Configuring Active Directory Tiered Model

Overview


Implement Microsoft's tiered administration model for Active Directory, published as part of the Enhanced Security Admin Environment (ESAE, the "red forest" administrative-forest design). Microsoft has since retired ESAE in favor of its enterprise access model, but the tiering controls described here carry over unchanged. Covers Tier 0/1/2 separation (Tier 0: domain controllers, the directory itself and every identity or system that controls it; Tier 1: member servers and applications; Tier 2: user workstations and devices), privileged access workstations (PAWs), administrative forest design, authentication policy silos, and credential theft mitigation. The governing rule is that credentials of a higher tier are never exposed to a lower tier: a Tier 0 account logs on only to Tier 0 systems, and only from a Tier 0 PAW.
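The following script is an added example, not code from the original page or from Microsoft; it bootstraps the Tier 0 side of the model with the ActiveDirectory PowerShell module: the per-tier OU structure, a Tier 0 admin group, an authentication policy that only issues a Tier 0 user a TGT from a device in the Tier 0 silo, the silo itself, and the per-account credential-theft hardening (Protected Users, non-delegatable). The OU, group, policy and silo names, the admin account adm-t0-alice and the PAW PAW-T0-01 are assumptions for illustration.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not part of the original page): bootstrap Tier 0 with the
  ActiveDirectory module. OU/group/policy/silo names, the admin account
  'adm-t0-alice' and the PAW 'PAW-T0-01' are assumptions for illustration.
  Defaults to audit-only mode; pass -Enforce once the audit events look clean.
#>
[CmdletBinding()]
param(
    [string]$Tier0Admin = 'adm-t0-alice',   # assumption: dedicated Tier 0 admin account, never a daily-use account
    [string]$Tier0Paw   = 'PAW-T0-01',      # assumption: the Tier 0 privileged access workstation
    [switch]$Enforce                        # policy/silo enforce flag; omitted = audit-only
)

$domainDn = (Get-ADDomain).DistinguishedName

# Create an OU if it is missing and return its DN.
function Initialize-TierOu([string]$Name, [string]$Path) {
    $dn = "OU=$Name,$Path"
    try   { Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null }
    catch { New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null }
    return $dn
}

# 1. Tier OUs: logon-restriction GPOs and ACL delegation are scoped per tier here,
#    so a delegation granted to Tier 1 operators can never reach Tier 0 objects.
$adminOu = Initialize-TierOu 'Admin' $domainDn
$tierOu  = @{}
foreach ($tier in 'Tier0', 'Tier1', 'Tier2') {
    $tierOu[$tier] = Initialize-TierOu $tier $adminOu
    foreach ($sub in 'Accounts', 'Groups', 'Devices') { Initialize-TierOu $sub $tierOu[$tier] | Out-Null }
}

# 2. Tier 0 admin group. Built-in groups (Domain Admins etc.) should hold only its members.
$t0Group = 'Tier0-Admins'
if (-not (Get-ADGroup -Filter "Name -eq '$t0Group'")) {
    New-ADGroup -Name $t0Group -SamAccountName $t0Group -GroupScope Global -GroupCategory Security `
        -Path "OU=Groups,$($tierOu['Tier0'])" -Description 'Tier 0 administrators' | Out-Null
}

# 3. Authentication policy: a Tier 0 user is issued a TGT only when authenticating from a
#    device that is itself in the Tier 0 silo, and the TGT is short-lived so a stolen
#    ticket expires quickly. The SDDL condition is the form Active Directory
#    Administrative Center generates for "member of silo".
$siloName   = 'Tier0-Silo'
$policyName = 'Tier0-AuthPolicy'
$fromSilo   = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"
if (-not (Get-ADAuthenticationPolicy -Filter "Name -eq '$policyName'")) {
    New-ADAuthenticationPolicy -Name $policyName -UserAllowedToAuthenticateFrom $fromSilo `
        -UserTGTLifetimeMins 240 -Enforce:$Enforce
}
if (-not (Get-ADAuthenticationPolicySilo -Filter "Name -eq '$siloName'")) {
    New-ADAuthenticationPolicySilo -Name $siloName -Enforce:$Enforce `
        -UserAuthenticationPolicy $policyName -ComputerAuthenticationPolicy $policyName `
        -ServiceAuthenticationPolicy $policyName
}

# 4. Silo membership is two-sided: the silo must permit the account (Grant-...) and the
#    account must be assigned to the silo (Set-...). Both the admin and the PAW go in;
#    the break-glass account stays out, or enforcement can lock everyone out of Tier 0.
$user = Get-ADUser $Tier0Admin
$paw  = Get-ADComputer $Tier0Paw
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $user
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $paw
Set-ADUser     -Identity $user -AuthenticationPolicySilo $siloName
Set-ADComputer -Identity $paw  -AuthenticationPolicySilo $siloName

# 5. Credential-theft hardening for the account itself: Protected Users disables NTLM,
#    DES/RC4 Kerberos keys, delegation and cached credentials for the member;
#    AccountNotDelegated closes the Kerberos delegation path even if the account is
#    later removed from the group.
Add-ADGroupMember -Identity 'Protected Users' -Members $user
Set-ADAccountControl -Identity $user -AccountNotDelegated $true
Add-ADGroupMember -Identity $t0Group -Members $user

Write-Host "Tier 0 silo '$siloName' configured (Enforce=$($Enforce.IsPresent))."
```

Run it from a Tier 0 host against a lab domain first. Silos and Protected Users need a domain functional level of Windows Server 2012 R2 or higher, and the silo condition is only evaluated when the domain controllers have "KDC support for claims, compound authentication and Kerberos armoring" enabled and the PAW has the matching "Kerberos client support" setting; without those the policy silently does nothing. Leave -Enforce off until the domain controllers' Security log shows no unexpected authentication-policy denials (Kerberos denials surface as events 4820 and 4821), and remember that Protected Users members have no cached logon, so the PAW must be able to reach a domain controller.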

When to Use


  • When deploying or configuring tiered administration for Active Directory in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving the privileged-access security architecture for an Active Directory forest
  • When conducting security assessments that require this implementation

Prerequisites


  • Familiarity with identity and access management concepts and tools
  • Access to a test or lab environment for safe execution
  • Windows PowerShell with the ActiveDirectory module (RSAT) on an administrative host; Python 3.8+ with required dependencies installed for any Python-based reporting tooling
  • Domain functional level Windows Server 2012 R2 or higher, which authentication policy silos and the Protected Users group require
  • Appropriate authorization for any testing activities

Objectives


  • Implement the tiered administration model end to end: per-tier OUs, separate admin accounts and groups per tier, PAWs, and authentication policy silos
  • Establish automated discovery of privileged accounts and monitoring for tier violations
  • Integrate with enterprise IAM and security tools
  • Generate compliance-ready documentation and reports
  • Align with NIST 800-53 access control requirements

Security Controls


Control                             NIST 800-53   Description
Account Management                  AC-2          Lifecycle management of separate per-tier administrative accounts
Access Enforcement                  AC-3          Policy-based access control (authentication policies and silos)
Least Privilege                     AC-6          Minimum necessary permissions per tier
Audit Logging                       AU-2, AU-3    Logging of authentication and access events (AU-2) with sufficient record content (AU-3)
Identification and Authentication   IA-2          User and service identification

Verification


  • Implementation tested in non-production environment
  • Security policies configured and enforced
  • Audit logging enabled and forwarding to SIEM
  • Documentation and runbooks complete
  • Compliance evidence generated
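The following verification script is an added example, not code from the original page; it checks the Tier 0 invariants the model depends on (the silo exists and is enforced, every Tier 0 admin is in Protected Users, assigned to the silo and non-delegatable, and the built-in privileged groups contain only Tier 0 accounts) and writes the results to a CSV as compliance evidence. The group name Tier0-Admins and the silo name Tier0-Silo are assumptions; substitute the names used in your environment.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not part of the original page): verify Tier 0 invariants and
  export the findings as evidence. 'Tier0-Admins' and 'Tier0-Silo' are assumed
  names; adjust them to your environment.
#>
[CmdletBinding()]
param(
    [string]$Tier0Group   = 'Tier0-Admins',   # assumption: the Tier 0 admin group
    [string]$SiloName     = 'Tier0-Silo',     # assumption: the Tier 0 authentication policy silo
    [string]$EvidencePath = ".\tier0-verification-$(Get-Date -Format 'yyyyMMdd').csv"
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Subject, [bool]$Pass, [string]$Detail = '') {
    $findings.Add([pscustomobject]@{
        Check   = $Check
        Subject = $Subject
        Status  = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail  = $Detail
    })
}

# 1. The silo must exist and be enforced; a silo left in audit-only mode blocks nothing.
$silo = Get-ADAuthenticationPolicySilo -Filter "Name -eq '$SiloName'" -Properties Enforce
Add-Finding 'SiloEnforced' $SiloName ([bool]$silo -and [bool]$silo.Enforce) `
    $(if ($silo) { "Enforce=$($silo.Enforce)" } else { 'silo not found' })

# 2. Every Tier 0 admin must be in Protected Users, assigned to the silo, and non-delegatable.
#    msDS-AssignedAuthNPolicySilo holds the DN of the silo object, so match on its CN.
$protectedDn = @(Get-ADGroupMember 'Protected Users' -Recursive | Select-Object -ExpandProperty DistinguishedName)
$tier0 = @(Get-ADGroupMember $Tier0Group -Recursive | Where-Object objectClass -eq 'user')
Add-Finding 'Tier0GroupPopulated' $Tier0Group ($tier0.Count -gt 0) "$($tier0.Count) members"
foreach ($member in $tier0) {
    $u = Get-ADUser $member -Properties AccountNotDelegated, 'msDS-AssignedAuthNPolicySilo'
    $assignedSilo = "$($u.'msDS-AssignedAuthNPolicySilo')"
    Add-Finding 'ProtectedUsers' $u.SamAccountName ($protectedDn -contains $u.DistinguishedName)
    Add-Finding 'SiloAssigned'   $u.SamAccountName ($assignedSilo -like "CN=$SiloName,*") $assignedSilo
    Add-Finding 'NotDelegatable' $u.SamAccountName ([bool]$u.AccountNotDelegated)
}

# 3. Built-in privileged groups must contain only Tier 0 accounts; membership drift is the
#    usual way a Tier 1 or Tier 2 credential ends up controlling the forest.
#    Enterprise Admins and Schema Admins exist only in the forest root domain.
$tier0Dn = @($tier0 | Select-Object -ExpandProperty DistinguishedName)
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = Get-ADGroupMember $g -Recursive -ErrorAction SilentlyContinue | Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        Add-Finding 'PrivilegedGroupMemberIsTier0' "$g : $($m.SamAccountName)" ($tier0Dn -contains $m.DistinguishedName)
    }
}

# 4. Evidence out, failures to the console.
$findings | Export-Csv -Path $EvidencePath -NoTypeInformation
$failed = @($findings | Where-Object Status -eq 'FAIL')
Write-Host "$($findings.Count) checks, $($failed.Count) failed; evidence written to $EvidencePath"
$failed | Format-Table -AutoSize
```

Schedule it from a Tier 0 host and treat any FAIL row as an incident to triage, not a report item: a non-Tier 0 account in Domain Admins, or a Tier 0 admin missing from Protected Users, is exactly the condition the tier model exists to prevent. Get-ADGroupMember enumerates nested membership only for groups with fewer than the default size limit on the server, so very large groups need a direct LDAP query instead.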