Securing Privileged Access

Applies To: Windows Server 2016

Securing privileged access is a critical first step to establishing security assurances for business assets in a modern organization. The security of most or all business assets in an organization depends on the integrity of the privileged accounts that administer and manage IT systems. Cyber-attackers are targeting these accounts and other elements of privileged access to rapidly gain access to targeted data and systems using credential theft attacks like Pass-the-Hash and Pass-the-Ticket.

Protecting administrative access against determined adversaries requires you to take a complete and thoughtful approach to isolate these systems from risks. This figure depicts the three stages of recommendations for separating and protecting administration in this roadmap:


Roadmap Objectives:

  • 2-4 week plan: quickly mitigate the most frequently used attack techniques

  • 1-3 month plan: build visibility and control of admin activity

  • 6+ month plan: continue building defenses to a more proactive security posture

Microsoft recommends you follow this roadmap to secure privileged access against determined adversaries. You may adjust this roadmap to accommodate your existing capabilities and the specific requirements of your organization.


Securing privileged access requires a broad range of elements including technical components (host defenses, account protections, identity management, etc.) as well as changes to process, administrative practices, and knowledge.

Why is Securing Privileged Access important?

In most organizations, the security of most or all business assets depends on the integrity of the privileged accounts that administer and manage IT systems. Cyber-attackers are focusing on privileged access to systems like Active Directory to rapidly gain access to all of an organization's targeted data.

Traditional security approaches have focused on using the ingress and egress points of an organization's network as the primary security perimeter, but the effectiveness of network security has been significantly diminished by two trends:

  • Organizations are hosting data and resources outside the traditional network boundary on mobile enterprise PCs, devices like mobile phones and tablets, cloud services, and BYOD devices

  • Adversaries have demonstrated a consistent and ongoing ability to obtain access on workstations inside the network boundary through phishing and other web and email attacks.

The natural replacement for the network security perimeter in a complex modern enterprise is the authentication and authorization controls in an organization's identity layer. Privileged administrative accounts are effectively in control of this new "security perimeter", so it's critical to protect privileged access:


An adversary that gains control of an administrative account can use those privileges to pursue their gain at the expense of the target organization as depicted below:


For more information on the types of attacks that commonly lead to attackers in control of administrative accounts, please visit the Pass The Hash web site for informative white papers, videos and more.

This figure depicts the separate "channel" for administration that the roadmap establishes to isolate privileged access tasks from high risk standard user tasks like web browsing and accessing email.

Figure: the separate administration "channel" the roadmap establishes to isolate privileged access tasks from high risk standard user tasks like web browsing and accessing email

Because the adversary can gain control of privileged access using a variety of methods, mitigating this risk requires a holistic and detailed technical approach as outlined in this roadmap. The roadmap will isolate and harden the elements in your environment that enable privileged access by building mitigations in each area of the defense column in this figure:


Security privileged access roadmap

The roadmap is designed to maximize the use of technologies that you may already have deployed, take advantage of key current and upcoming security technologies, and integrate any 3rd party security tools you may already have deployed.

The roadmap of Microsoft recommendations is broken into 3 stages:

  • 2-4 week plan - Quickly mitigate the most frequently used attack techniques

  • 1-3 month plan - Build visibility and control of admin activity

  • 6+ month plan - Continue building defenses to a more proactive security posture

Each stage of the roadmap is designed to raise the cost and difficulty for adversaries to attack privileged access for your on-premises and cloud assets. The roadmap is prioritized to schedule the most effective and the quickest implementations first, based on our experiences with these attacks and solution implementation.


The timelines for the roadmap are approximate and are based on our experience with customer implementations. The duration will vary in your organization depending on the complexity of your environment and your change management processes.

Security Privileged Access Roadmap: Stage 1

Stage 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse. Stage 1 is designed to be implemented in approximately 2-4 weeks and is depicted in this diagram:

Figure: Stage 1, designed to be implemented in approximately 2-4 weeks

Stage 1 of the Security Privileged Access roadmap includes these components:

1. Separate Admin account for admin tasks

To help separate internet risks (phishing attacks, web browsing) from administrative privileges, create a dedicated account for all personnel with administrative privileges. Additional guidance on this is included in the PAW instructions published here.

2. Privileged Access Workstations (PAWs) Phase 1: Active Directory admins

To help separate internet risks (phishing attacks, web browsing) from domain administrative privileges, create dedicated privileged access workstations (PAWs) for personnel with AD administrative privileges. This is the first step of a PAW program and is Phase 1 of the guidance published here.

3. Unique Local Admin Passwords for Workstations

4. Unique Local Admin Passwords for Servers

To mitigate the risk of an adversary stealing a local administrator account password hash from the local SAM database and abusing it to attack other computers, you should use the LAPS tool to configure unique random passwords on each workstation and server and register those passwords in Active Directory. You can obtain the Local Administrator Password Solution for use on workstations and servers here.

Additional guidance for operating an environment with LAPS and PAWs can be found here.
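The LAPS delegation that steps 3 and 4 describe, as an added example that is not part of the original guidance; it uses the legacy AdmPwd.PS module that ships with the Local Administrator Password Solution, and the OU path, group name and computer name are assumptions.

```powershell
# Added example (not from the original page). Assumed names: the OU
# "OU=Workstations,DC=corp,DC=example", the group "CORP\Helpdesk-LAPS-Readers"
# and the computer "WS-0001". Run from an elevated PowerShell as a domain admin.
Import-Module AdmPwd.PS

# One-time: extend the AD schema with ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime (requires Schema Admins membership).
Update-AdmPwdADSchema

$ou = 'OU=Workstations,DC=corp,DC=example'

# Allow each computer in the OU to write its own password and expiration
# time (grants SELF write access to the two attributes only).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Before delegating read access, list who already holds "All extended rights"
# on the OU: such principals can read the clear-text password without an
# explicit LAPS grant, so remove unintended entries first.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN, ExtendedRightHolders

# Delegate read and reset permission to the intended group only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CORP\Helpdesk-LAPS-Readers'
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\Helpdesk-LAPS-Readers'

# The LAPS client-side extension must be installed on the machines and the
# "Enable local admin password management" policy turned on via GPO; after
# the next policy refresh the password can be retrieved from AD.
Get-AdmPwdPassword -ComputerName 'WS-0001' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Once the retrieved password has been used, expire it so the client
# rotates it at the next policy refresh.
Reset-AdmPwdPassword -ComputerName 'WS-0001' -WhenEffective (Get-Date)
```

Enable auditing of reads on the ms-Mcs-AdmPwd attribute (Directory Service Access auditing) so every password retrieval leaves an event on the domain controllers.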

Security Privileged Access Roadmap: Stage 2

Stage 2 builds on the mitigations from Stage 1 and is designed to be implemented in approximately 1-3 months. The steps of this stage are depicted in this diagram:

Figure: the steps of Stage 2

1. PAW Phases 2 and 3: all admins and additional hardening

To separate internet risks from all privileged administrative accounts, continue with the PAW you started in stage 1 and implement dedicated workstations for all personnel with privileged access. This maps to Phases 2 and 3 of the guidance published here.

2. Time-bound privileges (no permanent administrators)

To lower the exposure time of privileges and increase visibility into their use, provide privileges just in time (JIT) using an appropriate solution such as the ones below:

3. Multi-factor for time-bound elevation

To increase the assurance level of administrator authentication, you should require multi-factor authentication before granting privileges. This can be accomplished with MIM PAM and Azure AD PIM using Azure Multi-factor authentication (MFA).

4. Just Enough Admin (JEA) for DC Maintenance

To reduce the quantity of accounts with domain administration privileges and the associated risk exposure, use the Just Enough Administration (JEA) feature in PowerShell to perform common maintenance operations on domain controllers. The JEA technology allows specific users to perform specific administrative tasks on servers (like Domain Controllers) without giving them administrator rights. Download this guidance from TechNet.
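A JEA endpoint for the DC maintenance scenario in step 4, as an added example that is not code from the original guidance; the group name CORP\DC-Maintenance, the endpoint name DCMaintenance and the allowed command set are assumptions.

```powershell
# Added example (not from the original page). Assumed names: the AD group
# "CORP\DC-Maintenance" and the endpoint "DCMaintenance". Run elevated on the DC.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DCMaintenance'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
# A module manifest makes the RoleCapabilities folder discoverable by JEA.
New-ModuleManifest -Path (Join-Path $moduleRoot 'DCMaintenance.psd1')

# Role capability: the allow-list of what a maintainer may run. Restart-Service
# is limited by ValidatePattern to three named services, so the role cannot
# restart arbitrary services; Get-WinEvent exposes only two parameters.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'DCMaintenance.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidatePattern = '^(DNS|Netlogon|W32Time)$' } },
        @{ Name = 'Get-WinEvent'
           Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } },
        'Get-ADReplicationFailure',
        'Get-ADReplicationPartnerMetadata'
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\repadmin.exe'

# Session configuration: no-language restricted endpoint, runs as a transient
# virtual account, and transcribes every session for review.
# Caveat: on a domain controller the virtual account runs with Domain Admin
# rights, so the command allow-list above is the real security boundary; keep
# the .psrc and module folder writable by administrators only.
$pssc = Join-Path $env:TEMP 'DCMaintenance.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'CORP\DC-Maintenance' = @{ RoleCapabilities = 'DCMaintenance' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw 'Session configuration file failed validation'
}
Register-PSSessionConfiguration -Name 'DCMaintenance' -Path $pssc -Force | Out-Null

# A member of CORP\DC-Maintenance (with no admin rights of their own) connects
# to the endpoint; Get-Command inside the session shows only the allow-listed
# commands plus the few built-ins JEA always exposes:
#   Enter-PSSession -ComputerName DC01 -ConfigurationName DCMaintenance
```

Verify the boundary from a test account that is not a local or domain administrator: commands outside the allow-list must fail with a "not recognized" error rather than run.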

5. Lower attack surface of Domain and DCs

To reduce opportunities for adversaries to take control of a forest, you should reduce the pathways an attacker can take to gain control of Domain Controllers or objects in control of the domain. Follow the guidance to reduce this risk published here.

6. Attack Detection

To get visibility into active credential theft and identity attacks so that you can respond quickly to events and contain damage, deploy and configure Microsoft Advanced Threat Analytics (ATA).

Prior to installing ATA, you should ensure you have a process in place to handle a major security incident that ATA may detect.

  • For more information on setting up an incident response process, see Responding to IT Security Incidents and the "Respond to suspicious activity" and "Recover from a breach" sections of Mitigating Pass-the-Hash and Other Credential Theft, version 2.

  • For more information on engaging Microsoft services to assist with preparing your IR process for ATA generated events and deploying ATA, contact your Microsoft representative by accessing this page.

  • Access this page for more information on engaging Microsoft services to assist with investigating and recovering from an incident.

  • To implement ATA, follow the deployment guide available here.

Security Privileged Access Roadmap: Stage 3

Stage 3 of the roadmap builds on the mitigations from Stages 1 and 2 to strengthen and add mitigations across the spectrum. Stage 3 is depicted visually in this diagram:

Figure: Stage 3

These capabilities will build on the mitigations from previous phases and move your defenses into a more proactive posture.

1. Modernize Roles and Delegation Model

To reduce security risk, you should redesign all aspects of your roles and delegation model to be compliant with the rules of the tier model, accommodate cloud service administrative roles, and incorporate administrator usability as a key tenet. This model should leverage the JIT and JEA capabilities deployed in the earlier stages as well as task automation technology to achieve these goals.

2. Smartcard or Passport Authentication for all admins

To increase the assurance level and usability of administrator authentication, you should require strong authentication for all administrative accounts hosted in Azure Active Directory and in your Windows Server Active Directory (including accounts federated to a cloud service).

3. Admin Forest for Active Directory administrators

To provide the strongest protection for Active Directory administrators, set up an environment that has no security dependencies on your production Active Directory and is isolated from attacks from all but the most trusted systems in your production environment. For more information on the ESAE architecture, visit this page.

4. Code Integrity Policy for DCs (Server 2016)

To limit the risk of unauthorized programs on your domain controllers from adversary attack operations and inadvertent administrative errors, configure Windows Server 2016 Code Integrity for kernel (drivers) and user mode (applications) to only allow authorized executables to run on the machine.

5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric)

To protect virtualized domain controllers from attack vectors that exploit a virtual machine's inherent loss of physical security, use this new Server 2016 Hyper-V capability to help prevent the theft of Active Directory secrets from virtual DCs. Using this solution, you can encrypt Generation 2 VMs to protect the VM data against inspection, theft, and tampering by storage and network administrators, as well as harden access to the VM against attacks by Hyper-V host administrators.

Am I done?

Completing this roadmap will gain you strong privileged access protections for the attacks that are currently known and available to adversaries today. Unfortunately, security threats will constantly evolve and shift, so we recommend you view security as an ongoing process focused on raising the cost and reducing the success rate of adversaries targeting your environment.

Securing privileged access is a critical first step to establishing security assurances for business assets in a modern organization, but it is not the only part of a complete security program, which would include elements like policy, operations, information security, servers, applications, PCs, devices, cloud fabric, and other components that provide the security assurances you require.

For more information on building a complete security roadmap, see the "Customer responsibilities and roadmap" section of the Microsoft Cloud Security for Enterprise Architects document available here.

For more information on engaging Microsoft services to assist with any of these topics, contact your Microsoft representative or visit this page.

Taste of Premier: How to Mitigate Pass-the-Hash and Other Forms of Credential Theft

Microsoft Advanced Threat Analytics

Protect derived domain credentials with Credential Guard

Device Guard Overview

Protecting high-value assets with secure admin workstations

Isolated User Mode in Windows 10 with Dave Probert (Channel 9)

Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)

More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)

Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)

Enabling Strict KDC Validation in Windows Kerberos

What's New in Kerberos Authentication for Windows Server 2012

Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide

Trusted Platform Module