Best Practices for Secure Planning and Deployment of AD FS

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic provides best-practice information to help you plan and evaluate security when you design your Active Directory Federation Services (AD FS) deployment. It is a starting point for reviewing and assessing the considerations that affect the overall security of your use of AD FS. The information in this topic is meant to complement and extend your existing security planning and other design best practices.

Core security best practices for AD FS

The following core best practices are common to all AD FS installations where you want to improve or extend the security of your design or deployment:

  • Use the Security Configuration Wizard to apply AD FS-specific security best practices to federation servers and federation server proxy computers

    The Security Configuration Wizard (SCW) is a tool that comes preinstalled on all Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 computers. You can use it to apply security best practices that can help reduce the attack surface of a server, based on the server roles that you are installing.

    When you install AD FS, the setup program creates role extension files that you can use with the SCW to create a security policy that applies to the specific AD FS server role (either federation server or federation server proxy) that you chose during setup.

    Each role extension file that is installed represents the type of role and subrole for which the computer is configured. The following role extension files are installed in the C:\Windows\ADFS\Scw directory:

    • Farm.xml

    • SQLFarm.xml

    • StandAlone.xml

    • Proxy.xml (This file is present only if you configured the computer in the federation server proxy role.)

    To apply the AD FS role extensions in the SCW, complete the following steps in order:

    1. Install AD FS and choose the appropriate server role for that computer. For more information, see Install the Federation Service Proxy Role Service in the AD FS Deployment Guide.

    2. Register the appropriate role extension file using the Scwcmd command-line tool. See the following table for details about using this tool for the role in which your computer is configured.

    3. Verify that the command completed successfully by examining the SCWRegister_log.xml file, which is located in the Windows\security\Msscw\Logs directory.

    You must perform all these steps on each federation server or federation server proxy computer to which you want to apply AD FS-based SCW security policies.

    The following table explains how to register the appropriate SCW role extension, based on the AD FS server role that you chose on the computer where you installed AD FS.

    AD FS server role             | AD FS configuration database used | Type the following command at a command prompt:
    Stand-alone federation server | Windows Internal Database         | scwcmd register /kbname:ADFS2Standalone /kbfile:"Windows\ADFS\scw\StandAlone.xml"
    Farm-joined federation server | Windows Internal Database         | scwcmd register /kbname:ADFS2Standalone /kbfile:"Windows\ADFS\scw\Farm.xml"
    Farm-joined federation server | SQL Server                        | scwcmd register /kbname:ADFS2Standalone /kbfile:"Windows\ADFS\scw\SQLFarm.xml"
    Federation server proxy       | N/A                               | scwcmd register /kbname:ADFS2Standalone /kbfile:"Windows\ADFS\scw\Proxy.xml"

    For more information about the databases that you can use with AD FS, see The Role of the AD FS Configuration Database.
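The three registration steps above, wrapped in a script as an added example (not code from the original page): it checks that the role extension file for the chosen role exists, runs the scwcmd register command from the table, and confirms that SCWRegister_log.xml was written. The function name is an assumption; paths follow the page.

```powershell
# Added example: register the AD FS SCW role extension for this server's role.
# Role names map to the files the page lists under C:\Windows\ADFS\Scw:
#   StandAlone = stand-alone federation server (WID)
#   Farm       = farm-joined federation server (WID)
#   SQLFarm    = farm-joined federation server (SQL Server)
#   Proxy      = federation server proxy (file exists only on proxies)
function Register-AdfsScwExtension {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('StandAlone', 'Farm', 'SQLFarm', 'Proxy')]
        [string] $Role
    )
    $kbFile  = Join-Path $env:SystemRoot "ADFS\Scw\$Role.xml"
    $logFile = Join-Path $env:SystemRoot 'security\Msscw\Logs\SCWRegister_log.xml'

    # Step 1 is assumed done: AD FS is installed in the role you name here.
    if (-not (Test-Path $kbFile)) {
        throw "Role extension file $kbFile not found. Was AD FS installed in the '$Role' role on this computer?"
    }

    # Step 2: register the extension. The page registers every role under the
    # knowledge-base name ADFS2Standalone, so that name is kept here.
    $started = Get-Date
    & scwcmd.exe register /kbname:ADFS2Standalone /kbfile:"$kbFile"
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd register failed with exit code $LASTEXITCODE"
    }

    # Step 3: the log must exist and must have been touched by this run.
    if (-not (Test-Path $logFile) -or (Get-Item $logFile).LastWriteTime -lt $started) {
        throw "$logFile was not updated; review the SCW registration manually."
    }
    Write-Host "Registered $kbFile. Inspect $logFile for errors before running the Security Configuration Wizard."
    return $logFile
}

# Run once per federation server / proxy, choosing the role that matches that computer.
Register-AdfsScwExtension -Role 'Farm'
```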

  • Use token replay detection in situations in which security is a very important concern, for example, when kiosks are used.

    Token replay detection is a feature of AD FS that ensures that any attempt to replay a token request made to the Federation Service is detected and the request is discarded. Token replay detection is enabled by default. It works for both the WS-Federation passive profile and the Security Assertion Markup Language (SAML) WebSSO profile by ensuring that the same token is never used more than once.

    When the Federation Service starts, it begins to build a cache of the token requests that it fulfills. Over time, as subsequent token requests are added to the cache, the Federation Service's ability to detect attempts to replay a token request increases. If you disable token replay detection and later choose to enable it again, remember that the Federation Service will still accept tokens that may have been used previously for a period of time, until the replay cache has had enough time to rebuild its contents. For more information, see The Role of the AD FS Configuration Database.

  • Use token encryption, especially if you are using SAML artifact resolution.

    Encryption of tokens is strongly advised to increase security and protection against potential man-in-the-middle (MITM) attacks that might be attempted against your AD FS deployment. Using encryption might have a slight impact on throughput, but in general it is not usually noticeable, and in many deployments the benefit of greater security outweighs any cost in server performance.

    To enable token encryption, first add an encryption certificate for your relying party trusts. You can configure an encryption certificate either when creating a relying party trust or later. To add an encryption certificate later to an existing relying party trust, you can set a certificate for use on the Encryption tab within the trust properties in the AD FS snap-in. To specify a certificate for an existing trust using the AD FS cmdlets, use the EncryptionCertificate parameter of either the Set-ClaimsProviderTrust or Set-RelyingPartyTrust cmdlet. To set the certificate that the Federation Service uses when decrypting tokens, use the Set-ADFSCertificate cmdlet and specify "Token-Encryption" for the CertificateType parameter. Enabling and disabling encryption for a specific relying party trust can be done by using the EncryptClaims parameter of the Set-RelyingPartyTrust cmdlet.
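The cmdlet steps above, carried through as an added example (not code from the original page): attach a relying party's public encryption certificate and turn on EncryptClaims for that trust, set the Federation Service's Token-Encryption certificate, then audit for trusts that still issue tokens in the clear. The function names, trust name, certificate path and thumbprint are placeholders; the ADFS module on a Windows Server 2012 R2 or later federation server is assumed.

```powershell
# Added example: configure and audit token encryption with the AD FS cmdlets.
Import-Module ADFS

function Enable-RelyingPartyTokenEncryption {
    param(
        [Parameter(Mandatory)] [string] $TrustName,
        [Parameter(Mandatory)] [string] $PublicCertPath   # .cer supplied by the relying party (public key only)
    )
    # The relying party decrypts; AD FS only needs its public certificate.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PublicCertPath
    # Same effect as the Encryption tab in the snap-in: attach the certificate and
    # enable claim encryption for this trust only.
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -EncryptionCertificate $cert -EncryptClaims $true
    Get-AdfsRelyingPartyTrust -Name $TrustName |
        Select-Object Name, EncryptClaims, @{ n = 'EncryptionCertThumbprint'; e = { $_.EncryptionCertificate.Thumbprint } }
}

function Set-FederationServiceDecryptionCertificate {
    param([Parameter(Mandatory)] [string] $Thumbprint)   # certificate with private key in LocalMachine\My
    # Set-AdfsCertificate is refused while automatic certificate rollover is on,
    # so fail early with the fix instead of a cryptic error.
    if ((Get-AdfsProperties).AutoCertificateRollover) {
        throw 'Run Set-AdfsProperties -AutoCertificateRollover $false before setting a Token-Encryption certificate.'
    }
    # Token-Encryption is the certificate type the page names for decrypting incoming tokens.
    Set-AdfsCertificate -CertificateType 'Token-Encryption' -Thumbprint $Thumbprint
    Get-AdfsCertificate -CertificateType 'Token-Encryption' | Select-Object Thumbprint, IsPrimary
}

function Get-UnencryptedRelyingPartyTrusts {
    # Audit: a trust with EncryptClaims off, or with no encryption certificate at all,
    # still receives plaintext tokens and is the MITM exposure the page describes.
    Get-AdfsRelyingPartyTrust |
        Where-Object { -not $_.EncryptClaims -or $null -eq $_.EncryptionCertificate } |
        Select-Object Name, Identifier, EncryptClaims
}

# Placeholder values; replace with your trust name, the RP's .cer file and your decryption cert thumbprint.
Enable-RelyingPartyTokenEncryption -TrustName 'Contoso Claims App' -PublicCertPath 'C:\certs\claimsapp-encrypt.cer'
Set-FederationServiceDecryptionCertificate -Thumbprint '<thumbprint-of-AD-FS-token-decryption-certificate>'
Get-UnencryptedRelyingPartyTrusts | Format-Table -AutoSize
```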

  • Utilize extended protection for authentication

    To help secure your deployments, you can set and use the extended protection for authentication feature with AD FS. This setting specifies the level of extended protection for authentication supported by a federation server.

    Extended protection for authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts client credentials and forwards them to a server. Protection against such attacks is made possible through a Channel Binding Token (CBT), which can be required, allowed, or not required by the server when it establishes communications with clients.

    To enable the extended protection feature, use the ExtendedProtectionTokenCheck parameter of the Set-ADFSProperties cmdlet. The possible values for this setting, and the level of security that each value provides, are described in the following table.

    Parameter value | Security level                | Protection setting
    Require         | Server is fully hardened.     | Extended protection is enforced and always required.
    Allow           | Server is partially hardened. | Extended protection is enforced where the systems involved have been patched to support it.
    None            | Server is vulnerable.         | Extended protection is not enforced.
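An added example (not from the original page) that reads the current ExtendedProtectionTokenCheck value, rates it using the table above, and only changes it to Require when explicitly asked. The function name is an assumption; the ADFS module is assumed.

```powershell
# Added example: audit, and optionally enforce, extended protection for authentication.
Import-Module ADFS

function Test-AdfsExtendedProtection {
    param([switch] $Enforce)   # without -Enforce the function only reports

    $current = "$((Get-AdfsProperties).ExtendedProtectionTokenCheck)"

    if ($Enforce -and $current -ne 'Require') {
        # Require rejects clients that cannot present a Channel Binding Token, and any
        # device that terminates TLS between client and server breaks the binding.
        # Move to Require only after Allow has shown that all clients cope with it.
        Set-AdfsProperties -ExtendedProtectionTokenCheck Require
        $current = "$((Get-AdfsProperties).ExtendedProtectionTokenCheck)"
    }

    # Ratings taken from the page's table.
    $assessment = switch ($current) {
        'Require' { 'Server is fully hardened: extended protection always required.' }
        'Allow'   { 'Server is partially hardened: enforced only where clients are patched to support it.' }
        default   { 'Server is vulnerable: extended protection is not enforced.' }
    }

    [pscustomobject]@{
        ExtendedProtectionTokenCheck = $current
        Assessment                   = $assessment
        Compliant                    = ($current -eq 'Require')
    }
}

Test-AdfsExtendedProtection            # report only
# Test-AdfsExtendedProtection -Enforce # raise to Require once client support is confirmed
```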
  • If you are using logging and tracing, ensure the privacy of any sensitive information.

    AD FS does not, by default, expose or track personally identifiable information (PII) directly as part of the Federation Service or its normal operations. When event logging and debug trace logging are enabled in AD FS, however, depending on the claims policy that you configure, some claim types and their associated values might contain PII that could be written to the AD FS event or tracing logs.

    Therefore, enforcing access control on the AD FS configuration and its log files is strongly advised. If you do not want this kind of information to be visible, you should disable logging, or filter out any PII or sensitive data from your logs before you share them with others.

    The following tips can help you prevent the content of a log file from being exposed unintentionally:

    • Ensure that the AD FS event log and trace log files are protected by access control lists (ACLs) that limit access to only those trusted administrators who require it.

    • Do not copy or archive log files using file extensions or paths that can easily be served by a Web request. For example, the .xml file name extension is not a safe choice. You can check the Internet Information Services (IIS) administration guide for a list of extensions that can be served.

    • If you revise the path to the log file, be sure to specify an absolute path for the log file location, which should be outside the Web host's virtual root (vroot) public directory to prevent it from being accessed by an external party using a Web browser.
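The three tips above turned into a check, as an added example (not code from the original page): it flags a relative path, a location under the web root, a servable extension, and ACL entries that grant access to anyone outside a trusted set. The function name, the default web root, the list of servable extensions beyond .xml, and the allowed identities are assumptions to adjust for your environment.

```powershell
# Added example: test a log file location against the page's exposure tips.
function Test-AdfsLogFileExposure {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [string]   $WebRoot = 'C:\inetpub\wwwroot',   # assumed IIS vroot; change to match your web host
        # Assumed trusted identities. Add the AD FS service account, which must write the log.
        [string[]] $AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $findings = @()
    $full = [System.IO.Path]::GetFullPath($LogPath)

    # Tip 3: absolute path, outside the Web host's public directory.
    if (-not [System.IO.Path]::IsPathRooted($LogPath)) {
        $findings += 'Path is relative; specify an absolute path.'
    }
    if ($full.StartsWith($WebRoot, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Path is under the web root $WebRoot and may be served by a Web request."
    }

    # Tip 2: the page names .xml as unsafe; the other extensions here are an assumed list
    # of types IIS serves by default. Check the IIS guide for your server's actual list.
    $servable  = @('.xml', '.txt', '.htm', '.html', '.json')
    $extension = [System.IO.Path]::GetExtension($full).ToLowerInvariant()
    if ($servable -contains $extension) {
        $findings += "Extension '$extension' can be served by IIS; archive under a non-servable name."
    }

    # Tip 1: every Allow ACE must belong to a trusted identity.
    if (Test-Path $full) {
        foreach ($ace in (Get-Acl $full).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $AllowedIdentities -notcontains $ace.IdentityReference.Value) {
                $findings += "ACL grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value); restrict to trusted administrators."
            }
        }
    } else {
        $findings += 'File not found; ACL not checked.'
    }

    [pscustomobject]@{ Path = $full; Exposed = ($findings.Count -gt 0); Findings = $findings }
}

# Constructed bad example: an .xml trace copy dropped into the web root.
Test-AdfsLogFileExposure -LogPath 'C:\inetpub\wwwroot\adfs-trace.xml' | Format-List
```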

  • AD FS Extranet Lockout Protection

    In the case of an attack in the form of authentication requests with invalid (bad) passwords that come through the Web Application Proxy, AD FS extranet lockout enables you to protect your users from an AD FS account lockout. In addition to protecting your users from an AD FS account lockout, AD FS extranet lockout also protects against brute-force password guessing attacks. For more information, see AD FS Extranet Lockout Protection.

SQL Server-specific security best practices for AD FS

The following security best practices are specific to the use of Microsoft SQL Server® or Windows Internal Database (WID) when these database technologies are used to manage data in an AD FS design and deployment.

These recommendations are meant to extend, but not replace, SQL Server product security guidance. For more information about planning a secure SQL Server installation, see Security Considerations for a Secure SQL Installation (https://go.microsoft.com/fwlink/?LinkID=139831).

  • Always deploy SQL Server behind a firewall in a physically secure network environment.

    A SQL Server installation should never be exposed directly to the Internet. Only computers that are inside your datacenter should be able to reach the SQL Server installation that supports AD FS. For more information, see Security Best Practices Checklist (https://go.microsoft.com/fwlink/?LinkID=189229).

  • Run SQL Server under a service account instead of using the built-in default system service accounts.

    By default, SQL Server is often installed and configured to use one of the supported built-in system accounts, such as the LocalSystem or NetworkService accounts. To enhance the security of your SQL Server installation for AD FS, wherever possible use a separate service account for the SQL Server service and enable Kerberos authentication by registering the service principal name (SPN) of this account in your Active Directory deployment. This enables mutual authentication between client and server. Without SPN registration of a separate service account, SQL Server will use NTLM for Windows-based authentication, where only the client is authenticated.

  • Minimize the surface area of SQL Server.

    Enable only those SQL Server endpoints that are necessary. By default, SQL Server provides a single built-in TCP endpoint that cannot be removed. For AD FS, you should enable this TCP endpoint for Kerberos authentication. To review the current TCP endpoints and see whether additional user-defined TCP ports have been added to a SQL installation, you can run the "SELECT * FROM sys.tcp_endpoints" query statement in a Transact-SQL (T-SQL) session. For more information about SQL Server endpoint configuration, see How To: Configure the Database Engine to Listen on Multiple TCP Ports (https://go.microsoft.com/fwlink/?LinkID=189231).

  • Avoid using SQL-based authentication.

    To avoid having to transfer passwords as clear text over your network or store passwords in configuration settings, use Windows authentication only with your SQL Server installation. SQL Server authentication is a legacy authentication mode. Storing Structured Query Language (SQL) login credentials (SQL user names and passwords), as you must when using SQL Server authentication, is not recommended. For more information, see Authentication Modes (https://go.microsoft.com/fwlink/?LinkID=189232).
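One audit that covers the three SQL points above (Kerberos via a registered SPN, no extra TCP endpoints, Windows authentication only), as an added example that is not code from the original page. It assumes the SqlServer module's Invoke-Sqlcmd, a Windows-authenticated connection, and a placeholder instance name; the function name is an assumption.

```powershell
# Added example: audit the SQL Server behind AD FS for the page's surface-area points.
function Test-AdfsSqlSurface {
    param([Parameter(Mandatory)] [string] $ServerInstance)

    function Query([string] $Sql) {
        # Windows authentication is the default; no SQL login or password is involved.
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $Sql
    }

    # 1. How did THIS connection authenticate? KERBEROS means the service account's SPN is
    #    registered and mutual authentication worked; NTLM means only the client was
    #    authenticated. Run from a federation server over TCP, the path AD FS itself uses.
    $scheme = (Query "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;").auth_scheme

    # 2. The page's sys.tcp_endpoints check. endpoint_id values 1-65535 are reserved for
    #    SQL Server's own endpoints, so anything above that was added by an administrator.
    $endpoints   = Query "SELECT name, endpoint_id, port, state_desc FROM sys.tcp_endpoints;"
    $userDefined = @($endpoints | Where-Object { $_.endpoint_id -gt 65535 })

    # 3. IsIntegratedSecurityOnly = 1 is Windows-only; 0 is mixed mode (SQL logins allowed).
    $winOnly = (Query "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS v;").v

    [pscustomobject]@{
        Instance             = $ServerInstance
        AuthScheme           = $scheme
        KerberosInUse        = ($scheme -eq 'KERBEROS')
        TcpEndpoints         = @($endpoints   | Select-Object name, port, state_desc)
        UserDefinedEndpoints = @($userDefined | Select-Object name, port, state_desc)
        WindowsAuthOnly      = ($winOnly -eq 1)
    }
}

$result = Test-AdfsSqlSurface -ServerInstance 'sql01.contoso.local\ADFS'   # placeholder instance
if (-not $result.KerberosInUse) {
    Write-Warning "Connection used $($result.AuthScheme); register the SQL service account's SPN to get Kerberos."
}
if ($result.UserDefinedEndpoints.Count -gt 0) {
    Write-Warning "User-defined TCP endpoints present: $($result.UserDefinedEndpoints.name -join ', ')"
}
if (-not $result.WindowsAuthOnly) {
    Write-Warning 'Mixed-mode authentication is enabled; switch the instance to Windows authentication only.'
}
$result
```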

  • Evaluate the need for additional channel security in your SQL installation carefully.

    Even with Kerberos authentication in effect, the SQL Server Security Support Provider Interface (SSPI) does not provide channel-level security. However, for installations in which servers are securely located on a firewall-protected network, encrypting SQL communications may not be necessary.

    Although encryption is a valuable tool to help ensure security, it should not be considered for all data or connections. When you are deciding whether to implement encryption, consider how users will access data. If users access data over a public network, data encryption might be required to increase security. However, if all access to SQL data by AD FS takes place within a secure intranet configuration, encryption might not be required. Any use of encryption should also include a maintenance strategy for passwords, keys, and certificates.

    If there is a concern that any SQL data might be seen or tampered with over your network, use Internet Protocol security (IPsec) or Secure Sockets Layer (SSL) to help secure your SQL connections. However, this might have a negative effect on SQL Server performance, which might affect or limit AD FS performance in some situations. For example, AD FS performance in token issuance might degrade when attribute lookups from a SQL-based attribute store are critical to token issuance. You can better eliminate a SQL tampering threat by having a strong perimeter security configuration. For example, a better solution for securing your SQL Server installation is to ensure that it remains inaccessible to Internet users and computers and that it is accessible only to users or computers within your datacenter environment.

    For more information, see Encrypting Connections to SQL Server or SQL Server Encryption.

  • Configure securely designed access by using stored procedures to perform all SQL-based lookups by AD FS of SQL-stored data.

    To provide better service and data isolation, you can create stored procedures for all attribute store lookup commands. You can create a database role to which you then grant permission to run the stored procedures. Assign the service identity of the AD FS Windows service to this database role. The AD FS Windows service should not be able to run any other SQL statement, other than the appropriate stored procedures that are used for attribute lookup. Locking down access to the SQL Server database in this way reduces the risk of an elevation-of-privilege attack.
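The least-privilege pattern above carried out on a SQL attribute store, as an added example that is not code from the original page: one stored procedure holds the lookup, a database role may only EXECUTE it, and the AD FS service identity is that role's only member, then the resulting permissions are listed for review. The database, table, procedure, role and account names are placeholders; Invoke-Sqlcmd from the SqlServer module and SQL Server 2016 SP1 or later (for CREATE OR ALTER) are assumed.

```powershell
# Added example: lock the AD FS service identity down to a single lookup procedure.
function Grant-AdfsAttributeLookupProc {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $ServiceAccount   # Windows identity of the AD FS service, e.g. 'CONTOSO\svc-adfs'
    )
    # $ServiceAccount is interpolated into T-SQL below; it is an administrator-supplied
    # value, not user input, but keep it to a plain DOMAIN\name.
    $tsql = @"
-- Lookup logic lives in the procedure; the caller never touches dbo.UserAttributes directly.
CREATE OR ALTER PROCEDURE dbo.usp_GetUserClaims @UserPrincipalName nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Department, CostCenter
    FROM dbo.UserAttributes
    WHERE UPN = @UserPrincipalName;
END;
GO
-- A role that can execute the procedure and nothing else.
IF DATABASE_PRINCIPAL_ID('adfs_attribute_reader') IS NULL
    CREATE ROLE adfs_attribute_reader;
GRANT EXECUTE ON OBJECT::dbo.usp_GetUserClaims TO adfs_attribute_reader;
-- Windows login for the service identity: no SQL password exists to store anywhere.
IF SUSER_ID('$ServiceAccount') IS NULL
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
IF DATABASE_PRINCIPAL_ID('$ServiceAccount') IS NULL
    CREATE USER [$ServiceAccount] FOR LOGIN [$ServiceAccount];
ALTER ROLE adfs_attribute_reader ADD MEMBER [$ServiceAccount];
GO
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $tsql

    # Review: the only explicit grant tied to the role or the account should be EXECUTE on the procedure.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query @"
SELECT p.name AS principal_name, dp.permission_name, dp.state_desc, OBJECT_NAME(dp.major_id) AS object_name
FROM sys.database_permissions dp
JOIN sys.database_principals p ON p.principal_id = dp.grantee_principal_id
WHERE p.name IN ('adfs_attribute_reader', '$ServiceAccount');
"@
}

# Placeholder instance, database and account.
Grant-AdfsAttributeLookupProc -ServerInstance 'sql01.contoso.local\ADFS' -Database 'AdfsAttributes' -ServiceAccount 'CONTOSO\svc-adfs' |
    Format-Table -AutoSize
```

The attribute store query in the claim rule then calls the procedure instead of selecting from the table, so the table itself never needs to be readable by the service identity.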

See Also

AD FS Design Guide in Windows Server 2012