Securing Domain Controllers Against Attack

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Law Number Three: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. - Ten Immutable Laws of Security (Version 2.0)

Domain controllers provide the physical storage for the AD DS database, in addition to providing the services and data that allow enterprises to effectively manage their servers, workstations, users, and applications. If privileged access to a domain controller is obtained by a malicious user, that user can modify, corrupt, or destroy the AD DS database and, by extension, all of the systems and accounts that are managed by Active Directory.

Because domain controllers can read from and write to anything in the AD DS database, compromise of a domain controller means that your Active Directory forest can never be considered trustworthy again unless you are able to recover using a known good backup and to close the gaps that allowed the compromise in the process.

Depending on an attacker's preparation, tooling, and skill, modification or even irreparable damage to the AD DS database can be completed in minutes to hours, not days or weeks. What matters isn't how long an attacker has privileged access to Active Directory, but how much the attacker has planned for the moment when privileged access is obtained. Compromising a domain controller can provide the most expedient path to wide-scale propagation of access, or the most direct path to destruction of member servers, workstations, and Active Directory. Because of this, domain controllers should be secured separately and more stringently than the general Windows infrastructure.

Physical Security for Domain Controllers

This section provides information about physically securing domain controllers, whether the domain controllers are physical or virtual machines, in datacenter locations, branch offices, and even remote locations with only basic infrastructure controls.

Datacenter Domain Controllers

Physical Domain Controllers

In datacenters, physical domain controllers should be installed in dedicated secure racks or cages that are separate from the general server population. When possible, domain controllers should be configured with Trusted Platform Module (TPM) chips, and all volumes in the domain controller servers should be protected via BitLocker Drive Encryption. BitLocker generally adds performance overhead in single-digit percentages, but protects the directory against compromise even if disks are removed from the server. BitLocker can also help protect systems against attacks such as rootkits, because the modification of boot files will cause the server to boot into recovery mode so that the original binaries can be loaded. If a domain controller is configured to use software RAID, serial-attached SCSI, SAN/NAS storage, or dynamic volumes, BitLocker cannot be implemented, so locally attached storage (with or without hardware RAID) should be used in domain controllers whenever possible.

Virtual Domain Controllers

If you implement virtual domain controllers, you should ensure that domain controllers run on separate physical hosts from the other virtual machines in the environment. Even if you use a third-party virtualization platform, consider deploying virtual domain controllers on Hyper-V Server in Windows Server 2012 or Windows Server 2008 R2, which provides a minimal attack surface and can be managed with the domain controllers it hosts rather than being managed with the rest of the virtualization hosts. If you implement System Center Virtual Machine Manager (SCVMM) for management of your virtualization infrastructure, you can delegate administration for the physical hosts on which domain controller virtual machines reside, and for the domain controllers themselves, to authorized administrators. You should also consider separating the storage of virtual domain controllers to prevent storage administrators from accessing the virtual machine files.

Branch Locations

Physical Domain Controllers

In locations in which multiple servers reside but are not physically secured to the degree that datacenter servers are secured, physical domain controllers should be configured with TPM chips and BitLocker Drive Encryption for all server volumes. If a domain controller cannot be stored in a locked room in branch locations, you should consider deploying RODCs in those locations.

Virtual Domain Controllers

Whenever possible, you should run virtual domain controllers in branch offices on separate physical hosts from the other virtual machines in the site. In branch offices in which virtual domain controllers cannot run on separate physical hosts from the rest of the virtual server population, you should implement TPM chips and BitLocker Drive Encryption on the hosts on which virtual domain controllers run at a minimum, and on all hosts if possible. Depending on the size of the branch office and the security of the physical hosts, you should consider deploying RODCs in branch locations.

Remote Locations with Limited Space and Security

If your infrastructure includes locations in which only a single physical server can be installed, a server capable of running virtualization workloads should be installed in the remote location, and BitLocker Drive Encryption should be configured to protect all volumes in the server. One virtual machine on the server should run an RODC, with other servers running as separate virtual machines on the host. Information about planning for deployment of RODCs is provided in the Read-Only Domain Controller Planning and Deployment Guide. For more information about deploying and securing virtualized domain controllers, see Running Domain Controllers in Hyper-V on the TechNet website. For more detailed guidance for hardening Hyper-V, delegating virtual machine management, and protecting virtual machines, see the Hyper-V Security Guide Solution Accelerator on the Microsoft website.

Domain Controller Operating Systems

You should run all domain controllers on the newest version of Windows Server that is supported within your organization and prioritize decommissioning of legacy operating systems in the domain controller population. By keeping your domain controllers current and eliminating legacy domain controllers, you can often take advantage of new functionality and security that may not be available in domains or forests with domain controllers running legacy operating systems. Domain controllers should be freshly installed and promoted rather than upgraded from previous operating systems or server roles; that is, do not perform in-place upgrades of domain controllers or run the AD DS Installation Wizard on servers on which the operating system is not freshly installed. By implementing freshly installed domain controllers, you ensure that legacy files and settings are not inadvertently left on domain controllers, and you simplify the enforcement of a consistent, secure domain controller configuration.

Secure Configuration of Domain Controllers

A number of freely available tools, some of which are installed by default in Windows, can be used to create an initial security configuration baseline for domain controllers that can subsequently be enforced by GPOs. These tools are described here.

Security Configuration Wizard

All domain controllers should be locked down upon initial build. This can be achieved using the Security Configuration Wizard that ships natively in Windows Server to configure service, registry, system, and WFAS settings on a "base build" domain controller. Settings can be saved and exported to a GPO that can be linked to the Domain Controllers OU in each domain in the forest to enforce consistent configuration of domain controllers. If your domain contains multiple versions of Windows operating systems, you can configure Windows Management Instrumentation (WMI) filters to apply GPOs only to the domain controllers running the corresponding version of the operating system.

Microsoft Security Compliance Manager

Microsoft Security Compliance Manager domain controller settings can be combined with Security Configuration Wizard settings to produce comprehensive configuration baselines for domain controllers that are deployed and enforced by GPOs deployed at the Domain Controllers OU in Active Directory.

AppLocker

AppLocker or a third-party application whitelisting tool should be used to configure the services and applications that are permitted to run on domain controllers, and these permitted applications and services should consist only of what is required for the computer to host AD DS and possibly DNS, plus any system security software such as antivirus software. By whitelisting permitted applications on domain controllers, an additional layer of security is added so that even if an unauthorized application is installed on a domain controller, the application cannot run.
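The whitelist described above, built with the AppLocker cmdlets as an added example (not code from the original article). It assumes a freshly built, trusted base-build domain controller, the GroupPolicy RSAT module, and the GPO and domain names shown, which are placeholders for a GPO linked to the Domain Controllers OU.

```powershell
# Added example (not from the original article): build a DC AppLocker baseline.
# Run on a freshly installed, trusted "base build" domain controller.
# Assumptions: the GroupPolicy RSAT module is present, and the GPO named below
# is (or will be) linked to the Domain Controllers OU of the assumed domain.
Import-Module AppLocker
Import-Module GroupPolicy

$gpoName = 'DC AppLocker Baseline'   # assumed GPO name
$domain  = 'corp.example.com'        # assumed domain

# Directories that make up the approved image: OS binaries, the AD DS/DNS role
# files under System32, and installed security software. Anything outside these
# paths (a tool dropped into a profile or temp directory) matches no allow rule.
$approvedPaths = @(
    "$env:SystemRoot\System32",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
)

# Inventory publisher/hash/path information for every executable artefact.
$files = foreach ($p in $approvedPaths) {
    if ($p -and (Test-Path $p)) {
        Get-AppLockerFileInformation -Directory $p -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller
    }
}

# Publisher rules first (they survive patching of signed binaries); hash rules
# only for unsigned files. -Optimize collapses duplicate rules.
$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize

# Start in AuditOnly: review the AppLocker event logs on the DC for anything
# it legitimately runs before switching each collection to Enabled.
foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }

$xmlPath = Join-Path $env:TEMP 'dc-applocker.xml'
$policy.ToXml() | Out-File -FilePath $xmlPath -Encoding UTF8

# Publish the policy into the GPO (created if missing) so every DC receives it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://$domain/$($gpo.Path)"

# AppLocker enforces nothing unless the Application Identity service runs;
# set it to start automatically (sc.exe works even where the service is protected).
sc.exe config appidsvc start= auto
sc.exe start appidsvc
```

Because the rules are generated from whatever is on disk at build time, run this before any non-essential software is installed, and regenerate the policy whenever the approved image changes.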

RDP Restrictions

Group Policy Objects that link to all domain controller OUs in a forest should be configured to allow RDP connections only from authorized users and systems, that is, jump servers. This can be achieved through a combination of user rights settings and WFAS configuration, and should be implemented in GPOs so that the policy is consistently applied. If it is bypassed, the next Group Policy refresh returns the system to its proper configuration.
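The two layers named above (a user right plus a WFAS rule) as an added example, not code from the original article. The domain and GPO names, the jump-server addresses, and the choice of BUILTIN\Administrators as the authorized group are assumptions.

```powershell
# Added example (not from the original article). Assumptions: the domain and
# GPO names, the jump-server addresses, and that BUILTIN\Administrators is the
# group authorised for RDP; the GPO is linked to the Domain Controllers OU.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain      = 'corp.example.com'             # assumed
$gpoName     = 'DC Firewall Baseline'         # assumed GPO name
$jumpServers = @('10.10.5.10', '10.10.5.11')  # assumed jump-server addresses

# Layer 1: the "Allow log on through Remote Desktop Services" user right.
# Applied with secedit on the base build so the Security Configuration Wizard
# captures it into the GPO. S-1-5-32-544 is the well-known SID of
# BUILTIN\Administrators; listing only it drops every other holder of the right.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@
$infPath = Join-Path $env:TEMP 'dc-rdp-rights.inf'
$inf | Out-File -FilePath $infPath -Encoding Unicode
secedit.exe /configure /db "$env:TEMP\dc-rdp-rights.sdb" /cfg $infPath /areas USER_RIGHTS

# Layer 2: WFAS, written directly into the GPO's policy store.
$store = "$domain\$gpoName"
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }

# Only the jump servers may reach TCP 3389 on the domain profile.
New-NetFirewallRule -PolicyStore $store -DisplayName 'RDP from jump servers only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $jumpServers `
    -Profile Domain -Action Allow

# Stop locally defined rules (including the built-in, unscoped "Remote Desktop"
# group) from merging with the GPO. Caveat: from this point the GPO must carry
# every rule a DC needs (AD DS, DNS, replication), i.e. the SCW-captured set.
Set-NetFirewallProfile -PolicyStore $store -Name Domain `
    -DefaultInboundAction Block -AllowLocalFirewallRules False
```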

Patch and Configuration Management for Domain Controllers

Although it may seem counterintuitive, you should consider patching domain controllers and other critical infrastructure components separately from your general Windows infrastructure. If you leverage enterprise configuration management software for all computers in your infrastructure, compromise of the systems management software can be used to compromise or destroy all infrastructure components managed by that software. By separating patch and systems management for domain controllers from the general population, you can reduce the amount of software installed on domain controllers, in addition to tightly controlling their management.

Blocking Internet Access for Domain Controllers

One of the checks that is performed as part of an Active Directory Security Assessment is the use and configuration of Internet Explorer on domain controllers. Internet Explorer (or any other web browser) should not be used on domain controllers, but analysis of thousands of domain controllers has revealed numerous cases in which privileged users used Internet Explorer to browse the organization's intranet or the Internet.

As previously described in the "Misconfiguration" section of Avenues to Compromise, browsing the Internet (or an infected intranet) from one of the most powerful computers in a Windows infrastructure using a highly privileged account (which are the only accounts permitted to log on locally to domain controllers by default) presents an extraordinary risk to an organization's security. Whether via a drive-by download or by download of malware-infected "utilities," attackers can gain access to everything they need to completely compromise or destroy the Active Directory environment.

Although Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and current versions of Internet Explorer offer a number of protections against malicious downloads, in most cases in which domain controllers and privileged accounts had been used to browse the Internet, the domain controllers were running Windows Server 2003, or the protections offered by newer operating systems and browsers had been intentionally disabled.

Launching web browsers on domain controllers should be prohibited not only by policy, but by technical controls, and domain controllers should not be permitted to access the Internet. If your domain controllers need to replicate across sites, you should implement secure connections between the sites. Although detailed configuration instructions are outside the scope of this document, you can implement a number of controls to restrict the ability of domain controllers to be misused or misconfigured and subsequently compromised.

Perimeter Firewall Restrictions

Perimeter firewalls should be configured to block outbound connections from domain controllers to the Internet. Although domain controllers may need to communicate across site boundaries, perimeter firewalls can be configured to allow intersite communication by following the guidelines provided in How to configure a firewall for domains and trusts on the Microsoft Support website.

DC Firewall Configurations

As described earlier, you should use the Security Configuration Wizard to capture configuration settings for the Windows Firewall with Advanced Security on domain controllers. You should review the output of the Security Configuration Wizard to ensure that the firewall configuration settings meet your organization's requirements, and then use GPOs to enforce the configuration settings.

Preventing Web Browsing from Domain Controllers

You can use a combination of AppLocker configuration, "black hole" proxy configuration, and WFAS configuration to prevent domain controllers from accessing the Internet and to prevent the use of web browsers on domain controllers.
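The "black hole" proxy and the WFAS part of that combination, written into one GPO as an added example (not code from the original article); the AppLocker part belongs in the application whitelist itself. The domain and GPO names are assumptions, and the GPO is assumed to be linked to the Domain Controllers OU.

```powershell
# Added example (not from the original article). Assumptions: the domain and
# GPO names; the GPO is linked to the Domain Controllers OU.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain  = 'corp.example.com'          # assumed
$gpoName = 'DC Internet Block'         # assumed GPO name
$store   = "$domain\$gpoName"
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }

# Control 1: black-hole proxy. Make proxy settings per-machine so no user
# (or malware running as one) can override them, then point WinINET at a
# loopback port on which nothing listens. HTTP(S) from any proxy-aware
# process on the DC then fails immediately instead of reaching the Internet.
$policyKey = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyKey  = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'ProxySettingsPerUser' -Type DWord  -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $proxyKey  -ValueName 'ProxyEnable'          -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $proxyKey  -ValueName 'ProxyServer'          -Type String -Value '127.0.0.1:1' | Out-Null
# Keep intranet names direct so internal tooling that uses WinINET still works.
Set-GPRegistryValue -Name $gpoName -Key $proxyKey  -ValueName 'ProxyOverride'        -Type String -Value '<local>' | Out-Null

# Control 2: WFAS outbound rules. Block the browser binaries outright, and
# block web ports to any address Windows classifies as Internet. The "Internet"
# keyword relies on the host's subnet/NLA data, so the perimeter firewall
# described earlier remains the authoritative control.
foreach ($exe in @('%ProgramFiles%\Internet Explorer\iexplore.exe',
                   '%ProgramFiles(x86)%\Internet Explorer\iexplore.exe')) {
    New-NetFirewallRule -PolicyStore $store -DisplayName "Block $exe" `
        -Direction Outbound -Program $exe -Action Block | Out-Null
}
New-NetFirewallRule -PolicyStore $store -DisplayName 'Block web ports to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 80, 443 -RemoteAddress Internet `
    -Action Block | Out-Null
```

After the next Group Policy refresh, a browser launched on a DC fails to connect even if the WFAS rule is somehow removed locally, and the registry values are reapplied on each refresh, which is the self-healing behaviour the RDP section relies on as well.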