From bd5fee450507cd0ed920a34a70da7da123be6e29 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Tue, 24 Jan 2017 13:40:13 -0800 Subject: [PATCH 01/11] Updated a link that had gotten stale --- windows/keep-secure/windows-defender-in-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md index 7ad3e53061..58ecb02cde 100644 --- a/windows/keep-secure/windows-defender-in-windows-10.md +++ b/windows/keep-secure/windows-defender-in-windows-10.md @@ -18,7 +18,7 @@ author: jasesso Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. This topic provides an overview of Windows Defender, including a list of system requirements and new features. -For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx). +For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). Take advantage of Windows Defender by configuring settings and definitions using the following tools: - Microsoft Active Directory *Group Policy* for settings From f2cb79ccb3bf7e4efe45de3a22e52b070172e843 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 24 Jan 2017 14:06:49 -0800 Subject: [PATCH 02/11] changed back to local security authority --- ...-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index a47a3fcb64..032e04c1ad 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -29,7 +29,7 @@ The credentials are also cleaned up when the WiFi or VPN connection is disconnec When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations). -WinInet will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. +The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. If the app is not UWP, it does not matter. But if it is a UWP app, it will look at the device capability for Enterprise Authentication. If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. From 8f295e850dcb06a45318839658810800454f949d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 24 Jan 2017 14:19:43 -0800 Subject: [PATCH 03/11] adding MSIT case study video --- windows/keep-secure/credential-guard.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index eaabf72651..27813be3bc 100644 
--- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -917,6 +917,7 @@ write-host $tmp -Foreground Red - [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel) - [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert) - [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode) +- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) - [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382) - [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx) - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx) From 0ccc81b12cfc8ff8ea4d4f21df06c642a5dae4bb Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 24 Jan 2017 15:06:32 -0800 Subject: [PATCH 04/11] c --- windows/deploy/windows-10-poc.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index c4b3f18fce..8eb0b551c8 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -507,13 +507,17 @@ Notes:
### Resize VHD -**Important**: You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. +
+**Enhanced session mode** + +**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. To verify that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
Set-VMhost -EnableEnhancedSessionMode $TRUE
-If enhanced session mode was not previously enabled, you must close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. +>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. +
The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. From b944130ed838b7eb41304f4ad9199e2f0af76b66 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 Jan 2017 15:14:29 -0800 Subject: [PATCH 05/11] minor update on arcsight url --- ...ure-arcsight-windows-defender-advanced-threat-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 89b4b13d30..a682992574 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -79,7 +79,8 @@ The following steps assume that you have completed all the required steps in [Be Type in the name of the client property file. It must match the client property file. Events URL - Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts + Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME +
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME Authentication Type OAuth 2 From 15f5900dc3abf0b4e5cd251b1cccdeba2a2ca950 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 24 Jan 2017 15:20:44 -0800 Subject: [PATCH 06/11] c --- windows/deploy/windows-10-poc.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index 8eb0b551c8..382cb7335c 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -517,6 +517,7 @@ To verify that enhanced session mode is enabled on the Hyper-V host, type the fo
Set-VMhost -EnableEnhancedSessionMode $TRUE
>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. +
The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. From 5977f0e042b4798be09f0ea8bf8cce31b57c6148 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 24 Jan 2017 15:29:26 -0800 Subject: [PATCH 07/11] c --- windows/deploy/windows-10-poc.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index 382cb7335c..5d70b65ecb 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -507,8 +507,8 @@ Notes:
### Resize VHD -
-**Enhanced session mode** +
+**Enhanced session mode** **Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. @@ -518,7 +518,7 @@ To verify that enhanced session mode is enabled on the Hyper-V host, type the fo >If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. -
+
The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. From b7c129f44fba27d70afab2315c7a45e5c916bc2a Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Tue, 24 Jan 2017 16:11:21 -0800 Subject: [PATCH 08/11] Replaced blue-and-orange graphics w updated tables --- ...oose-the-right-bitlocker-countermeasure.md | 105 ++++++++++++++++-- 1 file changed, 95 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md index 0293f672ae..1c6c64a34a 100644 --- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md 
@@ -17,20 +17,105 @@ author: brianlic-msft This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication. -Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default -settings. +Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings. -![how to choose best countermeasures for windows 7](images/bitlockerprebootprotection-counterwin7.jpg) + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Windows 8.1
without TPM

+

Windows 8.1 Certified
(with TPM)

+

Bootkits and
Rootkits

Without TPM, boot integrity checking is not available

Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings

+

Brute Force
Sign-in

Secure by default, and can be improved with account lockout Group Policy

Secure by default, and can be improved with account lockout and device lockout Group Policy settings

+

DMA
Attacks

If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

+

Hyberfil.sys
Attacks

Secure by default; hyberfil.sys secured on encrypted volume

Secure by default; hyberfil.sys secured on encrypted volume

+

Memory
Remanence
Attacks

Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication

Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication

-**Figure 2.** How to choose the best countermeasures for Windows 7 +**Table 1.**  How to choose the best countermeasures for Windows 8.1 -![how to choose countermeasures for windows 8](images/bitlockerprebootprotection-counterwin8.jpg) + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Windows 10
without TPM

+

Windows 10 Certified
(with TPM)

+

Bootkits and
Rootkits

Without TPM, boot integrity checking is not available

Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings

+

Brute Force
Sign-in

Secure by default, and can be improved with account lockout Group Policy

Secure by default, and can be improved with account lockout and device lockout Group Policy settings

+

DMA
Attacks

If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

Secure by default; certified devices do not expose vulnerable DMA busses.
Can be additionally secured by deploying policy to restrict DMA devices:

+ +
+

Hyberfil.sys
Attacks

Secure by default; hyberfil.sys secured on encrypted volume

Secure by default; hyberfil.sys secured on encrypted volume

+

Memory
Remanence
Attacks

Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication

Password protect the firmware and ensure Secure Boot is enabled.
The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.

-**Figure 3.** How to choose the best countermeasures for Windows 8 - -![how to choose countermeasures for windows 8.1](images/bitlockerprebootprotection-counterwin81.jpg) - -**Figure 4.** How to choose the best countermeasures for Windows 8.1 +**Table 2.**  How to choose the best countermeasures for Windows 10 The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. From 301b0528f454dc7001e59e6f1ee4553815766a60 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 24 Jan 2017 16:32:23 -0800 Subject: [PATCH 09/11] add link to showcase --- .../keep-secure/windows-defender-advanced-threat-protection.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index 3dc835c6a2..0a9feddff7 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md 
@@ -93,3 +93,6 @@ Topic | Description [Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP. [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required. [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP. + +## Related topic +[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) From d4527a428f4c66b6047246329bdf89749fb39e76 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 24 Jan 2017 17:00:44 -0800 Subject: [PATCH 10/11] c --- windows/deploy/windows-10-poc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index 5d70b65ecb..fceb199fec 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -153,7 +153,7 @@ The lab architecture is summarized in the following diagram: [Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
[Download VHD and ISO files](#download-vhd-and-iso-files)
-[Convert PC to VHD](#convert-pc-to-vhd)
+[Convert PC to VM](#convert-pc-to-vm)
[Resize VHD](#resize-vhd)
[Configure Hyper-V](#configure-hyper-v)
[Configure VMs](#configure-vms)
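Review bot: in [PATCH 10/11], the TOC entry becomes `[Convert PC to VM](#convert-pc-to-vm)`, but the diff touches only this one line (1 insertion, 1 deletion) and does not rename the heading that produced the old `#convert-pc-to-vhd` anchor, so unless that heading was already changed to "Convert PC to VM" in an earlier commit the new anchor will not resolve; verify the heading text matches before merging.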
From 23e01327d3fadecc38bc772d42e293d13dcb229e Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 24 Jan 2017 17:13:59 -0800 Subject: [PATCH 11/11] c --- windows/deploy/windows-10-poc.md | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index e6f72ef213..fceb199fec 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -512,29 +512,13 @@ Notes:
**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. -<<<<<<< HEAD -To verify that enhanced session mode is enabled on your Hyper-V host, type the following command at an elevated Windows PowerShell prompt: - -
Set-VMhost -EnableEnhancedSessionMode $TRUE
- -If enhanced session mode was previously disabled, you must close and re-open VM connections after enabling it. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. -======= To verify that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt:
Set-VMhost -EnableEnhancedSessionMode $TRUE
-<<<<<<< HEAD -If enhanced session mode was not previously enabled, you must close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. ->>>>>>> vso-7992313a -======= >If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. -<<<<<<< HEAD -
->>>>>>> vso-7992313a -=======
->>>>>>> vso-7992313a The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
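Review bot: in [PATCH 02/11], changing the subject to "The local security authority will look at the device application" leaves the sentence immediately before it still describing WinInet as the component that releases credentials to the SSP, and the sentence after it ("it will look at the device capability for Enterprise Authentication") now reads as LSA, so the paragraph assigns the capability check to two components in adjacent sentences. Since the subject says "changed back", add one clarifying clause saying which component performs the capability check and which releases the credential, so the wording is not flipped again later.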
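Review bot: in [PATCH 04/11], the added line "To verify that enhanced session mode is enabled on the Hyper-V host, type the following command" is followed by `Set-VMhost -EnableEnhancedSessionMode $TRUE`, which enables the setting rather than verifying it and silently changes host configuration. Either reword to "To enable enhanced session mode..." or show a read-only check first, e.g. `Get-VMHost | Select-Object EnableEnhancedSessionMode`, and keep the `Set-VMHost` line as the fix when that returns False. The bold `**Enhanced session mode**` line inserted above the Important note is not a Markdown heading, so it will not appear in the page's TOC; if it is meant as a subsection of "### Resize VHD", use a `####` heading instead.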
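Review bot: in [PATCH 05/11], the new Events URL values end in `/api/alerts/?sinceTimeUtc=$START_AT_TIME`, but nothing in the hunk explains `$START_AT_TIME`, so a reader may paste it literally into the connector configuration. Add a sentence stating what it is (a placeholder the connector fills in at runtime, or a value the administrator must supply and in what format), and say whether the previous `/api/alerts` form without the parameter still works. The hunk also introduces a stray blank `+` line between the EU and US entries, which is why the summary counts 2 insertions for a one-line change.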
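Review bot: in [PATCH 06/11] and [PATCH 07/11], the only changes are a blank line added after the ">If enhanced session mode was not previously enabled..." note and then removed again, and the `**Enhanced session mode**` line plus its surrounding blank lines replaced with visually identical lines (likely a trailing-whitespace or line-ending change). Together with [PATCH 04/11] these net to one small edit to windows-10-poc.md, and all three carry the subject "c"; squash them into the commit that introduced the note and give it a descriptive subject.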
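Review bot: in [PATCH 08/11], the sentence "The orange blocks indicate that the system requires additional configuration from the default settings" is carried over from the figure-based version, but the replacement HTML tables in this hunk carry no cell shading, so readers cannot tell which cells are "orange"; either style those cells explicitly or replace the sentence with a textual marker in the affected cells. Two content points in the tables also need confirming: in Table 1 the "DMA Attacks" row has identical text for "Windows 8.1 without TPM" and "Windows 8.1 Certified (with TPM)", whereas Table 2 distinguishes the two ("certified devices do not expose vulnerable DMA busses"), so check that the 8.1 row is intended; and the Table 2 cell ending "Can be additionally secured by deploying policy to restrict DMA devices:" is followed by empty markup, so the link or list the colon introduces appears to have been lost. The intro still references "Hyberfil.sys attacks" and the tables say "hyberfil.sys"; the hibernation file is hiberfil.sys, so fix the spelling throughout. Finally, the deleted Figures 2, 3 and 4 covered Windows 7, 8 and 8.1 while Tables 1 and 2 cover only 8.1 and 10; if dropping the Windows 7 and 8 guidance is intentional, say so in the sentence that introduces the tables.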
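Review bot: in [PATCH 11/11], the removed lines are unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> vso-7992313a`) together with both conflicting copies of the enhanced session mode paragraph, which means an earlier commit on this branch (blob e6f72ef213) shipped the markers into the source file; the result returns the file to blob fceb199fec, the same state as after [PATCH 10/11]. The resolution itself looks correct (the `>`-prefixed note is the version kept, and the duplicate `Set-VMhost` block and the older "you must close and re-open VM connections" wording are dropped), but add a pre-merge check that rejects files containing `<<<<<<<` or `>>>>>>>` so this does not recur.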