Privileged Access Workstations

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily-use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-the-Ticket.

Architecture Overview

The diagram below depicts a separate "channel" for administration (a highly sensitive task) that is created by maintaining separate dedicated administrative accounts and workstations.

Diagram: a separate "channel" for administration (a highly sensitive task), created by maintaining separate dedicated administrative accounts and workstations

This architectural approach builds on the protections found in the Windows 10 Credential Guard and Device Guard features and goes beyond those protections for sensitive accounts and tasks.

This methodology is appropriate for accounts with access to high value assets:

  • Administrative privileges: PAWs provide increased security for high impact IT administrative roles and tasks. This architecture can be applied to administration of many types of systems including Active Directory domains and forests, Microsoft Azure Active Directory tenants, Office 365 tenants, Process Control Networks (PCN), Supervisory Control and Data Acquisition (SCADA) systems, Automated Teller Machines (ATMs), and Point of Sale (PoS) devices.

  • High sensitivity information workers: the approach used in a PAW can also protect highly sensitive information worker tasks and personnel, such as those involving pre-announcement merger and acquisition activity, pre-release financial reports, the organization's social media presence, executive communications, unpatented trade secrets, sensitive research, or other proprietary or sensitive data. This guidance does not discuss the configuration of these information worker scenarios in depth or include this scenario in the technical instructions.

    Note

    Microsoft IT uses PAWs (internally referred to as "secure admin workstations", or SAWs) to manage secure access to internal high-value systems within Microsoft. This guidance has additional details on PAW usage at Microsoft in the section "How Microsoft uses admin workstations" below. For more detailed information on this high value asset environment approach, refer to the article Protecting high-value assets with secure admin workstations.

This document describes why this practice is recommended for protecting high impact privileged accounts, what these PAW solutions look like for protecting administrative privileges, and how to quickly deploy a PAW solution for domain and cloud services administration.

This document provides detailed guidance for implementing several PAW configurations and includes detailed implementation instructions to get you started on protecting common high impact accounts:

  • Phase 1 - Immediate deployment for Active Directory administrators: this provides a PAW quickly that can protect on-premises domain and forest administration roles

  • Phase 2 - Extend PAW to all administrators: this enables protection for administrators of cloud services like Office 365 and Azure, enterprise servers, enterprise applications, and workstations

  • Phase 3 - Advanced PAW security: this discusses additional protections and considerations for PAW security

Why a dedicated workstation?

The current threat environment for organizations is rife with sophisticated phishing and other internet attacks that create continuous risk of security compromise for internet-exposed accounts and workstations.

This threat environment requires organizations to adopt an "assume breach" security posture when designing protections for high value assets like administrative accounts and sensitive business assets. These high value assets need to be protected against both direct internet threats and attacks mounted from other workstations, servers, and devices in the environment.

Diagram: risk to managed assets if an attacker gains control of a user workstation where sensitive credentials are used

This figure depicts the risk to managed assets if an attacker gains control of a user workstation where sensitive credentials are used.

An attacker in control of an operating system has numerous ways to illicitly gain access to all activity on the workstation and impersonate the legitimate account. A variety of known and unknown attack techniques can be used to gain this level of access. The increasing volume and sophistication of cyberattacks have made it necessary to extend the separation concept to completely separate client operating systems for sensitive accounts. For more information on these types of attacks, visit the Pass the Hash web site for informative white papers, videos, and more.

The PAW approach is an extension of the well-established recommended practice of using separate admin and user accounts for administrative personnel. That practice uses an individually assigned administrative account that is completely separate from the user's standard user account. PAW builds on that account separation practice by providing a trustworthy workstation for those sensitive accounts.

This PAW guidance is intended to help you implement this capability for protecting high value accounts such as highly privileged IT administrators and high sensitivity business accounts. The guidance helps you:

  • Restrict exposure of credentials to only trusted hosts

  • Provide a high-security workstation to administrators so they can easily perform administrative tasks.

Restricting the sensitive accounts to using only hardened PAWs is a straightforward protection for these accounts that is both highly usable for administrators and very difficult for an adversary to defeat.
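One way to verify the first goal after the fact is to look for Tier 0 logons that did not come from a PAW. The following PowerShell is an added example, not part of the original guidance: it takes Security event ID 4624 logon records and reports every logon by a Tier 0 account whose source computer is not a known PAW. The PAW names, the account names and the sample records are constructed for this example.

```powershell
# Added example, not from the original guidance. PAW names, Tier 0 account
# names and the sample records below are assumptions made for illustration.
$PawHosts   = @('PAW-ALICE', 'PAW-BOB')   # computer names of the known PAWs
$Tier0Users = @('alice-da', 'bob-da')     # dedicated Tier 0 admin accounts

# Logon types in which the credential is typed or cached on the source host:
# 2 Interactive, 7 Unlock, 10 RemoteInteractive, 11 CachedInteractive
$ExposingLogonTypes = @(2, 7, 10, 11)

# Flatten a 4624 event object from Get-WinEvent into the fields we need
function ConvertFrom-Event4624 {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated      = $Event.TimeCreated
            TargetUserName   = $data.TargetUserName
            TargetDomainName = $data.TargetDomainName
            LogonType        = [int]$data.LogonType
            WorkstationName  = $data.WorkstationName
            IpAddress        = $data.IpAddress
        }
    }
}

# Report every Tier 0 logon whose source is not a PAW. A logon type that
# exposes the credential on the source host is rated High; a network logon
# (type 3) is rated Medium because the credential was still used from an
# untrusted host.
function Find-NonPawAdminLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $PawHosts,
        [Parameter(Mandatory)] [string[]] $Tier0Users
    )
    foreach ($e in $Events) {
        if ($Tier0Users -notcontains $e.TargetUserName) { continue }
        $source = ("$($e.WorkstationName)" -replace '^\\\\', '').ToUpperInvariant()
        if ($PawHosts -contains $source) { continue }
        if (-not $source -or $source -eq '-') { $source = $e.IpAddress }
        $severity = 'Medium'
        if ($ExposingLogonTypes -contains $e.LogonType) { $severity = 'High' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($e.TargetDomainName)\$($e.TargetUserName)"
            Source    = $source
            LogonType = $e.LogonType
            Severity  = $severity
        }
    }
}

# Constructed sample records shaped like the fields above. On a domain
# controller they would come from the Security log instead:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ConvertFrom-Event4624
$sample = @(
    [pscustomobject]@{ TimeCreated='2016-04-01 08:02'; TargetUserName='alice-da'; TargetDomainName='CORP'; LogonType=10; WorkstationName='PAW-ALICE'; IpAddress='10.0.10.5'  },
    [pscustomobject]@{ TimeCreated='2016-04-01 09:15'; TargetUserName='bob-da';   TargetDomainName='CORP'; LogonType=2;  WorkstationName='USER-BOB';  IpAddress='10.0.20.31' },
    [pscustomobject]@{ TimeCreated='2016-04-01 09:16'; TargetUserName='bob-da';   TargetDomainName='CORP'; LogonType=3;  WorkstationName='USER-BOB';  IpAddress='10.0.20.31' },
    [pscustomobject]@{ TimeCreated='2016-04-01 10:00'; TargetUserName='jdoe';     TargetDomainName='CORP'; LogonType=2;  WorkstationName='USER-JDOE'; IpAddress='10.0.20.40' }
)

Find-NonPawAdminLogon -Events $sample -PawHosts $PawHosts -Tier0Users $Tier0Users |
    Format-Table -AutoSize
```

On the constructed sample the function reports only the two bob-da logons from USER-BOB: the interactive one as High (the password was typed on a non-PAW) and the network one as Medium. Any High finding is a direct violation of the PAW policy and should be treated as a possible exposure of that account's credential, not merely a process slip.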

Alternate approaches - Limitations, considerations, and integration

This section contains information on how the security of alternate approaches compares to PAW and how to correctly integrate these approaches within a PAW architecture. All of these approaches carry significant risks when implemented in isolation, but can add value to a PAW implementation in some scenarios.

Credential Guard and Microsoft Passport

Introduced in Windows 10, Credential Guard uses hardware and virtualization-based security to mitigate common credential theft attacks, such as Pass-the-Hash, by protecting the derived credentials. The private key for credentials used by Microsoft Passport can also be protected by Trusted Platform Module (TPM) hardware.

These are powerful mitigations, but workstations can still be vulnerable to certain attacks even if the credentials are protected by Credential Guard or Passport. Attacks can include abusing privileges and using credentials directly from a compromised device, reusing credentials stolen before Credential Guard was enabled, and abusing management tools and weak application configurations on the workstation.

The PAW guidance in this section includes the use of many of these technologies for high sensitivity accounts and tasks.

Administrative VM

An administrative virtual machine (VM) is a dedicated operating system for administrative tasks hosted on a standard user desktop. While this approach is similar to PAW in providing a dedicated OS for administrative tasks, it has a fatal flaw: the administrative VM depends on the standard user desktop for its security.

The diagram below depicts the ability of attackers to follow the control chain to the target object of interest with an admin VM on a user workstation, and shows that it is difficult to create such a path in the reverse configuration.

The PAW architecture does not allow for hosting an admin VM on a user workstation, but a user VM with a standard corporate image can be hosted on a PAW host to provide personnel with a single PC for all responsibilities.

Diagram: simplified view of the PAW architecture

Jump Server

Administrative "jump server" architectures set up a small number of administrative console servers and restrict personnel to using them for administrative tasks. This is typically based on Remote Desktop Services, a third-party presentation virtualization solution, or a Virtual Desktop Infrastructure (VDI) technology.

This approach is frequently proposed to mitigate risk to administration and does provide some security assurances, but the jump server approach by itself is vulnerable to certain attacks because it violates the "clean source" principle. The clean source principle requires all security dependencies to be as trustworthy as the object being secured.

Diagram: a simple control relationship

This figure depicts a simple control relationship. Any subject in control of an object is a security dependency of that object. If an adversary can control a security dependency of a target object (subject), they can control that object.

The administrative session on the jump server relies on the integrity of the local computer accessing it. If this computer is a user workstation subject to phishing attacks and other internet-based attack vectors, then the administrative session is also subject to those risks.

Diagram: attackers following an established control chain to the target object of interest

The figure above depicts how attackers can follow an established control chain to the target object of interest.

Some advanced security controls, like multi-factor authentication, can make it harder for an attacker to take over this administrative session from the user workstation. However, no security feature can fully protect against technical attacks when an attacker has administrative access to the source computer (for example, injecting illicit commands into a legitimate session, hijacking legitimate processes, and so on).

The default configuration in this PAW guidance installs administrative tools on the PAW, but a jump server architecture can also be added if required.

Diagram: reversing the control relationship and accessing user apps from an admin workstation gives the attacker no path to the targeted object

This figure shows how reversing the control relationship and accessing user apps from an admin workstation gives the attacker no path to the targeted object. The user jump server is still exposed to risk, so appropriate protective controls, detective controls, and response processes should still be applied to that internet-facing computer.

This configuration requires administrators to follow operational practices closely to ensure that they don't accidentally enter administrator credentials into the user session on their desktop.

Diagram: accessing an administrative jump server from a PAW adds no path for the attacker into the administrative assets

This figure shows how accessing an administrative jump server from a PAW adds no path for the attacker into the administrative assets. In this case a jump server used together with a PAW lets you consolidate the locations used for monitoring administrative activity and for distributing administrative applications and tools. This adds some design complexity, but can simplify security monitoring and software updates if a large number of accounts and workstations are used in your PAW implementation. The jump server would need to be built and configured to similar security standards as the PAW.

Privilege Management Solutions

Privilege management solutions are applications that provide temporary access to discrete privileges or privileged accounts on demand. Privilege management solutions are an extremely valuable component of a complete strategy to secure privileged access and provide critically important visibility and accountability of administrative activity.

These solutions typically use a flexible workflow to grant access, and many have additional security features and capabilities like service account password management and integration with administrative jump servers. There are many solutions on the market that provide privilege management capabilities, one of which is Microsoft Identity Manager (MIM) privileged access management (PAM).

Microsoft recommends using a PAW to access privilege management solutions. Access to these solutions should be granted only to PAWs. Microsoft does not recommend using these solutions as a substitute for a PAW, because accessing privileges through these solutions from a potentially compromised user desktop violates the clean source principle, as depicted in the diagram below:

Diagram: using these solutions from a potentially compromised user desktop as a substitute for a PAW violates the clean source principle

Providing a PAW to access these solutions enables you to gain the security benefits of both PAW and the privilege management solution, as depicted in this diagram:

Diagram: a PAW used to access a privilege management solution gives the security benefits of both

Note

These systems should be classified at the highest tier of the privilege they manage and be protected at or above that level of security. They are commonly configured to manage Tier 0 solutions and Tier 0 assets and should then be classified at Tier 0. For more information on the tier model, see http://aka.ms/tiermodel. For more information on Tier 0 groups, see Tier 0 equivalency in Securing Privileged Access Reference Material.

For more information on deploying Microsoft Identity Manager (MIM) privileged access management (PAM), see http://aka.ms/mimpamdeploy
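Both the jump server section above and the recommendation that access to privilege management solutions be "granted only to PAWs" come down to the same network control on the server side: the administrative listener must accept connections from PAW addresses and nothing else. The following PowerShell is an added example, not part of the original guidance or of any Microsoft product, showing that control with Windows Firewall on the jump server (or on the host of a PAM portal). The PAW address range and the port list are assumptions for this example.

```powershell
# Added example, not from the original guidance. Run elevated on the jump
# server or on the host of the privilege management portal. The PAW address
# range and the port list are assumptions for this example.
$PawAddresses = @('10.0.10.0/24')                 # where the PAWs live
$AdminPorts   = @{ RDP = 3389; HTTPS = 443 }      # ports only a PAW should reach

# Default-deny inbound on every profile so only explicit allow rules admit traffic
Set-NetFirewallProfile -All -DefaultInboundAction Block

# The built-in Remote Desktop rules allow 3389 from any address; switch them off
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Re-create each admin port as an allow rule scoped to the PAW addresses.
# Windows Firewall has no "allow except from X", and a block rule always wins
# over an allow rule (it would shut the PAWs out too), so the scoped allow
# rules plus the default-deny above are what enforce PAW-only access.
foreach ($name in $AdminPorts.Keys) {
    $ruleName = "Allow $name from PAWs only"
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow -Profile Any `
        -Protocol TCP -LocalPort $AdminPorts[$name] -RemoteAddress $PawAddresses | Out-Null
}

# Verify: list every enabled inbound allow rule that opens an admin port. A rule
# whose RemoteAddress is 'Any' is reachable from every host, not just PAWs, and
# is a path into the jump server that bypasses the PAW.
$wanted = @($AdminPorts.Values | ForEach-Object { "$_" })
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $rule  = $_
    $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    $addrs = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($ports | Where-Object { $wanted -contains "$_" }) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            LocalPort     = ($ports -join ',')
            RemoteAddress = ($addrs -join ',')
            OpenToAnyHost = ($addrs -contains 'Any')
        }
    }
} | Format-Table -AutoSize
```

The verification step matters more than the rule creation: other products and Group Policy routinely add their own broad allow rules, and one of them on an admin port silently reopens the path from user workstations that the PAW design is meant to close. Re-run the listing after any change to the server and treat every row with OpenToAnyHost = True as a finding.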

How Microsoft uses admin workstations

Microsoft uses the PAW architectural approach both internally on our own systems and with our customers. Microsoft uses administrative workstations internally in a number of capacities, including administration of Microsoft IT infrastructure, Microsoft cloud fabric infrastructure development and operations, and other high value assets.

This guidance is directly based on the Privileged Access Workstation (PAW) reference architecture deployed by our cybersecurity professional services teams to protect customers against cybersecurity attacks. The administrative workstations are also a key element of the strongest protection for domain administration tasks, the Enhanced Security Administrative Environment (ESAE) administrative forest reference architecture.

For more details on the ESAE administrative forest, see the ESAE Administrative Forest Design Approach section in Securing Privileged Access Reference Material.

For more information on engaging Microsoft services to deploy a PAW or ESAE for your environment, contact your Microsoft representative or visit this page.

What is a Privileged Access Workstation (PAW)?

In simplest terms, a PAW is a hardened and locked-down workstation designed to provide high security assurances for sensitive accounts and tasks. PAWs are recommended for administration of identity systems, cloud services, and private cloud fabric, as well as sensitive business functions.

Note

The PAW architecture doesn't require a 1:1 mapping of accounts to workstations, though this is a common configuration. A PAW creates a trusted workstation environment that can be used by one or more accounts.

In order to provide the greatest security, PAWs should always run the most up-to-date and secure operating system available: Microsoft strongly recommends Windows 10 Enterprise, which includes a number of additional security features not available in other editions (in particular, Credential Guard and Device Guard).

Note

Organizations without access to Windows 10 Enterprise can use Windows 10 Pro, which includes many of the critical foundational technologies for PAWs, including Trusted Boot, BitLocker, and Remote Desktop. Education customers can use Windows 10 Education. Windows 10 Home should not be used for a PAW.

For a comparison matrix of the different editions of Windows 10, read this article.
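The edition alone does not prove that Credential Guard, Device Guard, BitLocker and Secure Boot are actually in force on a given machine; they are separate features that can each be absent or switched off. The following PowerShell is an added example, not part of the original guidance, that reads the state of each one on the local machine and reports which parts of the PAW baseline are missing. It uses only the Win32_OperatingSystem and Win32_DeviceGuard CIM classes and the built-in BitLocker, TPM and Secure Boot cmdlets; the list of checks is this example's own choice.

```powershell
# Added example, not from the original guidance. Run elevated on the PAW; it
# reports whether the baseline the guidance relies on is actually in force.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$tpm = Get-Tpm                                     # TrustedPlatformModule module
$sys = Get-BitLockerVolume -MountPoint $env:SystemDrive

$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS boot

# Win32_DeviceGuard encodes the running services as numbers:
#   1 = Credential Guard, 2 = hypervisor-enforced code integrity (Device Guard HVCI)
# VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
$checks = [ordered]@{
    'Windows 10 Enterprise or Education edition' = $os.Caption -match 'Enterprise|Education'
    'UEFI Secure Boot enabled'                    = [bool]$secureBoot
    'TPM present and ready'                       = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    'BitLocker protecting the system drive'       = $sys.ProtectionStatus -eq 'On'
    'Virtualization-based security running'       = $dg.VirtualizationBasedSecurityStatus -eq 2
    'Credential Guard running'                    = 1 -in $dg.SecurityServicesRunning
    'Device Guard HVCI running'                   = 2 -in $dg.SecurityServicesRunning
}

$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
}
$results | Format-Table -AutoSize

if ($results.Pass -contains $false) {
    Write-Warning 'This machine does not meet the PAW baseline; do not use it for Tier 0 accounts.'
}
```

Credential Guard in particular is configured through Group Policy or registry settings and then only starts if the firmware, TPM and hypervisor prerequisites are met, so a configured-but-not-running state (VirtualizationBasedSecurityStatus of 1) is common on new hardware and is exactly the gap this check is meant to surface before the machine is handed to an administrator.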

The security controls in PAW are focused on mitigating the highest impact and most likely risks of compromise. These include mitigating attacks on the environment and mitigating the risk that the PAW controls may degrade over time:

  • Internet attacks - Most attacks originate directly or indirectly from internet sources and use the internet for exfiltration and command and control (C2). Isolating the PAW from the open internet is a key element of ensuring the PAW is not compromised.

  • Usability risk - If a PAW is too difficult to use for daily tasks, administrators will be motivated to create workarounds to make their jobs easier. Frequently, these workarounds open the administrative workstation and accounts to significant security risks, so it's critical to involve and empower the PAW users to mitigate these usability issues securely. This is frequently accomplished by listening to their feedback, installing the tools and scripts required to perform their jobs, and ensuring all administrative personnel are aware of why they need to use a PAW, what a PAW is, and how to use it correctly and successfully.

  • Environment risks - Because many other computers and accounts in the environment are exposed to internet risk directly or indirectly, a PAW must be protected against attacks from compromised assets in the production environment. This requires limiting the management tools and accounts that have access to the PAWs to the absolute minimum required to secure and monitor these specialized workstations.

  • Supply chain tampering - While it's impossible to remove all possible risks of tampering in the supply chain for hardware and software, taking a few key actions can mitigate critical attack vectors that are readily available to attackers. This includes validating the integrity of all installation media (clean source principle) and using a trusted and reputable supplier for hardware and software.

  • Physical attacks - Because PAWs can be physically mobile and used outside of physically secure facilities, they must be protected against attacks that leverage unauthorized physical access to the computer.

Note

A PAW will not protect an environment from an adversary that has already gained administrative access over an Active Directory forest. Because many existing implementations of Active Directory Domain Services have been operating for years at risk of credential theft, organizations should assume breach and consider the possibility that they may have an undetected compromise of domain or enterprise administrator credentials. An organization that suspects domain compromise should consider the use of professional incident response services.

For more information on response and recovery guidance, see the "Respond to suspicious activity" and "Recover from a breach" sections of Mitigating Pass-the-Hash and Other Credential Theft, version 2.

Visit Microsoft's Incident Response and Recovery services page for more information.

PAW Hardware Profiles

Administrative personnel are also standard users: they need not only a PAW, but also a standard user workstation to check email, browse the web, and access corporate line of business applications. Ensuring that administrators can remain both productive and secure is essential to the success of any PAW deployment. A secure solution that dramatically limits productivity will be abandoned by the users in favor of one that enhances productivity (even if it does so in an insecure manner).

In order to balance the need for security with the need for productivity, Microsoft recommends using one of these PAW hardware profiles:

  • Dedicated hardware - Separate dedicated devices for user tasks vs. administrative tasks

  • Simultaneous use - A single device that can run user tasks and administrative tasks concurrently by taking advantage of OS or presentation virtualization.

Organizations may use only one profile or both. There are no interoperability concerns between the hardware profiles, and organizations have the flexibility to match the hardware profile to the specific need and situation of a given administrator.

Note

It is critical that, in all of these scenarios, administrative personnel are issued a standard user account that is separate from their designated administrative account(s). The administrative account(s) should only be used on the PAW administrative operating system.

This table summarizes the relative advantages and disadvantages of each hardware profile from the perspective of operational ease-of-use, productivity, and security. Both hardware approaches provide strong security for administrative accounts against credential theft and reuse.

Scenario: Dedicated hardware
  Advantages:
    • Strong signal for sensitivity of tasks
    • Strongest security separation
  Disadvantages:
    • Additional desk space
    • Additional weight (for remote work)
    • Hardware cost

Scenario: Simultaneous use
  Advantages:
    • Lower hardware cost
    • Single device experience
  Disadvantages:
    • Sharing a single keyboard/mouse creates the risk of inadvertent errors

This guidance contains the detailed instructions for the PAW configuration for the dedicated hardware approach. If you have requirements for the simultaneous use hardware profiles, you can adapt the instructions in this guidance yourself or hire a professional services organization like Microsoft to assist with it.

Dedicated Hardware

In this scenario, a PAW is used for administration and is completely separate from the PC that is used for daily activities like email, document editing, and development work. All administrative tools and applications are installed on the PAW, and all productivity applications are installed on the standard user workstation. The step-by-step instructions in this guidance are based on this hardware profile.

Simultaneous Use - Adding a local user VM

In this simultaneous use scenario, a single PC is used for both administration tasks and daily activities like email, document editing, and development work. In this configuration, the user operating system is available while disconnected (for editing documents and working on locally cached email), but this requires hardware and support processes that can accommodate the disconnected state.

Diagram: a single PC used in the simultaneous use scenario for both administrative tasks and daily activities such as email, document editing, and development work

The physical hardware runs two operating systems locally:

  • Admin OS - The physical host runs Windows 10 on the PAW host for administrative tasks

  • User OS - A Windows 10 Client Hyper-V virtual machine guest runs a corporate image

With Windows 10 Hyper-V, a guest virtual machine (also running Windows 10) can have a rich user experience including sound, video, and Internet communications applications such as Skype for Business.

In this configuration, daily work that does not require administrative privileges is done in the user OS virtual machine, which has a regular corporate Windows 10 image and is not subject to the restrictions applied to the PAW host. All administrative work is done on the Admin OS.

To configure this, follow the instructions in this guidance for the PAW host, add the Client Hyper-V features, create a User VM, and then install a Windows 10 corporate image on the User VM.

Read the Client Hyper-V article for more information about this capability. Please note that the operating system in guest virtual machines will need to be licensed per Microsoft product licensing, also described here.
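The three steps above (add Client Hyper-V, create the user VM, install the corporate image) as one PowerShell sequence on the PAW host. This is an added example, not the guidance's own instructions: the virtual switch name, the physical adapter name, the VM name, the sizing and the path to the corporate install ISO are all assumptions. It builds a Generation 2 VM with Secure Boot and a virtual TPM so that the user OS can itself run BitLocker and Credential Guard, and disables checkpoints so no snapshot of the user image accumulates on the PAW.

```powershell
# Added example, not from the original guidance. Run elevated on the PAW host.
# Assumed names: switch 'UserVM-External', physical adapter 'Ethernet', VM
# 'USER-VM', and the path to a corporate Windows 10 install ISO.
$IsoPath    = 'D:\Images\Win10-Enterprise-Corp.iso'   # corporate image (assumption)
$VmName     = 'USER-VM'
$VhdPath    = "C:\VMs\$VmName\$VmName.vhdx"
$SwitchName = 'UserVM-External'
$HostNic    = 'Ethernet'                              # physical adapter (assumption)

# 1. Add Client Hyper-V to the PAW host. A reboot is required before the
#    Hyper-V cmdlets below are available, so stop here the first time through.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart | Out-Null
    Write-Warning 'Hyper-V enabled; reboot the PAW host and run this script again.'
    return
}

# 2. Give the user VM a path to the network. The host keeps its own connection
#    through the same switch; the guest never sees the host's credentials.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $HostNic -AllowManagementOS $true | Out-Null
}

# 3. Create a Generation 2 VM: UEFI firmware, Secure Boot, and a virtual TPM so
#    the corporate image can run BitLocker and Credential Guard inside the guest.
New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 80GB -SwitchName $SwitchName | Out-Null
Set-VMProcessor -VMName $VmName -Count 2
Set-VMFirmware  -VMName $VmName -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows
Set-VMKeyProtector -VMName $VmName -NewLocalKeyProtector   # required before a vTPM can be enabled
Enable-VMTPM -VMName $VmName
Set-VM -VMName $VmName -CheckpointType Disabled             # no snapshots of the user image on the PAW

# 4. Attach the corporate image, boot from it, and install the user OS.
Add-VMDvdDrive -VMName $VmName -Path $IsoPath
Set-VMFirmware -VMName $VmName -FirstBootDevice (Get-VMDvdDrive -VMName $VmName)
Start-VM -Name $VmName
```

After the guest is installed, remove the DVD drive and join the VM to the domain as an ordinary user workstation; it should receive the same management and monitoring as any other user desktop. The PAW host itself stays outside that user-workstation management scope, which is the whole point of running the user OS as the guest and not the other way round.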

Simultaneous Use - Adding RemoteApp, RDP, or a VDI

In this simultaneous use scenario, a single PC is used for both administration tasks and daily activities like email, document editing, and development work. In this configuration, the user operating systems are deployed and managed centrally (in the cloud or in your datacenter), but aren't available while disconnected.

Diagram: a single PC used in the simultaneous use scenario for both administrative tasks and daily activities such as email, document editing, and development work, with the user desktop delivered remotely

The physical hardware runs a single PAW operating system locally for administrative tasks and contacts a Microsoft or third-party remote desktop service for user applications such as email, document editing, and line of business applications.

In this configuration, daily work that does not require administrative privileges is done in the remote OS(es) and applications, which are not subject to the restrictions applied to the PAW host. All administrative work is done on the Admin OS.

To configure this, follow the instructions in this guidance for the PAW host, allow network connectivity to the Remote Desktop services, and then add shortcuts to the PAW user's desktop to access the applications. The remote desktop services could be hosted in many ways, including:

  • An existing Remote Desktop or VDI service (on-premises or in the cloud)

  • A new service you install on-premises or in the cloud

  • Azure RemoteApp using pre-configured Office 365 templates or your own installation images

For more information on Azure RemoteApp, visit this page.

爪案例PAW Scenarios

本節的案例此爪指導方針應該會套用到指導方針。This section contains guidance on which scenarios this PAW guidance should be applied to. 在所有案例中,應該只適用於執行遠端系統支援使用腳印訓練系統管理員。In all scenarios, administrators should be trained to only use PAWs for performing support of remote systems. 若要鼓勵成功,且安全的使用量,所有爪使用者應該也會都鼓勵提供應爪程式整合仔細地檢查 [意見反應,以改善爪體驗與意見反應。To encourage successful and secure usage, all PAW users should be also be encouraged to provide feedback to improve the PAW experience and this feedback should be reviewed carefully for integration with your PAW program.

所有案例中,稍後階段中的其他強化和設定檔不同的硬體本指南可能都用來可用性或安全性的需求角色。In all scenarios, additional hardening in later phases and different hardware profiles in this guidance may be used to meet the usability or security requirements of the roles.

注意

所有主機和服務,請都注意,此指導方針明確區分需要特定網際網路(例如 Azure 與 Office 365 系統管理員入口網站)和「開放網際網路」的服務存取權。Note that this guidance explicitly differentiates between requiring access to specific services on the internet (such as Azure and Office 365 administrative portals) and the "Open Internet" of all hosts and services.

查看層模型頁面的詳細資訊層指定。See the Tier model page for more information on the Tier designations.

Scenarios - Use PAW? - Scope and Security Considerations

Active Directory Admins - Tier 0
Use PAW? Yes
A PAW built with Phase 1 guidance is sufficient for this role.
- An administrative forest can be added to provide the strongest protection for this scenario. For more information on the ESAE administrative forest, see ESAE Administrative Forest Design Approach.
- A PAW can be used to manage multiple domains or multiple forests.
- If Domain Controllers are hosted on an Infrastructure as a Service (IaaS) or on-premises virtualization solution, you should prioritize implementing PAWs for the administrators of those solutions.

Admin of Azure IaaS and PaaS services - Tier 0 or Tier 1 (see Scope and Design Considerations)
Use PAW? Yes
A PAW built using the guidance provided in Phase 2 is sufficient for this role.
- PAWs should be used for at least the Global administrator and Subscription Billing administrator. You should also use PAWs for delegated administrators of critical or sensitive servers.
- PAWs should be used for managing the operating system and applications that provide Directory Synchronization and Identity Federation for cloud services such as Azure AD Connect and Active Directory Federation Services (ADFS).
- The outbound network restrictions must allow connectivity only to authorized cloud services using the guidance in Phase 2. No open internet access should be allowed from PAWs.
- EMET should be configured for all browsers used on the workstation.
Note: A subscription is considered to be Tier 0 for a Forest if Domain Controllers or other Tier 0 hosts are in the subscription. A subscription is Tier 1 if no Tier 0 servers are hosted in Azure.

Admin Office 365 Tenant - Tier 1
Use PAW? Yes
A PAW built using the guidance provided in Phase 2 is sufficient for this role.
- PAWs should be used for at least the Subscription Billing administrator, Global administrator, Exchange administrator, SharePoint administrator, and User management administrator roles. You should also strongly consider the use of PAWs for delegated administrators of highly critical or sensitive data.
- EMET should be configured for all browsers used on the workstation.
- The outbound network restrictions must allow connectivity only to Microsoft services using the guidance in Phase 2. No open internet access should be allowed from PAWs.

Other IaaS or PaaS cloud service admin - Tier 0 or Tier 1 (see Scope and Design Considerations)
Use PAW? Yes
A PAW built using the guidance provided in Phase 2 is sufficient for this role.
- PAWs should be used for any role that has administrative rights over cloud hosted VMs, including the ability to install agents, export hard disk files, or access storage where hard drives with operating systems, sensitive data, or business critical data are stored.
- The outbound network restrictions must allow connectivity only to Microsoft services using the guidance in Phase 2. No open internet access should be allowed from PAWs.
- EMET should be configured for all browsers used on the workstation.
Note: A subscription is Tier 0 for a Forest if Domain Controllers or other Tier 0 hosts are in the subscription. A subscription is Tier 1 if no Tier 0 servers are hosted in Azure.

Virtualization Administrators - Tier 0 or Tier 1 (see Scope and Design Considerations)
Use PAW? Yes
A PAW built using the guidance provided in Phase 2 is sufficient for this role.
- PAWs should be used for any role that has administrative rights over VMs, including the ability to install agents, export virtual hard disk files, or access storage where hard drives with guest operating system information, sensitive data, or business critical data are stored.
Note: A virtualization system (and its admins) is considered Tier 0 for a Forest if Domain Controllers or other Tier 0 hosts are in the subscription. A subscription is Tier 1 if no Tier 0 servers are hosted in the virtualization system.

Server Maintenance Admins - Tier 1
Use PAW? Yes
A PAW built using the guidance provided in Phase 2 is sufficient for this role.
- A PAW should be used for administrators that update, patch, and troubleshoot enterprise servers and apps running Windows Server, Linux, and other operating systems.
- Dedicated management tools may need to be added for PAWs to handle the larger scale of these admins.

User Workstation Admins - Tier 2
Use PAW? Yes
A PAW built using guidance provided in Phase 2 is sufficient for roles that have administrative rights on end user devices (such as helpdesk and deskside support roles).
- Additional applications may need to be installed on PAWs to enable ticket management and other support functions.
- EMET should be configured for all browsers used on the workstation.
- Dedicated management tools may need to be added for PAWs to handle the larger scale of these admins.

SQL, SharePoint, or line of business (LOB) Admin - Tier 1
Use PAW? Yes
A PAW built with Phase 2 guidance is sufficient for this role.
- Additional management tools may need to be installed on PAWs to allow administrators to manage applications without needing to connect to servers using Remote Desktop.

Users Managing Social Media Presence
Use PAW? Partially
A PAW built using the guidance provided in Phase 2 can be used as a starting point to provide security for these roles.
- Protect and manage social media accounts using Azure Active Directory (AAD) for sharing, protecting, and tracking access to social media accounts. For more information on this capability, read this blog post.
- The outbound network restrictions must allow connectivity to these services. This can be done by allowing open internet connections (a much higher security risk that negates many PAW assurances) or by allowing only the required DNS addresses for the service (which may be challenging to obtain).

Standard Users
Use PAW? No
While many hardening steps can be used for standard users, PAW is designed to isolate accounts from the open internet access that most users require for job duties.

Guest VDI/Kiosk
Use PAW? No
While many hardening steps can be used for a kiosk system for guests, the PAW architecture is designed to provide higher security for high sensitivity accounts, not higher security for lower sensitivity accounts.

VIP User (Executive, Researcher, etc.)
Use PAW? Partially
A PAW built using guidance provided in Phase 2 can be used as a starting point to provide security for these roles.
- This scenario is similar to a standard user desktop, but typically has a smaller, simpler, and well-known application profile. This scenario typically requires discovering and protecting sensitive data, services, and applications (which may or may not be installed on the desktops).
- These roles typically require a high degree of security and a very high degree of usability, which require design changes to meet user preferences.

Industrial control systems (e.g. SCADA, PCN, and DCS)
Use PAW? Partially
A PAW built using guidance provided in Phase 2 can be used as a starting point to provide security for these roles, as most ICS consoles (including such common standards as SCADA and PCN) don't require browsing the open Internet and checking email.
- Applications used for controlling physical machinery would have to be integrated and tested for compatibility and protected appropriately.

Embedded Operating System
Use PAW? No
While many hardening steps from PAW can be used for embedded operating systems, a custom solution would need to be developed for hardening in this scenario.

Note

Combination scenarios: some personnel may have administrative responsibilities that span multiple scenarios. In these cases, the key rule to keep in mind is that the Tier model rules must be followed at all times. See the Tier model page for more information.

Note

Scaling the PAW Program: as your PAW program scales to encompass more admins and roles, you need to continue to ensure that you maintain adherence to the security standards and usability. This may require you to update your IT support structures or create new ones to resolve PAW-specific challenges such as the PAW onboarding process, incident management, configuration management, and gathering feedback to address usability challenges. One example may be that your organization decides to enable work-from-home scenarios for administrators, which would necessitate a shift from desktop PAWs to laptop PAWs, a shift which may in turn necessitate additional security considerations. Another common example is to create or update training for new administrators, training which must now include content on the appropriate use of a PAW (including why it's important and what a PAW is and isn't). For more considerations which must be addressed as you scale your PAW program, see Phase 2 of the instructions.

This guidance contains the detailed instructions for the PAW configuration for the scenarios as noted above. If you have requirements for the other scenarios, you can adapt the instructions based on this guidance yourself or hire a professional services organization like Microsoft to assist with it.

For more information on engaging Microsoft services to design a PAW tailored for your environment, contact your Microsoft representative or visit this page.

PAW Installation instructions

Because the PAW must provide a secure and trusted source for administration, it's essential that the build process is secure and trusted. This section provides detailed instructions which will allow you to build your own PAW using general principles and concepts very similar to those used by Microsoft IT and Microsoft cloud engineering and service management organizations.

The instructions are divided into three phases which focus on putting the most critical mitigations in place quickly and then progressively increasing and expanding the usage of PAW for the enterprise.

  • Phase 1 - Immediate Deployment for Active Directory Administrators

  • Phase 2 - Extend PAW to all administrators

  • Phase 3 - Advanced PAW security

It is important to note that the phases should always be performed in order, even if they are planned and implemented as part of the same overall project.

Phase 1 - Immediate Deployment for Active Directory Administrators

Purpose: Provides a PAW quickly that can protect on-premises domain and forest administration roles.

Scope: Tier 0 Administrators including Enterprise Admins, Domain Admins (for all domains), and administrators of other authoritative identity systems.

Phase 1 focuses on the administrators who manage your on-premises Active Directory domain, which are critically important roles frequently targeted by attackers. These identity systems will work effectively for protecting these admins whether your Active Directory Domain Controllers (DCs) are hosted in on-premises datacenters, on Azure Infrastructure as a Service (IaaS), or on another IaaS provider.

During this phase, you will create the secure administrative Active Directory organizational unit (OU) structure to host your privileged access workstation (PAW), as well as deploy the PAWs themselves. This structure also includes the group policies and groups required to support the PAW. You will create most of the structure using PowerShell scripts which are available at TechNet Gallery.

The scripts will create the following OUs and Security Groups:

  • Organizational Units (OU)

    • Six new top-level OUs: Admin; Groups; Tier 1 Servers; Workstations; User Accounts; and Computer Quarantine. Each top-level OU will contain a number of child OUs.

  • Groups

    • Six new security-enabled global groups: Tier 0 Replication Maintenance; Tier 1 Server Maintenance; Service Desk Operators; Workstation Maintenance; PAW Users; PAW Maintenance.

You will also create a number of group policy objects: PAW Configuration - Computer; PAW Configuration - User; RestrictedAdmin Required - Computer; PAW Outbound Restrictions; Restrict Workstation Logon; Restrict Server Logon.

Phase 1 includes the following steps:

  1. Complete the Prerequisites

    1. Ensure that all administrators use separate, individual accounts for administration and end user activities (including email, Internet browsing, line-of-business applications, and other non-administrative activities). Assigning an administrative account to each authorized person, separate from their standard user account, is fundamental to the PAW model, as only certain accounts will be permitted to log onto the PAW itself.

      Note

      Each administrator should use his or her own account for administration. Do not share an administrative account.

    2. Minimize the number of Tier 0 privileged administrators. Because each administrator must use a PAW, reducing the number of administrators reduces the number of PAWs required to support them and the associated costs. The lower count of administrators also results in lower exposure of these privileges and associated risks. While it is possible for administrators in one location to share a PAW, administrators in separate physical locations will require separate PAWs.

    3. Acquire hardware from a trusted supplier that meets all technical requirements. Microsoft recommends acquiring hardware that meets the technical requirements in the article Protect domain credentials with Credential Guard.

      Note

      A PAW installed on hardware without these capabilities can provide significant protections, but advanced security features such as Credential Guard and Device Guard will not be available. Credential Guard and Device Guard are not required for Phase 1 deployment, but are strongly recommended as part of Phase 3 (advanced hardening).

      Ensure that the hardware used for the PAW is sourced from a manufacturer and supplier whose security practices are trusted by the organization. This is an application of the clean source principle to supply chain security.

      Note

      For more background on the importance of supply chain security, visit this site.

    4. Acquire and validate the required Windows 10 Enterprise Edition and application software. Obtain the software required for PAW and validate it using the guidance in Clean Source for installation media.

    5. Ensure you have a WSUS server available on the intranet. You will need a WSUS server on the intranet to download and install updates for the PAW. This WSUS server should be configured to automatically approve all security updates for Windows 10, or administrative personnel should have responsibility and accountability to rapidly approve software updates.

      Note

      For more information, see the "Automatically Approve Updates for Installation" section in the Approving Updates guidance.

  2. Deploy the Admin OU Framework to host the PAWs

    1. Download the PAW script library from TechNet Gallery

      Note

      Download all of the files and save them to the same directory, and run them in the order specified below. Create-PAWGroups depends on the OU structure created by Create-PAWOUs, and Set-PAWOUDelegation depends on the groups created by Create-PAWGroups. Do not modify any of the scripts or the comma-separated value (CSV) file.

    2. Run the Create-PAWOUs.ps1 script. This script will create the new organizational unit (OU) structure in Active Directory, and block GPO inheritance on the new OUs as appropriate.

    3. Run the Create-PAWGroups.ps1 script. This script will create the new global security groups in the appropriate OUs.

      Note

      While this script will create the new security groups, it will not populate them automatically.

    4. Run the Set-PAWOUDelegation.ps1 script. This script will assign permissions on the new OUs to the appropriate groups.

  3. Move Tier 0 accounts to the Admin\Tier 0\Accounts OU. Move each account that is a member of the Domain Admins, Enterprise Admins, or Tier 0 equivalent groups (including nested membership) to this OU. If your organization has your own groups that are added to these groups, you should move these to the Admin\Tier 0\Groups OU.

    Note

    For more information on which groups are Tier 0, see "Tier 0 Equivalency" in Securing Privileged Access Reference Material.

  4. Add the appropriate members to the relevant groups

    1. PAW Users - Add the Tier 0 administrators with Domain or Enterprise Admin group membership that you identified in Step 1 of Phase 1.

    2. PAW Maintenance - Add at least one account that will be used for PAW maintenance and troubleshooting tasks. The PAW Maintenance account(s) will be used only rarely.

      Note

      Do not add the same user account or group to both PAW Users and PAW Maintenance. The PAW security model is based partly on the assumption that the PAW user account has privileged rights on managed systems or over the PAW itself, but not both.

      • This is important for building good administrative practices and habits in Phase 1.
      • This is critically important for Phase 2 and beyond to prevent escalation of privilege through the PAW as PAWs begin to span Tiers.

      Ideally, no personnel are assigned to duties at multiple tiers, to enforce the principle of segregation of duties, but Microsoft recognizes that many organizations may have limited staff (or other organizational requirements) that don't allow for this full segregation. In these cases, the same personnel may be assigned to both roles, but should not use the same account for these functions.

  5. Create the "PAW Configuration - Computer" group policy object (GPO) and link it to the Tier 0 Devices OU ("Devices" under Tier 0\Admin). In this section, you will create a new "PAW Configuration - Computer" GPO which provides specific protections for these PAWs.

    Note

    Do not add these settings to the Default Domain Policy. Doing so will potentially impact operations on your entire Active Directory environment. Only configure these settings in the newly-created GPOs described here, and only apply them to the PAW OU.

    1. PAW Maintenance Access - this setting will set the membership of specific privileged groups on the PAWs to a specific set of users. Go to Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups and follow the steps below:

      1. Click New and click Local Group

      2. Select the Update action, and select "Administrators (built-in)" (do not use the Browse button to select the domain group Administrators).

      3. Select the Delete all member users and Delete all member groups check boxes

      4. Add PAW Maintenance (pawmaint) and Administrator (again, do not use the Browse button to select Administrator).

        Note

        Do not add the PAW Users group to the membership list for the local Administrators group. To ensure that PAW Users cannot accidentally or deliberately modify the security settings of the PAW itself, they should not be members of the local Administrators group.

        For more information on using Group Policy Preferences to modify group membership, please refer to the TechNet article Configure a Local Group Item.

    2. Restrict Local Group Membership - this setting will ensure that the membership of local admin groups on the workstation is always empty

      1. Go to Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups and follow the steps below:

        1. Click New and click Local Group

        2. Select the Update action, and select "Backup Operators (built-in)" (do not use the Browse button to select the domain group Backup Operators).

        3. Select the Delete all member users and Delete all member groups check boxes.

        4. Do not add any members to the group. Simply click OK. By assigning an empty list, group policy will automatically remove all members and ensure a blank membership list each time group policy is refreshed.

      2. Complete the above steps for the following additional groups:

        • Cryptographic Operators

        • Hyper-V Administrators

        • Network Configuration Operators

        • Power Users

        • Remote Desktop Users

        • Replicators

      3. PAW Logon Restrictions - this setting will limit the accounts which can log onto the PAW. Follow the steps below to configure this setting:

        1. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally.

        2. Select Define these policy settings and add "PAW Users" and Administrators (again, do not use the Browse button to select Administrators).

      4. Block Inbound Network Traffic - This setting will ensure that no unsolicited inbound network traffic is allowed to the PAW. Follow the steps below to configure this setting:

        1. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security and follow the steps below:

          1. Right click on Windows Firewall with Advanced Security and select Import policy.

          2. Click Yes to accept that this will overwrite any existing firewall policies.

          3. Browse to PAWFirewall.wfw and select Open.

          4. Click OK.

            Note

            You may add addresses or subnets which must reach the PAW with unsolicited traffic at this point (e.g. security scanning or management software). The settings in the WFW file will enable the firewall in "Block - Default" mode for all firewall profiles, turn off rule merging and enable logging of both dropped and successful packets. These settings will block unsolicited traffic while still allowing bidirectional communication on connections initiated from the PAW, prevent users with local administrative access from creating local firewall rules that would override the GPO settings, and ensure that traffic in and out of the PAW is logged. Opening up this firewall will expand the attack surface of the PAW and increase security risk. Before adding any addresses, consult the Managing and Operating PAW section in this guidance.

      5. Configure Windows Update for WSUS - follow the steps below to change the settings to configure Windows Update for the PAWs:

        1. Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Updates and follow the steps below:

          1. Enable the Configure Automatic Updates policy.

          2. Select option 4 - Auto download and schedule the install.

          3. Change the option Scheduled install day to 0 - Every Day and the option Scheduled install time to your organizational preference.

          4. Enable the Specify intranet Microsoft update service location policy, and specify in both options the URL of the ESAE WSUS server.

      6. Link the "PAW Configuration - Computer" GPO as follows:

        Policy: PAW Configuration - Computer
        Link Location: Admin\Tier 0\Devices
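The computer GPO above only takes effect on hosts that actually receive it, so it is worth reading the resulting state back on a PAW and flagging drift. The script below is an added example (not part of this guidance or of the TechNet script library) that checks the local group memberships, firewall profile mode and WSUS policy values the steps above configure; it assumes the PAW Maintenance group is the domain group "pawmaint" named above, and the WSUS URL is a placeholder for your ESAE WSUS server.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guidance or the TechNet script library.
# Reads back the settings the "PAW Configuration - Computer" GPO is meant to
# enforce on a PAW and reports any drift. Run it on the PAW after gpupdate.
# Assumptions: the PAW Maintenance group is the domain group "pawmaint" named
# in the guidance; the WSUS URL is a placeholder for your ESAE WSUS server.
param(
    [string]$MaintenanceGroup = 'pawmaint',
    [string]$ExpectedWsusUrl  = 'https://wsus.esae.example.local:8531'
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Local Administrators: only the maintenance group and the built-in
#    Administrator account; PAW Users must never appear here.
$netbios = (Get-CimInstance Win32_ComputerSystem).Domain.Split('.')[0]
$allowed = @("$netbios\$MaintenanceGroup", "$env:COMPUTERNAME\Administrator")
$admins  = @(Get-LocalGroupMember -Group 'Administrators' |
             Select-Object -ExpandProperty Name)
foreach ($member in $admins) {
    if ($allowed -notcontains $member) {
        $findings.Add("Administrators contains unexpected member $member")
    }
}
if ($admins -notcontains $allowed[0]) {
    $findings.Add("Administrators is missing $($allowed[0])")
}

# 2. Groups the GPO pins to an empty membership list. The guidance lists
#    "Replicators"; the built-in group is named "Replicator" on Windows.
$mustBeEmpty = 'Backup Operators', 'Cryptographic Operators',
               'Hyper-V Administrators', 'Network Configuration Operators',
               'Power Users', 'Remote Desktop Users', 'Replicator'
foreach ($group in $mustBeEmpty) {
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
    foreach ($member in $members) {
        $findings.Add("$group should be empty but contains $($member.Name)")
    }
}

# 3. Firewall: PAWFirewall.wfw puts every profile in block-by-default mode,
#    turns off merging of local rules and logs dropped and allowed packets.
foreach ($fwProfile in Get-NetFirewallProfile) {
    $name = $fwProfile.Name
    if ($fwProfile.Enabled -ne 'True') {
        $findings.Add("$name profile: firewall disabled")
    }
    if ($fwProfile.DefaultInboundAction -ne 'Block') {
        $findings.Add("$name profile: default inbound action is not Block")
    }
    if ($fwProfile.AllowLocalFirewallRules -ne 'False') {
        $findings.Add("$name profile: local rule merging is allowed")
    }
    if ($fwProfile.LogAllowed -ne 'True' -or $fwProfile.LogBlocked -ne 'True') {
        $findings.Add("$name profile: allowed and dropped packets are not both logged")
    }
}

# 4. Windows Update: option 4 (auto download, scheduled install), every day,
#    and both intranet service-location URLs pointing at the WSUS server.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty $wuKey      -ErrorAction SilentlyContinue
$au = Get-ItemProperty "$wuKey\AU" -ErrorAction SilentlyContinue
if ($au.UseWUServer -ne 1)         { $findings.Add('AU\UseWUServer is not 1') }
if ($au.AUOptions -ne 4)           { $findings.Add('AU\AUOptions is not 4') }
if ($au.ScheduledInstallDay -ne 0) { $findings.Add('AU\ScheduledInstallDay is not 0 (every day)') }
foreach ($value in 'WUServer', 'WUStatusServer') {
    if ($wu.$value -ne $ExpectedWsusUrl) {
        $findings.Add("$value is not $ExpectedWsusUrl")
    }
}

if ($findings.Count -eq 0) {
    'PAW host matches the Phase 1 "PAW Configuration - Computer" settings.'
} else {
    $findings | ForEach-Object { "DRIFT: $_" }
}
```

Any DRIFT line means the GPO did not apply as intended (wrong OU link, blocked inheritance, or a local change); the Administrators check in particular catches a PAW Users account that was added to the local Administrators group against the note above.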
  6. Create the "PAW Configuration - User" group policy object (GPO) and link it to the Tier 0 Accounts OU ("Accounts" under Tier 0\Admin). In this section, you will create a new "PAW Configuration - User" GPO which provides specific protections for these PAWs.

    Note

    Do not add these settings to the Default Domain Policy.

    1. Block internet browsing - To deter inadvertent internet browsing, this sets the proxy address to a loopback address (127.0.0.1) on which nothing is listening, so browser requests to the internet fail. The item-level targeting below applies the setting to members of PAW Users who are not also members of Cloud Services Admins; cloud administrators receive the PAC-based restriction configured in Phase 2 instead.

      1. Go to User Configuration\Preferences\Windows Settings\Registry. Right-click Registry, select New > Registry Item and configure the following settings:

        1. Action: Replace

        2. Hive: HKEY_CURRENT_USER

        3. Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

        4. Value name: ProxyEnable

          Note

          Do not select the Default box to the left of Value name.

        5. Value type: REG_DWORD

        6. Value data: 1

          1. Click the Common tab and select Remove this item when it is no longer applied.

          2. On the Common tab select Item level targeting and click Targeting.

          3. Click New Item and select Security group.

          4. Select the "..." button and browse for the PAW Users group.

          5. Click New Item and select Security group.

          6. Select the "..." button and browse for the Cloud Services Admins group.

          7. Click on the Cloud Services Admins item and click Item Options.

          8. Select Is not.

          9. Click OK on the targeting window.

        7. Click OK to complete the ProxyEnable group policy setting.

      2. Go to User Configuration\Preferences\Windows Settings\Registry. Right-click Registry, select New > Registry Item and configure the following settings:

        • Action: Replace

        • Hive: HKEY_CURRENT_USER

        • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

        • Value name: ProxyServer

          Note

          Do not select the Default box to the left of Value name.

        • Value type: REG_SZ

        • Value data: 127.0.0.1:80

          1. Click the Common tab and select Remove this item when it is no longer applied.

          2. On the Common tab select Item level targeting and click Targeting.

          3. Click New Item and select Security group.

          4. Select the "..." button and browse for the PAW Users group.

          5. Click New Item and select Security group.

          6. Select the "..." button and browse for the Cloud Services Admins group.

          7. Click on the Cloud Services Admins item and click Item Options.

          8. Select Is not.

          9. Click OK on the targeting window.

      3. Click OK to complete the ProxyServer group policy setting.

    2. Go to User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer, and enable the options below. These settings prevent administrators from manually overriding the proxy settings.

      1. Enable Disable changing Automatic Configuration settings.

      2. Enable Prevent changing proxy settings.
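The registry preference items and the two Internet Explorer lock-down policies above can be created from PowerShell, and the effective result checked from the PAW user's session. The script below is an added example, not code from the original guidance; the GPO name is an assumption. Item-level targeting (apply to PAW Users but not to Cloud Services Admins) has no GroupPolicy cmdlet and must still be set in GPMC as described in the steps.

```powershell
# Added example (not part of the original guidance): loopback-proxy preference items plus
# the IE policies that stop users changing them, in the "PAW Configuration - User" GPO.
# GPO name assumed. Item-level targeting still has to be set in GPMC.
Import-Module GroupPolicy

function Set-PawLoopbackProxy {
    param([string]$Gpo = 'PAW Configuration - User')

    # Group Policy Preferences registry items (Action: Replace), as in the steps above
    $inet = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-GPPrefRegistryValue -Name $Gpo -Context User -Action Replace -Key $inet `
        -ValueName 'ProxyEnable' -Type DWord -Value 1 | Out-Null
    Set-GPPrefRegistryValue -Name $Gpo -Context User -Action Replace -Key $inet `
        -ValueName 'ProxyServer' -Type String -Value '127.0.0.1:80' | Out-Null

    # Administrative Template policies that lock the proxy UI in Internet Explorer
    $ie = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    # "Disable changing Automatic Configuration settings"
    Set-GPRegistryValue -Name $Gpo -Key $ie -ValueName 'Autoconfig' -Type DWord -Value 1 | Out-Null
    # "Prevent changing proxy settings"
    Set-GPRegistryValue -Name $Gpo -Key $ie -ValueName 'Proxy'      -Type DWord -Value 1 | Out-Null
}

function Test-PawLoopbackProxy {
    # Run as the PAW user after gpupdate. Missing values count as failures (fail closed).
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $ie   = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnabled    = ($inet.ProxyEnable -eq 1)
        ProxyIsLoopback = ($inet.ProxyServer -eq '127.0.0.1:80')
        ProxyUiLocked   = ($ie.Proxy -eq 1) -and ($ie.Autoconfig -eq 1)
    }
}

# Set-PawLoopbackProxy          # on a host with GPMC
# Test-PawLoopbackProxy         # on the PAW, as a PAW Users member
```

A functional check is simpler still: from the PAW user's session, any browser request to an external site must fail with a proxy connection error. Remember that this setting only governs applications that honour the WinINET proxy; the host firewall configured in the computer GPO is the control that applies to everything else.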

  7. Restrict Administrators from logging onto lower tier hosts. In this section, we will configure group policies to prevent privileged administrative accounts from logging onto lower tier hosts.

    1. Create the new Restrict Workstation Logon GPO - this setting restricts Tier 0 and Tier 1 administrator accounts from logging onto standard workstations. This GPO should be linked to the "Workstations" top-level OU and have the following settings:

      • (i) In Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job, select Define these policy settings and add the Tier 0 and Tier 1 groups:

        Groups to add to policy settings:

        Enterprise Admins

        Domain Admins

        Schema Admins

        DOMAIN\Administrators

        Account Operators

        Backup Operators

        Print Operators

        Server Operators

        Domain Controllers

        Read-Only Domain Controllers

        Group Policy Creator Owners

        Cryptographic Operators

        Note

        Built-in Tier 0 groups; see Tier 0 equivalency for more details.

        Other Delegated Groups

        Note

        Any custom-created groups with effective Tier 0 access; see Tier 0 equivalency for more details.

        Tier 1 Admins

        Note

        This group was created earlier in Phase 1.

      • (ii) In Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service, select Define these policy settings and add the Tier 0 and Tier 1 groups:

        Groups to add to policy settings:

        Enterprise Admins

        Domain Admins

        Schema Admins

        DOMAIN\Administrators

        Account Operators

        Backup Operators

        Print Operators

        Server Operators

        Domain Controllers

        Read-Only Domain Controllers

        Group Policy Creator Owners

        Cryptographic Operators

        Note

        Built-in Tier 0 groups; see Tier 0 equivalency for more details.

        Other Delegated Groups

        Note

        Any custom-created groups with effective Tier 0 access; see Tier 0 equivalency for more details.

        Tier 1 Admins

        Note

        This group was created earlier in Phase 1.

    2. Create the new Restrict Server Logon GPO - this setting restricts Tier 0 administrator accounts from logging onto Tier 1 servers. This GPO should be linked to the "Tier 1 Servers" top-level OU and have the following settings:

      • (i) In Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job, select Define these policy settings and add the Tier 0 groups:

        Groups to add to policy settings:

        Enterprise Admins

        Domain Admins

        Schema Admins

        DOMAIN\Administrators

        Account Operators

        Backup Operators

        Print Operators

        Server Operators

        Domain Controllers

        Read-Only Domain Controllers

        Group Policy Creator Owners

        Cryptographic Operators

        Note

        Built-in Tier 0 groups; see Tier 0 equivalency for more details.

        Other Delegated Groups

        Note

        Any custom-created groups with effective Tier 0 access; see Tier 0 equivalency for more details.

      • (ii) In Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service, select Define these policy settings and add the Tier 0 groups:

        Groups to add to policy settings:

        Enterprise Admins

        Domain Admins

        Schema Admins

        DOMAIN\Administrators

        Account Operators

        Backup Operators

        Print Operators

        Server Operators

        Domain Controllers

        Read-Only Domain Controllers

        Group Policy Creator Owners

        Cryptographic Operators

        Note

        Built-in Tier 0 groups; see Tier 0 equivalency for more details.

        Other Delegated Groups

        Note

        Any custom-created groups with effective Tier 0 access; see Tier 0 equivalency for more details.

      • (iii) In Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally, select Define these policy settings and add the Tier 0 groups:

        Groups to add to policy settings:

        Enterprise Admins

        Domain Admins

        Schema Admins

        Account Operators

        Backup Operators

        Print Operators

        Server Operators

        Domain Controllers

        Read-Only Domain Controllers

        Group Policy Creator Owners

        Cryptographic Operators

        Note

        Built-in Tier 0 groups; see Tier 0 equivalency for more details.

        Note

        DOMAIN\Administrators is not in this list. In a GPO that group is stored as the well-known SID S-1-5-32-544, which on each member server resolves to that server's own local Administrators group, so adding it here would deny local logon to every local administrator of those servers.

        Other Delegated Groups

        Note

        Any custom-created groups with effective Tier 0 access; see Tier 0 equivalency for more details.
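User rights assignments have no GroupPolicy cmdlet; they live in the GptTmpl.inf security template inside the GPO's SYSVOL folder, as lists of SIDs. The script below is an added example, not part of the original guidance: it generates the [Privilege Rights] section for the Restrict Server Logon GPO described above, resolving the listed groups to SIDs, and checks on a Tier 1 server that the denies are in effect. Group names are the Windows defaults; 'Tier 0 Delegated Admins' is an assumed stand-in for your own Tier 0-equivalent groups, and the export path is a placeholder.

```powershell
# Added example (not part of the original guidance): build the [Privilege Rights] section of
# the GptTmpl.inf behind the "Restrict Server Logon" GPO and verify it on a Tier 1 server.
# Needs the ActiveDirectory module; the secedit check needs an elevated prompt.
Import-Module ActiveDirectory

$Tier0Groups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Account Operators',
    'Backup Operators', 'Print Operators', 'Server Operators', 'Domain Controllers',
    'Read-Only Domain Controllers', 'Group Policy Creator Owners', 'Cryptographic Operators',
    'Tier 0 Delegated Admins'    # assumed name standing in for "Other Delegated Groups"
)

function Get-GroupSid {
    param([string]$Name)
    # Domain and Builtin groups resolve through AD; anything else falls back to LSA translation.
    try   { (Get-ADGroup -Identity $Name -ErrorAction Stop).SID.Value }
    catch { ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]).Value }
}

function New-DenyLogonInf {
    # Emits a minimal security template; each right lists SIDs prefixed with '*' as secedit expects.
    param([hashtable]$RightsToGroups)
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($right in $RightsToGroups.Keys) {
        $sids = ($RightsToGroups[$right] | ForEach-Object { '*' + (Get-GroupSid -Name $_) }) -join ','
        $lines += "$right = $sids"
    }
    $lines -join "`r`n"
}

# Restrict Server Logon: batch and service denies include DOMAIN\Administrators, the interactive
# deny does not. Caveat: 'Administrators' is stored as S-1-5-32-544, which on every member server
# is that server's local Administrators group, not only the domain's Builtin group.
$ServerLogonDenies = @{
    SeDenyBatchLogonRight       = $Tier0Groups + 'Administrators'
    SeDenyServiceLogonRight     = $Tier0Groups + 'Administrators'
    SeDenyInteractiveLogonRight = $Tier0Groups
}

function Test-DenyLogonApplied {
    # Run on a Tier 1 server after gpupdate: export the effective user rights and check every SID.
    param([hashtable]$RightsToGroups = $ServerLogonDenies, [string]$ExportPath = "$env:TEMP\user-rights.inf")
    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    $effective = @{}
    foreach ($line in Get-Content -Path $ExportPath) {
        if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') { $effective[$matches[1]] = $matches[2] -split ',' }
    }
    foreach ($right in $RightsToGroups.Keys) {
        foreach ($group in $RightsToGroups[$right]) {
            $sid = '*' + (Get-GroupSid -Name $group)
            [pscustomobject]@{ Right = $right; Group = $group; Applied = ($effective[$right] -contains $sid) }
        }
    }
}

# New-DenyLogonInf -RightsToGroups $ServerLogonDenies | Set-Content -Path .\GptTmpl.inf -Encoding Unicode
# Place the file under the GPO's SYSVOL folder at Machine\Microsoft\Windows NT\SecEdit\ and raise the
# GPO version (open and save the policy in GPMC) so clients re-read it.
# Test-DenyLogonApplied | Where-Object { -not $_.Applied }
```

Two caveats a practitioner should keep in mind. First, "Deny log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight) is a separate right from "Deny log on locally"; the lists above do not cover RDP, so decide explicitly whether your server GPO should. Second, a user-rights deny stops a new logon but does not end sessions that already exist, so check for existing Tier 0 sessions on Tier 1 servers when the GPO is first applied.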

  8. Deploy your PAW(s)

    Note

    Ensure that the PAW is disconnected from the network during the operating system build process.

    1. Install Windows 10 using the clean source installation media that you obtained earlier.

      Note

      You may use Microsoft Deployment Toolkit (MDT) or another automated image deployment system to automate PAW deployment, but you must ensure the build process is as trustworthy as the PAW. Adversaries specifically seek out corporate images and deployment systems (including ISOs, deployment packages, etc.) as a persistence mechanism, so preexisting deployment systems or images should not be used.

      If you automate deployment of the PAW, you must:

      • Build the system using installation media validated using the guidance in Clean Source for installation media.
      • Ensure that the automated deployment system is disconnected from the network during the operating system build process.

    2. Set a unique complex password for the local Administrator account. Do not use a password that has been used for any other account in the environment.

      Note

      Microsoft recommends using Local Administrator Password Solution (LAPS) to manage the local Administrator password for all workstations, including PAWs. If you use LAPS, ensure that you only grant the PAW Maintenance group the right to read LAPS-managed passwords for the PAWs.

    3. Install Remote Server Administration Tools for Windows 10 using the clean source installation media.

    4. Install Enhanced Mitigation Experience Toolkit (EMET) using the clean source installation media.

      Note

      Please note that, at the time of the last update of this guidance, EMET 5.5 was still in beta testing. Because this is the first version supported on Windows 10, it is included here despite its beta state. If installing beta software on the PAW exceeds your risk tolerance, you may skip this step for now. EMET has since reached end of support; on current Windows 10 builds its mitigations are provided by the built-in Exploit Protection feature.

    5. Connect the PAW to the network. Ensure that the PAW can connect to at least one Domain Controller (DC).

    6. Using an account that is a member of the PAW Maintenance group, run the following PowerShell command from the newly-created PAW to join it to the domain in the appropriate OU:

      Add-Computer -DomainName Fabrikam -OUPath "OU=Devices,OU=Tier 0,OU=Admin,DC=fabrikam,DC=com"

      Replace the references to Fabrikam with your domain name, as appropriate. If your domain name extends to multiple levels (e.g. child.fabrikam.com), add the additional names with the "DC=" identifier in the order in which they appear in the domain's fully-qualified domain name.

      Note

      If you have deployed an ESAE Administrative Forest (for Tier 0 admins in Phase 1) or a Microsoft Identity Manager (MIM) privileged access management (PAM) environment (for Tier 1 and 2 admins in Phase 2), you would join the PAW to the domain in that environment here instead of the production domain.

    7. Apply all critical and important Windows Updates before installing any other software (including administrative tools, agents, etc.).

    8. Force the Group Policy application.

      1. Open an elevated command prompt and enter the following command:

        Gpupdate /force /sync

      2. Restart the computer.

    9. (Optional) Install additional required tools for Active Directory Admins. Install any other tools or scripts required to perform job duties. Evaluate the risk of credential exposure on the target computers for any tool before adding it to a PAW; see the guidance on evaluating administrative tools and connection methods for credential exposure risk. Obtain all installation media using the guidance in Clean Source for installation media.

      Note

      Using a jump server as a central location for these tools can reduce complexity, even if it doesn't serve as a security boundary.

    10. (Optional) Download and install required remote access software. If administrators will be using the PAW remotely for administration, install the remote access software using security guidance from your remote access solution vendor. Obtain all installation media using the guidance in Clean Source for installation media.

      Note

      Carefully consider all of the risks involved in allowing remote access via a PAW. While a mobile PAW enables many important scenarios, including work from home, remote access software can potentially be vulnerable to attack and used to compromise a PAW.

    11. Validate the integrity of the PAW system by reviewing and confirming that all appropriate settings are in place using the steps below:

      1. Confirm that only the PAW-specific group policies are applied to the PAW.

        1. Open an elevated command prompt and enter the following command:

          Gpresult /scope computer /r

        2. Review the resulting list and ensure that the only group policies that appear are the ones you created above.

      2. Confirm that no additional user accounts are members of privileged groups on the PAW using the steps below:

        1. Open Edit Local Users and Groups (lusrmgr.msc), select Groups, and confirm that the only members of the local Administrators group are the local Administrator account and the PAW Maintenance global security group.

          Note

          The PAW Users group should not be a member of the local Administrators group. The only members should be the local Administrator account and the PAW Maintenance global security group (and PAW Users should not be a member of that global group either).

        2. Also using Edit Local Users and Groups, ensure that the following groups have no members:

          • Backup Operators

          • Cryptographic Operators

          • Hyper-V Administrators

          • Network Configuration Operators

          • Power Users

          • Remote Desktop Users

          • Replicator

    12. (Optional) If your organization uses a security information and event management (SIEM) solution, ensure that the PAW is configured to forward events to the system using Windows Event Forwarding (WEF) or is otherwise registered with the solution so that the SIEM is actively receiving events and information from the PAW. The details of this operation will vary based on your SIEM solution.

      Note

      If your SIEM requires an agent which runs as SYSTEM or as a local administrative account on the PAWs, ensure that the SIEM is managed with the same level of trust as your domain controllers and identity systems.

    13. (Optional) If you chose to deploy LAPS to manage the password for the local Administrator account on your PAW, verify that the password is registered successfully.

      • Using an account with permissions to read LAPS-managed passwords, open Active Directory Users and Computers (dsa.msc). Ensure that Advanced Features is enabled, and then right-click the appropriate computer object. Select the Attribute Editor tab and confirm that the value for ms-Mcs-AdmPwd is populated with a valid password.
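The validation steps 11 and 13 above are easy to script so they can be re-run after every change to the PAW. The following is an added example, not part of the original guidance: it checks the applied computer GPOs, local Administrators membership, the groups that must be empty, and the LAPS attribute, without ever printing the password. The domain NetBIOS name FABRIKAM, the group name "PAW Maintenance" and the list of expected GPO names are assumptions; the LAPS check needs the ActiveDirectory module from RSAT and read rights on ms-Mcs-AdmPwd.

```powershell
# Added example (not part of the original guidance): PAW integrity checks from steps 11 and 13.
# Run on the PAW from a PAW Maintenance account. Names below are assumptions for your environment.
$Domain         = 'FABRIKAM'
$ExpectedAdmins = @('Administrator', "$Domain\PAW Maintenance")
$ExpectedGpos   = @('PAW Configuration - Computer', 'Default Domain Policy', 'Local Group Policy')
$MustBeEmpty    = @('Backup Operators', 'Cryptographic Operators', 'Hyper-V Administrators',
                    'Network Configuration Operators', 'Power Users', 'Remote Desktop Users', 'Replicator')

function Test-PawAppliedGpos {
    # Computer-scope RSoP as XML; any applied GPO not on the expected list is flagged.
    $xmlPath = Join-Path $env:TEMP 'paw-rsop.xml'
    gpresult /scope computer /x $xmlPath /f | Out-Null
    [xml]$rsop = Get-Content -Path $xmlPath
    foreach ($g in $rsop.Rsop.ComputerResults.GPO) {
        if ($g.Enabled -ne 'true' -or $g.IsValid -ne 'true' -or $g.AccessDenied -eq 'true') { continue }
        [pscustomobject]@{ Check = "Applied GPO: $($g.Name)"; Ok = ($g.Name -in $ExpectedGpos); Detail = ($g.Link.SOMPath -join ', ') }
    }
}

function Test-PawLocalGroups {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # Local principals come back as COMPUTER\Name; strip the prefix so both kinds compare alike
        if ($_.PrincipalSource -eq 'Local') { $_.Name.Split('\')[-1] } else { $_.Name }
    })
    $extra   = @($admins | Where-Object { $_ -notin $ExpectedAdmins })
    $missing = @($ExpectedAdmins | Where-Object { $_ -notin $admins })
    [pscustomobject]@{ Check  = 'Local Administrators membership'
                       Ok     = ($extra.Count -eq 0 -and $missing.Count -eq 0)
                       Detail = "unexpected: $($extra -join ', ') missing: $($missing -join ', ')" }
    foreach ($group in $MustBeEmpty) {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Check = "$group has no members"; Ok = ($members.Count -eq 0); Detail = ($members.Name -join ', ') }
    }
}

function Test-PawLapsPassword {
    # Confirms that LAPS registered a password for this computer object; the password itself is never output.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $c = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    $expires = if ($c.'ms-Mcs-AdmPwdExpirationTime') { [datetime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime') }
    [pscustomobject]@{ Check  = 'LAPS password registered'
                       Ok     = -not [string]::IsNullOrEmpty($c.'ms-Mcs-AdmPwd')
                       Detail = "expires $expires (UTC)" }
}

@(Test-PawAppliedGpos) + @(Test-PawLocalGroups) + @(Test-PawLapsPassword) |
    Format-Table Check, Ok, Detail -AutoSize
```

Keep the expected-GPO list in step with the baselines you link in Phase 2, otherwise the GPO check will start flagging policies you added on purpose. An unexpected member of the local Administrators group or of any of the "must be empty" groups on a PAW is an incident indicator, not a configuration nit, because it is exactly the foothold an attacker who could not beat the tiering model directly would try to establish.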

Phase 2 - Extend PAW to All Administrators

Scope: All users with administrative rights over mission-critical applications and dependencies. This should include at least administrators of application servers, operational health and security monitoring solutions, virtualization solutions, storage systems, and network devices.

Note

The instructions in this phase assume that Phase 1 has been completed in its entirety. Do not begin Phase 2 until you have completed all of the steps in Phase 1.

Once you confirm that all steps were done, perform the steps below to complete Phase 2:

  1. (Recommended) Enable RestrictedAdmin mode - Enable this feature on your existing servers and workstations, then enforce the use of this feature. This feature requires the target servers to be running Windows Server 2008 R2 or later and target workstations to be running Windows 7 or later.

    1. Enable RestrictedAdmin mode on your servers and workstations by following the published instructions for Restricted Admin mode.

      Note

      Before enabling this feature for internet facing servers, consider the risk of adversaries being able to authenticate to these servers with a previously-stolen password hash: a host that accepts Restricted Admin connections accepts NTLM network logons for RDP, so Pass-the-Hash becomes possible against RDP on that host.

    2. Create the "RestrictedAdmin Required - Computer" group policy object (GPO). This section creates a GPO which enforces the use of the /RestrictedAdmin switch for outgoing Remote Desktop connections, protecting accounts from credential theft on the target systems.

      • Go to Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\Restrict delegation of credentials to remote servers and set to Enabled.
    3. Link the RestrictedAdmin Required - Computer GPO to the appropriate Tier 1 and/or Tier 2 Devices OUs, using the policy links below:

      PAW Configuration - Computer

      -> Link Location: Admin\Tier 0\Devices (Existing)

      PAW Configuration - User

      -> Link Location: Admin\Tier 0\Accounts

      RestrictedAdmin Required - Computer

      -> Admin\Tier1\Devices or -> Admin\Tier2\Devices (Both are optional)

      Note

      This is not necessary for Tier 0 systems as these systems are already in full control of all assets in the environment.
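Restricted Admin mode has two halves: a target server has to accept such connections, and the admin device has to be forced to use them. The following is an added example, not part of the original guidance, showing both from PowerShell. The GPO name "RestrictedAdmin Required - Computer" and the server name are assumptions; the value names are those behind the "Restrict delegation of credentials to remote servers" policy, with type 1 meaning "Require Restricted Admin". It needs the GroupPolicy module and WinRM access to the target server.

```powershell
# Added example (not part of the original guidance): enable Restricted Admin on a target server
# and require it for outbound RDP through the "RestrictedAdmin Required - Computer" GPO (name assumed).
Import-Module GroupPolicy

function Enable-RestrictedAdminOnServer {
    # Until DisableRestrictedAdmin is 0, "mstsc /RestrictedAdmin" to this host is refused.
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = 'HKLM:\System\CurrentControlSet\Control\Lsa'
        Set-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord
        [pscustomobject]@{ Server = $env:COMPUTERNAME; DisableRestrictedAdmin = (Get-ItemProperty -Path $lsa).DisableRestrictedAdmin }
    }
}

function Set-RestrictedAdminRequiredGpo {
    # "Restrict delegation of credentials to remote servers" = Enabled, mode 1 = Require Restricted Admin
    param([string]$Gpo = 'RestrictedAdmin Required - Computer')
    $key = 'HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation'
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName 'RestrictedRemoteAdministration'     -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName 'RestrictedRemoteAdministrationType' -Type DWord -Value 1 | Out-Null
}

function Test-RestrictedAdminRequired {
    # On a Tier 1 / Tier 2 admin device after gpupdate: is outbound RDP forced into Restricted Admin mode?
    $p = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Required = ($p.RestrictedRemoteAdministration -eq 1 -and $p.RestrictedRemoteAdministrationType -eq 1) }
}

# Enable-RestrictedAdminOnServer -ComputerName 'app01.fabrikam.com'   # assumed host name
# Set-RestrictedAdminRequiredGpo
# Test-RestrictedAdminRequired
```

Two consequences to plan for. In a Restricted Admin session the admin's credentials never reach the target, so any onward connection from that server runs as the server's computer account rather than the admin; a "double hop" to a file share or another server will fail or authenticate as the machine. And because the server now accepts a network-style logon for RDP, the note above about internet-facing hosts applies: do not enable it where an attacker with a stolen NTLM hash could reach the RDP listener.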

  2. Move Tier 1 objects to the appropriate OUs.

    1. Move Tier 1 groups to the Admin\Tier 1\Groups OU. Locate all groups that grant the following administrative rights and move them to this OU:

      • Local administrator on more than one server

      • Administrative access to cloud services

      • Administrative access to enterprise applications

    2. Move Tier 1 accounts to the Admin\Tier 1\Accounts OU. Move each account that is a member of those Tier 1 groups (including nested membership) to this OU.

  3. Add the appropriate members to the relevant groups

    • Tier 1 Admins - This group will contain the Tier 1 admins that will be restricted from logging onto Tier 2 hosts. Add all of your Tier 1 administrative groups that have administrative privileges over servers or internet services.

      Note

      If administrative personnel have duties to manage assets at multiple tiers, you will need to create a separate admin account per tier.

  4. Enable Credential Guard to reduce the risk of credential theft and reuse. Credential Guard is a feature of Windows 10 that restricts application access to credentials, blocking credential theft attacks such as Pass-the-Hash. Credential Guard is completely transparent to the end user and requires minimal setup time and effort. For further information on Credential Guard, including deployment steps and hardware requirements, refer to the article Protect domain credentials with Credential Guard.

    Note

    Device Guard must be enabled in order to configure and use Credential Guard. However, you are not required to configure any other Device Guard protections in order to use Credential Guard.

  5. (Optional) Enable Connectivity to Cloud Services. This step allows management of cloud services like Azure and Office 365 with appropriate security assurances. This step is also required for Microsoft Intune to manage the PAWs.

    Note

    Skip this step if no cloud connectivity is required for administration of cloud services or management by Intune.

    These steps restrict communication over the internet to authorized cloud services only (not the open internet) and add protections to the browsers and other applications that will process content from the internet. These PAWs for administration should never be used for standard user tasks like internet communications and productivity.

    To enable connectivity from the PAW to cloud services, follow the steps below:

    1. Configure the PAW to allow only authorized Internet destinations. As you extend your PAW deployment to enable cloud administration, you need to allow access to authorized services while filtering out access to the open internet, where attacks can more easily be mounted against your admins.

      1. Create the Cloud Services Admins group and add to it all of the accounts that require access to cloud services on the internet.

      2. Download the PAW proxy.pac file from the TechNet Gallery and publish it on an internal website.

        Note

        You will need to update the proxy.pac file after downloading to ensure that it is up-to-date and complete.
        Microsoft publishes all current Office 365 and Azure URLs in the Office Support Center.

        You may need to add other valid Internet destinations to this list for other IaaS providers, but do not add productivity, entertainment, news, or search sites to this list.

        You may also need to adjust the PAC file to accommodate a valid proxy address to use for these addresses.

        Note

        You can also restrict access from the PAW using a web proxy as well, for defense in depth. We don't recommend using a web proxy by itself without the PAC file, as it will only restrict access for PAWs while they are connected to the corporate network.

        These instructions assume that you will be using Internet Explorer (or Microsoft Edge) for administration of Office 365, Azure, and other cloud services. Microsoft recommends configuring similar restrictions for any 3rd party browsers that you require for administration. Web browsers on PAWs should only be used for administration of cloud services, and never for general web browsing.

      3. Once you have configured the proxy.pac file, update the PAW Configuration - User GPO.

        1. Go to User Configuration\Preferences\Windows Settings\Registry. Right-click Registry, select New > Registry Item and configure the following settings:

          1. Action: Replace

          2. Hive: HKEY_CURRENT_USER

          3. Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

          4. Value name: AutoConfigUrl

            Note

            Do not select the Default box to the left of Value name.

          5. Value type: REG_SZ

          6. Value data: enter the complete URL to the proxy.pac file, including http:// and the file name - for example http://proxy.fabrikam.com/proxy.pac. The URL can also be a single-label URL - for example, http://proxy/proxy.pac. Treat the web server hosting this file as a Tier 0 asset: whoever can change the PAC file decides where PAW browser traffic may go.

            Note

            The PAC file can also be hosted on a file share, with the syntax file://server.fabrikam.com/share/proxy.pac, but this requires allowing the file:// protocol. See the "NOTE: File://-based Proxy Scripts Deprecated" section of the Understanding Web Proxy Configuration blog post for additional detail on configuring the required registry value.

          7. Click the Common tab and select Remove this item when it is no longer applied.

          8. On the Common tab select Item level targeting and click Targeting.

          9. Click New Item and select Security group.

          10. Select the "..." button and browse for the Cloud Services Admins group.

          11. Click New Item and select Security group.

          12. Select the "..." button and browse for the PAW Users group.

          13. Click on the PAW Users item and click Item Options.

          14. Select Is not.

          15. Click OK on the targeting window.

          16. Click OK to complete the AutoConfigUrl group policy setting.
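The PAC file is the control that decides which hosts a Cloud Services Admin's browser may reach. The script below is an added example, not the TechNet Gallery file and not part of the original guidance: it generates a PAC that routes an allow-list of hosts to the real proxy (or DIRECT) and sends every other host to the loopback "proxy" 127.0.0.1:80, where nothing listens, and mirrors the same decision in PowerShell so the list can be reviewed without a browser. The host patterns are illustrative assumptions and must be replaced with the current Office 365 and Azure URL list plus any other IaaS endpoints you administer; the publishing path is also assumed.

```powershell
# Added example (not part of the original guidance): generate a default-deny proxy.pac for
# PAWs and review its decisions. Host patterns and the publishing path are assumptions.
$AllowedHosts = @(
    '*.microsoftonline.com', '*.office.com', '*.office365.com',
    'portal.azure.com', '*.windows.net', 'login.live.com'
)

function Test-PawPacDecision {
    # Mirrors the PAC logic (shExpMatch is a glob on the host name) so the allow-list can be
    # reviewed in a script before the PAC is published.
    param(
        [string]$HostName,
        [string[]]$Allowed = $AllowedHosts,
        [string]$Proxy = 'DIRECT'            # or 'PROXY proxy.fabrikam.com:8080' (assumed)
    )
    foreach ($pattern in $Allowed) {
        if ($HostName -like $pattern) { return $Proxy }
    }
    return 'PROXY 127.0.0.1:80'              # default deny: loopback, nothing answers there
}

function New-PawProxyPac {
    param([string[]]$Allowed = $AllowedHosts, [string]$Proxy = 'DIRECT')
    $conditions = ($Allowed | ForEach-Object { "shExpMatch(host, `"$_`")" }) -join " ||`r`n        "
@"
function FindProxyForURL(url, host) {
    // Allow-listed cloud administration endpoints only
    if ($conditions) {
        return "$Proxy";
    }
    // Everything else: loopback proxy that nothing listens on, so the request fails
    return "PROXY 127.0.0.1:80";
}
"@
}

# Review decisions before publishing:
# 'portal.azure.com', 'www.example.com' | ForEach-Object { "$_ -> $(Test-PawPacDecision -HostName $_)" }
# Publish on the internal web server named in the AutoConfigUrl value (path assumed):
# New-PawProxyPac | Set-Content -Path '\\proxy.fabrikam.com\wwwroot\proxy.pac' -Encoding ascii
```

Keep the allow-list to hostnames you administer through; a wildcard such as *.windows.net is broad, and any pattern that matches attacker-controllable hosts (content delivery or storage domains where anyone can create a name) turns the allow-list into a hole. Re-run the decision check whenever the published URL list changes, and diff the generated file against what is actually served, since the PAC server is the single point that redirects every PAW browser.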

    2. Apply Windows 10 Security baselines and Cloud Service Access. Link the security baselines for Windows and for cloud service access (if required) to the correct OUs using the steps below:

      1. Extract the contents of the Windows 10 Security Baselines ZIP file.

      2. Create these GPOs, import the policy settings, and link per this table. Link each policy to each location and ensure the order follows the table (lower entries in the table should be applied later and have higher priority):

        Policies:

        Policy | Link location
        --- | ---
        SCM Windows 10 - Domain Security | N/A - Do Not Link Now
        SCM Windows 10 TH2 - Computer | Admin\Tier 0\Devices; Admin\Tier 1\Devices; Admin\Tier 2\Devices
        SCM Windows 10 TH2 - BitLocker | Admin\Tier 0\Devices; Admin\Tier 1\Devices; Admin\Tier 2\Devices
        SCM Windows 10 - Credential Guard | Admin\Tier 0\Devices; Admin\Tier 1\Devices; Admin\Tier 2\Devices
        SCM Internet Explorer - Computer | Admin\Tier 0\Devices; Admin\Tier 1\Devices; Admin\Tier 2\Devices
        PAW Configuration - Computer | Admin\Tier 0\Devices (Existing); Admin\Tier 1\Devices (New Link); Admin\Tier 2\Devices (New Link)
        RestrictedAdmin Required - Computer | Admin\Tier 0\Devices; Admin\Tier 1\Devices; Admin\Tier 2\Devices
        SCM Windows 10 - User | Admin\Tier 0\Devices; Admin\Tier 1\Devices; Admin\Tier 2\Devices
        SCM Internet Explorer - User | Admin\Tier 0\Devices; Admin\Tier 1\Devices; Admin\Tier 2\Devices
        PAW Configuration - User | Admin\Tier 0\Devices (Existing); Admin\Tier 1\Devices (New Link); Admin\Tier 2\Devices (New Link)

        Note

        The "SCM Windows 10 - Domain Security" GPO may be linked to the domain independently of PAW, but will affect the entire domain.
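The import-and-link procedure in the table above, scripted with the GroupPolicy module. This is an added example rather than code from the PAW guidance or the Security Compliance Manager download; it assumes the Admin\Tier N\Devices OU structure and the Phase 1 GPOs ("PAW Configuration - *" and "RestrictedAdmin Required - Computer") already exist, that the baseline ZIP was extracted to a folder of GPO backups whose backup names match the table, and it uses contoso.com as a placeholder domain.

```powershell
# Added example (not from the PAW guidance itself): import the SCM baseline GPOs and
# link every policy in the table to the three Tier "Devices" OUs in table order.
# Assumptions: the Admin\Tier N\Devices OUs and the Phase 1 GPOs already exist,
# the baseline ZIP was extracted to $BaselinePath, and contoso.com is a placeholder.
Import-Module GroupPolicy

$BaselinePath = 'C:\PAW\Baselines'    # folder holding the GPO backups from the ZIP (assumed)
$DomainDN     = 'DC=contoso,DC=com'    # placeholder domain
$TierOUs      = 0..2 | ForEach-Object { "OU=Devices,OU=Tier $_,OU=Admin,$DomainDN" }

# Table order. "SCM Windows 10 - Domain Security" is deliberately absent: the note
# above says not to link it now.
$Policies = @(
    'SCM Windows 10 TH2 - Computer',
    'SCM Windows 10 TH2 - BitLocker',
    'SCM Windows 10 - Credential Guard',
    'SCM Internet Explorer - Computer',
    'PAW Configuration - Computer',
    'RestrictedAdmin Required - Computer',
    'SCM Windows 10 - User',
    'SCM Internet Explorer - User',
    'PAW Configuration - User'
)

# Import the SCM baselines from their GPO backups; the PAW and RestrictedAdmin GPOs
# were created in Phase 1, so their absence is reported rather than silently fixed.
foreach ($Name in $Policies) {
    if (Get-GPO -Name $Name -ErrorAction SilentlyContinue) { continue }
    if ($Name -like 'SCM *') {
        Import-GPO -BackupGpoName $Name -Path $BaselinePath -TargetName $Name -CreateIfNeeded | Out-Null
    } else {
        throw "GPO '$Name' should already exist from Phase 1; create it before linking."
    }
}

# Link order 1 is the highest precedence (processed last, so its settings win).
# Inserting each policy at order 1 in table order therefore leaves the last table
# entry at order 1 and the first at order 9, exactly the precedence the table asks for.
foreach ($OU in $TierOUs) {
    $Linked = (Get-GPInheritance -Target $OU).GpoLinks | ForEach-Object DisplayName
    foreach ($Name in $Policies) {
        if ($Linked -contains $Name) {
            # Existing link (e.g. PAW Configuration on Tier 0 from Phase 1): re-order only
            Set-GPLink -Name $Name -Target $OU -Order 1 -LinkEnabled Yes | Out-Null
        } else {
            New-GPLink -Name $Name -Target $OU -Order 1 -LinkEnabled Yes | Out-Null
        }
    }
}

# Verify: precedence should read top-to-bottom as the reverse of the table.
foreach ($OU in $TierOUs) {
    Write-Host "== $OU"
    (Get-GPInheritance -Target $OU).GpoLinks |
        Sort-Object Order | Format-Table Order, DisplayName, Enabled -AutoSize
}
```

Run this from a PAW with the Group Policy management tools installed, using a Tier 0 account, and check the verification output before the next Group Policy refresh: a link order that does not match the table quietly changes which baseline setting wins on every PAW.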

  6. (Optional) Install additional required tools for Tier 1 Admins. Install any other tools or scripts required to perform job duties. Ensure that you evaluate the risk of credential exposure on the target computers with any tool before adding it to a PAW. For more information on evaluating administrative tools and connection methods for credential exposure risk, visit this page. Ensure that you obtain all installation media using the guidance in Clean Source for installation media.

  7. Identify and safely obtain software and applications required for administration. This is similar to the work performed in Phase 1, but with a broader scope due to the increased number of applications, services, and systems being secured.

    Note

    Ensure that you protect these new applications (including web browsers) by opting them into the protections provided by EMET.

    Examples of additional software and applications include:

    • Microsoft Azure PowerShell

    • Office 365 PowerShell (also known as Microsoft Online Services Module)

    • Application or service management software based on the Microsoft Management Console

    • Proprietary (non-MMC-based) application or service management software

      Note

      Many applications are now exclusively managed via web browsers, including many cloud services. While this reduces the number of applications which need to be installed on a PAW, it also introduces the risk of browser interoperability issues. You may need to deploy a non-Microsoft web browser onto specific PAW instances to enable administration of specific services. If you do deploy an additional web browser, ensure that you follow all clean source principles and secure the browser according to the vendor's security guidance.

  8. (Optional) Download and install any required management agents.

    Note

    If you choose to install additional management agents (monitoring, security, configuration management, etc.), it is vital that you ensure the management systems are trusted at the same level as domain controllers and identity systems. See Managing and Updating PAWs for additional guidance.

  9. Assess your infrastructure to identify systems which require the additional security protections provided by a PAW. Ensure that you know exactly which systems must be protected. Ask critical questions about the resources themselves, such as:

    • Where are the target systems which must be managed? Are they collected in a single physical location, or connected to a single well-defined subnet?

    • How many systems are there?

    • Do these systems depend on other systems (virtualization, storage, etc.), and if so, how are those systems managed? How are the critical systems exposed to these dependencies, and what are the additional risks associated with those dependencies?

    • How critical are the services being managed, and what is the expected loss if those services are compromised?

      Note

      Include your cloud services in this assessment: attackers increasingly target insecure cloud deployments, and it is vital that you administer those services as securely as you would your on-premises mission-critical applications.

      Use this assessment to identify the specific systems which require additional protection, and then extend your PAW program to the administrators of those systems. Common examples of systems which benefit greatly from PAW-based administration include SQL Server (both on-premises and SQL Azure), human resources applications, and financial software.

      Note

      If a resource is managed from a Windows system, it can be managed with a PAW, even if the application itself runs on an operating system other than Windows or on a non-Microsoft cloud platform. For example, the owner of an Amazon Web Services subscription should only use a PAW to administer that account.

  10. Develop a request and distribution method for deploying PAWs at scale in your organization. Depending on the number of PAWs you choose to deploy in Phase 2, you may need to automate the process.

    • Consider developing a formal request and approval process for administrators to use to obtain a PAW. This process would help standardize the deployment process, ensure accountability for PAW devices, and help identify gaps in PAW deployment.

    • As stated previously, this deployment solution should be separate from existing automation methods (which may have already been compromised) and should follow the principles outlined in Phase 1.

      Note

      Any system which manages resources should itself be managed at the same or a higher trust level.

  11. Review and, if necessary, deploy additional PAW hardware profiles. The hardware profile you chose for the Phase 1 deployment may not be suitable for all administrators. Review the hardware profiles and, if appropriate, select additional PAW hardware profiles to match the needs of the administrators. For example, the Dedicated Hardware profile (separate PAW and daily use workstations) may be unsuitable for an administrator who travels often; in this case, you might choose to deploy the Simultaneous Use profile (PAW with user VM) for that administrator.

  12. Consider the cultural, operational, communications, and training needs which accompany an extended PAW deployment. Such a significant change to an administrative model will naturally require change management to some degree, and it is essential to build that into the deployment project itself. Consider at a minimum the following:

    • How will you communicate the changes to senior leadership to ensure their support? Any project without senior leadership backing is likely to fail, or at the very least struggle for funding and broad acceptance.

    • How will you document the new process for administrators? These changes must be documented and communicated not only to existing administrators (who must change their habits and manage resources in a different way), but also to new administrators (those promoted from within or hired from outside the organization). It is essential that the documentation is clear and fully articulates the importance of the threats, PAW's role in protecting the admins, and how to use PAW correctly.

      Note

      This is especially important for roles with high turnover, including but not limited to help desk personnel.

    • How will you ensure compliance with the new process? While the PAW model includes a number of technical controls to prevent the exposure of privileged credentials, it is impossible to fully prevent all possible exposure purely using technical controls. For example, although it is possible to prevent an administrator from successfully logging onto a user desktop with privileged credentials, the simple act of attempting the logon can expose the credentials to malware installed on that user desktop. It is therefore essential that you articulate not only the benefits of the PAW model, but also the risks of non-compliance. This should be complemented by auditing and alerting so that credential exposure can be quickly detected and addressed.

Phase 3: Extend and Enhance Protection

Scope: These protections enhance the systems built in Phase 1, bolstering the basic protection with advanced features including multi-factor authentication and network access rules.

Note

This phase can be performed at any time after Phase 1 has been completed. It is not dependent on completion of Phase 2, and thus can be performed before, concurrently with, or after Phase 2.

Follow the steps below to configure this phase:

  1. Enable multi-factor authentication for privileged accounts. Multi-factor authentication strengthens account security by requiring the user to provide a physical token in addition to credentials. Multi-factor authentication complements authentication policies extremely well, but it does not depend on authentication policies for deployment (and, similarly, authentication policies do not require multi-factor authentication). Microsoft recommends using one of these forms of multi-factor authentication:

    • Smart card: A smart card is a tamper-resistant and portable physical device which provides a second verification during the Windows logon process. By requiring an individual to possess a card for logon, you can reduce the risk of stolen credentials being reused remotely. For details on smart card logon in Windows, please refer to the article Smart Card Overview.

    • Virtual smart card: A virtual smart card provides the same security benefits as physical smart cards, with the added benefit of being linked to specific hardware. For details on deployment and hardware requirements, please refer to the articles Virtual Smart Card Overview and Get Started with Virtual Smart Cards: Walkthrough Guide.

    • Microsoft Passport: Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (Azure AD) account, or a non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. Microsoft Passport credentials are an asymmetric key pair, which can be generated within the isolated environment of a Trusted Platform Module (TPM). For more information on Microsoft Passport, read the Microsoft Passport overview article.

    • Azure multi-factor authentication: Azure multi-factor authentication (MFA) provides the security of a second verification factor as well as enhanced protection through monitoring and machine-learning-based analysis. Azure MFA can secure not only Azure administrators but many other solutions as well, including web applications, Azure Active Directory, and on-premises solutions like remote access and Remote Desktop. For more information on Azure multi-factor authentication, please refer to the article Multi-Factor Authentication.

  2. Whitelist trusted applications using Device Guard and/or AppLocker. By limiting the ability of untrusted or unsigned code to run on a PAW, you further reduce the likelihood of malicious activity and compromise. Windows includes two primary options for application control:

    • AppLocker: AppLocker helps administrators control which applications can run on a given system. AppLocker can be centrally controlled through group policy, and applied to specific users or groups (for targeted application to users of PAWs). For more information on AppLocker, please refer to the TechNet article AppLocker Overview.

    • Device Guard: the new Device Guard feature provides enhanced hardware-based application control which, unlike AppLocker, cannot be overridden on the impacted device. Like AppLocker, Device Guard can be controlled via group policy and targeted to specific users. For more information on restricting application usage with Device Guard, please refer to the TechNet article Device Guard Deployment Guide.
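One way to build the AppLocker allow-list for a PAW and deliver it through Group Policy, as an added example that is not code from the PAW guidance: it inventories a clean reference build, prefers publisher rules, starts in audit mode, and merges the result into the "PAW Configuration - Computer" GPO from the Phase 2 table. The domain contoso.com, the output path and the GPO's existence are assumptions.

```powershell
# Added example, not from the PAW guidance: generate an AppLocker allow-list from a
# reference PAW build and place it in the "PAW Configuration - Computer" GPO in
# audit-only mode. Assumptions: contoso.com is a placeholder domain, the GPO exists
# (created in Phase 1), and this runs on a PAW with the RSAT Group Policy tools.
Import-Module AppLocker
Import-Module GroupPolicy

$DomainName = 'contoso.com'                 # placeholder
$GpoName    = 'PAW Configuration - Computer'
$PolicyXml  = 'C:\PAW\applocker-paw.xml'    # assumed output path

# 1. Inventory what is installed on the clean reference build. DLL rules are omitted
#    here because they need separate enforcement and a much larger rule set.
$Files = foreach ($Dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $Dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Prefer publisher rules (they survive patching); unsigned files fall back to hash
#    rules, which must be regenerated whenever such a file is updated. -Optimize
#    collapses rules for the same publisher/product into one.
New-AppLockerPolicy -FileInformation $Files -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'PAW' -Optimize -Xml | Out-File -FilePath $PolicyXml -Encoding UTF8

# 3. Start in AuditOnly: the "AppLocker/EXE and DLL", "MSI and Script" channels then
#    record what would have been blocked without breaking an administrator's workflow.
$Xml = [xml](Get-Content -Path $PolicyXml)
foreach ($Collection in $Xml.AppLockerPolicy.RuleCollection) {
    $Collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$Xml.Save($PolicyXml)

# 4. Dry-run the policy against a file from the reference build (expected: Allowed).
#    Anything that later reports Denied in the audit log is either a missing tool that
#    belongs on the PAW, or something that should never have run there.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path 'C:\Windows\System32\notepad.exe' -User Everyone

# 5. Merge (not replace) the policy into the PAW GPO so existing rules survive.
$Gpo = Get-GPO -Name $GpoName
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap "LDAP://$DomainName/$($Gpo.Path)" -Merge

# AppLocker only enforces while the Application Identity service (AppIDSvc) runs; the
# same GPO should set that service to Automatic before switching to Enabled mode.
```

Switch the rule collections from AuditOnly to Enabled only after a few weeks of clean audit events, and regenerate the policy from the reference build after every tool update so that hash rules for unsigned files do not silently start blocking a patched administration tool.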

  3. Use Protected Users, Authentication Policies, and Authentication Silos to further protect privileged accounts. The members of Protected Users are subject to additional security policies which protect the credentials stored in the Local Security Authority (LSA) and greatly minimize the risk of credential theft and reuse. Authentication policies and silos control how privileged users can access resources in the domain. Collectively, these protections dramatically strengthen the account security of these privileged users. For additional details on these features, please refer to the web article How to Configure Protected Accounts.

    Note

    These protections are meant to complement, not replace, existing security measures in Phase 1. Administrators should still use separate accounts for administration and general use.
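Steps 1 and 3 applied to a single Tier 0 administrator account, as an added example (not code from the PAW guidance): the smart card requirement, Protected Users membership, and an authentication policy plus silo that ties the account to its PAW. The account and computer names, silo and policy names, and the domain prerequisites named in the comments are assumptions.

```powershell
# Added example, not from the PAW guidance: apply the Phase 3 account protections
# (smart card requirement from step 1, Protected Users plus an authentication policy
# and silo from step 3) to one Tier 0 administrator. Assumptions: domain functional
# level is Windows Server 2012 R2 or later, the DCs have "KDC support for claims,
# compound authentication and Kerberos armoring" enabled, and the names t0-admin,
# PAW-T0-01, Tier0-Silo and Tier0-AuthPolicy are placeholders.
Import-Module ActiveDirectory

$AdminUser   = 't0-admin'
$PawComputer = 'PAW-T0-01'        # computer account of the Tier 0 PAW
$SiloName    = 'Tier0-Silo'
$PolicyName  = 'Tier0-AuthPolicy'

# Step 1: interactive logon requires the smart card; AD randomizes the password hash
# so a password-only logon path no longer exists for this account.
Set-ADUser -Identity $AdminUser -SmartcardLogonRequired $true

# Step 3a: Protected Users removes NTLM, DES/RC4 Kerberos keys, delegation and
# long-lived cached credentials for the member, which is what limits reuse after theft.
Add-ADGroupMember -Identity 'Protected Users' -Members $AdminUser

# Step 3b: the policy restricts where the user's TGT may be issued from. The SDDL
# condition says "the requesting device must belong to the same silo", so a TGT
# request made from an ordinary user desktop is refused by the KDC.
$OnlyFromSilo = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'
New-ADAuthenticationPolicy -Name $PolicyName -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $OnlyFromSilo -ProtectedFromAccidentalDeletion $true

# Step 3c: the silo groups the admin account and its PAW under that policy. The PAW's
# computer account must be in the silo too, otherwise the condition above can never hold.
New-ADAuthenticationPolicySilo -Name $SiloName -UserAuthenticationPolicy $PolicyName `
    -ComputerAuthenticationPolicy $PolicyName -ServiceAuthenticationPolicy $PolicyName `
    -ProtectedFromAccidentalDeletion $true

$User = Get-ADUser -Identity $AdminUser
$Paw  = Get-ADComputer -Identity $PawComputer
foreach ($Account in $User, $Paw) {
    # An account must first be permitted to join the silo, then assigned to it.
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $Account
    Set-ADAccountAuthenticationPolicySilo -Identity $Account -AuthenticationPolicySilo $SiloName
}

# Verify the assignment and the Protected Users membership.
Get-ADAccountAuthenticationPolicySilo -Identity $User
Get-ADUser -Identity $AdminUser -Properties SmartcardLogonRequired, MemberOf |
    Select-Object SamAccountName, SmartcardLogonRequired, MemberOf
```

Neither the policy nor the silo is created with -Enforce, so at first the domain controllers only audit the authentication attempts the policy would have refused; review those Kerberos authentication policy audit events on the DCs, then re-run New-ADAuthenticationPolicy and New-ADAuthenticationPolicySilo's Set- counterparts with -Enforce $true once nothing legitimate appears in them. The account keeps working from its PAW throughout because the PAW is in the silo.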

Managing and Updating PAWs

PAWs must have anti-malware capabilities, and software updates must be rapidly applied to maintain the integrity of these workstations.

Additional configuration management, operational monitoring, and security management can also be used with PAWs, but the integration of these must be considered carefully because each management capability also introduces a risk of PAW compromise through that tool. Whether it makes sense to introduce advanced management capabilities depends on a number of factors including:

  • The security state and practices of the management capability (including software update practices for the tool, administrative roles and accounts in those roles, operating systems the tool is hosted on or managed from, and any other hardware or software dependencies of that tool)

  • The frequency and quantity of software deployments and updates on your PAWs

  • Requirements for detailed inventory and configuration information

  • Security monitoring requirements

  • Organizational standards and other organization-specific factors

Per the clean source principle, all tools used to manage or monitor the PAWs must be trusted at or above the level of the PAWs. This typically requires those tools to be managed from a PAW to ensure there is no security dependency on lower-privilege workstations.

The list below outlines the different approaches that may be used to manage and monitor the PAWs, with the considerations for each:

Approach: Default in PAW

  • Windows Server Update Services
  • Windows Defender
  • No additional cost
  • Performs basic required security functions
  • Instructions included in this guidance

Approach: Manage with Intune

  • Provides cloud-based visibility and control:
    • Software deployment
    • Software update management
    • Windows Firewall policy management
    • Anti-malware protection
    • Remote assistance
    • Software license management
  • No server infrastructure required
  • Requires following the "Enable Connectivity to Cloud Services" steps in Phase 2
  • If the PAW computer is not joined to a domain, this requires applying the SCM baselines to the local images using the tools provided in the security baseline download.

Approach: New System Center instance(s) for managing PAWs

  • Provides visibility and control of configuration, software deployment, and security updates
  • Requires separate server infrastructure, securing it to the level of the PAWs, and staffing skills for those highly privileged personnel

Approach: Manage PAWs with existing management tool(s)

  • Creates significant risk of compromise of the PAWs unless the existing management infrastructure is brought up to the security level of the PAWs. Note: Microsoft would generally discourage this approach unless your organization has a specific reason to use it. In our experience, there is typically a very high cost to bringing all of these tools (and their security dependencies) up to the security level of the PAWs.
  • Most of these tools provide visibility and control of configuration, software deployment, and security updates

Approach: Security scanning or monitoring tools requiring admin access

  Includes any tool that installs an agent or requires an account with local administrative access.

  • Requires bringing the tool's security assurance up to the level of the PAWs.
  • May require lowering the security posture of the PAWs to support tool functionality (open ports, install Java or other middleware, etc.), creating a security trade-off decision.

Approach: Security information and event management (SIEM)

  • If the SIEM is agentless:
    • Can access events on PAWs without administrative access by using an account in the Event Log Readers group
    • Will require opening up network ports to allow inbound traffic from the SIEM servers
  • If the SIEM requires an agent, see the row above, "Security scanning or monitoring tools requiring admin access".

Approach: Windows Event Forwarding

  • Provides an agentless method of forwarding security events from the PAWs to an external collector or SIEM
  • Can access events on PAWs without administrative access
  • Does not require opening up network ports to allow inbound traffic from the SIEM servers
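The Windows Event Forwarding approach from the last entry above, as an added example that is not code from the PAW guidance: a source-initiated subscription on the collector and the matching client-side settings on a PAW. The collector name WEC01.contoso.com, the subscription name, the chosen event IDs and the temporary file path are assumptions; in production the PAW-side settings are delivered by the PAW GPO rather than typed on each workstation.

```powershell
# Added example, not from the PAW guidance: the agentless Windows Event Forwarding row
# from the list above, as a source-initiated subscription. WEC01.contoso.com is a
# placeholder collector; the first half runs on the collector, the second on each PAW
# (normally delivered through the "PAW Configuration - Computer" GPO rather than by hand).
$Collector = 'WEC01.contoso.com'

# ---- Collector side ---------------------------------------------------------------
wecutil qc /q        # enable the Windows Event Collector service and its WinRM listener

# Subscription: PAWs push logon-related Security events. 4624/4625 = logon success and
# failure, 4648 = logon with explicitly supplied credentials, 4672 = special privileges
# assigned, i.e. an administrative token was issued on the PAW.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>PAW-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon and privilege-use events from Privileged Access Workstations</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
# The SDDL above admits any Domain Computers member; tighten it to the Tier PAW
# computer groups' SIDs so that only PAWs can write into this subscription's log.
$SubscriptionPath = Join-Path $env:TEMP 'paw-security.xml'
Set-Content -Path $SubscriptionPath -Value $SubscriptionXml -Encoding UTF8
wecutil cs $SubscriptionPath        # create the subscription
wecutil gr PAW-Security             # runtime status: lists every PAW that has checked in

# ---- PAW side ---------------------------------------------------------------------
# The forwarder lives inside the WinRM service. The PAW connects outbound to the
# collector, so no inbound listener or firewall rule is needed on the PAW itself.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Same setting as the GPO "Configure target Subscription Manager" (Computer
# Configuration\Administrative Templates\Windows Components\Event Forwarding).
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name '1' `
    -Value "Server=http://$($Collector):5985/wsman/SubscriptionManager/WEC,Refresh=60"

# WinRM runs as NETWORK SERVICE, which cannot read the Security log by default. Event
# Log Readers grants read-only access, so no administrative account is involved: this
# is what "without administrative access" in the list above relies on.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
Restart-Service -Name WinRM
```

Once events arrive in the collector's ForwardedEvents log, the SIEM reads them there instead of from each PAW, which is why this approach needs neither an agent nor an inbound port on the workstations. Pair it with the auditing and alerting called for in Phase 2, step 12: an event 4648 or 4624 for a Tier 0 account on any computer that is not in the Tier 0 Devices OU is the credential exposure that policy alone cannot prevent.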

Operating PAWs

The PAW solution should be operated using the standards in Operational Standards based on Clean Source Principle.

Engaging Microsoft Cybersecurity Services

Taste of Premier: How to Mitigate Pass-the-Hash and Other Forms of Credential Theft

Microsoft Advanced Threat Analytics

Protect derived domain credentials with Credential Guard

Device Guard Overview

Protecting high-value assets with secure admin workstations

Isolated User Mode in Windows 10 with Dave Probert (Channel 9)

Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)

More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)

Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)

Enabling Strict KDC Validation in Windows Kerberos

What's New in Kerberos Authentication for Windows Server 2012

Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide

Trusted Platform Module