Implementing Least-Privilege Administrative Models

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The following excerpt is from The Administrator Accounts Security Planning Guide, first published on April 1, 1999:

"Most security-related training courses and documentation discuss the implementation of a principle of least privilege, yet organizations rarely follow it. The principle is simple, and the impact of applying it correctly greatly increases your security and reduces your risk. The principle states that all users should log on with a user account that has the absolute minimum permissions necessary to complete the current task and nothing more. Doing so provides protection against malicious code, among other attacks. This principle applies to computers and the users of those computers.
"One reason this principle works so well is that it forces you to do some internal research. For example, you must determine the access privileges that a computer or user really needs, and then implement them. For many organizations, this task might initially seem like a great deal of work; however, it is an essential step to successfully secure your network environment.
"You should grant all domain administrator users their domain privileges under the concept of least privilege. For example, if an administrator logs on with a privileged account and inadvertently runs a virus program, the virus has administrative access to the local computer and to the entire domain. If the administrator had instead logged on with a nonprivileged (nonadministrative) account, the virus's scope of damage would only be the local computer because it runs as a local computer user.
"In another example, accounts to which you grant domain-level administrator rights must not have elevated rights in another forest, even if there is a trust relationship between the forests. This tactic helps prevent widespread damage if an attacker manages to compromise one managed forest. Organizations should regularly audit their network to protect against unauthorized escalation of privilege."

The following excerpt is from the Microsoft Windows Security Resource Kit, first published in 2005:

"Always think of security in terms of granting the least amount of privileges required to carry out the task. If an application that has too many privileges should be compromised, the attacker might be able to expand the attack beyond what it would if the application had been under the least amount of privileges possible. For example, examine the consequences of a network administrator unwittingly opening an email attachment that launches a virus. If the administrator is logged on using the domain Administrator account, the virus will have Administrator privileges on all computers in the domain and thus unrestricted access to nearly all data on the network. If the administrator is logged on using a local Administrator account, the virus will have Administrator privileges on the local computer and thus would be able to access any data on the computer and install malicious software such as key-stroke logging software on the computer. If the administrator is logged on using a normal user account, the virus will have access only to the administrator's data and will not be able to install malicious software. By using the least privileges necessary to read email, in this example, the potential scope of the compromise is greatly reduced."

The Privilege Problem

The principles described in the preceding excerpts have not changed, but in assessing Active Directory installations, we invariably find excessive numbers of accounts that have been granted rights and permissions far beyond those required to perform day-to-day work. The size of the environment affects the raw numbers of overly privileged accounts, but not the proportion: midsized directories may have dozens of accounts in the most highly privileged groups, while large installations may have hundreds or even thousands. With few exceptions, regardless of the sophistication of an attacker's skills and arsenal, attackers typically follow the path of least resistance. They increase the complexity of their tooling and approach only if and when simpler mechanisms fail or are thwarted by defenders.

Unfortunately, the path of least resistance in many environments has proven to be the overuse of accounts with broad and deep privilege. Broad privileges are rights and permissions that allow an account to perform specific activities across a large cross-section of the environment; for example, Help Desk staff may be granted permissions that allow them to reset the passwords on many user accounts.

Deep privileges are powerful privileges that are applied to a narrow segment of the population, such as giving an engineer Administrator rights on a server so that they can perform repairs. Neither broad privilege nor deep privilege is necessarily dangerous, but when many accounts in the domain are permanently granted broad and deep privilege, if only one of the accounts is compromised, it can quickly be used to reconfigure the environment to the attacker's purposes or even to destroy large segments of the infrastructure.

Pass-the-hash attacks, which are a type of credential theft attack, are ubiquitous because the tooling to perform them is freely available and easy to use, and because many environments are vulnerable to the attacks. Pass-the-hash attacks, however, are not the real problem. The crux of the problem is twofold:

  1. It is usually easy for an attacker to obtain deep privilege on a single computer and then propagate that privilege broadly to other computers.

  2. There are usually too many permanent accounts with high levels of privilege across the computing landscape.

Even if pass-the-hash attacks are eliminated, attackers would simply use different tactics, not a different strategy. Rather than planting malware that contains credential theft tooling, they might plant malware that logs keystrokes, or leverage any number of other approaches to capture credentials that are powerful across the environment. Regardless of the tactics, the targets remain the same: accounts with broad and deep privilege.

Granting of excessive privilege isn't only found in Active Directory in compromised environments. When an organization has developed the habit of granting more privilege than is required, it is typically found throughout the infrastructure, as discussed in the following sections.

In Active Directory

In Active Directory, it is common to find that the EA, DA and BA groups (Enterprise Admins, Domain Admins and the built-in Administrators group) contain excessive numbers of accounts. Most commonly, an organization's EA group contains the fewest members, DA groups usually contain a multiple of the number of users in the EA group, and Administrators groups usually contain more members than the populations of the other groups combined. This is often due to a belief that Administrators are somehow "less privileged" than DAs or EAs. While the rights and permissions granted to each of these groups differ, they should be considered equally powerful groups, because a member of one can make himself or herself a member of the other two.

On Member Servers

When we retrieve the membership of local Administrators groups on member servers in many environments, we find membership ranging from a handful of local and domain accounts, to dozens of nested groups that, when expanded, reveal hundreds, even thousands, of accounts with local Administrator privilege on the servers. In many cases, domain groups with large memberships are nested in member servers' local Administrators groups, without consideration of the fact that any user who can modify the membership of those groups in the domain can gain administrative control of every system on which the group has been nested in a local Administrators group.
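The two preceding sections describe what an assessment finds once nested membership is expanded. The following PowerShell script is an added example, not code from the original article: it flattens the EA, DA and Administrators groups of every domain in the forest and then expands the local Administrators group on a list of member servers, so that the effective number of privileged identities is visible rather than the raw number of entries. It assumes the ActiveDirectory module (RSAT) is installed where it runs, that PowerShell remoting reaches the servers, and the server names SRV01 and SRV02 are constructed for the example.

```powershell
# Added example (not from the original article): expand the membership of the
# highest-privilege Active Directory groups and of the local Administrators
# group on a set of member servers, so that the true number of identities with
# administrative rights is visible. Needs the ActiveDirectory module (RSAT) and
# PowerShell remoting to the servers; the server names are constructed for the
# example. Get-LocalGroupMember exists on Windows Server 2016 / Windows 10 and
# later; older hosts need "net localgroup Administrators" instead.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Enterprise Admins exists only in the forest root; Domain Admins and the
# built-in Administrators group exist in every domain.
$adReport = foreach ($domain in $forest.Domains) {
    $groups = @('Domain Admins', 'Administrators')
    if ($domain -eq $forest.RootDomain) { $groups += 'Enterprise Admins' }
    foreach ($group in $groups) {
        # -Recursive flattens nested groups and returns leaf principals only.
        # It reports an error for members from other domains (foreign security
        # principals), which is itself worth investigating.
        $members = @(Get-ADGroupMember -Identity $group -Server $domain -Recursive -ErrorAction Continue |
            Where-Object { $_.objectClass -in 'user', 'computer' })
        [pscustomobject]@{
            Domain  = $domain
            Group   = $group
            Count   = $members.Count
            Members = ($members.SamAccountName | Sort-Object) -join ', '
        }
    }
}
$adReport | Format-Table Domain, Group, Count -AutoSize

# Local Administrators membership on member servers, with any nested domain
# group expanded to its effective member count.
$servers = 'SRV01', 'SRV02'   # constructed list for the example
$localMembers = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource, SID
}

$localReport = foreach ($m in $localMembers) {
    $effective = 1
    if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        # Resolve by SID so a renamed group is still found; in a multi-domain
        # forest add -Server <the group's domain> here.
        $effective = @(Get-ADGroupMember -Identity ([string]$m.SID) -Recursive -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]@{
        Computer  = $m.Computer
        Member    = $m.Name
        Type      = $m.ObjectClass
        Effective = $effective
    }
}
$localReport | Sort-Object Computer, @{ e = 'Effective'; Descending = $true } | Format-Table -AutoSize
```

Rows in the second table with a large Effective count are exactly the nested domain groups the section warns about: anyone who can change that group's membership in the domain is an administrator of every server that nests it.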

On Workstations

Although workstations typically have significantly fewer members in their local Administrators groups than member servers do, in many environments users are granted membership in the local Administrators group on their personal computers. When this occurs, even if UAC is enabled, those users present an elevated risk to the integrity of their workstations.

Important

You should consider carefully whether users require administrative rights on their workstations, and if they do, a better approach may be to create a separate local account on the computer that is a member of the Administrators group. When users require elevation, they can present the credentials of that local account for elevation, but because the account is local, it cannot be used to compromise other computers or access domain resources. As with any local account, however, the credentials for the local privileged account should be unique; if you create a local account with the same credentials on multiple workstations, you expose the computers to pass-the-hash attacks.
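The note above recommends a separate local elevation account with credentials that are unique to each workstation. The script below is an added example, not code from the original article, showing one way to create such an account: the password is generated on the machine itself from a cryptographic RNG, so no two computers ever share it. The account name "LocalAdmin" is an assumption, and the returned password must be escrowed by the caller in a secured store (the script deliberately does not persist it).

```powershell
# Added example (not from the original article): create a separate local
# account for elevation on a workstation, with a password generated on that
# machine from a cryptographic RNG so that no two computers share the credential.
# The account name "LocalAdmin" is an assumption. The returned password must be
# escrowed in a secured store by the caller; this script does not persist it.
function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (I, O, l, 0, 1) are left out so the value can be typed.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Reject bytes above the largest multiple of the alphabet size so that the
    # modulo step does not bias the distribution toward the first characters.
    $limit = 256 - (256 % $alphabet.Length)
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function Set-UniqueLocalAdmin {
    param([string]$Name = 'LocalAdmin')
    $password = New-RandomPassword
    $secure   = ConvertTo-SecureString $password -AsPlainText -Force

    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        # Existing account: rotate the password to a fresh machine-specific value.
        Set-LocalUser -Name $Name -Password $secure
    } else {
        New-LocalUser -Name $Name -Password $secure -Description 'Local elevation account' | Out-Null
    }
    # Membership is idempotent; "already a member" is not an error here.
    Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue

    # Hand the credential back once for escrow; never write it to disk here.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Account  = "$env:COMPUTERNAME\$Name"
        Password = $password
    }
}

Set-UniqueLocalAdmin
```

Run it elevated on each workstation (for example from a management session). Because the generated value differs per machine, a hash stolen from one workstation is useless on the next, which is the property the note asks for; rotating the password on a schedule by re-running the function keeps that property over time.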

In Applications

In attacks in which the target is an organization's intellectual property, accounts that have been granted powerful privileges within applications can be targeted to allow exfiltration of data. Although the accounts that have access to sensitive data may have been granted no elevated privileges in the domain or the operating system, accounts that can manipulate the configuration of an application, or access to the information the application provides, present risk.

In Data Repositories

As is the case with other targets, attackers seeking access to intellectual property in the form of documents and other files can target the accounts that control access to the file stores, accounts that have direct access to the files, or even groups or roles that have access to the files. For example, if a file server is used to store contract documents and access to the documents is granted through an Active Directory group, an attacker who can modify the membership of the group can add compromised accounts to the group and access the contract documents. In cases in which access to documents is provided by applications such as SharePoint, attackers can target the applications as described earlier.

Reducing Privilege

The larger and more complex an environment, the more difficult it is to manage and secure. In small organizations, reviewing and reducing privilege may be a relatively simple proposition, but each additional server, workstation, user account, and application in use in an organization adds another object that must be secured. Because it can be difficult or even impossible to properly secure every aspect of an organization's IT infrastructure, you should focus efforts first on the accounts whose privilege creates the greatest risk, which are typically the built-in privileged accounts and groups in Active Directory, and privileged local accounts on workstations and member servers.

Securing Local Administrator Accounts on Workstations and Member Servers

Although this document focuses on securing Active Directory, as has been previously discussed, most attacks against the directory begin as attacks against individual hosts. Full guidelines for securing local groups on member systems cannot be provided here, but the following recommendations can be used to help you secure the local Administrator accounts on workstations and member servers.

Securing Local Administrator Accounts

On client versions of Windows currently in mainstream support, the local Administrator account is disabled by default, which makes the account unusable for pass-the-hash and other credential theft attacks; on Windows Server the built-in Administrator account is enabled after installation. In domains containing legacy operating systems, servers, or workstations on which local Administrator accounts have been enabled, these accounts can be used as previously described to propagate compromise across member servers and workstations. For this reason, the following controls are recommended for all local Administrator accounts on domain-joined systems.

Detailed instructions for implementing these controls are provided in Appendix H: Securing Local Administrator Accounts and Groups. Before implementing these settings, however, ensure that local Administrator accounts are not currently used in the environment to run services on computers or to perform other activities for which these accounts should not be used. Test these settings thoroughly before implementing them in a production environment.

Controls for Local Administrator Accounts

Built-in Administrator accounts should never be used as service accounts on member servers, nor should they be used to log on to local computers (except in Safe Mode, which is permitted even if the account is disabled). The goal of implementing the settings described here is to prevent each computer's local Administrator account from being usable unless protective controls are first reversed. By implementing these controls and monitoring Administrator accounts for changes, you can significantly reduce the likelihood of success of an attack that targets local Administrator accounts.

Configuring GPOs to Restrict Administrator Accounts on Domain-Joined Systems

In one or more GPOs that you create and link to workstation and member server OUs in each domain, add the Administrator account to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

  • Deny access to this computer from the network

  • Deny log on as a batch job

  • Deny log on as a service

  • Deny log on through Remote Desktop Services

When you add Administrator accounts to these user rights, specify whether you are adding the local Administrator account or the domain's Administrator account by the way that you label the account. For example, to add the NWTRADERS domain's Administrator account to these deny rights, you would type the account as NWTRADERS\Administrator, or browse to the Administrator account for the NWTRADERS domain. To ensure that you restrict the local Administrator account, type Administrator in these user rights settings in the Group Policy Object Editor.

Note

Even if local Administrator accounts are renamed, the policies will still apply.

These settings will ensure that a computer's Administrator account cannot be used to connect to other computers, even if it is inadvertently or maliciously enabled. Local logons using the local Administrator account cannot be completely disabled, nor should you attempt to do so, because a computer's local Administrator account is designed to be used in disaster recovery scenarios.

Should a member server or workstation become disjoined from the domain with no other local accounts granted administrative privileges, the computer can be booted into safe mode, the Administrator account can be enabled, and the account can then be used to effect repairs on the computer. When repairs are completed, the Administrator account should again be disabled.

Securing Local Privileged Accounts and Groups in Active Directory

Law Number Six: A computer is only as secure as the administrator is trustworthy. - Ten Immutable Laws of Security (Version 2.0)

The information provided here is intended to give general guidelines for securing the highest-privilege built-in accounts and groups in Active Directory. Detailed step-by-step instructions are also provided in Appendix D: Securing Built-In Administrator Accounts in Active Directory, Appendix E: Securing Enterprise Admins Groups in Active Directory, Appendix F: Securing Domain Admins Groups in Active Directory, and Appendix G: Securing Administrators Groups in Active Directory.

Before you implement any of these settings, you should test all of them thoroughly to determine whether they are appropriate for your environment. Not all organizations will be able to implement these settings.

Securing Built-in Administrator Accounts in Active Directory

In each domain in Active Directory, an Administrator account is created as part of the creation of the domain. This account is by default a member of the Domain Admins and Administrators groups in the domain, and if the domain is the forest root domain, the account is also a member of the Enterprise Admins group. Use of a domain's built-in Administrator account should be reserved only for initial build activities and, possibly, disaster-recovery scenarios. To ensure that a built-in Administrator account can be used to effect repairs in the event that no other accounts can be used, you should not change the default group membership of the Administrator account in any domain in the forest. Instead, you should follow the guidelines below to help secure the Administrator account in each domain in the forest. Detailed instructions for implementing these controls are provided in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

Controls for Built-in Administrator Accounts

The goal of implementing the settings described here is to prevent each domain's Administrator account (not a group) from being usable unless a number of controls are reversed. By implementing these controls and monitoring the Administrator accounts for changes, you can significantly reduce the likelihood of a successful attack that leverages a domain's Administrator account. For the Administrator account in each domain in your forest, you should configure the following settings.

Enable the "Account is sensitive and cannot be delegated" flag on the account

By default, all accounts in Active Directory can be delegated. Delegation allows a computer or service to present the credentials of an account that has authenticated to that computer or service to other computers, in order to obtain services on behalf of the account. When you enable the Account is sensitive and cannot be delegated attribute on a domain-based account, the account's credentials cannot be presented to other computers or services on the network, which limits attacks that leverage delegation to use the account's credentials on other systems.

Enable the "Smart card is required for interactive logon" flag on the account

When you enable the Smart card is required for interactive logon attribute on an account, Windows resets the account's password to a 120-character random value. By setting this flag on built-in Administrator accounts, you ensure that the password for the account is not only long and complex, but is not known to any user. It is not technically necessary to create smart cards for the accounts before enabling this attribute, but if possible, smart cards should be created for each Administrator account prior to configuring the account restrictions, and the smart cards should be stored in secure locations.

Although setting the Smart card is required for interactive logon flag resets the account's password, it does not prevent a user with rights to reset the account's password from setting the password to a known value and using the account's name and new password to access resources on the network. Because of this, you should implement the following additional controls on the account.

Disable the Account

If the Administrator account is not already disabled, disable it when you have completed configuration of the account's properties. This prevents the account from being used for any purpose unless it is first enabled. In a disaster recovery scenario in which no accounts are available to perform repairs of the AD DS environment, you can boot a domain controller into safe mode, log on locally with the built-in Administrator account (which is never blocked from local logon), and enable the domain's Administrator account, if necessary.
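The three controls above (not delegable, smart card required, disabled) are one procedure applied to the Administrator account of every domain. The following PowerShell is an added example, not code from the original article or its appendices: it locates each domain's account by its well-known RID (500), so that a renamed account is still found, sets the three attributes in one call, and reads them back as the check. It assumes the ActiveDirectory module and an account with rights to modify the Administrator object; add -WhatIf to Set-ADUser to preview against a test domain first, as the article asks.

```powershell
# Added example (not from the original article): apply the three controls
# above (not delegable, smart card required, disabled) to the built-in
# Administrator account of every domain in the forest and read the result back.
# The account is located by its well-known RID (500) so that a renamed account
# is still found. Requires the ActiveDirectory module and rights to modify the
# account; add -WhatIf to Set-ADUser to preview on a test domain first.
Import-Module ActiveDirectory

$props = 'AccountNotDelegated', 'SmartcardLogonRequired', 'Enabled'

$result = foreach ($domain in (Get-ADForest).Domains) {
    $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500" -Server $domain -Properties $props

    $controls = @{
        AccountNotDelegated    = $true    # "Account is sensitive and cannot be delegated"
        SmartcardLogonRequired = $true    # also resets the password to a random value
        Enabled                = $false   # disable once the other attributes are set
    }
    Set-ADUser -Identity $admin -Server $domain @controls

    # Read back from the same DC so the check reflects what was just written.
    Get-ADUser -Identity $admin -Server $domain -Properties $props |
        Select-Object @{ n = 'Domain'; e = { $domain } }, SamAccountName,
                      AccountNotDelegated, SmartcardLogonRequired, Enabled
}
$result | Format-Table -AutoSize

# Any row with the flags the wrong way round means the change did not apply.
$bad = $result | Where-Object { -not $_.AccountNotDelegated -or -not $_.SmartcardLogonRequired -or $_.Enabled }
if ($bad) { Write-Warning "Controls not applied in: $($bad.Domain -join ', ')" }
```

The order inside the hashtable does not matter to Set-ADUser; what matters is that the account is disabled in the same change as the other two flags, so there is no window in which it is enabled with a freshly reset password.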

Configuring GPOs to Restrict Domains' Administrator Accounts on Domain-Joined Systems

Although disabling the Administrator account in a domain makes the account effectively unusable, you should implement additional restrictions on the account in case it is inadvertently or maliciously enabled. Although these controls can ultimately be reversed by the Administrator account itself, the goal is to create controls that slow an attacker's progress and limit the damage the account can inflict.

In one or more GPOs that you create and link to workstation and member server OUs in each domain, add each domain's Administrator account to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

  • Deny access to this computer from the network

  • Deny log on as a batch job

  • Deny log on as a service

  • Deny log on through Remote Desktop Services

Note

When you add Administrator accounts to this setting, you must specify whether you are configuring local Administrator accounts or domain Administrator accounts. For example, to add the NWTRADERS domain's Administrator account to these deny rights, you must either type the account as NWTRADERS\Administrator, or browse to the Administrator account for the NWTRADERS domain. If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied.

We recommend restricting local Administrator accounts on member servers and workstations in the same manner as domain-based Administrator accounts. Therefore, you should generally add the Administrator account for each domain in the forest and the Administrator account for the local computer to these user rights settings. The following screenshot shows an example of configuring these user rights to block local Administrator accounts and a domain's Administrator account from performing logons that should not be needed for these accounts.

(Screenshot: least-privilege administrative model)

Configuring GPOs to Restrict Administrator Accounts on Domain Controllers

In each domain in the forest, the Default Domain Controllers policy or a policy linked to the Domain Controllers OU should be modified to add each domain's Administrator account to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

  • Deny access to this computer from the network

  • Deny log on as a batch job

  • Deny log on as a service

  • Deny log on through Remote Desktop Services

Note

These settings will ensure that the local Administrator account cannot be used to connect to a domain controller, although the account, if enabled, can log on locally to domain controllers. Because this account should only be enabled and used in disaster-recovery scenarios, it is anticipated that physical access to at least one domain controller will be available, or that other accounts with permissions to access domain controllers remotely can be used.
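The three GPO sections above (member servers and workstations with the local Administrator account, the same with each domain's Administrator account, and domain controllers) all end in the same four deny rights, and the article asks that the settings be tested before production use. The following PowerShell is an added example, not code from the original article, that verifies the result on one computer after Group Policy has applied: it exports the effective user rights with secedit and checks that every deny right contains the RID-500 account of the local machine and of each domain in the forest (on a domain controller the local account is the domain's account). It assumes the ActiveDirectory module is available where it runs and must be run elevated, after gpupdate /force.

```powershell
# Added example (not from the original article). After the GPO has applied
# (run gpupdate /force first), export the effective user rights on this computer
# and check that every "Deny ..." right below lists the local Administrator
# account (RID 500) and the Administrator account (RID 500) of each domain in
# the forest. On a domain controller the local account is the domain's account.
# Assumes the ActiveDirectory module is installed here; run elevated.
Import-Module ActiveDirectory

# Internal names of the four user rights listed in the sections above.
$denyRights = @{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# Build the set of RID-500 SIDs that should appear in each deny right.
$expected = @{}
foreach ($d in (Get-ADForest).Domains) {
    $expected["$d\Administrator (RID 500)"] = "$((Get-ADDomain -Server $d).DomainSID.Value)-500"
}
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4   # 4/5 = backup/primary DC
if (-not $isDc) {
    $local = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    $expected["$env:COMPUTERNAME\$($local.Name) (local RID 500)"] = $local.SID
}

# secedit writes an INI-style file; each right appears as
#   SeDenyNetworkLogonRight = *S-1-5-21-...-500,*S-1-5-21-...-500
# (SIDs prefixed with *, or bare names where a name could not be resolved).
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = @($matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# One row per right and expected account; Missing = True needs attention.
$results = foreach ($right in $denyRights.Keys) {
    foreach ($label in $expected.Keys) {
        [pscustomobject]@{
            Right   = $denyRights[$right]
            Account = $label
            Missing = -not ($assigned[$right] -contains $expected[$label])
        }
    }
}
$results | Sort-Object Right, Account | Format-Table -AutoSize
if ($results.Missing -contains $true) {
    Write-Warning 'One or more Administrator accounts are not restricted; check the GPO links with gpresult /r.'
}
```

Comparing by SID rather than by name is deliberate: a renamed Administrator account still carries RID 500, so the check cannot be fooled by renaming, and an entry that secedit could not resolve to a SID shows up as a bare name and is correctly reported as missing.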

Configure Auditing of Built-in Administrator Accounts

When you have secured each domain's Administrator account and disabled it, you should configure auditing to monitor for changes to the account. If the account is enabled, its password is reset, or any other modifications are made to the account, alerts should be sent to the users or teams responsible for administration of AD DS, in addition to incident response teams in your organization.

Securing Administrators, Domain Admins and Enterprise Admins Groups

Securing Enterprise Admins Groups

The Enterprise Admins group, which is housed in the forest root domain, should contain no users on a day-to-day basis, with the possible exception of the domain's built-in Administrator account, provided it is secured as described earlier and in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

When EA access is required, the users whose accounts require EA rights and permissions should be temporarily placed into the Enterprise Admins group. While users are using the highly privileged accounts, their activities should be audited and preferably performed with one user performing the changes and another user observing the changes, to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have been completed, the accounts should be removed from the EA group. This can be achieved via manual procedures and documented processes, third-party privileged identity/access management (PIM/PAM) software, or a combination of both. Guidelines for creating accounts that can be used to control the membership of privileged groups in Active Directory are provided in Attractive Accounts for Credential Theft, and detailed instructions are provided in Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory.

Enterprise Admins are, by default, members of the built-in Administrators group in each domain in the forest. Removing the Enterprise Admins group from the Administrators groups in each domain is an inappropriate modification, because in the event of a forest disaster-recovery scenario, EA rights will likely be required. If the Enterprise Admins group has been removed from Administrators groups in a forest, it should be added back to the Administrators group in each domain, and the following additional controls should be implemented:

  • As described earlier, the Enterprise Admins group should contain no users on a day-to-day basis, with the possible exception of the forest root domain's Administrator account, which should be secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

  • In GPOs linked to OUs containing member servers and workstations in each domain, the EA group should be added to the following user rights:

    • Deny access to this computer from the network

    • Deny log on as a batch job

    • Deny log on as a service

    • Deny log on locally

    • Deny log on through Remote Desktop Services

This will prevent members of the EA group from logging on to member servers and workstations. If jump servers are used to administer domain controllers and Active Directory, ensure that the jump servers are located in an OU to which the restrictive GPOs are not linked.

  • Auditing should be configured to send alerts if any modifications are made to the properties or membership of the EA group. These alerts should be sent, at a minimum, to users or teams responsible for Active Directory administration and incident response. You should also define processes and procedures for temporarily populating the EA group, including notification procedures for when legitimate population of the group is performed.

Securing Domain Admins Groups

As is the case with the Enterprise Admins group, membership in Domain Admins groups should be required only in build or disaster-recovery scenarios. There should be no day-to-day user accounts in the DA group with the exception of the local Administrator account for the domain, if it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

When DA access is required, the accounts needing this level of access should be temporarily placed in the DA group for the domain in question. Although the users are using the highly privileged accounts, activities should be audited and preferably performed with one user performing the changes and another user observing the changes to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have been completed, the accounts should be removed from the Domain Admins group. This can be achieved via manual procedures and documented processes, via third-party privileged identity/access management (PIM/PAM) software, or a combination of both. Guidelines for creating accounts that can be used to control the membership of privileged groups in Active Directory are provided in Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory.

Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains. This default nesting should not be modified because it affects supportability and disaster recovery options. If Domain Admins groups have been removed from the local Administrators groups on the member servers, they should be added to the Administrators group on each member server and workstation in the domain via restricted group settings in linked GPOs. The following general controls, which are described in depth in Appendix F: Securing Domain Admins Groups in Active Directory, should also be implemented.

For the Domain Admins group in each domain in the forest:

  1. Remove all members from the DA group, with the possible exception of the built-in Administrator account for the domain, provided it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

  2. In GPOs linked to OUs containing member servers and workstations in each domain, the DA group should be added to the following user rights:

    • Deny access to this computer from the network

    • Deny log on as a batch job

    • Deny log on as a service

    • Deny log on locally

    • Deny log on through Remote Desktop Services

    This will prevent members of the DA group from logging on to member servers and workstations. If jump servers are used to administer domain controllers and Active Directory, ensure that jump servers are located in an OU to which the restrictive GPOs are not linked.

  3. Auditing should be configured to send alerts if any modifications are made to the properties or membership of the DA group. These alerts should be sent, at a minimum, to users or teams responsible for AD DS administration and incident response. You should also define processes and procedures for temporarily populating the DA group, including notification procedures when legitimate population of the group is performed.

Securing Administrators Groups in Active Directory

As is the case with the EA and DA groups, membership in the Administrators (BA) group should be required only in build or disaster-recovery scenarios. There should be no day-to-day user accounts in the Administrators group with the exception of the local Administrator account for the domain, if it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

When Administrators access is required, the accounts needing this level of access should be temporarily placed in the Administrators group for the domain in question. Although the users are using the highly privileged accounts, activities should be audited and, preferably, performed with one user performing the changes and another user observing the changes to minimize the likelihood of inadvertent misuse or misconfiguration. When the activities have been completed, the accounts should immediately be removed from the Administrators group. This can be achieved via manual procedures and documented processes, via third-party privileged identity/access management (PIM/PAM) software, or a combination of both.

Administrators are, by default, the owners of most of the AD DS objects in their respective domains. Membership in this group may be required in build and disaster recovery scenarios in which ownership or the ability to take ownership of objects is required. Additionally, DAs and EAs inherit a number of their rights and permissions by virtue of their default membership in the Administrators group. Default group nesting for privileged groups in Active Directory should not be modified, and each domain's Administrators group should be secured as described in Appendix G: Securing Administrators Groups in Active Directory, and in the general instructions below.

  1. Remove all members from the Administrators group, with the possible exception of the local Administrator account for the domain, provided it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.

  2. Members of the domain's Administrators group should never need to log on to member servers or workstations. In one or more GPOs linked to workstation and member server OUs in each domain, the Administrators group should be added to the following user rights:

    • Deny access to this computer from the network

    • Deny log on as a batch job

    • Deny log on as a service

    This will prevent members of the Administrators group from being used to log on or connect to member servers or workstations (unless multiple controls are first breached), where their credentials could be cached and thereby compromised. A privileged account should never be used to log on to a less-privileged system, and enforcing these controls affords protection against a number of attacks.

  3. At the domain controllers OU in each domain in the forest, the Administrators group should be granted the following user rights (if they do not already have these rights), which will allow the members of the Administrators group to perform functions necessary for a forest-wide disaster recovery scenario:

    • Access this computer from the network

    • Allow log on locally

    • Allow log on through Remote Desktop Services

  4. Auditing should be configured to send alerts if any modifications are made to the properties or membership of the Administrators group. These alerts should be sent, at a minimum, to members of the team responsible for AD DS administration. Alerts should also be sent to members of the security team, and procedures should be defined for modifying the membership of the Administrators group. Specifically, these processes should include a procedure by which the security team is notified when the Administrators group is going to be modified so that when alerts are sent, they are expected and an alarm is not raised. Additionally, processes to notify the security team when the use of the Administrators group has been completed and the accounts used have been removed from the group should be implemented.
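The membership and auditing controls above for the EA, DA and Administrators groups can be checked with a script such as the following. It is an added example, not code from the original guide; it assumes the ActiveDirectory RSAT module, an account that can read group membership in every domain of the forest, and read access to the Security log on each domain controller.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory
# RSAT module, read access to group membership in every domain of the forest,
# and read access to the Security log on the domain controllers.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain

function Get-PrivilegedGroupReport {
    # One object per (recursive) member of Enterprise Admins, Domain Admins and
    # Administrators in every domain. Enterprise Admins exists only in the
    # forest root. The only member tolerated day to day is the built-in
    # Administrator account, recognisable by its relative identifier (RID) 500.
    foreach ($domain in $forest.Domains) {
        $groupNames = @('Domain Admins', 'Administrators')
        if ($domain -eq $rootDomain) { $groupNames += 'Enterprise Admins' }
        foreach ($name in $groupNames) {
            Get-ADGroupMember -Identity $name -Server $domain -Recursive |
                ForEach-Object {
                    [pscustomobject]@{
                        Domain         = $domain
                        Group          = $name
                        Member         = $_.SamAccountName
                        ObjectClass    = $_.objectClass
                        IsBuiltInAdmin = ($_.objectClass -eq 'user' -and $_.SID.Value -like '*-500')
                    }
                }
        }
    }
}

function Get-PrivilegedGroupChangeEvents {
    # Membership changes are logged on the domain controller that processed
    # them, so this has to be run against every DC, not only the PDC emulator.
    param([string]$DomainController, [int]$Hours = 24)
    # 4728/4729: member added to / removed from a global group (Domain Admins)
    # 4756/4757: universal group (Enterprise Admins)
    # 4732/4733: domain-local group (Administrators)
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4732, 4733, 4756, 4757
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']       # distinguished name of the account
                ChangedBy = $data['SubjectUserName']
                DC        = $DomainController
            }
        } |
        Where-Object { $_.Group -in 'Enterprise Admins', 'Domain Admins', 'Administrators' }
}

# Anything listed here is a standing member and should be removed (or be the
# subject of a documented build/recovery window):
Get-PrivilegedGroupReport | Where-Object { -not $_.IsBuiltInAdmin } | Format-Table -AutoSize

# Membership changes in the last 24 hours, collected from every DC in the forest.
# Each row should correspond to a notification the security team already expects.
$changes = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        Get-PrivilegedGroupChangeEvents -DomainController $dc.HostName
    }
}
$changes | Sort-Object Time | Format-Table -AutoSize
```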

Note

When you implement restrictions on the Administrators group in GPOs, Windows applies the settings to members of a computer's local Administrators group in addition to the domain's Administrators group. Therefore, you should use caution when implementing restrictions on the Administrators group. Although prohibiting network, batch and service logons for members of the Administrators group is advised wherever it is feasible to implement, do not restrict local logons or logons through Remote Desktop Services. Blocking these logon types can block legitimate administration of a computer by members of the local Administrators group. The following screenshot shows configuration settings that block misuse of built-in local and domain Administrator accounts, in addition to misuse of built-in local or domain Administrators groups. Note that the Deny log on through Remote Desktop Services user right does not include the Administrators group, because including it in this setting would also block these logons for accounts that are members of the local computer's Administrators group. If services on computers are configured to run in the context of any of the privileged groups described in this section, implementing these settings can cause services and applications to fail. Therefore, as with all of the recommendations in this section, you should thoroughly test settings for applicability in your environment.

[Screenshot: least privilege admin models]
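To confirm on a member server or workstation that the deny rights above actually took effect, and to catch the lockout the note warns about, the following added script (not from the original guide) exports the effective local policy with secedit.exe and checks the [Privilege Rights] section. It assumes an elevated session, that the host's own domain holds the Domain Admins group, and that you pass the forest root's NetBIOS name when the host is not in the forest root.

```powershell
# Added example, not part of the original guide. Run elevated on a member
# server or workstation after gpupdate. The forest root NetBIOS name is an
# assumption; pass it when the host's domain is not the forest root.

function ConvertTo-Sid {
    param([string]$Principal)
    # secedit writes most principals as *S-1-5-... and a few as account names
    if ($Principal -match '^\*?(S-1-[\d-]+)$') { return $Matches[1] }
    try {
        ([System.Security.Principal.NTAccount]$Principal).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $Principal }
}

function Get-LocalUserRights {
    # Hashtable: privilege name -> array of SIDs that hold it on this host
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        # Lines look like: SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-21-...-519
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { ConvertTo-Sid $_.Trim() })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    $rights
}

function Test-PrivilegedDenyRights {
    param(
        [string]$DomainNetbios     = $env:USERDOMAIN,
        [string]$ForestRootNetbios = $env:USERDOMAIN
    )
    $rights = Get-LocalUserRights
    $ea = ConvertTo-Sid "$ForestRootNetbios\Enterprise Admins"
    $da = ConvertTo-Sid "$DomainNetbios\Domain Admins"
    $ba = 'S-1-5-32-544'   # well-known SID shared by the local and the domain Administrators group

    # EA and DA should hold all five deny rights on member servers and workstations
    $denyAll = 'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight',
               'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($right in $denyAll) {
        foreach ($p in @(@{ Name = 'Enterprise Admins'; Sid = $ea }, @{ Name = 'Domain Admins'; Sid = $da })) {
            [pscustomobject]@{
                Right     = $right
                Principal = $p.Name
                Status    = if (@($rights[$right]) -contains $p.Sid) { 'OK' } else { 'MISSING' }
            }
        }
    }
    # Administrators: only the network, batch and service denies are advised
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight') {
        [pscustomobject]@{
            Right     = $right
            Principal = 'Administrators'
            Status    = if (@($rights[$right]) -contains $ba) { 'OK' } else { 'MISSING' }
        }
    }
    # Because S-1-5-32-544 is also the *local* Administrators group, denying it
    # local or Remote Desktop logon would lock out legitimate local administration
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        if (@($rights[$right]) -contains $ba) {
            [pscustomobject]@{ Right = $right; Principal = 'Administrators'; Status = 'LOCKOUT-RISK' }
        }
    }
}

Test-PrivilegedDenyRights | Format-Table -AutoSize
```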

Role-Based Access Controls (RBAC) for Active Directory

Generally speaking, role-based access controls (RBAC) are a mechanism for grouping users and providing access to resources based on business rules. In the case of Active Directory, implementing RBAC for AD DS is the process of creating roles to which rights and permissions are delegated to allow members of the role to perform day-to-day administrative tasks without granting them excessive privilege. RBAC for Active Directory can be designed and implemented via native tooling and interfaces, by leveraging software you may already own, by purchasing third-party products, or any combination of these approaches. This section does not provide step-by-step instructions to implement RBAC for Active Directory, but instead discusses factors you should consider in choosing an approach to implementing RBAC in your AD DS installations.

Native Approaches to RBAC for Active Directory

In the simplest RBAC implementation, you can implement roles as AD DS groups and delegate rights and permissions to the groups that allow them to perform daily administration within the designated scope of the role.

In some cases, existing security groups in Active Directory can be used to grant rights and permissions appropriate to a job function. For example, if specific employees in your IT organization are responsible for the management and maintenance of DNS zones and records, delegating those responsibilities can be as simple as creating an account for each DNS administrator and adding it to the DNS Admins group in Active Directory. The DNS Admins group, unlike more highly privileged groups, has few powerful rights across Active Directory, although members of this group have been delegated permissions that allow them to administer DNS.

In other cases, you may need to create security groups and delegate rights and permissions to Active Directory objects, file system objects, and registry objects to allow members of the groups to perform designated administrative tasks. For example, if your Help Desk operators are responsible for resetting forgotten passwords, assisting users with connectivity problems, and troubleshooting application settings, you may need to combine delegation settings on user objects in Active Directory with privileges that allow Help Desk users to connect remotely to users' computers to view or modify the users' configuration settings. For each role you define, you should identify:

  1. Which tasks members of the role perform on a day-to-day basis and which tasks are less frequently performed.

  2. On which systems and in which applications members of a role should be granted rights and permissions.

  3. Which users should be granted membership in a role.

  4. How management of role memberships will be performed.

In many environments, manually creating role-based access controls for administration of an Active Directory environment can be challenging to implement and maintain. If you have clearly defined roles and responsibilities for administration of your IT infrastructure, you may want to leverage additional tooling to assist you in creating a manageable native RBAC deployment. For example, if Forefront Identity Manager (FIM) is in use in your environment, you can use FIM to automate the creation and population of administrative roles, which can ease ongoing administration. If you use System Center Configuration Manager (SCCM) and System Center Operations Manager (SCOM), you can use application-specific roles to delegate management and monitoring functions, and also enforce consistent configuration and auditing across systems in the domain. If you have implemented a public key infrastructure (PKI), you can issue and require smart cards for IT staff responsible for administering the environment. With FIM Credential Management (FIM CM), you can even combine management of roles and credentials for your administrative staff.

In other cases, it may be preferable for an organization to consider deploying third-party RBAC software that provides "out-of-box" functionality. Commercial, off-the-shelf (COTS) solutions for RBAC for Active Directory, Windows, and non-Windows directories and operating systems are offered by a number of vendors. When choosing between native solutions and third-party products, you should consider the following factors:

  1. Budget: By investing in development of RBAC using software and tools you may already own, you can reduce the software costs involved in deploying a solution. However, unless you have staff who are experienced in creating and deploying native RBAC solutions, you may need to engage consulting resources to develop your solution. You should carefully weigh the anticipated costs for a custom-developed solution with the costs to deploy an "out-of-box" solution, particularly if your budget is limited.

  2. Composition of the IT environment: If your environment is comprised primarily of Windows systems, or if you are already leveraging Active Directory for management of non-Windows systems and accounts, custom native solutions may provide the optimal solution for your needs. If your infrastructure contains many systems that are not running Windows and are not managed by Active Directory, you may need to consider options for management of non-Windows systems separately from the Active Directory environment.

  3. Privilege model in the solution: If a product relies on placement of its service accounts into highly privileged groups in Active Directory and does not offer options that do not require excessive privilege be granted to the RBAC software, you have not really reduced your Active Directory attack surface; you've only changed the composition of the most privileged groups in the directory. Unless an application vendor can provide controls for service accounts that minimize the probability of the accounts being compromised and maliciously used, you may want to consider other options.
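The Help Desk password-reset role from the example above can be built natively as a security group plus two inheritable ACEs on the target OU. This is an added example, not the guide's own code; the group name and OU distinguished names are placeholders, and it assumes the ActiveDirectory RSAT module and an account permitted to create the group and modify the OU's ACL.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory
# RSAT module and an account allowed to create groups and modify the OU's ACL.
# Group name and OU distinguished names are placeholders.
Import-Module ActiveDirectory

# Control-access-right and schema GUIDs; these are fixed across all forests.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute pwdLastSet
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class "user"

function New-PasswordResetRole {
    param(
        [string]$GroupName = 'Role-HelpDesk-PasswordReset',        # placeholder
        [string]$GroupOu   = 'OU=Admin Roles,DC=corp,DC=example',  # placeholder
        [string]$TargetOu  = 'OU=Staff,DC=corp,DC=example'         # placeholder
    )
    # 1. The role is an ordinary global security group with no rights of its own
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Path $GroupOu -PassThru
    }
    $sid = [System.Security.Principal.SecurityIdentifier]$group.SID.Value

    # 2. Two ACEs on the target OU, inherited by descendant user objects only:
    #    the Reset Password extended right, and read/write on pwdLastSet so the
    #    operator can tick "User must change password at next logon".
    #    Nothing here grants rights on groups, computers or the OU itself.
    $aclPath = "AD:\$TargetOu"
    $acl     = Get-Acl -Path $aclPath
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $ResetPasswordRight, $inherit, $UserClass)))
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $PwdLastSetAttr, $inherit, $UserClass)))
    Set-Acl -Path $aclPath -AclObject $acl
    $group
}

function Get-RoleDelegation {
    # Lists the ACEs the role holds on the OU, for review and periodic re-audit
    param([string]$GroupName, [string]$TargetOu)
    (Get-Acl -Path "AD:\$TargetOu").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType
}

$role = New-PasswordResetRole
Add-ADGroupMember -Identity $role -Members 'helpdesk.operator01'   # placeholder account
Get-RoleDelegation -GroupName $role.Name -TargetOu 'OU=Staff,DC=corp,DC=example' | Format-Table
```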

Privileged Identity Management

Privileged identity management (PIM), sometimes referred to as privileged account management (PAM) or privileged credential management (PCM), is the design, construction, and implementation of approaches to managing privileged accounts in your infrastructure. Generally speaking, PIM provides mechanisms by which accounts are granted temporary rights and permissions required to perform build-or-break fix functions, rather than leaving privileges permanently attached to accounts. Whether PIM functionality is manually created or is implemented via the deployment of third-party software, one or more of the following features may be available:

  • Credential "vaults," where passwords for privileged accounts are "checked out" and assigned an initial password, then "checked in" when activities have been completed, at which time passwords are again reset on the accounts.

  • Time-bound restrictions on the use of privileged credentials

  • One-time-use credentials

  • Workflow-generated granting of privilege with monitoring and reporting of activities performed and automatic removal of privilege when activities are completed or allotted time has expired

  • Replacement of hard-coded credentials such as user names and passwords in scripts with application programming interfaces (APIs) that allow credentials to be retrieved from vaults as needed

  • Automatic management of service account credentials
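The time-bound grant and automatic removal described here, which the EA and DA sections earlier call for, can be implemented natively on Windows Server 2016 with the Privileged Access Management optional feature and TTL-based group membership. This is an added example, not the guide's own code; it assumes a Windows Server 2016 forest functional level, the ActiveDirectory RSAT module, and an account permitted to modify the target group, and the account and change-reference values are placeholders.

```powershell
# Added example, not part of the original guide. Assumes Windows Server 2016
# forest functional level, the ActiveDirectory RSAT module, and an account that
# may modify the target group. Enabling the optional feature cannot be undone.
Import-Module ActiveDirectory

function Enable-TemporaryMembership {
    # One-time forest preparation that turns on expiring (TTL) group links
    $forest = Get-ADForest
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

function Grant-TemporaryPrivilege {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Group   = 'Domain Admins',
        [int]   $Minutes = 60,
        [Parameter(Mandatory)][string]$Reason   # change or incident reference for the audit trail
    )
    $ttl = New-TimeSpan -Minutes $Minutes
    # The membership, and the Kerberos tickets issued on the strength of it,
    # expire when the TTL runs out; nobody has to remember to remove the account.
    Add-ADGroupMember -Identity $Group -Members $SamAccountName -MemberTimeToLive $ttl
    # Record returned to the caller so the grant can be logged alongside the
    # notification the security team expects before the 4728/4756 alert fires
    [pscustomobject]@{
        Account   = $SamAccountName
        Group     = $Group
        GrantedBy = $env:USERNAME
        GrantedAt = Get-Date
        ExpiresAt = (Get-Date).Add($ttl)
        Reason    = $Reason
    }
}

function Get-TemporaryMembers {
    param([string]$Group = 'Domain Admins')
    # With -ShowMemberTimeToLive, expiring members are rendered as "<TTL=seconds>,<DN>"
    $members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
    foreach ($m in $members) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{
                Group            = $Group
                MemberDn         = $Matches[2]
                SecondsRemaining = [int]$Matches[1]
                ExpiresAt        = (Get-Date).AddSeconds([int]$Matches[1])
            }
        } else {
            # A permanent entry: outside a build or recovery window this is a finding
            [pscustomobject]@{
                Group            = $Group
                MemberDn         = $m
                SecondsRemaining = $null
                ExpiresAt        = 'PERMANENT'
            }
        }
    }
}

# Grant 30 minutes of Domain Admins to a management account, then list what is
# in the group and when each entry expires.
Grant-TemporaryPrivilege -SamAccountName 'pim.admin01' -Minutes 30 -Reason 'CHG-PLACEHOLDER'
Get-TemporaryMembers -Group 'Domain Admins' | Format-Table -AutoSize
```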

Creating Unprivileged Accounts to Manage Privileged Accounts

One of the challenges in managing privileged accounts is that, by default, the accounts that can manage privileged and protected accounts and groups are privileged and protected accounts. If you implement appropriate RBAC and PIM solutions for your Active Directory installation, the solutions may include approaches that allow you to effectively depopulate the membership of the most privileged groups in the directory, populating the groups only temporarily and when needed.

If you implement native RBAC and PIM, however, you should consider creating accounts that have no privilege and with the only function of populating and depopulating privileged groups in Active Directory when needed. Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory provides step-by-step instructions that you can use to create accounts for this purpose.

Implementing Robust Authentication Controls

Law Number Six: There really is someone out there trying to guess your passwords. - 10 Immutable Laws of Security Administration

Pass-the-hash and other credential theft attacks are not specific to Windows operating systems, nor are they new. The first pass-the-hash attack was created in 1997. Historically, however, these attacks required customized tools, were hit-or-miss in their success, and required attackers to have a relatively high degree of skill. The introduction of freely available, easy-to-use tooling that natively extracts credentials has resulted in an exponential increase in the number and success of credential theft attacks in recent years. However, credential theft attacks are by no means the only mechanisms by which credentials are targeted and compromised.

Although you should implement controls to help protect you against credential theft attacks, you should also identify the accounts in your environment that are most likely to be targeted by attackers, and implement robust authentication controls for those accounts. If your most privileged accounts are using single factor authentication such as user names and passwords (both are "something you know," which is one authentication factor), those accounts are weakly protected. All that an attacker needs is knowledge of the user name and knowledge of the password associated with the account, and pass-the-hash attacks are not required; the attacker can authenticate as the user to any systems that accept single factor credentials.

Although implementing multifactor authentication does not protect you against pass-the-hash attacks, implementing multifactor authentication in combination with protected systems can. More information about implementing protected systems is provided in Implementing Secure Administrative Hosts, and authentication options are discussed in the following sections.

General Authentication Controls

If you have not already implemented multifactor authentication such as smart cards, consider doing so. Smart cards implement hardware-enforced protection of private keys in a public-private key pair, preventing a user's private key from being accessed or used unless the user presents the proper PIN, passcode, or biometric identifier to the smart card. Even if a user's PIN or passcode is intercepted by a keystroke logger on a compromised computer, for an attacker to reuse the PIN or passcode, the card must also be physically present.

In cases in which long, complex passwords have proven difficult to implement because of user resistance, smart cards provide a mechanism by which users may implement relatively simple PINs or passcodes without the credentials being susceptible to brute force or rainbow table attacks. Smart card PINs are not stored in Active Directory or in local SAM databases, although credential hashes may still be stored in LSASS protected memory on computers on which smart cards have been used for authentication.

Additional Controls for VIP Accounts

Another benefit of implementing smart cards or other certificate-based authentication mechanisms is the ability to leverage Authentication Mechanism Assurance to protect sensitive data that is accessible to VIP users. Authentication Mechanism Assurance is available in domains in which the functional level is set to Windows Server 2012 or Windows Server 2008 R2. When it is enabled, Authentication Mechanism Assurance adds an administrator-designated global group membership to a user's Kerberos token when the user's credentials are authenticated during logon using a certificate-based logon method.

This makes it possible for resource administrators to control access to resources, such as files, folders, and printers, based on whether the user logs on using a certificate-based logon method, in addition to the type of certificate used. For example, when a user logs on by using a smart card, the user's access to resources on the network can be specified as different from what the access is when the user does not use a smart card (that is, when the user logs on by entering a user name and password). For more information about Authentication Mechanism Assurance, see the Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide.

Configuring Privileged Account Authentication

In Active Directory, for all administrative accounts, enable the Require smart card for interactive logon attribute, and audit for changes to, at a minimum, any of the attributes on the Account tab of administrative user objects (for example, cn, name, sAMAccountName, userPrincipalName, and userAccountControl).

Although setting Require smart card for interactive logon on accounts resets the account's password to a 120-character random value and requires smart cards for interactive logons, the attribute can still be overwritten by users with permissions that allow them to change passwords on the accounts, and the accounts can then be used to establish noninteractive logons with only user name and password.

In other cases, depending on the configuration of accounts in Active Directory and certificate settings in Active Directory Certificate Services (AD CS) or a third-party PKI, User Principal Name (UPN) attributes for administrative or VIP accounts can be targeted for a specific kind of attack, as described here.

適用於憑證詐騙 UPN 劫持UPN Hijacking for Certificate Spoofing

Although a thorough discussion of attacks against public key infrastructures (PKIs) is outside the scope of this document, attacks against public and private PKIs have increased exponentially since 2008. Breaches of public PKIs have been broadly publicized, but attacks against an organization's internal PKI are perhaps even more prolific. One such attack leverages Active Directory and certificates to let an attacker spoof the credentials of other accounts in a manner that can be difficult to detect.

When a certificate is presented for authentication to a domain-joined system, the contents of the Subject or the Subject Alternative Name (SAN) attribute in the certificate are used to map the certificate to a user object in Active Directory. Depending on the type of certificate and how it is constructed, the Subject attribute typically contains the user's common name (CN), as shown in the following screenshot.

[Screenshot: least-privilege administrative models; the certificate Subject shows the user's CN, and the bottom pane shows the account's distinguished name]

By default, Active Directory constructs a user's CN by concatenating the account's first name + " " + last name. However, the CN components of user objects in Active Directory are not required or guaranteed to be unique, and moving a user account to a different location in the directory changes the account's distinguished name (DN), which is the full path to the object in the directory, as shown in the bottom pane of the previous screenshot.

Because certificate subject names are not guaranteed to be static or unique, the contents of the Subject Alternative Name are often used to locate the user object in Active Directory. The SAN attribute of certificates issued to users by enterprise certification authorities (Active Directory integrated CAs) typically contains the user's UPN or email address. Because UPNs are guaranteed to be unique within an AD DS forest, locating a user object by UPN is commonly performed as part of authentication, whether or not certificates are involved in the authentication process.

The use of UPNs in the SAN attribute of authentication certificates can be leveraged by attackers to obtain fraudulent certificates. If an attacker has compromised an account that can read and write UPNs on user objects, the attack is implemented as follows:

The UPN attribute on a user object (such as a VIP user) is temporarily changed to a different value. The SAM account name attribute and CN can also be changed at this time, although this is usually not necessary for the reasons described earlier.

Once the UPN attribute on the target account has been changed, the UPN attribute of a stale, enabled user account or of a freshly created user account is changed to the value that was originally assigned to the target account. Stale, enabled user accounts are accounts that have not logged on for a long period of time but have not been disabled. They are targeted by attackers who intend to "hide in plain sight" for the following reasons:

  1. Because the account is enabled but has not been used recently, using it is unlikely to trigger alerts the way that enabling a disabled user account might.

  2. Using an existing account does not require creating a new user account, which administrative staff might notice.

  3. Stale user accounts that are still enabled are usually members of various security groups and are granted access to resources on the network, which simplifies access and helps the attacker "blend in" with the existing user population.

The user account on which the target UPN has now been configured is used to request one or more certificates from Active Directory Certificate Services.

When certificates have been obtained for the attacker's account, the UPNs on the "new" account and on the target account are returned to their original values.

The attacker now has one or more certificates that can be presented for authentication to resources and applications as if the attacker were the VIP user whose account was temporarily modified. Although a full discussion of all the ways in which certificates and PKI can be targeted by attackers is outside the scope of this document, this attack mechanism illustrates why you should monitor privileged and VIP accounts in AD DS for changes, particularly changes to any of the attributes on the Account tab for the account (for example, cn, name, sAMAccountName, userPrincipalName, and userAccountControl). In addition to monitoring the accounts, you should restrict who can modify them to as small a set of administrative users as possible. Likewise, the accounts of administrative users should be protected and monitored for unauthorized changes.
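As an added example (not part of this guide), the following Python script shows how the UPN-transfer step of the attack described above can be spotted in Directory Service Changes audit data: a userPrincipalName value that is removed from one object and added to a different object within a short window. The event records are constructed to mimic the fields of Security event ID 5136; the field names, object DNs and the helpdesk actor are assumptions.

```python
from datetime import datetime, timedelta

# OperationType codes that event ID 5136 uses for a value being added or removed.
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

def upn_change(time, obj, old, new, actor="CORP\\helpdesk7"):
    """One UPN edit is audited as a Value Deleted record plus a Value Added record."""
    base = {"time": time, "object": obj, "attr": "userPrincipalName", "actor": actor}
    return [dict(base, op=VALUE_DELETED, value=old), dict(base, op=VALUE_ADDED, value=new)]

# Hypothetical object DNs used only for this example.
VIP = "CN=Ann Vip,OU=Execs,DC=corp,DC=example"
STALE = "CN=Old Intern,OU=Stale,DC=corp,DC=example"
BOB = "CN=Bob Smith,OU=Staff,DC=corp,DC=example"

# Constructed sample events (not real audit data): the VIP's UPN is parked on a stale
# account for 20 minutes and then both accounts are restored; Bob's rename is benign.
EVENTS = (
    upn_change("2024-05-01T09:00:05", VIP, "ann.vip@corp.example", "ann.vip.tmp@corp.example")
    + upn_change("2024-05-01T09:00:40", STALE, "old.intern@corp.example", "ann.vip@corp.example")
    + upn_change("2024-05-01T09:20:10", STALE, "ann.vip@corp.example", "old.intern@corp.example")
    + upn_change("2024-05-01T09:20:30", VIP, "ann.vip.tmp@corp.example", "ann.vip@corp.example")
    + upn_change("2024-05-01T10:00:00", BOB, "bsmith@corp.example", "bob.smith@corp.example")
)

def find_upn_transfers(events, window=timedelta(hours=24)):
    """Flag a UPN value that is removed from one object and added to a different
    object within `window`. A normal rename puts a new value on the same object and
    is not flagged; both the transfer and the later revert are."""
    removed = {}   # upn value -> (time it was removed, object it was removed from)
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):   # stable sort keeps Deleted before Added
        if e["attr"] != "userPrincipalName":
            continue
        t = datetime.fromisoformat(e["time"])
        if e["op"] == VALUE_DELETED:
            removed[e["value"]] = (t, e["object"])
        elif e["op"] == VALUE_ADDED and e["value"] in removed:
            t_removed, source = removed.pop(e["value"])
            if source != e["object"] and t - t_removed <= window:
                alerts.append({"upn": e["value"], "from": source, "to": e["object"],
                               "at": e["time"], "by": e["actor"]})
    return alerts

if __name__ == "__main__":
    for a in find_upn_transfers(EVENTS):
        print(f"{a['at']}: UPN {a['upn']} moved {a['from']} -> {a['to']} by {a['by']}")
```

On the sample data the script raises two alerts, one for the transfer to the stale account and one for the revert; the benign rename of Bob's account is ignored because the new value lands on the same object.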