Governing on-premises service accounts

There are four types of on-premises service accounts in Windows Active Directory:

It is critical to govern service accounts closely in order to:

  • Protect service accounts according to their use-case requirements and purpose.

  • Manage the lifecycle of service accounts and their credentials.

  • Assess service accounts based on the risk they are exposed to and the permissions they carry.

  • Ensure that Active Directory and Azure Active Directory contain no stale service accounts with potentially far-reaching permissions.

Principles for creating a new service account

Use the following criteria when creating a new service account.

Principle | Considerations
Service account mapping | Tie the service account to a single service, application, or script.
Ownership | Ensure there is an owner who requests the account and assumes responsibility for it.
Scope | Define the scope clearly and anticipate how long the service account will be used.
Purpose | Create each service account for a single, specific purpose.
Privilege | Apply the principle of least privilege by:
  • Never assigning service accounts to built-in groups such as Administrators.
  • Removing local machine privileges where appropriate.
  • Tailoring access and using Active Directory delegation for directory access.
  • Using granular access permissions.
  • Setting account expirations and location-based restrictions on user-based service accounts.
Monitor and audit use | Monitor sign-in data and ensure it matches the intended usage. Set alerts for anomalous usage.

Enforce least privilege for user accounts and limit account overuse

Use the following settings with user accounts that are used as service accounts:

  • Account expiry: set the service account to expire automatically a fixed time after its review period, unless the review determines that it should continue.

  • LogonWorkstations: restrict where the service account can sign in. If it runs locally on a machine and accesses only resources on that machine, prevent it from logging on anywhere else.

  • Cannot change password: prevent the service account from changing its own password by setting the CannotChangePassword attribute to true. (A value of false would allow the account to change its password.)
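The three settings above, applied with the Active Directory PowerShell module. This is an added example, not code from the original article; the account name, host names and review interval are assumptions for illustration.

```powershell
# Added example (not from the original article): apply the three restrictions
# for a user account that runs as a service. Names and intervals are assumptions.
Import-Module ActiveDirectory

$Account      = 'svc-hrweb'                          # hypothetical service account
$AllowedHosts = 'HR-WEBSERVER','HR-SQL1','HR-SQL2'   # only hosts it may log on to
$ReviewDays   = 180                                  # expires this long after this review

# 1. Account expiry: the account stops authenticating on this date unless the
#    recurring review extends it. Renewing is a deliberate act, not the default.
Set-ADAccountExpiration -Identity $Account -DateTime (Get-Date).AddDays($ReviewDays)

# 2. LogonWorkstations ("Log On To"): comma-separated NetBIOS computer names.
#    Logons that present any other workstation name are refused by the DC.
Set-ADUser -Identity $Account -LogonWorkstations ($AllowedHosts -join ',')

# 3. Cannot change password: $true means the account may NOT change its own
#    password; rotation stays with the owner and the credential process.
Set-ADUser -Identity $Account -CannotChangePassword $true

# Verify the result; every field should match the values set above.
Get-ADUser -Identity $Account -Properties AccountExpirationDate,LogonWorkstations,CannotChangePassword |
    Select-Object SamAccountName,AccountExpirationDate,LogonWorkstations,CannotChangePassword
```

Run this from a host with RSAT installed, as an account delegated to manage the service-account OU; the final Get-ADUser call is the check that the restrictions actually landed on the object.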

Build a lifecycle management process

To keep service accounts secure, you must manage them from the moment the need is identified until they are decommissioned.

Use the following process for lifecycle management of service accounts:

  1. Collect usage information for the account.
  2. Onboard the service account and its application to the configuration management database (CMDB).
  3. Perform a risk assessment or formal review.
  4. Create the service account and apply restrictions.
  5. Schedule and perform recurring reviews. Adjust permissions and scopes as necessary.
  6. Deprovision the account when appropriate.

Collect usage information for the service account

Collect the relevant business information for each service account. The table below shows the minimum information to collect, but you should gather everything needed to make the business case for the account's existence.

Data | Details
Owner | User or group that is accountable for the service account
Purpose | Purpose of the service account
Permissions (scopes) | Expected set of permissions
Configuration management database (CMDB) links | Cross-links between the service account, the target script or application, and the owner(s)
Risk | Risk and business-impact scoring based on a security risk assessment
Lifetime | Anticipated maximum lifetime, used to schedule account expiration or recertification

Ideally, make the account request self-service and require the relevant information as part of it. The owner can be an application or business owner, an IT team member, or an infrastructure owner. Using a tool such as Microsoft Forms for the request and its associated information makes it easy to port the data into your CMDB inventory tool if the account is approved.

Onboard the service account to the CMDB

Store the collected information in a CMDB-type application. In addition to the business information, record all dependencies on other infrastructure, applications, and processes. This central repository makes it easier to:

  • Assess risk.

  • Configure the service account with the required restrictions.

  • Understand relevant functional and security dependencies.

  • Conduct regular reviews for security and continued need.

  • Contact the owner(s) to review, retire, or change the service account.

Consider a service account that runs a website and has privileges to connect to one or more SQL databases. The information stored in your CMDB for this service account could be:

Data | Details
Owner, Deputy | John Bloom, Anna Mayers
Purpose | Run the HR web page and connect to the HR databases. Can impersonate the end user when accessing the databases.
Permissions, Scopes | HR-WEBServer: log on locally, run the web page
  | HR-SQL1: log on locally, Read on all HR* databases
  | HR-SQL2: log on locally, Read on all SALARY* databases
Cost Center | 883944
Risk Assessed | Medium; Business Impact: Medium; private information; Medium
Account Restrictions | Log on to: only the servers listed above; Cannot change password; MBI password policy
Lifetime | Unrestricted
Review Cycle | Twice a year (by the owner, the security team, and the privacy team)

Perform a risk assessment or formal review of service account usage

Given the account's permissions and purpose, assess the risk it would pose to its associated application or service, and to your infrastructure, if it were compromised. Consider both direct and indirect risk.

  • What would an adversary gain direct access to?

  • What other information or systems can the service account reach?

  • Can the account be used to grant additional permissions?

  • How will you know when its permissions change?

Once the risk assessment is conducted and documented, it may affect:

  • Account restrictions

  • Account lifetime

  • Account review requirements (cadence and reviewers)

Create a service account and apply account restrictions

Create the service account only after the relevant information is documented in your CMDB and the risk assessment has been performed. Account restrictions should be aligned with the risk assessment. Consider the following restrictions where they are relevant to your assessment:

When the account is ready to go into production, grant access to the service account securely.

Schedule regular reviews of service accounts

Set up regular reviews of service accounts classified as medium or high risk. Reviews should include:

  • Owner attestation to the continued need for the account, with justification of its privileges and scopes.

  • Review by the privacy and security teams, including evaluation of upstream and downstream connections.

  • Audit data showing that the account is used only for its intended purposes.
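A review report that gives reviewers the evidence the list above asks for, and that also checks the least-privilege and monitoring points from the principles table (no built-in group membership, expiry set, logon locations restricted, password not self-changeable, recent sign-in activity). This is an added example, not code from the original article; the OU path, the privileged-group list and the staleness threshold are assumptions to adjust for your directory.

```powershell
# Added example (not from the original article): recurring-review report for
# user-based service accounts kept in one OU. OU, group list and thresholds
# are assumptions.
Import-Module ActiveDirectory

$ServiceAccountOU = 'OU=ServiceAccounts,DC=contoso,DC=com'   # hypothetical OU
$PrivilegedGroups = 'Domain Admins','Enterprise Admins','Administrators',
                    'Account Operators','Server Operators','Backup Operators'
$StaleAfterDays   = 90     # no sign-in for this long -> candidate for deprovisioning
$MaxPasswordAge   = 365    # flag credentials older than this for rotation

$props = 'LastLogonDate','PasswordLastSet','AccountExpirationDate',
         'LogonWorkstations','CannotChangePassword','MemberOf','Description'

function Get-ServiceAccountReviewReport {
    Get-ADUser -SearchBase $ServiceAccountOU -Filter * -Properties $props | ForEach-Object {
        # Resolve group DNs to names so built-in group membership is readable.
        $groups     = @($_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        $privileged = @($groups | Where-Object { $PrivilegedGroups -contains $_ })

        $pwAgeDays = $null
        if ($_.PasswordLastSet) { $pwAgeDays = [int]((Get-Date) - $_.PasswordLastSet).TotalDays }

        $stale = (-not $_.LastLogonDate) -or
                 ($_.LastLogonDate -lt (Get-Date).AddDays(-$StaleAfterDays))

        # Each finding is one thing the owner must attest to or fix.
        $findings = @()
        if ($privileged.Count -gt 0)                   { $findings += "member of $($privileged -join ', ')" }
        if (-not $_.AccountExpirationDate)             { $findings += 'no expiry' }
        if ([string]::IsNullOrEmpty($_.LogonWorkstations)) { $findings += 'logon not restricted to hosts' }
        if (-not $_.CannotChangePassword)              { $findings += 'can change own password' }
        if ($pwAgeDays -gt $MaxPasswordAge)            { $findings += "password $pwAgeDays days old" }
        if ($stale)                                    { $findings += "no sign-in in $StaleAfterDays days" }

        [pscustomobject]@{
            Account        = $_.SamAccountName
            Enabled        = $_.Enabled
            Owner          = $_.Description       # assumes owner is recorded in Description/CMDB
            LastLogonDate  = $_.LastLogonDate
            Expires        = $_.AccountExpirationDate
            LogonTo        = $_.LogonWorkstations
            Findings       = ($findings -join '; ')
        }
    }
}

# Accounts with findings first; a clean row is one the owner only needs to re-attest.
Get-ServiceAccountReviewReport |
    Sort-Object { $_.Findings.Length } -Descending |
    Format-Table -AutoSize
```

LastLogonDate is the replicated lastLogonTimestamp, which can lag real activity by up to 14 days, so treat "stale" as a prompt to check the target hosts' Security logs before acting on it rather than as proof of disuse.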

Deprovision service accounts

In your deprovisioning process, first remove the account's permissions and monitor it, then remove the account itself if appropriate.

Deprovision a service account when:

  • The script or application the service account was created for is retired.

  • The function within the script or application that the service account is used for (for example, access to a specific resource) is retired.

  • The service account has been replaced by a different service account.

After removing all permissions, use this process to remove the account:

  1. Once the associated application or script is deprovisioned, monitor sign-ins and resource access for the associated service account(s) to be sure it is not used by another process. If you are sure it is no longer needed, go to the next step.

  2. Disable the service account so it can no longer sign in, and confirm that nothing breaks. Define a business policy for how long disabled accounts must remain in place before deletion.

  3. Delete the service account once the "remain disabled" period has elapsed.

    • For MSAs, you can uninstall the account with PowerShell or delete it manually from the Managed Service Accounts container.

    • For computer or user accounts, you can delete the account manually from Active Directory.
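The three deprovisioning steps as a script: look for recent sign-ins on the hosts the account was allowed to use, disable it with a dated marker, and delete it only once the retention period has passed. This is an added example, not code from the original article; the account name, host list, retention period and the convention of recording the disable date in the Description attribute are assumptions.

```powershell
# Added example (not from the original article): deprovisioning a user-based
# service account in the three steps described above. Names, hosts and the
# retention period are assumptions.
Import-Module ActiveDirectory

$Account       = 'svc-hrweb'
$Hosts         = 'HR-WEBSERVER','HR-SQL1','HR-SQL2'   # where it was allowed to log on
$MonitorDays   = 30                                    # sign-in monitoring window
$RetentionDays = 90                                    # business policy: stay disabled this long

# Step 1: any 4624 (successful logon) for the account on its hosts within the
# window means some process still depends on it. Queries each host's Security log.
function Get-ServiceAccountLogons {
    param([string]$Account, [string[]]$ComputerName, [int]$Days)
    $windowMs = [int64]$Days * 24 * 60 * 60 * 1000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]] and " +
             "EventData[Data[@Name='TargetUserName']='$Account']]"
    foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d = ([xml]$_.ToXml()).Event.EventData.Data
                [pscustomobject]@{
                    Host      = $c
                    Time      = $_.TimeCreated
                    LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'   # 5 = service start
                    Process   = ($d | Where-Object Name -eq 'ProcessName').'#text'
                }
            }
    }
}

$recent = @(Get-ServiceAccountLogons -Account $Account -ComputerName $Hosts -Days $MonitorDays)
if ($recent.Count -gt 0) {
    $recent | Format-Table -AutoSize
    throw "$Account signed in $($recent.Count) time(s) in the last $MonitorDays days; do not disable yet."
}

# Step 2: disable, and stamp the object so the retention clock is auditable later.
Disable-ADAccount -Identity $Account
Set-ADUser -Identity $Account -Description ('Disabled {0:yyyy-MM-dd} pending deletion; application retired' -f (Get-Date))

# Step 3 (run again after the retention period): delete only if the account is
# still disabled and the stamped date is old enough. Re-enabling it in between
# resets nothing silently; the Enabled check makes that visible.
$u = Get-ADUser -Identity $Account -Properties Description
if (-not $u.Enabled -and
    $u.Description -match 'Disabled (\d{4}-\d{2}-\d{2})' -and
    ([datetime]$Matches[1]).AddDays($RetentionDays) -le (Get-Date)) {
    Remove-ADUser -Identity $Account -Confirm:$false
}

# For a standalone MSA the equivalent of step 3 is Uninstall-ADServiceAccount on
# the host that used it, followed by Remove-ADServiceAccount in the directory.
```

Step 1 checks the hosts the account was permitted to use; if the review report showed sign-ins from elsewhere, add those hosts to the list, since a dependency you did not know about is exactly what this step exists to find.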

Next steps

See the following articles on securing service accounts.