Introduction to Active Directory service accounts

A service has a primary security identity that determines its access rights to local and network resources. The security context for a Microsoft Win32 service is determined by the service account that is used to start the service. A service account is used to:

  • identify and authenticate a service
  • successfully start a service
  • access or execute code or an application
  • start a process.

Types of on-premises service accounts

Based on your use case, you can use a managed service account (MSA), a computer account, or a user account to run a service. Services must be tested to confirm that they can use a managed service account. If they can, you should use one.

Group MSA accounts

Use group managed service accounts (gMSAs) whenever possible for services running in your on-premises environment. gMSAs provide a single identity solution for a service running on a server farm or behind a network load balancer. They can also be used for a service running on a single server. gMSAs have specific requirements that must be met.

Standalone MSA accounts

If you can't use a gMSA, use a standalone managed service account (sMSA). sMSAs require at least Windows Server 2008 R2. Unlike gMSAs, sMSAs run only on one server. They can be used for multiple services on that server.
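The following is an added example, not code from the original article, showing how the two MSA types above are created and verified with the ActiveDirectory PowerShell module. It assumes a placeholder domain contoso.local, an existing computer group WebFarmHosts that holds the farm servers, and a computer RPT01 for the sMSA; the KDS root key step is the one-time forest prerequisite that gMSAs depend on.

```powershell
# Added example: provision a gMSA for a server farm and an sMSA for one server.
# Assumptions (not from the article): domain contoso.local, computer group
# "WebFarmHosts" and computer "RPT01" already exist.
Import-Module ActiveDirectory

# One-time forest prerequisite for gMSAs: the Key Distribution Service root key.
# -EffectiveImmediately still needs up to 10 hours to replicate before
# domain controllers will hand out gMSA passwords.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# gMSA: only members of the host group can retrieve the password, so one
# identity serves every server in the farm or behind the load balancer.
New-ADServiceAccount -Name 'svc-webfarm' `
    -DNSHostName 'svc-webfarm.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarmHosts' `
    -KerberosEncryptionType AES128, AES256 `
    -Description 'Order portal app pool; owner: web-team@contoso.local'

# sMSA: tied to exactly one computer; no other host can retrieve its password.
New-ADServiceAccount -Name 'svc-reports' -RestrictToSingleComputer `
    -Description 'Reporting job on RPT01; owner: bi-team@contoso.local'
Add-ADComputerServiceAccount -Identity 'RPT01' -ServiceAccount 'svc-reports'

# Run on the farm host itself once the root key has replicated:
Install-ADServiceAccount -Identity 'svc-webfarm'
Test-ADServiceAccount -Identity 'svc-webfarm'   # True when the host can use it
```

Recording the owner in the Description attribute, as the example does, is what makes the account inventory described later in this article possible.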

Computer account

If you can't use an MSA, investigate using a computer account. The LocalSystem account is a predefined local account that has extensive privileges on the local computer and acts as the computer identity on the network.
Services that run as LocalSystem access network resources by using the credentials of the computer account, in the format <domain_name>\<computer_name>.

NT AUTHORITY\SYSTEM is the predefined name for the LocalSystem account. It can be used to start a service and provide the security context for that service.

Note

When a computer account is used, you can't tell which service on the computer is using that account, and therefore can't audit which service is making changes.

User account

If you can't use an MSA, investigate using a user account. User accounts can be domain user accounts or local user accounts.

A domain user account enables the service to take full advantage of the service security features of Windows and Microsoft Active Directory Domain Services. The service will have the local and network access granted to the account. It will also have the permissions of any groups of which the account is a member. Domain service accounts support Kerberos mutual authentication.

A local user account (name format: ".\UserName") exists only in the SAM database of the host computer; it doesn't have a user object in Active Directory Domain Services. A local account can't be authenticated by the domain. So a service that runs in the security context of a local user account doesn't have access to network resources (except as an anonymous user). Services running in the local user context can't support Kerberos mutual authentication, in which the service is authenticated by its clients. For these reasons, local user accounts are typically inappropriate for directory-enabled services.

Important

Service accounts should not be members of any privileged groups, because privileged group membership confers permissions that may be a security risk. Each service should have its own service account for auditing and security purposes.

Choose the right type of service account

| Criteria | gMSA | sMSA | Computer account | User account |
|---|---|---|---|---|
| App runs on a single server | Yes | Yes. Use a gMSA if possible. | Yes. Use an MSA if possible. | Yes. Use an MSA if possible. |
| App runs on multiple servers | Yes | No | No. The account is tied to the server. | Yes. Use an MSA if possible. |
| App runs behind load balancers | Yes | No | No | Yes. Use only if you can't use a gMSA. |
| App runs on Windows Server 2008 R2 | No | Yes | Yes. Use an MSA if possible. | Yes. Use an MSA if possible. |
| App runs on Windows Server 2012 | Yes | Yes. Use a gMSA if possible. | Yes. Use an MSA if possible. | Yes. Use an MSA if possible. |
| Requirement to restrict the service account to a single server | No | Yes | Yes. Use an sMSA if possible. | No |

Use server logs and PowerShell to investigate

You can use server logs to determine which servers, and how many servers, an application is running on.

You can run the following PowerShell command to get a listing of the Windows Server version for all servers on your network.


```powershell
# List every enabled computer object whose OS name contains "server",
# sorted by operating system, in a sortable grid window.
Get-ADComputer -Filter 'operatingsystem -like "*server*" -and enabled -eq "true"' `
    -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
    Sort-Object -Property OperatingSystem |
    Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
    Out-GridView
```

Find on-premises service accounts

We recommend that you add a prefix such as "svc" to all accounts used as service accounts. This naming convention makes them easier to find and manage. Also consider using the description attribute to record the purpose of the service account and its owner, which may be a team alias or a security team owner.

Finding on-premises service accounts is key to ensuring their security, and it can be difficult for non-MSA accounts. We recommend reviewing all the accounts that have access to your important on-premises resources and determining which computer or user accounts may be acting as service accounts. You can also use the following methods to find accounts:

  • The articles for each type of account have detailed steps for finding that account type. For links to these articles, see the Next steps section of this article.

Document service accounts

Once you have found the service accounts in your on-premises environment, document the following information about each account:

  • The owner. The person accountable for maintaining the account.

  • The purpose. The application the account represents, or other purpose.

  • Permission scopes. What permissions does it have, and which should it have? Which groups, if any, is it a member of?

  • Risk profile. What is the risk to your business if this account is compromised? If the risk is high, use an MSA.

  • Anticipated lifetime and periodic attestation. How long do you anticipate this account being live? How often must the owner review and attest to the ongoing need?

  • Password security. For user and local computer accounts, where the password is stored. Ensure passwords are kept secure, and document who has access. Consider using Privileged Identity Management to secure stored passwords.
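The following is an added example, not code from the original article, that combines the two preceding sections: it finds candidate service accounts (the "svc" prefix convention, user accounts that carry an SPN, and all MSAs) and builds the inventory fields the list above asks for, flagging privileged-group membership. It assumes the ActiveDirectory module is available and that the list of privileged groups is an illustrative starting point to adjust for your domain.

```powershell
# Added example: inventory candidate service accounts and flag risk indicators.
# Assumptions (not from the article): "svc" prefix is in use and the
# privileged-group list below is a starting point, not a complete list.
Import-Module ActiveDirectory

# Groups a service account should never belong to (see the Important note above).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# Candidates: "svc" prefix, or any user with an SPN (a strong sign the account
# is backing a Kerberos service, even if it was never named as one).
$userProps = 'Description','ManagedBy','MemberOf','PasswordLastSet',
             'PasswordNeverExpires','ServicePrincipalName'
$users = Get-ADUser -Properties $userProps `
    -Filter 'samAccountName -like "svc*" -or servicePrincipalName -like "*"'

# MSAs are easy to enumerate; include them so the inventory is complete.
$msas = Get-ADServiceAccount -Filter * `
    -Properties Description,ManagedBy,MemberOf,PasswordLastSet

$inventory = foreach ($acct in @($users) + @($msas)) {
    $groups = @($acct.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })
    $type = switch ($acct.ObjectClass) {
        'msDS-GroupManagedServiceAccount' { 'gMSA' }
        'msDS-ManagedServiceAccount'      { 'sMSA' }
        default                           { 'User' }
    }
    [pscustomobject]@{
        Name                 = $acct.SamAccountName
        Type                 = $type
        Owner                = $acct.ManagedBy          # owner
        Purpose              = $acct.Description        # purpose
        Groups               = ($groups -join ';')      # permission scope
        InPrivilegedGroup    = [bool]($groups | Where-Object { $privilegedGroups -contains $_ })
        HasSPN               = [bool]$acct.ServicePrincipalName
        PasswordLastSet      = $acct.PasswordLastSet    # password hygiene
        PasswordNeverExpires = [bool]$acct.PasswordNeverExpires
        Enabled              = $acct.Enabled
    }
}

# Highest-risk rows first; the CSV is the attestation record the owner reviews.
$inventory | Sort-Object InPrivilegedGroup, PasswordNeverExpires -Descending |
    Export-Csv -Path .\service-account-inventory.csv -NoTypeInformation

# Immediate review list: accounts that break the "no privileged groups" rule.
$inventory | Where-Object InPrivilegedGroup | Format-Table Name, Type, Groups -AutoSize
```

Rows with an empty Owner or Purpose column are the accounts whose ManagedBy and Description attributes still need to be filled in.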

Next steps

See the following articles on securing service accounts