Network Policy Server Best Practices

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn about best practices for deploying and managing Network Policy Server (NPS).

The following sections provide best practices for different aspects of your NPS deployment.

Accounting

Following are the best practices for NPS logging.

There are two types of accounting, or logging, in NPS:

  • Event logging for NPS. You can use event logging to record NPS events in the system and security event logs. This is used primarily for auditing and troubleshooting connection attempts.

  • Logging user authentication and accounting requests. You can log user authentication and accounting requests to log files in text format or database format, or you can log to a stored procedure in a SQL Server 2000 database. Request logging is used primarily for connection analysis and billing purposes, and is also useful as a security investigation tool, providing you with a method of tracking down the activity of an attacker.

To make the most effective use of NPS logging:

  • Turn on logging (initially) for both authentication and accounting records. Modify these selections after you have determined what is appropriate for your environment.

  • Ensure that event logging is configured with a capacity that is sufficient to maintain your logs.

  • Back up all log files on a regular basis because they cannot be recreated when they are damaged or deleted.

  • Use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage. Although the automatically generated Class attribute is unique for each request, duplicate records might exist in cases where the reply to the access server is lost and the request is resent. You might need to delete duplicate requests from your logs to accurately track usage.

  • If your network access servers and RADIUS proxy servers periodically send fictional connection request messages to NPS to verify that the NPS is online, use the ping user-name registry setting. This setting configures NPS to automatically reject these false connection requests without processing them. In addition, NPS does not record transactions involving the fictional user name in any log files, which makes the event log easier to interpret.

  • Disable NAS Notification Forwarding. You can disable the forwarding of start and stop messages from network access servers (NASs) to members of a remote RADIUS server group that is configured in NPS. For more information, see Disable NAS Notification Forwarding.

For more information, see Configure Network Policy Server Accounting.

  • To provide failover and redundancy with SQL Server logging, place two computers running SQL Server on different subnets. Use the SQL Server Create Publication Wizard to set up database replication between the two servers. For more information, see SQL Server Technical Documentation and SQL Server Replication.
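The duplicate-record situation described above (a NAS retransmits an accounting request after the reply is lost) can be spotted from the Class attribute. The following script is an added example, not code from the original page or from Microsoft; it assumes the log is in the DTS-compliant XML format with one <Event> per line, and the three sample lines are constructed for illustration. Because Start and Stop records for one session carry the same Class value (RFC 2865), the key used is Class plus Acct-Status-Type.

```powershell
# Added example: report accounting requests logged twice under the same RADIUS Class.
# Assumption: DTS-compliant XML log, one <Event> per line. Sample lines are constructed.
$sampleLog = @'
<Event><Timestamp data_type="4">03/01/2019 09:15:02.113</Timestamp><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">CONTOSO\alice</User-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">A1B2C3</Acct-Session-Id><Class data_type="1">311 1 10.0.0.5 03/01/2019 09:15:01 7</Class></Event>
<Event><Timestamp data_type="4">03/01/2019 09:15:07.420</Timestamp><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">CONTOSO\alice</User-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">A1B2C3</Acct-Session-Id><Class data_type="1">311 1 10.0.0.5 03/01/2019 09:15:01 7</Class></Event>
<Event><Timestamp data_type="4">03/01/2019 10:02:44.005</Timestamp><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">CONTOSO\alice</User-Name><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">A1B2C3</Acct-Session-Id><Class data_type="1">311 1 10.0.0.5 03/01/2019 09:15:01 7</Class></Event>
'@

$statusName = @{ '1' = 'Start'; '2' = 'Stop'; '3' = 'Interim-Update' }   # RFC 2866 values

function Get-NpsDuplicateAccounting {
    param([Parameter(Mandatory)][string[]]$Lines)
    $seen = @{}   # Class|status -> timestamp of the first record with that key
    foreach ($line in $Lines) {
        if ($line -notmatch '^<Event>') { continue }
        $e = ([xml]$line).Event
        if ($e.'Packet-Type'.'#text' -ne '4') { continue }   # 4 = Accounting-Request
        $status = $e.'Acct-Status-Type'.'#text'
        $key    = '{0}|{1}' -f $e.Class.'#text', $status
        if ($seen.ContainsKey($key)) {
            # Same Class and same status type already logged: a retransmitted request.
            [pscustomobject]@{
                UserName    = $e.'User-Name'.'#text'
                StatusType  = $statusName[$status]
                SessionId   = $e.'Acct-Session-Id'.'#text'
                FirstSeen   = $seen[$key]
                DuplicateAt = $e.Timestamp.'#text'
            }
        } else {
            $seen[$key] = $e.Timestamp.'#text'
        }
    }
}

# Usage with the constructed sample: only the retransmitted Start record is reported;
# the Stop record shares the Class but has a different status type, so it is kept.
Get-NpsDuplicateAccounting -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it against a real file, pass `(Get-Content <path-to-log>)` as -Lines; the report lists the records you would remove before computing usage from the remaining ones.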

Authentication

Following are the best practices for authentication.

  • Use certificate-based authentication methods such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP) for strong authentication. Do not use password-only authentication methods because they are vulnerable to a variety of attacks and are not secure. For secure wireless authentication, using PEAP-MS-CHAP v2 is recommended, because the NPS proves its identity to wireless clients by using a server certificate, while users prove their identity with their user name and password. For more information about using NPS in your wireless deployment, see Deploy Password-Based 802.1X Authenticated Wireless Access.
  • Deploy your own certification authority (CA) with Active Directory® Certificate Services (AD CS) when you use strong certificate-based authentication methods, such as PEAP and EAP, that require the use of a server certificate on NPSs. You can also use your CA to enroll computer certificates and user certificates. For more information on deploying server certificates to NPS and Remote Access servers, see Deploy Server Certificates for 802.1X Wired and Wireless Deployments.

Important

Network Policy Server (NPS) does not support the use of Extended ASCII characters within passwords.

Client computer configuration

Following are the best practices for client computer configuration.

  • Automatically configure all of your domain member 802.1X client computers by using Group Policy. For more information, see the section "Configure Wireless Network (IEEE 802.11) Policies" in the topic Wireless Access Deployment.

Installation suggestions

Following are the best practices for installing NPS.

  • Before installing NPS, install and test each of your network access servers using local authentication methods before you configure them as RADIUS clients in NPS.

  • After you install and configure NPS, save the configuration by using the Windows PowerShell command Export-NpsConfiguration. Save the NPS configuration with this command each time you reconfigure the NPS.

Warning

  • The exported NPS configuration file contains unencrypted shared secrets for RADIUS clients and members of remote RADIUS server groups. Because of this, make sure that you save the file to a secure location.
  • The export process does not include logging settings for Microsoft SQL Server in the exported file. If you import the exported file to another NPS, you must manually configure SQL Server Logging on the new server.
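The export step and the warning about clear-text shared secrets can be handled together. The following script is an added example, not from the original page or from Microsoft: it runs Export-NpsConfiguration, restricts the file to SYSTEM and local Administrators, and encrypts it with Protect-CmsMessage before the plaintext copy is deleted. The backup folder and the certificate subject are placeholders; the certificate must carry the Document Encryption enhanced key usage that Protect-CmsMessage requires.

```powershell
# Added example: export the NPS configuration after every change and protect the file,
# because the XML holds RADIUS shared secrets in clear text.
# Assumptions: $BackupDir and $RecipientCert are placeholders for your own values.
#Requires -RunAsAdministrator
param(
    [string]$BackupDir     = 'D:\NpsBackup',                 # placeholder: secured local folder
    [string]$RecipientCert = 'cn=nps-backup-encryption'      # placeholder: Document Encryption cert subject
)
Import-Module NPS

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$xmlPath = Join-Path $BackupDir "nps-$env:COMPUTERNAME-$stamp.xml"
$cmsPath = "$xmlPath.cms"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export. The resulting XML contains unencrypted shared secrets for RADIUS clients
#    and remote RADIUS server group members.
Export-NpsConfiguration -Path $xmlPath

# 2. Tighten NTFS permissions first: remove inherited entries and allow only SYSTEM
#    and the local Administrators group, so no broader ACL on the folder applies.
$acl = Get-Acl -Path $xmlPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $xmlPath -AclObject $acl

# 3. Encrypt to a document-encryption certificate (CMS) so the copy that leaves this host
#    never carries the secrets in clear text, then delete the plaintext export.
#    Restore later with Unprotect-CmsMessage -Path $cmsPath -OutFile <xml>, then
#    Import-NpsConfiguration -Path <xml> on the target server.
Protect-CmsMessage -To $RecipientCert -Path $xmlPath -OutFile $cmsPath
Remove-Item -Path $xmlPath

# 4. The export does not carry SQL Server logging settings; they must be recreated by hand
#    after importing on a replacement server.
Write-Host "Exported NPS configuration to $cmsPath (SQL Server logging settings are not included)."
```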

Performance tuning NPS

Following are the best practices for performance tuning NPS.

  • To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.

  • When universal principal names (UPNs) or Windows Server 2008 and Windows Server 2003 domains are used, NPS uses the global catalog to authenticate users. To minimize the time it takes to do this, install NPS on either a global catalog server or a server that is on the same subnet as the global catalog server.

  • When you have remote RADIUS server groups configured and, in NPS Connection Request Policies, you clear the Record accounting information on the servers in the following remote RADIUS server group check box, these groups are still sent network access server (NAS) start and stop notification messages. This creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group by clearing the Forward network start and stop notifications to this server check box.

Using NPS in large organizations

Following are the best practices for using NPS in large organizations.

  • If you are using network policies to restrict access for all but certain groups, create a universal group for all of the users for whom you want to allow access, and then create a network policy that grants access for this universal group. Do not put all of your users directly into the universal group, especially if you have a large number of them on your network. Instead, create separate groups that are members of the universal group, and add users to those groups.

  • Use a user principal name to refer to users whenever possible. A user can have the same user principal name regardless of domain membership. This practice provides scalability that might be required in organizations with a large number of domains.

  • If you installed Network Policy Server (NPS) on a computer other than a domain controller and the NPS is receiving a large number of authentication requests per second, you can improve NPS performance by increasing the number of concurrent authentications allowed between the NPS and the domain controller. For more information, see

Security issues

Following are the best practices for reducing security issues.

When you are administering an NPS remotely, do not send sensitive or confidential data (for example, shared secrets or passwords) over the network in plaintext. There are two recommended methods for remote administration of NPSs:

  • Use Remote Desktop Services to access the NPS. When you use Remote Desktop Services, data is not sent between client and server. Only the user interface of the server (for example, the operating system desktop and NPS console image) is sent to the Remote Desktop Services client, which is named Remote Desktop Connection in Windows® 10. The client sends keyboard and mouse input, which is processed locally by the server that has Remote Desktop Services enabled. When Remote Desktop Services users log on, they can view only their individual client sessions, which are managed by the server and are independent of each other. In addition, Remote Desktop Connection provides 128-bit encryption between client and server.

  • Use Internet Protocol security (IPsec) to encrypt confidential data. You can use IPsec to encrypt communication between the NPS and the remote client computer that you are using to administer NPS. To administer the server remotely, you can install the Remote Server Administration Tools for Windows 10 on the client computer. After installation, use the Microsoft Management Console (MMC) to add the NPS snap-in to the console.

Important

You can install Remote Server Administration Tools for Windows 10 only on the full release of Windows 10 Professional or Windows 10 Enterprise.

For more information about NPS, see Network Policy Server (NPS).