Manage Risk with Conditional Access Control

Applies To: Windows Server 2012 R2

Key concepts - conditional access control in AD FS

The overall function of AD FS is to issue an access token that contains a set of claims. The decision regarding which claims AD FS accepts and then issues is governed by claim rules.

Access control in AD FS is implemented with issuance authorization claim rules, which issue permit or deny claims that determine whether a user or a group of users is allowed to access AD FS-secured resources. Authorization rules can only be set on relying party trusts.

Rule option | Rule logic
--- | ---
Permit all users | If incoming claim type equals any claim type and value equals any value, then issue claim with value equals Permit
Permit access to users with this incoming claim | If incoming claim type equals specified claim type and value equals specified claim value, then issue claim with value equals Permit
Deny access to users with this incoming claim | If incoming claim type equals specified claim type and value equals specified claim value, then issue claim with value equals Deny

For more information about these rule options and logic, see When to Use an Authorization Claim Rule.

In AD FS in Windows Server 2012 R2, access control is enhanced with multiple factors, including user, device, location, and authentication data. This is made possible by a greater variety of claim types available for the authorization claim rules. In other words, in AD FS in Windows Server 2012 R2, you can enforce conditional access control based on user identity or group membership, network location, device (whether it is workplace joined; for more information, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications), and authentication state (whether multifactor authentication (MFA) was performed).

Conditional access control in AD FS in Windows Server 2012 R2 offers the following benefits:

  • Flexible and expressive per-application authorization policies, whereby you can permit or deny access based on user, device, network location, and authentication state

  • Creating issuance authorization rules for relying party applications

  • Rich UI experience for the common conditional access control scenarios

  • Rich claims language and Windows PowerShell support for advanced conditional access control scenarios

  • Custom (per relying party application) 'Access Denied' messages. For more information, see Customizing the AD FS Sign-in Pages. By being able to customize these messages, you can explain why a user is being denied access and also facilitate self-service remediation where it is possible, for example, prompt users to workplace join their devices. For more information, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications.

The following table lists all the claim types available in AD FS in Windows Server 2012 R2 that can be used for implementing conditional access control.

Claim type | Description
--- | ---
Email Address | The email address of the user.
Given Name | The given name of the user.
Name | The unique name of the user.
UPN | The user principal name (UPN) of the user.
Common Name | The common name of the user.
AD FS 1.x E-mail Address | The email address of the user when interoperating with AD FS 1.1 or AD FS 1.0.
Group | A group that the user is a member of.
AD FS 1.x UPN | The UPN of the user when interoperating with AD FS 1.1 or AD FS 1.0.
Role | A role that the user has.
Surname | The surname of the user.
PPID | The private identifier of the user.
Name ID | The SAML name identifier of the user.
Authentication time stamp | Used to display the time and date that the user was authenticated.
Authentication method | The method used to authenticate the user.
Deny only group SID | The deny-only group SID of the user.
Deny only primary SID | The deny-only primary SID of the user.
Deny only primary group SID | The deny-only primary group SID of the user.
Group SID | The group SID of the user.
Primary group SID | The primary group SID of the user.
Primary SID | The primary SID of the user.
Windows account name | The domain account name of the user in the form domain\user.
Is Registered User | User is registered to use this device.
Device Identifier | Identifier of the device.
Device Registration Identifier | Identifier for Device Registration.
Device Registration Display Name | Display name of Device Registration.
Device OS Type | Operating system type of the device.
Device OS Version | Operating system version of the device.
Is Managed Device | Device is managed by a management service.
Forwarded Client IP | IP address of the user.
Client Application | Type of the client application.
Client User Agent | Device type the client is using to access the application.
Client IP | IP address of the client.
Endpoint Path | Absolute endpoint path, which can be used to determine active versus passive clients.
Proxy | DNS name of the federation server proxy that passed the request.
Application Identifier | Identifier for the relying party.
Application policies | Application policies of the certificate.
Authority Key Identifier | The authority key identifier extension of the certificate that signed an issued certificate.
Basic Constraint | One of the basic constraints of the certificate.
Enhanced Key Usage | Describes one of the enhanced key usages of the certificate.
Issuer | The name of the certification authority that issued the X.509 certificate.
Issuer Name | The distinguished name of the certificate issuer.
Key Usage | One of the key usages of the certificate.
Not After | Date in local time after which a certificate is no longer valid.
Not Before | The date in local time on which a certificate becomes valid.
Certificate Policies | The policies under which the certificate has been issued.
Public Key | Public key of the certificate.
Certificate Raw Data | The raw data of the certificate.
Subject Alternative Name | One of the alternative names of the certificate.
Serial Number | The serial number of the certificate.
Signature Algorithm | The algorithm used to create the signature of a certificate.
Subject | The subject from the certificate.
Subject Key Identifier | The subject key identifier of the certificate.
Subject Name | The subject distinguished name from a certificate.
V2 Template Name | The name of the version 2 certificate template used when issuing or renewing a certificate. This is a Microsoft-specific value.
V1 Template Name | The name of the version 1 certificate template used when issuing or renewing a certificate. This is a Microsoft-specific value.
Thumbprint | Thumbprint of the certificate.
X.509 Version | The X.509 format version of the certificate.
Inside Corporate Network | Used to indicate if a request originated from inside the corporate network.
Password Expiration Time | Used to display the time when the password expires.
Password Expiration Days | Used to display the number of days to password expiry.
Update Password URL | Used to display the web address of the update password service.
Authentication Methods References | Used to indicate all authentication methods used to authenticate the user.

Managing Risk with Conditional Access Control

Using the available settings, there are many ways in which you can manage risk by implementing conditional access control.

Common Scenarios

For example, imagine a simple scenario of implementing conditional access control based on the user's group membership data for a particular application (relying party trust). In other words, you can set up an issuance authorization rule on your federation server to permit users that belong to a certain group in your AD domain to access a particular application that is secured by AD FS. The detailed step-by-step instructions (using the UI and Windows PowerShell) for implementing this scenario are covered in Walkthrough Guide: Manage Risk with Conditional Access Control. In order to complete the steps in this walkthrough, you must set up a lab environment and follow the steps in Set up the lab environment for AD FS in Windows Server 2012 R2.

Advanced Scenarios

Other examples of implementing conditional access control in AD FS in Windows Server 2012 R2 include the following:

  • Permit access to an application secured by AD FS only if this user's identity was validated with MFA

    You can use the following code:

    @RuleTemplate = "Authorization"
    @RuleName = "PermitAccessWithMFA"
    c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences", Value =~ "^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

  • Permit access to an application secured by AD FS only if the access request is coming from a workplace joined device that is registered to the user

    You can use the following code:

    @RuleTemplate = "Authorization"
    @RuleName = "PermitAccessFromRegisteredWorkplaceJoinedDevice"
    c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "^(?i)true$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

  • Permit access to an application secured by AD FS only if the access request is coming from a workplace joined device that is registered to a user whose identity has been validated with MFA

    You can use the following code:

    @RuleTemplate = "Authorization"
    @RuleName = "RequireMFAOnRegisteredWorkplaceJoinedDevice"
    c1:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences", Value =~ "^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$"] &&
    c2:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "^(?i)true$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

  • Permit extranet access to an application secured by AD FS only if the access request is coming from a user whose identity has been validated with MFA.

    You can use the following code:

    @RuleTemplate = "Authorization"
    @RuleName = "RequireMFAForExtranetAccess"
    c1:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences", Value =~ "^(?i)http://schemas\.microsoft\.com/claims/multipleauthn$"] &&
    c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value =~ "^(?i)false$"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

See Also

Walkthrough Guide: Manage Risk with Conditional Access Control
Set up the lab environment for AD FS in Windows Server 2012 R2