最佳做法保護 Active Directory 同盟服務Best practices for securing Active Directory Federation Services

適用於:Windows Server 2016、Windows Server 2012 R2、Windows Server 2012Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

本文件會提供最佳的做法安全計劃以及 Active Directory 同盟 Services (AD FS) 和 Web 應用程式 Proxy 部署。This document provides best practices for the secure planning and deployment of Active Directory Federation Services (AD FS) and Web Application Proxy. 它包含這些元件與建議的組織使用特定案例和安全性需求額外的安全性設定預設行為的相關資訊。It contains information about the default behaviors of these components and recommendations for additional security configurations for an organization with specific use cases and security requirements.

本文件適用於 AD FS 和 Windows Server 2012 R2 與 Windows Server 2016 (預覽版) WAP。This document applies to AD FS and WAP in Windows Server 2012 R2 and Windows Server 2016 (preview). 在場所網路或裝載的雲端 Microsoft Azure 例如環境中部署基礎結構是否可以使用這些建議。These recommendations can be used whether the infrastructure is deployed in an on premises network or in a cloud hosted environment such as Microsoft Azure.

標準部署拓撲Standard deployment topology

先環境中部署,我們建議您標準部署拓撲一或多個 AD FS 上伺服器企業連絡,以 DMZ 或外部網路中的一或多個 Web 應用程式 Proxy (WAP) 伺服器所組成。For deployment in on-premises environments, we recommend a standard deployment topology consisting of one or more AD FS servers on the internal corporate network, with one or more Web Application Proxy (WAP) servers in a DMZ or extranet network. AD FS 和 WAP,每個層級硬體或軟體負載平衡器放伺服器陣列前面,而處理流量路由。At each layer, AD FS and WAP, a hardware or software load balancer is placed in front of the server farm and handles traffic routing. 每個 (FS 和 proxy) 農場前面防火牆位於為所需的外部負載平衡器 IP 位址前面。Firewalls are placed as required in front of the external IP address of the load balancer in front of each (FS and proxy) farm.

AD FS 標準拓撲

需要連接埠Ports required

圖表如下描述防火牆連接埠必須在 AD FS 和 WAP 部署 」 的元件和之間會支援。The below diagram depicts the firewall ports that must be enabled between and amongst the components of the AD FS and WAP deployment. 如果部署不包含 Azure AD / 被略過 Office 365、 同步需求。If the deployment does not include Azure AD / Office 365, the sync requirements can be disregarded.

如果使用者憑證使用驗證,這是選擇性 Azure AD 所需的連接埠 49443 只有的筆記與 Office 365。Note that port 49443 is only required if user certificate authentication is used, which is optional for Azure AD and Office 365.

AD FS 標準拓撲

Azure AD 連接和聯盟伺服器日 WAPAzure AD Connect and Federation Servers/WAP

下表描述的連接埠和通訊協定進行通訊 Azure AD 連接伺服器之間聯盟日 WAP 伺服器。This table describes the ports and protocols that are required for communication between the Azure AD Connect server and Federation/WAP servers.

通訊協定Protocol 連接埠Ports 描述Description
HTTPHTTP 80 (TCP 日 UDP)80 (TCP/UDP) 用來下載 Crl (憑證撤銷列出) 來確認 SSL 憑證。Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates.
HTTPSHTTPS 443(TCP/UDP)443(TCP/UDP) 使用 Azure AD 的同步處理。Used to synchronize with Azure AD.
WinRMWinRM 59855985 WinRM 其實WinRM Listener

WAP 和聯盟伺服器WAP and Federation Servers

下表描述的連接埠與所需的通訊聯盟伺服器 WAP 伺服器間通訊協定。This table describes the ports and protocols that are required for communication between the Federation servers and WAP servers.

通訊協定Protocol 連接埠Ports 描述Description
HTTPSHTTPS 443(TCP/UDP)443(TCP/UDP) 使用進行驗證。Used for authentication.

WAP 和使用者WAP and Users

下表描述的連接埠與所需的使用者與 WAP 伺服器間通訊的通訊協定。This table describes the ports and protocols that are required for communication between users and the WAP servers.

通訊協定Protocol 連接埠Ports 描述Description
HTTPSHTTPS 443(TCP/UDP)443(TCP/UDP) 用於裝置的驗證。Used for device authentication.
TCPTCP 49443 (TCP)49443 (TCP) 用於憑證驗證。Used for certificate authentication.

如需詳細資訊,所需的連接埠與所需的混合部署看到文件通訊協定在此For additional information on required ports and protocols required for hybrid deployments see the document here.

連接埠和通訊協定 Azure AD 所需的詳細資訊的 Office 365 部署,查看 [文件和在此For detailed information about ports and protocols required for an Azure AD and Office 365 deployment, see the document here.

支援的端點Endpoints enabled

AD FS 和 WAP 安裝時,預設設定端點 AD FS 的才在同盟服務和 proxy。When AD FS and WAP are installed, a default set of AD FS endpoints are enabled on the federation service and on the proxy. 根據最常要求並使用案例選擇預設值,並不需要變更。These defaults were chosen based on the most commonly required and used scenarios and it is not necessary to change them.

[選擇性]最小值設定端點 proxy 支援 Azure AD 的日 Office 365[Optional] Min set of endpoints proxy enabled for Azure AD / Office 365

將 AD FS 和 WAP 部署的 Azure AD 只組織與 Office 365 案例] 可以限制進一步達成較小的攻擊 surface 支援 proxy 上 AD FS 端點的數目。Organizations deploying AD FS and WAP only for Azure AD and Office 365 scenarios can limit even further the number of AD FS endpoints enabled on the proxy to achieve a more minimal attack surface. 以下是清單中的端點必須會在這些案例中 proxy 功能:Below is the list of endpoints that must be enabled on the proxy in these scenarios:

端點Endpoint 用途Purpose
1 月 adfs 日 !/adfs/ls 瀏覽器驗證流量與目前的版本的 Microsoft Office 使用 Azure AD 從此端點進行與 Office 365 驗證Browser based authentication flows and current versions of Microsoft Office use this endpoint for Azure AD and Office 365 authentication
/adfs/services/trust/2005/usernamemixed/adfs/services/trust/2005/usernamemixed 使用適用於 Exchange Online Office 戶端超過 Office 2013 5 2015 update。Used for Exchange Online with Office clients older than Office 2013 May 2015 update. 稍後戶端使用被動式 \adfs\ls 結束點。Later clients use the passive \adfs\ls endpoint.
/adfs/services/trust/13/usernamemixed/adfs/services/trust/13/usernamemixed 使用適用於 Exchange Online Office 戶端超過 Office 2013 5 2015 update。Used for Exchange Online with Office clients older than Office 2013 May 2015 update. 稍後戶端使用被動式 \adfs\ls 結束點。Later clients use the passive \adfs\ls endpoint.
oauth2 日 adfs 日/adfs/oauth2 使用此 (prem 上或在雲端中) 的現代化應用程式,您已經設定直接向 (也就是不是透過 AAD) AD FS 進行驗證This one is used for any modern apps (on prem or in cloud) you have configured to authenticate directly to AD FS (i.e. not through AAD)
/adfs/services/trust/mex/adfs/services/trust/mex 使用適用於 Exchange Online Office 戶端超過 Office 2013 5 2015 update。Used for Exchange Online with Office clients older than Office 2013 May 2015 update. 稍後戶端使用被動式 \adfs\ls 結束點。Later clients use the passive \adfs\ls endpoint.
/adfs/ls/federationmetadata/2007-06/federationmetadata.xml/adfs/ls/federationmetadata/2007-06/federationmetadata.xml 適用於任何被動式流量; 需求使用 Office 365 / Azure AD,以檢查 AD FS 憑證,並Requirement for any passive flows; and used by Office 365 / Azure AD to check AD FS certificates

AD FS 端點可以使用下列 PowerShell cmdlet proxy 上已停用:AD FS endpoints can be disabled on the proxy using the following PowerShell cmdlet:

PS:\>Set-AdfsEndpoint -TargetAddressPath <address path> -Proxy $false

例如:For example:

PS:\>Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/certificatemixed -Proxy $false

驗證延伸的保護Extended protection for authentication

驗證延伸的保護是緩和男人 (MITM) 攻擊並 AD FS 使用的預設支援的功能。Extended protection for authentication is a feature that mitigates against man in the middle (MITM) attacks and is enabled by default with AD FS.

若要確認設定,您可以執行下列動作:To verify the settings, you can do the following:

該設定可以使用驗證 PowerShell commandlet 下方。The setting can be verified using the below PowerShell commandlet.

PS:\>Get-ADFSProperties

屬性是ExtendedProtectionTokenCheckThe property is ExtendedProtectionTokenCheck. 預設值是允許,以便可以的瀏覽器不支援的功能與相容性問題,而達成安全性優點。The default setting is Allow, so that the security benefits can be achieved without the compatibility concerns with browsers that do not support the capability.

壅塞控制保護同盟服務Congestion control to protect the federation service

同盟服務 proxy (WAP 部) 提供壅塞控制 AD FS 服務防止大量的要求。The federation service proxy (part of the WAP) provides congestion control to protect the AD FS service from a flood of requests. 如果偵測到的應用程式網路 Proxy 與聯盟伺服器之間的延遲為多聯盟伺服器載應用程式網路 Proxy 將拒絕外部 client 驗證要求。The Web Application Proxy will reject external client authentication requests if the federation server is overloaded as detected by the latency between the Web Application Proxy and the federation server. 這項功能與建議的延遲閾值來改善層級預設設定。This feature is configured by default with a recommended latency threshold level.

若要確認設定,您可以執行下列動作:To verify the settings, you can do the following:

  1. Web 應用程式 Proxy 電腦時,[開始] 視窗中提升權限的命令。On your Web Application Proxy computer, start an elevated command window.
  2. 瀏覽至 ADFS directory,WINDIR%\adfs\config %。Navigate to the ADFS directory, at %WINDIR%\adfs\config.
  3. 變更壅塞控制設定為預設值,以]'。Change the congestion control settings from its default values to ‘’.
  4. 儲存,並關閉檔案。Save and close the file.
  5. 將 AD FS 服務執行 'net 停止 adfssrv' 然後 '網路開始 adfssrv' 重新開機。Restart the AD FS service by running ‘net stop adfssrv’ and then ‘net start adfssrv’. 可供您參考,找到此功能的指導方針在此For your reference, guidance on this capability can be found here.

標準 HTTP 要求檢查 proxy。Standard HTTP request checks at the proxy

Proxy 也會執行下列對所有流量標準檢查:The proxy also performs the following standard checks against all traffic:

  • FS-P 本身向 AD FS 透過短暫的憑證。The FS-P itself authenticates to AD FS via a short lived certificate. 在可疑 dmz 伺服器危害的案例中,AD FS 可 」 撤銷 proxy 信任 」,它不會再信任的任何傳入要求可能危害 proxy。In a scenario of suspected compromise of dmz servers, AD FS can “revoke proxy trust” so that it no longer trusts any incoming requests from potentially compromised proxies. 撤銷 proxy 信任撤銷每個 proxy 自己的憑證,使其無法通過驗證適用於任何用途 AD FS 伺服器Revoking the proxy trust revokes each proxy’s own certificate so that it cannot successfully authenticate for any purpose to the AD FS server
  • FS P 終止所有連接和連絡上建立新的 HTTP 連接 AD FS 服務。The FS-P terminates all connections and creates a new HTTP connection to the AD FS service on the internal network. 這會提供 AD FS 服務外接式裝置之間工作階段層級緩衝。This provides a session-level buffer between external devices and the AD FS service. 直接與服務 AD FS 不會連接的外部裝置。The external device never connects directly to the AD FS service.
  • FS P 執行 HTTP 要求驗證,尤其是篩選掉不需要的 AD FS 服務 HTTP 標頭。The FS-P performs HTTP request validation that specifically filters out HTTP headers that are not required by AD FS service.

確保所有 AD FS 和 WAP 伺服器接收最重要的安全性 AD FS 基礎結構建議以都確定您有一種方法可以保留目前的所有安全性更新,以及這些選用的更新為重要 AD fs 此頁面上指定的伺服器 AD FS 和 WAP 的最新的更新。Ensure all AD FS and WAP servers receive the most current updates The most important security recommendation for your AD FS infrastructure is to ensure you have a means in place to keep your AD FS and WAP servers current with all security updates, as well as those optional updates specified as important for AD FS on this page.

Azure AD 針對監視和保持最新的建議方式其基礎結構是透過 Azure AD 連接健康 AD fs,Azure AD Premium 的功能。The recommended way for Azure AD customers to monitor and keep current their infrastructure is via Azure AD Connect Health for AD FS, a feature of Azure AD Premium. Azure AD 連接健康包含顯示器和觸發 AD FS 或 WAP 電腦是專為 AD FS 和 WAP 遺失其中一個重要更新通知。Azure AD Connect Health includes monitors and alerts that trigger if an AD FS or WAP machine is missing one of the important updates specifically for AD FS and WAP.

安裝 Azure AD 連接健康的 AD FS 可找到詳細資訊在此Information on installing Azure AD Connect Health for AD FS can be found here.

更多安全性設定Additional security configurations

可以提供額外的保護所提供的預設部署選擇性設定以下的額外功能。The following additional capabilities can be configured optionally to provide additional protections to those offered in the default deployment.

「 軟體 」 的外部鎖定帳號保護Extranet “soft” lockout protection for accounts

使用外部鎖定功能在 Windows Server 2012 R2,AD FS 管理員可以設定最多允許的數量驗證失敗的要求 (ExtranetLockoutThreshold) 並 ' 觀察視窗的時間間隔 (ExtranetObservationWindow)。With the extranet lockout feature in Windows Server 2012 R2, an AD FS administrator can set a maximum allowed number of failed authentication requests (ExtranetLockoutThreshold) and an ‘observation window's time period (ExtranetObservationWindow). 當達到上限 (ExtranetLockoutThreshold) 的驗證要求時,將會阻止 AD FS 想要的設定的期間 (ExtranetObservationWindow) 驗證 AD FS 提供的 account 憑證。When this maximum number (ExtranetLockoutThreshold) of authentication requests is reached, AD FS stops trying to authenticate the supplied account credentials against AD FS for the set time period (ExtranetObservationWindow). 這個動作防止 AD 鎖定此帳號,亦即,它可以避免此 account 公司資源 AD FS 進行驗證的使用者所仰賴喪失存取權。This action protects this account from an AD account lockout, in other words, it protects this account from losing access to corporate resources that rely on AD FS for authentication of the user. 這些設定套用到所有網域驗證,AD FS 服務。These settings apply to all domains that the AD FS service can authenticate.

您可以使用下列的 Windows PowerShell 命令來設定 AD FS 外部鎖定 (範例):You can use the following Windows PowerShell command to set the AD FS extranet lockout (example):

PS:\>Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow ( new-timespan -Minutes 30 )

如需參考資料,這項功能的公開文件是在此For reference, the public documentation of this feature is here.

區分存取原則內部和外部網路的存取權Differentiate access policies for intranet and extranet access

AD FS 有區分存取原則的要求,源自會從網際網路透過 proxy 本機、 公司網路與要求的功能。AD FS has the ability to differentiate access policies for requests that originate in the local, corporate network vs requests that come in from the internet via the proxy. 這可以在每個應用程式或全球完成。This can be done per application or globally. 高價值應用程式或應用程式與敏感或個人資訊,請考慮將需要使用多監視器因素驗證。For high business value applications or applications with sensitive or personally identifiable information, consider requiring multi factor authentication. 這可透過 AD FS 嵌入式管理單元完成。This can be done via the AD FS management snap-in.

需要多因數驗證 (MFA)Require Multi factor authentication (MFA)

您可以設定 AD FS 需要 (例如,使用多監視器因素驗證) 穩固驗證要求透過 proxy 提供專為個人應用程式,並條件存取這兩個 Azure AD 日 Office 365 和場所資源。AD FS can be configured to require strong authentication (such as multi factor authentication) specifically for requests coming in via the proxy, for individual applications, and for conditional access to both Azure AD / Office 365 and on premises resources. 支援的方法的 MFA 包含 Microsoft Azure MFA 和協力廠商提供者。Supported methods of MFA include both Microsoft Azure MFA and third party providers. 提示使用者提供額外的資訊 (例如包含一個簡訊文字時間程式碼),並 AD FS 使用插件,以允許存取特定提供者。The user is prompted to provide the additional information (such as an SMS text containing a one time code), and AD FS works with the provider specific plug-in to allow access.

支援的外部 MFA 提供者包含中所列出這個頁面上,以及 HDI 全球。Supported external MFA providers include those listed in this page, as well as HDI Global.

硬體安全性單元 (HSM)Hardware Security Module (HSM)

預設設定,一律不登入權杖按鍵 AD FS 使用會保留在企業網路聯盟伺服器。In its default configuration, the keys AD FS uses to sign tokens never leave the federation servers on the intranet. 它們有永遠不會存在 DMZ 或 proxy 電腦上。They are never present in the DMZ or on the proxy machines. 也提供額外的保護,這些按鍵可保護單元硬體安全性連接到 AD FS。Optionally to provide additional protection, these keys can be protected in a hardware security module attached to AD FS. Microsoft 並不會發出 HSM product,但有許多支援 AD FS 市面上。Microsoft does not produce an HSM product, however there are several on the market that support AD FS. 為了執行這個建議,請依照下列建立 X509 廠商指導方針憑證來簽署及加密,然後使用 AD FS 安裝 powershell commandlets,指定您自訂的憑證,如下所示:In order to implement this recommendation, follow the vendor guidance to create the X509 certs for signing and encryption, then use the AD FS installation powershell commandlets, specifying your custom certificates as follows:

PS:\>Install-AdfsFarm -CertificateThumbprint <String> -DecryptionCertificateThumbprint <String> -FederationServiceName <String> -ServiceAccountCredential <PSCredential> -SigningCertificateThumbprint <String>

位置:where:

  • CertificateThumbprint 為您的 SSL 憑證。is your SSL certificate
  • SigningCertificateThumbprint 您專屬的簽署憑證 (具有 HSM 保護鍵)is your signing certificate (with HSM protected key)
  • DecryptionCertificateThumbprint 為您的加密憑證 (具有 HSM 保護鍵)is your encryption certificate (with HSM protected key)