Planning for Compromise

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Law Number One: Nobody believes anything bad can happen to them, until it does. - 10 Immutable Laws of Security Administration

Disaster recovery plans in many organizations focus on recovering from regional disasters or failures that result in loss of computing services. However, when working with compromised customers, we often find that recovering from intentional compromise is absent from their disaster recovery plans. This is particularly true when the compromise results in theft of intellectual property or intentional destruction that leverages logical boundaries (such as destruction of all Active Directory domains or all servers) rather than physical boundaries (such as destruction of a datacenter). Although an organization may have incident response plans that define initial activities to take when a compromise is discovered, these plans often omit steps to recover from a compromise that affects the entire computing infrastructure.

Because Active Directory provides rich identity and access management capabilities for users, servers, workstations, and applications, it is invariably targeted by attackers. If an attacker gains highly privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire Active Directory forest.

This document has discussed some of the most common attacks against Windows and Active Directory and countermeasures you can implement to reduce your attack surface, but the only sure way to recover in the event of a complete compromise of Active Directory is to be prepared for the compromise before it happens. This section focuses less on technical implementation details than previous sections of this document, and more on high-level recommendations that you can use to create a holistic, comprehensive approach to secure and manage your organization's critical business and IT assets.

Whether your infrastructure has never been attacked, has resisted attempted breaches, or has succumbed to attacks and been fully compromised, you should plan for the inevitable reality that you will be attacked again and again. It is not possible to prevent attacks, but it may indeed be possible to prevent significant breaches or wholesale compromise. Every organization should closely evaluate their existing risk management programs, and make necessary adjustments to help reduce their overall level of vulnerability by making balanced investments in prevention, detection, containment, and recovery.

To create effective defenses while still providing services to the users and businesses that depend on your infrastructure and applications, you may need to consider novel ways to prevent, detect, and contain compromise in your environment, and then recover from the compromise. The approaches and recommendations in this document may not help you repair a compromised Active Directory installation, but can help you secure your next one.

Recommendations for recovering an Active Directory forest are presented in Windows Server 2012: Planning for Active Directory Forest Recovery. You may be able to prevent your new environment from being completely compromised, but even if you can't, you will have tools to recover and regain control of your environment.

Rethinking the Approach

Law Number Eight: The difficulty of defending a network is directly proportional to its complexity. - 10 Immutable Laws of Security Administration

It is generally well-accepted that if an attacker has obtained SYSTEM, Administrator, root, or equivalent access to a computer, regardless of operating system, that computer can no longer be considered trustworthy, no matter how many efforts are made to "clean" the system. Active Directory is no different. If an attacker has obtained privileged access to a domain controller or a highly privileged account in Active Directory, unless you have a record of every modification the attacker makes or a known good backup, you can never restore the directory to a completely trustworthy state.

When a member server or a workstation is compromised and altered by an attacker, the computer is no longer trustworthy, but neighboring uncompromised servers and workstations still are; compromise of one computer does not imply that all computers are compromised.

However, in an Active Directory domain, all domain controllers host replicas of the same AD DS database. If a single domain controller is compromised and an attacker modifies the AD DS database, those modifications replicate to every other domain controller in the domain and, depending on the partition in which the modifications are made, to the entire forest. Even if you reinstall every domain controller in the forest, you are simply reinstalling the hosts on which the AD DS database resides. Malicious modifications to Active Directory will replicate to freshly installed domain controllers as easily as they will replicate to domain controllers that have been running for years.

In assessing compromised environments, we commonly find that what was believed to be the first breach "event" actually occurred weeks, months, or even years after attackers had initially compromised the environment. Attackers usually obtained the credentials for highly privileged accounts long before a breach was detected, and they leveraged those accounts to compromise the directory, domain controllers, member servers, workstations, and even connected non-Windows systems.

These findings are consistent with several findings in Verizon's 2012 Data Breach Investigations Report, which states that:

  • 98 percent of data breaches stemmed from external agents

  • 85 percent of data breaches took weeks or more to discover

  • 92 percent of incidents were discovered by a third party, and

  • 97 percent of breaches were avoidable through simple or intermediate controls.

A compromise to the degree described earlier is effectively irreparable, and the standard advice to "flatten and rebuild" every compromised system is simply not feasible or even possible if Active Directory has been compromised or destroyed. Even restoring to a known good state does not eliminate the flaws that allowed the environment to be compromised in the first place.

Although you must defend every facet of your infrastructure, an attacker only needs to find enough flaws in your defenses to get to their desired goal. If your environment is relatively simple and pristine, and historically well-managed, then implementing the recommendations provided earlier in this document may be a straightforward proposition.

However, we have found that the older, larger, and more complex the environment, the more likely it is that the recommendations in this document will be infeasible or even impossible to implement. It is much harder to secure an infrastructure after the fact than it is to start fresh and to construct an environment that is resistant to attack and compromise. But as previously noted, it is no small undertaking to rebuild an entire Active Directory forest. For these reasons, we recommend a more focused, targeted approach to securing your Active Directory forests.

Rather than focusing on and trying to fix all of the things that are "broken," consider an approach in which you prioritize based on what is most important to your business and in your infrastructure. Instead of trying to remediate an environment filled with outdated, misconfigured systems and applications, consider creating a new, small, secure environment into which you can safely port the users, systems, and information that are most critical to your business.

In this section, we describe an approach by which you can create a pristine AD DS forest that serves as a "life boat" or "secure cell" for your core business infrastructure. A pristine forest is simply a newly installed Active Directory forest that is typically limited in size and scope, and which is built by using current operating systems and applications, and with the principles described in Reducing the Active Directory Attack Surface.

By implementing the recommended configuration settings in a newly built forest, you can create an AD DS installation that is built from the ground up with secure settings and practices, and you can reduce the challenges that accompany supporting legacy systems and applications. While detailed instructions for the design and implementation of a pristine AD DS installation are outside the scope of this document, you should follow some general principles and guidelines to create a "secure cell" into which you can house your most critical assets. These guidelines are as follows:

  1. Identify principles for segregating and securing critical assets.

  2. Define a limited, risk-based migration plan.

  3. Leverage "nonmigratory" migrations where necessary.

  4. Implement "creative destruction."

  5. Isolate legacy systems and applications.

  6. Simplify security for end users.

Identifying Principles for Segregating and Securing Critical Assets

The characteristics of the pristine environment that you create to house critical assets can vary widely. For example, you may choose to create a pristine forest into which you migrate only VIP users and sensitive data that only those users can access. You may create a pristine forest into which you migrate not only VIP users, but which you also implement as an administrative forest, applying the principles described in Reducing the Active Directory Attack Surface to create secure administrative accounts and hosts that can be used to manage your legacy forests from the pristine forest. You might implement a "purpose-built" forest that houses VIP accounts, privileged accounts, and systems requiring additional security such as servers running Active Directory Certificate Services (AD CS), with the sole goal of segregating them from less-secure forests. Finally, you might implement a pristine forest that becomes the de facto location for all new users, systems, applications, and data, allowing you to eventually decommission your legacy forest via attrition.

Regardless of whether your pristine forest contains a handful of users and systems or it forms the basis for a more aggressive migration, you should follow these principles in your planning:

  1. Assume that your legacy forests have been compromised.

  2. Do not configure a pristine environment to trust a legacy forest, although you can configure a legacy environment to trust a pristine forest.

  3. Do not migrate user accounts or groups from a legacy forest to a pristine environment if there is a possibility that the accounts' group memberships, SID history, or other attributes may have been maliciously modified. Instead, use "nonmigratory" approaches to populate a pristine forest. (Nonmigratory approaches are described later in this section.)

  4. Do not migrate computers from legacy forests to pristine forests. Implement freshly installed servers in the pristine forest, install applications on the freshly installed servers, and migrate application data to the newly installed systems. For file servers, copy data to freshly installed servers, set ACLs by using users and groups in the new forest, and then create print servers in a similar fashion.

  5. Do not permit the installation of legacy operating systems or applications in the pristine forest. If an application cannot be updated and freshly installed, leave it in the legacy forest and consider creative destruction to replace the application's functionality.
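Principles 2, 4 and 5 are the ones that drift most easily once a pristine forest is in use, because a single trust wizard run or an unapproved server build silently reverses them. The following PowerShell audit is an added example and is not part of the original document; it assumes the ActiveDirectory module on an administrative host joined to the pristine forest, and the legacy forest name and the allowed operating-system list are parameters you supply (the default list is an assumption to adjust to what you actually support).

```powershell
# Added example (not from the original document): audit a pristine forest against
# principles 2, 4 and 5 above. Assumes the ActiveDirectory module is available and
# that the script runs from a host joined to the pristine forest.
#Requires -Modules ActiveDirectory

function Test-PristineForest {
    [CmdletBinding()]
    param(
        # DNS names of legacy forests the pristine forest must never trust.
        [Parameter(Mandatory)] [string[]] $LegacyForest,
        # Operating systems permitted in the pristine forest (assumed default list).
        [string[]] $AllowedOS = @('Windows Server 2016', 'Windows Server 2012 R2', 'Windows 10')
    )

    $findings = @()

    # Principle 2. Direction is reported from this (pristine) forest's point of view:
    # Outbound means this forest trusts the target, Inbound means the target trusts
    # this forest. Toward a legacy forest only Inbound is acceptable.
    foreach ($trust in Get-ADTrust -Filter *) {
        $isLegacy = $LegacyForest -contains $trust.Target
        if ($isLegacy -and ($trust.Direction -in 'Outbound', 'Bidirectional')) {
            $findings += [pscustomobject]@{
                Check   = 'Trust'
                Object  = $trust.Target
                Problem = "Pristine forest trusts legacy forest (Direction=$($trust.Direction))"
            }
        }
        # External (non-forest) trusts should be quarantined so that SIDs from the
        # other side are filtered; forest trusts apply SID filtering by default.
        if (-not $trust.ForestTransitive -and -not $trust.SIDFilteringQuarantined) {
            $findings += [pscustomobject]@{
                Check   = 'Trust'
                Object  = $trust.Target
                Problem = 'External trust without SID filtering (quarantine) enabled'
            }
        }
    }

    # Principles 4 and 5. Every computer should be freshly installed with a current
    # OS; an empty or unlisted OperatingSystem attribute is reported for review.
    foreach ($c in Get-ADComputer -Filter * -Properties OperatingSystem) {
        $ok = $false
        foreach ($os in $AllowedOS) {
            if ($c.OperatingSystem -like "$os*") { $ok = $true }
        }
        if (-not $ok) {
            $findings += [pscustomobject]@{
                Check   = 'Computer'
                Object  = $c.Name
                Problem = "Operating system '$($c.OperatingSystem)' is not in the allowed list"
            }
        }
    }
    return $findings
}

# Usage (hypothetical forest name):
# Test-PristineForest -LegacyForest 'corp.contoso.com' | Format-Table -AutoSize
```

Run it on a schedule and treat any Trust finding as an incident rather than a configuration nit: an outbound trust from the pristine forest makes every assumption in principle 1 apply to the pristine forest as well.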

Defining a Limited, Risk-Based Migration Plan

Creating a limited, risk-based migration plan simply means that when deciding which users, applications, and data to migrate into your pristine forest, you should identify migration targets based on the degree of risk to which your organization is exposed if one of the users or systems is compromised. VIP users whose accounts are most likely to be targeted by attackers should be housed in the pristine forest. Applications that provide vital business functions should be installed on freshly built servers in the pristine forest, and highly sensitive data should be moved to secured servers in the pristine forest.

If you do not already have a clear picture of the most business-critical users, systems, applications, and data in your Active Directory environment, work with business units to identify them. Any application required for the business to operate should be identified, as should any servers on which critical applications run or critical data is stored. By identifying the users and resources that are required for your organization to continue to function, you create a naturally prioritized collection of assets on which to focus your efforts.

Leveraging "Nonmigratory" Migrations

Whether you know that your environment has been compromised, suspect that it has been compromised, or simply prefer not to migrate legacy data and objects from a legacy Active Directory installation to a new one, consider migration approaches that do not technically "migrate" objects.

User Accounts

In a traditional Active Directory migration from one forest to another, the SIDHistory (SID history) attribute on user objects is used to store users' SIDs and the SIDs of groups that users were members of in the legacy forest. If user accounts are migrated to a new forest, and they access resources in the legacy forest, the SIDs in the SID history are used to create an access token that allows the users to access resources to which they had access before the accounts were migrated.

Maintaining SID history, however, has proven problematic in some environments because populating users' access tokens with current and historical SIDs can result in token bloat. Token bloat is an issue in which the number of SIDs that must be stored in a user's access token uses or exceeds the amount of space available in the token.

Although token sizes can be increased to a limited extent, the ultimate solution to token bloat is to reduce the number of SIDs associated with user accounts, whether by rationalizing group memberships, eliminating SID history, or a combination of both. For more information about token bloat, see MaxTokenSize and Kerberos Token Bloat.

Rather than migrating users from a legacy environment (particularly one in which group memberships and SID histories may be compromised) by using SID history, consider leveraging metadirectory applications to "migrate" users without carrying SID histories into the new forest. When user accounts are created in the new forest, you can use a metadirectory application to map the accounts to their corresponding accounts in the legacy forest.

To provide the new user accounts access to resources in the legacy forest, you can use the metadirectory tooling to identify the resource groups to which the users' legacy accounts were granted access, and then add the users' new accounts to those groups. Depending on your group strategy in the legacy forest, you may need to create domain local groups for resource access or convert existing groups to domain local groups to allow the new accounts to be added to resource groups. By focusing first on the most critical applications and data and migrating them to the new environment (with or without SID history), you can limit the amount of effort expended in the legacy environment.
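The mapping step above is easy to describe and easy to get subtly wrong: only domain local groups in the legacy domain can hold a principal from another forest, and the new account must never pick up a sIDHistory value on the way. The PowerShell below is an added example, not the document's or any metadirectory product's code; it assumes the ActiveDirectory module, an inbound trust (the legacy forest trusts the pristine forest), rights to modify the legacy resource groups, and hypothetical account and server names. The token-size estimate uses the constants Microsoft publishes in its MaxTokenSize guidance (1200 + 40d + 8s); treat those constants as an assumption and check them against the referenced article.

```powershell
# Added example (not from the original document): a "nonmigratory" account mapping.
# The new account already exists in the pristine forest without SID history; this
# grants it the legacy account's resource access by adding the new account's SID to
# the legacy domain-local resource groups. Assumes the ActiveDirectory module, an
# inbound trust (legacy trusts pristine) and rights to modify the legacy groups.
#Requires -Modules ActiveDirectory

function Get-SidHistoryCarriers {
    # Principle 3 check: nothing in the pristine forest should carry sIDHistory.
    param([string] $Server = (Get-ADDomain).PDCEmulator)
    Get-ADObject -Server $Server -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        Select-Object Name, ObjectClass,
            @{ n = 'SidHistory'; e = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ',' } }
}

function Get-LegacyResourceGroups {
    # Every group the legacy account belongs to, with its scope, so the caller can
    # see which ones must be converted to DomainLocal before cross-forest members fit.
    param(
        [Parameter(Mandatory)] [string] $LegacyServer,  # a DC in the legacy domain
        [Parameter(Mandatory)] [string] $LegacySam      # the user's legacy account
    )
    $legacyUser = Get-ADUser -Server $LegacyServer -Identity $LegacySam -Properties memberOf
    foreach ($dn in $legacyUser.memberOf) {
        Get-ADGroup -Server $LegacyServer -Identity $dn
    }
}

function Grant-LegacyAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $LegacyServer,
        [Parameter(Mandatory)] [string] $LegacySam,
        [Parameter(Mandatory)] [string] $NewSam         # the pristine-forest account
    )
    # Resolved in the current (pristine) forest; only its SID crosses the trust.
    $newUser = Get-ADUser -Identity $NewSam
    foreach ($g in Get-LegacyResourceGroups -LegacyServer $LegacyServer -LegacySam $LegacySam) {
        if ($g.GroupScope -ne 'DomainLocal') {
            Write-Warning "$($g.Name) is $($g.GroupScope); convert it to DomainLocal before adding cross-forest members"
            continue
        }
        # Cross-forest members are added by SID; the legacy DC creates the foreign
        # security principal object itself.
        if ($PSCmdlet.ShouldProcess($g.DistinguishedName, "add <SID=$($newUser.SID)>")) {
            Set-ADGroup -Server $LegacyServer -Identity $g.DistinguishedName `
                -Add @{ member = "<SID=$($newUser.SID)>" }
        }
    }
}

function Get-TokenSizeEstimate {
    # Estimate from Microsoft's MaxTokenSize guidance (constants assumed from it):
    # 1200 + 40*d + 8*s, where d counts domain-local groups, universal groups from
    # other domains and sIDHistory entries, and s counts global groups and universal
    # groups from the account's own domain. Each retained SID history entry costs 40 bytes.
    param([int] $DomainLocalAndForeign, [int] $GlobalAndOwnUniversal, [int] $SidHistory = 0)
    return 1200 + 40 * ($DomainLocalAndForeign + $SidHistory) + 8 * $GlobalAndOwnUniversal
}

# Usage (hypothetical names): preview, then apply, then confirm no SID history leaked in.
# Grant-LegacyAccess -LegacyServer 'dc1.corp.contoso.com' -LegacySam 'jdoe' -NewSam 'jdoe' -WhatIf
# Grant-LegacyAccess -LegacyServer 'dc1.corp.contoso.com' -LegacySam 'jdoe' -NewSam 'jdoe'
# Get-SidHistoryCarriers
```

Because access is granted by adding a SID from the pristine forest to legacy groups, the legacy account's own SID and SID history never enter the new forest, which is the whole point of the nonmigratory approach; the warning branch is where the "create or convert domain local groups" work from the paragraph above shows up in practice.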

Servers and Workstations

In a traditional migration from one Active Directory forest to another, migrating computers is often relatively simple compared to migrating users, groups, and applications. Depending on the computer role, migrating to a new forest can be as simple as disjoining an old domain and joining a new one. However, migrating computer accounts intact into a pristine forest defeats the purpose of creating a fresh environment. Rather than migrating (potentially compromised, misconfigured, or outdated) computer accounts to a new forest, you should freshly install servers and workstations in the new environment. You can migrate data from systems in the legacy forest to systems in the pristine forest, but not the systems that house the data.

Applications

Applications can present the most significant challenge in any migration from one forest to another, but in the case of a "nonmigratory" migration, one of the most basic principles you should apply is that applications in the pristine forest should be current, supported, and freshly installed. Data can be migrated from application instances in the old forest where possible. In situations in which an application cannot be "recreated" in the pristine forest, you should consider approaches such as creative destruction or isolation of legacy applications, as described in the following sections.

Implementing Creative Destruction

Creative destruction is an economics term that describes economic development created by the destruction of a prior order. In recent years, the term has been applied to information technology. It typically refers to mechanisms by which old infrastructure is eliminated, not by upgrading it, but by replacing it with something altogether new. The 2011 Gartner Symposium ITXPO for CIOs and senior IT executives presented creative destruction as one of its key themes for cost reduction and increases in efficiency. Improvements in security are possible as a natural outgrowth of the process.

For example, an organization may be composed of multiple business units that each use a different application to perform similar functionality, with varying degrees of modernity and vendor support. Historically, IT might be responsible for maintaining each business unit's application separately, and consolidation efforts would consist of attempting to figure out which application offered the best functionality and then migrating data into that application from the others.

In creative destruction, rather than maintaining outdated or redundant applications, you implement entirely new applications to replace the old, migrate data into the new applications, and decommission the old applications and the systems on which they run. In some cases, you can implement creative destruction of legacy applications by deploying a new application in your own infrastructure, but wherever possible, you should consider porting the application to a cloud-based solution instead.

By deploying cloud-based applications to replace legacy in-house applications, you not only reduce maintenance efforts and costs, but you also reduce your organization's attack surface by eliminating legacy systems and applications that present vulnerabilities for attackers to leverage. This approach provides a faster way for an organization to obtain desired functionality while simultaneously eliminating legacy targets in the infrastructure. Although the principle of creative destruction does not apply to all IT assets, it provides an often viable option for eliminating legacy systems and applications while simultaneously deploying robust, secure, cloud-based applications.

Isolating Legacy Systems and Applications

A natural outgrowth of migrating your business-critical users and systems to a pristine, secure environment is that your legacy forest will contain less valuable information and systems. Although the legacy systems and applications that remain in the less secure environment may present an elevated risk of compromise, they also represent a reduced severity of compromise. By rehoming and modernizing your critical business assets, you can focus on deploying effective management and monitoring without needing to accommodate legacy settings and protocols.

When you have rehomed your critical data to a pristine forest, you can evaluate options to further isolate legacy systems and applications in your "main" AD DS forest. Although you might implement creative destruction to replace one application and the servers on which it runs, in other cases you might consider additional isolation of the least secure systems and applications. For example, an application that is used by a handful of users, but which requires legacy credentials like LAN Manager hashes, can be migrated to a small domain you create to support systems for which you have no replacement options.

By removing these systems from domains where they forced the implementation of legacy settings, you can subsequently increase the security of those domains by configuring them to support only current operating systems and applications. It is, however, preferable to decommission legacy systems and applications whenever possible. If decommissioning is simply not feasible for a small segment of your legacy population, segregating it into a separate domain (or forest) allows you to perform incremental improvements in the rest of the legacy installation.

Simplifying Security for End Users

In most organizations, users who have access to the most sensitive information due to the nature of their roles in the organization often have the least amount of time to devote to learning complex access restrictions and controls. Although you should have a comprehensive security education program for all users in your organization, you should also focus on making security as simple to use as possible by implementing controls that are transparent and simplifying the principles to which users must adhere.

For example, you may define a policy in which executives and other VIPs are required to use secure workstations to access sensitive data and systems, allowing them to use their other devices to access less sensitive data. This is a simple principle for users to remember, but you can implement a number of backend controls to help enforce the approach.

You can use Authentication Mechanism Assurance to permit the users to access sensitive data only if they've logged on to their secure systems using their smart cards, and you can use IPsec and user rights restrictions to control the systems from which they can connect to sensitive data repositories. You can use the Microsoft Data Classification Toolkit to build a robust file classification infrastructure, and you can implement Dynamic Access Control to restrict access to data based on characteristics of an access attempt, translating business rules into technical controls.
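Authentication Mechanism Assurance is the control that turns "use your smart card to reach sensitive data" into something the directory enforces rather than the user remembers: the certificate issuance policy on the smart card certificate is linked to a group, and the group's SID appears in the user's Kerberos ticket only for logons made with such a certificate. The PowerShell below is an added example and is not the document's own procedure; it assumes the ActiveDirectory module, a domain at the Windows Server 2008 R2 functional level or later, an issuance policy already published by your AD CS CA, and hypothetical policy and group names.

```powershell
# Added example (not from the original document): link a certificate issuance policy
# to a universal security group for Authentication Mechanism Assurance. Assumes the
# ActiveDirectory module and an issuance policy already published by AD CS.
#Requires -Modules ActiveDirectory

function Get-OidContainer {
    # Issuance policy OID objects live in the configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    return "CN=OID,CN=Public Key Services,CN=Services,$configNC"
}

function Set-IssuancePolicyGroupLink {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $IssuancePolicyName,  # displayName of the OID object
        [Parameter(Mandatory)] [string] $GroupName            # universal security group, no members
    )
    $policy = Get-ADObject -SearchBase (Get-OidContainer) `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$IssuancePolicyName))" `
        -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink
    if (-not $policy) { throw "Issuance policy '$IssuancePolicyName' not found" }

    $group = Get-ADGroup -Identity $GroupName -Properties member
    # AMA requirements: universal security group, and it must stay empty because
    # membership is conferred by the logon certificate, not by the member attribute.
    if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupName must be a universal security group (is $($group.GroupScope)/$($group.GroupCategory))"
    }
    if ($group.member.Count -gt 0) {
        throw "$GroupName must have no members; remove them before linking"
    }
    if ($PSCmdlet.ShouldProcess($policy.DistinguishedName, "link to $($group.DistinguishedName)")) {
        Set-ADObject -Identity $policy.DistinguishedName `
            -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
    }
    [pscustomobject]@{
        Policy = $IssuancePolicyName
        OID    = $policy.'msPKI-Cert-Template-OID'
        Group  = $group.DistinguishedName
    }
}

function Get-IssuancePolicyGroupLink {
    # Report every existing link. Review this regularly: a link added to a
    # privileged group is a quiet way for an attacker holding the CA to mint membership.
    Get-ADObject -SearchBase (Get-OidContainer) `
        -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
        -Properties displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink |
        Select-Object displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink
}

# Usage (hypothetical names): link the policy, then grant the group access to the
# sensitive shares. A password logon, or a certificate without this policy, yields a
# ticket that lacks the group SID, so the same user is denied from an ordinary device.
# Set-IssuancePolicyGroupLink -IssuancePolicyName 'VIP Smart Card' -GroupName 'VIP-SmartCardLogon'
# Get-IssuancePolicyGroupLink
```

Grant the linked group, never the user accounts directly, access to the sensitive repositories; combined with an IPsec or user-rights restriction on which hosts may reach those repositories, this produces the "just works" from a secured workstation and "just doesn't" from anywhere else described below, and the group SID in the ticket gives your monitoring a clean signal to alert on when sensitive data is reached without it.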

From the perspective of the user, accessing sensitive data from a secured system "just works," and attempting to do so from an unsecured system "just doesn't." From the perspective of monitoring and managing your environment, however, you are helping to create identifiable patterns in how users access sensitive data and systems, making it easier for you to detect anomalous access attempts.

In environments in which user resistance to long, complex passwords has resulted in insufficient password policies, particularly for VIP users, consider alternate approaches to authentication, whether via smart cards (which come in a number of form factors and with additional features to strengthen authentication), biometric controls such as finger-swipe readers, or even authentication data that is secured by trusted platform module (TPM) chips in users' computers. Although multifactor authentication does not prevent credential theft attacks if a computer is already compromised, by giving your users easy-to-use authentication controls, you can assign more robust passwords to the accounts of users for whom traditional user name and password controls are unwieldy.