Enable computer and user accounts to be trusted for delegation

04/19/2017


Applies to

Windows 10

Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting.

Reference

This policy setting determines which users can set the Trusted for Delegation setting on a user or computer object.

Security account delegation lets a client connect through a chain of servers while each hop retains the original client's authentication identity. Delegation of authentication is used by client and server applications that have multiple tiers: it allows a public-facing service to use the client's credentials to authenticate to a back-end application or database service. For this configuration to be possible, the server accounts in the chain must be trusted for delegation, and the client account must not be marked as sensitive and cannot be delegated.

Only administrators who hold the Enable computer and user accounts to be trusted for delegation user right can set up delegation. Members of Domain Admins and Enterprise Admins hold this right by default. The procedure for marking an account as trusted for delegation depends on the functional level of the domain.

Holding the user right is not sufficient on its own: the caller that marks a user or computer object as trusted for delegation must also have write access to the account control flags (the userAccountControl attribute) on that object. Once an account is marked, a server process running on a device (or under a user context) that is trusted for delegation can access resources on another computer by using the delegated credentials of a client.
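The flags described above can be audited directly. The following PowerShell is an added example, not code from the original article; it lists every user and computer object in the domain that is currently marked for delegation and classifies each as unconstrained or constrained. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the directory. The flag values are the documented userAccountControl bits (TRUSTED_FOR_DELEGATION = 0x80000, TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000), and the bitwise LDAP matching rule OID 1.2.840.113556.1.4.803 is used to test them server-side.

```powershell
# Added example (not from the original article): enumerate accounts that are
# currently trusted for delegation, i.e. the objects that anyone holding
# SeEnableDelegationPrivilege (plus write access to userAccountControl) can create.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Documented userAccountControl flag values
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation ("Trust this computer for delegation to any service")
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition ("use any authentication protocol")

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) matches individual bits of userAccountControl;
# msDS-AllowedToDelegateTo is populated for constrained delegation regardless of the flags.
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
          "(msDS-AllowedToDelegateTo=*))"

$props   = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'
$objects = @(Get-ADUser -LDAPFilter $filter -Properties $props) +
           @(Get-ADComputer -LDAPFilter $filter -Properties $props)

$report = foreach ($o in $objects) {
    $uac     = [int]$o.userAccountControl
    $targets = @($o.'msDS-AllowedToDelegateTo')

    # Unconstrained delegation wins: the host receives the client's forwardable TGT for any service.
    $kind = if ($uac -band $TRUSTED_FOR_DELEGATION) {
                'Unconstrained'
            } elseif ($targets.Count -gt 0) {
                if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained (protocol transition)' }
                else                                             { 'Constrained (Kerberos only)' }
            } else {
                'None'
            }

    [pscustomobject]@{
        Name       = $o.SamAccountName
        Class      = $o.ObjectClass
        Delegation = $kind
        Targets    = ($targets -join ';')   # SPNs this account may delegate to (constrained only)
    }
}

$report | Sort-Object Delegation, Name | Format-Table -AutoSize
```

Domain controllers carry TRUSTED_FOR_DELEGATION by default, so expect them in the Unconstrained rows; any other unconstrained entry, and any constrained entry with protocol transition, is what the countermeasure later on this page asks you to justify, because such a host can act as any client that authenticates to it.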

Constant: SeEnableDelegationPrivilege

Possible values

User-defined list of accounts

Not defined

Best practices

There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain, because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone devices.

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page.

Server type or GPO                                Default value
Default Domain Policy                             Not defined
Default Domain Controller Policy                  Not defined
Stand-Alone Server Default Settings               Not defined
Domain Controller Effective Default Settings      Administrators
Member Server Effective Default Settings          Administrators
Client Computer Effective Default Settings        Administrators

Policy management

This section describes features, tools, and guidance to help you manage this policy.

Modifying this setting might affect compatibility with clients, services, and applications.

A restart of the device is not required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy

This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers.

Settings are applied in the following order through a Group Policy Object (GPO); a later layer overwrites the settings on the local computer at the next Group Policy update:

Local policy settings

Site policy settings

Domain policy settings

OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Note: More information about configuring the policy can be found here.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of implementing the countermeasure.

Vulnerability

Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker who holds this privilege can mark an account under their control as trusted for delegation, use it to gain access to network resources under other users' identities, and make it difficult to determine what actually happened after a security incident.

Countermeasure

The Enable computer and user accounts to be trusted for delegation user right should be assigned only if there is a clear need for its functionality. When you assign this right, investigate the use of constrained delegation to limit what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default.

Note: There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain, because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.
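As an added example serving both the policy management section and the countermeasure above (it is not code from the original article), the following PowerShell exports the local user-rights assignment with secedit, reads the holders of SeEnableDelegationPrivilege, resolves them to account names, and flags any principal other than the default BUILTIN\Administrators. It assumes an elevated prompt; the temporary file path and the column layout are choices of this example. S-1-5-32-544 is the well-known SID of the local Administrators group, the documented default holder on domain controllers.

```powershell
# Added example (not from the original article): report who holds
# "Enable computer and user accounts to be trusted for delegation" on this machine.
# Run elevated. On a domain member the effective value is whatever the last GPO applied.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # temporary file; path is this example's choice

# secedit writes the current user-rights assignment as an INI file with a [Privilege Rights] section
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Line format inside the export, e.g.:  SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-...-512
$line = Get-Content -Path $inf |
        Where-Object { $_ -match '^\s*SeEnableDelegationPrivilege\s*=' } |
        Select-Object -First 1
Remove-Item -Path $inf -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeEnableDelegationPrivilege is not defined on this machine; no account holds it.'
    return
}

# Holders are comma-separated; each is either *<SID> or a plain account name
$holders  = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$expected = 'S-1-5-32-544'   # BUILTIN\Administrators, the documented default on domain controllers

foreach ($h in $holders) {
    if ($h.StartsWith('*')) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier ($h.Substring(1))
        $sidV = $sid.Value
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved SID>' }   # orphaned SID: a deleted account still holding the right
    } else {
        $name = $h
        try   { $sidV = (New-Object System.Security.Principal.NTAccount($h)).Translate(
                         [System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sidV = '<unresolved name>' }
    }

    # Anything other than the built-in Administrators group is a deviation from the documented default
    $status = if ($sidV -eq $expected) { 'default' } else { 'REVIEW' }
    Write-Output ('{0,-8} {1,-45} {2}' -f $status, $name, $sidV)
}
```

Rows marked REVIEW on a domain controller are holders that were added on purpose or by an attacker and should be tied back to a change record; on a member server or workstation any holder at all contradicts the best practice above, since the right has no effect there. To see whether your own token currently carries the privilege, whoami /priv lists it as SeEnableDelegationPrivilege.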

Potential impact

None. Not defined is the default configuration.
