diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md index ce3d50eac0..6c14b5a06f 100644 --- a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md +++ b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md @@ -2,90 +2,96 @@ title: Network access Allow anonymous SID/Name translation (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Allow anonymous SID/Name translation security policy setting. ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Allow anonymous SID/Name translation + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting. + ## Reference + This policy setting enables or disables the ability of an anonymous user to request security identifier (SID) attributes for another user. + If this policy setting is enabled, a user might use the well-known Administrators SID to get the real name of the built-in Administrator account, even if the account has been renamed. That person might then use the account name to initiate a brute-force password-guessing attack. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation as well as the name-to-SID translation + - Disabled + Prevents an anonymous user from requesting the SID attribute for another user. + - Not defined + ### Best practices + - Set this policy to Disabled. This is the default value on member computers; therefore, it will have no impact on them. The default value for domain controllers is Enabled. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Note defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Note defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Disabled| +| Client Computer Effective Default Settings | Disabled|   ### Operating system version differences + The default value of this setting has changed between operating systems as follows: + - The default on domain controllers running Windows Server 2003 R2 or earlier was set to Enabled. - The default on domain controllers running Windows Server 2008 and later is set to Disabled. + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client computers, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password-guessing attack. + ### Countermeasure + Disable the **Network access: Allow anonymous SID/Name translation** setting. + ### Potential impact + Disabled is the default configuration for this policy setting on member devices; therefore, it has no impact on them. The default configuration for domain controllers is Enabled. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 95f97f704f..52eb452b76 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -2,85 +2,86 @@ title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting. ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Do not allow anonymous enumeration of SAM accounts and shares + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. + ## Reference + This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON. + This policy setting has no impact on domain controllers. Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + - Disabled + No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks. + - Not defined + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista). + ### Group Policy + This policy has no impact on domain controllers. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. + ### Countermeasure + Enable the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** setting. + ### Potential impact + It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 2324359e3a..20f6455173 100644 --- a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -2,85 +2,88 @@ title: Network access Do not allow anonymous enumeration of SAM accounts (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting. ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # Network access: Do not allow anonymous enumeration of SAM accounts + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. + ## Reference + This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. + This policy setting has no impact on domain controllers. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - Enabled + - Disabled + No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. + - Not defined + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista). + ### Group Policy + This policy has no impact on domain controllers. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and use the information to perform social engineering attacks or attempt to guess passwords. Social engineering attackers try to deceive users in some way to obtain passwords or some form of security information. + ### Countermeasure + Enable the **Network access: Do not allow anonymous enumeration of SAM accounts** setting. + ### Potential impact + It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 16fa1842da..ec12a8c647 100644 --- a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -2,91 +2,95 @@ title: Network access Do not allow storage of passwords and credentials for network authentication (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Do not allow storage of passwords and credentials for network authentication security policy setting. ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Do not allow storage of passwords and credentials for network authentication + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. + ## Reference + This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. + ### Possible values + - Enabled + Credential Manager does not store passwords and credentials on the device + - Disabled + Credential Manager will store passwords and credentials on this computer for later use for domain authentication. + - Not defined + ### Best practices + It is a recommended practice to disable the ability of the Windows operating system to cache credentials on any device where credentials are not needed. Evaluate your servers and workstations to determine the requirements. Cached credentials are designed primarily to be used on laptops that require domain credentials when disconnected from the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Effective GPO default settings on client computers

Not defined

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings| Not defined| +| Member server effective default settings | Not defined| +| Effective GPO default settings on client computers | Not defined|   ### Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart of the device is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user. -**Note**   -The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies. + +>**Note:**  The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies.   Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by using the overwritten value. + Overwriting the administrator's password does not help the attacker access data that is encrypted by using that password. Also, overwriting the password does not help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password does not help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) will not decrypt. + ### Countermeasure + Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting. + To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. + When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry. + ### Potential impact + Users are forced to type passwords whenever they log on to their Microsoft Account or other network resources that are not accessible to their domain account. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory–based domain account. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 84c96fe8a5..eedd57751a 100644 --- a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -2,83 +2,83 @@ title: Network access Let Everyone permissions apply to anonymous users (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting. ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Let Everyone permissions apply to anonymous users + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. + ## Reference + This policy setting determines what additional permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities. This capability is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. + By default, the token that is created for anonymous connections does not include the Everyone SID. Therefore, permissions that are assigned to the Everyone group do not apply to anonymous users. + ### Possible values + - Enabled + The Everyone SID is added to the token that is created for anonymous connections, and anonymous users can access any resource for which the Everyone group has been assigned permissions. + - Disabled + The Everyone SID is removed from the token that is created for anonymous connections. + - Not defined + ### Best practices + - Set this policy to **Disabled**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Polices\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks. + ### Countermeasure + Disable the **Network access: Let Everyone permissions apply to anonymous users** setting. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md index 3046386e99..ab8eff2298 100644 --- a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -2,129 +2,91 @@ title: Network access Named Pipes that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Named Pipes that can be accessed anonymously security policy setting. ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Named Pipes that can be accessed anonymously + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. + ## Reference + This policy setting determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access. + Restricting access over named pipes such as COMNAP and LOCATOR helps prevent unauthorized access to the network. + ### Possible values + - User-defined list of shared folders - Not defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting, but do not enter named pipes in the text box. This will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Netlogon, samr, lsarpc

Stand-Alone Server Default Settings

Null

DC Effective Default Settings

Netlogon, samr, lsarpc

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Netlogon, samr, lsarpc| +| Stand-Alone Server Default Settings | Null| +| DC Effective Default Settings | Netlogon, samr, lsarpc| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + For this policy setting to take effect, you must also enable the [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + You can restrict access over named pipes such as COMNAP and LOCATOR to help prevent unauthorized access to the network. The following list describes available named pipes and their purpose. These pipes were granted anonymous access in earlier versions of Windows and some legacy applications may still use them. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Named pipePurpose

COMNAP

SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.

COMNODE

SNA Server named pipe.

SQL\QUERY

Default named pipe for SQL Server.

SPOOLSS

Named pipe for the Print Spooler service.

EPMAPPER

End Point Mapper named pipe.

LOCATOR

Remote Procedure Call Locator service named pipe.

TrlWks

Distributed Link Tracking Client named pipe.

TrkSvr

Distributed Link Tracking Server named pipe.

+ +| Named pipe | Purpose | +| - | - | +| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.| +| COMNODE| SNA Server named pipe.| +| SQL\QUERY | Default named pipe for SQL Server.| +| SPOOLSS | Named pipe for the Print Spooler service.| +| EPMAPPER | End Point Mapper named pipe.| +| LOCATOR | Remote Procedure Call Locator service named pipe.| +| TrlWks | Distributed Link Tracking Client named pipe.| +| TrkSvr | Distributed Link Tracking Server named pipe.|   ### Countermeasure + Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but do not specify named pipes in the text box). + ### Potential impact + This configuration disables null-session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes no longer function. This may break trust between Windows Server 2003 domains in a mixed mode environment. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md index c4154f266c..d7a01b9e6e 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -2,69 +2,57 @@ title: Network access Remotely accessible registry paths and subpaths (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network access Remotely accessible registry paths and subpaths security policy setting. ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Remotely accessible registry paths and subpaths + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. + ## Reference + This policy setting determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions. -The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, and they help protect it from access by unauthorized users. + +The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, +and they help protect it from access by unauthorized users. + To allow remote access, you must also enable the Remote Registry service. + ### Possible values + - User-defined list of paths - Not Defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting, but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

See the following registry key combination

DC Effective Default Settings

See the following registry key combination

Member Server Effective Default Settings

See the following registry key combination

Client Computer Effective Default Settings

See the following registry key combination

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | See the following registry key combination| +| DC Effective Default Settings | See the following registry key combination| +| Member Server Effective Default Settings | See the following registry key combination| +| Client Computer Effective Default Settings | See the following registry key combination|   The combination of all the following registry keys apply to the previous settings: + 1. System\\CurrentControlSet\\Control\\Print\\Printers 2. System\\CurrentControlSet\\Services\\Eventlog 3. Software\\Microsoft\\OLAP Server @@ -76,22 +64,33 @@ The combination of all the following registry keys apply to the previous setting 9. System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration 10. Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib 11. System\\CurrentControlSet\\Services\\SysmonLog + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The registry contains sensitive device configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs that are assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack. + ### Countermeasure + Configure the **Network access: Remotely accessible registry paths and sub-paths** setting to a null value (enable the setting but do not enter any paths in the text box). + ### Potential impact + Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. -**Note**   -If you want to allow remote access, you must also enable the Remote Registry service. + +>**Note:**  If you want to allow remote access, you must also enable the Remote Registry service.   ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md index 33f15de3de..86fd1783e9 100644 --- a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md @@ -2,88 +2,86 @@ title: Network access Remotely accessible registry paths (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting. ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Remotely accessible registry paths + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting. + ## Reference + This policy setting determines which registry paths are accessible when an application or process references the WinReg key to determine access permissions. + The registry is a database for device configuration information, much of which is sensitive. A malicious user can use the registry to facilitate unauthorized activities. To reduce the risk of this happening, suitable access control lists (ACLs) are assigned throughout the registry to help protect it from access by unauthorized users. + To allow remote access, you must also enable the Remote Registry service. + ### Possible values + - User-defined list of paths - Not Defined + ### Best practices + - Set this policy to a null value; that is, enable the policy setting but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

See the following registry key combination

DC Effective Default Settings

See the following registry key combination

Member Server Effective Default Settings

See the following registry key combination

Client Computer Effective Default Settings

See the following registry key combination

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | See the following registry key combination| +| DC Effective Default Settings | See the following registry key combination| +| Member Server Effective Default Settings | See the following registry key combination| +| Client Computer Effective Default Settings | See the following registry key combination|   The combination of all the following registry keys apply to the previous settings: + 1. System\\CurrentControlSet\\Control\\ProductOptions 2. System\\CurrentControlSet\\Control\\Server Applications 3. Software\\Microsoft\\Windows NT\\CurrentVersion + ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + An attacker could use information in the registry to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users. + ### Countermeasure + Configure the **Network access: Remotely accessible registry paths** setting to a null value (enable the setting, but do not enter any paths in the text box). + ### Potential impact + Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. -**Note**   -If you want to allow remote access, you must also enable the Remote Registry service. + +>**Note:**  If you want to allow remote access, you must also enable the Remote Registry service.   ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index ab84cb8711..84be70c08b 100644 --- a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -2,81 +2,78 @@ title: Network access Restrict anonymous access to Named Pipes and Shares (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Restrict anonymous access to Named Pipes and Shares security policy setting. ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Restrict anonymous access to Named Pipes and Shares + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. + ## Reference -This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources. + +This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key +**HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources. + Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set this policy to Enabled. Enabling this policy setting restricts null session access to unauthenticated users to all server pipes and shared folders except those listed in the **NullSessionPipes** and **NullSessionShares** registry entries. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings| Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Null sessions are a weakness that can be exploited through shared folders (including the default shared folders) on devices in your environment. + ### Countermeasure + Enable the **Network access: Restrict anonymous access to Named Pipes and Shares** setting. + ### Potential impact + You can enable this policy setting to restrict null-session access for unauthenticated users to all server pipes and shared folders except those that are listed in the NullSessionPipes and NullSessionShares entries. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md index 604898a019..b4505320e4 100644 --- a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md @@ -2,79 +2,74 @@ title: Network access Shares that can be accessed anonymously (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Shares that can be accessed anonymously security policy setting. ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Shares that can be accessed anonymously + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. + ## Reference + This policy setting determines which shared folders can be accessed by anonymous users. + ### Possible values + - User-defined list of shared folders - Not Defined + ### Best practices + - Set this policy to a null value. There should be little impact because this is the default value. All users will have to be authenticated before they can access shared resources on the server. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any shared folders that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data. + ### Countermeasure + Configure the **Network access: Shares that can be accessed anonymously** setting to a null value. + ### Potential impact + There should be little impact because this is the default configuration. Only authenticated users have access to shared resources on the server. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md index c1f32eb9c3..fee079071d 100644 --- a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md @@ -2,88 +2,85 @@ title: Network access Sharing and security model for local accounts (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network access Sharing and security model for local accounts security policy setting. ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network access: Sharing and security model for local accounts + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. + ## Reference + This policy setting determines how network logons that use local accounts are authenticated. If you configure this policy setting to Classic, network logons that use local account credentials authenticate with those credentials. If you configure this policy setting to Guest only, network logons that use local accounts are automatically mapped to the Guest account. The Classic model provides precise control over access to resources, and it enables you to grant different types of access to different users for the same resource. Conversely, the Guest only model treats all users equally, and they all receive the same level of access to a given resource, which can be either Read Only or Modify. -**Note**   -This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. + +>**Note:**  This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used.   When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This means that they will probably be unable to write to shared folders. Although this does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. + ### Possible values + - Classic - Local users authenticate as themselves - Guest only - Local users authenticate as Guest - Not defined + ### Best practices + 1. For network servers, set this policy to **Classic - local users authenticate as themselves**. 2. On end-user systems, set this policy to **Guest only - local users authenticate as Guest**. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Classic (local users authenticate as themselves)

DC Effective Default Settings

Classic (local users authenticate as themselves)

Member Server Effective Default Settings

Classic (local users authenticate as themselves)

Client Computer Effective Default Settings

Classic (local users authenticate as themselves)

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)| +| DC Effective Default Settings | Classic (local users authenticate as themselves)| +| Member Server Effective Default Settings | Classic (local users authenticate as themselves)| +| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they do not have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. + ### Countermeasure + For network servers, configure the **Network access: Sharing and security model for local accounts setting** to **Classic – local users authenticate as themselves**. On end-user computers, configure this policy setting to **Guest only – local users authenticate as guest**. + ### Potential impact + None. This is the default configuration. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-list-manager-policies.md b/windows/keep-secure/network-list-manager-policies.md index 931739dc93..11de5e4da7 100644 --- a/windows/keep-secure/network-list-manager-policies.md +++ b/windows/keep-secure/network-list-manager-policies.md @@ -2,50 +2,75 @@ title: Network List Manager policies (Windows 10) description: Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network List Manager policies + **Applies to** - Windows 10 + Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. + To configure Network List Manager Policies for one device, you can use the Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in, and edit the local computer policy. The Network List Manager Policies are located at the following path in Group Policy Object Editor: **Computer Configuration | Windows Settings | Security Settings | Network List Manager Policies** + To configure Network List Manager Policies for many computers, such as for all of the Domain Computers in an Active Directory domain, follow Group Policy documentation to learn how to edit the policies for the object that you require. The path to the Network List Manager Policies is the same as the path listed above. + ### Policy settings for Network List Manager Policies + The following policy settings are provided for Network List Manager Policies. These policy settings are located in the details pane of the Group Policy Object Editor, in **Network Name**. + ### Unidentified Networks -This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + +This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the +network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + - **Location type**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not apply a location type to unidentified network connections. - **Private**. If you select this option, this policy setting applies a location type of Private to unidentified network connections. A private network, such as a home or work network, is a location type that assumes that you trust the other computers on the network. Do not select this item if there is a possibility that an active, unidentified network is in a public place. + - **Public**. If you select this option, this policy setting applies a location type of Public to unidentified network connections. A public network, such as a wireless network at an airport or coffee shop, is a location type that assumes that you do not trust the other computers on the network. + - **User permissions**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the location for unidentified network connections. - **User can change location**. If you select this option, this policy setting allows users to change an unidentified network connection location from Private to Public or from Public to Private. - **User cannot change location**. If you select this option, this policy setting does not allow users to change the location of an unidentified network connection. + ### Identifying Networks + This policy setting allows you to configure the **Network Location** for networks that are in a temporary state while Windows works to identify the network and location type. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + - **Location type**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not apply a location type to network connections that are in the process of being identified by Windows. - **Private**. If you select this option, this policy setting applies a location type of Private to network connections that are in the process of being identified. A private network, such as a home or work network, is a location type that assumes that you trust the other devices on the network. Do not select this item if there is a possibility that an active, unidentified network is in a public place. - **Public**. If you select this option, this policy setting applies a location type of Public to network connections that are in the process of being identified by Windows. A public network, such as a wireless network at an airport or coffee shop, is a location type that assumes that you do not trust the other devices on the network. + ### All Networks + This policy setting allows you to specify the **User Permissions** that control whether users can change the network name, location, or icon, for all networks to which the user connects. You can configure the following items for this policy setting: + - **Network name**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the network name for all network connections. - **User can change name**. If you select this option, users can change the network name for all networks to which they connect. - **User cannot change name**. If you select this option, users cannot change the network name for any networks to which they connect. + - **Network location**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the location for all network connections. - **User can change location**. If you select this option, this policy setting allows users to change all network locations from Private to Public or from Public to Private. - **User cannot change location**. If you select this option, this policy setting does not allow users to change the location for any networks to which they connect. + - **Network icon**. For this item, the following options are available: + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the network icon for all network connections. - **User can change icon**. If you select this option, this policy setting allows users to change the network icon for all networks to which the user connects. - **User cannot change icon**. If you select this option, this policy setting does not allow users to change the network icon for any networks to which the user connects. -  -  diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 532768f78b..929606cb16 100644 --- a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -2,115 +2,87 @@ title: Network security Allow Local System to use computer identity for NTLM (Windows 10) description: Describes the location, values, policy management, and security considerations for the Network security Allow Local System to use computer identity for NTLM security policy setting. ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow Local System to use computer identity for NTLM + **Applies to** - Windows 10 + Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. + ## Reference + When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.) + ### Possible values - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
SettingWindows Server 2008 and Windows VistaAt least Windows Server 2008 R2 and Windows 7

Enabled

Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

Services running as Local System that use Negotiate will use the computer identity. This is the default behavior.

Disabled

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

Neither

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

+ +| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 | +| - | - | +| Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | +| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.| +|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.|   ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not applicable

Member server effective default settings

Not applicable

Effective GPO default settings on client computers

Not defined

+ +| Server type or Group Policy object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not applicable| +| Member server effective default settings | Not applicable| +| Effective GPO default settings on client computers | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflict considerations + The policy [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md), if enabled, will allow NTLM or Kerberos authentication to be used when a system service attempts authentication. This will increase the success of interoperability at the expense of security. + The anonymous authentication behavior is different for Windows Server 2008 and Windows Vista than later versions of Windows. Configuring and applying this policy setting on those systems might not produce the same results. + ### Group Policy + This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When a service connects to computers running versions of Windows earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will use NULL session. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + When a service connects with the computer identity, signing and encryption are supported to provide data protection. When a service connects with a NULL session, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. + ### Countermeasure + You can configure the **Network security: Allow Local System to use computer identity for NTLM** security policy setting to allow Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + ### Potential impact + If you do not configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that use the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. Beginning with Windows Server 2008 R2 and Windows 7, the system allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md index 393c0a9382..34b487bba3 100644 --- a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md @@ -2,78 +2,75 @@ title: Network security Allow LocalSystem NULL session fallback (Windows 10) description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting. ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow LocalSystem NULL session fallback + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting. + ## Reference -This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. + +This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local +System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. + ### Possible values + - **Enabled** + When a service running as Local System connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. This increases application compatibility, but it degrades the level of security. + - **Disabled** - When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a NULL session will still have full use of session security. + + When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a + NULL session will still have full use of session security. + - Not defined. When this policy is not defined, the default takes effect. This is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it is Disabled otherwise. + ### Best practices + When services connect with the device identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection is not provided. However, you will need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate. + This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it is disabled in Windows 7 and Windows Server 2008 R2 and later. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not applicable

Member server effective default settings

Not applicable

Effective GPO default settings on client computers

Not applicable

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not applicable| +| Member server effective default settings | Not applicable | +| Effective GPO default settings on client computers | Not applicable|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If this setting is Enabled, when a service connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. Data that is intended to be protected might be exposed. + ### Countermeasure + You can configure the computer to use the computer identity for Local System with the policy **Network security: Allow Local System to use computer identity for NTLM**. If that is not possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. + ### Potential impact + If you enable this policy, services that use NULL session with Local System could fail to authenticate because they will be prohibited from using signing and encryption. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index a5ffb6243d..a381d1388c 100644 --- a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -2,83 +2,79 @@ title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) description: Describes the best practices, location, and values for the Network Security Allow PKU2U authentication requests to this computer to use online identities security policy setting. ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Allow PKU2U authentication requests to this computer to use online identities + **Applies to** - Windows 10 + Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. + ## Reference + Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. + When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. -**Note**   -The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. + +>**Note:**  The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.   This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later. + ### Possible values + - **Enabled** + This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. + - **Disabled** + This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. + - Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices + ### Best practices + Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled

+ +| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies. + ### Countermeasure + Set this policy to Disabled or do not configure this security policy for domain-joined devices. + ### Potential impact + If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This will allow users to share resources between devices + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md index 6fa8240e2e..7ca22f98c0 100644 --- a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -2,128 +2,89 @@ title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10) description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting. ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Configure encryption types allowed for Kerberos Win7 only + **Applies to** - Windows 10 + Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. + ## Reference + This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it is not selected, the encryption type will not be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted. + For more information, see [article 977321](http://support.microsoft.com/kb/977321) in the Microsoft Knowledge Base. + The following table lists and explains the allowed encryption types. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Encryption typeDescription and version support

DES_CBC_CRC

Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function

-

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

DES_CBC_MD5

Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function

-

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

RC4_HMAC_MD5

Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function

-

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

AES128_HMAC_SHA1

Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).

-

Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

AES256_HMAC_SHA1

Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).

-

Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Future encryption types

Reserved by Microsoft for additional encryption types that might be implemented.

+ +| Encryption type | Description and version support | +| - | - | +| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES| by default. +| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. | +| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.| +| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|   ### Possible values + + The encryption type options include: + - DES\_CBC\_CRC - DES\_CBC\_MD5 - RC4\_HMAC\_MD5 - AES128\_HMAC\_SHA1 - AES256\_HMAC\_SHA1 - Future encryption types + As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented. + ### Best practices + You must analyze your environment to determine which encryption types will be supported and then select those that meet that evaluation. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

None of these encryption types that are available in this policy are allowed.

Member server effective default settings

None of these encryption types that are available in this policy are allowed.

Effective GPO default settings on client computers

None of these encryption types that are available in this policy are allowed.

+| Server type or Group Policy Object (GPO) | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.| +| Member server effective default settings | None of these encryption types that are available in this policy are allowed.| +| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.|   ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. + +Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running +Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. + ### Countermeasure + Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites. + ### Potential impact + If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. + If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 97a0897fcf..95b335005c 100644 --- a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -2,82 +2,78 @@ title: Network security Do not store LAN Manager hash value on next password change (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Do not store LAN Manager hash value on next password change security policy setting. ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Do not store LAN Manager hash value on next password change + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. + ## Reference + This policy setting determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed. Hash values are a representation of the password after the encryption algorithm is applied that corresponds to the format that is specified by the algorithm. To decrypt the hash value, the encryption algorithm must be determined and then reversed. The LAN Manager hash is relatively weak and prone to attack compared to the cryptographically stronger NTLM hash. Because the LM hash is stored on the local device in the security database, the passwords can be compromised if the security database, Security Accounts Manager (SAM), is attacked. + By attacking the SAM file, attackers can potentially gain access to user names and password hashes. Attackers can use a password-cracking tool to determine what the password is. After they have access to this information, they can use it to gain access to resources on your network by impersonating users. Enabling this policy setting will not prevent these types of attacks, but it will make them much more difficult. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + 1. Set **Network security: Do not store LAN Manager hash value on next password change** to **Enabled**. 2. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings|Enabled| +| Client Computer Effective Default Settings | Enabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + The SAM file can be targeted by attackers who seek access to user names and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks are not prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it is much more difficult for these attacks to succeed. + ### Countermeasure + Enable the **Network security: Do not store LAN Manager hash value on next password change** setting. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + ### Potential impact + Some non-Microsoft applications might not be able to connect to the system. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md index 410ead1171..f6dd03a829 100644 --- a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md @@ -2,83 +2,83 @@ title: Network security Force logoff when logon hours expire (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Force logoff when logon hours expire security policy setting. ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Force logoff when logon hours expire + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. + ## Reference + This security setting determines whether to disconnect users who are connected to the local device outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. + This policy setting does not apply to administrator accounts, but it behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy Object (GPO), even if there is a different account policy that is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member devices) also receive the same account policy for their local accounts. However, local account policies for member devices can be different from the domain account policy by defining an account policy for the organizational unit that contains the member devices. Kerberos settings are not applied to member devices. + ### Possible values + - Enabled + When enabled, this policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. + - Disabled + When disabled, this policy allows for the continuation of an established client session after the client's logon hours have expired. + - Not defined + ### Best practices + - Set **Network security: Force logoff when logon hours expire** to Enabled. SMB sessions will be terminated on member servers when a user's logon time expires, and the user will be unable to log on to the system until their next scheduled access time begins. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Disabled

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Disabled| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + If you disable this policy setting, users can remain connected to the computer outside of their allotted logon hours. + ### Countermeasure + Enable the **Network security: Force logoff when logon hours expire** setting. This policy setting does not apply to administrator accounts. + ### Potential impact + When a user's logon time expires, SMB sessions terminate. The user cannot log on to the device until the next scheduled access time commences. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/keep-secure/network-security-lan-manager-authentication-level.md index 1b3103d943..5d8a5343aa 100644 --- a/windows/keep-secure/network-security-lan-manager-authentication-level.md +++ b/windows/keep-secure/network-security-lan-manager-authentication-level.md @@ -2,25 +2,34 @@ title: Network security LAN Manager authentication level (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security LAN Manager authentication level security policy setting. ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: LAN Manager authentication level + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting. + ## Reference + This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2). + LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations: + - Join a domain - Authenticate between Active Directory forests - Authenticate to domains based on earlier versions of the Windows operating system - Authenticate to computers that do not run Windows operating systems, beginning with Windows 2000 - Authenticate to computers that are not in the domain + ### Possible values + - Send LM & NTLM responses - Send LM & NTLM - use NTLMv2 session security if negotiated - Send NTLM responses only @@ -28,114 +37,68 @@ LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is - Send NTLMv2 responses only. Refuse LM - Send NTLMv2 responses only. Refuse LM & NTLM - Not Defined -The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingDescriptionRegistry security level

Send LM & NTLM responses

Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

0

Send LM & NTLM – use NTLMv2 session security if negotiated

Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1

Send NTLM response only

Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2

Send NTLMv2 response only

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

3

Send NTLMv2 response only. Refuse LM

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.

4

Send NTLMv2 response only. Refuse LM & NTLM

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.

5

+ +The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the +authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting. + +| Setting | Description | Registry security level | +| - | - | - | +| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0| +| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1| +| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2| +| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3| +| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.| 4| +| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.| 5|   ### Best practices + - Best practices are dependent on your specific security and authentication requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Send NTLMv2 response only

DC Effective Default Settings

Send NTLMv2 response only

Member Server Effective Default Settings

Send NTLMv2 response only

Client Computer Effective Default Settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Send NTLMv2 response only| +| DC Effective Default Settings | Send NTLMv2 response only| +| Member Server Effective Default Settings | Send NTLMv2 response only| +| Client Computer Effective Default Settings | Not defined|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client devices, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + In Windows 7 and Windows Vista, this setting is undefined. In Windows Server 2008 R2 and later, this setting is configured to **Send NTLMv2 responses only**. + ### Countermeasure + Configure the **Network security: LAN Manager Authentication Level** setting to **Send NTLMv2 responses only**. Microsoft and a number of independent organizations strongly recommend this level of authentication when all client computers support NTLMv2. + ### Potential impact + Client devices that do not support NTLMv2 authentication cannot authenticate in the domain and access domain resources by using LM and NTLM. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/keep-secure/network-security-ldap-client-signing-requirements.md index 533858f613..5207e6e65f 100644 --- a/windows/keep-secure/network-security-ldap-client-signing-requirements.md +++ b/windows/keep-secure/network-security-ldap-client-signing-requirements.md @@ -2,87 +2,86 @@ title: Network security LDAP client signing requirements (Windows 10) description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: LDAP client signing requirements + **Applies to** - Windows 10 + This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. + ## Reference + This policy setting determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests. The levels of data signing are described in the following list: + - **None**. The LDAP BIND request is issued with the caller-specified options. - **Negotiate signing**. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. - **Require signing**. This level is the same as **Negotiate signing**. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed. + Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + ### Possible values + - None - Negotiate signing - Require signature - Not Defined + ### Best practices + - Set **Domain controller: LDAP server signing requirements** to **Require signature**. If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Negotiate signing

DC Effective Default Settings

Negotiate signing

Member Server Effective Default Settings

Negotiate signing

Client Computer Effective Default Settings

Negotiate signing

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Negotiate signing| +| DC Effective Default Settings | Negotiate signing| +| Member Server Effective Default Settings | Negotiate signing| +| Client Computer Effective Default Settings | Negotiate signing|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with client devices, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client computer and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers. + ### Countermeasure + Configure the **Network security: LDAP server signing requirements** setting to **Require signature**. + ### Potential impact + If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index 1fcbb6bbc4..ba6527767f 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md @@ -2,83 +2,83 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting. ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. + ## Reference + This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the **Network security: LAN Manager Authentication Level policy** setting value. + ### Possible values + - Require NTLMv2 session security + The connection fails if strong encryption (128-bit) is not negotiated. + - Require 128-bit encryption + The connection fails if the NTLMv2 protocol is not negotiated. + ### Best practices + Practices in setting this policy are dependent on your security requirements. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Require 128-bit encryption

DC Effective Default Settings

Require 128-bit encryption

Member Server Effective Default Settings

Require 128-bit encryption

Client Computer Effective Default Settings

Require 128-bit encryption

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Require 128-bit encryption| +| DC Effective Default Settings | Require 128-bit encryption| +| Member Server Effective Default Settings | Require 128-bit encryption| +| Client Computer Effective Default Settings | Require 128-bit encryption|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy conflicts + The settings for this security policy are dependent on the **Network security: LAN Manager Authentication Level policy** setting value. For info about this policy, see [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md). + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Network traffic that uses the NTLM Security Support Provider (NTLM SSP) could be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. + ### Countermeasure + Enable all options that are available for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients policy** setting. + ### Potential impact + Client devices that enforce these settings cannot communicate with older servers that do not support them. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 581c58aa2d..6bd65a6591 100644 --- a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -2,83 +2,81 @@ title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting. ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. + ## Reference + This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) policy setting value. + Setting all of these values for this policy setting will help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by a malicious user who has gained access to the same network. That is, these settings help protect against man-in-the-middle attacks. + ### Possible values + - Require 128-bit encryption. The connection fails if strong encryption (128-bit) is not negotiated. - Require NTLMv2 session security. The connection fails if the NTLMv2 protocol is not negotiated. - Not Defined. + ### Best practices + - Enable all values that are available for this security policy. Legacy client devices that do not support these policy settings will be unable to communicate with the server. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Require 128-bit encryption

DC Effective Default Settings

Require 128-bit encryption

Member Server Effective Default Settings

Require 128-bit encryption

Client Computer Effective Default Settings

Require 128-bit encryption

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Require 128-bit encryption| +| DC Effective Default Settings | Require 128-bit encryption| +| Member Server Effective Default Settings | Require 128-bit encryption| +| Client Computer Effective Default Settings | Require 128-bit encryption|   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Policy dependencies + The settings for this security policy are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) setting value. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Network traffic that uses the NTLM Security Support Provider (NTLM SSP) could be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. + ### Countermeasure + Enable all options that are available for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** policy setting. + ### Potential impact + Older client devices that do not support these security settings cannot communicate with the computer on which this policy is set. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index 64151c9c05..ca5c6d20da 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -2,91 +2,101 @@ title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add remote server exceptions for NTLM authentication security policy setting. ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. + ## Reference + The **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** policy setting allows you to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) policy setting is configured. + If you configure this policy setting, you can define a list of remote servers to which client devices are allowed to use NTLM authentication. + If you do not configure this policy setting, no exceptions will be applied, and if [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, NTLM authentication attempts from the client devices will fail. + List the NetBIOS server names that are used by the applications as the naming format, one per line. To ensure exceptions, the names that are used by all applications need to be in the list. A single asterisk (\*) can be used anywhere in the string as a wildcard character. + ### Possible values + - User-defined list of remote servers + When you enter a list of remote servers to which clients are allowed to use NTLM authentication, the policy is defined and enabled. + - Not defined + If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + ### Best practices + 1. First enforce the [Network Security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) or [Network Security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) policy setting and then review the operational event log to understand which servers are involved in these authentication attempts so you can decide which servers to exempt. + 2. After you have set the server exception list, enforce the [Network Security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) or [Network Security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) policy setting and then review the operational event log again before setting the policies to block NTLM traffic. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings| Not defined|   ## Policy management + This section describes the features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy through Group Policy takes precedence over the setting on the local device. If the Group Policy setting is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if your server exception list is functioning as intended. Audit and block events are recorded on this device in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. + +When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: +Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. + If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. + ### Countermeasure -When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. + +When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote +servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. + ### Potential impact + Defining a list of servers for this policy setting will enable NTLM authentication traffic from the client application that uses those servers, and this might result in a security vulnerability. + If this list is not defined and [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, then client applications that use NTLM will fail to authenticate to those servers that they have previously used. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index a9dd8ee023..8a29a1cbad 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -2,91 +2,101 @@ title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting. ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Add server exceptions in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. + ## Reference + The **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting allows you to create an exception list of servers in this domain to which client device are allowed to use NTLM pass-through authentication if any of the deny options are set in the [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) policy setting. + If you configure this policy setting, you can define a list of servers in this domain to which client devices are allowed to use NTLM authentication. + If you do not configure this policy setting, no exceptions will be applied, and if **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, all NTLM authentication attempts in the domain will fail. + List the NetBIOS server names as the naming format, one per line. A single asterisk (\*) can be used anywhere in the string as a wildcard character. + ### Possible values + - User-defined list of servers + When you enter a list of servers in this domain to which clients are allowed to use NTLM authentication, the policy is defined and enabled. + - Not defined + If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + ### Best practices + 1. First enforce the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the operational event log to understand what domain controllers are involved in these authentication attempts so you can decide which servers to exempt. 2. After you have set the server exception list, enforce the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the operational event log again before setting the policies to block NTLM traffic. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined | +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy via Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if your server exception list is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. -If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. + +When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: +[Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. + +If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security +weaknesses in NTLM. + ### Countermeasure -When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. + +When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a +case-by-case basis if NTLM authentication still minimally meets your security requirements. + ### Potential impact + Defining a list of servers for this policy setting will enable NTLM authentication traffic between those servers might result in a security vulnerability. + If this list is not defined and **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, then NTLM authentication will fail on those pass-through servers in the domain that they have previously used + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 1f01809e6d..30716f504d 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -2,93 +2,104 @@ title: Network security Restrict NTLM Audit incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit incoming NTLM traffic security policy setting. ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Audit incoming NTLM traffic + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Audit incoming NTLM traffic** policy setting allows you to audit incoming NTLM traffic. + When this audit policy is enabled within Group Policy, it is enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + When you enable this policy on a server, only authentication traffic to that server will be logged. -When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. + +When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the +authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. + ### Possible values + - Disable + The server on which this policy is set will not log events for incoming NTLM traffic. + - Enable auditing for domain accounts + The server on which this policy is set will log events for NTLM pass-through authentication requests only for accounts in the domain that would be blocked when the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy setting is set to **Deny all domain accounts**. + - Enable auditing for all accounts + The server on which this policy is set will log events for all NTLM authentication requests that would be blocked when the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy setting is set to **Deny all accounts**. + - Not defined + This is the same as **Disable**, and it results in no auditing of NTLM traffic. + ### Best practices + Depending on your environment and the duration of your testing, monitor the log size regularly. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Enabling this policy setting will reveal through logging which servers and client computers within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. + ### Countermeasure + Restrict access to the log files when this policy setting is enabled in your production environment. + ### Potential impact + If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 6f7df9f011..4bda1da37a 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -2,92 +2,101 @@ title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting. ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Audit NTLM authentication in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting allows you to audit on the domain controller NTLM authentication in that domain. + When you enable this policy setting on the domain controller, only authentication traffic to that domain controller will be logged. + When you enable this audit policy, it functions in the same way as the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you are ready to block that traffic, you can enable the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting and select **Deny for domain accounts to domain servers**, **Deny for domain servers**, or **Deny for domain accounts**. + ### Possible values + - **Disable** + The domain controller on which this policy is set will not log events for incoming NTLM traffic. + - **Enable for domain accounts to domain servers** + The domain controller on which this policy is set will log events for NTLM authentication logon attempts for accounts in the domain to domain servers when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts to domain servers**. + - **Enable for domain accounts** + The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. + - Not defined + This is the same as **Disable** and results in no auditing of NTLM traffic. + ### Best practices + Depending on your environment and the duration of your testing, monitor the operational event log size regularly. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + +NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the +Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Enabling this policy setting will reveal through logging which devices within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. ### Countermeasure + Restrict access to the log files when this policy setting is enabled in your production environment. + ### Potential impact + If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 500af92295..270051f5d3 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -2,90 +2,99 @@ title: Network security Restrict NTLM Incoming NTLM traffic (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Incoming NTLM traffic security policy setting. ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Incoming NTLM traffic + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Incoming NTLM traffic** policy setting allows you to deny or allow incoming NTLM traffic from client computers, other member servers, or a domain controller. + ### Possible values + - **Allow all** + The server will allow all NTLM authentication requests. + - **Deny all domain accounts** + The server will deny NTLM authentication requests for domain logon, return an NTLM blocked error message to the client device, and log the error, but the server will allow local account logon. + + - **Deny all accounts** + The server will deny NTLM authentication requests from all incoming traffic (whether domain account logon or local account logon), return an NTLM blocked error message to the client device, and log the error. + - Not defined + This is the same as **Allow all**, and the server will allow all NTLM authentication requests. + ### Best practices + If you select **Deny all domain accounts** or **Deny all accounts**, incoming NTLM traffic to the member server will be restricted. It is better to set the **Network Security: Restrict NTLM: Audit Incoming NTLM traffic** policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and subsequently what client applications are using NTLM. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined | +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no Security Audit Event policies that can be configured to view event output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Malicious attacks on NTLM authentication traffic that result in a compromised server can occur only if the server handles NTLM requests. If those requests are denied, brute force attacks on NTLM are eliminated. + ### Countermeasure + When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, you can select one of several options that this security policy setting offers to restrict NTLM usage. + ### Potential impact -If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + +If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that +you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 27500c1d95..8389b3ad72 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -2,95 +2,108 @@ title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting. ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: NTLM authentication in this domain + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting does not affect interactive logon to this domain controller. + ### Possible values + - **Disable** + The domain controller will allow all NTLM pass-through authentication requests within the domain. + - **Deny for domain accounts to domain servers** + The domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain. The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + NTLM can be used if the users are connecting to other domains. This depends on if any Restrict NTLM policies have been set on those domains. + - **Deny for domain accounts** + Only the domain controller will deny all NTLM authentication logon attempts from domain accounts and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + - **Deny for domain servers** + The domain controller will deny NTLM authentication requests to all servers in the domain and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. Servers that are not joined to the domain will not be affected if this policy setting is configured. + - **Deny all** + The domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + - Not defined + The domain controller will allow all NTLM authentication requests in the domain where the policy is deployed. + ### Best practices + If you select any of the deny options, incoming NTLM traffic to the domain will be restricted. First, set the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the Operational log to understand what authentication attempts are made to the member servers. You can then add those member server names to a server exception list by using the [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) policy setting. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not configured

Default domain controller policy

Not configured

Stand-alone server default settings

Not configured

Domain controller effective default settings

Not configured

Member server effective default settings

Not configured

Client computer effective default settings

Not configured

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not configured| +| Default domain controller policy | Not configured| +| Stand-alone server default settings | Not configured| +| Domain controller effective default settings | Not configured| +| Member server effective default settings | Not configured | +| Client computer effective default settings | Not configured|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit event policies that can be configured to view output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. + ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain. + +When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage +within the domain. + ### Potential impact + If you configure this policy setting, numerous NTLM authentication requests could fail within the domain, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit NTLM authentication in this domain** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index b73aff9db6..439657d395 100644 --- a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -2,93 +2,100 @@ title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10) description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting. ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + **Applies to** - Windows 10 + Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. + ## Reference + The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. -**Warning**   -Modifying this policy setting may affect compatibility with client computers, services, and applications. + +>**Warning:**  Modifying this policy setting may affect compatibility with client computers, services, and applications.   ### Possible values + - **Allow all** + The device can authenticate identities to a remote server by using NTLM authentication because no restrictions exist. + - **Audit all** + The device that sends the NTLM authentication request to a remote server logs an event for each request. This allows you to identify those servers that receive NTLM authentication requests from the client device + - **Deny all** + The device cannot authenticate any identities to a remote server by using NTLM authentication. You can use the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request. + - Not defined + This is the same as **Allow all**, and the device will allow all NTLM authentication requests when the policy is deployed. + ### Best practices + If you select **Deny all**, the client device cannot authenticate identities to a remote server by using NTLM authentication. First, select **Audit all** and then review the operational event log to understand which servers are involved in these authentication attempts. You can then add those server names to a server exception list by using the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +| Server type or GPO | Default value | +| - | - | +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined|   ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + ### Group Policy + Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + ### Auditing + View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + There are no security audit event policies that can be configured to view event output from this policy. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + ### Vulnerability + Malicious attacks on NTLM authentication traffic that result in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. + ### Countermeasure + When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, then you can select from several options to restrict NTLM usage to servers. + ### Potential impact -If you configure this policy setting to deny all requests, numerous NTLM authentication requests to remote servers could fail, which could degrade productivity. Before implementing this restriction through this policy setting, select **Audit all** so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md). + +If you configure this policy setting to deny all requests, numerous NTLM authentication requests to remote servers could fail, which could degrade productivity. Before implementing this restriction through this policy setting, select **Audit all** so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) +. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md)