Securing computer accounts

The computer account, or LocalSystem account, is a built-in, highly privileged account with access to virtually all resources on the local computer. This account is not associated with any signed-on user account. Services running as LocalSystem access network resources by presenting the computer's credentials to remote servers. It presents credentials in the form <domain_name>\<computer_name>$. A computer account's pre-defined name is NT AUTHORITY\SYSTEM. It can be used to start a service and provide the security context for that service.


Benefits of using the computer account

The computer account provides the following benefits.

  • Unrestricted local access: The computer account provides complete access to the machine's local resources.

  • Automatic password management: The computer account removes the need for you to manually change passwords. Instead, this account is a member of Active Directory and its password is changed automatically. It also eliminates the need to register a service principal name for the service.

  • Limited access rights off-machine: The default Access Control List (ACL) in Active Directory Domain Services permits minimal access for computer accounts. If this service were to be compromised, the attacker would only have limited access to resources on your network.

Assess the security posture of computer accounts

Potential challenges and associated mitigations when using computer accounts.

| Issues | Mitigations |
|---|---|
| Computer accounts are subject to deletion and recreation when the computer leaves and rejoins the domain. | Validate the need to add a computer to an AD group, and verify which computer account has been added to a group, using the example scripts provided on this page. |
| If you add a computer account to a group, all services running as LocalSystem on that computer are given the access rights of the group. | Be selective about the group memberships of your computer account. Avoid making computer accounts members of any domain administrator groups, because the associated service would then have complete access to Active Directory Domain Services. |
| Improper network defaults for LocalSystem | Do not assume that the computer account has the default limited access to network resources. Instead, check the group memberships of this account carefully. |
| Unknown services running as LocalSystem | Ensure that all services running under the LocalSystem account are Microsoft services or trusted services from third parties. |

Find services running under the computer account

Use the following PowerShell cmdlet to find services running under the LocalSystem context:

```powershell
Get-WmiObject win32_service | select Name, StartName | Where-Object {($_.StartName -eq "LocalSystem")}
```

Find computer accounts that are members of a specific group

Use the following PowerShell cmdlet to find computer accounts that are members of a specific group (replace Your_Group_Name_here with the group you are checking):

```powershell
Get-ADComputer -Filter {Name -Like "*"} -Properties MemberOf | Where-Object {[STRING]$_.MemberOf -like "Your_Group_Name_here*"} | Select Name, MemberOf
```

Find computer accounts that are members of privileged groups

Use the following PowerShell cmdlet to find computer accounts that are members of the identity administrator groups (Domain Admins, Enterprise Admins, Administrators); run it once per group:

```powershell
Get-ADGroupMember -Identity Administrators -Recursive | Where objectClass -eq "computer"
```
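The following script, added here as an example and not part of the original article, combines the two checks above into one audit of the machine it runs on: it lists LocalSystem services whose binary is not signed by Microsoft (the "unknown services" mitigation) and tests whether this machine's computer account sits, directly or through nesting, in any of the three privileged groups named above. It assumes the RSAT ActiveDirectory module is installed and that the script runs on a domain-joined machine with read access to the domain.

```powershell
# Added audit example; not code from the original article. Assumes the RSAT
# ActiveDirectory module is installed and the script runs on a domain-joined
# machine with read access to the domain.
Import-Module ActiveDirectory

# --- Part 1: LocalSystem services whose binary is not signed by Microsoft ---
# Each hit is a candidate for the "unknown services running as LocalSystem"
# review: confirm the vendor is trusted, or move the service off LocalSystem.
$localSystemServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' }

$reviewServices = foreach ($svc in $localSystemServices) {
    # PathName may be quoted and may carry arguments; keep only the executable.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($svc.PathName -match '^(\S+)') { $Matches[1] }
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{
            Service = $svc.Name; Path = $exe; Signature = $sig.Status; Signer = $signer
        }
    }
}

# --- Part 2: group membership of this machine's computer account ---
# Direct memberships come from MemberOf; privileged-group membership is checked
# recursively, because nesting a computer's group inside Domain Admins grants
# every LocalSystem service on the box those rights just as directly.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$me = Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf
$privilegedHits = foreach ($g in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members.DistinguishedName -contains $me.DistinguishedName) { $g }
}

# --- Report ---
"LocalSystem services needing review: $(@($reviewServices).Count)"
$reviewServices | Format-Table -AutoSize
"Direct group memberships of $($me.Name)`$:"
$me.MemberOf
if ($privilegedHits) {
    "WARNING: $($me.Name)`$ is (directly or nested) in: $($privilegedHits -join ', ')"
} else {
    "No privileged group membership found for $($me.Name)`$."
}
```

A third-party service that appears in the first list is not necessarily malicious; it is the set of services whose trust must be established by something other than a Microsoft signature.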

Move away from computer accounts

Important

Computer accounts are highly privileged accounts and should be used only when your service needs unrestricted access to local resources on the machine and you cannot use a managed service account (MSA).

  • Check with the service owner whether their service can run under an MSA, and use a group managed service account (gMSA) or a standalone managed service account (sMSA) if the service supports it.

  • Otherwise, use a domain user account with just the privileges needed to run your service.

Next steps

See the following articles on securing service accounts.