Udostępnij za pośrednictwem


Planning How to Secure the MBAM Websites

Dotyczy: Microsoft BitLocker Administration and Monitoring 2.5

This topic describes the following methods for securing the Microsoft BitLocker Administration and Monitoring (MBAM) 2,5 Administration and Monitoring Website and Self-Service Portal:

Method Required or optional?

Using certificates to secure MBAM websites

Optional, but highly recommended

Registering Service Principal Names (SPN) for the application pool account

Required

For more information about how to secure your MBAM deployment, see MBAM 2.5 Security Considerations.

Using certificates to secure MBAM websites

We recommend that you use a certificate to secure the communication between the:

  • MBAM Client and the web services

  • Browser and the Administration and Monitoring Website and the Self-Service Portal websites

For information about requesting and installing a certificate, see Configuring Internet Server Certificates.

Uwaga

You can configure the websites and web services on different servers only if you are using Windows PowerShell. If you use the MBAM Server Configuration wizard to configure the websites, you must configure the websites and the web services on the same server.

To secure the communication between the web services and the databases, we also recommend that you force encryption in SQL Server. For information about securing all connections to SQL Server, including communication between the web services and SQL Server, see Secure connections to SQL Server.

Registering SPNs for the application pool account

To enable the MBAM Servers to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal, you must register a Service Principal Name (SPN) for the host name under the domain account that you are using for the web application pool.

This topic contains instructions on how to register SPNs for the following types of host names:

  • Fully qualified domain name

  • NetBIOS name

  • Virtual name

Before you create SPNs for an initial MBAM installation

Review the information in the following table before you start creating SPNs.

Task or item More information

Create a service account in Active Directory Domain Services (AD DS).

The service account is a user account that you create in AD DS to provide security for the MBAM websites. The MBAM websites run under an application pool, whose identity is the name of the service account. The SPNs are then registered in the application pool account.

Uwaga

You must use the same application pool account for all web servers.

Verify that either the IIS-IUSRS group account or the application pool account has been granted the necessary rights.

To check this, follow these steps:

  1. Open the Local Security Policy editor and expand the Local Policies node.

  2. Select the User Rights Assignment node, and double-click the Impersonate a client after authentication and Log on as a batch job Group Policy settings in the right pane.

If you configure the MBAM websites by using a domain administrative account, MBAM will create the SPNs for you.

If you configure the MBAM websites by using a domain administrative account, follow the steps in this topic to register SPNs manually for the type of host name that you are using.

Registering SPNs when you use a fully qualified domain host name

If you use a fully qualified domain host name when you configure MBAM, you have to register only one SPN, as shown in the following example.

What you need to do Examples and more information

Register an SPN for the fully qualified domain name.

Setspn -s http/mybitlockerrecovery.contoso.com contoso\mbamapppooluser

The fully qualified host name is mybitlockerrecovery.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

Configure constrained delegation for the SPN that you are registering for the application pool account.

Configuring Constrained Delegation

Registering SPNs when you use a NetBIOS host name

If you use a NetBIOS host name when you configure MBAM, register one SPN for the NetBIOS name, and another SPN for the fully qualified domain name, as shown in the following examples.

What you need to do Examples and more information

Register an SPN for the NetBIOS host name.

Setspn -s http/nbname01 contoso\mbamapppooluser

The NetBIOS host name is nbname01, and the domain account used for the web application pool is contoso\mbamapppooluser.

Register an SPN for the fully qualified domain name.

Setspn –s http/nbname01.corp.contoso.com contoso\mbamapppooluser

The fully qualified domain name is nbname01.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

Configure constrained delegation for the SPNs that you are registering for the application pool account.

Configuring Constrained Delegation

Registering SPNs when you use a virtual host name

If you configure MBAM with a virtual host name that is a fully qualified domain name, register only one SPN for the virtual host name. If the virtual host name that you configure is not a fully qualified domain name, you must create a second SPN that specifies the fully qualified domain name, as described in the following examples.

What you need to do Examples and more information

If your virtual host name is a fully qualified domain name, as in this example, register only one SPN.

Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

In the example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

Register this additional SPN if your virtual host name is not a fully qualified domain name.

Setspn -s http/mbamvirtual contoso\mbamapppooluser

In the example, the virtual host name is mbamvirtual, and the domain account used for the web application pool is contoso\mbamapppooluser.

Register this additional SPN if your virtual host name is not a fully qualified domain name.

Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

In the example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

On the Domain Name Server (DNS) server, create an “A record” for the custom host name and point it to a web server or a load balancer.

See the “To configure DNS Host A Records” section in Configure DNS Host Records.

We recommend that you use A records instead of CNAMES. If you use CNAMES to point to the domain address, you must also register SPNs for the web server name in the application pool account.

Configure constrained delegation for the SPNs that you are registering for the application pool account.

Configuring Constrained Delegation

Registering an SPN when you upgrade from previous versions of MBAM

Complete the steps in this section only if you want to:

  • Upgrade from a previous version of MBAM.

  • Run the websites in MBAM 2.5 in a load-balanced or distributed configuration, and you are currently running in a configuration that is not load balanced.

If you already registered SPNs on the machine account rather than in an application pool account, MBAM uses the existing SPNs, and you cannot configure the websites in a load-balanced or distributed configuration.

What you need to do Examples and more information

Create an application pool account in Active Directory Domain Services (AD DS).

Remove the currently installed websites and web services.

Removing MBAM Server Features or Software

Remove SPNs from the machine account.

Setspn –d http/mbamwebserver mbamwebserver

Setspn –d http/mbamwebserver.contoso.com mbamwebserver

Register SPNs in the application pool account.

Follow the steps for Registering SPNs when you use a virtual host name.

Reconfigure the web applications and web services.

How to Configure the MBAM 2.5 Web Applications

Do one of the following, depending on the method you use for the configuration:

 

Method Details

MBAM Server Configuration wizard

Enter the application pool account in the Web service application pool domain account field.

Enable-MbamWebApplication Windows PowerShell cmdlet

Enter the account in the WebServiceApplicationPoolCredential parameter.

ImportantWażne
The host name that you enter must be the same name as the virtual host name for which you are creating the SPNs. Also, in your web farm, the host names and the application pool credentials must be the same on every server that you are configuring.

When MBAM configures the web applications, it will try to register the SPNs for you, but it can do so only if you have Domain Admin rights on the server on which you are installing MBAM. If you do not have these rights, you can complete the configuration, but you will have to set the SPNs after you configure MBAM.

Got a suggestion for MBAM?

Add or vote on suggestions here. For MBAM issues, use the MBAM TechNet Forum.

Zobacz też

Inne zasoby

Preparing your Environment for MBAM 2.5
MBAM 2.5 Deployment Prerequisites