Beginning your General Data Protection Regulation (GDPR) journey for Windows Server

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This article provides information about the GDPR, including what it is, and the products Microsoft provides to help you become compliant.

Introduction

On May 25, 2018, a European privacy law is due to take effect that sets a new global bar for privacy rights, security, and compliance.

The General Data Protection Regulation, or GDPR, is fundamentally about protecting and enabling the privacy rights of individuals. The GDPR establishes strict global privacy requirements governing how you manage and protect personal data while respecting individual choice, no matter where data is sent, processed, or stored.

Microsoft and our customers are now on a journey to achieve the privacy goals of the GDPR. At Microsoft, we believe privacy is a fundamental right, and we believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights. But we also recognize that the GDPR will require significant changes by organizations all over the world.

We have outlined our commitment to the GDPR and how we are supporting our customers in the "Get GDPR compliant with the Microsoft Cloud" blog post by our Chief Privacy Officer, Brendon Lynch, and the "Earning your trust with contractual commitments to the General Data Protection Regulation" blog post by Rich Sauer, Microsoft Corporate Vice President and Deputy General Counsel.

Although your journey to GDPR compliance may seem challenging, we're here to help you. For specific information about the GDPR, our commitments, and how to begin your journey, please visit the GDPR section of the Microsoft Trust Center.

GDPR and its implications

The GDPR is a complex regulation that may require significant changes in how you gather, use, and manage personal data. Microsoft has a long history of helping our customers comply with complex regulations, and when it comes to preparing for the GDPR, we are your partner on this journey.

The GDPR imposes rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where those businesses are located. Among the key elements of the GDPR are the following:

  • Enhanced personal privacy rights. Strengthened data protection for residents of the EU by ensuring they have the right to access their personal data, to correct inaccuracies in that data, to erase that data, to object to processing of their personal data, and to move it.

  • Increased duty for protecting personal data. Reinforced accountability of organizations that process personal data, providing increased clarity of responsibility in ensuring compliance.

  • Mandatory personal data breach reporting. Organizations that control personal data are required to report personal data breaches that pose a risk to the rights and freedoms of individuals to their supervisory authorities without undue delay and, where feasible, no later than 72 hours after they become aware of the breach.

As you might anticipate, the GDPR can have a significant impact on your business, potentially requiring you to update privacy policies, implement and strengthen data protection controls and breach notification procedures, deploy highly transparent policies, and further invest in IT and training. Microsoft Windows 10 can help you effectively and efficiently address some of these requirements.

Personal and sensitive data

As part of your effort to comply with the GDPR, you will need to understand how the regulation defines personal and sensitive data and how those definitions relate to data held by your organization. Based on that understanding, you'll be able to discover where that data is created, processed, managed, and stored.

The GDPR considers personal data to be any information related to an identified or identifiable natural person. That can include both direct identification (such as your legal name) and indirect identification (such as specific information that makes it clear it is you the data references). The GDPR also makes clear that the concept of personal data includes online identifiers (such as IP addresses and mobile device IDs) and location data.

The GDPR introduces specific definitions for genetic data (such as an individual's gene sequence) and biometric data. Genetic data and biometric data, along with other sub-categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; data concerning health; or data concerning a person's sex life or sexual orientation), are treated as sensitive personal data under the GDPR. Sensitive personal data is afforded enhanced protections and generally requires an individual's explicit consent where these data are to be processed.

Examples of information relating to an identified or identifiable natural person (data subject)

This list provides examples of several types of information that will be regulated through the GDPR. This is not an exhaustive list.

  • Name

  • Identification number (such as an SSN)

  • Location data (such as a home address)

  • Online identifier (such as an e-mail address, screen names, IP address, device IDs)

  • Pseudonymous data (such as using a key to identify individuals)

  • Genetic data (such as biological samples from an individual)

  • Biometric data (such as fingerprints, facial recognition)

Getting started on the journey towards GDPR compliance

Given how much is involved in becoming GDPR-compliant, we strongly recommend that you don't wait to prepare until enforcement begins. You should review your privacy and data management practices now. We recommend that you begin your journey to GDPR compliance by focusing on four key steps:

  • Discover. Identify what personal data you have and where it resides.

  • Manage. Govern how personal data is used and accessed.

  • Protect. Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.

  • Report. Act on data requests, report data breaches, and keep required documentation.

    [Diagram: how the four key GDPR steps work together]

For each of the steps, we've outlined example tools, resources, and features in various Microsoft solutions, which can be used to help you address the requirements of that step. While this article isn't a comprehensive "how-to" guide, we've included links for you to find out more details, and more information is available in the GDPR section of the Microsoft Trust Center.

Windows Server security and privacy

The GDPR requires you to implement appropriate technical and organizational security measures to protect personal data and processing systems. In the context of the GDPR, your physical and virtual server environments are potentially processing personal and sensitive data. Processing can mean any operation or set of operations, such as data collection, storage, and retrieval.

Your ability to meet this requirement and to implement appropriate technical security measures must reflect the threats you face in today's increasingly hostile IT environment. Today's security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attackers' motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom.

Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.

Not only are these threats a risk to your ability to maintain control of any personal or sensitive data you may have, but they are a material risk to your overall business as well. Consider recent data from McKinsey, the Ponemon Institute, Verizon, and Microsoft:

  • The average cost of the type of data breach the GDPR will expect you to report is $3.5M.

  • 63% of these breaches involve weak or stolen passwords, which the GDPR expects you to address.

  • Over 300,000 new malware samples are created and spread every day, making your task of addressing data protection even more challenging.

As seen with the recent ransomware attacks, once called the black plague of the Internet, attackers are going after bigger targets that can afford to pay more, with potentially catastrophic consequences. The GDPR's penalties make your systems that contain personal and sensitive data, including desktops and laptops, rich targets indeed.

Two key principles have guided and continue to guide the development of Windows:

  • Security. The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.

  • Privacy. Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information, to make best use of their time. It should be easy for users to specify appropriate use of their information, including controlling the use of email they send.

Microsoft has remained steadfast in its commitment to these principles, as recently noted by Microsoft's CEO, Satya Nadella:

"As the world continues to change and business requirements evolve, some things are consistent: a customer's demand for security and privacy."

As you work to comply with the GDPR, it is important to understand the role of your physical and virtual servers in creating, accessing, processing, storing, and managing data that may qualify as personal and potentially sensitive data under the GDPR. Windows Server provides capabilities that will help you comply with the GDPR requirements to implement appropriate technical and organizational security measures to protect personal data.

The security posture of Windows Server 2016 isn't a bolt-on; it's an architectural principle. It can best be understood in terms of four principles:

  • Protect. Ongoing focus and innovation on preventative measures; block known attacks and known malware.

  • Detect. Comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster.

  • Respond. Leading response and recovery technologies plus deep consulting expertise.

  • Isolate. Isolate operating system components and data secrets, limit administrator privileges, and rigorously measure host health.

With Windows Server, your ability to protect, detect, and defend against the types of attacks that can lead to data breaches is greatly improved. Given the stringent requirements around breach notification within the GDPR, ensuring that your desktop and laptop systems are well defended will lower the risks you face that could result in costly breach analysis and notification.

In the section that follows, you will see how Windows Server provides capabilities that fit squarely in the "Protect" stage of your GDPR compliance journey. These capabilities fall into three protection scenarios:

  • Protect your credentials and limit administrator privileges. Windows Server 2016 helps to implement these changes, to help prevent your system from being used as a launching point for further intrusions.

  • Secure the operating system to run your apps and infrastructure. Windows Server 2016 provides layers of protection that help block external attackers from running malicious software or exploiting vulnerabilities.

  • Secure virtualization. Windows Server 2016 enables secure virtualization, using Shielded Virtual Machines and Guarded Fabric. This helps you encrypt and run your virtual machines on trusted hosts in your fabric, better protecting them from malicious attacks.

These capabilities, discussed in more detail below with references to specific GDPR requirements, are built on top of advanced device protection that helps maintain the integrity and security of the operating system and data.

A key provision within the GDPR is data protection by design and by default, and features within Windows 10 such as BitLocker Device Encryption help with your ability to meet this provision. BitLocker uses Trusted Platform Module (TPM) technology, which provides hardware-based, security-related functions. This crypto-processor chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM.

Some of the key advantages of using TPM technology are that you can:

  • Generate, store, and limit the use of cryptographic keys.

  • Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned into the TPM itself.

  • Help to ensure platform integrity by taking and storing security measurements.

Additional advanced device protection relevant to operating without data breaches includes Windows Trusted Boot, which helps maintain the integrity of the system by ensuring that malware is unable to start before system defenses do.

Windows Server: Supporting your GDPR compliance journey

Key features within Windows Server can help you to efficiently and effectively implement the security and privacy mechanisms the GDPR requires for compliance. While the use of these features will not guarantee your compliance, they will support your efforts to do so.

The server operating system sits at a strategic layer in an organization's infrastructure, affording new opportunities to create layers of protection from attacks that could steal data and interrupt your business. Key aspects of the GDPR such as Privacy by Design, Data Protection, and Access Control need to be addressed within your IT infrastructure at the server level.

Working to help protect the identity, operating system, and virtualization layers, Windows Server 2016 helps block the common attack vectors used to gain illicit access to your systems: stolen credentials, malware, and a compromised virtualization fabric. In addition to reducing business risk, the security components built into Windows Server 2016 help address compliance requirements for key government and industry security regulations.

These identity, operating system, and virtualization protections enable you to better protect your datacenter running Windows Server as a VM in any cloud, and limit the ability of attackers to compromise credentials, launch malware, and remain undetected in your network. Likewise, when deployed as a Hyper-V host, Windows Server 2016 offers security assurance for your virtualization environments through Shielded Virtual Machines and distributed firewall capabilities. With Windows Server 2016, the server operating system becomes an active participant in your datacenter security.

Protect your credentials and limit administrator privileges

Control over access to personal data, and to the systems that process that data, is an area within the GDPR that has specific requirements, including access by administrators. Privileged identities are any accounts that have elevated privileges, such as user accounts that are members of the Domain Administrators, Enterprise Administrators, local Administrators, or even Power Users groups. Such identities can also include accounts that have been granted privileges directly, such as performing backups, shutting down the system, or other rights listed in the User Rights Assignment node in the Local Security Policy console.

As a general access control principle, and in line with the GDPR, you need to protect these privileged identities from compromise by potential attackers. First, it's important to understand how identities are compromised; then you can plan to prevent attackers from gaining access to these privileged identities.

How do privileged identities get compromised?

Privileged identities can get compromised when organizations don't have guidelines to protect them. The following are examples:

  • More privileges than are necessary. One of the most common issues is that users have more privileges than are necessary to perform their job function. For example, a user who manages DNS might be an AD administrator. Most often, this is done to avoid the need to configure different administration levels. However, if such an account is compromised, the attacker automatically has elevated privileges.

  • Constantly signed in with elevated privileges. Another common issue is that users with elevated privileges can use them for an unlimited time. This is very common with IT pros who sign in to a desktop computer using a privileged account, stay signed in, and use the privileged account to browse the web and use email (typical IT job functions). Unlimited duration of privileged accounts makes the account more susceptible to attack and increases the odds that the account will be compromised.

  • Social engineering research. Most credential threats start out by researching the organization and are then conducted through social engineering. For example, an attacker may perform an email phishing attack to compromise legitimate accounts (but not necessarily elevated accounts) that have access to an organization's network. The attacker then uses these valid accounts to perform additional research on your network and to identify privileged accounts that can perform administrative tasks.

  • Leverage accounts with elevated privileges. Even with a normal, non-elevated user account in the network, attackers can gain access to accounts with elevated permissions. One of the more common methods of doing so is by using Pass-the-Hash or Pass-the-Token attacks. For more information on Pass-the-Hash and other credential theft techniques, see the resources on the Pass-the-Hash (PtH) page.

There are of course other methods that attackers can use to identify and compromise privileged identities (with new methods being created every day). It is therefore important that you establish practices for users to log on with least-privileged accounts, to reduce the ability of attackers to gain access to privileged identities. The sections below outline functionality in Windows Server that can mitigate these risks.

Just-in-Time Admin (JIT) and Just Enough Admin (JEA)

While protecting against Pass-the-Hash or Pass-the-Ticket attacks is important, administrator credentials can still be stolen by other means, including social engineering, disgruntled employees, and brute force. Therefore, in addition to isolating credentials as much as possible, you also want a way to limit the reach of administrator-level privileges in case they are compromised.

Today, too many administrator accounts are over-privileged, even if they have only one area of responsibility. For example, a DNS administrator, who requires a very narrow set of privileges to manage DNS servers, is often granted domain admin-level privileges. In addition, because these credentials are granted in perpetuity, there is no limit on how long they can be used.

Every account with unnecessary domain admin-level privileges increases your exposure to attackers seeking to compromise credentials. To minimize the surface area for attack, you want to provide only the specific set of rights that an admin needs to do the job, and only for the window of time needed to complete it.

Using Just Enough Administration and Just-in-Time Administration, administrators can request the specific privileges they need for the exact window of time required. For a DNS administrator, for example, using PowerShell to enable Just Enough Administration lets you create a limited set of commands that are available for DNS management.

If the DNS administrator needs to make an update to one of her servers, she would request access to manage DNS using Microsoft Identity Manager 2016. The request workflow can include an approval process such as two-factor authentication, which could call the administrator's mobile phone to confirm her identity before granting the requested privileges. Once granted, those DNS privileges provide access to the PowerShell role for DNS for a specific time span.

Imagine this scenario if the DNS admin's credentials were stolen. First, since the credentials have no admin privileges attached to them, the attacker wouldn't be able to gain access to the DNS server, or any other systems, to make any changes. If the attacker tried to request privileges for the DNS server, second-factor authentication would ask them to confirm their identity. Since it isn't likely that the attacker has the DNS admin's mobile phone, authentication would fail. This would lock the attacker out of the system and alert the IT organization that the credentials might be compromised.
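The DNS-administrator role described above, as an added PowerShell example that is not part of the original article: it registers a JEA endpoint that exposes only DNS cmdlets to members of a placeholder group, runs them under a temporary virtual account instead of the admin's own domain credentials, and transcribes every session. The group CONTOSO\DNS-Admins, the module name DnsJea, the endpoint name DnsAdmin, and the zone and host names are assumptions; the DnsServer module is assumed to be installed on the server.

```powershell
# Added example, not from the original article. Run once, elevated, on the DNS server
# (Windows Server 2016 / PowerShell 5.0 or later). All names below are placeholders.

# A role capability file must live in a RoleCapabilities folder of a module on $env:PSModulePath.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsJea'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'DnsJea.psd1')

# Role capability: only the DnsServer cmdlets needed for zone and record upkeep.
# Nothing else is visible in the session (no script execution, no Invoke-Expression,
# no access to other modules), which is what "Just Enough" means in practice.
$roleParams = @{
    Path            = Join-Path $rcDir 'DnsAdmin.psrc'
    ModulesToImport = 'DnsServer'
    VisibleCmdlets  = @(
        'Get-DnsServerZone',
        'Get-DnsServerResourceRecord',
        'Add-DnsServerResourceRecordA',
        'Remove-DnsServerResourceRecord',
        'Clear-DnsServerCache'
    )
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: map the group to the role, run under a virtual account so the
# connecting user's own credentials never carry admin rights on this host, and keep a
# transcript of every command for the audit trail the GDPR's accountability duty expects.
$scfPath   = Join-Path $env:TEMP 'DnsJea.pssc'
$scfParams = @{
    Path                = $scfPath
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\ProgramData\JEATranscripts'
    RoleDefinitions     = @{ 'CONTOSO\DNS-Admins' = @{ RoleCapabilities = 'DnsAdmin' } }
}
New-PSSessionConfigurationFile @scfParams

# Validate the file before registering it; a malformed .pssc fails here rather than at connect time.
if (-not (Test-PSSessionConfigurationFile -Path $scfPath)) {
    throw "Session configuration file $scfPath is invalid."
}
Register-PSSessionConfiguration -Name 'DnsAdmin' -Path $scfPath -Force | Out-Null

# What the DNS admin then does from a workstation, with a plain (non-admin) domain account:
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsAdmin
#   Get-Command                        # lists only the whitelisted cmdlets
#   Add-DnsServerResourceRecordA -ZoneName contoso.com -Name app01 -IPv4Address 10.0.0.10
# Note: the virtual account is a local Administrator on a member server; on a domain
# controller it is domain-admin equivalent, so scope VisibleCmdlets tightly there.
```

A stolen copy of this admin's credentials gives an attacker only the listed cmdlets on this endpoint, and every invocation lands in the transcript directory.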

In addition, many organizations use the free Local Administrator Password Solution (LAPS) as a simple yet powerful JIT administration mechanism for their server and client systems. The LAPS capability provides management of local account passwords on domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an Access Control List (ACL), so only eligible users can read them or request a reset.

As noted in the Windows Credential Theft Mitigation Guide:

"the tools and techniques criminals use to carry out credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing credentials after compromising a system to expand or persist access, so organizations must contain breaches rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised network."

An important design consideration for Windows Server was mitigating credential theft, in particular derived credentials. Credential Guard provides significantly improved security against derived credential theft and reuse by implementing a significant architectural change in Windows designed to help eliminate hardware-based isolation attacks rather than simply trying to defend against them.

When Windows Defender Credential Guard is in use, NTLM and Kerberos derived credentials are protected using virtualization-based security, and the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate Device Guard, as described below, along with other security strategies and architectures.

Windows Defender Credential GuardWindows Defender Credential Guard

Windows Defender Credential Guard 隔離認證的詳細資訊,避免密碼 hashes 或 Kerberos 門票被攔截使用模擬為基礎的安全性。Windows Defender Credential Guard uses virtualization-based security to isolate credential information, preventing password hashes or Kerberos tickets from being intercepted. 它會使用全新隔離本機安全性授權單位 (LSA) 處理程序,也就是不容易作業系統的其餘部分。It uses an entirely new isolated Local Security Authority (LSA) process, which is not accessible to the rest of the operating system. 隔離 LSA 所使用的所有二進位檔是以之前他們在受保護的環境中,讓 Pass Hash 型攻擊完全無效的驗證憑證簽署。All binaries used by the isolated LSA are signed with certificates that are validated before launching them in the protected environment, making Pass-the-Hash type attacks completely ineffective.

使用 Windows Defender Credential Guard:Windows Defender Credential Guard uses:

  • (必要)模擬為基礎的安全性。Virtualization-based security (required). 還需要:Also required:

    • 64 位元 CPU64-bit CPU

    • CPU 模擬擴充功能,還有延伸的分頁表CPU virtualization extensions, plus extended page tables

    • Windows hypervisorWindows hypervisor

  • 安全開機(必要)Secure boot (required)

  • TPM 2.0「所謂或韌體(慣用-提供硬體繫結)TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)

您可以使用 Windows Defender Credential Guard 保護的認證和 Windows Server 2016 上的 credential 衍生保護身分特殊權限。You can use Windows Defender Credential Guard to help protect privileged identities by protecting the credentials and credential derivatives on Windows Server 2016. 如需有關 Windows Defender Credential Guard 需求的詳細資訊,請查看保護衍生使用 Windows Defender Credential Guard 網域認證For more information on Windows Defender Credential Guard requirements, see Protect derived domain credentials with Windows Defender Credential Guard.
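Before relying on Credential Guard for a GDPR control, confirm that it is actually running rather than merely configured. The following PowerShell is an added example, not code from the article or from Microsoft's documentation; it reads the Win32_DeviceGuard CIM class and the LsaCfgFlags registry value that Windows exposes for this purpose, and the value meanings in the comments are the documented ones.

```powershell
# Added example: report whether virtualization-based security (VBS) and
# Windows Defender Credential Guard are configured and running on this host.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # SecurityServicesConfigured / SecurityServicesRunning:
    #   1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI)
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # AvailableSecurityProperties: 1 = base VBS support, 2 = Secure Boot, 3 = DMA protection
    $secureBoot = $dg.AvailableSecurityProperties -contains 2
    $dmaProtect = $dg.AvailableSecurityProperties -contains 3

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $lsaFlag = if ($lsa) { [int]$lsa.LsaCfgFlags } else { 0 }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        UefiLocked                = ($lsaFlag -eq 1)
        SecureBootAvailable       = $secureBoot
        DmaProtectionAvailable    = $dmaProtect
    }
}

# Treat "configured but not running" as a finding: a reboot, Secure Boot being
# off, or missing virtualization extensions are the usual causes.
$state = Get-CredentialGuardState
$state
if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; check Secure Boot, CPU virtualization extensions and the hypervisor.'
}
```

The UEFI lock (LsaCfgFlags = 1) is the setting to prefer on servers that hold privileged credentials: without it an administrator, or malware running as one, can disable Credential Guard with a registry change and a reboot.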

Windows Defender Remote Credential Guard

Windows Defender Remote Credential Guard on Windows Server 2016 and Windows 10 Anniversary Update also helps protect credentials for users with remote desktop connections. Previously, anyone using Remote Desktop Services had to log on to their local machine and then log on again when they connected to the target machine. This second login passed credentials to the target machine, exposing them to Pass-the-Hash or Pass-the-Ticket attacks.

With Windows Defender Remote Credential Guard, Windows Server 2016 implements single sign-on for Remote Desktop sessions, eliminating the need to re-enter your username and password. Instead, it uses the credentials you already used to log on to your local machine. To use Windows Defender Remote Credential Guard, the Remote Desktop client and server must meet the following requirements:

  • Both must be joined to an Active Directory domain and be in the same domain or in domains with a trust relationship.

  • Both must use Kerberos authentication.

  • Both must be running at least Windows 10 version 1607 or Windows Server 2016.

  • The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.

You can enable Windows Defender Remote Credential Guard by using a registry setting on the Remote Desktop server and Group Policy or a Remote Desktop Connection parameter on the Remote Desktop client. For more information on enabling Windows Defender Remote Credential Guard, see Protect Remote Desktop credentials with Windows Defender Remote Credential Guard. As with Windows Defender Credential Guard, you can use Windows Defender Remote Credential Guard to help protect privileged identities on Windows Server 2016.
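The server-side registry value and the client-side connection switch the paragraph refers to are shown below as an added example; this is not the article's own code. The DisableRestrictedAdmin value and the mstsc.exe /remoteGuard switch are the documented ones; the CredentialsDelegation values are the registry form of the "Restrict delegation of credentials to remote servers" Group Policy setting as I understand it, so confirm the type values against the policy's Explain text before deploying. The host name is a placeholder.

```powershell
# Added example: enable Remote Credential Guard on the RDP server, require it on
# the client, and check the prerequisites the article lists.

function Test-RemoteCredentialGuardPrerequisites {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DomainJoined = $cs.PartOfDomain
        Domain       = $cs.Domain
        BuildNumber  = [int]$os.BuildNumber
        # Windows 10 1607 and Windows Server 2016 are build 14393
        BuildOk      = ([int]$os.BuildNumber -ge 14393)
    }
}

# --- Remote Desktop server ---
# 0 = allow Restricted Admin and Remote Credential Guard connection modes.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null

# --- Remote Desktop client ---
# Policy registry form: RestrictedRemoteAdministration = 1 turns the policy on;
# RestrictedRemoteAdministrationType = 2 selects "Require Remote Credential Guard"
# (1 = Require Restricted Admin, 3 = either), to my understanding of the policy.
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
New-Item -Path $cd -Force | Out-Null
New-ItemProperty -Path $cd -Name RestrictedRemoteAdministration     -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $cd -Name RestrictedRemoteAdministrationType -PropertyType DWord -Value 2 -Force | Out-Null

Test-RemoteCredentialGuardPrerequisites

# Connect with the signed-in Kerberos identity; no password or hash is sent to the
# target. 'rdsh01.corp.example.com' is a placeholder host name.
mstsc.exe /remoteGuard /v:rdsh01.corp.example.com
```

Requiring Remote Credential Guard on the client (rather than leaving it optional) is what closes the gap: an optional setting silently falls back to sending credentials if the target is not configured for it.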

Secure the operating system to run your apps and infrastructure

Preventing cyber threats also requires finding and blocking malware and attacks that seek to gain control by subverting the standard operating practices of your infrastructure. If attackers can get an operating system or application to run in a non-predetermined, non-viable way, they are likely using that system to take malicious actions. Windows Server 2016 provides layers of protection that block external attackers from running malicious software or exploiting vulnerabilities. The operating system takes an active role in protecting infrastructure and applications by alerting administrators to activity that indicates a system has been breached.

Windows Defender Device Guard

Windows Server 2016 includes Windows Defender Device Guard to ensure that only trusted software can be run on the server. Using virtualization-based security, it can limit which binaries can run on the system based on the organization's policy. If anything other than the specified binaries tries to run, Windows Server 2016 blocks it and logs the failed attempt so that administrators can see that there has been a potential breach. Breach notification is a critical part of the requirements for GDPR compliance.

Windows Defender Device Guard is also integrated with PowerShell so that you can authorize which scripts can run on your system. In earlier versions of Windows Server, administrators could bypass code integrity enforcement by simply deleting the policy file. With Windows Server 2016, you can configure a policy that is signed by your organization so that only a person with access to the certificate that signed the policy can change the policy.
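The audit-first workflow for a code integrity policy, as an added example (not the article's or Microsoft's own code): build the policy from a reference server, deploy it in audit mode, review what would have been blocked, and only then enforce and sign it. The ConfigCI cmdlets, the SIPolicy.p7b location and the CodeIntegrity event IDs are the documented ones; the working directory and signer name are placeholders.

```powershell
# Added example: author, audit and enforce a Device Guard code integrity policy.
$policyXml = 'C:\CIPolicy\ServerPolicy.xml'                   # placeholder working path
$policyBin = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' # location Windows loads the policy from

# 1. Scan the reference server. Publisher-level rules are signer based, so they survive
#    updates; hash is the fallback for unsigned files.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $policyXml

# 2. Rule option 3 = Audit Mode: unauthorized binaries are logged, not blocked.
Set-RuleOption -FilePath $policyXml -Option 3

# 3. Compile to the binary form and place it where Windows reads it. Takes effect at reboot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# 4. After a soak period, review the audit trail. 3076 = would have been blocked
#    (audit mode); 3077 = blocked (enforced). Both are the breach indicators the text describes.
function Get-CodeIntegrityEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, MachineName,
                    @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}
Get-CodeIntegrityEvents | Format-Table -AutoSize

# 5. When the audit log is clean: allow only your signing certificate to update the
#    policy, drop audit mode, recompile and sign. 'PolicySigner.cer' is a placeholder
#    for the exported public certificate of your policy-signing key.
# Add-SignerRule -FilePath $policyXml -CertificatePath 'C:\CIPolicy\PolicySigner.cer' -Update
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
# signtool.exe sign /v /n "Contoso Policy Signer" /p7 C:\CIPolicy /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $policyBin
```

Forwarding event 3077 to your SIEM gives you the record of the "failed attempt" the article says administrators need for breach detection; the signed policy in step 5 is what prevents the delete-the-policy bypass described in the paragraph above.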

Control Flow Guard

Windows Server 2016 also includes built-in protection against some classes of memory corruption attacks. Patching your servers is important, but there is always a chance that malware could be developed for a vulnerability that has not yet been identified. Some of the most common methods for exploiting these vulnerabilities are to provide unusual or extreme data to a running program. For example, an attacker can exploit a buffer overflow vulnerability by providing more input to a program than expected and overrunning the area the program reserved to hold a response. This can corrupt adjacent memory that might hold a function pointer.

When the program calls through this function pointer, it can then jump to an unintended location specified by the attacker. These attacks are also known as jump-oriented programming (JOP) attacks. Control Flow Guard prevents JOP attacks by placing tight restrictions on what application code can be executed, especially indirect call instructions. It adds lightweight security checks to identify the set of functions in the application that are valid targets for indirect calls. When an application runs, it verifies that these indirect call targets are valid.

If the Control Flow Guard check fails at runtime, Windows Server 2016 immediately terminates the program, breaking any exploit that attempts to indirectly call an invalid address. Control Flow Guard provides an important additional layer of protection to Device Guard. If a white-listed application has been compromised, it would be able to run unchecked by Device Guard, because the Device Guard screening would see that the application has been signed and is considered trusted.

But because Control Flow Guard can identify whether the application is executing in a non-predetermined, non-viable order, the attack would fail, preventing the compromised application from running. Together, these protections make it very difficult for attackers to inject malware into software running on Windows Server 2016.

Developers building applications where personal data will be handled are encouraged to enable Control Flow Guard (CFG) in their applications. This feature is available in Microsoft Visual Studio 2015 and runs on "CFG-Aware" versions of Windows: the x86 and x64 releases for Desktop and Server of Windows 10 and Windows 8.1 Update (KB3000850). You don't have to enable CFG for every part of your code, as a mixture of CFG-enabled and non-CFG-enabled code will execute fine. But failing to enable CFG for all code can open gaps in the protection. Furthermore, CFG-enabled code works fine on "CFG-Unaware" versions of Windows and is therefore fully compatible with them.
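How a developer turns CFG on and how an operator verifies that a shipped binary actually has it, as an added example that is not part of the article. It assumes a Visual Studio 2015 (or later) developer command prompt so that cl.exe, link.exe and dumpbin.exe are on the PATH; app.cpp and app.exe are placeholder names. The /guard:cf switch and the dumpbin /loadconfig output are real; the rest is the example's own scaffolding.

```powershell
# Added example: build with Control Flow Guard and verify the flag in the PE image.

# /guard:cf must reach both the compiler (instruments indirect calls) and the linker
# (emits the valid-target table). A module that misses either has unchecked indirect
# calls, which is the "gap in the protection" the article warns about.
cl.exe /O2 /guard:cf app.cpp /link /guard:cf /out:app.exe

function Test-CfgEnabled {
    param([Parameter(Mandatory)][string]$Path)
    # dumpbin /loadconfig prints the load configuration directory; the "Guard Flags"
    # section lists "CF Instrumented" only when the image was linked with /guard:cf.
    $out = & dumpbin.exe /loadconfig $Path 2>&1
    return [bool]($out -match 'CF Instrumented')
}

# Audit every native module in a deployment folder so a single un-instrumented DLL
# does not slip in. 'C:\Deploy\App' is a placeholder path.
function Get-CfgCoverage {
    param([string]$Folder = 'C:\Deploy\App')
    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll | ForEach-Object {
        [pscustomobject]@{ File = $_.FullName; CfgEnabled = (Test-CfgEnabled -Path $_.FullName) }
    }
}

Test-CfgEnabled -Path .\app.exe
Get-CfgCoverage | Where-Object { -not $_.CfgEnabled }
```

In an MSBuild project the equivalent of the two switches is the ControlFlowGuard property set to Guard for the C/C++ configuration, which applies it to both compile and link steps.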

Windows Defender Antivirus

Windows Server 2016 includes the industry-leading, active detection capabilities of Windows Defender to block known malware. Windows Defender Antivirus (AV) works together with Windows Defender Device Guard and Control Flow Guard to prevent malicious code of any kind from being installed on your servers. It is turned on by default; the administrator does not need to take any action for it to start working. Windows Defender AV is also optimized to support the various server roles in Windows Server 2016. In the past, attackers used shells such as PowerShell to launch malicious binary code. In Windows Server 2016, PowerShell is now integrated with Windows Defender AV to scan for malware before launching the code.

Windows Defender AV is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. Windows Defender AV has been significantly improved since it was introduced in Windows 8. Windows Defender Antivirus in Windows Server uses a multi-pronged approach to improve antimalware protection:

  • Cloud-delivered protection helps detect and block new malware within seconds, even if the malware has never been seen before.

  • Rich local context improves how malware is identified. Windows Server informs Windows Defender AV not only about content such as files and processes, but also where the content came from, where it has been stored, and more.

  • Extensive global sensors help keep Windows Defender AV current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from endpoints and by centrally analyzing that data.

  • Tamper proofing helps guard Windows Defender AV itself against malware attacks. For example, Windows Defender AV uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender AV components, its registry keys, and so on.

  • Enterprise-level features give IT pros the tools and configuration options necessary to make Windows Defender AV an enterprise-class antimalware solution.
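An added example (not code from the article) showing how an administrator confirms that the default-on protection is healthy on a role server and switches on the cloud-delivered protection the list describes. The Defender module cmdlets and Get-MpComputerStatus properties used here are the documented ones; the exclusion path and the three-day signature threshold are the example's own choices.

```powershell
# Added example: health check and cloud-protection configuration for Windows Defender AV.

function Get-DefenderHealth {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ServiceEnabled      = $s.AMServiceEnabled
        RealTimeProtection  = $s.RealTimeProtectionEnabled
        BehaviorMonitoring  = $s.BehaviorMonitorEnabled
        SignatureAgeDays    = $s.AntivirusSignatureAge
        # A signature set older than a few days usually means updates are being blocked
        # (proxy, WSUS approval) or that something disabled the engine; 3 days is a chosen threshold.
        SignaturesCurrent   = ($s.AntivirusSignatureAge -le 3)
        LastFullScan        = $s.FullScanEndTime
    }
}

# Cloud-delivered protection (MAPS) plus sample submission, so files never seen before
# can be classified in seconds rather than waiting for the next signature release.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# Real-time and behaviour monitoring are on by default; setting them explicitly makes
# the configuration auditable and reverts any local tampering.
Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false

# Role-specific tuning is done with exclusions, never by turning protection off.
# Example for a Hyper-V host whose VHD store lives on D:\VMs (placeholder path).
Add-MpPreference -ExclusionPath 'D:\VMs'

Update-MpSignature
$health = Get-DefenderHealth
$health
if (-not ($health.ServiceEnabled -and $health.RealTimeProtection -and $health.SignaturesCurrent)) {
    Write-Warning 'Windows Defender AV is not in a healthy state on this server.'
}
```

The PowerShell scanning integration mentioned above needs no configuration; it is the reason script content is inspected at run time even when it never touches disk, so keep real-time protection enabled rather than relying on scheduled scans.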

Enhanced security auditing

Windows Server 2016 actively alerts administrators to potential breach attempts with enhanced security auditing that provides more detailed information, which can be used for faster attack detection and forensic analysis. It logs events from Control Flow Guard, Windows Defender Device Guard, and other security features in one location, making it easier for administrators to determine which systems may be at risk.

New event categories include:

  • Audit Group Membership. Allows you to audit the group membership information in a user's logon token. Events are generated when group memberships are enumerated or queried on the PC where the logon session was created.

  • Audit PnP Activity. Allows you to audit when plug and play detects an external device, which could contain malware. PnP events can be used to track down changes in system hardware. A list of hardware vendor IDs is included in the event.

Windows Server 2016 integrates easily with security information and event management (SIEM) systems, such as Microsoft Operations Management Suite (OMS), which can incorporate the information into intelligence reports on potential breaches. The depth of information provided by the enhanced auditing enables security teams to identify and respond to potential breaches more quickly and effectively.
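The two subcategories above are off by default. The following added example (not from the article) enables them with auditpol and pulls the resulting Security-log events into a flat shape suitable for forwarding to a SIEM. Subcategory names and event IDs (4627 for group membership, 6416 for a newly recognized external device) are the documented ones; the EventData field names are those the events expose in their XML, so verify them on your build if you extend the parser.

```powershell
# Added example: enable the new audit subcategories and collect their events.

auditpol.exe /set /subcategory:"Group Membership"     /success:enable
auditpol.exe /set /subcategory:"Plug and Play Events" /success:enable /failure:enable

function Get-NewAuditEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24), [int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4627, 6416
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the EventData name/value pairs rather than scraping the message text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($_.Id -eq 4627) {
            # Group membership of a logon token: who logged on and which groups the token carries.
            [pscustomobject]@{
                Time = $_.TimeCreated; Computer = $_.MachineName; Id = 4627
                Kind = 'GroupMembership'
                Subject = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Detail  = (($d['GroupMembership'] -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ';'
            }
        } else {
            # New external device: description and hardware IDs, including vendor IDs.
            [pscustomobject]@{
                Time = $_.TimeCreated; Computer = $_.MachineName; Id = 6416
                Kind = 'PnPDevice'
                Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Detail  = "$($d['DeviceDescription']) class=$($d['ClassName']) id=$($d['DeviceId']) vendor=$($d['VendorIds'])"
            }
        }
    }
}

# Example: write the last day of events to a CSV the SIEM collector picks up (placeholder path).
Get-NewAuditEvents | Export-Csv -Path 'C:\AuditExport\new-audit-events.csv' -NoTypeInformation
```

A 4627 event whose Detail contains a high-privilege group for an account that normally has none, or a 6416 event on a server that should never see removable media, are the kinds of signals worth an alert rule rather than a dashboard.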

Secure virtualization

Enterprises today virtualize everything they can, from SQL Server to SharePoint to Active Directory Domain Controllers. Virtual machines (VMs) simply make it easier to deploy, manage, service, and automate your infrastructure. But when it comes to security, compromised virtualization fabrics have become a new attack vector that is hard to defend against, until now. From a GDPR perspective, you should think about protecting VMs as you would protect physical servers, including the use of VM TPM technology.

Windows Server 2016 fundamentally changes how enterprises can secure virtualization by including multiple technologies that allow you to create virtual machines that will run only on your own fabric, helping to protect them from the storage, network, and host devices they run on.

Shielded Virtual Machines

The same things that make virtual machines so easy to migrate, back up, and replicate also make them easier to modify and copy. A virtual machine is just a file, so it is not protected on the network, in storage, in backups, or elsewhere. Another issue is that fabric administrators, whether they are storage administrators or network administrators, have access to all the virtual machines.

A compromised administrator on the fabric can easily result in compromised data across virtual machines. All the attacker must do is use the compromised credentials to copy whatever VM files they like onto a USB drive and walk it out of the organization, where those VM files can be accessed from any other system. If any one of those stolen VMs were an Active Directory domain controller, for example, the attacker could easily view the content and use readily available brute force techniques to crack the passwords in the Active Directory database, ultimately giving them access to everything else within your infrastructure.

Windows Server 2016 introduces Shielded Virtual Machines (Shielded VMs) to help protect against scenarios like the one just described. Shielded VMs include a virtual TPM device, which enables organizations to apply BitLocker encryption to the virtual machines and ensure they run only on trusted hosts, to help protect against compromised storage, network, and host administrators. Shielded VMs are created using Generation 2 VMs, which support Unified Extensible Firmware Interface (UEFI) firmware and have a virtual TPM.

Host Guardian Service

Alongside Shielded VMs, the Host Guardian Service is an essential component for creating a secure virtualization fabric. Its job is to attest to the health of a Hyper-V host before it will allow a Shielded VM to boot or to migrate to that host. It holds the keys for Shielded VMs and will not release them until the security health is assured. There are two ways that you can require Hyper-V hosts to attest to the Host Guardian Service.

The first, and most secure, is hardware-trusted attestation. This solution requires that your Shielded VMs run on hosts that have TPM 2.0 chips and UEFI 2.3.1. This hardware is required to provide the measured boot and operating system kernel integrity information required by the Host Guardian Service to ensure the Hyper-V host has not been tampered with.

IT organizations have the alternative of using Admin-trusted attestation, which may be desirable if TPM 2.0 hardware is not in use in your organization. This attestation model is easy to deploy because hosts are simply placed into a security group and the Host Guardian Service is configured to allow Shielded VMs to run on hosts that are members of the security group. With this method, there is no complex measurement to ensure that the host machine hasn't been tampered with. However, you do eliminate the possibility of unencrypted VMs walking out the door on USB drives or of the VM running on an unauthorized host. This is because the VM files won't run on any machine other than those in the designated group. If you do not yet have TPM 2.0 hardware, you can start with Admin-trusted attestation and switch to hardware-trusted attestation when your hardware is upgraded.
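The Admin-trusted configuration described above, as an added example (not code from the article or the HGS documentation): register the security group of authorized hosts on the HGS server, point each Hyper-V host at HGS, and confirm the host attests before any Shielded VM is placed on it. The HgsServer and HgsClient cmdlets and the Get-HgsClientConfiguration property names are the documented ones; the SID, group name and URLs are placeholders.

```powershell
# Added example: Admin-trusted attestation setup and readiness check.

# --- On the HGS server ---
# The SID of the fabric-domain security group whose members may run Shielded VMs.
# Placeholder; in practice: (Get-ADGroup 'GuardedHosts').SID.Value in the fabric domain.
$hostGroupSid = 'S-1-5-21-0-0-0-1234'
Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier $hostGroupSid
Get-HgsAttestationHostGroup | Format-Table Name, Identifier

# --- On each Hyper-V host ---
Set-HgsClientConfiguration -AttestationServerUrl   'http://hgs.relecloud.example/Attestation' `
                           -KeyProtectionServerUrl 'http://hgs.relecloud.example/KeyProtection'

function Test-GuardedHostReady {
    $c = Get-HgsClientConfiguration
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        Mode             = $c.Mode                     # Local or HostGuardianService
        AttestationMode  = $c.AttestationOperationMode # ActiveDirectory (admin-trusted) or TPM
        AttestationState = $c.AttestationStatus        # Passed once the host has attested
        Substatus        = $c.AttestationSubstatus
        # Only a host that is guarded AND has passed attestation will receive VM keys.
        Ready            = ($c.IsHostGuarded -and $c.AttestationStatus -eq 'Passed')
    }
}

$ready = Test-GuardedHostReady
$ready
if (-not $ready.Ready) {
    # Built-in diagnostics explain the failure: group membership or Kerberos for
    # admin-trusted mode; TPM, UEFI, Secure Boot and IOMMU for TPM-trusted mode.
    Get-HgsTrace -RunDiagnostics
}
```

When you later move to hardware-trusted attestation, the host-side command does not change; the HGS server instead needs each host's TPM identifier, a code integrity policy and a TPM baseline registered, and the AttestationOperationMode shown by the check above switches to TPM.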

Virtual Machine Trusted Platform Module

Windows Server 2016 supports TPM for virtual machines, which allows you to use advanced security technologies such as BitLocker® Drive Encryption inside virtual machines. You can enable TPM support on any Generation 2 Hyper-V virtual machine by using Hyper-V Manager or the Enable-VMTPM Windows PowerShell cmdlet.

You can protect the virtual TPM (vTPM) by using local cryptographic keys stored on the host or keys stored in the Host Guardian Service. So, while the Host Guardian Service requires more infrastructure, it also provides more protection.
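The "local keys on the host" option, as an added example that is not the article's code: create a local guardian whose certificates wrap the vTPM keys, attach a key protector built from it to a Generation 2 VM, enable the vTPM, and check the result. The HgsClient and Hyper-V cmdlets are the documented ones (Enable-VMTPM is named in the text); the VM and guardian names are placeholders.

```powershell
# Added example: vTPM with a host-local guardian (no Host Guardian Service).
$vmName = 'app-sql01'   # placeholder VM name; must be a Generation 2 VM

$vm = Get-VM -Name $vmName
if ($vm.Generation -ne 2) { throw "$vmName is Generation $($vm.Generation); vTPM needs Generation 2." }

# A guardian holds the certificates that encrypt the vTPM state. A locally generated,
# self-signed guardian ties the VM to this host; an HGS-issued guardian ties it to the fabric.
$guardian = Get-HgsGuardian -Name 'LocalOwner' -ErrorAction SilentlyContinue
if (-not $guardian) {
    $guardian = New-HgsGuardian -Name 'LocalOwner' -GenerateCertificates
}

# Key protector built from the owner guardian; -AllowUntrustedRoot because the
# generated certificates are self-signed.
$kp = New-HgsKeyProtector -Owner $guardian -AllowUntrustedRoot

if ($vm.State -ne 'Off') { Stop-VM -Name $vmName -Force }
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $vmName
Start-VM -Name $vmName

function Get-VmTpmState {
    param([Parameter(Mandatory)][string]$Name)
    $sec = Get-VMSecurity -VMName $Name
    [pscustomobject]@{
        VM         = $Name
        Generation = (Get-VM -Name $Name).Generation
        TpmEnabled = $sec.TpmEnabled
        Shielded   = $sec.Shielded
    }
}
Get-VmTpmState -Name $vmName

# Inside the guest, once it is running with the vTPM, BitLocker can use it as the
# key protector exactly as on a physical server:
#   Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256
```

The caveat the paragraph makes is visible here: with a local guardian the certificates live on this host, so a copied VHD is protected, but an administrator of this host still controls the keys. Replacing the local guardian with one issued by the Host Guardian Service (and marking the VM shielded) is what removes that trust in the host administrator.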

Distributed network firewall using software-defined networking

One way to improve protection in virtualized environments is to segment the network in a way that allows VMs to talk only to the specific systems required for them to function. For example, if your application doesn't need to connect to the Internet, you can partition it off, eliminating those systems as targets for external attackers. The software-defined networking (SDN) in Windows Server 2016 includes a distributed network firewall that allows you to dynamically create security policies that can protect your applications from attacks coming from inside or outside a network. This distributed network firewall adds layers to your security by enabling you to isolate your applications in the network. Policies can be applied anywhere across your virtual network infrastructure, isolating VM-to-VM traffic, VM-to-host traffic, or VM-to-Internet traffic where necessary, either for individual systems that may have been compromised or programmatically across multiple subnets. Windows Server 2016 software-defined networking capabilities also enable you to route or mirror incoming traffic to non-Microsoft virtual appliances. For example, you could choose to send all your email traffic through a Barracuda virtual appliance for additional spam filtering protection. This allows you to easily layer in additional security, both on-premises and in the cloud.
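A concrete segmentation policy for the SDN distributed firewall (Datacenter Firewall), as an added example rather than code from the article: an access control list that lets only the web-tier subnet reach a SQL VM on TCP 1433, denies every other inbound flow with logging, and is attached to the VM's network interface through the Network Controller. The NetworkController cmdlets and .NET object types are the documented ones; the Network Controller URI, subnet, and resource IDs are placeholders.

```powershell
# Added example: Datacenter Firewall ACL for a SQL tier, applied via Network Controller.
$uri = 'https://nc.relecloud.example'   # placeholder Network Controller REST endpoint

function New-AclRule {
    param(
        [string]$Id, [string]$Type, [string]$Action, [int]$Priority,
        [string]$Src, [string]$Dst, [string]$DstPorts, [string]$Protocol = 'TCP'
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type                     = $Type        # Inbound or Outbound
    $p.Action                   = $Action      # Allow or Deny
    $p.Priority                 = "$Priority"  # lower value is evaluated first
    $p.Protocol                 = $Protocol    # TCP, UDP or All
    $p.SourceAddressPrefix      = $Src
    $p.DestinationAddressPrefix = $Dst
    $p.SourcePortRange          = '0-65535'
    $p.DestinationPortRange     = $DstPorts
    $p.Logging                  = 'Enabled'    # denied flows become evidence for the SIEM
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id
    $r.Properties = $p
    return $r
}

$rules = @(
    (New-AclRule -Id 'AllowSqlFromWebTier' -Type Inbound  -Action Allow -Priority 100 -Src '10.0.1.0/24' -Dst '*' -DstPorts '1433'),
    (New-AclRule -Id 'DenyAllOtherInbound' -Type Inbound  -Action Deny  -Priority 200 -Src '*' -Dst '*' -DstPorts '0-65535' -Protocol 'All'),
    (New-AclRule -Id 'AllowOutbound'       -Type Outbound -Action Allow -Priority 100 -Src '*' -Dst '*' -DstPorts '0-65535' -Protocol 'All')
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
$acl = New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId 'SqlTierAcl' `
                                              -Properties $aclProps -Force

# Attach the ACL to the SQL VM's first IP configuration (NIC resource id is a placeholder).
$nic = Get-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId 'sql01-nic'
$nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
New-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId $nic.ResourceId `
                                      -Properties $nic.Properties -Force
```

Because the ACL is a Network Controller resource, the same object can be attached to a whole virtual subnet instead of one NIC, which is the "programmatically across multiple subnets" case in the paragraph; swapping the inbound rule for a deny-all is the quick way to isolate a single VM that is suspected of being compromised while it is investigated.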

Other GDPR considerations for servers

The GDPR includes explicit requirements for breach notification, where a personal data breach means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." Obviously, you can't begin to meet the stringent GDPR notification requirement of 72 hours if you cannot detect the breach in the first place.

As noted in the Windows Security Center white paper, Post Breach: Dealing with Advanced Threats:

"Unlike pre-breach, post-breach assumes a breach has already occurred, acting as a flight recorder and Crime Scene Investigator (CSI). Post-breach provides security teams the information and toolset needed to identify, investigate, and respond to attacks that otherwise will stay undetected and below the radar."

In this section we will look at how Windows Server can help you meet your GDPR breach notification obligations. This starts with understanding the underlying threat data available to Microsoft that is gathered and analyzed for your benefit, and how, through Windows Defender Advanced Threat Protection (ATP), that data can be critical to you.

Insightful security telemetry

For nearly two decades, Microsoft has been turning threats into useful intelligence that can help fortify its platform and protect customers. Today, with the immense computing advantages afforded by the cloud, we are finding new ways to use our rich analytics engines, driven by threat intelligence, to protect our customers.

By applying a combination of automated and manual processes, machine learning and human experts, we can create an Intelligent Security Graph that learns from itself and evolves in real time, reducing our collective time to detect and respond to new incidents across our products.

Figure: Microsoft Intelligent Security Graph

The scope of Microsoft's threat intelligence spans, literally, billions of data points: 35 billion messages scanned monthly, 1 billion customers across enterprise and consumer segments accessing 200+ cloud services, and 14 billion authentications performed daily. All this data is pulled together on your behalf by Microsoft to create the Intelligent Security Graph, which can help you protect your front door in a dynamic way to stay secure, remain productive, and meet the requirements of the GDPR.

Detecting attacks and forensic investigation

Even the best endpoint defenses may be breached eventually, as cyberattacks become more sophisticated and targeted. Two capabilities can be used to help with potential breach detection: Windows Defender Advanced Threat Protection (ATP) and Microsoft Advanced Threat Analytics (ATA).

Windows Defender Advanced Threat Protection (ATP) helps you detect, investigate, and respond to advanced attacks and data breaches on your networks. These are the types of data breach that the GDPR expects you to protect against through technical security measures that ensure the ongoing confidentiality, integrity, and availability of personal data and processing systems.

Among the key benefits of Windows Defender ATP are the following:

  • Detecting the undetectable. Sensors built deep into the operating system kernel, Windows security experts, and unique optics from over 1 billion machines and signals across all Microsoft services.

  • Built in, not bolted on. Agentless, with high performance and minimal impact, cloud-powered; easy management with no deployment.

  • Single pane of glass for Windows security. Explore 6 months of a rich machine timeline unifying security events from Windows Defender ATP, Windows Defender Antivirus, and Windows Defender Device Guard.

  • Power of the Microsoft graph. Leverages the Microsoft Intelligent Security Graph to integrate detection and exploration with an Office 365 ATP subscription, to track back and respond to attacks.

Read more at What's new in the Windows Defender ATP Creators Update preview.

ATA is an on-premises product that helps detect identity compromise in an organization. ATA can capture and parse network traffic for authentication, authorization, and information gathering protocols (such as Kerberos, DNS, RPC, NTLM, and other protocols). ATA uses this data to build a behavioral profile of users and other entities on a network so that it can detect anomalies and known attack patterns. The following table lists the attack types detected by ATA.

Attack type: Malicious attacks
Description: These attacks are detected by looking for attacks from a known list of attack types, including:
  • Pass-the-Ticket (PtT)
  • Pass-the-Hash (PtH)
  • Overpass-the-Hash
  • Forged PAC (MS14-068)
  • Golden Ticket
  • Malicious replications
  • Reconnaissance
  • Brute force
  • Remote execution
For a complete list of malicious attacks that can be detected and their descriptions, see What Suspicious Activities Can ATA detect?

Attack type: Abnormal behavior
Description: These attacks are detected by using behavioral analysis and machine learning to identify questionable activities, including:
  • Anomalous logins
  • Unknown threats
  • Password sharing
  • Lateral movement

Attack type: Security issues and risks
Description: These attacks are detected by looking at current network and system configuration, including:
  • Broken trust
  • Weak protocols
  • Known protocol vulnerabilities

You can use ATA to help detect attackers attempting to compromise privileged identities. For more information on deploying ATA, see the Plan, Design, and Deploy topics in the Advanced Threat Analytics documentation.

Disclaimer

This article is a commentary on the GDPR, as Microsoft interprets it, as of the date of publication. We've spent a lot of time with the GDPR and like to think we've been thoughtful about its intent and meaning. But the application of the GDPR is highly fact-specific, and not all aspects and interpretations of the GDPR are well settled.

As a result, this article is provided for informational purposes only and should not be relied upon as legal advice or to determine how the GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss the GDPR, how it applies specifically to your organization, and how best to ensure compliance.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS ARTICLE. This article is provided "as-is." Information and views expressed in this article, including URL and other Internet website references, may change without notice.

This article does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this article for your internal, reference purposes only.

Published September 2017
Version 1.0
© 2017 Microsoft. All rights reserved.