Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

Applies To: Windows Server 2012 R2

In this guide

This guide provides the following information:

Key Concepts - Authentication mechanisms in AD FS

Benefits of authentication mechanisms in AD FS

Active Directory Federation Services (AD FS) in Windows Server 2012 R2 provides IT administrators with a richer, more flexible set of tools for authenticating users who want to access corporate resources. It gives administrators flexible control over the primary and the additional authentication methods, provides a rich management experience for configuring authentication policies (both through the user interface and Windows PowerShell), and enhances the experience for the end users who access applications and services that are secured by AD FS. The following are some of the benefits of securing your applications and services with AD FS in Windows Server 2012 R2:

  • Global authentication policy - a central management capability, from which an IT administrator can choose which authentication methods are used to authenticate users based on the network location from which they access protected resources. This enables administrators to do the following:

    • Mandate the use of more secure authentication methods for access requests from the extranet.

    • Enable device authentication for seamless second-factor authentication. This ties the user's identity to the registered device that is used to access the resource, thus offering more secure compound identity verification before protected resources are accessed.

      Note

      For more information about the device object, the Device Registration Service, Workplace Join, and the device as seamless second-factor authentication and SSO, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications.

    • Set an MFA requirement for all extranet access, or conditionally based on the user's identity, the network location, or the device that is used to access protected resources.

  • Greater flexibility in configuring authentication policies: you can configure custom authentication policies for AD FS-secured resources with varying business values. For example, you can require MFA for applications with high business impact.

  • Ease of use: simple and intuitive management tools such as the GUI-based AD FS Management MMC snap-in and the Windows PowerShell cmdlets enable IT administrators to configure authentication policies with relative ease. With Windows PowerShell, you can script your solutions for use at scale and to automate routine administrative tasks.

  • Greater control over corporate assets: because, as an administrator, you can use AD FS to configure an authentication policy that applies to a specific resource, you have greater control over how corporate resources are secured. Applications cannot override the authentication policies specified by IT administrators. For sensitive applications and services, you can enable an MFA requirement, device authentication, and optionally fresh authentication every time the resource is accessed.

  • Support for custom MFA providers: for organizations that use third-party MFA methods, AD FS offers the ability to incorporate and use these authentication methods seamlessly.

Authentication scope

In AD FS in Windows Server 2012 R2 you can specify an authentication policy at a global scope that applies to all applications and services that are secured by AD FS. You can also set authentication policies for specific applications and services (relying party trusts) that are secured by AD FS. Specifying an authentication policy for a particular application (per relying party trust) does not override the global authentication policy. If either the global or the per-relying-party-trust authentication policy requires MFA, MFA is triggered when the user tries to authenticate to that relying party trust. The global authentication policy is a fallback for relying party trusts (applications and services) that do not have a specific authentication policy configured.

A global authentication policy applies to all relying parties that are secured by AD FS. You can configure the following settings as part of the global authentication policy:

Per-relying party trust authentication policies apply specifically to attempts to access that relying party trust (application or service). You can configure the following settings as part of the per-relying party trust authentication policy:

  • Whether users are required to provide their credentials each time at sign-in

  • MFA settings based on the user/group, device registration, and access request location data

Primary and additional authentication methods

With AD FS in Windows Server 2012 R2, in addition to the primary authentication mechanism, administrators can configure additional authentication methods. Primary authentication methods are built in and are intended to validate users' identities. You can configure additional authentication factors to request that more information about the user's identity is provided, and consequently ensure stronger authentication.

With primary authentication in AD FS in Windows Server 2012 R2, you have the following options:

  • For resources published to be accessed from outside the corporate network, Forms Authentication is selected by default. In addition, you can also enable Certificate Authentication (in other words, smart card-based authentication or user client certificate authentication that works with AD DS).

  • For intranet resources, Windows Authentication is selected by default. In addition, you can also enable Forms and/or Certificate Authentication.

By selecting more than one authentication method, you give your users a choice of which method to authenticate with at the sign-in page for your application or service.

You can also enable device authentication for seamless second-factor authentication. This ties the user's identity to the registered device that is used to access the resource, thus offering more secure compound identity verification before protected resources are accessed.

Note

For more information about the device object, the Device Registration Service, Workplace Join, and the device as seamless second-factor authentication and SSO, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications.

If you specify the Windows Authentication method (the default option) for your intranet resources, authentication requests undergo this method seamlessly on browsers that support Windows Authentication.

Note

Windows Authentication is not supported on all browsers. The authentication mechanism in AD FS in Windows Server 2012 R2 detects the user's browser user agent and uses a configurable setting to determine whether that user agent supports Windows Authentication. Administrators can add to this list of user agents (via the Windows PowerShell Set-AdfsProperties -WIASupportedUserAgents command) in order to specify alternate user agent strings for browsers that support Windows Authentication. If the client's user agent does not support Windows Authentication, the default fallback method is Forms Authentication.
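The following added example (not from the original article) shows how to inspect and extend the WIASupportedUserAgents list with the cmdlets the note names; the user agent string added is an assumed placeholder, and the script is expected to run in an elevated session on an AD FS server with the ADFS module loaded.

```powershell
# Added example: extend the list of user agents that AD FS treats as
# capable of Windows Authentication, without dropping the existing entries.

# The current list (by default entries such as "MSIE 6.0", "Trident/7.0", ...).
# AD FS matches each entry as a substring of the browser's User-Agent header.
$current = (Get-AdfsProperties).WIASupportedUserAgents

# Placeholder: replace with the User-Agent substring of a browser you have
# verified can complete a Negotiate (Kerberos/NTLM) challenge against AD FS.
$newAgent = "ExampleBrowser/1.0"

if ($current -notcontains $newAgent) {
    # Always pass the merged list: the parameter replaces the whole list, so
    # passing only the new value would silently remove Windows Authentication
    # for every browser that was previously listed.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $newAgent)
}

# Confirm the change took effect.
(Get-AdfsProperties).WIASupportedUserAgents
```

Keep entries as specific as possible: a browser that matches this list but cannot actually negotiate Windows Authentication receives the 401 challenge instead of the Forms Authentication fallback the note describes.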

Configuring MFA

There are two parts to configuring MFA in AD FS in Windows Server 2012 R2: specifying the conditions under which MFA is required, and selecting an additional authentication method. For more information about additional authentication methods, see Configure Additional Authentication Methods for AD FS.

MFA settings

The following options are available for MFA settings (conditions under which to require MFA):

  • You can require MFA for specific users and groups in the AD domain that your federation server is joined to.

  • You can require MFA for either registered (workplace joined) or unregistered (not workplace joined) devices.

    Windows Server 2012 R2 takes a user-centric approach to modern devices, where device objects represent a relationship between user@device and a company. Device objects are a new class in AD in Windows Server 2012 R2 that can be used to offer compound identity when providing access to applications and services. A new component of AD FS, the Device Registration Service (DRS), provisions a device identity in Active Directory and sets a certificate on the consumer device that will be used to represent the device identity. You can then use this device identity to workplace join your device, in other words, to connect your personal device to the Active Directory of your workplace. When you join your personal device to your workplace, it becomes a known device and provides seamless second-factor authentication to protected resources and applications. In other words, after a device is workplace joined, the user's identity is tied to this device and can be used for seamless compound identity verification before a protected resource is accessed.

    For more information on workplace join and leave, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications.

  • You can require MFA when the access request for the protected resources comes from either the extranet or the intranet.

Scenario Overview

In this scenario, you enable MFA based on the user's group membership data for a specific application. In other words, you set up an authentication policy on your federation server to require MFA when users who belong to a certain group request access to a specific application that is hosted on a web server.

More specifically, in this scenario, you enable an authentication policy for a claims-based test application called claimapp, whereby the AD user Robert Hatley is required to undergo MFA because he belongs to the AD group Finance.
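The following added example (not from the original article or the walkthrough it references) expresses the MFA conditions listed under MFA settings and the scenario above as AD FS claim rules: a global fallback rule for extranet requests from unregistered devices, and a per-relying-party rule for the Finance group on claimapp. The group SID is a placeholder, and the additional authentication provider name is assumed; the claim types are the standard AD FS ones.

```powershell
# Added example: configure both parts of MFA in AD FS on Windows Server 2012 R2.

# Part 1 - the additional authentication method (assumed here to be the
# built-in certificate provider; substitute the provider your organization uses).
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider "CertificateAuthentication"

# Standard claim types that MFA rules key on.
$mfa      = 'http://schemas.microsoft.com/claims/multipleauthn'
$authType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$groupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$inside   = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$regUser  = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'

# Part 2a - global condition: require MFA for any extranet request that does not
# come from a workplace-joined device. This is the fallback for relying parties
# with no rule of their own.
$globalRule = @"
@RuleName = "MFA for extranet access from unregistered devices"
NOT EXISTS([Type == "$inside", Value == "true"])
 && NOT EXISTS([Type == "$regUser", Value == "true"])
 => issue(Type = "$authType", Value = "$mfa");
"@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $globalRule

# Part 2b - per relying party trust: require MFA for Finance members on claimapp.
# Placeholder SID; look up the real one with (Get-ADGroup Finance).SID.Value.
$financeSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'
$rpRule = @"
@RuleName = "MFA for members of Finance accessing claimapp"
c:[Type == "$groupSid", Value =~ "^(?i)$financeSid$"]
 => issue(Type = "$authType", Value = "$mfa");
"@
Set-AdfsRelyingPartyTrust -TargetName "claimapp" -AdditionalAuthenticationRules $rpRule

# Verify: the per-RP rule adds to, rather than replaces, the global rule, so
# both conditions are evaluated for claimapp and MFA fires if either matches.
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name "claimapp").AdditionalAuthenticationRules
```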

The step-by-step instructions to set up and verify this scenario are provided in Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications. In order to complete the steps in this walkthrough, you must set up a lab environment and follow the steps in Set up the lab environment for AD FS in Windows Server 2012 R2.

Other scenarios for enabling MFA in AD FS include the following:

See Also

Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

Set up the lab environment for AD FS in Windows Server 2012 R2