Security for a web app through Active Directory


Problem description

Here is a situation I am currently addressing. I am working on a Web project with its security being tied up with the Active Directory. Which means technically when you add a user through the application we are adding a new user to the Active Directory on the Server. Now my question is, is this a good practice?

At this point I think of a vulnerability which is you could do a remote desktop on to the deployment server with the account you created through the Application (Please correct me if I am wrong). But I just want to confirm this before I could inform this to my Architect.

Any suggestions will be deeply appreciated.

Awaiting your reply.

Recommended answer

If the web application has permission to create accounts in Active Directory, then this means that the web application presumably has an account with (possibly limited) administrative rights to the Active Directory domain. That could potentially be used for all sorts of bad things if you're not careful.

If you're going to proceed, then the first step, if you haven't already done so, is to delegate administrative rights to your web application's account so that it can only create accounts within a particular OU. See this article for details, or search Google for other descriptions.

You'll probably also want to set up Group Policy and group memberships to further restrict the newly created accounts (for example, disabling Remote Desktop), and you'll want to do so in a way that doesn't rely on the web application doing the right thing (as an extra layer of security in case the web application is compromised).

ServerFault would be a better place to find out about Active Directory's security model and how to best set up these various restrictions.

Finally, if you don't need to have users automatically created within your Active Directory domain, then you should consider other approaches. If you're only looking to use Active Directory as a stable, robust source of user authentication, for example, then you can use Active Directory Lightweight Directory Services (formerly known as Active Directory Application Mode) to get Active Directory's functionality without any effect on your domain's security.
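A concrete form of the OU-scoped delegation and the independent deny-RDP layer the answer describes, as an added PowerShell example that is not part of the original question or answer. The domain (EXAMPLE / example.com), the OU "WebAppUsers", the service account svc-webapp and the group "WebApp-NoRDP" are assumed names; the group is expected to be listed under "Deny log on through Remote Desktop Services" in the deployment server's Group Policy.

```powershell
# Added example, not code from the original question or answer.
# Assumed names: domain EXAMPLE (example.com), service account svc-webapp,
# OU "WebAppUsers", and a group "WebApp-NoRDP" that a GPO lists under
# "Deny log on through Remote Desktop Services" on the deployment server.
Import-Module ActiveDirectory

$OuDN     = "OU=WebAppUsers,DC=example,DC=com"   # assumed OU the app may create users in
$SvcSam   = "svc-webapp"                         # assumed service account (sAMAccountName)
$SvcAcct  = "EXAMPLE\$SvcSam"
$NoRdpGrp = "WebApp-NoRDP"                       # assumed group targeted by the deny-RDP GPO

# Look up the schemaIDGUID of the 'user' class so the ACEs apply to user objects only
# (not groups, computers or other classes the app has no business creating).
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID
$userGuid  = [Guid]$userClass.schemaIDGUID
$sid = ([System.Security.Principal.NTAccount]$SvcAcct).Translate([System.Security.Principal.SecurityIdentifier])

# ACE 1: create user objects directly under this OU (no inheritance to child OUs).
$createUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
# ACE 2: manage (attributes, passwords) only the user objects that live under this OU.
$manageUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$OuDN"
$acl.AddAccessRule($createUsers)
$acl.AddAccessRule($manageUsers)
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Audit: the service account should hold exactly these ACEs and no privileged group memberships.
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $SvcAcct } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
Get-ADPrincipalGroupMembership -Identity $SvcSam | Select-Object Name

# Independent layer: a scheduled sweep that puts every account in the OU into the
# deny-RDP group, so the restriction holds even if the app forgets or is compromised.
Get-ADUser -Filter * -SearchBase $OuDN | ForEach-Object {
    Add-ADGroupMember -Identity $NoRdpGrp -Members $_ -ErrorAction SilentlyContinue
}
```

Run the delegation part once as a domain administrator and the sweep on a schedule from a host the web application cannot reach.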
