Active directory users and computers program name

For a complete list of Microsoft Customer Service and Support telephone numbers, or to create a separate service request, visit the Microsoft Web site. If you do not see your language, it is because a hotfix is not available for that language.

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias.

Additionally, the dates and the times may change when you perform certain operations on the files.

Important: Windows Vista hotfixes and Windows Server hotfixes are included in the same packages. However, only "Windows Vista" is listed on the Hotfix Request page. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows Vista" on the page.

Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to. Service Pack 1 is integrated into the release version of Windows Server RTM milestone files have a 6. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

Important: Windows 7 hotfixes and Windows Server R2 hotfixes are included in the same packages.

Use the following ways to block Internet access:

Configure authenticating boundary proxy services, if they are deployed, to disallow administrator accounts from accessing the Internet.

Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that are assigned to dedicated administrative workstations.

Do not grant administrators membership in the local Administrator group on the computer, in order to restrict the administrator from bypassing these protections.

Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see AppLocker.

The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.

In this procedure, the workstations are dedicated to domain administrators. By modifying which administrator accounts are granted permission to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights, using the instructions described in the following procedure.

To install administrative workstations in a domain and block Internet and email access (minimum): As a domain administrator on a domain controller, open Active Directory Users and Computers, and create a new OU for administrative workstations. You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see Delegation of Administration in Active Directory.

Configure which members of accounts can log on locally to these administrative workstations as follows: Double-click Allow log on locally, and then select the Define these policy settings check box.

Double-click Proxy Settings, and select the Enable proxy settings check box. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer. You can skip this step if you use another tool to deploy software updates. Also, if only the public Microsoft Windows Update service on the Internet is used, then these administrative workstations no longer receive updates. On each profile, ensure that the firewall is enabled and that inbound connections are set to Block all connections.

Install the Windows operating system on the workstations, give each workstation the same names as the computer accounts assigned to them, and then join them to the domain. It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer.

Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation. Restrict domain administrators from having logon access to servers and workstations.

Before starting this procedure, identify all OUs in the domain that contain workstations and servers. Any computers in OUs that are not identified will not restrict administrators with sensitive accounts from signing in to them.

Restrict domain administrators from non-domain controller servers and workstations. Restrict server administrators from signing in to workstations, in addition to domain administrators. For this procedure, do not link accounts to the OU that contains workstations for administrators that perform administration duties only and do not have Internet or email access. For more information, see Create dedicated workstation hosts for administrators.

You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. Configure the user rights to deny batch and service logon rights for domain administrators as follows. Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services.

Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.

However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. If you later extend this solution, do not deny logon rights for the Domain Users group. The Domain Users group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators. Although user accounts are not marked for delegation by default, accounts in an Active Directory domain can be trusted for delegation.

This means that a service or a computer that is trusted for delegation can impersonate an account that authenticates to them to access other resources across the network. For sensitive accounts, such as those belonging to members of the Administrators, Domain Admins, or Enterprise Admins groups in Active Directory, delegation can present a substantial risk of rights escalation. For example, if an account in the Domain Admins group is used to sign in to a compromised member server that is trusted for delegation, that server can request access to resources in the context of the Domain Admins account, and escalate the compromise of that member server to a domain compromise.

It is a best practice to configure the user objects for all sensitive accounts in Active Directory by selecting the Account is sensitive and cannot be delegated check box under Account options to prevent these accounts from being delegated.
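The following PowerShell script is an added example (not from this page or from Microsoft's documentation) that audits the members of the built-in privileged groups and reports which of them are still delegatable, then marks them with the same "Account is sensitive and cannot be delegated" flag described above. It assumes the ActiveDirectory RSAT module is installed, that the script runs with rights to modify user accounts, and that the groups use their default English names; all three are assumptions.

```powershell
# Added example: audit and set "Account is sensitive and cannot be delegated" on
# members of the built-in privileged groups. Requires the ActiveDirectory module
# and an account permitted to modify these users (assumptions, not page content).
Import-Module ActiveDirectory

# Default English group names; adjust for localized domains (assumption).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Collect user members recursively so that members of nested groups are included,
# then drop duplicates (an account is usually in more than one of these groups).
$sensitiveUsers = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
}
$sensitiveUsers = $sensitiveUsers | Sort-Object -Property DistinguishedName -Unique

# AccountNotDelegated is the cmdlet's view of the NOT_DELEGATED bit (0x100000)
# in userAccountControl; $false means the account can still be delegated.
$report = foreach ($member in $sensitiveUsers) {
    $user = Get-ADUser -Identity $member.DistinguishedName -Properties AccountNotDelegated
    [PSCustomObject]@{
        SamAccountName      = $user.SamAccountName
        AccountNotDelegated = [bool]$user.AccountNotDelegated
    }
}
$report | Format-Table -AutoSize

# Set the flag on every account that is still delegatable. -WhatIf only shows
# what would change; remove it after reviewing the report and testing the setting.
$report | Where-Object { -not $_.AccountNotDelegated } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -AccountNotDelegated $true -WhatIf
}
```

Run the script first with -WhatIf in place to review the affected accounts; as the surrounding text notes, service and scheduled-task accounts that happen to be in these groups are the ones most likely to break when delegation is blocked, so test before removing -WhatIf.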

For more information, see Settings for default local accounts in Active Directory. As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it. It is a best practice to strictly enforce restrictions on the domain controllers in your environment. This ensures that the domain controllers:

One aspect of securing and managing domain controllers is to ensure that the default local user accounts are fully protected. It is of primary importance to restrict and secure all sensitive domain accounts, as described in the preceding sections.

Because domain controllers store credential password hashes of all accounts in the domain, they are high-value targets for malicious users.

When domain controllers are not well managed and secured by using restrictions that are strictly enforced, they can be compromised by malicious users. For example, a malicious user could steal sensitive domain administrator credentials from one domain controller, and then use these credentials to attack the domain and forest. In addition, installed applications and management agents on domain controllers might provide a path for escalating rights that malicious users can use to compromise the management service or administrators of that service.

The management tools and services, which your organization uses to manage domain controllers and their administrators, are equally important to the security of the domain controllers and the domain administrator accounts. Ensure that these services and administrators are fully secured with equal effort.

Note: When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign.

Important: Rebooting a computer is the only reliable way to recover functionality, as this will cause both the computer account and user accounts to log back in again.

If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment.

Important: Ensure that sensitive administrator accounts cannot access email or browse the Internet, as described in the following section.

Note: If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task.

Note: In this procedure, the workstations are dedicated to domain administrators.

Step 7: You should have the Administrative Tools option on the Start menu.

From there, select any of the Active Directory tools. In newer versions of Windows 10, select the Start button, then type active directory, and it should show up. This post has introduced the tool; you should now have an overall understanding of it. This is the end of the post.

Tip: To learn more information about the Windows system, you can go to the MiniTool official website.
