Dynamic Access Control Overview

Applies To: Windows Server 2012 R2, Windows Server 2012

This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.

Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.

For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user's permissions change dynamically, without additional administrator intervention, if the user's job or role changes (resulting in changes to the user's account attributes in AD DS).

Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.

Features and concepts associated with Dynamic Access Control include:

Central access rules

A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy.

If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements.

Central access policies

Central access policies are authorization policies that include conditional expressions. For example, suppose an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and those members of the human resources (HR) department who are allowed to view PII. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to:

  • Identify and mark the files that contain the PII.

  • Identify the group of HR members who are allowed to view the PII information.

  • Add the central access rule to a central access policy, and apply the central access policy to all files that contain the PII, wherever they are located among the file servers across the organization.

Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders.

Claims

A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user's title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can carry more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:

  • User claims: Active Directory attributes that are associated with a specific user.

  • Device claims: Active Directory attributes that are associated with a specific computer object.

  • Resource attributes: global resource properties that are marked for use in authorization decisions and published in Active Directory.

Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.

Expressions

Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or through the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).

Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments.

Proposed permissions

Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.

Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing the changes.
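The PII scenario in the Central access policies section and the staged rollout described under Proposed permissions can both be expressed with the ActiveDirectory PowerShell module. The script below is an added example, not code from the original page or from Microsoft: it assumes a Windows Server 2012 domain controller with the ActiveDirectory module, a Domain Admin account, a constructed HR group named "HR-PII-Readers", and constructed claim, property, rule and policy names. The claim type ID "ad://ext/Department", the resource property ID "ContainsPII_MS" and the conditional-ACE syntax inside the SDDL string are assumptions to verify in the Central Access Rule editor of ADAC before use.

```powershell
# Added example: stage a central access policy for PII files, then promote it.
# Not from the original page. Names below are constructed for illustration.
Import-Module ActiveDirectory

# 1. User claim sourced from the AD "department" attribute. An explicit -ID keeps
#    the claim type name predictable when it is referenced in ACE conditions
#    (assumption: default IDs get a random hex suffix appended).
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -ID "ad://ext/Department"

# 2. Resource property used to mark files that contain PII. Adding it to the
#    Global Resource Property List makes file servers download it.
New-ADResourceProperty -DisplayName "ContainsPII" -ID "ContainsPII_MS" `
    -ResourcePropertyValueType "MS-DS-Text" -IsSecured $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "ContainsPII"

# 3. Resolve the SID of the (constructed) group of HR staff cleared for PII.
$hrSid = (Get-ADGroup -Identity "HR-PII-Readers").SID.Value

# 4. Central access rule. The resource condition scopes it to files marked
#    ContainsPII = Yes. The ACL is staged as a PROPOSED ACL only: owner (OW),
#    Administrators (BA) and SYSTEM (SY) keep full control; the XA (conditional
#    allow) ACE grants read/execute (0x1200a9) to the HR group, and only when the
#    caller also carries a Department claim equal to "HR".
$proposedAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
               "(XA;;0x1200a9;;;$hrSid;(@USER.ad://ext/Department == `"HR`"))"
New-ADCentralAccessRule -Name "PII Files - HR read" `
    -ResourceCondition '(@RESOURCE.ContainsPII_MS == "Yes")' `
    -ProposedAcl $proposedAcl

# 5. Wrap the rule in a policy; the policy object is what Group Policy
#    (File System\Central Access Policy) deploys to file servers.
New-ADCentralAccessPolicy -Name "PII Policy"
Add-ADCentralAccessPolicyMember -Identity "PII Policy" -Members "PII Files - HR read"

# 6. After reviewing staged central access policy audit events (which show
#    where the proposed ACL would differ from current access), copy the
#    proposed ACL into the effective (current) ACL.
$rule = Get-ADCentralAccessRule -Identity "PII Files - HR read"
Set-ADCentralAccessRule -Identity $rule -CurrentAcl $rule.ProposedAcl
```

Step 6 is the point of proposed permissions: until it runs, the rule changes nothing for users, and the audit log is the only place the new policy is visible. Files still have to be classified (the ContainsPII property set on them, for example by File Classification Infrastructure) before the resource condition matches anything.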

Additional changes

Additional enhancements in the supported versions of Windows that support Dynamic Access Control include:

Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups.

By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include the data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of both the user and the device on resources that recognize Dynamic Access Control.

Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.

Every domain controller needs to have the same Administrative Template policy setting, which is located at Computer Configuration\Policies\Administrative Templates\System\KDC\Support Dynamic Access Control and Kerberos armoring.

Support in Active Directory to store user and device claims, resource properties, and central access policy objects.

Support for using Group Policy to deploy central access policy objects.

The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: Computer Configuration\Policies\Windows Settings\Security Settings\File System\Central Access Policy.

Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing.

You must enable staged central access policy auditing to audit the effective access of a central access policy by using proposed permissions. You configure this setting for the computer under Advanced Audit Policy Configuration in the Security Settings of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network.

Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts.

You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims:

  • Value-based filtering: filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering incoming claims with specific values from the trusted forest.

  • Claim type-based filtering: filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest.

  • Claim type-based transformation: manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim type, the claim value, or both.
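The three scenarios above map onto claims transformation policies linked to a forest trust object. The script below is an added example, not code from the original page or from Microsoft. It assumes two constructed forests, contoso.com (the trusted, account forest) and fabrikam.com (the trusting, resource forest), the claim type ID "ad://ext/Department" and a constructed "Executive" department value; the claims transformation rule syntax and the -TrustRole semantics are assumptions to validate against the cmdlet help before use.

```powershell
# Added example: claim filtering and transformation on a forest trust.
# Not from the original page; forest names, claim IDs and values are constructed.
Import-Module ActiveDirectory

# --- Run on a domain controller in the TRUSTED forest (contoso.com) ----------
# Claim type-based filtering plus transformation for OUTGOING claims.
# A rule-based policy issues only what its rules produce, so any claim type
# without a matching rule is dropped (type-based filtering), and the Department
# value is generalized before it leaves the forest (type-based transformation).
# Assumed rule syntax: C1:[conditions] => Issue(...);
$outboundRules = @'
C1:[Type=="ad://ext/Department", Value=="Human Resources"]
    => Issue(Type=C1.Type, Value="HR", ValueType=C1.ValueType);
C1:[Type=="ad://ext/Department", Value!="Human Resources"]
    => Issue(Type=C1.Type, Value="Other", ValueType=C1.ValueType);
'@
New-ADClaimTransformPolicy -Name "Outbound-GeneralizeDepartment" -Rule $outboundRules

# Link the policy to the trust with fabrikam.com. Assumption: -TrustRole Trusted
# applies the policy where this forest plays the trusted (claim-issuing) role.
Set-ADClaimTransformLink -Identity "fabrikam.com" `
    -Policy "Outbound-GeneralizeDepartment" -TrustRole Trusted

# --- Run on a domain controller in the TRUSTING forest (fabrikam.com) ---------
# Value-based filtering for INCOMING claims: never accept a Department claim
# whose value is "Executive" from the partner forest, so a claim minted there
# cannot satisfy a local access rule keyed on that value. Every other
# Department claim passes through unchanged.
$inboundRules = @'
C1:[Type=="ad://ext/Department", Value!="Executive"]
    => Issue(Claim=C1);
'@
New-ADClaimTransformPolicy -Name "Inbound-DropExecutive" -Rule $inboundRules
Set-ADClaimTransformLink -Identity "contoso.com" `
    -Policy "Inbound-DropExecutive" -TrustRole Trusting

# Simplest form of type-based filtering, when no value rewriting is needed:
# pass only the Department claim type and deny everything else.
New-ADClaimTransformPolicy -Name "Outbound-DepartmentOnly" -DenyAllExcept "Department"
```

Each trust direction carries one linked policy, so a rule-based policy that both filters and transforms (as in the first block) is preferable to trying to stack a -DenyAllExcept policy with a -Rule policy on the same trust role. Keep the inbound filter in the trusting forest: the trusted forest's cooperation is not something the resource owner should have to rely on.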

Software requirements

Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions:

  • Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server.

  • Devices running the supported versions of Windows, or devices that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control.

For domains that support user claims, every domain controller running the supported versions of Windows Server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:

  • Always provide claims: use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.

  • Supported: when you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control.

If the user domain and the file server domain are in different forests, all domain controllers in the file server's forest root must be set at the Windows Server 2012 or higher functional level.

If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests.

If claims are transformed when they leave a forest, all domain controllers in the user's forest root must be set at the Windows Server 2012 or higher functional level.

A file server running Windows Server 2012 or Windows Server 2012 R2 must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting defaults to Automatic, which turns the Group Policy setting On if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy setting to On so that the server knows to request claims on behalf of users that do not provide claims when they access the server.

Additional resources

For information about implementing solutions based on this technology, see Dynamic Access Control: Scenario Overview.