Securing Privileged Access Reference Material

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This section contains reference information for Securing Privileged Access including:

Active Directory administrative tier model

The purpose of this tier model is to protect identity systems using a set of buffer zones between full control of the Environment (Tier 0) and the high risk workstation assets that attackers frequently compromise.

Figure: Diagram showing the three levels of the Tier model

The Tier model is composed of three levels and only includes administrative accounts, not standard user accounts:

  • Tier 0 - Direct Control of enterprise identities in the environment. Tier 0 includes accounts, groups, and other assets that have direct or indirect administrative control of the Active Directory forest, domains, or domain controllers, and all the assets in it. The security sensitivity of all Tier 0 assets is equivalent as they are all effectively in control of each other.

  • Tier 1 - Control of enterprise servers and applications. Tier 1 assets include server operating systems, cloud services, and enterprise applications. Tier 1 administrator accounts have administrative control of a significant amount of business value that is hosted on these assets. A common example role is server administrators who maintain these operating systems with the ability to impact all enterprise services.

  • Tier 2 - Control of user workstations and devices. Tier 2 administrator accounts have administrative control of a significant amount of business value that is hosted on user workstations and devices. Examples include Help Desk and computer support administrators because they can impact the integrity of almost any user data.

Note

The tiers also serve as a basic prioritization mechanism for protecting administrative assets, but it is important to consider that an attacker with control of all assets at any tier can access most or all business assets. The reason it is useful as a basic prioritization mechanism is attacker difficulty/cost. It is easier for an attacker to operate with full control of all identities (Tier 0) or servers and cloud services (Tier 1) than it is if they must access each individual workstation or user device (Tier 2) to get your organization's data.

Containment and security zones

The tiers are relative to a specific security zone. While they have gone by many names, security zones are a well-established approach that provides containment of security threats through network layer isolation between them. The tier model complements the isolation by providing containment of adversaries within a security zone where network isolation isn't effective. Security zones can span both on-premises and cloud infrastructure, such as in the example where Domain Controllers and domain members in the same domain are hosted on-premises and in Azure.

Figure: Diagram showing how security zones span both on-premises and cloud infrastructure

The Tier model prevents escalation of privilege by restricting what administrators can control and where they can log on (because logging on to a computer grants control of those credentials and all assets managed by those credentials).

Control restrictions

Control restrictions are shown in the figure below:

Figure: Diagram of control restrictions

Primary responsibilities and critical restrictions

Tier 0 administrator - manage the identity store and a small number of systems that are in effective control of it, and:

  • Can manage and control assets at any level as required

  • Can only log on interactively or access assets trusted at the Tier 0 level

Tier 1 administrator - manage enterprise servers, services, and applications, and:

  • Can only manage and control assets at the Tier 1 or Tier 2 level

  • Can only access assets (via network logon type) that are trusted at the Tier 1 or Tier 0 levels

  • Can only interactively log on to assets trusted at the Tier 1 level

Tier 2 administrator - manage enterprise desktops, laptops, printers, and other user devices, and:

  • Can only manage and control assets at the Tier 2 level

  • Can access assets (via network logon type) at any level as required

  • Can only interactively log on to assets trusted at the Tier 2 level

Logon restrictions

Logon restrictions are shown in the figure below:

Figure: Diagram of logon restrictions

Note

Note that some assets can have Tier 0 impact to availability of the environment, but do not directly impact the confidentiality or integrity of the assets. These include the DNS Server service and critical network devices like Internet proxies.

Clean source principle

The clean source principle requires all security dependencies to be as trustworthy as the object being secured.

Figure: Diagram showing that a subject in control of an object is a security dependency of that object

Any subject in control of an object is a security dependency of that object. If an adversary can control anything in effective control of a target object, they can control that target object. Because of this, you must ensure that the assurances for all security dependencies are at or above the desired security level of the object itself.

While simple in principle, applying this requires understanding the control relationships of an asset of interest (Object) and performing a dependency analysis of it to discover all security dependencies (Subject(s)).

Because control is transitive, this principle has to be applied recursively. For example, if A controls B and B controls C, then A also indirectly controls C.

Figure: Diagram showing that if A controls B and B controls C, then A also indirectly controls C

An attacker that compromises A gets access to everything A controls (including B), and everything B controls (including C). Using the language of security dependencies on this same example, both B and A are security dependencies of C and have to be secured at the desired assurance level of C in order for C to have that assurance level.
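The recursive dependency analysis described above, as an added PowerShell example that is not part of the original page: it walks a control graph backwards from a target object to find every transitive security dependency, then flags any dependency secured at a lower tier than the target. The control edges, asset names and tier assignments are a constructed sample; it also models the logon-exposure case (a Tier 0 credential used on a Tier 2 desktop) to show the escalation path that the tier model is meant to prevent.

```powershell
# Added example (not the page's own code): transitive security-dependency analysis
# for the clean source principle. Lower tier number = higher assurance, as in the
# tier model. All names, edges and tiers below are constructed sample data.

function Get-SecurityDependencies {
    param(
        [Parameter(Mandatory)] [string]$Target,
        # Hashtable: subject -> array of objects that the subject controls
        [Parameter(Mandatory)] [hashtable]$Controls
    )
    # Walk the control graph backwards: every subject that controls the target,
    # directly or through a chain of control, is a security dependency of it.
    $deps  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Target)
    while ($queue.Count -gt 0) {
        $obj = $queue.Dequeue()
        foreach ($subject in $Controls.Keys) {
            # HashSet.Add returns $false for an already-seen subject, which also
            # stops cycles (A controls B, B controls A) from looping forever.
            if (($Controls[$subject] -contains $obj) -and $deps.Add($subject)) {
                $queue.Enqueue($subject)   # control is transitive: keep walking
            }
        }
    }
    return $deps
}

function Test-CleanSource {
    param(
        [Parameter(Mandatory)] [string]$Target,
        [Parameter(Mandatory)] [hashtable]$Controls,
        # Hashtable: asset -> tier it is secured at (0 is the most trusted)
        [Parameter(Mandatory)] [hashtable]$Tier
    )
    $required = $Tier[$Target]
    foreach ($dep in (Get-SecurityDependencies -Target $Target -Controls $Controls)) {
        # An asset with no known assurance level is treated as untrusted (fail closed).
        $depTier = if ($Tier.ContainsKey($dep)) { $Tier[$dep] } else { 99 }
        [pscustomobject]@{
            Target     = $Target
            Dependency = $dep
            Tier       = $depTier
            Violation  = ($depTier -gt $required)   # lower-trust dependency = clean source violated
        }
    }
}

# Constructed sample: the page's A -> B -> C chain, plus a Tier 0 admin account whose
# credentials were exposed by an interactive logon to a Tier 2 user desktop.
$controls = @{
    'A'            = @('B')
    'B'            = @('C')
    'Tier0Admin'   = @('DomainController')
    'Tier2Desktop' = @('Tier0Admin')   # logon exposes the credential to the desktop
}
$tiers = @{
    'A' = 0; 'B' = 0; 'C' = 0
    'DomainController' = 0; 'Tier0Admin' = 0; 'Tier2Desktop' = 2
}

# C depends on A and B, both secured at Tier 0: no violation reported.
Test-CleanSource -Target 'C' -Controls $controls -Tier $tiers | Format-Table

# The domain controller now transitively depends on a Tier 2 desktop: flagged as an
# escalation-of-privilege path that must be removed or the desktop raised to Tier 0.
Test-CleanSource -Target 'DomainController' -Controls $controls -Tier $tiers | Format-Table
```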

For IT infrastructure and identity systems, this principle should be applied to the most common means of control including the hardware where systems are installed, the installation media for the systems, the architecture and configuration of the system, and daily operations.

Clean Source for installation media

Figure: Diagram showing clean source for installation media

Applying the clean source principle to installation media requires you to ensure that the installation media has not been tampered with since being released by the manufacturer (as best you are able to determine). This figure depicts an attacker using this path to compromise a computer:

Figure: Diagram showing an attacker using the installation media path to compromise your computer

Applying the clean source principle to installation media requires validating the software integrity throughout the cycle you possess it, including during acquisition, storage, and transfer up until it is used.

Software acquisition

The source of the software should be validated through one of the following means:

  • Software is obtained from physical media that is known to come from the manufacturer or a reputable source, typically manufactured media shipped from a vendor.

  • Software is obtained from the Internet and validated with vendor-provided file hashes.

  • Software is obtained from the Internet and validated by downloading and comparing two independent copies:

    • Download to two hosts with no security relationship (not in the same domain and not managed by the same tools), preferably from separate Internet connections.

    • Compare the downloaded files using a utility like certutil:

      certutil -hashfile <filename>

When possible, all application software, such as application installers and tools, should be digitally signed and verified using Windows Authenticode with the Windows Sysinternals tool, sigcheck.exe, with revocation checking. Some required software may come from vendors that do not provide this type of digital signature.
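The acquisition checks above combined into one PowerShell routine, as an added example that is not part of the original page: it hashes the two independently downloaded copies (Get-FileHash, the built-in equivalent of the certutil command shown), compares them with each other and with the vendor-published hash, and checks the Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet. The file paths and the vendor hash are placeholders; the page's recommended tool for the signature step with revocation checking is sigcheck.exe, which this example does not replace.

```powershell
# Added example (not the page's own code): validate an installer obtained from the
# Internet by comparing two independent copies, checking the vendor's hash, and
# verifying the Authenticode signature. Paths and vendor hash are placeholders.

function Test-SoftwareAcquisition {
    param(
        [Parameter(Mandatory)] [string]$CopyA,   # copy downloaded by host/connection 1
        [Parameter(Mandatory)] [string]$CopyB,   # copy downloaded by host/connection 2
        [string]$VendorSha256                    # SHA-256 published by the vendor, if any
    )
    $result = [ordered]@{
        CopiesMatch     = $false
        VendorHashMatch = $null      # stays $null when no vendor hash was supplied
        SignatureValid  = $false
        Signer          = $null
        Accept          = $false
    }

    # Same check as "certutil -hashfile <file> SHA256", done with the built-in cmdlet.
    $hashA = (Get-FileHash -Path $CopyA -Algorithm SHA256).Hash
    $hashB = (Get-FileHash -Path $CopyB -Algorithm SHA256).Hash
    $result.CopiesMatch = ($hashA -eq $hashB)   # string -eq is case-insensitive

    if ($VendorSha256) {
        $result.VendorHashMatch = ($hashA -eq $VendorSha256.Trim())
    }

    # Authenticode check: Status is 'Valid' only when the signature chain verifies.
    # Use sigcheck.exe (with revocation checking) for the fuller check the page recommends.
    $sig = Get-AuthenticodeSignature -FilePath $CopyA
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    # Fail closed: the copies must agree, the signature must verify, and the vendor
    # hash must match whenever one was provided.
    $result.Accept = ($result.CopiesMatch -and
                      $result.SignatureValid -and
                      ($null -eq $result.VendorHashMatch -or $result.VendorHashMatch))
    return [pscustomobject]$result
}

# Placeholder paths: copies fetched by two hosts with no security relationship,
# then staged on the admin workstation that performs the validation.
Test-SoftwareAcquisition -CopyA 'C:\Staging\hostA\setup.exe' `
                         -CopyB 'C:\Staging\hostB\setup.exe' `
                         -VendorSha256 '<SHA256 published by the vendor>'
```

Only accept the package when Accept is True; a mismatch between the two copies indicates tampering on one download path or at one host, and a Signer value should be compared with the vendor name you expect before trusting the signature.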

Software storage and transfer

After obtaining the software, it should be stored in a location that is protected from modification, especially by internet-connected hosts or personnel trusted at a lower level than the systems where the software or operating system will be installed. This storage can be physical media or a secure electronic location.

Software usage

Ideally, the software should be validated at the time it is used, such as when it is manually installed, packaged for a configuration management tool, or imported into a configuration management tool.

Clean source for architecture and design

Applying the clean source principle to the system architecture requires you to ensure that the system is not dependent on lower trust systems. A system can be dependent on a higher trust system, but not on a lower trust system with lower security standards.

As an example, it's acceptable for Active Directory to control a standard user desktop, but it's a significant escalation of privilege risk for a standard user desktop to be in control of the Active Directory.

Figure: Diagram showing that a system can depend on a higher trust system, but not on a lower trust system with lower security standards

The control relationship can be introduced through many means including security Access Control Lists (ACLs) on objects like filesystems, membership in the local administrators group on a computer, or agents installed on a computer running as System (with the ability to run arbitrary code and scripts).

A frequently overlooked example is exposure through logon, which creates a control relationship by exposing administrative credentials of a system to another system. This is the underlying reason why credential theft attacks like pass the hash are so powerful. When an administrator logs on to a standard user desktop with Tier 0 credentials, they are exposing those credentials to that desktop, putting it in control of AD, and creating an escalation of privilege path to AD. For more information on these attacks, see this page.

Because of the large number of assets that depend on identity systems like Active Directory, you should minimize the number of systems your Active Directory and Domain Controllers depend on.

Figure: Diagram showing that you should minimize the number of systems your Domain Controllers and Active Directory depend on

For more information on hardening the top risks of Active Directory, see this page.

Operational standards based on clean source principle

This section describes the operational standards and expectations for administrative personnel. These standards are designed to secure administrative control of an organization's information technology systems against risks that could be created by operational practices and processes.

Figure: Diagram showing how the standards secure administrative control of an organization's information technology systems against risks created by operational practices and processes

Integrating the standards

You can integrate these standards into your organization's overall standards and practices. You can adapt these to the specific requirements, available tools, and risk appetite of your organization, but we recommend only minimum modifications to reduce risk. We recommend you use the defaults in this guidance as the benchmark for your ideal end state and manage any deltas as exceptions to be addressed in priority order.

The standards guidance is organized into these sections:

  • Assumptions

  • Change Advisory Board

  • Operational Practices

    • Summary

    • Standards Details

Assumptions

The standards in this section assume that the organization has the following attributes:

  • Most or all servers and workstations in scope are joined to Active Directory.

  • All servers to be managed are running Windows Server 2008 R2 or later and have RDP RestrictedAdmin mode enabled.

  • All workstations to be managed are running Windows 7 or later and have RDP RestrictedAdmin mode enabled.

    Note

    To enable RDP RestrictedAdmin mode, see this page.

  • Smart cards are available and issued to all administrative accounts.

  • The Builtin\Administrator account for each domain has been designated as an emergency access account.

  • An enterprise identity management solution is deployed.

  • LAPS has been deployed to servers and workstations to manage the local administrator account password.

  • There is a privileged access management solution, such as Microsoft Identity Manager, in place, or there is a plan to adopt one.

  • Personnel are assigned to monitor security alerts and respond to them.

  • The technical capability to rapidly apply Microsoft security updates is available.

  • Baseboard management controllers on servers will not be used, or will adhere to strict security controls.

  • Administrator accounts and groups for servers (Tier 1 admins) and workstations (Tier 2 admins) will be managed by domain admins (Tier 0).

  • There is a Change Advisory Board (CAB) or another designated authority in place for approving Active Directory changes.

Change advisory board

A Change Advisory Board (CAB) is the discussion forum and approval authority for changes that could impact the security profile of the organization. Any exceptions to these standards should be submitted to the CAB with a risk assessment and justification.

Each standard in this document is broken out by the criticality of meeting the standard for a given Tier level.

Figure: Diagram showing the standards by Tier level

All exceptions for Mandatory items (marked with a red octagon or an orange triangle in this document) are considered temporary, and they need to be approved by the CAB. Guidelines include:

  • The initial request requires justification and risk acceptance signed by the personnel's immediate supervisor, and it expires after six months.

  • Renewals require justification and risk acceptance signed by a business unit director, and they expire after six months.

All exceptions for Recommended items (marked with a yellow circle in this document) are considered temporary, and need to be approved by the CAB. Guidelines include:

  • The initial request requires justification and risk acceptance signed by the personnel's immediate supervisor, and it expires after 12 months.

  • Renewals require justification and risk acceptance signed by a business unit director, and they expire after 12 months.

Operational practices standards summary

The Tier columns in this table refer to the Tier level of the administrative account, the control of which typically impacts all assets in that tier.

Figure: Table showing the administrative account Tier levels

Operational decisions that are made on a regular basis are critical to maintaining the security posture of the environment. These standards for processes and practices help ensure that an operational error does not lead to an exploitable operational vulnerability in the environment.

Administrator enablement and accountability

Administrators must be informed, empowered, trained, and held accountable to operate the environment as securely as possible.

Administrative personnel standards

Assigned administrative personnel must be vetted to ensure they are trustworthy and have a need for administrative privileges:

  • Perform background checks on personnel prior to assigning administrative privileges.

  • Review administrative privileges each quarter to determine which personnel still have a legitimate business need for administrative access.

Administrative security briefing and accountability

Administrators must be informed of and accountable for the risks to the organization and their role in managing that risk. Administrators should be trained yearly on:

  • General threat environment

    • Determined adversaries

    • Attack techniques including pass-the-hash and credential theft

  • Organization-specific threats and incidents

  • Administrator's roles in protecting against attacks

    • Managing credential exposure with the Tier model

    • Use of administrative workstations

    • Use of Remote Desktop Protocol RestrictedAdmin mode

  • Organization-specific administrative practices

    • Review all operational guidelines in this standard

    • Implement the following key rules:

      • Do not use administrative accounts on anything but administrative workstations

      • Do not disable or dismantle security controls on your account or workstations (for example, logon restrictions or attributes required for smart cards)

      • Report issues or unusual activity

To provide accountability, all personnel with administrative accounts should sign an Administrative Privilege Code of Conduct document that says they intend to follow organization-specific administrative policy practices.

Provisioning and deprovisioning processes for administrative accounts

The following standards must be met for meeting lifecycle requirements.

  • All administrative accounts must be approved by the Approving Authority outlined in the following table.

    • Approval must only be granted if the personnel have a legitimate business need for administrative privileges.

    • Approval for administrative privileges should not exceed six months.

  • Access to administrative privileges must be immediately deprovisioned when:

    • Personnel change positions.

    • Personnel leave the organization.

  • Accounts must be immediately disabled following personnel leaving the organization.

  • Disabled accounts must be deleted within six months and the record of their deletion must be entered into change approval board records.

  • Review all privileged account memberships monthly to ensure that no unauthorized permissions have been granted. This can be replaced by an automated tool that alerts on changes.

Account Privilege Level | Approving Authority               | Membership Review Frequency
Tier 0 Administrator    | Change approval board             | Monthly or automated
Tier 1 Administrator    | Tier 0 administrators or security | Monthly or automated
Tier 2 Administrator    | Tier 0 administrators or security | Monthly or automated

Operationalize least privilege

These standards help achieve least privilege by reducing the number of administrators in role and the amount of time that they have privileges.

Note

Achieving least privilege in your organization will require understanding the organizational roles, their requirements, and designing mechanisms to ensure that they are able to accomplish their job by using least privilege. Achieving a state of least privilege in an administrative model frequently requires the use of multiple approaches:

  • Limit the count of administrators or members of privileged groups
  • Delegate fewer privileges to accounts
  • Provide time-bound privileges on demand
  • Provide ability for other personnel to perform tasks (a concierge approach)
  • Provide processes for emergency access and rare-use scenarios

Limit count of administrators

A minimum of two qualified personnel should be assigned to each administrative role to ensure business continuity.

If the number of personnel assigned to any role exceeds two, the change approval board must approve the specific reasons for assigning privileges to each individual member (including the original two). The justification for the approval must include:

  • What technical tasks are performed by the administrators that require the administrative privileges

  • How often the tasks are performed

  • Specific reason why the tasks cannot be performed by another administrator on their behalf

  • Documentation of all other known alternative approaches to granting the privilege and why each isn't acceptable

Dynamically assign privileges

Administrators are required to obtain permissions "just-in-time" to use them as they perform tasks. No permissions will be permanently assigned to administrative accounts.

Note

Permanently assigned administrative privileges naturally create a "most privilege" strategy because administrative personnel require rapid access to permissions to maintain operational availability if there is an issue. Just-in-time permissions provide the ability to:

  • Assign permissions more granularly, getting closer to least privilege.
  • Reduce the exposure time of privileges.
  • Track permissions use to detect abuse or attacks.
Manage Risk of Credential Exposure

Use the following practices to properly manage the risk of credential exposure.

Separate administrative accounts

All personnel that are authorized to possess administrative privileges must have separate accounts for administrative functions that are distinct from user accounts.

  • Standard user accounts - Granted standard user privileges for standard user tasks, such as email, web browsing, and using line-of-business applications. These accounts should not be granted administrative privileges.

  • Administrative accounts - Separate accounts created for personnel who are assigned the appropriate administrative privileges. An administrator who is required to manage assets in each Tier should have a separate account for each Tier. These accounts should have no access to email or the public Internet.

Administrator logon practices

Before an administrator can log on to a host interactively (locally, over standard RDP, by using RunAs, or by using the virtualization console), that host must meet or exceed the standard for the admin account Tier (or a higher Tier).

Administrators can only sign in to admin workstations with their administrative accounts. Administrators only log on to managed resources by using the approved support technology described in the next section.

Note

This is required because logging onto a host interactively grants control of the credentials to that host.

See Administrative Tools and Logon Types for details about logon types, common management tools, and credential exposure.

Use of approved support technology and methods

Administrators who support remote systems and users must follow these guidelines to prevent an adversary in control of the remote computer from stealing their administrative credentials.

  • The primary support options should be used if they are available.

  • The secondary support options should only be used if the primary support option is not available.

  • Forbidden support methods may never be used.

  • No internet browsing or email access may be performed by any administrative account at any time.

Tier 0 forest, domain, and DC administration

Ensure that the following practices are applied for this scenario:

  • Remote server support - When remotely accessing a server, Tier 0 administrators must follow these guidelines:

    • Primary (tool) - Remote tools that use network logons (type 3). For more information, see Administrative Tools and Logon Types.

    • Primary (interactive) - Use RDP RestrictedAdmin or a Standard RDP Session from an admin workstation with a domain account

    Note

    If you have a Tier 0 privilege management solution, add "that uses permissions obtained just-in-time from a privileged access management solution."

  • Physical server support - When physically present at a server console or at a virtual machine console (Hyper-V or VMware tools), these accounts have no specific administrative tool usage restrictions, only the general restrictions from standard user tasks like email and browsing the open internet.

    Note

    Tier 0 administration is different from administration of other tiers because all Tier 0 assets already have direct or indirect control of all assets. As an example, an attacker in control of a DC has no need to steal credentials from logged on administrators as they already have access to all domain credentials in the database.

Tier 1 server and enterprise application support

Ensure that the following practices are applied for this scenario:

  • Remote server support - When remotely accessing a server, Tier 1 administrators must follow these guidelines:

    • Primary (tool) - Remote tools that use network logons (type 3). For more information, see Mitigating Pass-the-Hash and Other Credential Theft v1 (pp 42-47).

    • Primary (interactive) - Use RDP RestrictedAdmin from an admin workstation with a domain account that uses permissions obtained just-in-time from a privileged access management solution.

    • Secondary - Log on to the server from an admin workstation by using a local account password that is set by LAPS.

    • Forbidden - Standard RDP may not be used with a domain account.

    • Forbidden - Using the domain account credentials while in the session (for example, using RunAs or authenticating to a share). This exposes the logon credentials to the risk of theft.

  • Physical server support - When physically present at a server console or at a virtual machine console (Hyper-V or VMware tools), Tier 1 administrators must retrieve the local account password from LAPS prior to accessing the server.

    • Primary - Retrieve the local account password set by LAPS from an admin workstation before logging on to the server.

    • Forbidden - Logging on with a domain account is not allowed in this scenario.

    • Forbidden - Using the domain account credentials while in the session (for example, RunAs or authenticating to a share). This exposes the logon credentials to the risk of theft.

Tier 2 help desk and user support

Help Desk and user support organizations perform support for end users (which doesn't require administrative privileges) and the user workstations (which does require administrative privileges).

User support - Tasks include assisting users with performing tasks that require no modification to the workstation, frequently showing them how to use an application feature or operating system feature.

  • Desk-side user support - The Tier 2 support personnel are physically at the user's workspace.

    • Primary - "Over the shoulder" support can be provided with no tools.

    • Forbidden - Logging on with domain account administrative credentials is not allowed in this scenario. Switch to desk-side workstation support if administrative privileges are required.

  • Remote user support - The Tier 2 support personnel are physically remote from the user.

    • Primary - Remote Assistance, Skype for Business, or similar user-screen sharing may be used. For more information, see What is Windows Remote Assistance?

    • Forbidden - Logging on with domain account administrative credentials is not allowed in this scenario. Switch to workstation support if administrative privileges are required.

  • Workstation support - Tasks include performing workstation maintenance or troubleshooting that requires access to a system for viewing logs, installing software, updating drivers, and so on.

    • Desk-side workstation support - The Tier 2 support personnel are physically at the user's workstation.

      • Primary - Retrieve the local account password set by LAPS from an admin workstation before connecting to the user workstation.

      • Forbidden - Logging on with domain account administrative credentials is not allowed in this scenario.

    • Remote workstation support - The Tier 2 support personnel are physically remote from the workstation.

      • Primary - Use RDP RestrictedAdmin from an admin workstation with a domain account that uses permissions obtained just-in-time from a privileged access management solution.

      • Secondary - Retrieve a local account password set by LAPS from an admin workstation before connecting to the user workstation.

      • Forbidden - Using standard RDP with a domain account.

No browsing the public Internet with admin accounts or from admin workstations

Administrative personnel cannot browse the open Internet while logged on with an administrative account or while logged on to an administrative workstation. The only authorized exceptions are the use of a web browser to administer a cloud-based service, such as Microsoft Azure, Amazon Web Services, Microsoft Office 365, or enterprise Gmail.

No accessing email with admin accounts or from admin workstations

Administrative personnel cannot access email while logged on with an administrative account or while logged on to an administrative workstation.

Store service and application account passwords in a secure location

The following guidelines should be used for the physical security processes that control access to the password:

  • Lock the service account passwords in a physical safe.

  • Ensure that only personnel trusted at or above the Tier classification of the account have access to the account password.

  • Limit the number of people who have access to the passwords to the minimum needed for accountability.

  • Ensure that all access to the password is logged, tracked, and monitored by a disinterested party, such as a manager who is not trained to perform IT administration.

Strong Authentication

Use the following practices to properly configure strong authentication.

Enforce smartcard multi-factor authentication (MFA) for all admin accounts

No administrative account is allowed to use a password for authentication. The only authorized exceptions are the emergency access accounts that are protected by the appropriate processes.

Link all administrative accounts to a smart card and enable the attribute "Smart Card Required for Interactive Logon."

A script should be implemented to automatically and periodically reset the random password hash value by disabling and immediately re-enabling the attribute "Smart Card Required for Interactive Logon."

Allow no exceptions for accounts used by human personnel beyond the emergency access accounts.

Enforce Multi-Factor Authentication for All Cloud Admin Accounts

All accounts with administrative privileges in a cloud service, such as Microsoft Azure and Office 365, must use multi-factor authentication.

Rare Use emergency procedures

Operational practices must support the following standards:

  • Ensure outages can be resolved quickly.

  • Ensure rare high-privilege tasks can be completed as needed.

  • Ensure safe procedures are used to protect the credentials and privileges.

  • Ensure appropriate tracking and approval processes are followed.

Correctly follow appropriate processes for all emergency access accounts

Ensure that each emergency access account has a tracking sheet in the safe.

The procedure documented on the password tracking sheet should be followed for each account, which includes changing the password after each use and logging out of any workstations or servers used after completion.

All use of emergency access accounts should be approved by the change approval board in advance or after the fact as an approved emergency usage.

Restrict and monitor usage of emergency access accounts

For all use of emergency access accounts:

  • Only authorized domain admins can access the emergency access accounts with domain admin privileges.

  • The emergency access accounts can be used only on domain controllers and other Tier 0 hosts.

  • This account should be used only to:

    • Perform troubleshooting and correction of technical issues that are preventing the use of the correct administrative accounts.

    • Perform rare tasks, such as:

      • Schema administration

      • Forest-wide tasks that require enterprise administrative privileges. Note that topology management, including Active Directory site and subnet management, is delegated to limit the use of these privileges.

  • All usage of one of these accounts should have written authorization by the security group lead.

  • The procedure on the tracking sheet for each emergency access account requires the password to be changed for each use. A security team member should validate that this happened correctly.

Temporarily assign enterprise admin and schema admin membership

Privileges should be added as needed and removed after use. The emergency account should have these privileges assigned for only the duration of the task to be completed, and for a maximum of 10 hours. All usage and duration of these privileges should be captured in the change approval board record after the task is completed.

ESAE Administrative Forest Design Approach

This section contains an approach for an administrative forest based on the Enhanced Security Administrative Environment (ESAE) reference architecture deployed by Microsoft's cybersecurity professional services teams to protect customers against cybersecurity attacks.

Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment.

This architecture enables a number of security controls that aren't possible or easily configured in a single forest architecture, even one managed with Privileged Access Workstations (PAWs). This approach allows the provisioning of accounts as standard non-privileged users in the administrative forest that are highly privileged in the production environment, enabling greater technical enforcement of governance. This architecture also enables the use of the selective authentication feature of a trust as a means to restrict logons (and credential exposure) to only authorized hosts. In situations in which a greater level of assurance is desired for the production forest without incurring the cost and complexity of a complete rebuild, an administrative forest can provide an environment that increases the assurance level of the production environment.

While this approach does add a forest to an Active Directory environment, the cost and complexity are limited by the fixed design, small hardware/software footprint, and small number of users.

Note

This approach works well for administering Active Directory, but many applications aren't compatible with being administered by accounts from an external forest using a standard trust.

This figure depicts an ESAE forest used for administration of Tier 0 assets and a PRIV forest configured for use with Microsoft Identity Manager's Privileged Access Management capability. For more information on deploying a MIM PAM instance, see the Privileged Identity Management for Active Directory Domain Services (AD DS) article.

[Figure: ESAE forest used for administration of Tier 0 assets, and a PRIV forest configured for use with Microsoft Identity Manager's Privileged Access Management capability]

A dedicated administrative forest is a standard single-domain Active Directory forest dedicated to the function of Active Directory management. Administrative forests and domains may be hardened more stringently than production forests because of the limited use cases.

An administrative forest design should include the following considerations:

  • Limited scope - The primary value of an admin forest is the high level of security assurance and reduced attack surface resulting in lower residual risk. The forest can be used to house additional management functions and applications, but each increase in scope will increase the attack surface of the forest and its resources. The objective is to limit the functions of the forest and admin users inside to keep the attack surface minimal, so each scope increase should be considered carefully.

  • Trust configurations - Configure trust from managed forest(s) or domain(s) to the administrative forest.

    • A one-way trust is required from the production environment to the admin forest. This can be a domain trust or a forest trust. The admin forest/domain does not need to trust the managed domains/forests to manage Active Directory, though additional applications may require a two-way trust relationship, security validation, and testing.

    • Selective authentication should be used to restrict accounts in the admin forest to only logging on to the appropriate production hosts. For maintaining domain controllers and delegating rights in Active Directory, this typically requires granting the "Allowed to logon" right for domain controllers to designated Tier 0 admin accounts in the admin forest. See Configuring Selective Authentication Settings for more information.

  • Privileges and domain hardening - The administrative forest should be configured to least privilege based on the requirements for Active Directory administration.

    • Granting rights to administer domain controllers and delegate permissions requires adding admin forest accounts to the BUILTIN\Administrators domain local group. This is because the Domain Admins global group cannot have members from an external domain.

    • One caveat to using this group to grant rights is that its members won't have administrative access to new group policy objects by default. This can be changed by following the procedure in this knowledge base article to change the schema default permissions.

    • Accounts in the admin forest that are used to administer the production environment should not be granted administrative privileges to the admin forest, domains in it, or workstations in it.

    • Administrative privileges over the admin forest should be tightly controlled by an offline process to reduce the opportunity for an attacker or malicious insider to erase audit logs. This also helps ensure that personnel with production admin accounts cannot relax the restrictions on their accounts and increase risk to the organization.

    • The administrative forest should follow the Microsoft Security Compliance Manager (SCM) configurations for the domain, including strong configurations for authentication protocols.

    • All admin forest hosts should be automatically updated with security updates. While this may create a risk of interrupting domain controller maintenance operations, it provides a significant mitigation of the security risk of unpatched vulnerabilities.

      Note

      A dedicated Windows Server Update Services instance can be configured to automatically approve updates. For more information, see the "Automatically Approve Updates for Installation" section in Approving Updates.

  • Workstation Hardening - Build the administrative workstations using the Privileged Access Workstations guidance (through Phase 3), but change the domain membership to the administrative forest instead of the production environment.

  • Server and DC hardening - For all domain controllers and servers in the administrative forest:

    • Ensure all media is validated using the guidance in Clean Source for installation media.

    • Ensure the administrative forest servers have the latest operating systems installed, even if this is not feasible in production.

    • Admin forest hosts should be automatically updated with security updates.

      Note

      Windows Server Update Services can be configured to automatically approve updates. For more information, see the "Automatically Approve Updates for Installation" section in Approving Updates.

    • Security Baselines should be used as starting configurations.

      Note

      Customers can use the Microsoft Security Compliance Manager (SCM) for configuring the baselines on the administrative hosts.

    • Secure Boot to mitigate against attackers or malware attempting to load unsigned code into the boot process.

      Note

      This feature was introduced in Windows 8 to leverage the Unified Extensible Firmware Interface (UEFI).

    • Full volume encryption to mitigate against physical loss of computers, such as administrative laptops used remotely.

      Note

      See BitLocker for more information.

    • USB restrictions to protect against physical infection vectors.

    • Network isolation to protect against network attacks and inadvertent admin actions. Host firewalls should block all incoming connections except those explicitly required and block all outbound Internet access.

    • Antimalware to protect against known threats and malware.

    • Attack surface analysis to prevent introduction of new attack vectors to Windows during installation of new software.

      Note

      Use of tools such as the Attack Surface Analyzer (ASA) will help assess configuration settings on a host and identify attack vectors introduced by software or configuration changes.

  • Account hardening

    • Multi-factor authentication should be configured for all accounts in the admin forest, except one account. At least one administrative account should be password based to ensure access will work in case the multi-factor authentication process breaks. This account should be protected by a stringent physical control process.

    • Accounts configured for multi-factor authentication should be configured to set a new NTLM hash on accounts regularly. This can be accomplished by disabling and re-enabling the account attribute "Smart card is required for interactive logon".

      Note

      This can interrupt operations in progress that are using this account, so this process should be initiated only when administrators won't be using the account, such as at night or on weekends.

  • Detective controls

    • Detective controls for the administrative forest should be designed to alert on anomalies in the admin forest. The limited number of authorized scenarios and activities can help tune these controls more accurately than in the production environment.

For more information about engaging Microsoft services to design and deploy an ESAE for your environment, see this page.
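The periodic hash reset called for under "Enforce smartcard multi-factor authentication (MFA) for all admin accounts" and again under "Account hardening" above, as an added example that is not Microsoft's script; the OU path, the DC selection and the excluded emergency account name are assumptions.

```powershell
# Added example (not from the Microsoft guidance): toggle the "Smart card is required
# for interactive logon" flag so the DC generates a new random password (and NT hash)
# for every smart-card-only admin account. Run from a Tier 0 admin workstation with
# the ActiveDirectory module, in a window when the accounts are not in use (the
# toggle invalidates sessions still relying on the old hash).
Import-Module ActiveDirectory

function Reset-SmartcardAccountHash {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # OU that holds the administrative accounts (assumption: adjust to your layout).
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,

        # Pin every change to one writable DC so the disable/enable pair is applied in order.
        [string]$Server = (Get-ADDomainController -Discover -Writable).HostName,

        # sAMAccountNames to leave alone, e.g. the one password-based emergency
        # account the guidance allows (assumption: the names are yours).
        [string[]]$Exclude = @()
    )

    $common = @{ Server = $Server; ErrorAction = 'Stop' }
    $candidates = Get-ADUser @common -SearchBase $SearchBase `
        -Filter 'SmartcardLogonRequired -eq $true -and Enabled -eq $true' `
        -Properties SmartcardLogonRequired, PasswordLastSet

    foreach ($user in $candidates) {
        if ($Exclude -contains $user.SamAccountName) { continue }
        if (-not $PSCmdlet.ShouldProcess($user.SamAccountName, 'Reset smart card password hash')) { continue }
        try {
            # Clearing and re-setting the flag makes the DC discard the old random
            # password and generate a fresh one; no password is ever chosen by us.
            Set-ADUser @common -Identity $user -SmartcardLogonRequired $false
            Set-ADUser @common -Identity $user -SmartcardLogonRequired $true
            $after = Get-ADUser @common -Identity $user -Properties SmartcardLogonRequired, PasswordLastSet
            [pscustomobject]@{
                Account               = $user.SamAccountName
                SmartcardRequired     = $after.SmartcardLogonRequired   # must be $true again
                PasswordLastSetBefore = $user.PasswordLastSet
                PasswordLastSetAfter  = $after.PasswordLastSet          # expected to advance
                Rotated               = $after.PasswordLastSet -gt $user.PasswordLastSet
            }
        }
        catch {
            # Never leave the account password-capable: restore the flag before reporting.
            Write-Warning "Failed for $($user.SamAccountName): $_"
            Set-ADUser -Server $Server -Identity $user -SmartcardLogonRequired $true -ErrorAction SilentlyContinue
        }
    }
}

# Constructed usage: dry run first (-WhatIf), then run without it from a scheduled job.
Reset-SmartcardAccountHash -SearchBase 'OU=Admin Accounts,DC=example,DC=com' -Exclude 'breakglass' -WhatIf
```

Review the returned objects: any account whose SmartcardRequired is not True, or whose Rotated is False, needs a manual follow-up before the next cycle.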

Tier 0 Equivalency

Most organizations control membership to powerful Tier 0 Active Directory groups like Administrators, Domain Admins, and Enterprise Admins. Many organizations overlook the risk of other groups that are effectively equivalent in privilege in a typical Active Directory environment. These groups offer a relatively easy escalation path for an attacker to the same explicit Tier 0 privileges using various attack methods.

As an example, a server operator could gain access to backup media of a domain controller, extract all the credentials from the files on that media, and use them to escalate privileges.

Organizations should control and monitor membership in all of the Tier 0 groups (including nested membership), including:

  • Enterprise Admins

  • Domain Admins

  • Schema Admins

  • BUILTIN\Administrators

  • Account Operators

  • Backup Operators

  • Print Operators

  • Server Operators

  • Domain Controllers

  • Read-only Domain Controllers

  • Group Policy Creator Owners

  • Cryptographic Operators

  • Other Delegated Groups

    Note

    "Other delegated groups" refers to groups that may be created by your organization to manage directory operations that may also have effective Tier 0 access.
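One way to monitor the groups listed above, including nested membership, as an added example that is not part of Microsoft's guidance: enumerate effective membership and compare it with an approved baseline. The baseline account names and the root-domain query are assumptions.

```powershell
# Added example (not from the Microsoft guidance): report the effective (nested)
# membership of the Tier 0 groups listed above and flag anyone not on an approved
# baseline, so an unexpected addition to e.g. Backup Operators stands out.
# Requires the ActiveDirectory module; runs read-only from an admin workstation.
Import-Module ActiveDirectory

# Built-in group names as they exist in AD. Enterprise Admins and Schema Admins live
# only in the forest root domain; the others exist in every domain, so repeat the
# run per domain with -Server pointed at that domain.
$Tier0Groups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators',
    'Domain Controllers', 'Read-only Domain Controllers',
    'Group Policy Creator Owners', 'Cryptographic Operators'
)

function Get-Tier0Membership {
    param(
        [string[]]$Groups = $Tier0Groups,
        # Assumption: the forest root domain is reachable; a domain name is a valid -Server value.
        [string]$Server = (Get-ADForest).RootDomain
    )
    foreach ($g in $Groups) {
        try {
            # -Recursive expands nested groups down to the users and computers inside them.
            # It can fail on groups holding foreign security principals; the warning tells you which.
            $members = Get-ADGroupMember -Identity $g -Recursive -Server $Server -ErrorAction Stop
        }
        catch {
            Write-Warning "Cannot enumerate '$g' on $Server : $_"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $g
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                DN          = $m.distinguishedName
            }
        }
    }
}

function Compare-Tier0Baseline {
    param(
        [Parameter(Mandatory = $true)][object[]]$Current,
        # Approved baseline: group name -> approved sAMAccountNames, maintained from the
        # change approval board record. Groups absent from it are expected to be empty.
        [Parameter(Mandatory = $true)][hashtable]$Approved
    )
    foreach ($row in $Current) {
        $expected = $Approved.ContainsKey($row.Group) -and ($Approved[$row.Group] -contains $row.Member)
        [pscustomobject]@{
            Group       = $row.Group
            Member      = $row.Member
            ObjectClass = $row.ObjectClass
            Unexpected  = -not $expected
        }
    }
}

# Constructed baseline (placeholder names). "Domain Controllers" should hold only DC
# computer accounts, whose sAMAccountNames end in "$".
$baseline = @{
    'Enterprise Admins'  = @('ea-admin01')
    'Domain Admins'      = @('da-admin01', 'da-admin02')
    'Domain Controllers' = @('DC01$', 'DC02$')
}
$current = Get-Tier0Membership
$drift   = Compare-Tier0Baseline -Current $current -Approved $baseline | Where-Object Unexpected
$drift | Format-Table Group, Member, ObjectClass -AutoSize
```

Every row in $drift is either a change that was approved but not yet recorded in the baseline or an addition nobody approved; both are worth an alert.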

Administrative Tools and Logon Types

This is reference information to help identify the risk of credential exposure associated with using different administrative tools for remote administration.

In a remote administration scenario, credentials are always exposed on the source computer, so a trustworthy privileged access workstation (PAW) is always recommended for sensitive or high-impact accounts. Whether credentials are exposed to potential theft on the target (remote) computer depends primarily on the Windows logon type used by the connection method.

This table includes guidance for the most common administrative tools and connection methods:

| Connection method | Logon type | Reusable credentials on destination | Comments |
|---|---|---|---|
| Log on at console | Interactive | v | Includes hardware remote access / lights-out cards and network KVMs. |
| RUNAS | Interactive | v | |
| RUNAS /NETWORK | NewCredentials | v | Clones current LSA session for local access, but uses new credentials when connecting to network resources. |
| Remote Desktop (success) | RemoteInteractive | v | If the remote desktop client is configured to share local devices and resources, those may be compromised as well. |
| Remote Desktop (failure - logon type was denied) | RemoteInteractive | - | By default, if RDP logon fails, credentials are only stored very briefly. This may not be the case if the computer is compromised. |
| Net use * \\SERVER | Network | - | |
| Net use * \\SERVER /u:user | Network | - | |
| MMC snap-ins to remote computer | Network | - | Example: Computer Management, Event Viewer, Device Manager, Services |
| PowerShell WinRM | Network | - | Example: Enter-PSSession server |
| PowerShell WinRM with CredSSP | NetworkClearText | v | New-PSSession server -Authentication Credssp -Credential cred |
| PsExec without explicit creds | Network | - | Example: PsExec \\server cmd |
| PsExec with explicit creds | Network + Interactive | v | PsExec \\server -u user -p pwd cmd. Creates multiple logon sessions. |
| Remote Registry | Network | - | |
| Remote Desktop Gateway | Network | - | Authenticating to Remote Desktop Gateway. |
| Scheduled task | Batch | v | Password will also be saved as LSA secret on disk. |
| Run tools as a service | Service | v | Password will also be saved as LSA secret on disk. |
| Vulnerability scanners | Network | - | Most scanners default to using network logons, though some vendors may implement non-network logons and introduce more credential theft risk. |

For web authentication, use the reference from the table below:

| Connection method | Logon type | Reusable credentials on destination | Comments |
|---|---|---|---|
| IIS "Basic Authentication" | NetworkCleartext (IIS 6.0+); Interactive (prior to IIS 6.0) | v | |
| IIS "Integrated Windows Authentication" | Network | - | NTLM and Kerberos Providers. |

Column Definitions:

  • Logon type identifies the logon type initiated by the connection.

  • Reusable credentials on destination indicates that the following credential types will be stored in LSASS process memory on the destination computer where the specified account is logged on locally:

    • LM and NT hashes

    • Kerberos TGTs

    • Plaintext password (if applicable).

The symbols in this table are defined as follows:

  • (-) denotes when credentials are not exposed.

  • (v) denotes when credentials are exposed.

For management applications that are not in this table, you can determine the logon type from the logon type field in the audit logon events. For more information, see Audit logon events.

In Windows-based computers, all authentications are processed as one of several logon types, regardless of which authentication protocol or authenticator is used. This table includes the most common logon types and their attributes relative to credential theft:

| Logon type | # | Authenticators accepted | Reusable credentials in LSA session | Examples |
|---|---|---|---|---|
| Interactive (a.k.a., Logon locally) | 2 | Password, Smartcard, other | Yes | Console logon; RUNAS; Hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in server); IIS Basic Auth (before IIS 6.0) |
| Network | 3 | Password, NT Hash, Kerberos ticket | No (except if delegation is enabled, then Kerberos tickets present) | NET USE; RPC calls; Remote registry; IIS integrated Windows auth; SQL Windows auth |
| Batch | 4 | Password (usually stored as LSA secret) | Yes | Scheduled tasks |
| Service | 5 | Password (usually stored as LSA secret) | Yes | Windows services |
| NetworkCleartext | 8 | Password | Yes | IIS Basic Auth (IIS 6.0 and newer); Windows PowerShell with CredSSP |
| NewCredentials | 9 | Password | Yes | RUNAS /NETWORK |
| RemoteInteractive | 10 | Password, Smartcard, other | Yes | Remote Desktop (formerly known as "Terminal Services") |

Column definitions:

  • Logon type is the type of logon requested.

  • # is the numeric identifier for the logon type that is reported in audit events in the Security event log.

  • Authenticators accepted indicates which types of authenticators are able to initiate a logon of this type.

  • Reusable credentials in LSA session indicates whether the logon type results in the LSA session holding credentials, such as plaintext passwords, NT hashes, or Kerberos tickets that could be used to authenticate to other network resources.

  • Examples list common scenarios in which the logon type is used.

Note

For more information about Logon Types, see SECURITY_LOGON_TYPE enumeration.
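Applying the logon-type tables above to the audit log, as an added example that is not part of Microsoft's page: read successful logon events (ID 4624), map the numeric logon type to the table's names and reusable-credential column, and flag sensitive accounts that logged on with a type that leaves credentials on the host. The watched account names are assumptions.

```powershell
# Added example (not from the Microsoft guidance): classify Security event 4624
# (successful logon) by the logon types in the table above and flag those that leave
# reusable credentials in LSASS on the destination. Needs read access to the
# Security log on the host being checked.
$LogonTypeTable = @{
    2  = @{ Name = 'Interactive';       Reusable = $true  }
    3  = @{ Name = 'Network';           Reusable = $false }  # "No" in the table, unless delegation is enabled
    4  = @{ Name = 'Batch';             Reusable = $true  }
    5  = @{ Name = 'Service';           Reusable = $true  }
    8  = @{ Name = 'NetworkCleartext';  Reusable = $true  }
    9  = @{ Name = 'NewCredentials';    Reusable = $true  }
    10 = @{ Name = 'RemoteInteractive'; Reusable = $true  }
}

function Get-CredentialExposingLogons {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1),
        # Accounts that should never leave reusable credentials on a lower-tier host,
        # e.g. Tier 0 admin sAMAccountNames (assumption: the names are yours).
        [string[]]$WatchedAccounts = @()
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

    foreach ($e in $events) {
        # Read EventData fields by name; positional Properties indexes shift between event versions.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        $user = [string]$data['TargetUserName']
        # Skip machine accounts and anonymous logons; they dominate the log and are not admin activity.
        if ($user -like '*$' -or $user -eq 'ANONYMOUS LOGON') { continue }

        $entry    = $LogonTypeTable[$type]
        $typeName = if ($entry) { $entry.Name } else { 'not in table' }
        $reusable = if ($entry) { $entry.Reusable } else { $null }

        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = "$($data['TargetDomainName'])\$user"
            LogonType      = $type
            LogonTypeName  = $typeName
            ReusableOnHost = $reusable
            AuthPackage    = $data['AuthenticationPackageName']
            SourceAddress  = $data['IpAddress']
            WatchedAccount = $WatchedAccounts -contains $user
        }
    }
}

# Constructed usage: on a host that is not Tier 0, a Tier 0 admin appearing with a
# reusable logon type is the row an analyst should look at first.
Get-CredentialExposingLogons -WatchedAccounts 'da-admin01', 'ea-admin01' |
    Where-Object { $_.ReusableOnHost -and $_.WatchedAccount } |
    Sort-Object Time |
    Format-Table Time, Account, LogonTypeName, AuthPackage, SourceAddress -AutoSize
```

Logon types the page's table does not list (for example 7, Unlock, or 11, CachedInteractive) are reported as "not in table" rather than guessed; extend $LogonTypeTable from the SECURITY_LOGON_TYPE enumeration if you need them.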