Azure Stack HCI security considerations

Applies to: Azure Stack HCI, version 20H2; Windows Server 2019

This topic provides security considerations and recommendations related to the Azure Stack HCI operating system:

  • Part 1 covers basic security tools and technologies to harden the operating system and protect data and identities, so that you can efficiently build a secure foundation for your organization.
  • Part 2 covers resources available through Azure Security Center.
  • Part 3 covers more advanced security considerations to further strengthen the security posture of your organization in these areas.

Why are security considerations important?

Security affects everyone in your organization, from upper-level management to the information worker. Inadequate security is a real risk for organizations: a security breach can disrupt all normal business and bring your organization to a halt. The sooner you can detect a potential attack, the faster you can mitigate any compromise in security.

After researching an environment's weak points in order to exploit them, an attacker can typically escalate privileges and take control of systems on the network within 24 to 48 hours of the initial compromise. Good security measures harden the systems in the environment and block the attacker's movements, extending the time it takes to potentially take control from hours to weeks or even months. Implementing the security recommendations in this topic positions your organization to detect and respond to such attacks as fast as possible.

Part 1: Build a secure foundation

The following sections recommend security tools and technologies to build a secure foundation for the servers running the Azure Stack HCI operating system in your environment.

Harden the environment

This section discusses how to protect services and virtual machines (VMs) running on the operating system:

  • Azure Stack HCI certified hardware provides consistent Secure Boot, UEFI, and TPM settings out of the box. Combining virtualization-based security and certified hardware helps protect security-sensitive workloads. You can also connect this trusted infrastructure to Azure Security Center to activate behavioral analytics and reporting that account for rapidly changing workloads and threats.

    • Secure Boot is a security standard developed by the PC industry to help ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). To learn more, see Secure boot.
    • Unified Extensible Firmware Interface (UEFI) controls the boot process of the server and then passes control to Windows or another operating system. To learn more, see UEFI firmware requirements.
    • Trusted Platform Module (TPM) technology provides hardware-based, security-related functions. A TPM chip is a secure crypto-processor that generates, stores, and limits the use of cryptographic keys. To learn more, see Trusted Platform Module Technology Overview.
  • Device Guard and Credential Guard. Device Guard protects against malware with no known signature, unsigned code, and malware that gains access to the kernel to either capture sensitive information or damage the system. Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

    To learn more, see Manage Windows Defender Credential Guard and download the Device Guard and Credential Guard hardware readiness tool.

  • Windows and firmware updates are essential on clusters, servers (including guest VMs), and PCs to help ensure that both the operating system and the system hardware are protected from attackers. You can use the Windows Admin Center Updates tool to apply updates to individual systems. If your hardware provider includes Windows Admin Center support for getting driver, firmware, and solution updates, you can get these updates at the same time as Windows updates; otherwise, get them directly from your vendor.

    To learn more, see Update the cluster.

    To manage updates on multiple clusters and servers at a time, consider subscribing to the optional Azure Update Management service, which is integrated with Windows Admin Center. For more information, see Azure Update Management using Windows Admin Center.
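The following PowerShell is an added example (not from the original article) that reports the state of the platform protections this section describes on a server: Secure Boot, the TPM, and the virtualization-based security services that back Device Guard (HVCI) and Credential Guard. It relies on the built-in SecureBoot and TrustedPlatformModule modules and the Win32_DeviceGuard WMI class; the function name is mine.

```powershell
# Added example: report boot- and virtualization-based protections on the local
# server so that gaps can feed a hardening checklist. Run in an elevated session.
function Get-PlatformSecurityPosture {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems, so an exception
    # is reported as "Secure Boot not available / not enabled".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # TPM presence and readiness from the TrustedPlatformModule module.
    $tpm = Get-Tpm

    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus is 0 (not enabled),
    # 1 (enabled but not running) or 2 (running). SecurityServicesRunning lists
    # 1 for Credential Guard and 2 for HVCI (kernel-mode code integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SecureBootEnabled      = [bool]$secureBoot
        TpmPresent             = [bool]$tpm.TpmPresent
        TpmReady               = [bool]$tpm.TpmReady
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

# Local check, then a warning listing every protection that is not active.
$posture = Get-PlatformSecurityPosture
$posture | Format-List

$gaps = $posture.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning "Protections not active: $($gaps -join ', ')" }

# On a cluster node, the same function can be run against every node:
# Invoke-Command -ComputerName (Get-ClusterNode).Name `
#                -ScriptBlock ${function:Get-PlatformSecurityPosture}
```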

Protect data

This section discusses how to use Windows Admin Center to protect data and workloads on the operating system:

  • BitLocker for Storage Spaces protects data at rest. You can use BitLocker to encrypt the contents of Storage Spaces data volumes on the operating system. Using BitLocker to protect data can help organizations stay compliant with government, regional, and industry-specific standards such as FIPS 140-2 and HIPAA.

    To access BitLocker in Windows Admin Center:

    1. Connect to a Storage Spaces Direct cluster, and then on the Tools pane, select Volumes.

    2. On the Volumes page, select Inventory, and then under Optional features, switch the Encryption (BitLocker) toggle on.

      [Screenshot: the toggle switch used to enable BitLocker]

    3. On the Encryption (BitLocker) pop-up, select Start, and then on the Turn on Encryption page, provide your credentials to complete the workflow.

    Note

    If the Install BitLocker feature first pop-up appears, follow its instructions to install the feature on each server in the cluster, and then restart your servers.

  • SMB encryption for Windows networking protects data in transit. Server Message Block (SMB) is a network file sharing protocol that allows applications on a computer to read and write files and to request services from server programs on a computer network.

    To enable SMB encryption, see SMB security enhancements.

  • Windows Defender Antivirus in Windows Admin Center protects the operating system on clients and servers against viruses, malware, spyware, and other threats. To learn more, see Microsoft Defender Antivirus on Windows Server 2016 and 2019.
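As an added example for the SMB encryption bullet (not part of the original article), the following PowerShell audits a file server's SMB encryption settings and, on request, turns encryption on server-wide and per share. It uses the built-in SmbShare module; the function name is mine. Rejecting unencrypted access is kept as a separate switch because it locks out clients that lack SMB 3.x encryption support.

```powershell
# Added example: audit SMB encryption and, with -Remediate, enforce it.
# Run in an elevated session on the file server.
function Set-SmbEncryptionPosture {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Turn encryption on instead of only reporting it.
        [switch]$Remediate,
        # Refuse clients that cannot encrypt. Breaks SMB 1/2 clients, so it is
        # opt-in and should follow a period of monitoring, not precede it.
        [switch]$RejectUnencryptedAccess
    )

    $server = Get-SmbServerConfiguration
    # Skip the special administrative shares (ADMIN$, C$, IPC$).
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    # Report the server-wide flags and every share without its own flag.
    [pscustomobject]@{
        ServerEncryptData       = $server.EncryptData
        RejectUnencryptedAccess = $server.RejectUnencryptedAccess
        UnencryptedShares       = @($shares | Where-Object { -not $_.EncryptData }).Name
    }

    if (-not $Remediate) { return }

    # Server-wide EncryptData already covers every share; the per-share flag is
    # set as well so the intent survives if the global setting is later relaxed.
    if ($PSCmdlet.ShouldProcess('SMB server', 'Enable EncryptData')) {
        Set-SmbServerConfiguration -EncryptData $true -Force
    }
    foreach ($share in $shares | Where-Object { -not $_.EncryptData }) {
        if ($PSCmdlet.ShouldProcess($share.Name, 'Enable per-share EncryptData')) {
            Set-SmbShare -Name $share.Name -EncryptData $true -Force
        }
    }
    if ($RejectUnencryptedAccess -and
        $PSCmdlet.ShouldProcess('SMB server', 'Reject unencrypted access')) {
        Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force
    }
}

# Preview the changes, then apply them; the audit object is returned either way.
Set-SmbEncryptionPosture -Remediate -WhatIf
Set-SmbEncryptionPosture -Remediate
```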

Protect identities

This section discusses how to use Windows Admin Center to protect privileged identities:

  • Access control can improve the security of your management landscape. If you're using a Windows Admin Center server (as opposed to running it on a Windows 10 PC), you can control two levels of access to Windows Admin Center itself: gateway users and gateway administrators. Gateway administrator identity provider options include:

    • Active Directory or local machine groups to enforce smartcard authentication.
    • Azure Active Directory to enforce conditional access and multifactor authentication.

    To learn more, see User access options with Windows Admin Center and Configure User Access Control and Permissions.

  • Browser traffic to Windows Admin Center uses HTTPS. Traffic from Windows Admin Center to managed servers uses standard PowerShell and Windows Management Instrumentation (WMI) over Windows Remote Management (WinRM). Windows Admin Center supports the Local Administrator Password Solution (LAPS), resource-based constrained delegation, gateway access control using Active Directory (AD) or Microsoft Azure Active Directory (Azure AD), and role-based access control (RBAC) for managing target servers.

    Windows Admin Center supports Microsoft Edge (Windows 10, version 1709 or later), Google Chrome, and Microsoft Edge Insider on Windows 10. You can install Windows Admin Center on either a Windows 10 PC or a Windows server.

    If you install Windows Admin Center on a server, it runs as a gateway, with no UI on the host server. In this scenario, administrators log on to the server over an HTTPS session secured by a self-signed certificate on the host. However, it's better to use an appropriate SSL certificate from a trusted certificate authority for the sign-on process, because supported browsers treat a self-signed connection as insecure, even when the connection is to a local IP address over a trusted VPN.

    To learn more about installation options for your organization, see What type of installation is right for you?

  • CredSSP is an authentication provider that Windows Admin Center uses in a few cases to pass credentials to machines beyond the specific server you are targeting for management. Windows Admin Center currently requires CredSSP to:

    • Create a new cluster.
    • Access the Updates tool to use either the Failover Clustering or Cluster-Aware Updating features.
    • Manage disaggregated SMB storage in VMs.

    To learn more, see Does Windows Admin Center use CredSSP?

  • Role-based access control (RBAC) in Windows Admin Center gives users limited access to the servers they need to manage instead of making them full local administrators. To use RBAC in Windows Admin Center, you configure each managed server with a PowerShell Just Enough Administration endpoint.

    To learn more, see Role-based access control and Just Enough Administration.

  • Security tools in Windows Admin Center that you can use to manage and protect identities include Active Directory, Certificates, Firewall, Local Users and Groups, and more.

    To learn more, see Manage Servers with Windows Admin Center.
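To show what the RBAC bullet means by a Just Enough Administration endpoint, the following PowerShell is an added example (not from the original article and not the endpoint Windows Admin Center itself creates) that registers a constrained endpoint on a managed server. The role name ServiceOperator, the module folder JeaExample, the group CONTOSO\ServiceOperators and the transcript path are hypothetical.

```powershell
# Added example: a minimal JEA endpoint. Members of one AD group get a
# remoting session that exposes only a handful of cmdlets, runs as a temporary
# virtual account (so no standing local-admin rights), and is transcribed.
# Run in an elevated session on the managed server.

# JEA discovers role capability files under <module>\RoleCapabilities.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaExample'   # hypothetical
$roleDir   = Join-Path $moduleDir 'RoleCapabilities'
New-Item -Path $roleDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'JeaExample.psd1') -RootModule ''

# Role capability: read-only cluster and service state, plus Restart-Service
# constrained by ValidateSet to a single service name.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'ServiceOperator.psrc') `
    -ModulesToImport 'FailoverClusters' `
    -VisibleCmdlets @(
        'Get-Service',
        'Get-ClusterNode',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# Session configuration: RestrictedRemoteServer removes the interactive shell
# and most language features; RunAsVirtualAccount grants admin rights only
# inside the session; every session is transcribed for later review.
$transcriptDir = 'C:\JeaTranscripts'   # hypothetical path
New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null
$pssc = Join-Path $env:TEMP 'ServiceOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcriptDir `
    -RoleDefinitions @{
        'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' }   # hypothetical group
    }

# Validate before registering; registration restarts the WinRM service.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'ServiceOperator' -Path $pssc -Force | Out-Null

# A group member then connects to the constrained endpoint; commands outside
# the role (Stop-Computer, Set-Service, ...) do not exist in that session.
# Enter-PSSession -ComputerName SERVER01 -ConfigurationName ServiceOperator
```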

Part 2: Use Azure Security Center

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud and on premises. Security Center provides tools to assess the security status of your network, protect workloads, raise security alerts, and follow specific recommendations to remediate attacks and address future threats. Through auto-provisioning and protection with Azure services, Security Center performs all of these services at high speed in the cloud with no deployment overhead.

Security Center protects VMs for both Windows servers and Linux servers by installing the Log Analytics agent on these resources. Azure correlates the events that the agents collect into recommendations (hardening tasks) that you perform to make your workloads secure. The hardening tasks, based on security best practices, include managing and enforcing security policies. You can then track the results and manage compliance and governance over time through Security Center monitoring while reducing the attack surface across all of your resources.

Managing who can access your Azure resources and subscriptions is an important part of your Azure governance strategy. Azure role-based access control (RBAC) is the primary method of managing access in Azure. To learn more, see Manage access to your Azure environment with role-based access control.

Working with Security Center through Windows Admin Center requires an Azure subscription. To get started, see Integrate Azure Security Center with Windows Admin Center.

After registering, access Security Center in Windows Admin Center: on the All Connections page, select a server or VM, under Tools, select Azure Security Center, and then select Sign into Azure.

To learn more, see What is Azure Security Center?

Part 3: Add advanced security

The following sections recommend advanced security tools and technologies to further harden servers running the Azure Stack HCI operating system in your environment.

Harden the environment

  • The security baselines include recommended security settings for Windows Firewall, Windows Defender, and many other components.

    The security baselines are provided as Group Policy Object (GPO) backups that you can import into Active Directory Domain Services (AD DS) and then deploy to domain-joined servers to harden the environment. You can also use the Local Script tools to configure standalone (non-domain-joined) servers with the security baselines. To get started using the security baselines, download the Microsoft Security Compliance Toolkit 1.0.

    To learn more, see Microsoft Security Baselines.

Protect data

  • Hardening the Hyper-V environment requires hardening Windows Server running on a VM just as you would harden the operating system running on a physical server. Because virtual environments typically have multiple VMs sharing the same physical host, it is imperative to protect both the physical host and the VMs running on it. An attacker who compromises a host can affect multiple VMs, with a greater impact on workloads and services. This section discusses the following methods that you can use to harden Windows Server in a Hyper-V environment:

    • Guarded fabric and shielded VMs strengthen the security of VMs running in Hyper-V environments by preventing attackers from modifying VM files. A guarded fabric consists of a Host Guardian Service (HGS), typically a cluster of three nodes, one or more guarded hosts, and a set of shielded VMs. The Attestation Service evaluates the validity of host requests, while the Key Protection Service determines whether to release the keys that the guarded hosts can use to start the shielded VMs.

      To learn more, see Guarded fabric and shielded VMs overview.

    • Virtual Trusted Platform Module (vTPM) in Windows Server supports TPM for VMs, which lets you use advanced security technologies, such as BitLocker, inside VMs. You can enable TPM support on any Generation 2 Hyper-V VM by using either Hyper-V Manager or the Enable-VMTPM Windows PowerShell cmdlet.

      To learn more, see Enable-VMTPM.

    • Software Defined Networking (SDN) in Azure Stack HCI and Windows Server centrally configures and manages physical and virtual network devices, such as routers, switches, and gateways, in your datacenter. Virtual network elements, such as Hyper-V Virtual Switch, Hyper-V Network Virtualization, and RAS Gateway, are designed to be integral elements of your SDN infrastructure.

      To learn more, see Software Defined Networking (SDN).
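For the vTPM bullet above, the following PowerShell is an added example (not from the original article) that enables Secure Boot and a virtual TPM on the Generation 2 VMs of a Hyper-V host and reports the result with Get-VMSecurity. It uses the built-in Hyper-V module; the function name is mine. Without a guarded fabric the vTPM is backed by a local key protector, which ties the VM's TPM state to this host rather than to an HGS.

```powershell
# Added example: turn on Secure Boot and a vTPM for every Generation 2 VM on
# this host that is currently Off, then report the per-VM security settings.
# Run in an elevated session on the Hyper-V host.
function Enable-VmPlatformSecurity {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$VMName = '*')

    foreach ($vm in Get-VM -Name $VMName) {
        if ($vm.Generation -ne 2) {
            Write-Warning "$($vm.Name): Generation 1 VMs support neither Secure Boot nor vTPM; skipping."
            continue
        }
        # Firmware and TPM settings can only be changed while the VM is Off.
        if ($vm.State -ne 'Off') {
            Write-Warning "$($vm.Name): VM must be Off to change firmware or TPM settings; skipping."
            continue
        }
        if ((Get-VMSecurity -VM $vm).TpmEnabled) {
            Write-Verbose "$($vm.Name): vTPM already enabled; leaving key protector untouched."
            continue
        }
        if ($PSCmdlet.ShouldProcess($vm.Name, 'Enable Secure Boot and vTPM')) {
            # Linux guests additionally need
            # -SecureBootTemplate MicrosoftUEFICertificateAuthority.
            Set-VMFirmware -VM $vm -EnableSecureBoot On

            # A vTPM requires a key protector. With no HGS (guarded fabric), a
            # local protector bound to this host is used; shielded VMs would
            # instead receive their protector from the Host Guardian Service.
            Set-VMKeyProtector -VM $vm -NewLocalKeyProtector
            Enable-VMTPM -VM $vm
        }
    }

    # Report the resulting state for every Generation 2 VM that matched.
    Get-VM -Name $VMName | Where-Object Generation -eq 2 | ForEach-Object {
        $sec = Get-VMSecurity -VM $_
        [pscustomobject]@{
            VM         = $_.Name
            SecureBoot = (Get-VMFirmware -VM $_).SecureBoot
            TpmEnabled = $sec.TpmEnabled
            Shielded   = $sec.Shielded
        }
    }
}

Enable-VmPlatformSecurity -WhatIf   # preview which VMs would be changed
Enable-VmPlatformSecurity           # apply and print the per-VM report
```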

Protect identities

  • Local Administrator Password Solution (LAPS) is a lightweight mechanism for Active Directory domain-joined systems that periodically sets each computer's local administrator account password to a new random and unique value. Passwords are stored in a secured, confidential attribute on the corresponding computer object in Active Directory, where only specifically authorized users can retrieve them. LAPS uses local accounts for remote computer management in a way that offers some advantages over using domain accounts. To learn more, see Remote Use of Local Accounts: LAPS Changes Everything.

    To get started using LAPS, download Local Administrator Password Solution (LAPS).

  • Microsoft Advanced Threat Analytics (ATA) is an on-premises product that you can use to help detect attackers attempting to compromise privileged identities. ATA parses network traffic for authentication, authorization, and information-gathering protocols, such as Kerberos and DNS. ATA uses the data to build behavioral profiles of users and other entities on the network in order to detect anomalies and known attack patterns.

    To learn more, see What is Advanced Threat Analytics?

  • Windows Defender Remote Credential Guard protects credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. It also provides single sign-on (SSO) for Remote Desktop sessions. If the target device is compromised during a Remote Desktop session, your credentials are not exposed, because neither the credentials nor credential derivatives are ever passed over the network to the target device.

    To learn more, see Manage Windows Defender Credential Guard.

Next steps

For more information on security and regulatory compliance, see also: