From 16df0417918d1b57dbad9bc9a3fcead151e9014f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Mar 2019 09:36:02 -0700 Subject: [PATCH 1/3] removed default bullet point --- .../identity-protection/vpn/vpn-conditional-access.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index e69b8ed62c..69944937b7 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -10,7 +10,7 @@ ms.author: pashort manager: elizapo ms.reviewer: ms.localizationpriority: medium -ms.date: 01/26/2019 +ms.date: 03/21/2019 --- # VPN and conditional access 
@@ -32,11 +32,7 @@ Conditional Access Platform components used for Device Compliance include the fo - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. -- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. - - Additional details regarding the Azure AD issued short-lived certificate: - - The default lifetime is 60 minutes and is configurable - - When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection +- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. 
- [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. From e9afffc2928a94bc85bf626910fac3490f8c1131 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 22 Mar 2019 16:06:40 -0700 Subject: [PATCH 2/3] updated suggestions --- .../intelligence/supply-chain-malware.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index 82d2b453d7..38333fd918 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md 
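Review bot: the rewritten "Azure AD-issued short-lived certificates" bullet in the `@@ -32,11 +32,7 @@` hunk drops the only statement of the certificate lifetime ("The default lifetime is 60 minutes and is configurable"), so the page no longer tells the reader how often device health is re-validated, which is the property that makes the short-lived certificate a continuous compliance control rather than a one-time check. If the 60-minute figure was removed because it is no longer accurate, replace it with the current default or at least keep the fact that the lifetime is configurable; if it was removed only to flatten the nested bullets, fold it into the new sentence, for example "When that certificate expires (the lifetime is configurable), the client will again check with Azure AD for health validation before a new certificate is issued."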
@@ -48,15 +48,15 @@ To learn more about supply chain attacks, read this blog post called [attack inc ### For software vendors and developers -* Take steps to ensure your apps are not compromised. - -* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems. +* Maintain a highly secure build and update infrastructure. * Immediately apply security patches for OS and software. - + * Implement mandatory integrity controls to ensure only trusted tools run. * Require multi-factor authentication for admins. - -* Build secure software update processes as part of the software development lifecycle. - +* Build secure software updaters as part of the software development lifecycle. + * Require SSL for update channels and implement certificate pinning. + * Sign everything, including configuration files, scripts, XML files, and packages. + * Check for digital signatures, and don’t let the software updater accept generic input and commands. * Develop an incident response process for supply chain attacks. + * Disclose supply chain incidents and notify customers with accurate and timely information For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file From 74925d2d65ae06b5695eb3ea2fd04e918679690a Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 22 Mar 2019 16:44:03 -0700 Subject: [PATCH 3/3] better spacing --- .../threat-protection/intelligence/supply-chain-malware.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index 38333fd918..dc3bb6897e 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md 
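Review bot: the replacement line "Maintain a highly secure build and update infrastructure." loses the concrete control that the removed line carried, "Restrict access to critical build systems."; keep that as a sub-bullet under the new item (next to "Require multi-factor authentication for admins.") so the guidance still names a specific action rather than an adjective. Two smaller points in the added sub-bullets: "Require SSL for update channels" should read TLS, since SSL is deprecated and the advice is about the protocol currently in use; and the last added line, "Disclose supply chain incidents and notify customers with accurate and timely information", is missing its terminal period while every other item has one. The "\ No newline at end of file" marker also shows the file still ends without a newline; add one in this commit.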
@@ -52,10 +52,12 @@ To learn more about supply chain attacks, read this blog post called [attack inc * Immediately apply security patches for OS and software. * Implement mandatory integrity controls to ensure only trusted tools run. * Require multi-factor authentication for admins. + * Build secure software updaters as part of the software development lifecycle. * Require SSL for update channels and implement certificate pinning. * Sign everything, including configuration files, scripts, XML files, and packages. * Check for digital signatures, and don’t let the software updater accept generic input and commands. + * Develop an incident response process for supply chain attacks. * Disclose supply chain incidents and notify customers with accurate and timely information
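Review bot: the two blank lines are inserted only before "Build secure software updaters" and "Develop an incident response process", which leaves the list half tight and half loose: in Markdown a blank line between any two items makes the whole list loose, so every top-level item (including "Immediately apply security patches", "Implement mandatory integrity controls" and "Require multi-factor authentication") will render with paragraph spacing, while the nested sub-bullets stay tight. If the intent is to visually separate only the items that carry sub-lists, this is what it produces; if the intent is consistent spacing, put a blank line between all top-level items or between none. The previous commit's hunk ended with "\ No newline at end of file" and this hunk does not touch the last line, so also confirm the trailing newline was added.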