Reducing the Active Directory Attack Surface

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This section focuses on technical controls to implement to reduce the attack surface of the Active Directory installation. The section contains the following information:

  • Implementing Least-Privilege Administrative Models focuses on identifying the risk that the use of highly privileged accounts for day-to-day administration presents, in addition to providing recommendations to implement to reduce the risk that privileged accounts present.

  • Implementing Secure Administrative Hosts describes principles for deployment of dedicated, secure administrative systems, in addition to some sample approaches to a secure administrative host deployment.

  • Securing Domain Controllers Against Attack discusses policies and settings that, although similar to the recommendations for the implementation of secure administrative hosts, contain some domain controller-specific recommendations to help ensure that the domain controllers and the systems used to manage them are well-secured.

Privileged Accounts and Groups in Active Directory

This section provides background information about privileged accounts and groups in Active Directory, intended to explain the commonalities and differences between privileged accounts and groups in Active Directory. By understanding these distinctions, whether you implement the recommendations in Implementing Least-Privilege Administrative Models verbatim or choose to customize them for your organization, you have the tools you need to secure each group and account appropriately.

Built-in Privileged Accounts and Groups

Active Directory facilitates delegation of administration and supports the principle of least privilege in assigning rights and permissions. "Regular" users who have accounts in a domain are, by default, able to read much of what is stored in the directory, but are able to change only a very limited set of data in the directory. Users who require additional privilege can be granted membership in various "privileged" groups that are built into the directory so that they may perform specific tasks related to their roles, but cannot perform tasks that are not relevant to their duties. Organizations can also create groups that are tailored to specific job responsibilities and are granted granular rights and permissions that allow IT staff to perform day-to-day administrative functions without granting rights and permissions that exceed what is required for those functions.

Within Active Directory, three built-in groups are the highest privilege groups in the directory: Enterprise Admins, Domain Admins, and Administrators. The default configuration and capabilities of each of these groups are described in the following sections:

Highest Privilege Groups in Active Directory

Enterprise Admins

Enterprise Admins (EA) is a group that exists only in the forest root domain, and by default, it is a member of the Administrators group in all domains in the forest. The built-in Administrator account in the forest root domain is the only default member of the EA group. EAs are granted rights and permissions that allow them to implement forest-wide changes (that is, changes that affect all domains in the forest), such as adding or removing domains, establishing forest trusts, or raising forest functional levels. In a properly designed and implemented delegation model, EA membership is required only when first constructing the forest or when making certain forest-wide changes such as establishing an outbound forest trust. Most of the rights and permissions granted to the EA group can be delegated to lesser-privileged users and groups.

Domain Admins

Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's Administrators group and a member of the local Administrators group on every computer that is joined to the domain. The only default member of the DA group for a domain is the built-in Administrator account for that domain. DAs are "all-powerful" within their domains, while EAs have forest-wide privilege. In a properly designed and implemented delegation model, Domain Admins membership should be required only in "break glass" scenarios (such as situations in which an account with high levels of privilege on every computer in the domain is needed). Although native Active Directory delegation mechanisms allow delegation to the extent that it is possible to use DA accounts only in emergency scenarios, constructing an effective delegation model can be time consuming, and many organizations leverage third-party tools to expedite the process.

Administrators

The third group is the built-in domain local Administrators (BA) group, into which DAs and EAs are nested. This group is granted many of the direct rights and permissions in the directory and on domain controllers. However, the Administrators group for a domain has no privileges on member servers or on workstations. It is via membership in the computers' local Administrators group that local privilege is granted.

Note

Although these are the default configurations of these privileged groups, a member of any of the three groups can manipulate the directory to gain membership in any of the other groups. In some cases, it is trivial to obtain membership in the other groups, while in others it is more difficult, but from the perspective of potential privilege, all three groups should be considered effectively equivalent.

Schema Admins

A fourth privileged group, Schema Admins (SA), exists only in the forest root domain and has only that domain's built-in Administrator account as a default member, similar to the Enterprise Admins group. The Schema Admins group is intended to be populated only temporarily and occasionally (when modification of the AD DS schema is required).

Although the SA group is the only group that can modify the Active Directory schema (that is, the directory's underlying data structures such as objects and attributes), the scope of the SA group's rights and permissions is more limited than that of the previously described groups. It is also common to find that organizations have developed appropriate practices for the management of the membership of the SA group, because membership in the group is typically infrequently needed, and only for short periods of time. This is technically true of the EA, DA, and BA groups in Active Directory as well, but it is far less common to find that organizations have implemented similar practices for these groups as for the SA group.

Protected Accounts and Groups in Active Directory

Within Active Directory, a default set of privileged accounts and groups called "protected" accounts and groups are secured differently than other objects in the directory. Any account that has direct or transitive membership in any protected group (regardless of whether the membership is derived from security or distribution groups) inherits this restricted security.

For example, if a user is a member of a distribution group that is, in turn, a member of a protected group in Active Directory, that user object is flagged as a protected account. When an account is flagged as a protected account, the value of the adminCount attribute on the object is set to 1.

Note

Although transitive membership in a protected group includes nested distribution and nested security groups, accounts that are members of nested distribution groups will not receive the protected group's SID in their access tokens. However, distribution groups can be converted to security groups in Active Directory, which is why distribution groups are included in protected group member enumeration. Should a protected nested distribution group ever be converted to a security group, the accounts that are members of the former distribution group will subsequently receive the parent protected group's SID in their access tokens at the next logon.

The following table lists the default protected accounts and groups in Active Directory by operating system version and service pack level.

Default Protected Accounts and Groups in Active Directory by Operating System and Service Pack (SP) Version

| Windows 2000 < SP4 | Windows 2000 SP4 - Windows Server 2003 | Windows Server 2003 SP1+ | Windows Server 2008 - Windows Server 2012 |
|---|---|---|---|
| Administrators | Account Operators | Account Operators | Account Operators |
| | Administrator | Administrator | Administrator |
| | Administrators | Administrators | Administrators |
| Domain Admins | Backup Operators | Backup Operators | Backup Operators |
| | Cert Publishers | | |
| | Domain Admins | Domain Admins | Domain Admins |
| Enterprise Admins | Domain Controllers | Domain Controllers | Domain Controllers |
| | Enterprise Admins | Enterprise Admins | Enterprise Admins |
| | Krbtgt | Krbtgt | Krbtgt |
| | Print Operators | Print Operators | Print Operators |
| | | | Read-only Domain Controllers |
| | Replicator | Replicator | Replicator |
| | Schema Admins | Schema Admins | Schema Admins |

AdminSDHolder and SDProp

In the System container of every Active Directory domain, an object called AdminSDHolder is automatically created. The purpose of the AdminSDHolder object is to ensure that the permissions on protected accounts and groups are consistently enforced, regardless of where the protected groups and accounts are located in the domain.

Every 60 minutes (by default), a process known as Security Descriptor Propagator (SDProp) runs on the domain controller that holds the domain's PDC Emulator role. SDProp compares the permissions on the domain's AdminSDHolder object with the permissions on the protected accounts and groups in the domain. If the permissions on any of the protected accounts and groups do not match the permissions on the AdminSDHolder object, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object.

Permissions inheritance is disabled on protected groups and accounts, which means that even if the accounts or groups are moved to different locations in the directory, they do not inherit permissions from their new parent objects. Inheritance is also disabled on the AdminSDHolder object, so that permissions changes to the parent objects do not change the permissions of AdminSDHolder.

Note

When an account is removed from a protected group, it is no longer considered a protected account, but its adminCount attribute remains set to 1 if it is not manually changed. The result of this configuration is that the object's ACLs are no longer updated by SDProp, but the object still does not inherit permissions from its parent object. Therefore, the object may reside in an organizational unit (OU) to which permissions have been delegated, but the formerly protected object will not inherit these delegated permissions. A script to locate and reset formerly protected objects in the domain can be found in the Microsoft Support article 817433.
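As an added example (not code from this Microsoft page or from the support article it cites), the following PowerShell locates objects that still carry adminCount=1 but no longer have transitive membership in any protected group, which is the "formerly protected" condition the note above describes, and shows the remediation in -WhatIf mode. It assumes the ActiveDirectory module, the Windows Server 2008 - 2012 protected group list from the table above, and read access to the domain.

```powershell
# Added example, not code from the Microsoft page. Requires the ActiveDirectory
# module (RSAT) and permission to read the domain; remediation is -WhatIf only.
Import-Module ActiveDirectory

# Protected groups for Windows Server 2008 - 2012 (from the table on this page).
# Enterprise Admins and Schema Admins exist only in the forest root domain, so
# lookups that fail in a child domain are simply skipped.
$protectedGroupNames = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins'
)

# Transitive members of every protected group, resolved with the
# LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which follows
# nested security and distribution groups the same way SDProp's enumeration does.
$protectedMembers = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($name in $protectedGroupNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    $chain = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    Get-ADObject -LDAPFilter $chain |
        ForEach-Object { [void]$protectedMembers.Add($_.DistinguishedName) }
}

# Administrator and krbtgt are protected directly rather than through a group.
$directlyProtected = @('Administrator', 'krbtgt')

# Every user or computer object SDProp has flagged, keeping only those with
# no remaining path into a protected group: the orphans.
$flaggedFilter = '(&(adminCount=1)(|(objectClass=user)(objectClass=computer)))'
$orphans = Get-ADObject -LDAPFilter $flaggedFilter -Properties adminCount |
    Where-Object {
        $directlyProtected -notcontains $_.Name -and
        -not $protectedMembers.Contains($_.DistinguishedName)
    }

$orphans | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Remediation, shown with -WhatIf: clear adminCount and re-enable inheritance so
# the object again receives permissions delegated on its OU. Remove -WhatIf to apply.
foreach ($obj in $orphans) {
    $path = "AD:\$($obj.DistinguishedName)"
    Set-ADObject -Identity $obj.DistinguishedName -Clear adminCount -WhatIf
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # inherit from parent, keep existing ACEs
    Set-Acl -Path $path -AclObject $acl -WhatIf
}
```

Review the orphan list before applying: an account that was deliberately left with a hardened ACL should be re-added to a protected group or re-protected explicitly rather than silently reset.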

AdminSDHolder Ownership

Most objects in Active Directory are owned by the domain's BA group. However, the AdminSDHolder object is, by default, owned by the domain's DA group. (This is a circumstance in which DAs do not derive their rights and permissions via membership in the Administrators group for the domain.)

In versions of Windows earlier than Windows Server 2008, owners of an object can change the permissions of the object, including granting themselves permissions that they did not originally have. Therefore, the default permissions on a domain's AdminSDHolder object prevent users who are members of the BA or EA groups from changing the permissions for a domain's AdminSDHolder object. However, members of the Administrators group for the domain can take ownership of the object and grant themselves additional permissions, which means that this protection is rudimentary and only protects the object against accidental modification by users who are not members of the DA group in the domain. Additionally, the BA and EA (where applicable) groups have permission to change the attributes of the AdminSDHolder object in the local domain (the root domain for EA).
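As an added example (not code from this Microsoft page), the following PowerShell checks the three properties of AdminSDHolder discussed in the two sections above: that inheritance is blocked on it, that its owner is the domain's Domain Admins group, and that no trustee outside an expected baseline holds write-class rights in its DACL, since any ACE placed there is copied by SDProp onto every protected account and group. It assumes the ActiveDirectory module; the $expectedTrustees baseline is an assumption to be replaced with a known-good export from your own forest.

```powershell
# Added example, not code from the Microsoft page. Requires the ActiveDirectory
# module (RSAT); read access to CN=AdminSDHolder,CN=System is sufficient.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$acl      = Get-Acl -Path "AD:\$holderDN"

# 1. Inheritance must be blocked, otherwise permission changes on the parent
#    would flow into AdminSDHolder and from there onto every protected object.
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is enabled on $holderDN; expected it to be blocked."
}

# 2. The default owner is the domain's Domain Admins group.
$expectedOwner = "$($domain.NetBIOSName)\Domain Admins"
if ($acl.Owner -ne $expectedOwner) {
    Write-Warning "AdminSDHolder owner is '$($acl.Owner)'; expected '$expectedOwner'."
}

# 3. Flag Allow ACEs that grant write-class rights to trustees outside the baseline.
#    This baseline is an ASSUMPTION for illustration; replace it with an export
#    taken from a known-good domain, because the default ACL varies by forest version
#    and Enterprise Admins carries the forest root's NetBIOS name in child domains.
$expectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'Everyone', 'BUILTIN\Administrators',
    'BUILTIN\Terminal Server License Servers',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    "$($domain.NetBIOSName)\Cert Publishers"
)
$r = [System.DirectoryServices.ActiveDirectoryRights]
$writeMask = [int]($r::GenericAll -bor $r::GenericWrite -bor $r::WriteDacl -bor
                   $r::WriteOwner -bor $r::WriteProperty -bor $r::ExtendedRight)

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
    $trustee = $ace.IdentityReference.Value
    if ($expectedTrustees -contains $trustee) { continue }
    [pscustomobject]@{
        Trustee    = $trustee
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType   # non-empty GUID when scoped to one attribute or right
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No unexpected write-class ACEs on $holderDN." }
```

Run this on a schedule and diff the output against the previous run; a new trustee appearing on AdminSDHolder is a change that will reach every protected principal within the 60-minute SDProp interval.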

Note

An attribute on the AdminSDHolder object, dSHeuristics, allows limited customization (removal) of groups that are considered protected groups and are affected by AdminSDHolder and SDProp. This customization should be carefully considered if it is implemented, although there are valid circumstances in which modification of dSHeuristics on AdminSDHolder is useful. More information about modification of the dSHeuristics attribute on an AdminSDHolder object can be found in the Microsoft Support articles 817433 and 973840, and in Appendix C: Protected Accounts and Groups in Active Directory.

Although the most privileged groups in Active Directory are described here, there are a number of other groups that have been granted elevated levels of privilege. For more information about all of the default and built-in groups in Active Directory and the user rights assigned to each, see Appendix B: Privileged Accounts and Groups in Active Directory.