mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge pull request #5288 from MicrosoftDocs/master
Publish 06/14/2021, 10:30 AM
commit
079dedf29b
@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file
|
||||
> [!NOTE]
|
||||
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
|
||||
|
||||
### Multiple Windows editions
|
||||
|
||||
The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
|
||||
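Review bot: The combined cumulative update note identifies the affected tasks only as "Steps 1, 9, and 18", and the Flash note likewise says "between steps 20 and 21", so both notes silently go stale if the sequence table is ever renumbered. Consider naming the tasks as well as their step numbers, or placing the note directly beside the table rows it qualifies.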
@ -456,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
|
||||
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
|
||||
|
||||
Write-Output "$(Get-TS): Media refresh completed!"
|
||||
```
|
||||
```
|
||||
|
@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou
|
||||
Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
|
||||
|
||||
This list shouldn’t include any servers listed in your Internal proxy servers list.
|
||||
Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
|
||||
Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
|
||||
Separate multiple resources with the ";" delimiter.
|
||||
|
||||
```console
|
||||
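Review bot: In the proxy servers description, "Using this server type indicates that the cloud resources you're connecting to are enterprise resources" sits in the same paragraph as "Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic", and the two statements read as contradictory. If the second sentence is the intended one, the first sentence should be reworded or removed in the same change so an administrator is not left guessing which list gets enterprise proxies.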
@ -497,8 +497,8 @@ proxy.contoso.com:80;proxy2.contoso.com:443
|
||||
|
||||
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
|
||||
|
||||
This list shouldn’t include any servers listed in your Proxy servers list.
|
||||
Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
|
||||
This list shouldn’t include any servers listed in your Proxy servers list.
|
||||
Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
|
||||
Separate multiple resources with the ";" delimiter.
|
||||
|
||||
```console
|
||||
|
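Review bot: "This list shouldn't include any servers listed in your Proxy servers list." appears twice in this hunk with identical visible text, so that part of the change is presumably whitespace only. If the intent is a hard line break before "Internal proxy servers must be used only for WIP-protected (enterprise) traffic", a blank line or an explicit `<br>` would survive editors that strip trailing spaces; otherwise drop the whitespace change to keep the diff to the one sentence that actually changes.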
@ -44,51 +44,51 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol
|
||||
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
|
||||
|
||||
|
||||
| Account management events | Description |
|
||||
|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| 624 | A user account was created. |
|
||||
| 627 | A user password was changed. |
|
||||
| 628 | A user password was set. |
|
||||
| 630 | A user account was deleted. |
|
||||
| 631 | A global group was created. |
|
||||
| 632 | A member was added to a global group. |
|
||||
| 633 | A member was removed from a global group. |
|
||||
| 634 | A global group was deleted. |
|
||||
| 635 | A new local group was created. |
|
||||
| 636 | A member was added to a local group. |
|
||||
| 637 | A member was removed from a local group. |
|
||||
| 638 | A local group was deleted. |
|
||||
| 639 | A local group account was changed. |
|
||||
| 641 | A global group account was changed. |
|
||||
| 642 | A user account was changed. |
|
||||
| 643 | A domain policy was modified. |
|
||||
| 644 | A user account was auto locked. |
|
||||
| 645 | A computer account was created. |
|
||||
| 646 | A computer account was changed. |
|
||||
| 647 | A computer account was deleted. |
|
||||
| 648 | A local security group with security disabled was created.<br>**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. |
|
||||
| 649 | A local security group with security disabled was changed. |
|
||||
| 650 | A member was added to a security-disabled local security group. |
|
||||
| 651 | A member was removed from a security-disabled local security group. |
|
||||
| 652 | A security-disabled local group was deleted. |
|
||||
| 653 | A security-disabled global group was created. |
|
||||
| 645 | A security-disabled global group was changed. |
|
||||
| 655 | A member was added to a security-disabled global group. |
|
||||
| 656 | A member was removed from a security-disabled global group. |
|
||||
| 657 | A security-disabled global group was deleted. |
|
||||
| 658 | A security-enabled universal group was created. |
|
||||
| 659 | A security-enabled universal group was changed. |
|
||||
| 660 | A member was added to a security-enabled universal group. |
|
||||
| 661 | A member was removed from a security-enabled universal group. |
|
||||
| 662 | A security-enabled universal group was deleted. |
|
||||
| 663 | A security-disabled universal group was created. |
|
||||
| 664 | A security-disabled universal group was changed. |
|
||||
| 665 | A member was added to a security-disabled universal group. |
|
||||
| 666 | A member was removed from a security-disabled universal group. |
|
||||
| 667 | A security-disabled universal group was deleted. |
|
||||
| 668 | A group type was changed. |
|
||||
| 684 | Set the security descriptor of members of administrative groups. |
|
||||
| 685 | Set the security descriptor of members of administrative groups.<br>**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
|
||||
| Account management events | Description |
|
||||
| :-----------------------: | :---------- |
|
||||
| 4720 | A user account was created. |
|
||||
| 4723 | A user password was changed. |
|
||||
| 4724 | A user password was set. |
|
||||
| 4726 | A user account was deleted. |
|
||||
| 4727 | A global group was created. |
|
||||
| 4728 | A member was added to a global group. |
|
||||
| 4729 | A member was removed from a global group. |
|
||||
| 4730 | A global group was deleted. |
|
||||
| 4731 | A new local group was created. |
|
||||
| 4732 | A member was added to a local group. |
|
||||
| 4733 | A member was removed from a local group. |
|
||||
| 4734 | A local group was deleted. |
|
||||
| 4735 | A local group account was changed. |
|
||||
| 4737 | A global group account was changed. |
|
||||
| 4738 | A user account was changed. |
|
||||
| 4739 | A domain policy was modified. |
|
||||
| 4740 | A user account was auto locked. |
|
||||
| 4741 | A computer account was created. |
|
||||
| 4742 | A computer account was changed. |
|
||||
| 4743 | A computer account was deleted. |
|
||||
| 4744 | A local security group with security disabled was created.<br> **Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks |
|
||||
| 4745 | A local security group with security disabled was changed. |
|
||||
| 4746 | A member was added to a security-disabled local security group. |
|
||||
| 4747 | A member was removed from a security-disabled local security group. |
|
||||
| 4748 | A security-disabled local group was deleted. |
|
||||
| 4749 | A security-disabled global group was created. |
|
||||
| 4750 | A security-disabled global group was changed. |
|
||||
| 4751 | A member was added to a security-disabled global group. |
|
||||
| 4752 | A member was removed from a security-disabled global group. |
|
||||
| 4753 | A security-disabled global group was deleted. |
|
||||
| 4754 | A security-enabled universal group was created. |
|
||||
| 4755 | A security-enabled universal group was changed. |
|
||||
| 4756 | A member was added to a security-enabled universal group. |
|
||||
| 4757 | A member was removed from a security-enabled universal group. |
|
||||
| 4758 | A security-enabled universal group was deleted. |
|
||||
| 4759 | A security-disabled universal group was created. |
|
||||
| 4760 | A security-disabled universal group was changed. |
|
||||
| 4761 | A member was added to a security-disabled universal group. |
|
||||
| 4762 | A member was removed from a security-disabled universal group. |
|
||||
| 4763 | A security-disabled universal group was deleted. |
|
||||
| 4764 | A group type was changed. |
|
||||
| 4780 | Set the security descriptor of members of administrative groups. |
|
||||
| 685 | Set the security descriptor of members of administrative groups.<br> **Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
|
||||
|
||||
## Related topics
|
||||
|
||||
|
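Review bot: The last row of the converted table still carries the legacy ID 685 while every other row was renumbered to the 47xx range, and the row just above it, 4780, already has the same description "Set the security descriptor of members of administrative groups." Anyone building an event filter from this table would end up with a stale ID in the list. Suggest folding the 60-minute background thread note into the 4780 row and removing the 685 row. Minor: the note in the 4744 row lost its closing period after "access checks".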
@ -14,17 +14,20 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 06/11/2021
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Access this computer from the network - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016
|
||||
|
||||
Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting.
|
||||
|
||||
> [!WARNING]
|
||||
> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly.
|
||||
|
||||
## Reference
|
||||
|
||||
The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
|
||||
@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight
|
||||
|
||||
- On desktop devices or member servers, grant this right only to users and administrators.
|
||||
- On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators.
|
||||
- On failover clusters, make sure this right is granted to authenticated users.
|
||||
- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead.
|
||||
|
||||
### Location
|
||||
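Review bot: The failover cluster bullet conflicts with the first bullet as written. Cluster nodes are normally member servers, and "On desktop devices or member servers, grant this right only to users and administrators" would tell an administrator to leave authenticated users out, which is exactly what the cluster bullet warns against. Suggest wording the first bullet with an explicit exception for failover cluster nodes, and writing the group as **Authenticated Users** to match the bullet that follows.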
@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included
|
||||
|
||||
If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network.
|
||||
|
||||
If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly.
|
||||
|
||||
## Related topics
|
||||
[User Rights Assignment](user-rights-assignment.md)
|
||||
|
||||
|
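Review bot: The failover clustering paragraph repeats the text of the WARNING block at the top of the same article almost word for word, with small drift already visible ("do not" / "will not" here versus "don't" / "won't" there, and the policy name is bold there but plain here). Two copies will diverge further over time. Suggest keeping the full explanation of CLIUSR in one place and replacing the other with a one-sentence pointer, or at least bolding **Access this computer from the network** here for consistency.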
@ -41,6 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
|
||||
|--------|-----------|
|
||||
| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. |
|
||||
| 8029 | Block script/MSI file |
|
||||
| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
|
||||
| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
|
||||
|
||||
## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
|
||||
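Review bot: The 8036 row is formatted as "| 8036|" without the space before the column separator that the neighboring rows use. Its description also does not say whether the event is raised in audit mode, enforced mode, or both, whereas the 8028 and 8029 rows lead with "Audit" and "Block". Since the other hunk in this file changes the description of 3086 away from "COM object was blocked", a short mention that COM blocks are reported under 8036 would help readers who filter on the old ID.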
@ -109,7 +110,7 @@ A list of other relevant event IDs and their corresponding description.
|
||||
| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. |
|
||||
| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. |
|
||||
| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. |
|
||||
| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs|
|
||||
| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. |
|
||||
| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. |
|
||||
| 3097 | The Code Integrity policy cannot be refreshed. |
|
||||
| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
|
||||
|
@ -137,6 +137,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
|
||||
|
||||
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
|
||||
|
||||
> [!NOTE]
|
||||
> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
|
||||
|
||||
## More information about hashes
|
||||
|
||||
### Why does scan create four hash rules per XML file?
|
||||
|
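Review bot: Grammar in the note: "the WDAC policies that has been deployed" should read "that have been deployed". The note also sits directly after the path rule macros and before "More information about hashes", where a recommendation about separate ALLOW and DENY policies is unrelated to the surrounding text; it would be easier to find in the section that discusses policy structure or deny rules.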