Credentials Protection and Management

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional discusses features and methods introduced in Windows Server 2012 R2 and Windows 8.1 for credential protection and domain authentication controls to reduce credential theft.

Restricted Admin mode for Remote Desktop Connection

Restricted Admin mode provides a method of interactively logging on to a remote host server without transmitting your credentials to the server. This prevents your credentials from being harvested during the initial connection process if the server has been compromised.

When this mode is used with administrator credentials, the remote desktop client attempts to interactively log on to a host that also supports this mode without sending credentials. When the host verifies that the user account connecting to it has administrator rights and supports Restricted Admin mode, the connection succeeds. Otherwise, the connection attempt fails. Restricted Admin mode does not at any point send plain text or other reusable forms of credentials to remote computers.

LSA protection

The Local Security Authority (LSA), which resides within the Local Security Authority Subsystem Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. This protected process setting for LSA can be configured in Windows 8.1, but it is on by default in Windows RT 8.1 and cannot be changed there.

For information about configuring LSA protection, see Configuring Additional LSA Protection.
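The following added example (not code from the original article) audits the two host-side settings covered so far: whether the host accepts Restricted Admin connections and whether LSASS is configured to run, and actually started, as a protected process. The registry values and event IDs are the ones documented for Windows 8.1 / Windows Server 2012 R2 and later; run it elevated on the host being checked.

```powershell
# Added example: audit Restricted Admin mode and LSA protection on the local host.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value is absent so callers can treat "not set" explicitly.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Restricted Admin: DisableRestrictedAdmin = 0 lets the host accept
# "mstsc.exe /RestrictedAdmin" connections; 1 (or absent on updated hosts) disables it.
$restrictedAdmin = Get-RegDword $lsaKey 'DisableRestrictedAdmin'

# LSA protection: RunAsPPL = 1 starts LSASS as a protected process (PPL) at next boot.
$runAsPpl = Get-RegDword $lsaKey 'RunAsPPL'

# AuditLevel = 8 under the LSASS.exe IFEO key logs LSA plug-ins that would be
# blocked (Code Integrity events 3065/3066) without enforcing, for use before
# RunAsPPL is turned on.
$auditLevel = Get-RegDword $ifeoKey 'AuditLevel'

# Wininit writes System event 12 at boot when LSASS.exe started as a protected process.
$startedProtected = [bool](Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    RestrictedAdminEnabled = ($restrictedAdmin -eq 0)
    RunAsPPLConfigured     = ($runAsPpl -eq 1)
    LsaAuditModeOn         = ($auditLevel -eq 8)
    LsassStartedProtected  = $startedProtected
} | Format-List

# Recent audit-mode findings: plug-ins or drivers that failed the LSA protection checks.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A host that reports RunAsPPLConfigured but not LsassStartedProtected has not been rebooted since the value was set, or the setting was overridden; resolve any 3065/3066 findings before enforcing.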

Protected Users security group

This new domain global group triggers new non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1. The Protected Users group enables additional protections for domain controllers and domains in Windows Server 2012 R2 domains. This greatly reduces the types of credentials available when users are signed in to computers on the network from a non-compromised computer.

Members of the Protected Users group are limited further by the following methods of authentication:

  • A member of the Protected Users group can only sign on using the Kerberos protocol. The account cannot authenticate using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8.1, passwords are not cached, so a device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected Users group.

  • The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite.

  • The user's account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.

  • The default Kerberos Ticket Granting Ticket (TGT) lifetime setting of four hours is configurable using Authentication Policies and Silos accessed through the Active Directory Administrative Center (ADAC). This means that when four hours have passed, the user must authenticate again.

Warning

Accounts for services and computers should not be members of the Protected Users group. This group provides no local protection for them because the password or certificate is always available on the host. Authentication will fail with the error "the user name or password is incorrect" for any service or computer that is added to the Protected Users group.

For more information about this group, see Protected Users Security Group.
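As an added example (not from the original article), the script below places a privileged human account into Protected Users and then audits the group for the two failure modes described above: accounts without an AES key, and service or computer accounts that the warning says must not be members. The account name and the date the domain functional level was raised are placeholders; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example: add an admin account to Protected Users and audit the group.
Import-Module ActiveDirectory

$account          = 'alice-admin'             # placeholder: a human admin account
$dflRaisedTo2008  = Get-Date '2015-01-01'     # placeholder: when the domain reached 2008 DFL

Add-ADGroupMember -Identity 'Protected Users' -Members $account

# Protected Users members may only use Kerberos with AES. AES keys exist only for
# passwords set after the domain functional level reached Windows Server 2008, so
# an older password will leave the account unable to log on at all.
$user = Get-ADUser -Identity $account -Properties PasswordLastSet
if (-not $user.PasswordLastSet -or $user.PasswordLastSet -lt $dflRaisedTo2008) {
    Write-Warning "$account must change its password before it can authenticate as a Protected User (no AES key)."
}

# Service, managed service and computer accounts get no benefit from this group
# (their secret is on the host anyway) and will simply fail to authenticate.
$wrongMembers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -ne 'user' }

foreach ($m in $wrongMembers) {
    Write-Warning ("Remove {0} ({1}) from Protected Users" -f $m.SamAccountName, $m.objectClass)
}

# Summary for the change record.
[pscustomobject]@{
    Added             = $account
    PasswordLastSet   = $user.PasswordLastSet
    NonUserMembers    = @($wrongMembers).Count
}
```

Remove any non-user members reported by the audit rather than trying to make them work; the protections in this group cannot be configured per member.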

Authentication Policy and Authentication Policy Silos

Forest-based Active Directory policies are introduced, and they can be applied to accounts in a domain with a Windows Server 2012 R2 domain functional level. These authentication policies can control which hosts a user can use to sign in. They work in conjunction with the Protected Users security group, and admins can apply access control conditions for authentication to the accounts. These authentication policies isolate related accounts to constrain the scope of a network.

The new Active Directory object class, Authentication Policy, allows you to apply authentication configuration to account classes in domains with a Windows Server 2012 R2 domain functional level. Authentication policies are enforced during the Kerberos AS or TGS exchange. The Active Directory account classes are:

  • User

  • Computer

  • Managed Service Account

  • Group Managed Service Account

For more information, see Authentication Policies and Authentication Policy Silos.

For more information about how to configure protected accounts, see How to Configure Protected Accounts.
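The following added example (not the article's own code) builds the configuration this section describes with the ActiveDirectory module: an authentication policy that sets the four-hour user TGT lifetime and restricts where the account may obtain a TGT, a silo that binds the policy to its members, and the assignment of an admin account and its jump host to that silo. Policy, silo, account and host names are placeholders; the domain is assumed to be at the Windows Server 2012 R2 functional level with KDC claims support enabled, and the SDDL claim expression follows the form ADAC generates for silo-based conditions.

```powershell
# Added example: enforce a user authentication policy through a policy silo.
Import-Module ActiveDirectory

$policyName = 'Tier0-AdminPolicy'   # placeholder
$siloName   = 'Tier0-Silo'          # placeholder
$adminUser  = 'alice-admin'         # placeholder: human admin account
$jumpHost   = 'JUMP01'              # placeholder: computer the admin signs in from

# Condition evaluated at the AS exchange: the requesting device must carry the
# silo claim, i.e. be a member of the same silo. Silo name is quoted inside the SDDL.
$allowedFrom = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $siloName + '"))'

# Policy: 240-minute user TGT and the device restriction above; -Enforce applies it
# rather than only auditing (omit -Enforce first to observe the effect in the event log).
New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -Enforce

# Silo: applies the policy to user and computer members.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -Enforce

# Membership is two-step: grant the account access to the silo, then assign it.
# Both the user and the jump host must be members, or the silo claim is never
# issued for the device and the user's TGT request is refused.
$computer = Get-ADComputer -Identity $jumpHost
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $adminUser
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $computer
Set-ADUser     -Identity $adminUser -AuthenticationPolicySilo $siloName
Set-ADComputer -Identity $computer  -AuthenticationPolicySilo $siloName

# Verify the resulting binding.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object Name, Enforce, UserAuthenticationPolicy, ComputerAuthenticationPolicy, Members
```

Assign the jump host before the user so that the first TGT request from the restricted account already sees a device with the silo claim.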

See also

For more information about the LSA and LSASS, see the Windows Logon and Authentication Technical Overview.