In addition to the security measures provided by Managed Microsoft AD, you can also opt in to having Microsoft security baselines applied to your Managed Microsoft AD VMs. These baselines are industry-standard security configuration settings that Managed Microsoft AD can apply to your Managed Microsoft AD instances and domain controllers.
We recommend that you review these baselines and test them on your development or staging Managed Microsoft AD instances before choosing to apply them to production instances. Contact support to learn more about these baselines or to opt in to applying these settings.
Security monitoring and protection
We use the operating system's built-in antivirus to protect Managed Microsoft AD instances against viruses and malware. The antivirus scans your Managed Microsoft AD VMs and detects security threats such as viruses, malware, and spyware. The antivirus logs these security events, which we analyze and remediate if required.
Patching
Microsoft regularly releases bug fixes, security updates, and feature improvements. These patches are crucial to keeping your domain controllers up to date and secure.
Managed Microsoft AD tests all patches before applying them to your domain controllers. During testing, Managed Microsoft AD validates customer use cases, availability, security, and reliability. After a patch passes these tests, Managed Microsoft AD applies it to your domain controllers.
Availability during patching
While patches and updates are being applied, the Active Directory domain remains available. However, you can't perform mutating operations on these domains, such as extending the schema, updating the domain, or connecting to SQL Server or Cloud SQL. Also, Managed Microsoft AD does not apply patches to a domain on which you have already initiated a mutating operation until that operation is complete.
Managed Microsoft AD ensures that at least two domain controllers, in different availability zones, are running per region for a domain. Managed Microsoft AD updates one domain controller at a time. For each domain controller update, Managed Microsoft AD adds and promotes a new domain controller with the latest validated patch. After the new domain controller reaches a healthy state, Managed Microsoft AD demotes the existing domain controller. The new domain controller comes into use when Managed Microsoft AD promotes it, and the old domain controller stops serving requests after Managed Microsoft AD demotes it. This process ensures that at least two domain controllers are running in each region at any time.
To ensure that your applications can reach an active domain controller, they can use the Windows DC locator service. This lets your applications reconnect to the new domain controllers during the automated patching process.
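As an added example (not part of the Managed Microsoft AD documentation), the following PowerShell script resolves a domain controller through the Windows DC locator instead of a hard-coded host name and re-discovers one when the controller it reached stops answering, which is what lets a client follow the rolling promote/demote described above. The domain name example.com and the Get-ADDomain query are placeholders, and the RSAT ActiveDirectory module is assumed to be installed on a domain-joined client.

```powershell
# Added example, not from the Managed Microsoft AD documentation.
# Assumes the RSAT ActiveDirectory module on a domain-joined client.
param(
    [string]$DomainName = 'example.com',  # placeholder: your Managed Microsoft AD domain
    [int]$MaxAttempts   = 3
)
Import-Module ActiveDirectory

function Get-LocatorDomainController {
    param([string]$Domain)
    # -Discover goes through the Windows DC locator (DsGetDcName) rather than a
    # fixed host name; -ForceDiscover skips the locator cache so a controller that
    # was just demoted is not handed back; -Writable asks for a DC that accepts writes.
    $dc = Get-ADDomainController -DomainName $Domain -Discover -ForceDiscover `
        -Writable -ErrorAction Stop
    return ($dc.HostName | Select-Object -First 1)
}

function Invoke-WithDcFailover {
    param([string]$Domain, [int]$Attempts, [scriptblock]$Action)
    for ($i = 1; $i -le $Attempts; $i++) {
        $dcHost = Get-LocatorDomainController -Domain $Domain
        try {
            # Run the caller's query against whichever controller the locator returned.
            return (& $Action $dcHost)
        } catch {
            Write-Warning ("Attempt {0}/{1} against {2} failed: {3}" -f `
                $i, $Attempts, $dcHost, $_.Exception.Message)
            Start-Sleep -Seconds (5 * $i)  # back off, then let the locator pick another DC
        }
    }
    throw "No domain controller for $Domain answered after $Attempts attempts."
}

# Placeholder query: read basic domain facts from the controller the locator chose.
Invoke-WithDcFailover -Domain $DomainName -Attempts $MaxAttempts -Action {
    param($dcHost)
    Get-ADDomain -Server $dcHost -ErrorAction Stop |
        Select-Object DNSRoot, PDCEmulator, DomainMode
}
```

If the controller returned on one attempt is demoted mid-rollout, the next iteration asks the locator again and lands on the newly promoted one instead of retrying the dead host.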
Patching schedule
Our objective is to test and apply patches on all Managed Microsoft AD domain controllers within 21 business days of Microsoft releasing a monthly patch for Windows Server. However, we prioritize critical security vulnerability patches that Microsoft releases for domain controllers and apply them within 15 business days.
Credential rotation and encryption
Managed Microsoft AD uses several methods to protect credentials. Managed Microsoft AD rotates credentials frequently and encrypts them using industry-standard techniques. Credentials created for managing AD are never shared between instances. Only a small support team and automated systems can access these credentials. Managed Microsoft AD destroys these credentials when it deletes the instance.
Restricted production access
Managed Microsoft AD employs multiple systems and processes to ensure that Google Cloud engineers have minimal access to the Managed Microsoft AD domain. Only a small number of on-call engineers have access to production data. They access the production environment only to perform a domain recovery or advanced troubleshooting. These accesses require a validated justification before they can proceed, and Managed Microsoft AD logs and audits them internally. Managed Microsoft AD automates most accesses so that engineers cannot access AD data. In rare cases, on-call engineers might need to remotely access domain controllers. In these cases, the remote access uses Identity-Aware Proxy (IAP), not the public internet.
About security hardening
This topic explains the various measures that we take to harden Managed Service for Microsoft Active Directory and minimize security vulnerabilities.
No public internet access
To improve security, Managed Microsoft AD is not exposed to the public internet. Managed Microsoft AD makes all connections through private IP from authorized networks:
- Hosting: Managed Microsoft AD hosts every VM that runs Active Directory in its own [VPC](/vpc/docs), which isolates users from each other.
- Connecting: You can use authorized networks to connect to Managed Microsoft AD through private IP. Managed Microsoft AD handles the [VPC peering](/vpc/docs/vpc-peering) for these connections.
- Patching: Managed Microsoft AD applies Windows patches to the Managed Microsoft AD VMs without using public internet access. For more information about how Managed Microsoft AD handles patching, see [Patching](/managed-microsoft-ad/docs/hardening#patching).
Shielded VM
[Shielded VMs](/security/shielded-cloud/shielded-vm) are virtual machines (VMs) hardened by a set of security controls that help defend against rootkits and bootkits. Shielded VM features protect all Managed Microsoft AD VMs at no additional cost.
OS image
Managed Microsoft AD VMs are seeded from the [public Compute Engine Windows Server 2019 image](/compute/docs/images). These images have [Shielded VM](/security/shielded-cloud/shielded-vm) features enabled and are optimized for running on Compute Engine infrastructure.
Last updated: 2025-09-04 (UTC).