Network Policy Server Best Practices

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn about best practices for deploying and managing Network Policy Server (NPS).

The following sections provide best practices for different aspects of your NPS deployment.

Accounting

Following are the best practices for NPS logging.

There are two types of accounting, or logging, in NPS:

  • Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. This is used primarily for auditing and troubleshooting connection attempts.

  • Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000 database. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method of tracking down the activity of an attacker.
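The following PowerShell is an added example and is not part of the Microsoft topic. It shows the auditing use of NPS event logging described above: NPS on Windows Server 2008 and later records authentication outcomes in the Security log as events 6272 (access granted), 6273 (access denied) and 6274 (request discarded), which this topic does not list. The script reads those events, extracts the account, RADIUS client and reason code from the event text, and summarizes denials per account and client. The embedded sample messages are constructed and abbreviated so the parsing part runs without a live NPS server; the "Audit Network Policy Server" subcategory must be enabled for the real events to exist.

```powershell
# Added example, not from the Microsoft page. Summarize NPS authentication
# outcomes from the Security event log (event IDs 6272/6273/6274).

function Get-NpsAuthEvent {
    # Live query: NPS audit events from the last N hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273, 6274
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction Stop
}

function ConvertFrom-NpsAuthEvent {
    # Turn an event (anything with Id, TimeCreated, Message) into a flat record.
    param([Parameter(ValueFromPipeline = $true)] $Event)
    begin { $outcome = @{ 6272 = 'Granted'; 6273 = 'Denied'; 6274 = 'Discarded' } }
    process {
        $m = $Event.Message
        $account = if ($m -match 'Account Name:\s+(\S+)')          { $Matches[1] } else { $null }
        $client  = if ($m -match 'Client Friendly Name:\s+([^\r\n]+)') { $Matches[1].Trim() } else { $null }
        $reason  = if ($m -match 'Reason Code:\s+(\d+)')           { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            Outcome    = $outcome[[int]$Event.Id]
            Account    = $account
            Client     = $client
            ReasonCode = $reason
        }
    }
}

function Get-NpsDenialSummary {
    # Count denials per (account, client, reason) so repeated failures stand out.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    begin { $all = @() }
    process { $all += $Record }
    end {
        $all | Where-Object Outcome -eq 'Denied' |
            Group-Object Account, Client, ReasonCode |
            Sort-Object Count -Descending |
            Select-Object Count, @{ n = 'Account'; e = { $_.Group[0].Account } },
                                 @{ n = 'Client';  e = { $_.Group[0].Client } },
                                 @{ n = 'ReasonCode'; e = { $_.Group[0].ReasonCode } }
    }
}

# Constructed sample events (abbreviated 6273/6272 message layout) for offline use.
$sample = @(
    [pscustomobject]@{ Id = 6273; TimeCreated = Get-Date; Message = @"
Network Policy Server denied access to a user.

User:
	Account Name:			jdoe
	Account Domain:			CONTOSO

Client Machine:
	Calling Station Identifier:	00-11-22-33-44-55

RADIUS Client:
	Client Friendly Name:		Branch-WLC-01
	Client IP Address:		192.0.2.10

Authentication Details:
	Reason Code:			16
	Reason:				Authentication failed due to a user credentials mismatch.
"@ },
    [pscustomobject]@{ Id = 6273; TimeCreated = Get-Date; Message = "`tAccount Name:`t`tjdoe`r`n`tClient Friendly Name:`t`tBranch-WLC-01`r`n`tReason Code:`t`t16`r`n" },
    [pscustomobject]@{ Id = 6272; TimeCreated = Get-Date; Message = "`tAccount Name:`t`tasmith`r`n`tClient Friendly Name:`t`tHQ-VPN`r`n`tReason Code:`t`t0`r`n" }
)

# Offline run over the constructed sample; swap in Get-NpsAuthEvent on a real server.
$sample | ConvertFrom-NpsAuthEvent | Get-NpsDenialSummary | Format-Table -AutoSize
# On the NPS server: Get-NpsAuthEvent -Hours 24 | ConvertFrom-NpsAuthEvent | Get-NpsDenialSummary
```

The parsing keys on the labelled fields in the event text rather than on property indices, so it tolerates the small layout differences between the 6272 and 6273 messages; if you need exact fields, read the event XML (`$event.ToXml()`) instead.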

To make the most effective use of NPS logging:

  • Turn on logging (initially) for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.

  • Ensure that event logging is configured with a capacity that is sufficient to maintain your logs.

  • Back up all log files on a regular basis because they cannot be recreated when they are damaged or deleted.

  • Use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage. Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage.

  • If your network access servers and RADIUS proxy servers periodically send fictional connection request messages to NPS to verify that the NPS server is online, use the ping user-name registry setting. This setting configures NPS to automatically reject these false connection requests without processing them. In addition, NPS does not record transactions involving the fictional user name in any log files, which makes the event log easier to interpret.

  • Disable NAS Notification Forwarding. You can disable the forwarding of start and stop messages from network access servers (NASs) to members of a remote RADIUS server group that is configured in NPS. For more information, see Disable NAS Notification Forwarding.

For more information, see Configure Network Policy Server Accounting.

  • To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database replication between the two servers. For more information, see SQL Server Technical Documentation and SQL Server Replication.

Authentication

Following are the best practices for authentication.

  • Use certificate-based authentication methods such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP) for strong authentication. Do not use password-only authentication methods because they are vulnerable to a variety of attacks and are not secure. For secure wireless authentication, using PEAP-MS-CHAP v2 is recommended, because the NPS server proves its identity to wireless clients by using a server certificate, while users prove their identity with their user name and password. For more information about using NPS in your wireless deployment, see Deploy Password-Based 802.1X Authenticated Wireless Access.

  • Deploy your own certification authority (CA) with Active Directory® Certificate Services (AD CS) when you use strong certificate-based authentication methods, such as PEAP and EAP, that require the use of a server certificate on NPS servers. You can also use your CA to enroll computer certificates and user certificates. For more information on deploying server certificates to NPS and Remote Access servers, see Deploy Server Certificates for 802.1X Wired and Wireless Deployments.

Client computer configuration

Following are the best practices for client computer configuration.

  • Automatically configure all of your domain member 802.1X client computers by using Group Policy. For more information, see the section "Configure Wireless Network (IEEE 802.11) Policies" in the topic Wireless Access Deployment.

Installation suggestions

Following are the best practices for installing NPS.

  • Before installing NPS, install and test each of your network access servers using local authentication methods before you configure them as RADIUS clients in NPS.

  • After you install and configure NPS, save the configuration by using the Windows PowerShell command Export-NpsConfiguration. Save the NPS configuration with this command each time you reconfigure the NPS server.

Warning

  • The exported NPS configuration file contains unencrypted shared secrets for RADIUS clients and members of remote RADIUS server groups. Because of this, make sure that you save the file to a secure location.

  • The export process does not include logging settings for Microsoft SQL Server in the exported file. If you import the exported file to another NPS server, you must manually configure SQL Server Logging on the new server.
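The following PowerShell is an added example, not code from the Microsoft topic. It wraps Export-NpsConfiguration so that every backup is timestamped and immediately restricted to SYSTEM and the local Administrators group, which addresses the warning that the file holds RADIUS shared secrets in clear text. The backup folder and server names are assumptions; the ACL check function can be reused to audit existing exports.

```powershell
# Added example, not from the Microsoft page. Export the NPS configuration and
# lock the file down, since the XML contains unencrypted RADIUS shared secrets.

function Backup-NpsConfig {
    param(
        [string]$BackupRoot = 'D:\NpsBackup'   # assumed: a folder on a protected, backed-up volume
    )
    if (-not (Test-Path -Path $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path -Path $BackupRoot -ChildPath "nps-$env:COMPUTERNAME-$stamp.xml"

    Export-NpsConfiguration -Path $file

    # Replace the DACL: no inheritance, FullControl only for SYSTEM and Administrators.
    $sec = New-Object System.Security.AccessControl.FileSecurity
    $sec.SetAccessRuleProtection($true, $false)
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {          # SYSTEM, BUILTIN\Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $sec.AddAccessRule($rule)
    }
    Set-Acl -Path $file -AclObject $sec
    return $file
}

function Test-NpsBackupAcl {
    # True only if every ACE on the file belongs to SYSTEM or Administrators.
    param([Parameter(Mandatory = $true)][string]$Path)
    $allowed = 'S-1-5-18', 'S-1-5-32-544'
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($allowed -notcontains $sid) { return $false }
    }
    return $true
}

function Restore-NpsConfig {
    # Import on a (new) NPS server. SQL Server logging is not in the file and
    # must be configured again afterwards, as the warning above states.
    param([Parameter(Mandatory = $true)][string]$Path)
    Import-NpsConfiguration -Path $Path
    Write-Warning 'SQL Server logging settings are not imported; reconfigure them on this server.'
}

# Usage (run on the NPS server, elevated):
$backup = Backup-NpsConfig
if (-not (Test-NpsBackupAcl -Path $backup)) {
    Write-Warning "ACL on $backup is wider than SYSTEM and Administrators"
}
```

Run Backup-NpsConfig after each configuration change, as the topic recommends; if the backups are copied off the server, keep the same restriction on the destination, since the shared secrets travel with the file.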

Performance tuning NPS

Following are the best practices for performance tuning NPS.

  • To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.

  • When universal principal names (UPNs) or Windows Server 2008 and Windows Server 2003 domains are used, NPS uses the global catalog to authenticate users. To minimize the time it takes to do this, install NPS on either a global catalog server or a server that is on the same subnet as the global catalog server.

  • When you have remote RADIUS server groups configured and, in NPS Connection Request Policies, you clear the Record accounting information on the servers in the following remote RADIUS server group check box, these groups are still sent network access server (NAS) start and stop notification messages. This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group by clearing the Forward network start and stop notifications to this server check box.

Using NPS in large organizations

Following are the best practices for using NPS in large organizations.

  • If you are using network policies to restrict access for all but certain groups, create a universal group for all of the users for whom you want to allow access, and then create a network policy that grants access for this universal group. Do not put all of your users directly into the universal group, especially if you have a large number of them on your network. Instead, create separate groups that are members of the universal group, and add users to those groups.

  • Use a user principal name to refer to users whenever possible. A user can have the same user principal name regardless of domain membership. This practice provides scalability that might be required in organizations with a large number of domains.

  • If you installed Network Policy Server (NPS) on a computer other than a domain controller and the NPS server is receiving a large number of authentication requests per second, you can improve NPS performance by increasing the number of concurrent authentications allowed between the NPS server and the domain controller. For more information, see
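The following PowerShell is an added example, not from the Microsoft topic, of the group layout recommended in the first bullet: one universal security group that the NPS network policy's group condition references, with per-unit global groups nested inside it and users placed only in those. Group names, the OU path and the sample user names are assumptions; the ActiveDirectory module from RSAT is required.

```powershell
# Added example, not from the Microsoft page. Build the nested group structure
# for an NPS network policy and check that no user sits directly in the
# universal group.
Import-Module ActiveDirectory

$ouPath    = 'OU=Access Groups,DC=corp,DC=example'   # assumed OU
$universal = 'NPS-VPN-Access'                        # assumed; referenced by the network policy

function Ensure-AdGroup {
    # Create the group if it does not exist; return the group object.
    param([string]$Name, [string]$Scope, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path -PassThru
    }
    return $g
}

function Test-NoDirectUsers {
    # True if every direct member of the group is itself a group.
    param([string]$GroupName)
    $direct = @(Get-ADGroupMember -Identity $GroupName | Where-Object objectClass -eq 'user')
    return ($direct.Count -eq 0)
}

Ensure-AdGroup -Name $universal -Scope Universal -Path $ouPath | Out-Null

# Constructed sample: one global group per business unit with its users.
$memberGroups = @{
    'NPS-VPN-Access-Sales' = @('jdoe', 'asmith')
    'NPS-VPN-Access-Eng'   = @('bwong')
}

foreach ($name in $memberGroups.Keys) {
    Ensure-AdGroup -Name $name -Scope Global -Path $ouPath | Out-Null
    Add-ADGroupMember -Identity $universal -Members $name               # group nests in the universal group
    Add-ADGroupMember -Identity $name -Members $memberGroups[$name]     # users go only into the unit group
}

# Audit: the universal group must contain groups, never individual users.
if (-not (Test-NoDirectUsers -GroupName $universal)) {
    Write-Warning "$universal has direct user members; move them into a member group."
}
```

The network policy itself is still created in the NPS console (Conditions > User Groups, selecting the universal group); the script only prepares the directory objects it depends on.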

Security issues

Following are the best practices for reducing security issues.

When you are administering a NPS server remotely, do not send sensitive or confidential data (for example, shared secrets or passwords) over the network in plaintext. There are two recommended methods for remote administration of NPS servers:

  • Use Remote Desktop Services to access the NPS server. When you use Remote Desktop Services, data is not sent between client and server. Only the user interface of the server (for example, the operating system desktop and NPS console image) is sent to the Remote Desktop Services client, which is named Remote Desktop Connection in Windows® 10. The client sends keyboard and mouse input, which is processed locally by the server that has Remote Desktop Services enabled. When Remote Desktop Services users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. In addition, Remote Desktop Connection provides 128-bit encryption between client and server.

  • Use Internet Protocol security (IPsec) to encrypt confidential data. You can use IPsec to encrypt communication between the NPS server and the remote client computer that you are using to administer NPS. To administer the server remotely, you can install the Remote Server Administration Tools for Windows 10 on the client computer. After installation, use the Microsoft Management Console (MMC) to add the NPS server snap-in to the console.
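The following PowerShell is an added example, not from the Microsoft topic, of the IPsec method in the second bullet. Run on the NPS server, it requires IPsec with computer Kerberos authentication for all traffic to and from an assumed management subnet, so both a Remote Desktop session and the MMC NPS snap-in from that subnet are encrypted, and it restricts inbound RDP to that subnet with an IPsec-authenticated firewall rule. The subnet is an assumption; RADIUS clients are assumed to sit outside it, so their traffic is not affected.

```powershell
# Added example, not from the Microsoft page. Require IPsec for administrative
# traffic between the NPS server and the management subnet.

$adminSubnet = '10.10.50.0/24'   # assumed management subnet (administrators' workstations)

# Phase 1 authentication: the domain-joined admin workstation authenticates with its
# computer account via Kerberos, so no pre-shared key is needed.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'NPS admin - machine Kerberos' -Proposal $proposal

# Require IPsec in both directions for everything from the admin subnet. Use
# -InboundSecurity Request first if you need to confirm the workstations negotiate
# correctly before enforcing it; Require drops unauthenticated traffic.
New-NetIPsecRule -DisplayName 'Require IPsec for NPS remote administration' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -RemoteAddress $adminSubnet

# Firewall: allow RDP only from the admin subnet and only over an authenticated IPsec connection.
New-NetFirewallRule -DisplayName 'NPS admin RDP (IPsec required)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $adminSubnet -Authentication Required -Action Allow

function Test-NpsAdminIpsecRule {
    # True if the enforcement rule exists and is enabled.
    $r = Get-NetIPsecRule -DisplayName 'Require IPsec for NPS remote administration' -ErrorAction SilentlyContinue
    return ($null -ne $r -and $r.Enabled -eq 'True')
}

Test-NpsAdminIpsecRule
```

After an administrator connects, `Get-NetIPsecMainModeSA` on the server should list a security association with the workstation's address; if it does not, the workstation is either outside the subnet or failed Kerberos machine authentication, and the Require rule is silently dropping its packets.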

Important

You can install Remote Server Administration Tools for Windows 10 only on the full release of Windows 10 Professional or Windows 10 Enterprise.

For more information about NPS, see Network Policy Server (NPS).