Maintaining a More Secure Environment

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Law Number Ten: Technology is not a panacea. - 10 Immutable Laws of Security Administration

When you have created a manageable, secure environment for your critical business assets, your focus should shift to ensuring that it is maintained securely. Although you've been given specific technical controls to increase the security of your AD DS installations, technology alone will not protect an environment in which IT does not work in partnership with the business to maintain a secure, usable infrastructure. The high-level recommendations in this section are meant to be used as guidelines that you can use to develop not only effective security, but effective lifecycle management.

In some cases, your IT organization might already have a close working relationship with business units, which will ease implementing these recommendations. In organizations in which IT and business units are not closely tied, you might need to first obtain executive sponsorship for efforts to forge a closer relationship between IT and business units. The Executive Summary is intended to be useful as a standalone document for executive review, and it can be disseminated to decision makers in your organization.

Creating Business-Centric Security Practices for Active Directory

In the past, information technology within many organizations was viewed as a support structure and a cost center. IT departments were often largely segregated from business users, and interactions were limited to a request-response model in which the business requested resources and IT responded.

As technology has evolved and proliferated, the vision of "a computer on every desktop" has effectively come to pass for much of the world, and has even been eclipsed by the broad range of easily accessible technologies available today. Information technology is no longer a support function; it is a core business function. If your organization could not continue to function if all IT services were unavailable, your organization's business is, at least in part, information technology.

To create effective compromise recovery plans, IT services must work closely with business units in your organization to identify not only the most critical components of the IT landscape, but the critical functions required by the business. By identifying what is important to your organization as a whole, you can focus on securing the components that have the most value. This is not a recommendation to shirk the security of low-value systems and data. Rather, just as you define levels of service for system uptime, you should consider defining levels of security control and monitoring based on the criticality of the asset.

When you have invested in creating a current, secure, manageable environment, you can shift focus to managing it effectively and ensuring that you have effective lifecycle management processes that aren't determined only by IT, but by the business. To achieve this, you need not only to partner with the business, but to invest the business in "ownership" of data and systems in Active Directory.

When data and systems are introduced into Active Directory without designated owners (both business owners and IT owners), there is no clear chain of responsibility for the provisioning, management, monitoring, updating, and eventual decommissioning of the system. This results in infrastructures in which systems expose the organization to risk but cannot be decommissioned because ownership is unclear. To effectively manage the lifecycle of the users, data, applications, and systems managed by your Active Directory installation, you should follow the principles described in this section.

Assign a Business Owner to Active Directory Data

Data in Active Directory should have an identified business owner, that is, a specified department or user who is the point of contact for decisions about the lifecycle of the asset. In some cases, the business owner of a component of Active Directory will be an IT department or user. Infrastructure components such as domain controllers, DHCP and DNS servers, and Active Directory itself will most likely be "owned" by IT. For data that is added to AD DS to support the business (for example, new employees, new applications, and new information repositories), a designated business unit or user should be associated with the data.

Whether you use Active Directory to record ownership of data in the directory, or whether you implement a separate database for tracking IT assets, no user account should be created, no server or workstation should be installed, and no application should be deployed without a designated owner of record. Trying to establish ownership of systems after they've been deployed in production can be challenging at best, and impossible in some cases. Therefore, ownership should be established at the time the data is introduced into Active Directory.

Implement Business-Driven Lifecycle Management

Lifecycle management should be implemented for all data in Active Directory. For example, when a new application is introduced into an Active Directory domain, the application's business owner should, at regular intervals, be expected to attest to the continued use of the application. When a new version of an application is released, the application's business owner should be informed and should decide if and when the new version will be implemented.

If a business owner chooses not to approve deployment of a new version of an application, that business owner should also be notified of the date when the current version will no longer be supported and should be responsible for determining whether the application will be decommissioned or replaced. Keeping legacy applications running and unsupported should not be an option.

When user accounts are created in Active Directory, their managers of record should be notified at object creation and required to attest to the validity of the account at regular intervals. By implementing a business-driven lifecycle and regular attestation of the validity of the data, the people who are best equipped to identify anomalies in the data are the people who review the data.

For example, attackers might create user accounts that appear to be valid accounts, following your organization's naming conventions and object placement. To detect these account creations, you might implement a daily task that returns all user objects without a designated business owner so that you can investigate the accounts. If attackers create accounts and do assign a business owner, a task that reports new object creation to the designated business owner lets that business owner quickly identify whether the account is legitimate.

You should implement similar approaches for security and distribution groups. Although some groups may be functional groups created by IT, by creating every group with a designated owner, you can retrieve all groups owned by a designated user and require the user to attest to the validity of their memberships. Similar to the approach taken with user account creation, you can trigger reporting of group modifications to the designated business owner. The more routine it becomes for a business owner to attest to the validity or invalidity of data in Active Directory, the better equipped you are to identify anomalies that can indicate process failures or actual compromise.
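One way to implement the daily ownership checks described for user accounts and for groups above, as an added example that is not part of the original article. It assumes the owner of record is kept in the `manager` attribute for users and `managedBy` for groups, and that the mail relay and report path are placeholders to replace with your own.

```powershell
# Added example (not from the original article). Assumes the business owner of
# record is stored in 'manager' (users) and 'managedBy' (groups); substitute
# your own attribute if ownership is tracked elsewhere.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-1)
$props = 'SamAccountName', 'ObjectClass', 'DistinguishedName', 'whenCreated'

# 1. Objects with no owner of record at all: these go to the security team to investigate.
$orphanUsers  = Get-ADUser  -Filter { manager -notlike "*" }   -Properties manager, whenCreated   | Select-Object $props
$orphanGroups = Get-ADGroup -Filter { managedBy -notlike "*" } -Properties managedBy, whenCreated | Select-Object $props

# 2. Objects created in the last day that do name an owner: ask that owner to attest
#    that the creation is legitimate (catches attacker-created objects with a plausible owner).
$newUsers  = Get-ADUser  -Filter { whenCreated -ge $since -and manager -like "*" }   -Properties manager, whenCreated
$newGroups = Get-ADGroup -Filter { whenCreated -ge $since -and managedBy -like "*" } -Properties managedBy, whenCreated

$notices = foreach ($obj in @($newUsers) + @($newGroups)) {
    $ownerDn = if ($obj.ObjectClass -eq 'user') { $obj.manager } else { $obj.managedBy }
    $owner   = Get-ADObject -Identity $ownerDn -Properties mail
    [pscustomobject]@{
        Object    = $obj.DistinguishedName
        Class     = $obj.ObjectClass
        Created   = $obj.whenCreated
        OwnerMail = $owner.mail
    }
}

# One attestation request per owner (mail parameters are placeholders).
$notices | Where-Object { $_.OwnerMail } | Group-Object OwnerMail | ForEach-Object {
    $body = $_.Group | Format-List Object, Class, Created | Out-String
    Send-MailMessage -To $_.Name -From 'ad-attest@example.com' -SmtpServer 'smtp.example.com' `
        -Subject 'New Active Directory objects recorded under your ownership: please confirm' -Body $body
}

# Owners that resolved but have no mail address still need a human follow-up.
$notices | Where-Object { -not $_.OwnerMail } |
    Export-Csv -Path "C:\Reports\owner-without-mail-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Ownerless objects for the daily review.
@($orphanUsers) + @($orphanGroups) |
    Export-Csv -Path "C:\Reports\ownerless-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it as a scheduled task under a read-only directory account; the same pattern extends to group membership changes by filtering on `whenChanged` instead of `whenCreated`.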

Classify All Active Directory Data

In addition to recording a business owner for all Active Directory data at the time it is added to the directory, you should also require business owners to provide a classification for the data. For example, if an application stores business-critical data, the business owner should label the application as such, in accordance with your organization's classification infrastructure.

Some organizations implement data classification policies that label data according to the damage that would result if the data were stolen or exposed. Other organizations implement data classification that labels data by criticality, by access requirements, and by retention. Regardless of the data classification model in use in your organization, you should ensure that you are able to apply classification to Active Directory data, not only to "file" data. If a user's account is a VIP account, it should be identified in your asset classification database (whether you implement this via the use of attributes on the objects in AD DS, or whether you deploy separate asset classification databases).

Within your data classification model, you should include classification for AD DS data such as the following.

Systems

You should not only classify data, but also the server populations that hold it. For each server, you should know what operating system is installed, what general roles the server provides, what applications are running on the server, the IT owner of record, and the business owner of record, where applicable. For all data or applications running on the server, you should require classification, and the server should be secured according to the requirements for the workloads it supports and the classifications applied to the system and data. You can also group servers by the classification of their workloads, which allows you to quickly identify the servers that should be the most closely monitored and most stringently configured.

Applications

You should classify applications by functionality (what they do), user base (who uses the applications), and the operating system on which they run. You should maintain records that contain version information, patch status, and any other pertinent information. You should also classify applications by the types of data they handle, as previously described.

Users

Whether you call them "VIP" users, critical accounts, or use a different label, the accounts in your Active Directory installations that are most likely to be targeted by attackers should be tagged and monitored. In most organizations, it is simply not feasible to monitor all of the activities of all users. However, if you are able to identify the critical accounts in your Active Directory installation, you can monitor those accounts for changes as described earlier in this document.

You can also begin to build a database of "expected behaviors" for these accounts as you audit them. For example, suppose you find that a given executive uses his secured workstation to access business-critical data from his office and from his home, but rarely from other locations. If you then see attempts to access data using his account from an unauthorized computer, or from a location halfway around the planet where you know the executive is not currently located, you can more quickly identify and investigate this anomalous behavior.

By integrating business information with your infrastructure, you can use that business information to help you identify false positives. For example, if executive travel is recorded in a calendar that is accessible to the IT staff responsible for monitoring the environment, you can correlate connection attempts with the executives' known locations.

Let's say Executive A is normally located in Chicago and uses a secured workstation to access business-critical data from his desk, and an event is triggered by a failed attempt to access the data from an unsecured workstation located in Atlanta. If you are able to verify that the executive is currently in Atlanta, you can resolve the event by contacting the executive or the executive's assistant to determine whether the access failure was the result of the executive forgetting to use the secured workstation to access the data. By constructing a program that uses the approaches described in Planning for Compromise, you can begin to build a database of expected behaviors for the most "important" accounts in your Active Directory installation that can help you more quickly discover and respond to attacks.
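The triage logic for the Executive A scenario above, as an added example that is not part of the original article. The VIP baseline, the travel calendar entry and the three access events are all constructed here so that it runs without a directory; in practice the baseline would come from your audit history and the events from your security log collection.

```powershell
# Added example (not from the original article). All data below is constructed.
# Expected behaviour per tagged VIP account: which workstations and locations are normal.
$baseline = @{
    'exec.a' = @{ Workstations = @('SEC-WS-A01'); Locations = @('Chicago') }
}

# Travel calendar made available to the monitoring team: where the executive should be.
$travel = @(
    [pscustomobject]@{ User = 'exec.a'; Location = 'Atlanta'; Start = [datetime]'2024-03-04'; End = [datetime]'2024-03-06' }
)

# Constructed access events (user, workstation, resolved location, outcome).
$events = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-05 09:12'; User = 'exec.a'; Workstation = 'SEC-WS-A01';   Location = 'Chicago';   Outcome = 'Success' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05 14:40'; User = 'exec.a'; Workstation = 'KIOSK-ATL-07'; Location = 'Atlanta';   Outcome = 'Failure' },
    [pscustomobject]@{ Time = [datetime]'2024-03-05 14:41'; User = 'exec.a'; Workstation = 'UNKNOWN-PC';   Location = 'Singapore'; Outcome = 'Failure' }
)

function Get-VipTriage {
    param($Event)
    $b = $baseline[$Event.User]
    if (-not $b) { return }   # not a tagged VIP account; outside this example's scope

    $knownWs  = $b.Workstations -contains $Event.Workstation
    $knownLoc = $b.Locations    -contains $Event.Location
    # Travel entry that places the executive at the event's location on that day.
    $onTravel = $travel | Where-Object {
        $_.User -eq $Event.User -and $_.Location -eq $Event.Location -and
        $Event.Time -ge $_.Start -and $Event.Time -lt $_.End.AddDays(1)
    }

    $verdict = if ($knownWs -and $knownLoc) { 'Expected' }
               elseif ($onTravel)           { 'Confirm with executive: travel matches, unsecured workstation used' }
               else                         { 'Investigate: location neither in baseline nor in calendar' }

    [pscustomobject]@{
        Time = $Event.Time; User = $Event.User; Workstation = $Event.Workstation
        Location = $Event.Location; Outcome = $Event.Outcome; Verdict = $verdict
    }
}

$events | ForEach-Object { Get-VipTriage -Event $_ } | Format-Table -AutoSize
```

The Chicago event is expected, the Atlanta failure is routed to the executive's assistant for confirmation, and the Singapore attempt one minute later is escalated because neither the baseline nor the calendar explains it.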