Windows Server 2016: Understanding Microsoft's Enhanced Security Administrative Environment

 


In today's Ask the Admin, I look at Microsoft's recommendations for securing existing Active Directory forests using its Enhanced Security Administrative Environment (ESAE).

It's no secret that security is a major topic for organizations in today's always-connected environment, but securing existing Active Directory (AD) forests can be difficult for two reasons. First, production forests are often already compromised, and the only way to be sure that hackers don't have control is to rebuild the forest from scratch. That is an undertaking that is costly and impractical in most cases. Second, it isn't possible to harden production forests enough to provide adequate protection for privileged credentials. Doing so would likely break functionality in the domain.

To address these problems, new features in Windows Server 2016, including Shadow Principals and time-limited AD groups, help enterprises manage Active Directory (AD) forests from a hardened administrative AD forest. Microsoft's complete solution for this is ESAE. Not only does ESAE allow dedicated security controls to be applied to privileged accounts, it also provides a way for user accounts in the admin forest to be granted privileges to manage the production forest.

Enhanced Security Administrative Environment Forest (Image Credit: Microsoft)


For more information on JIT administration, temporary AD groups, and Privileged Identity Management (PIM), see Windows Server vNext Privileged Access Management and Windows Server 2016: Set Up Privileged Access Management on the Petri IT Knowledgebase.

ESAE Administrative Forest Best Practices

In Windows Server 2016: Set Up Privileged Access Management on Petri, I described the technical steps for setting up an ESAE forest, configuring a PIM trust with an existing production forest, and setting up Shadow Principals so that users in the ESAE admin forest can get time-limited access to the production forest.

Scope and Hardening

Because the admin forest can manage the production forest, it is critical to make sure that the admin forest stays secure. One way to do that is to limit its scope. Admin domains should not be used to host applications or services that are unrelated to the forest's primary function. Make sure that the admin domain is limited to managing privileged accounts, and that adding another forest doesn't introduce avoidable complexity into your environment.

The production forest should be configured with a one-way PIM or domain trust to the admin forest. Some requirements in the production forest may call for a two-way trust with the admin forest.

Users in the admin forest who are granted access to production forests should not hold privileged credentials in the admin forest. They should be standard users. Administrative access to the admin forest itself should be tightly controlled using manual procedures. Admin domains should be locked down using the security baselines provided in the Microsoft Security Compliance Toolkit, with OS updates applied as soon as they become available.

Access to the admin forest should be performed from privileged access workstations, that is, workstations specifically hardened for use by admin forest accounts. Additional security measures should be used to protect the admin forest, including BitLocker full-drive encryption, device restrictions, USB port restrictions, security safeguards, strong authentication, physical security, and antimalware.

Group Policy

Using Shadow Principals, you can grant users in the admin forest privileged access to the production forest. One limitation is that admin forest users granted this access cannot edit Group Policy, because they are users from an external forest. Because Domain Admins is a global group, users from external forests cannot be added to it. What this means in practice is that although you can add an admin forest user to a Shadow Principal that represents the Domain Admins group in the production forest, the permissions they are granted there do not allow them to edit Group Policy.

To allow admin forest users to edit Group Policy Objects (GPOs), you must modify the security permissions on the AD object for each GPO (CN={GPO_GUID},CN=System,DC=domain...) using ADSI Edit. To make sure that admin forest users can create and edit new GPOs in the production forest, you must change the default security descriptor on the Group Policy Container classSchema object in the forest schema. For more information on changing GPO permissions, see Microsoft's website here.

Microsoft Identity Manager

Privileged access to production forests should be managed using a workflow. Microsoft Identity Manager (MIM) is the natively supported solution, but it must be licensed separately.

MIM allows organizations to set up groups that have "candidate" members. When a user needs privileged access to the production forest, their candidate membership of a group can be 'activated' for a limited time using MIM.

The technical components required to set up ESAE are included out of the box in Windows Server 2016. The production forest must be running at the Windows Server 2012 R2 or Windows Server 2016 Active Directory functional level. MIM is not required. You can use your own home-grown solution to handle the workflow, or use a third-party identity management solution.
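The trust and functional-level recommendations above can be checked with a read-only script. This is an added example, not code from the original article; the function name is hypothetical, the admin forest name is supplied by the caller, and it assumes the ActiveDirectory RSAT module on a host in the production forest.

```powershell
# Added example, not from the original article. Read-only checks, run in the
# production forest with the ActiveDirectory (RSAT) module available.
Import-Module ActiveDirectory

function Test-EsaeProductionForest {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$AdminForest           # DNS name of the admin forest (caller supplies it)
    )
    $pimTrustBit = 0x400               # TRUST_ATTRIBUTE_PIM_TRUST bit in trustAttributes (MS-ADTS)
    $findings = @()

    # The article requires the 2012 R2 or 2016 forest functional level.
    $mode = [string](Get-ADForest).ForestMode
    if ($mode -notin 'Windows2012R2Forest', 'Windows2016Forest') {
        $findings += "Forest functional level is $mode"
    }

    # Find the trust object that points at the admin forest.
    $trust = Get-ADTrust -Filter "Target -eq '$AdminForest'"
    if (-not $trust) {
        $findings += "No trust to $AdminForest found"
        return $findings
    }

    # One-way means production trusts admin, which is Outbound seen from here.
    if ([string]$trust.Direction -ne 'Outbound') {
        $findings += "Trust direction is $($trust.Direction); confirm a two-way trust is really required"
    }

    # Report whether the trust carries the PIM flag.
    if (-not ($trust.TrustAttributes -band $pimTrustBit)) {
        $findings += 'Trust does not have the PIM trust flag set'
    }

    return $findings
}

# Usage: an empty result means none of the checks raised a finding.
# Test-EsaeProductionForest -AdminForest 'admin.example'   # placeholder name
```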

Bolt-On Security

In an ideal world, Active Directory and server security would be a priority and baked in from the start. Enterprise environments often evolve without consideration for security, and starting over is rarely an option. Microsoft's ESAE solution is a compromise: it adds complexity, which can be mitigated by limiting the scope of the admin forest, but it can establish security for production domains.

ESAE can work for many enterprises, but it doesn't work everywhere. Not everything can be managed by users from external forests. In these cases, you might consider a tailored ESAE implementation. Microsoft doesn't share exactly how it implements its own ESAE. And although the technical requirements are easy to meet, ESAE is really worthwhile if you follow best practices to secure the admin forest.

If you want more detail on how to set up ESAE using Windows Server 2016 Shadow Principals and a PIM trust, make sure you check out Windows Server 2016: Set Up Privileged Access Management on the Petri IT Knowledgebase.

The post Windows Server 2016: Understanding Microsoft's Enhanced Security Administrative Environment appeared first on Petri.