How to Configure Protected Accounts

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Through Pass-the-hash (PtH) attacks, an attacker can authenticate to a remote server or service by using the underlying NTLM hash of a user's password (or other credential derivatives). Microsoft has previously published guidance to mitigate pass-the-hash attacks. Windows Server 2012 R2 includes new features to help mitigate such attacks further. For more information about other security features that help protect against credential theft, see Credentials Protection and Management. This topic explains how to configure the following new features:

There are additional mitigations built in to Windows 8.1 and Windows Server 2012 R2 to help protect against credential theft, which are covered in the following topics:

Protected Users

Protected Users is a new global security group to which you can add new or existing users. Windows 8.1 devices and Windows Server 2012 R2 hosts have special behavior with members of this group to provide better protection against credential theft. For a member of the group, a Windows 8.1 device or a Windows Server 2012 R2 host does not cache credentials that are not supported for Protected Users. Members of this group have no additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1.

Members of the Protected Users group who are signed on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use:

  • Default credential delegation (CredSSP) - plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled

  • Windows Digest - plaintext credentials are not cached even when it is enabled

  • NTLM - the NTOWF is not cached

  • Kerberos long-term keys - the Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically

  • Sign-on offline - the cached logon verifier is not created

If the domain functional level is Windows Server 2012 R2, members of the group can no longer:

  • Authenticate by using NTLM authentication

  • Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication

  • Be delegated by using unconstrained or constrained delegation

  • Renew user tickets (TGTs) beyond the initial 4-hour lifetime

To add users to the group, you can use UI tools such as Active Directory Administrative Center (ADAC) or Active Directory Users and Computers, a command-line tool such as Dsmod group, or the Windows PowerShell Add-ADGroupMember cmdlet. Accounts for services and computers should not be members of the Protected Users group. Membership for those accounts provides no local protection because the password or certificate is always available on the host.

Warning

The authentication restrictions have no workaround, which means that members of highly privileged groups such as the Enterprise Admins group or the Domain Admins group are subject to the same restrictions as other members of the Protected Users group. If all members of such groups are added to the Protected Users group, it is possible for all of those accounts to be locked out. You should never add all highly privileged accounts to the Protected Users group until you have thoroughly tested the potential impact.

Members of the Protected Users group must be able to authenticate by using Kerberos with Advanced Encryption Standard (AES). This method requires AES keys for the account in Active Directory. The built-in Administrator does not have an AES key unless the password was changed on a domain controller that runs Windows Server 2008 or later. Additionally, any account whose password was changed at a domain controller that runs an earlier version of Windows Server is locked out. Therefore, follow these best practices:

  • Do not test in domains unless all domain controllers run Windows Server 2008 or later.

  • Change the password for all domain accounts that were created before the domain was created. Otherwise, these accounts cannot be authenticated.

  • Change the password for each user before adding the account to the Protected Users group, or ensure that the password was changed recently on a domain controller that runs Windows Server 2008 or later.
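The checks above (no service or computer accounts, a recent password change so that AES keys exist, and never moving every member of a privileged group at once) can be scripted before any account is added. The following is an added example, not code from the original article; it assumes the ActiveDirectory module is installed, that the caller may modify group membership, and that the account names and the 30-day threshold are constructed choices for this example rather than Microsoft-specified values.

```powershell
# Added example: vet candidate accounts, then add only those that pass
# to the Protected Users group.
Import-Module ActiveDirectory

$Candidates         = @('adm-alice', 'adm-bob')   # constructed sample account names
$MaxPasswordAgeDays = 30                          # local policy choice for "changed recently"

function Test-ProtectedUsersCandidate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $acct = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties objectClass, pwdLastSet
    if (-not $acct) {
        return [pscustomobject]@{ Name = $SamAccountName; Ok = $false; Reason = 'account not found' }
    }

    # Service and computer accounts gain nothing from membership: their
    # password or certificate is always on the host, so refuse them here.
    $serviceClasses = 'computer', 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount'
    if ($acct.objectClass -in $serviceClasses) {
        return [pscustomobject]@{ Name = $SamAccountName; Ok = $false; Reason = "objectClass $($acct.objectClass)" }
    }

    # A password last set on a pre-Windows Server 2008 DC has no AES keys.
    # The only remotely readable signal is the age of the last change, so
    # require one inside the configured window. pwdLastSet of 0 (must change
    # at next logon) decodes to 1601 and therefore also fails the check.
    $pwdChanged = [DateTime]::FromFileTimeUtc([int64]$acct.pwdLastSet)
    $cutoff     = (Get-Date).ToUniversalTime().AddDays(-$MaxPasswordAgeDays)
    if ($pwdChanged -lt $cutoff) {
        return [pscustomobject]@{ Name = $SamAccountName; Ok = $false; Reason = "password last set $pwdChanged (UTC)" }
    }

    return [pscustomobject]@{ Name = $SamAccountName; Ok = $true; Reason = '' }
}

function Assert-NotAllDomainAdmins {
    param([string[]]$Names)
    # Guard from the Warning above: never put every Domain Admin into the
    # group in one step, or a misconfiguration could lock all of them out.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $remaining = @($domainAdmins | Where-Object { $_ -notin $Names })
    if (@($domainAdmins).Count -gt 0 -and $remaining.Count -eq 0) {
        throw 'Refusing: this batch would place every Domain Admin into Protected Users.'
    }
}

Assert-NotAllDomainAdmins -Names $Candidates

foreach ($name in $Candidates) {
    $result = Test-ProtectedUsersCandidate -SamAccountName $name
    if ($result.Ok) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $name
        Write-Output "Added $name to Protected Users"
    } else {
        Write-Warning "Skipped $name: $($result.Reason)"
    }
}
```

Run it once with a small test batch and confirm that each added account can still sign on (the Protected User client log described later in this topic records the failures) before widening the list.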

Requirements for using protected accounts

Protected accounts have the following deployment requirements:

  • To provide client-side restrictions for Protected Users, hosts must run Windows 8.1 or Windows Server 2012 R2. A user only has to sign on with an account that is a member of the Protected Users group. In this case, the Protected Users group can be created by transferring the primary domain controller (PDC) emulator role to a domain controller that runs Windows Server 2012 R2. After that group object is replicated to other domain controllers, the PDC emulator role can be hosted on a domain controller that runs an earlier version of Windows Server.

  • To provide domain controller-side restrictions for Protected Users, that is, to restrict usage of NTLM authentication and apply the other restrictions, the domain functional level must be Windows Server 2012 R2. For more information about functional levels, see Understanding Active Directory Domain Services (AD DS) Functional Levels.

This section covers the new logs that help troubleshoot events related to Protected Users, and how Protected Users can affect troubleshooting of either ticket-granting ticket (TGT) expiration or delegation issues.

New logs for Protected Users

Two new operational administrative logs are available to help troubleshoot events that are related to Protected Users: the Protected User - Client Log and the Protected User Failures - Domain Controller Log. These new logs are located in Event Viewer and are disabled by default. To enable a log, click Applications and Services Logs, click Microsoft, click Windows, click Authentication, click the name of the log, click Action (or right-click the log), and then click Enable Log.

For more information about events in these logs, see Authentication Policies and Authentication Policy Silos.
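The Event Viewer steps above have a scripted equivalent, which is useful when the logs must be turned on across several domain controllers and clients. The block below is an added example and not code from the original article. It assumes that the Protected User and Authentication Policy logs live under the Microsoft-Windows-Authentication/ channel prefix (so they are discovered by wildcard rather than hard-coded) and that it runs in an elevated session.

```powershell
# Added example: enable the operational logs under Applications and Services
# Logs > Microsoft > Windows > Authentication, then summarize recent events.

function Enable-AuthenticationOperationalLogs {
    param([switch]$WhatIf)
    # Get-WinEvent -ListLog returns EventLogConfiguration objects; setting
    # IsEnabled and calling SaveChanges() is the same as Action > Enable Log.
    $logs = Get-WinEvent -ListLog 'Microsoft-Windows-Authentication/*' -ErrorAction Stop
    foreach ($log in $logs) {
        if ($log.IsEnabled) {
            Write-Verbose "$($log.LogName) is already enabled"
            continue
        }
        if ($WhatIf) {
            Write-Output "Would enable $($log.LogName)"
            continue
        }
        $log.IsEnabled = $true
        $log.SaveChanges()
        Write-Output "Enabled $($log.LogName)"
    }
}

function Get-RecentAuthenticationEvents {
    param([int]$Hours = 24, [int]$MaxPerLog = 50)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -ListLog 'Microsoft-Windows-Authentication/*' |
        Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
        ForEach-Object {
            # Disabled or empty logs are skipped; a log with no events in the
            # window would otherwise raise a non-terminating error.
            Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; StartTime = $since } `
                -MaxEvents $MaxPerLog -ErrorAction SilentlyContinue
        } |
        Select-Object TimeCreated, LogName, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Sort-Object TimeCreated -Descending
}

Enable-AuthenticationOperationalLogs
Get-RecentAuthenticationEvents -Hours 24 | Format-Table -AutoSize
```

On a domain controller the wildcard picks up the domain-controller logs (failures and, where present, successes); on a Windows 8.1 client only the client log exists, so the same script works on both without edits.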

Troubleshoot TGT expiration

Normally, the domain controller sets the TGT lifetime and renewal based on the domain policy, as shown in the following Group Policy Management Editor window.

For Protected Users, the following settings are hard-coded:

  • Maximum lifetime for user ticket: 240 minutes

  • Maximum lifetime for user ticket renewal: 240 minutes

Troubleshoot delegation issues

Previously, if a technology that uses Kerberos delegation was failing, the client account was checked to see whether Account is sensitive and cannot be delegated was set. However, if the account is a member of Protected Users, it might not have this setting configured in Active Directory Administrative Center (ADAC). As a result, check both the setting and the group membership when you troubleshoot delegation issues.

Audit authentication attempts

To audit authentication attempts explicitly for the members of the Protected Users group, you can continue to collect security log audit events or collect the data in the new operational administrative logs. For more information about these events, see Authentication Policies and Authentication Policy Silos.

Provide DC-side protections for services and computers

Accounts for services and computers cannot be members of Protected Users. This section explains which domain controller-based protections can be offered for these accounts:

  • Reject NTLM authentication: only configurable via NTLM block policies

  • Reject Data Encryption Standard (DES) in Kerberos pre-authentication: Windows Server 2012 R2 domain controllers do not accept DES for computer accounts unless they are configured for DES only, because every version of Windows released with Kerberos also supports RC4.

  • Reject RC4 in Kerberos pre-authentication: not configurable.

    Note

    Although it is possible to change the configuration of supported encryption types, it is not recommended to change those settings for computer accounts without testing in the target environment.

  • Restrict user tickets (TGTs) to an initial 4-hour lifetime: use Authentication Policies.

  • Deny delegation with unconstrained or constrained delegation: to restrict an account, open Active Directory Administrative Center (ADAC) and select the Account is sensitive and cannot be delegated check box.

Authentication policies

Authentication Policies is a new container in AD DS that contains authentication policy objects. Authentication policies can specify settings that help mitigate exposure to credential theft, such as restricting TGT lifetime for accounts or adding other claims-related conditions.

In Windows Server 2012, Dynamic Access Control introduced an Active Directory forest-scope object class called Central Access Policy to provide an easy way to configure file servers across an organization. In Windows Server 2012 R2, a new object class called Authentication Policy (objectClass msDS-AuthNPolicies) can be used to apply authentication configuration to account classes in Windows Server 2012 R2 domains. The Active Directory account classes are:

  • User

  • Computer

  • Managed Service Account and group Managed Service Account (gMSA)

Quick Kerberos refresher

The Kerberos authentication protocol consists of three types of exchanges, also known as subprotocols:

  • The Authentication Service (AS) Exchange (KRB_AS_*)

  • The Ticket-Granting Service (TGS) Exchange (KRB_TGS_*)

  • The Client/Server (AP) Exchange (KRB_AP_*)

The AS exchange is where the client uses the account's password or private key to create a pre-authenticator to request a ticket-granting ticket (TGT). This happens at user sign-on or the first time a service ticket is needed.

The TGS exchange is where the account's TGT is used to create an authenticator to request a service ticket. This happens when an authenticated connection is needed.

The AP exchange typically occurs as data inside the application protocol and is not affected by authentication policies.

For more detailed information, see [How the Kerberos Version 5 Authentication Protocol Works](http://technet.microsoft.com/library/cc772815(v=WS.10).aspx).

Overview

Authentication policies complement Protected Users by providing a way to apply configurable restrictions to accounts and by providing restrictions for accounts for services and computers. Authentication policies are enforced during either the AS exchange or the TGS exchange.

You can restrict initial authentication, or the AS exchange, by configuring:

  • A TGT lifetime

  • Access control conditions to restrict user sign-on, which must be met by the devices from which the AS exchange is coming

You can restrict service ticket requests through a ticket-granting service (TGS) exchange by configuring:

  • Access control conditions which must be met by the client (user, service, computer) or the device from which the TGS exchange is coming

Requirements for using authentication policies

| Policy | Requirements |
| --- | --- |
| Provide custom TGT lifetimes | Windows Server 2012 R2 domain functional level account domains |
| Restrict user sign-on | Windows Server 2012 R2 domain functional level account domains with Dynamic Access Control support; Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2 devices with Dynamic Access Control support |
| Restrict service ticket issuance that is based on user account and security groups | Windows Server 2012 R2 domain functional level resource domains |
| Restrict service ticket issuance based on user claims or device account, security groups, or claims | Windows Server 2012 R2 domain functional level resource domains with Dynamic Access Control support |

Restrict a user account to specific devices and hosts

A high-value account with administrative privilege should be a member of the Protected Users group. By default, no accounts are members of the Protected Users group. Before you add accounts to the group, configure domain controller support and create an audit policy to ensure that there are no blocking issues.

Configure domain controller support

The user's account domain must be at Windows Server 2012 R2 domain functional level (DFL). Ensure that all the domain controllers are Windows Server 2012 R2, and then use Active Directory Domains and Trusts to raise the DFL to Windows Server 2012 R2.

To configure support for Dynamic Access Control

  1. In the Default Domain Controllers Policy, click Enabled to enable Key Distribution Center (KDC) client support for claims, compound authentication and Kerberos armoring in Computer Configuration | Administrative Templates | System | KDC.

  2. Under Options, in the drop-down list box, select Always provide claims.

    Note

    Supported can also be configured, but because the domain is at Windows Server 2012 R2 DFL, having the DCs always provide claims will allow user claims-based access checks to occur when non-claims-aware devices and hosts connect to claims-aware services.

    Warning

    Configuring Fail unarmored authentication requests will result in authentication failures from any operating system which does not support Kerberos armoring, such as Windows 7 and previous operating systems, or operating systems beginning with Windows 8 which have not been explicitly configured to support it.

Create a user account audit for authentication policy with ADAC

  1. Open Active Directory Administrative Center (ADAC).

    Note

    The selected Authentication node is visible for domains which are at Windows Server 2012 R2 DFL. If the node does not appear, try again by using a domain administrator account from a domain that is at Windows Server 2012 R2 DFL.

  2. Click Authentication Policies, and then click New to create a new policy.

    Authentication Policies must have a display name and are enforced by default.

  3. To create an audit-only policy, click Only audit policy restrictions.

    Authentication policies are applied based on the Active Directory account type. A single policy can apply to all three account types by configuring settings for each type. The account types are:

    • User

    • Computer

    • Managed Service Account and Group Managed Service Account

    If you have extended the schema with new principals that can be used by the Key Distribution Center (KDC), then the new account type is classified from the closest derived account type.

  4. To configure a TGT lifetime for user accounts, select the Specify a Ticket-Granting Ticket lifetime for user accounts check box and enter the time in minutes.

    For example, if you want a 10-hour maximum TGT lifetime, enter 600 as shown. If no TGT lifetime is configured and the account is a member of the Protected Users group, the TGT lifetime and renewal is 4 hours. Otherwise, TGT lifetime and renewal are based on the domain policy, as seen in the following Group Policy Management Editor window for a domain with default settings.

  5. To restrict the user account to selected devices, click Edit to define the conditions that are required for the device.

  6. In the Edit Access Control Conditions window, click Add a condition.

Add computer account or group conditions

  1. To configure computer accounts or groups, in the drop-down list, select the drop-down list box Member of each and change it to Member of any.

    Note

    This access control defines the conditions of the device or host from which the user signs on. In access control terminology, the computer account for the device or host is the user, which is why User is the only option.

  2. Click Add items.

  3. To change object types, click Object Types.

  4. To select computer objects in Active Directory, click Computers, and then click OK.

  5. Type the names of the computers to which the user should be restricted, and then click Check Names.

  6. Click OK and create any other conditions for the computer account.

  7. When done, click OK and the defined conditions will appear for the computer account.

Add computer claim conditions

  1. To configure computer claims, in the Group drop-down list, select the claim.

    Claims are only available if they are already provisioned in the forest.

  2. Type the name of the OU to which the user account should be restricted for sign-on.

  3. When done, click OK and the box will show the conditions defined.

Troubleshoot missing computer claims

If the claim has been provisioned but is not available, it might only be configured for Computer classes.

Let's say you wanted to restrict authentication based on the organizational unit (OU) of the computer, which was already configured, but only for Computer classes.

For the claim to be available to restrict User sign-on to the device, select the User check box.

Provision a user account with an authentication policy with ADAC

  1. From the User account, click Policy.

  2. Select the Assign an authentication policy to this account check box.

  3. Then select the authentication policy to apply to the user.

Configure Dynamic Access Control support on devices and hosts

You can configure TGT lifetimes without configuring Dynamic Access Control (DAC). DAC is only needed for checking AllowedToAuthenticateFrom and AllowedToAuthenticateTo.

Using either Group Policy or Local Group Policy Editor, enable Kerberos client support for claims, compound authentication and Kerberos armoring in Computer Configuration | Administrative Templates | System | Kerberos:

Troubleshoot Authentication Policies

Determine the accounts that are directly assigned an Authentication Policy

The Accounts section in the Authentication Policy shows the accounts that have the policy directly applied.

Use the Authentication Policy Failures - Domain Controller administrative log

A new Authentication Policy Failures - Domain Controller administrative log under Applications and Services Logs > Microsoft > Windows > Authentication has been created to make it easier to discover failures due to Authentication Policies. The log is disabled by default. To enable it, right-click the log name and click Enable Log. The new events are very similar in content to the existing Kerberos TGT and service ticket auditing events. For more information about these events, see Authentication Policies and Authentication Policy Silos.

Manage authentication policies by using Windows PowerShell

This command creates an authentication policy named TestAuthenticationPolicy. The UserAllowedToAuthenticateFrom parameter specifies the devices from which users can authenticate, by an SDDL string in the file named someFile.txt.

PS C:\> New-ADAuthenticationPolicy testAuthenticationPolicy -UserAllowedToAuthenticateFrom (Get-Acl .\someFile.txt).sddl  

This command gets all authentication policies that match the filter that the Filter parameter specifies.

PS C:\> Get-ADAuthenticationPolicy -Filter "Name -like 'testADAuthenticationPolicy*'" -Server Server02.Contoso.com  

This command modifies the Description and UserTGTLifetimeMins properties of the specified authentication policy.

PS C:\> Set-ADAuthenticationPolicy -Identity ADAuthenticationPolicy1 -Description "Description" -UserTGTLifetimeMins 45  

This command removes the authentication policy that the Identity parameter specifies.

PS C:\> Remove-ADAuthenticationPolicy -Identity ADAuthenticationPolicy1  

This command uses the Get-ADAuthenticationPolicy cmdlet with the Filter parameter to get all authentication policies that are not enforced. The result set is piped to the Remove-ADAuthenticationPolicy cmdlet.

PS C:\> Get-ADAuthenticationPolicy -Filter 'Enforce -eq $false' | Remove-ADAuthenticationPolicy  
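The ADAC walkthrough above (audit-only policy, 600-minute TGT, device condition, assignment to a user) and the individual cmdlets just listed come together in the following added example, which is not code from the original article. It assumes the ActiveDirectory module, a domain at Windows Server 2012 R2 DFL, and that the policy, group and user names are constructed for this example; the AuthenticationPolicy property read back from the user object is an assumed property name.

```powershell
# Added example: build the same audit-only, device-restricted policy that the
# ADAC steps produce, assign it to one user, and read the result back.
Import-Module ActiveDirectory

$PolicyName  = 'Tier0-AdminWorkstations-Audit'   # constructed policy name
$DeviceGroup = 'Tier0-PAW-Computers'             # constructed group holding the allowed devices
$TargetUser  = 'adm-alice'                        # constructed user

function New-DeviceRestrictedAuthPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DeviceGroupName,
        [int]$TgtLifetimeMinutes = 600              # 10 hours, as in the ADAC step
    )
    $groupSid = (Get-ADGroup -Identity $DeviceGroupName).SID.Value

    # Conditional ACE: the control-access right (CR) is granted to Everyone (WD)
    # only when the requesting device is a member of the group. This is the
    # SDDL shape behind a "Member of" rule in Edit Access Control Conditions.
    $sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID($groupSid)}))"

    # -Enforce:$false is the cmdlet equivalent of "Only audit policy restrictions".
    New-ADAuthenticationPolicy -Name $Name `
        -Description "Audit-only: TGT $TgtLifetimeMinutes min, sign-on only from $DeviceGroupName" `
        -UserTGTLifetimeMins $TgtLifetimeMinutes `
        -UserAllowedToAuthenticateFrom $sddl `
        -Enforce:$false -PassThru
}

function Set-UserAuthPolicy {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$PolicyName
    )
    # Same effect as "Assign an authentication policy to this account" in ADAC.
    Set-ADUser -Identity $SamAccountName -AuthenticationPolicy $PolicyName
    Get-ADUser -Identity $SamAccountName -Properties AuthenticationPolicy |
        Select-Object SamAccountName, AuthenticationPolicy
}

function Get-AuthPolicySummary {
    param([Parameter(Mandatory)][string]$PolicyName)
    $p = Get-ADAuthenticationPolicy -Identity $PolicyName `
        -Properties Enforce, UserTGTLifetimeMins, UserAllowedToAuthenticateFrom
    [pscustomobject]@{
        Name       = $p.Name
        AuditOnly  = -not $p.Enforce
        TgtMinutes = $p.UserTGTLifetimeMins
        DeviceRule = $p.UserAllowedToAuthenticateFrom
    }
}

$policy = New-DeviceRestrictedAuthPolicy -Name $PolicyName -DeviceGroupName $DeviceGroup
Set-UserAuthPolicy -SamAccountName $TargetUser -PolicyName $policy.Name
Get-AuthPolicySummary -PolicyName $policy.Name

# After the Authentication Policy Failures - Domain Controller log has stayed
# clean for a trial period, switch the policy from auditing to enforcement:
# Set-ADAuthenticationPolicy -Identity $PolicyName -Enforce $true
```

Reading the policy back is worth keeping in the script: an SDDL typo does not fail at creation time, it simply produces a rule that never matches, and the first sign is a TGT refusal (or, in audit mode, a failure event) for every sign-on.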

Authentication policy silos

Authentication Policy Silos is a new container (objectClass msDS-AuthNPolicySilos) in AD DS for user, computer, and service accounts. They help protect high-value accounts. While all organizations need to protect members of the Enterprise Admins, Domain Admins and Schema Admins groups, because those accounts could be used by an attacker to access anything in the forest, other accounts may also need protection.

Some organizations isolate workloads by creating accounts that are unique to them and by applying Group Policy settings to limit local and remote interactive logon and administrative privileges. Authentication policy silos complement this work by creating a way to define a relationship between User, Computer and managed Service accounts. Accounts can only belong to one silo. You can configure an authentication policy for each type of account in order to control:

  1. Non-renewable TGT lifetime

  2. Access control conditions for returning a TGT (Note: cannot apply to systems because Kerberos armoring is required)

  3. Access control conditions for returning a service ticket

Additionally, accounts in an authentication policy silo have a silo claim, which can be used by claims-aware resources such as file servers to control access.

A new security descriptor can be configured to control service ticket issuance based on:

  • User, user's security groups, and/or user's claims

  • Device, device's security groups, and/or device's claims

Getting this information to the resource's DCs requires Dynamic Access Control:

  • User claims:

    • Windows 8 and later clients supporting Dynamic Access Control

    • Account domain supports Dynamic Access Control and claims

  • Device and/or device security group:

    • Windows 8 and later clients supporting Dynamic Access Control

    • Resource configured for compound authentication

  • Device claims:

    • Windows 8 and later clients supporting Dynamic Access Control

    • Device domain supports Dynamic Access Control and claims

    • Resource configured for compound authentication

Authentication policies can be applied to all members of an authentication policy silo instead of to individual accounts, or separate authentication policies can be applied to different types of accounts within a silo. For example, one authentication policy can be applied to highly privileged user accounts, and a different policy can be applied to service accounts. At least one authentication policy must be created before an authentication policy silo can be created.

Note

An authentication policy can be applied to members of an authentication policy silo, or it can be applied independently of silos to restrict a specific account scope. For example, to protect a single account or a small set of accounts, a policy can be set on those accounts without adding the accounts to a silo.

You can create an authentication policy silo by using Active Directory Administrative Center or Windows PowerShell. By default, an authentication policy silo only audits silo policies, which is equivalent to specifying the WhatIf parameter in Windows PowerShell cmdlets. In this case, policy silo restrictions do not apply, but audits are generated to indicate whether failures would occur if the restrictions were applied.

To create an authentication policy silo by using Active Directory Administrative Center

  1. Open Active Directory Administrative Center, click Authentication, right-click Authentication Policy Silos, click New, and then click Authentication Policy Silo.

  2. In Display name, type a name for the silo. In Permitted Accounts, click Add, type the names of the accounts, and then click OK. You can specify users, computers, or service accounts. Then specify whether to use a single policy for all principals or a separate policy for each type of principal, and the name of the policy or policies.

Manage authentication policy silos by using Windows PowerShell

This command creates an authentication policy silo object and enforces it.

PS C:\>New-ADAuthenticationPolicySilo -Name newSilo -Enforce  

This command gets all the authentication policy silos that match the filter that is specified by the Filter parameter. The output is then passed to the Format-Table cmdlet to display the name of each silo and its Enforce value.

PS C:\>Get-ADAuthenticationPolicySilo -Filter 'Name -like "*silo*"' | Format-Table Name, Enforce -AutoSize  

Name  Enforce  
----  -------  
silo     True  
silos   False  

This command uses the Get-ADAuthenticationPolicySilo cmdlet with the Filter parameter to get all authentication policy silos that are not enforced and pipes the result of the filter to the Remove-ADAuthenticationPolicySilo cmdlet.

PS C:\>Get-ADAuthenticationPolicySilo -Filter 'Enforce -eq $False' | Remove-ADAuthenticationPolicySilo  

This command grants access to the authentication policy silo named Silo to the user account named User01.

PS C:\>Grant-ADAuthenticationPolicySiloAccess -Identity Silo -Account User01  

This command revokes access to the authentication policy silo named Silo for the user account named User01. Because the Confirm parameter is set to $False, no confirmation message appears.

PS C:\>Revoke-ADAuthenticationPolicySiloAccess -Identity Silo -Account User01 -Confirm:$False  

This example first uses the Get-ADComputer cmdlet to get all computer accounts that match the filter that the Filter parameter specifies. The output of this command is passed to Set-ADAccountAuthenticationPolicySilo to assign the authentication policy silo named Silo and the authentication policy named AuthenticationPolicy02 to them.

PS C:\>Get-ADComputer -Filter 'Name -like "newComputer*"' | Set-ADAccountAuthenticationPolicySilo -AuthenticationPolicySilo Silo -AuthenticationPolicy AuthenticationPolicy02
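The silo cmdlets above are shown one at a time; the following added example (not code from the original article) strings them into the audit-first workflow the section recommends: create the silo without -Enforce, admit and assign the accounts, verify membership, and enforce only afterwards. It assumes the ActiveDirectory module and an existing policy named AuthenticationPolicy02 (from the article's example); the silo, user and computer names are constructed, and the msDS-AssignedAuthNPolicySilo attribute used for the membership query is an assumed attribute name.

```powershell
# Added example: audit-only silo, membership in two steps, verification, and
# a separate enforcement step to run after the trial period.
Import-Module ActiveDirectory

$SiloName = 'Tier0Silo'                # constructed silo name
$Policy   = 'AuthenticationPolicy02'   # assumed to exist already
$Users    = @('adm-alice')             # constructed user accounts
$Hosts    = @('PAW01')                 # constructed computer names (no trailing $)

function New-AuditOnlySilo {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$PolicyName)
    # Omitting -Enforce leaves the silo in audit-only mode, which the section
    # above likens to -WhatIf: restrictions are logged, not applied.
    New-ADAuthenticationPolicySilo -Name $Name `
        -UserAuthenticationPolicy $PolicyName `
        -ComputerAuthenticationPolicy $PolicyName `
        -ServiceAuthenticationPolicy $PolicyName `
        -Description 'Audit-only until the failures log stays clean' -PassThru
}

function Add-AccountToSilo {
    param([Parameter(Mandatory)]$Account, [Parameter(Mandatory)][string]$SiloName)
    # Membership needs both halves: the silo must permit the account, and the
    # account must be assigned to the silo. Either step alone is not membership.
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $Account
    Set-ADAccountAuthenticationPolicySilo -Identity $Account -AuthenticationPolicySilo $SiloName
}

function Get-SiloMembership {
    param([Parameter(Mandatory)][string]$SiloName)
    # Query from the account side so that a permitted-but-unassigned account
    # does not show up as a member.
    $siloDn = (Get-ADAuthenticationPolicySilo -Identity $SiloName).DistinguishedName
    Get-ADObject -LDAPFilter "(msDS-AssignedAuthNPolicySilo=$siloDn)" -Properties objectClass |
        Select-Object Name, objectClass
}

function Enable-SiloEnforcement {
    param([Parameter(Mandatory)][string]$SiloName, [Parameter(Mandatory)][string]$PolicyName)
    # Both objects have their own Enforce flag; an enforced silo whose policy
    # is still audit-only continues to audit, so flip both together.
    Set-ADAuthenticationPolicySilo -Identity $SiloName -Enforce $true
    Set-ADAuthenticationPolicy -Identity $PolicyName -Enforce $true
}

$silo = New-AuditOnlySilo -Name $SiloName -PolicyName $Policy
foreach ($u in $Users) { Add-AccountToSilo -Account (Get-ADUser -Identity $u) -SiloName $silo.Name }
foreach ($h in $Hosts) { Add-AccountToSilo -Account (Get-ADComputer -Identity $h) -SiloName $silo.Name }
Get-SiloMembership -SiloName $silo.Name

# Run after the Authentication Policy Failures - Domain Controller log has
# been clean for the trial period:
# Enable-SiloEnforcement -SiloName $SiloName -PolicyName $Policy
```

Keeping enforcement in its own function makes the rollback obvious as well: the same two Set- cmdlets with -Enforce $false return the silo and policy to audit mode without touching membership.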