Preventing Kerberos change password that uses RC4 secret keys

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2008 R2, and Windows Server 2008

This topic for the IT professional explains some limitations in the Kerberos protocol that could lead to a malicious user taking control of a user’s account. There is a limitation in the Kerberos Network Authentication Service (V5) standard (RFC 4120), which is well-known within the industry, whereby an attacker can authenticate as a user or change that user’s password if the attacker knows the user’s secret key.

Possession of a user’s password-derived Kerberos secret keys (RC4 and Advanced Encryption Standard [AES] by default) is validated during the Kerberos password change exchange per RFC 4757. The user’s plaintext password is never provided to the Key Distribution Center (KDC), and by default, Active Directory domain controllers do not possess a copy of plaintext passwords for accounts. If the domain controller does not support a Kerberos encryption type, that secret key cannot be used to change the password.

In the Windows operating systems designated in the Applies To list at the beginning of this topic, there are three ways to block the ability to change passwords by using Kerberos with RC4 secret keys:

  • Configure the user account to include the account option Smart card is required for interactive logon. This limits the user to only signing in with a valid smart card so that RC4 authentication service requests (AS-REQs) are rejected. To set the account options on an account, right-click the account, then click Properties, and click the Account tab.

  • Disable RC4 support for Kerberos on all domain controllers. This requires a minimum of a Windows Server 2008 domain functional level and an environment where all Kerberos clients, application servers, and trust relationships to and from the domain support AES. Support for AES was introduced in Windows Server 2008 and Windows Vista.

    [!NOTE] There is a known issue with disabling RC4 which can cause the system to restart. See the following hotfixes:

  • Deploy domains set to Windows Server 2012 R2 domain functional level or higher, and configure users as members of the Protected Users security group. Because this feature disrupts more than just RC4 usage in the Kerberos protocol, see resources in the following See also section.
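The following PowerShell is an added example, not part of this Microsoft topic: it audits which domain controllers still advertise RC4 (the second mitigation) and, for a constructed list of accounts, reports and optionally applies the first and third mitigations (Smart card is required for interactive logon, Protected Users membership). It assumes the ActiveDirectory RSAT module and an account with rights to read and modify the target users; the SAM account names are placeholders.

```powershell
# Added example (not from the original topic). Assumes the ActiveDirectory
# module; $TargetUsers is a constructed placeholder list. Changes are only
# previewed (-WhatIf) until $Remediate is set to $true.
Import-Module ActiveDirectory

$TargetUsers = @('alice', 'bob')   # constructed sample SAM account names
$Remediate   = $false

# msDS-SupportedEncryptionTypes bit values: RC4-HMAC = 4, AES128 = 8, AES256 = 16
$RC4_BIT  = 4
$AES_BITS = 8 -bor 16

# 1. Which domain controllers still advertise RC4 for Kerberos?
foreach ($dc in Get-ADDomainController -Filter *) {
    $acct   = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties msDS-SupportedEncryptionTypes
    $etypes = $acct.'msDS-SupportedEncryptionTypes'
    # An unset (null) or 0 value means the DC falls back to the OS default,
    # which still includes RC4 on the releases this topic covers.
    $rc4 = (-not $etypes) -or (($etypes -band $RC4_BIT) -ne 0)
    $aes = [bool]$etypes -and (($etypes -band $AES_BITS) -ne 0)
    "{0,-30} RC4={1,-5} AES={2}" -f $dc.HostName, $rc4, $aes
}

# 2. Protected Users requires a Windows Server 2012 R2 domain functional level or higher.
$dfl = (Get-ADDomain).DomainMode
$tooLow = @('Windows2000Domain','Windows2003InterimDomain','Windows2003Domain',
            'Windows2008Domain','Windows2008R2Domain','Windows2012Domain')
$protectedUsersOk = $dfl -notin $tooLow
"Domain functional level: $dfl (Protected Users usable: $protectedUsersOk)"

# 3. Per-user status, with optional remediation.
foreach ($sam in $TargetUsers) {
    $u = Get-ADUser -Identity $sam -Properties SmartcardLogonRequired, MemberOf
    $inProtected = [bool]($u.MemberOf -match '^CN=Protected Users,')
    "{0,-12} SmartCardRequired={1,-5} ProtectedUsers={2}" -f $sam, $u.SmartcardLogonRequired, $inProtected
    if (-not $u.SmartcardLogonRequired) {
        # Note: setting this option makes the DC assign the account a random password.
        Set-ADUser -Identity $u -SmartcardLogonRequired $true -WhatIf:(-not $Remediate)
    }
    if ($protectedUsersOk -and -not $inProtected) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $u -WhatIf:(-not $Remediate)
    }
}
```

Review the RC4/AES report before flipping $Remediate: as the topic notes, a DC advertising only AES must be matched by AES support on every client, application server and trust.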

See Also