Planning How to Secure the MBAM Websites
Applies to: Microsoft BitLocker Administration and Monitoring 2.5
This topic describes the following methods for securing the Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 Administration and Monitoring Website and Self-Service Portal:
Method | Required or optional?
---|---
Using certificates to secure MBAM websites | Optional, but highly recommended
Registering Service Principal Names (SPN) for the application pool account | Required
For more information about how to secure your MBAM deployment, see MBAM 2.5 Security Considerations.
Using certificates to secure MBAM websites
We recommend that you use a certificate to secure the communication between the:
MBAM Client and the web services
Browser and the Administration and Monitoring Website and the Self-Service Portal websites
For information about requesting and installing a certificate, see Configuring Internet Server Certificates.
Note
You can configure the websites and web services on different servers only if you are using Windows PowerShell. If you use the MBAM Server Configuration wizard to configure the websites, you must configure the websites and the web services on the same server.
To secure the communication between the web services and the databases, we also recommend that you force encryption in SQL Server. For information about securing all connections to SQL Server, including communication between the web services and SQL Server, see Secure connections to SQL Server.
Registering SPNs for the application pool account
To enable the MBAM Servers to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal, you must register a Service Principal Name (SPN) for the host name under the domain account that you are using for the web application pool.
This topic contains instructions on how to register SPNs for the following types of host names:
Fully qualified domain name
NetBIOS name
Virtual name
Before you create SPNs for an initial MBAM installation
Review the information in the following table before you start creating SPNs.
Task or item | More information
---|---
Create a service account in Active Directory Domain Services (AD DS). | The service account is a user account that you create in AD DS to provide security for the MBAM websites. The MBAM websites run under an application pool, whose identity is the name of the service account. The SPNs are then registered in the application pool account. Note: You must use the same application pool account for all web servers.
Verify that either the IIS-IUSRS group account or the application pool account has been granted the necessary rights. | To check this, follow these steps:
If you configure the MBAM websites by using a domain administrative account, MBAM will create the SPNs for you. | If you configure the MBAM websites by using an account that does not have domain administrative rights, follow the steps in this topic to register SPNs manually for the type of host name that you are using.
Registering SPNs when you use a fully qualified domain host name
If you use a fully qualified domain host name when you configure MBAM, you have to register only one SPN, as shown in the following example.
What you need to do | Examples and more information
---|---
Register an SPN for the fully qualified domain name. | The fully qualified host name is mybitlockerrecovery.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.
Configure constrained delegation for the SPN that you are registering for the application pool account. |
Registering SPNs when you use a NetBIOS host name
If you use a NetBIOS host name when you configure MBAM, register one SPN for the NetBIOS name, and another SPN for the fully qualified domain name, as shown in the following examples.
What you need to do | Examples and more information
---|---
Register an SPN for the NetBIOS host name. | The NetBIOS host name is nbname01, and the domain account used for the web application pool is contoso\mbamapppooluser.
Register an SPN for the fully qualified domain name. | The fully qualified domain name is nbname01.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.
Configure constrained delegation for the SPNs that you are registering for the application pool account. |
Registering SPNs when you use a virtual host name
If you configure MBAM with a virtual host name that is a fully qualified domain name, register only one SPN for the virtual host name. If the virtual host name that you configure is not a fully qualified domain name, you must create a second SPN that specifies the fully qualified domain name, as described in the following examples.
What you need to do | Examples and more information
---|---
If your virtual host name is a fully qualified domain name, as in this example, register only one SPN. | In the example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.
If your virtual host name is not a fully qualified domain name, register an SPN for the virtual host name. | In the example, the virtual host name is mbamvirtual, and the domain account used for the web application pool is contoso\mbamapppooluser.
If your virtual host name is not a fully qualified domain name, also register a second SPN for the fully qualified domain name. | In the example, the fully qualified domain name is mbamvirtual.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.
On the Domain Name System (DNS) server, create an "A record" for the custom host name and point it to a web server or a load balancer. | See the "To configure DNS Host A Records" section in Configure DNS Host Records. We recommend that you use A records instead of CNAMEs. If you use CNAMEs to point to the domain address, you must also register SPNs for the web server name in the application pool account.
Configure constrained delegation for the SPNs that you are registering for the application pool account. |
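The following PowerShell script is an added example, not part of the MBAM documentation or product: it applies the host-name rules from the three tables above (one SPN for a fully qualified name, two for a NetBIOS or short virtual name), refuses to create a duplicate SPN, and registers the names with setspn.exe against the application pool account. It assumes the web services use the HTTP service class for Kerberos, that the DNS suffix is supplied as a parameter (the sample default is contoso.com), and that the caller has rights to write SPNs in AD DS.

```powershell
# Added example, not from the MBAM documentation. Assumes the HTTP service class and
# that setspn.exe (Windows Server / RSAT) is on the PATH. Sample names are the page's.
param(
    [Parameter(Mandatory)] [string] $HostName,        # mybitlockerrecovery.contoso.com, nbname01 or mbamvirtual
    [Parameter(Mandatory)] [string] $AppPoolAccount,  # contoso\mbamapppooluser
    [string] $DnsSuffix = 'contoso.com'               # used only when $HostName is not already an FQDN
)

function Get-RequiredSpns {
    param([string] $Name, [string] $Suffix)
    # Rule from the tables: an FQDN needs one SPN; a NetBIOS or short virtual
    # name needs the short SPN plus the SPN for its fully qualified name.
    if ($Name -match '\.') { return @("HTTP/$Name") }
    return @("HTTP/$Name", "HTTP/$Name.$Suffix")
}

function Register-MbamSpn {
    param([string] $Spn, [string] $Account)
    # setspn -Q reports whether any account in the domain already holds this SPN.
    # A hit usually means an SPN left on a machine account by an earlier MBAM
    # version, which the upgrade section says must be removed before proceeding.
    $query = & setspn.exe -Q $Spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "$Spn already exists; remove it from its current account (setspn -D) before rerunning:"
        Write-Warning ($query -join "`n")
        return $false
    }
    # -S adds the SPN only after its own duplicate check, so two web servers
    # sharing the pool account cannot end up with conflicting registrations.
    & setspn.exe -S $Spn $Account | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$results = foreach ($spn in Get-RequiredSpns -Name $HostName -Suffix $DnsSuffix) {
    [pscustomobject]@{
        Spn        = $spn
        Registered = (Register-MbamSpn -Spn $spn -Account $AppPoolAccount)
    }
}
$results | Format-Table -AutoSize

# Verify what the KDC will actually see for the pool account.
& setspn.exe -L $AppPoolAccount
```

The script does not configure constrained delegation, which the tables list as a separate step after the SPNs exist.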
Registering an SPN when you upgrade from previous versions of MBAM
Complete the steps in this section only if you want to:
Upgrade from a previous version of MBAM.
Run the websites in MBAM 2.5 in a load-balanced or distributed configuration, and you are currently running in a configuration that is not load balanced.
If you already registered SPNs on the machine account rather than in an application pool account, MBAM uses the existing SPNs, and you cannot configure the websites in a load-balanced or distributed configuration.
What you need to do | Examples and more information
---|---
Create an application pool account in Active Directory Domain Services (AD DS). |
Remove the currently installed websites and web services. |
Remove SPNs from the machine account. |
Register SPNs in the application pool account. | Follow the steps for Registering SPNs when you use a virtual host name.
Reconfigure the web applications and web services. | Do one of the following, depending on the method you use for the configuration:

When MBAM configures the web applications, it will try to register the SPNs for you, but it can do so only if you have Domain Admin rights on the server on which you are installing MBAM. If you do not have these rights, you can complete the configuration, but you will have to set the SPNs after you configure MBAM.
See also
Other resources
Preparing your Environment for MBAM 2.5
MBAM 2.5 Deployment Prerequisites