Windows Server 2016: Temporary Group Membership

 

In today's Ask the Admin, I'll show you how to use temporary Active Directory group membership.

The Just-in-Time (JIT) administration model was introduced in Windows Server 2016 and lets system administrators grant users privileges for a limited period of time. Alongside PowerShell Just-Enough-Administration (JEA), which lets administrators define the list of cmdlets, parameters, and modules available in a PowerShell session, JIT has two goals. The first is to protect against standing privileges, where users are granted elevated roles for a long or unnecessary period. The second is to avoid permanently granting privileges that may only be needed for a short time.

The ability to add users to groups with a time-to-live (TTL) value is part of the JIT model. It can be useful in situations where you don't have the resources to set up Microsoft's recommendations for JIT administration but would still like to benefit from temporary Active Directory (AD) group membership.

For more information on PAM in Windows Server 2016 and Microsoft's recommendations for implementing JIT administration, see Windows Server vNext Privileged Access Management on the Petri IT Knowledgebase.

Use Temporary Active Directory Group Membership

I'm not going to show you how to set up a Privileged Identity Management (PIM) trust or how to configure shadow principals, but how to add users to AD groups and have them removed automatically after a period of time.

Add an account to an Active Directory group with a time-to-live value (Image Credit: Russell Smith)


Before you can use temporary AD group membership, you need to enable the Privileged Access Management Feature, which is an optional AD feature. The changes made to your domain when you add the PAM feature are irreversible. The PAM feature was designed to be used in bastion forests rather than production forests, so you need to decide whether you want to add it to your production environment.

Log in to a domain controller using an account that has permission to modify the AD schema. Replace ad.contoso.com with the name of the domain you want to modify.

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target ad.contoso.com

Now let's add an account to the Account Operators group with a TTL of 15 minutes. Replace russells with the name of the AD account you want to add to the group.

$Time = New-TimeSpan -Minutes 15
Add-ADGroupMember -Identity 'Account Operators' -Members russells -MemberTimeToLive $Time

To check that the account was added, let's use Get-ADGroup to show the group's members and their TTL values:

Get-ADGroup 'Account Operators' -Property member -ShowMemberTimeToLive

Notice that the member property of the returned object shows the group's members and their TTLs. In my domain, Account Operators has one member. The TTL value is shown in seconds. If you run Get-ADGroup again after 15 minutes, you'll see that the user account you added to Account Operators has been removed.

Note that adding an account to AD groups such as Account Operators can cause the adminCount attribute of the user account to be set to 1, if the account stays in the group long enough for the AdminSDHolder process to make it a protected object. When the account is removed from the group, the adminCount attribute remains set to 1.
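The steps above as a pair of reusable functions, added here as an example and not taken from the original article: the first checks that the PAM feature is enabled before adding the member and reads back the remaining TTL, the second flags an account whose adminCount is still 1 after the membership has expired. The function names are hypothetical, and the code assumes the ActiveDirectory PowerShell module on Windows Server 2016 or later.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function names are hypothetical, not from the article.
function Add-TemporaryGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $Account,
        [int] $Minutes = 15
    )
    # A TTL is only accepted once the optional feature is enabled in the forest.
    $pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $pam -or -not $pam.EnabledScopes) {
        throw 'Privileged Access Management Feature is not enabled in this forest.'
    }
    $user = Get-ADUser -Identity $Account -Properties adminCount
    if ($PSCmdlet.ShouldProcess($Group, "Add $($user.SamAccountName) for $Minutes minutes")) {
        Add-ADGroupMember -Identity $Group -Members $user `
            -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
    }
    # With -ShowMemberTimeToLive, a time-limited link reads '<TTL=seconds>,<DN>'.
    $links = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
    foreach ($link in $links) {
        if ($link -match '^<TTL=(\d+)>,(.+)$' -and $Matches[2] -eq $user.DistinguishedName) {
            [pscustomobject]@{
                Group            = $Group
                Account          = $user.SamAccountName
                ExpiresAbout     = (Get-Date).AddSeconds([int]$Matches[1])
                AdminCountBefore = $user.adminCount
            }
        }
    }
}

function Get-AdminCountAfterExpiry {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $Account
    )
    $user    = Get-ADUser -Identity $Account -Properties adminCount
    $members = (Get-ADGroup -Identity $Group -Properties member).member
    $inGroup = $members -contains $user.DistinguishedName
    [pscustomobject]@{
        Account     = $user.SamAccountName
        StillMember = $inGroup
        AdminCount  = $user.adminCount
        # Only direct membership of $Group is checked; other protected groups are not.
        NeedsReview = (-not $inGroup) -and ($user.adminCount -eq 1)
    }
}
```

Run `Add-TemporaryGroupMember -Group 'Account Operators' -Account russells -WhatIf` to preview the change, and `Get-AdminCountAfterExpiry` with the same arguments once the TTL has elapsed.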

The post Windows Server 2016: Temporary Group Membership appeared first on Petri.