Implementing Secure Administrative Hosts

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Secure administrative hosts are workstations or servers that have been configured specifically for the purpose of creating secure platforms from which privileged accounts can perform administrative tasks in Active Directory or on domain controllers, domain-joined systems, and applications running on domain-joined systems. In this context, "privileged accounts" refers not only to accounts that are members of the most privileged groups in Active Directory, but to any accounts that have been delegated rights and permissions that allow administrative tasks to be performed.

These accounts may be Help Desk accounts that have the ability to reset passwords for most of the users in a domain, accounts that are used to administer DNS records and zones, or accounts that are used for configuration management. Secure administrative hosts are dedicated to administrative functionality, and they do not run software such as email applications, web browsers, or productivity software such as Microsoft Office.

Although the "most privileged" accounts and groups should accordingly be the most stringently protected, this does not eliminate the need to protect any accounts and groups to which privileges above those of standard user accounts have been granted.

A secure administrative host can be a dedicated workstation that is used only for administrative tasks, a member server that runs the Remote Desktop Gateway server role and to which IT users connect to perform administration of destination hosts, or a server that runs the Hyper-V role and provides a unique virtual machine for each IT user to use for their administrative tasks. In many environments, a combination of all three approaches is implemented.

Implementing secure administrative hosts requires planning and configuration that is consistent with your organization's size, administrative practices, risk appetite, and budget. Considerations and options for implementing secure administrative hosts are provided here for you to use in developing an administrative strategy suitable for your organization.

Principles for Creating Secure Administrative Hosts

To effectively secure systems against attacks, a few general principles should be kept in mind:

  1. You should never administer a trusted system (that is, a secure server such as a domain controller) from a less-trusted host (that is, a workstation that is not secured to the same degree as the systems it manages).

  2. You should not rely on a single authentication factor when performing privileged activities; that is, user name and password combinations should not be considered acceptable authentication because only a single factor (something you know) is represented. You should also consider where credentials are generated and cached or stored in administrative scenarios.

  3. Although most attacks in the current threat landscape leverage malware and malicious hacking, do not omit physical security when designing and implementing secure administrative hosts.

Account Configuration

Even if your organization does not currently use smart cards, you should consider implementing them for privileged accounts and secure administrative hosts. Administrative hosts should be configured to require smart card logon for all accounts by modifying the following setting in a GPO that is linked to the OUs containing administrative hosts:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card

This setting requires all interactive logons to use a smart card, regardless of the configuration on an individual account in Active Directory.

You should also configure secure administrative hosts to permit logons only by authorized accounts, which can be configured in:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

This grants interactive (and, where appropriate, Remote Desktop Services) logon rights only to authorized users of the secure administrative host.
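Both settings above are delivered by GPO, so the useful thing to script on the host itself is a check that they actually took effect. The following audit script is an added example and is not part of the original article: it reads the registry value that the "Interactive logon: Require smart card" policy writes (`scforceoption`), exports the effective User Rights Assignment with `secedit`, and reports any principal holding interactive or Remote Desktop logon rights that is not in an expected list. The expected-SID list is a placeholder; run it elevated on the administrative host.

```powershell
# Added example (not from the article): audit an administrative host for the two
# GPO-applied settings described above. Run elevated on the host being checked.
# The registry value and the secedit export format are standard; the list of SIDs
# permitted to log on is a placeholder you would replace with your own group SIDs.

function Get-SmartCardLogonRequired {
    # "Interactive logon: Require smart card" is applied to this registry value (1 = enforced).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $key -Name scforceoption -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.scforceoption -eq 1)
}

function Get-LogonRightAssignments {
    # Export the effective User Rights Assignment to an INF file and parse the Se* entries.
    # secedit writes SIDs prefixed with '*', e.g. SeInteractiveLogonRight = *S-1-5-32-544
    $inf = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-LogonRights {
    param([string[]]$AllowedSids)
    $rights = Get-LogonRightAssignments
    $findings = @()
    # Local interactive logon and Remote Desktop logon are the rights the text restricts.
    foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
        $holders = $rights[$right]
        if (-not $holders) { continue }
        foreach ($sid in $holders) {
            if ($AllowedSids -notcontains $sid) {
                $name = $sid
                try {
                    $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { }
                $findings += "$right is granted to an unexpected principal: $name"
            }
        }
    }
    return $findings
}

# Placeholder: the only principals expected to hold logon rights on this host.
# S-1-5-32-544 is the built-in Administrators group; add the SID of your dedicated
# admin-host logon group here.
$allowed = @('S-1-5-32-544')

if (-not (Get-SmartCardLogonRequired)) {
    Write-Warning 'Interactive logon: Require smart card is NOT enforced on this host.'
}
$findings = Test-LogonRights -AllowedSids $allowed
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Logon rights are restricted to the expected principals.' }
```

A host where the first function returns false, or where the second lists any principal, has drifted from the GPO baseline (or the GPO never applied) and should not be trusted for privileged work until that is resolved.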

Physical Security

For administrative hosts to be considered trustworthy, they must be configured and protected to the same degree as the systems they manage. Most of the recommendations provided in Securing Domain Controllers Against Attack are also applicable to the hosts that are used to administer domain controllers and the AD DS database. One of the challenges of implementing secure administrative systems in most environments is that physical security can be more difficult to implement, because these computers often reside in areas that are not as secure as servers hosted in datacenters, such as administrative users' desks.

Physical security includes controlling physical access to administrative hosts. In a small organization, this may mean that you maintain a dedicated administrative workstation that is kept locked in an office or a desk drawer when not in use. Or it may mean that when you need to perform administration of Active Directory or your domain controllers, you log on to the domain controller directly.

In medium-sized organizations, you may consider implementing secure administrative "jump servers" that are located in a secured location in an office and are used when management of Active Directory or domain controllers is required. You may also implement administrative workstations that are locked in secure locations when not in use, with or without jump servers.

In large organizations, you can deploy datacenter-housed jump servers that provide strictly controlled access to Active Directory; domain controllers; and file, print, or application servers. Implementation of a jump server architecture in large environments is most likely to include a combination of secure workstations and servers.

Regardless of the size of your organization and the design of your administrative hosts, you should secure physical computers against unauthorized access or theft, and should use BitLocker Drive Encryption to encrypt and protect the drives on administrative hosts. By implementing BitLocker on administrative hosts, you ensure that even if a host is stolen or its disks are removed, the data on the drive is inaccessible to unauthorized users.
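The BitLocker recommendation above can be applied with the built-in BitLocker PowerShell module. The script below is an added example, not code from the article: it enables BitLocker on the OS drive with a TPM+PIN protector (so a removed disk, or a stolen machine without the PIN, yields nothing), adds a recovery password, and escrows that recovery password in Active Directory. It assumes an initialized TPM, that the BitLocker module is present, and that AD DS has been configured (by a separate GPO) to accept recovery information; the PIN string is a placeholder.

```powershell
# Added example (not from the article): protect an administrative host's OS drive with
# BitLocker using TPM+PIN, and back the recovery password up to Active Directory.
# Assumptions: initialized TPM, BitLocker module available, AD configured to store
# recovery information. The PIN below is a placeholder; prompt for it in practice.
Import-Module BitLocker

function Enable-AdminHostBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Output "$MountPoint is already protected."
    } else {
        # TPM+PIN adds a second factor at boot. XtsAes256 is available on Windows 10 /
        # Server 2016; use Aes256 on Windows Server 2012 / 2012 R2.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $Pin -SkipHardwareTest
    }

    # Make sure a recovery password protector exists, then escrow every recovery
    # password in AD so a locked-out host can be recovered without a local copy.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($rp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Test-AdminHostBitLocker {
    param([string]$MountPoint = 'C:')
    # Report whether the drive is protected and which protector types are in place.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

# Placeholder PIN; interactively you would use: Read-Host -AsSecureString
$pin = ConvertTo-SecureString -String 'ChangeMe-12345' -AsPlainText -Force
Enable-AdminHostBitLocker -MountPoint 'C:' -Pin $pin | Out-Null
Test-AdminHostBitLocker -MountPoint 'C:'
```

The check function should show `ProtectionStatus` of `On` and protectors of `TpmPin, RecoveryPassword`; a host showing only `RecoveryPassword`, or `Off`, has encryption configured but not actually enforcing.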

Operating System Versions and Configuration

All administrative hosts, whether servers or workstations, should run the newest operating system in use in your organization, for the reasons described earlier in this document. By running current operating systems, your administrative staff benefit from new security features, full vendor support, and additional functionality introduced in the operating system. Moreover, when you are evaluating a new operating system, deploying it first to administrative hosts requires you to familiarize yourself with the new features, settings, and management mechanisms it offers, which can subsequently be leveraged in planning a broader deployment of the operating system. By then, the most sophisticated users in your organization will also be the users who are familiar with the new operating system and best positioned to support it.

Microsoft Security Configuration Wizard

If you implement jump servers as part of your administrative host strategy, you should use the built-in Security Configuration Wizard to configure service, registry, audit, and firewall settings to reduce the server's attack surface. When the Security Configuration Wizard settings have been collected and configured, they can be converted to a GPO that is used to enforce a consistent baseline configuration on all jump servers. You can further edit the GPO to implement security settings specific to jump servers, and can combine all of the settings with additional baseline settings extracted from the Microsoft Security Compliance Manager.

Microsoft Security Compliance Manager

The Microsoft Security Compliance Manager is a freely available tool that integrates security configurations recommended by Microsoft, based on operating system version and role configuration, and collects them in a single tool and UI that can be used to create and configure baseline security settings for domain controllers. Microsoft Security Compliance Manager templates can be combined with Security Configuration Wizard settings to produce comprehensive configuration baselines for jump servers, which are deployed and enforced by GPOs linked to the OUs in which the jump servers are located in Active Directory.

Note

As of this writing, the Microsoft Security Compliance Manager does not include settings specific to jump servers or other secure administrative hosts, but Security Compliance Manager (SCM) can still be used to create initial baselines for your administrative hosts. To properly secure the hosts, however, you should apply additional security settings appropriate to highly secured workstations and servers.

AppLocker

Administrative hosts and virtual machines should be configured with script, tool, and application whitelists via AppLocker or third-party application restriction software. Any administrative applications or utilities that do not adhere to secure settings should be upgraded or replaced with tooling that adheres to secure development and administrative practices. When new or additional tooling is needed on an administrative host, the applications and utilities should be thoroughly tested, and if the tooling is suitable for deployment on administrative hosts, it can be added to the systems' whitelists.
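The whitelist described above can be generated from the tools actually installed on the host and tested before it is enforced. The script below is an added example, not the article's own code: it uses the AppLocker module to build allow rules (publisher rules where files are signed, hash rules otherwise) from approved directories, writes the policy XML, and then uses `Test-AppLockerPolicy` to confirm that a web browser would be denied while an approved console is allowed. The directory and file paths are placeholders.

```powershell
# Added example (not from the article): build an AppLocker allow-list from approved
# tool locations and test it against sample binaries before enforcing anything.
# Paths are placeholders; adjust to where your administrative tooling lives.
Import-Module AppLocker

$approvedDirs = @('C:\Windows', 'C:\Program Files\AdminTools')   # placeholder tool locations
$policyPath   = 'C:\Policies\AdminHost-AppLocker.xml'            # placeholder output path

function New-AdminHostAppLockerPolicy {
    param([string[]]$Directories, [string]$OutFile)
    # Collect file information (publisher signature and hash) for executables and scripts.
    $files = foreach ($dir in $Directories) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
    }
    # Publisher rules survive updates of signed tools; hash rules cover unsigned files.
    # -Optimize merges rules that share a publisher; -Xml returns the policy as a string.
    $xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    New-Item -Path (Split-Path -Path $OutFile) -ItemType Directory -Force | Out-Null
    Set-Content -Path $OutFile -Value $xml
    return $OutFile
}

function Test-AppLockerDecision {
    param([string]$PolicyXml, [string[]]$Paths)
    # Evaluates each path against the XML policy without enforcing it on the host.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

New-AdminHostAppLockerPolicy -Directories $approvedDirs -OutFile $policyPath | Out-Null

# A browser outside the approved directories should come back Denied; an approved
# management console should come back Allowed.
Test-AppLockerDecision -PolicyXml $policyPath -Paths @(
    'C:\Program Files\Internet Explorer\iexplore.exe',   # placeholder: a browser binary
    'C:\Windows\System32\mmc.exe'                        # approved console in C:\Windows
)

# Only once the decisions match expectations, enforce locally or import into the GPO:
# Set-AppLockerPolicy -XmlPolicy $policyPath
```

The generated XML has enforcement set to not configured; set the rule collections to Enforce in the GPO (and make sure the Application Identity service is running) when you roll it out. Note also that a browser installed under `C:\Program Files\Internet Explorer` would be denied only because that directory is not in the approved list; if you approve all of `C:\Program Files`, you must add explicit deny rules or trim the list instead.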

RDP Restrictions

Although the specific configuration will vary depending on the architecture of your administrative systems, you should include restrictions on which accounts and computers can be used to establish Remote Desktop Protocol (RDP) connections to managed systems, for example by using Remote Desktop Gateway (RD Gateway) jump servers to control access to domain controllers and other managed systems from authorized users and systems.

You should allow interactive logons by authorized users and should remove or even block other logon types that are not needed for server access.
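One concrete form of the "which computers" restriction above is to scope the managed server's inbound Remote Desktop firewall rules to the jump servers only, so that RDP from any other machine never reaches the logon prompt. The script below is an added example, not from the article; it uses the Windows Firewall with Advanced Security (NetSecurity) cmdlets, and the jump server addresses are placeholders.

```powershell
# Added example (not from the article): on a managed server, limit inbound RDP to the
# designated jump servers / RD Gateway hosts. Addresses are placeholders.
$jumpServers = @('10.10.0.11', '10.10.0.12')   # placeholder jump server IPs

function Set-RdpSourceRestriction {
    param([string[]]$AllowedSources)
    # Default-deny inbound on the domain profile (the default, restated so drift is undone).
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
    # Re-scope the built-in Remote Desktop rules (TCP and UDP 3389) from 'Any' to the
    # jump servers. No explicit block rule is needed: block rules win over allow rules,
    # so an 'Any' block would cut off the jump servers too.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedSources -Profile Domain -Enabled True
}

function Get-RdpRuleScope {
    # Show each inbound Remote Desktop rule with its effective remote-address scope.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($addr -join ', ')
        }
    }
}

function Test-RdpRestricted {
    param([string[]]$AllowedSources)
    # True only when no enabled Remote Desktop rule still accepts connections from 'Any'.
    $open = Get-RdpRuleScope | Where-Object { $_.Enabled -eq 'True' -and $_.RemoteAddress -eq 'Any' }
    return (@($open).Count -eq 0)
}

Set-RdpSourceRestriction -AllowedSources $jumpServers
Get-RdpRuleScope
if (Test-RdpRestricted -AllowedSources $jumpServers) { 'RDP is reachable only from the jump servers.' }
else { Write-Warning 'At least one Remote Desktop rule still allows any source.' }
```

This complements, rather than replaces, the RD Gateway connection and resource authorization policies and the "Allow log on through Remote Desktop Services" user right: the firewall decides which machines can connect, the user right and the gateway decide which accounts may.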

Patch and Configuration Management

Smaller organizations may rely on offerings such as Windows Update or Windows Server Update Services (WSUS) to manage deployment of updates to Windows systems, while larger organizations may implement enterprise patch and configuration management software such as System Center Configuration Manager. Regardless of the mechanisms you use to deploy updates to your general server and workstation population, you should consider separate deployments for highly secure systems such as domain controllers, certification authorities, and administrative hosts. By segregating these systems from the general management infrastructure, if your management software or service accounts are compromised, the compromise cannot easily be extended to the most secure systems in your infrastructure.

Although you should not implement manual update processes for secure systems, you should configure a separate infrastructure for updating them. Even in very large organizations, this infrastructure can usually be implemented via dedicated WSUS servers and GPOs for secured systems.
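The dedicated-WSUS arrangement above comes down to a handful of Windows Update policy values on each secured host. The script below is an added example, not from the article: it writes the registry values that the Windows Update GPO settings map to (in practice you would set these through the GPO linked to the admin-host OU rather than by script) and then verifies that the host is pinned to the dedicated server and target group. The WSUS URL and target group name are placeholders.

```powershell
# Added example (not from the article): pin an administrative host to a dedicated WSUS
# server and target group, separate from the one that serves the general fleet.
# These registry values are what the Windows Update GPO settings write; normally the
# GPO is the vehicle. Server URL and target group name are placeholders.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path -Path $wuKey -ChildPath 'AU'
$dedicatedWsus = 'https://wsus-tier0.corp.example:8531'   # placeholder; 8531 is the WSUS TLS port

function Set-DedicatedWsusTarget {
    param([string]$Server, [string]$TargetGroup)
    New-Item -Path $auKey -Force | Out-Null
    # Intranet update server and status server (both on the dedicated instance).
    Set-ItemProperty -Path $wuKey -Name WUServer       -Value $Server -Type String
    Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $Server -Type String
    # Client-side targeting puts the host in its own approval group on that server.
    Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $TargetGroup -Type String
    # Use the intranet server instead of Microsoft Update, and keep automatic updates on.
    Set-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -Type DWord
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
}

function Test-WsusIsolation {
    param([string]$ExpectedServer, [string]$ExpectedGroup)
    # Fails if the host still points at the general-population WSUS, at none, or at
    # the wrong target group.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    return ($null -ne $wu -and $null -ne $au -and
            $au.UseWUServer -eq 1 -and
            $wu.WUServer -eq $ExpectedServer -and
            $wu.TargetGroupEnabled -eq 1 -and
            $wu.TargetGroup -eq $ExpectedGroup)
}

Set-DedicatedWsusTarget -Server $dedicatedWsus -TargetGroup 'Tier0-AdminHosts'
if (Test-WsusIsolation -ExpectedServer $dedicatedWsus -ExpectedGroup 'Tier0-AdminHosts') {
    'Host is pinned to the dedicated WSUS server and target group.'
} else {
    Write-Warning 'WSUS isolation is not in effect on this host.'
}
```

The verification function is the part worth keeping as a recurring check: a secured host that silently falls back to the general WSUS inherits whatever approval (and compromise) path that infrastructure has.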

Blocking Internet Access

Administrative hosts should not be permitted to access the Internet, nor should they be able to browse the organization's intranet. Web browsers and similar applications should not be permitted on administrative hosts. You can block Internet access for secure hosts via a combination of perimeter firewall settings, WFAS configuration, and "black hole" proxy configuration on the secure hosts. You can also use application whitelisting to prevent web browsers from being used on administrative hosts.
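The host-side half of the approach above (WFAS plus a black-hole proxy) can be applied as follows. This is an added example, not code from the article: it sets the firewall to default-deny outbound on all profiles, allows traffic only to the management subnets the host genuinely needs (domain controllers, jump servers, the dedicated WSUS), points the system WinHTTP proxy at a closed local port so that anything proxy-aware dead-ends even if a firewall rule is later loosened, and then checks that a TCP connection to an Internet host fails. The subnets are placeholders; the perimeter firewall rules remain a separate, necessary layer.

```powershell
# Added example (not from the article): default-deny outbound on an administrative host,
# allow only management subnets, and black-hole the WinHTTP proxy. Subnets are placeholders.
$managementSubnets = @('10.10.0.0/24', '10.20.0.0/24')   # placeholder: DCs, jump servers, WSUS

function Set-AdminHostOutboundPolicy {
    param([string[]]$AllowedSubnets)
    # 1. Default-deny outbound on every profile, so only explicit allow rules pass traffic.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

    # 2. Allow outbound only to the management subnets. DNS, Kerberos, LDAP, SMB and
    #    WSUS all live there, so nothing else needs to be opened. Tighten by port if
    #    your design allows.
    $ruleName = 'AdminHost allow management subnets'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
            -RemoteAddress $AllowedSubnets -Action Allow -Profile Any | Out-Null
    } else {
        Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $AllowedSubnets -Enabled True
    }

    # 3. Black-hole proxy for the system (WinHTTP) stack: 127.0.0.1 on a closed port.
    #    "<local>" keeps single-label intranet names off the proxy so AD traffic is unaffected.
    netsh winhttp set proxy proxy-server="127.0.0.1:1" bypass-list="<local>" | Out-Null
}

function Test-InternetBlocked {
    param([string]$ProbeHost = 'www.example.com')
    # A successful TCP handshake to an Internet host means the policy is not in effect.
    $r = Test-NetConnection -ComputerName $ProbeHost -Port 443 -WarningAction SilentlyContinue
    return (-not $r.TcpTestSucceeded)
}

Set-AdminHostOutboundPolicy -AllowedSubnets $managementSubnets
if (Test-InternetBlocked) { 'Outbound Internet access is blocked on this host.' }
else { Write-Warning 'This host can still reach the Internet; check perimeter and WFAS rules.' }
```

Because the allow rule is address-scoped rather than port-scoped, the DNS servers the probe relies on must sit inside the allowed subnets; if the probe fails with a name-resolution warning rather than a refused TCP connection, that is the firewall rule being too narrow, not evidence that Internet access is blocked.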

Virtualization

Where possible, consider implementing virtual machines as administrative hosts. Using virtualization, you can create per-user administrative systems that are centrally stored and managed, and which can be easily shut down when not in use, ensuring that credentials are not left active on the administrative systems. You can also require that virtual administrative hosts be reset to an initial snapshot after each use, ensuring that the virtual machines remain pristine. More information about options for virtualization of administrative hosts is provided in the following section.

Sample Approaches to Implementing Secure Administrative Hosts

Regardless of how you design and deploy your administrative host infrastructure, you should keep in mind the guidelines provided in "Principles for Creating Secure Administrative Hosts" earlier in this topic. Each of the approaches described here provides general information about how you can separate the "administrative" and "productivity" systems used by your IT staff. Productivity systems are the computers that IT administrators use to check email, browse the Internet, and run general productivity software such as Microsoft Office. Administrative systems are computers that are hardened and dedicated to day-to-day administration of the IT environment.

The simplest way to implement secure administrative hosts is to provide your IT staff with secured workstations from which they can perform administrative tasks. In a workstation-only implementation, each administrative workstation is used to launch management tools and RDP connections to manage servers and other infrastructure. Workstation-only implementations can be effective in smaller organizations, although larger, more complex infrastructures may benefit from a distributed design for administrative hosts in which dedicated administrative servers and workstations are used, as described in "Implementing Secure Administrative Workstations and Jump Servers" later in this topic.

Implementing Separate Physical Workstations

One way that you can implement administrative hosts is to issue each IT user two workstations. One workstation is used with a "regular" user account to perform activities such as checking email and using productivity applications, while the second workstation is dedicated strictly to administrative functions.

For the productivity workstation, the IT staff can be given regular user accounts rather than using privileged accounts to log on to unsecured computers. The administrative workstation should be configured with a stringently controlled configuration, and the IT staff should use a different account to log on to the administrative workstation.

If you have implemented smart cards, administrative workstations should be configured to require smart card logons, and IT staff should be given separate accounts for administrative use, also configured to require smart cards for interactive logon. The administrative host should be hardened as previously described, and only designated IT users should be allowed to log on locally to the administrative workstation.

Pros

By implementing separate physical systems, you can ensure that each computer is configured appropriately for its role and that IT users cannot inadvertently expose administrative systems to risk.

Cons

  • Implementing separate physical computers increases hardware costs.

  • Logging on to a physical computer with credentials that are used to administer remote systems caches those credentials in memory.

  • If administrative workstations are not stored securely, they may be vulnerable to compromise via mechanisms such as physical hardware key loggers or other physical attacks.

Implementing a Secure Physical Workstation with a Virtualized Productivity Workstation

In this approach, IT users are given a secured administrative workstation from which they can perform day-to-day administrative functions, using Remote Server Administration Tools (RSAT) or RDP connections to servers within their scope of responsibility. When IT users need to perform productivity tasks, they can connect via RDP to a remote productivity workstation running as a virtual machine. Separate credentials should be used for each workstation, and controls such as smart cards should be implemented.

Pros

  • Administrative workstations and productivity workstations are separated.

  • IT staff using secure workstations to connect to productivity workstations can use separate credentials and smart cards, and privileged credentials are not deposited on the less-secure computer.

Cons

  • Implementing the solution requires design and implementation work and robust virtualization options.

  • If the physical workstations are not stored securely, they may be vulnerable to physical attacks that compromise the hardware or the operating system and make them susceptible to communications interception.

Implementing a Single Secure Workstation with Connections to Separate "Productivity" and "Administrative" Virtual Machines

In this approach, you issue IT users a single physical workstation that is locked down as previously described and on which IT users do not have privileged access. You provide Remote Desktop Services connections to virtual machines hosted on dedicated servers, giving IT staff one virtual machine that runs email and other productivity applications, and a second virtual machine that is configured as the user's dedicated administrative host.

You should require smart card or other multifactor logon for the virtual machines, using separate accounts other than the account that is used to log on to the physical computer. After an IT user logs on to the physical computer, they use their productivity smart card to connect to their remote productivity computer, and a separate account and smart card to connect to their remote administrative computer.

Pros

  • IT users can use a single physical workstation.

  • By requiring separate accounts for the virtual hosts and using Remote Desktop Services connections to the virtual machines, IT users' credentials are not cached in memory on the local computer.

  • The physical host can be secured to the same degree as administrative hosts, reducing the likelihood of compromise of the local computer.

  • In cases where an IT user's productivity virtual machine or administrative virtual machine may have been compromised, the virtual machine can easily be reset to a "known good" state.

  • If the physical computer is compromised, no privileged credentials will be cached in memory, and the use of smart cards can prevent compromise of credentials by keystroke loggers.

Cons

  • Implementing the solution requires design and implementation work and robust virtualization options.

  • If the physical workstations are not stored securely, they may be vulnerable to physical attacks that compromise the hardware or the operating system and make them susceptible to communications interception.

Implementing Secure Administrative Workstations and Jump Servers

As an alternative to secure administrative workstations, or in combination with them, you can implement secure jump servers, and administrative users can connect to the jump servers using RDP and smart cards to perform administrative tasks.

Jump servers should be configured to run the Remote Desktop Gateway role so that you can implement restrictions on connections to the jump server and to the destination servers that will be managed from it. If possible, you should also install the Hyper-V role and create Personal Virtual Desktops or other per-user virtual machines for administrative users to use for their tasks on the jump servers.

By giving the administrative users per-user virtual machines on the jump server, you provide physical security for the administrative workstations, and administrative users can reset or shut down their virtual machines when not in use. If you prefer not to install the Hyper-V role and the Remote Desktop Gateway role on the same administrative host, you can install them on separate computers.

Wherever possible, remote administration tools should be used to manage servers. The Remote Server Administration Tools (RSAT) feature should be installed on the users' virtual machines (or on the jump server if you are not implementing per-user virtual machines for administration), and administrative staff should connect via RDP to their virtual machines to perform administrative tasks.

When an administrative user must connect via RDP to a destination server to manage it directly, RD Gateway should be configured to allow the connection only if the appropriate user and computer are used to establish the connection to the destination server. Execution of RSAT (or similar) tools should be prohibited on systems that are not designated management systems, such as general-use workstations and member servers that are not jump servers.
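Both the Virtualization section earlier in this topic and the per-user virtual machine design above rely on the same operational step: after each session the administrator's VM is turned off and returned to a clean baseline, so nothing (including cached credentials in guest memory) survives to the next use. The script below is an added example, not from the article; it uses the Hyper-V PowerShell module on the jump server that hosts the VMs, assumes a baseline checkpoint was taken once after the VM was hardened, and uses placeholder VM and checkpoint names.

```powershell
# Added example (not from the article): return a per-administrator Hyper-V VM to its
# clean baseline after a session. Run on the Hyper-V host (the jump server).
# Assumes a baseline checkpoint taken after hardening; names are placeholders.
Import-Module Hyper-V

function Reset-AdminVMToBaseline {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$BaselineCheckpoint = 'Clean-Baseline',   # placeholder checkpoint name
        [switch]$StartAfterReset
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    # Turn off rather than save: a saved state would write guest memory, and any
    # credentials cached in it, to disk.
    if ($vm.State -ne 'Off') { Stop-VM -Name $VMName -TurnOff -Force }

    # Roll the disks back to the baseline checkpoint.
    $baseline = Get-VMCheckpoint -VMName $VMName -Name $BaselineCheckpoint -ErrorAction Stop
    Restore-VMCheckpoint -VMCheckpoint $baseline -Confirm:$false

    # Remove any checkpoints created during the session so state cannot accumulate.
    Get-VMCheckpoint -VMName $VMName |
        Where-Object { $_.Name -ne $BaselineCheckpoint } |
        Remove-VMCheckpoint -Confirm:$false

    if ($StartAfterReset) { Start-VM -Name $VMName }
    return (Get-VM -Name $VMName).State
}

function Test-AdminVMIsPristine {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$BaselineCheckpoint = 'Clean-Baseline'
    )
    # Pristine means: exactly one checkpoint (the baseline) exists and the VM is off.
    $checkpoints = @(Get-VMCheckpoint -VMName $VMName)
    return ($checkpoints.Count -eq 1 -and
            $checkpoints[0].Name -eq $BaselineCheckpoint -and
            (Get-VM -Name $VMName).State -eq 'Off')
}

# Usage, for example from a scheduled task that fires when the administrator's
# Remote Desktop session to the VM ends. 'ADMIN-VM-jdoe' is a placeholder VM name.
Reset-AdminVMToBaseline -VMName 'ADMIN-VM-jdoe'
Test-AdminVMIsPristine -VMName 'ADMIN-VM-jdoe'
```

Re-take the baseline checkpoint only through a controlled change process (patching, tool updates); if an administrator can create and keep their own checkpoints, the "reset after each use" guarantee quietly disappears, which is exactly what the second function detects.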

Pros

  • Creating jump servers allows you to map specific servers to "zones" (collections of systems with similar configuration, connection, and security requirements) in your network and to require that the administration of each zone is performed by administrative staff connecting from secure administrative hosts to a designated "zone" server.

  • By mapping jump servers to zones, you can implement granular controls for connection properties and configuration requirements, and can easily identify attempts to connect from unauthorized systems.

  • By implementing per-administrator virtual machines on jump servers, you can enforce shutdown and resetting of the virtual machines to a known clean state when administrative tasks are completed. By enforcing shutdown (or restart) of the virtual machines when administrative tasks are completed, the virtual machines cannot be targeted by attackers, nor are credential theft attacks feasible, because memory-cached credentials do not persist beyond a reboot.

Cons

  • Dedicated servers, whether physical or virtual, are required for jump servers.

  • Implementing designated jump servers and administrative workstations requires careful planning and configuration that maps to any security zones configured in the environment.