissions for the application to function.

The Microsoft Security Development Lifecycle (SDL) is a set of structural process controls that work to improve security, beginning early in requirements gathering and extending through the lifecycle of the application until it is decommissioned. This integration of effective security controls is not only critical from a security perspective; it is also critical to ensuring that application security is cost- and schedule-effective. Assessing an application for security issues only when it is effectively code complete forces organizations to make decisions about application security just before, or even after, the application has been deployed. An organization can choose to address the application's flaws before deploying it in production, incurring costs and delays, or the application can be deployed in production with known security flaws, exposing the organization to compromise.

Some organizations place the full cost of fixing a security issue in production code above $10,000 per issue, and applications developed without an effective SDL can average more than ten high-severity issues per 100,000 lines of code. In large applications, the costs escalate quickly. By contrast, many companies set a benchmark of less than one issue per 100,000 lines of code at the final code review stage of the SDL, and aim for zero issues in high-risk applications in production.

Implementing the SDL improves security by including security requirements early in requirements gathering and in the design of an application; it provides threat modeling for high-risk applications, requires effective training and monitoring of developers, and requires clear, consistent code standards and practices. The net effect of an SDL is a significant improvement in application security while reducing the cost to develop, deploy, maintain, and decommission an application. Although a detailed discussion of the design and implementation of the SDL is beyond the scope of this document, refer to the Microsoft Security Development Lifecycle for detailed guidance and information.