New TOC for docs.microsoft.com

This commit is contained in:
Brian Lich
2017-04-19 14:12:47 -07:00
committed by GitHub
parent 242b9fddde
commit 33c3fb2e74
3881 changed files with 3287 additions and 3685 deletions

View File

@ -1,4 +0,0 @@
// Place your settings in this file to overwrite default and user settings.
{
"update.channel": "none",
}
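Review bot: the deletion of this workspace settings file is unrelated to the TOC move the commit message describes and would be easier to audit as its own commit. The setting being dropped, `"update.channel": "none"`, was suppressing VS Code's update channel for anyone opening the repository, so removing it restores default update behaviour for contributors, which is the right outcome; if the file is meant to be recreated elsewhere, note that the trailing comma after `"update.channel": "none",` is tolerated only by VS Code's JSON-with-comments parser and will fail a strict JSON validator.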

View File

@ -1,976 +0,0 @@
# [Keep Windows 10 secure](index.md)
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
## [Windows Hello for Business](hello-identity-verification.md)
### [How Windows Hello for Business works](hello-how-it-works.md)
### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
### [Windows Hello and password changes](hello-and-password-changes.md)
### [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
### [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
### [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
## [Device Guard deployment guide](device-guard-deployment-guide.md)
### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
#### [Deploy Managed Installer for Device Guard](deploy-managed-installer-for-device-guard.md)
### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
## [Protect derived domain credentials with Credential Guard](credential-guard.md)
### [How Credential Guard works](credential-guard-how-it-works.md)
### [Credential Guard Requirements](credential-guard-requirements.md)
### [Manage Credential Guard](credential-guard-manage.md)
### [Credential Guard protection limits](credential-guard-protection-limits.md)
### [Considerations when using Credential Guard](credential-guard-considerations.md)
### [Credential Guard: Additional mitigations](additional-mitigations.md)
## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
### [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md)
#### [Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md)
## [Windows Defender SmartScreen](windows-defender-smartscreen-overview.md)
### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)
### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen-set-individual-device.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
## [VPN technical guide](vpn-guide.md)
### [VPN connection types](vpn-connection-type.md)
### [VPN routing decisions](vpn-routing.md)
### [VPN authentication options](vpn-authentication.md)
### [VPN and conditional access](vpn-conditional-access.md)
### [VPN name resolution](vpn-name-resolution.md)
### [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
### [VPN security features](vpn-security-features.md)
### [VPN profile options](vpn-profile-options.md)
## [Windows security baselines](windows-security-baselines.md)
## [Security technologies](security-technologies.md)
### [Access Control Overview](access-control.md)
#### [Dynamic Access Control Overview](dynamic-access-control.md)
#### [Security identifiers](security-identifiers.md)
#### [Security Principals](security-principals.md)
#### [Local Accounts](local-accounts.md)
#### [Active Directory Accounts](active-directory-accounts.md)
#### [Microsoft Accounts](microsoft-accounts.md)
#### [Service Accounts](service-accounts.md)
#### [Active Directory Security Groups](active-directory-security-groups.md)
#### [Special Identities](special-identities.md)
### [AppLocker](applocker-overview.md)
#### [Administer AppLocker](administer-applocker.md)
##### [Maintain AppLocker policies](maintain-applocker-policies.md)
##### [Edit an AppLocker policy](edit-an-applocker-policy.md)
##### [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
##### [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
##### [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)
##### [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
##### [Optimize AppLocker performance](optimize-applocker-performance.md)
##### [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
##### [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
##### [Working with AppLocker rules](working-with-applocker-rules.md)
###### [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
###### [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
###### [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
###### [Create AppLocker default rules](create-applocker-default-rules.md)
###### [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
###### [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)
###### [Delete an AppLocker rule](delete-an-applocker-rule.md)
###### [Edit AppLocker rules](edit-applocker-rules.md)
###### [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
###### [Enforce AppLocker rules](enforce-applocker-rules.md)
###### [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
##### [Working with AppLocker policies](working-with-applocker-policies.md)
###### [Configure the Application Identity service](configure-the-application-identity-service.md)
###### [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
###### [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
###### [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)
###### [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)
###### [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
###### [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
###### [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
###### [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)
###### [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)
###### [Merge AppLocker policies manually](merge-applocker-policies-manually.md)
###### [Refresh an AppLocker policy](refresh-an-applocker-policy.md)
###### [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)
#### [AppLocker design guide](applocker-policies-design-guide.md)
##### [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
##### [Determine your application control objectives](determine-your-application-control-objectives.md)
##### [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
###### [Document your app list](document-your-application-list.md)
##### [Select the types of rules to create](select-types-of-rules-to-create.md)
###### [Document your AppLocker rules](document-your-applocker-rules.md)
##### [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
###### [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
###### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
###### [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)
##### [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
###### [Document your application control management processes](document-your-application-control-management-processes.md)
##### [Create your AppLocker planning document](create-your-applocker-planning-document.md)
#### [AppLocker deployment guide](applocker-policies-deployment-guide.md)
##### [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
##### [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)
##### [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)
##### [Create Your AppLocker policies](create-your-applocker-policies.md)
###### [Create Your AppLocker rules](create-your-applocker-rules.md)
##### [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
###### [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
####### [Determine which apps are digitally signed on a reference device](determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
####### [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
#### [AppLocker technical reference](applocker-technical-reference.md)
##### [What Is AppLocker?](what-is-applocker.md)
##### [Requirements to use AppLocker](requirements-to-use-applocker.md)
##### [AppLocker policy use scenarios](applocker-policy-use-scenarios.md)
##### [How AppLocker works](how-applocker-works-techref.md)
###### [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
###### [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
###### [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
###### [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
###### [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
####### [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
####### [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
####### [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
###### [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
####### [Executable rules in AppLocker](executable-rules-in-applocker.md)
####### [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
####### [Script rules in AppLocker](script-rules-in-applocker.md)
####### [DLL rules in AppLocker](dll-rules-in-applocker.md)
####### [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
##### [AppLocker architecture and components](applocker-architecture-and-components.md)
##### [AppLocker processes and interactions](applocker-processes-and-interactions.md)
##### [AppLocker functions](applocker-functions.md)
##### [Security considerations for AppLocker](security-considerations-for-applocker.md)
##### [Tools to Use with AppLocker](tools-to-use-with-applocker.md)
###### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md)
##### [AppLocker Settings](applocker-settings.md)
### [BitLocker](bitlocker-overview.md)
#### [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md)
#### [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
#### [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
#### [BitLocker basic deployment](bitlocker-basic-deployment.md)
#### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)
#### [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
#### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
#### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
#### [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
#### [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
#### [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)
#### [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
##### [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md)
##### [BitLocker Countermeasures](bitlocker-countermeasures.md)
##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md)
#### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
### [Encrypted Hard Drive](encrypted-hard-drive.md)
### [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
### [Security auditing](security-auditing-overview.md)
#### [Basic security audit policies](basic-security-audit-policies.md)
##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)
##### [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md)
##### [View the security event log](view-the-security-event-log.md)
##### [Basic security audit policy settings](basic-security-audit-policy-settings.md)
###### [Audit account logon events](basic-audit-account-logon-events.md)
###### [Audit account management](basic-audit-account-management.md)
###### [Audit directory service access](basic-audit-directory-service-access.md)
###### [Audit logon events](basic-audit-logon-events.md)
###### [Audit object access](basic-audit-object-access.md)
###### [Audit policy change](basic-audit-policy-change.md)
###### [Audit privilege use](basic-audit-privilege-use.md)
###### [Audit process tracking](basic-audit-process-tracking.md)
###### [Audit system events](basic-audit-system-events.md)
#### [Advanced security audit policies](advanced-security-auditing.md)
##### [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
##### [Advanced security auditing FAQ](advanced-security-auditing-faq.md)
###### [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md)
##### [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
###### [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md)
###### [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md)
###### [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)
###### [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md)
###### [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)
###### [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)
###### [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)
###### [Monitor claim types](monitor-claim-types.md)
##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
###### [Audit Credential Validation](audit-credential-validation.md)
####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md)
####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)
###### [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](event-4768.md)
####### [Event 4771 F: Kerberos pre-authentication failed.](event-4771.md)
####### [Event 4772 F: A Kerberos authentication ticket request failed.](event-4772.md)
###### [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
####### [Event 4769 S, F: A Kerberos service ticket was requested.](event-4769.md)
####### [Event 4770 S: A Kerberos service ticket was renewed.](event-4770.md)
####### [Event 4773 F: A Kerberos service ticket request failed.](event-4773.md)
###### [Audit Other Account Logon Events](audit-other-account-logon-events.md)
###### [Audit Application Group Management](audit-application-group-management.md)
###### [Audit Computer Account Management](audit-computer-account-management.md)
####### [Event 4741 S: A computer account was created.](event-4741.md)
####### [Event 4742 S: A computer account was changed.](event-4742.md)
####### [Event 4743 S: A computer account was deleted.](event-4743.md)
###### [Audit Distribution Group Management](audit-distribution-group-management.md)
####### [Event 4749 S: A security-disabled global group was created.](event-4749.md)
####### [Event 4750 S: A security-disabled global group was changed.](event-4750.md)
####### [Event 4751 S: A member was added to a security-disabled global group.](event-4751.md)
####### [Event 4752 S: A member was removed from a security-disabled global group.](event-4752.md)
####### [Event 4753 S: A security-disabled global group was deleted.](event-4753.md)
###### [Audit Other Account Management Events](audit-other-account-management-events.md)
####### [Event 4782 S: The password hash an account was accessed.](event-4782.md)
####### [Event 4793 S: The Password Policy Checking API was called.](event-4793.md)
###### [Audit Security Group Management](audit-security-group-management.md)
####### [Event 4731 S: A security-enabled local group was created.](event-4731.md)
####### [Event 4732 S: A member was added to a security-enabled local group.](event-4732.md)
####### [Event 4733 S: A member was removed from a security-enabled local group.](event-4733.md)
####### [Event 4734 S: A security-enabled local group was deleted.](event-4734.md)
####### [Event 4735 S: A security-enabled local group was changed.](event-4735.md)
####### [Event 4764 S: A groups type was changed.](event-4764.md)
####### [Event 4799 S: A security-enabled local group membership was enumerated.](event-4799.md)
###### [Audit User Account Management](audit-user-account-management.md)
####### [Event 4720 S: A user account was created.](event-4720.md)
####### [Event 4722 S: A user account was enabled.](event-4722.md)
####### [Event 4723 S, F: An attempt was made to change an account's password.](event-4723.md)
####### [Event 4724 S, F: An attempt was made to reset an account's password.](event-4724.md)
####### [Event 4725 S: A user account was disabled.](event-4725.md)
####### [Event 4726 S: A user account was deleted.](event-4726.md)
####### [Event 4738 S: A user account was changed.](event-4738.md)
####### [Event 4740 S: A user account was locked out.](event-4740.md)
####### [Event 4765 S: SID History was added to an account.](event-4765.md)
####### [Event 4766 F: An attempt to add SID History to an account failed.](event-4766.md)
####### [Event 4767 S: A user account was unlocked.](event-4767.md)
####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](event-4780.md)
####### [Event 4781 S: The name of an account was changed.](event-4781.md)
####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](event-4794.md)
####### [Event 4798 S: A user's local group membership was enumerated.](event-4798.md)
####### [Event 5376 S: Credential Manager credentials were backed up.](event-5376.md)
####### [Event 5377 S: Credential Manager credentials were restored from a backup.](event-5377.md)
###### [Audit DPAPI Activity](audit-dpapi-activity.md)
####### [Event 4692 S, F: Backup of data protection master key was attempted.](event-4692.md)
####### [Event 4693 S, F: Recovery of data protection master key was attempted.](event-4693.md)
####### [Event 4694 S, F: Protection of auditable protected data was attempted.](event-4694.md)
####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](event-4695.md)
###### [Audit PNP Activity](audit-pnp-activity.md)
####### [Event 6416 S: A new external device was recognized by the System.](event-6416.md)
####### [Event 6419 S: A request was made to disable a device.](event-6419.md)
####### [Event 6420 S: A device was disabled.](event-6420.md)
####### [Event 6421 S: A request was made to enable a device.](event-6421.md)
####### [Event 6422 S: A device was enabled.](event-6422.md)
####### [Event 6423 S: The installation of this device is forbidden by system policy.](event-6423.md)
####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](event-6424.md)
###### [Audit Process Creation](audit-process-creation.md)
####### [Event 4688 S: A new process has been created.](event-4688.md)
####### [Event 4696 S: A primary token was assigned to process.](event-4696.md)
###### [Audit Process Termination](audit-process-termination.md)
####### [Event 4689 S: A process has exited.](event-4689.md)
###### [Audit RPC Events](audit-rpc-events.md)
####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](event-5712.md)
###### [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
####### [Event 4928 S, F: An Active Directory replica source naming context was established.](event-4928.md)
####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](event-4929.md)
####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](event-4930.md)
####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](event-4931.md)
####### [Event 4934 S: Attributes of an Active Directory object were replicated.](event-4934.md)
####### [Event 4935 F: Replication failure begins.](event-4935.md)
####### [Event 4936 S: Replication failure ends.](event-4936.md)
####### [Event 4937 S: A lingering object was removed from a replica.](event-4937.md)
###### [Audit Directory Service Access](audit-directory-service-access.md)
####### [Event 4662 S, F: An operation was performed on an object.](event-4662.md)
####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md)
###### [Audit Directory Service Changes](audit-directory-service-changes.md)
####### [Event 5136 S: A directory service object was modified.](event-5136.md)
####### [Event 5137 S: A directory service object was created.](event-5137.md)
####### [Event 5138 S: A directory service object was undeleted.](event-5138.md)
####### [Event 5139 S: A directory service object was moved.](event-5139.md)
####### [Event 5141 S: A directory service object was deleted.](event-5141.md)
###### [Audit Directory Service Replication](audit-directory-service-replication.md)
####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](event-4932.md)
####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](event-4933.md)
###### [Audit Account Lockout](audit-account-lockout.md)
####### [Event 4625 F: An account failed to log on.](event-4625.md)
###### [Audit User/Device Claims](audit-user-device-claims.md)
####### [Event 4626 S: User/Device claims information.](event-4626.md)
###### [Audit Group Membership](audit-group-membership.md)
####### [Event 4627 S: Group membership information.](event-4627.md)
###### [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
###### [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
###### [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
###### [Audit Logoff](audit-logoff.md)
####### [Event 4634 S: An account was logged off.](event-4634.md)
####### [Event 4647 S: User initiated logoff.](event-4647.md)
###### [Audit Logon](audit-logon.md)
####### [Event 4624 S: An account was successfully logged on.](event-4624.md)
####### [Event 4625 F: An account failed to log on.](event-4625.md)
####### [Event 4648 S: A logon was attempted using explicit credentials.](event-4648.md)
####### [Event 4675 S: SIDs were filtered.](event-4675.md)
###### [Audit Network Policy Server](audit-network-policy-server.md)
###### [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
####### [Event 4649 S: A replay attack was detected.](event-4649.md)
####### [Event 4778 S: A session was reconnected to a Window Station.](event-4778.md)
####### [Event 4779 S: A session was disconnected from a Window Station.](event-4779.md)
####### [Event 4800 S: The workstation was locked.](event-4800.md)
####### [Event 4801 S: The workstation was unlocked.](event-4801.md)
####### [Event 4802 S: The screen saver was invoked.](event-4802.md)
####### [Event 4803 S: The screen saver was dismissed.](event-4803.md)
####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](event-5378.md)
####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](event-5632.md)
####### [Event 5633 S, F: A request was made to authenticate to a wired network.](event-5633.md)
###### [Audit Special Logon](audit-special-logon.md)
####### [Event 4964 S: Special groups have been assigned to a new logon.](event-4964.md)
####### [Event 4672 S: Special privileges assigned to new logon.](event-4672.md)
###### [Audit Application Generated](audit-application-generated.md)
###### [Audit Certification Services](audit-certification-services.md)
###### [Audit Detailed File Share](audit-detailed-file-share.md)
####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](event-5145.md)
###### [Audit File Share](audit-file-share.md)
####### [Event 5140 S, F: A network share object was accessed.](event-5140.md)
####### [Event 5142 S: A network share object was added.](event-5142.md)
####### [Event 5143 S: A network share object was modified.](event-5143.md)
####### [Event 5144 S: A network share object was deleted.](event-5144.md)
####### [Event 5168 F: SPN check for SMB/SMB2 failed.](event-5168.md)
###### [Audit File System](audit-file-system.md)
####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
####### [Event 4660 S: An object was deleted.](event-4660.md)
####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
####### [Event 4664 S: An attempt was made to create a hard link.](event-4664.md)
####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
####### [Event 5051: A file was virtualized.](event-5051.md)
####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
###### [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](event-5031.md)
####### [Event 5150: The Windows Filtering Platform blocked a packet.](event-5150.md)
####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5151.md)
####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](event-5154.md)
####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](event-5155.md)
####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](event-5156.md)
####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](event-5157.md)
####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](event-5158.md)
####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](event-5159.md)
###### [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](event-5152.md)
####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5153.md)
###### [Audit Handle Manipulation](audit-handle-manipulation.md)
####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](event-4690.md)
###### [Audit Kernel Object](audit-kernel-object.md)
####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
####### [Event 4660 S: An object was deleted.](event-4660.md)
####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
###### [Audit Other Object Access Events](audit-other-object-access-events.md)
####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](event-4671.md)
####### [Event 4691 S: Indirect access to an object was requested.](event-4691.md)
####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](event-5148.md)
####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](event-5149.md)
####### [Event 4698 S: A scheduled task was created.](event-4698.md)
####### [Event 4699 S: A scheduled task was deleted.](event-4699.md)
####### [Event 4700 S: A scheduled task was enabled.](event-4700.md)
####### [Event 4701 S: A scheduled task was disabled.](event-4701.md)
####### [Event 4702 S: A scheduled task was updated.](event-4702.md)
####### [Event 5888 S: An object in the COM+ Catalog was modified.](event-5888.md)
####### [Event 5889 S: An object was deleted from the COM+ Catalog.](event-5889.md)
####### [Event 5890 S: An object was added to the COM+ Catalog.](event-5890.md)
###### [Audit Registry](audit-registry.md)
####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
####### [Event 4660 S: An object was deleted.](event-4660.md)
####### [Event 4657 S: A registry value was modified.](event-4657.md)
####### [Event 5039: A registry key was virtualized.](event-5039.md)
####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
###### [Audit Removable Storage](audit-removable-storage.md)
###### [Audit SAM](audit-sam.md)
####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md)
###### [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](event-4818.md)
###### [Audit Audit Policy Change](audit-audit-policy-change.md)
####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
####### [Event 4715 S: The audit policy, SACL, on an object was changed.](event-4715.md)
####### [Event 4719 S: System audit policy was changed.](event-4719.md)
####### [Event 4817 S: Auditing settings on object were changed.](event-4817.md)
####### [Event 4902 S: The Per-user audit policy table was created.](event-4902.md)
####### [Event 4906 S: The CrashOnAuditFail value has changed.](event-4906.md)
####### [Event 4907 S: Auditing settings on object were changed.](event-4907.md)
####### [Event 4908 S: Special Groups Logon table modified.](event-4908.md)
####### [Event 4912 S: Per User Audit Policy was changed.](event-4912.md)
####### [Event 4904 S: An attempt was made to register a security event source.](event-4904.md)
####### [Event 4905 S: An attempt was made to unregister a security event source.](event-4905.md)
###### [Audit Authentication Policy Change](audit-authentication-policy-change.md)
####### [Event 4706 S: A new trust was created to a domain.](event-4706.md)
####### [Event 4707 S: A trust to a domain was removed.](event-4707.md)
####### [Event 4716 S: Trusted domain information was modified.](event-4716.md)
####### [Event 4713 S: Kerberos policy was changed.](event-4713.md)
####### [Event 4717 S: System security access was granted to an account.](event-4717.md)
####### [Event 4718 S: System security access was removed from an account.](event-4718.md)
####### [Event 4739 S: Domain Policy was changed.](event-4739.md)
####### [Event 4864 S: A namespace collision was detected.](event-4864.md)
####### [Event 4865 S: A trusted forest information entry was added.](event-4865.md)
####### [Event 4866 S: A trusted forest information entry was removed.](event-4866.md)
####### [Event 4867 S: A trusted forest information entry was modified.](event-4867.md)
###### [Audit Authorization Policy Change](audit-authorization-policy-change.md)
####### [Event 4703 S: A user right was adjusted.](event-4703.md)
####### [Event 4704 S: A user right was assigned.](event-4704.md)
####### [Event 4705 S: A user right was removed.](event-4705.md)
####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
####### [Event 4911 S: Resource attributes of the object were changed.](event-4911.md)
####### [Event 4913 S: Central Access Policy on the object was changed.](event-4913.md)
###### [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
###### [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
####### [Event 4944 S: The following policy was active when the Windows Firewall started.](event-4944.md)
####### [Event 4945 S: A rule was listed when the Windows Firewall started.](event-4945.md)
####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](event-4946.md)
####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](event-4947.md)
####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](event-4948.md)
####### [Event 4949 S: Windows Firewall settings were restored to the default values.](event-4949.md)
####### [Event 4950 S: A Windows Firewall setting has changed.](event-4950.md)
####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](event-4951.md)
####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](event-4952.md)
####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](event-4953.md)
####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](event-4954.md)
####### [Event 4956 S: Windows Firewall has changed the active profile.](event-4956.md)
####### [Event 4957 F: Windows Firewall did not apply the following rule.](event-4957.md)
####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](event-4958.md)
###### [Audit Other Policy Change Events](audit-other-policy-change-events.md)
####### [Event 4714 S: Encrypted data recovery policy was changed.](event-4714.md)
####### [Event 4819 S: Central Access Policies on the machine have been changed.](event-4819.md)
####### [Event 4826 S: Boot Configuration Data loaded.](event-4826.md)
####### [Event 4909: The local policy settings for the TBS were changed.](event-4909.md)
####### [Event 4910: The group policy settings for the TBS were changed.](event-4910.md)
####### [Event 5063 S, F: A cryptographic provider operation was attempted.](event-5063.md)
####### [Event 5064 S, F: A cryptographic context operation was attempted.](event-5064.md)
####### [Event 5065 S, F: A cryptographic context modification was attempted.](event-5065.md)
####### [Event 5066 S, F: A cryptographic function operation was attempted.](event-5066.md)
####### [Event 5067 S, F: A cryptographic function modification was attempted.](event-5067.md)
####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](event-5068.md)
####### [Event 5069 S, F: A cryptographic function property operation was attempted.](event-5069.md)
####### [Event 5070 S, F: A cryptographic function property modification was attempted.](event-5070.md)
####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](event-5447.md)
####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](event-6144.md)
####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](event-6145.md)
###### [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
####### [Event 4673 S, F: A privileged service was called.](event-4673.md)
####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md)
####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
###### [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
####### [Event 4673 S, F: A privileged service was called.](event-4673.md)
####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md)
####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
###### [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
###### [Audit IPsec Driver](audit-ipsec-driver.md)
###### [Audit Other System Events](audit-other-system-events.md)
####### [Event 5024 S: The Windows Firewall Service has started successfully.](event-5024.md)
####### [Event 5025 S: The Windows Firewall Service has been stopped.](event-5025.md)
####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](event-5027.md)
####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](event-5028.md)
####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](event-5029.md)
####### [Event 5030 F: The Windows Firewall Service failed to start.](event-5030.md)
####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](event-5032.md)
####### [Event 5033 S: The Windows Firewall Driver has started successfully.](event-5033.md)
####### [Event 5034 S: The Windows Firewall Driver was stopped.](event-5034.md)
####### [Event 5035 F: The Windows Firewall Driver failed to start.](event-5035.md)
####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](event-5037.md)
####### [Event 5058 S, F: Key file operation.](event-5058.md)
####### [Event 5059 S, F: Key migration operation.](event-5059.md)
####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](event-6400.md)
####### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](event-6401.md)
####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](event-6402.md)
####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](event-6403.md)
####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](event-6404.md)
####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](event-6405.md)
####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](event-6406.md)
####### [Event 6407: 1%.](event-6407.md)
####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](event-6408.md)
####### [Event 6409: BranchCache: A service connection point object could not be parsed.](event-6409.md)
###### [Audit Security State Change](audit-security-state-change.md)
####### [Event 4608 S: Windows is starting up.](event-4608.md)
####### [Event 4616 S: The system time was changed.](event-4616.md)
####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](event-4621.md)
###### [Audit Security System Extension](audit-security-system-extension.md)
####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](event-4610.md)
####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](event-4611.md)
####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](event-4614.md)
####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](event-4622.md)
####### [Event 4697 S: A service was installed in the system.](event-4697.md)
###### [Audit System Integrity](audit-system-integrity.md)
####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](event-4612.md)
####### [Event 4615 S: Invalid use of LPC port.](event-4615.md)
####### [Event 4618 S: A monitored security event pattern has occurred.](event-4618.md)
####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](event-4816.md)
####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](event-5038.md)
####### [Event 5056 S: A cryptographic self-test was performed.](event-5056.md)
####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](event-5062.md)
####### [Event 5057 F: A cryptographic primitive operation failed.](event-5057.md)
####### [Event 5060 F: Verification operation failed.](event-5060.md)
####### [Event 5061 S, F: Cryptographic operation.](event-5061.md)
####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](event-6281.md)
####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](event-6410.md)
###### [Other Events](other-events.md)
####### [Event 1100 S: The event logging service has shut down.](event-1100.md)
####### [Event 1102 S: The audit log was cleared.](event-1102.md)
####### [Event 1104 S: The security log is now full.](event-1104.md)
####### [Event 1105 S: Event log automatic backup.](event-1105.md)
####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](event-1108.md)
###### [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
###### [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
###### [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
### [Security policy settings](security-policy-settings.md)
#### [Administer security policy settings](administer-security-policy-settings.md)
##### [Network List Manager policies](network-list-manager-policies.md)
#### [Configure security policy settings](how-to-configure-security-policy-settings.md)
#### [Security policy settings reference](security-policy-settings-reference.md)
##### [Account Policies](account-policies.md)
###### [Password Policy](password-policy.md)
####### [Enforce password history](enforce-password-history.md)
####### [Maximum password age](maximum-password-age.md)
####### [Minimum password age](minimum-password-age.md)
####### [Minimum password length](minimum-password-length.md)
####### [Password must meet complexity requirements](password-must-meet-complexity-requirements.md)
####### [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md)
###### [Account Lockout Policy](account-lockout-policy.md)
####### [Account lockout duration](account-lockout-duration.md)
####### [Account lockout threshold](account-lockout-threshold.md)
####### [Reset account lockout counter after](reset-account-lockout-counter-after.md)
###### [Kerberos Policy](kerberos-policy.md)
####### [Enforce user logon restrictions](enforce-user-logon-restrictions.md)
####### [Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md)
####### [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md)
####### [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md)
####### [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md)
##### [Audit Policy](audit-policy.md)
##### [Security Options](security-options.md)
###### [Accounts: Administrator account status](accounts-administrator-account-status.md)
###### [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md)
###### [Accounts: Guest account status](accounts-guest-account-status.md)
###### [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
###### [Accounts: Rename administrator account](accounts-rename-administrator-account.md)
###### [Accounts: Rename guest account](accounts-rename-guest-account.md)
###### [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md)
###### [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md)
###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md)
###### [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
###### [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)
###### [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md)
###### [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md)
###### [Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
###### [Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
###### [Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)
###### [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)
###### [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md)
###### [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
###### [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
###### [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
###### [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
###### [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)
###### [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)
###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
###### [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)
###### [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
###### [Interactive logon: Require smart card](interactive-logon-require-smart-card.md)
###### [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md)
###### [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)
###### [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
###### [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
###### [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
###### [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
###### [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)
###### [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
###### [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
###### [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)
###### [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)
###### [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
###### [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
###### [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)
###### [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)
###### [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)
###### [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)
###### [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
###### [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)
###### [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)
###### [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
###### [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)
###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
###### [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)
###### [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
###### [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)
###### [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)
###### [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md)
###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
###### [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
###### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
###### [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)
###### [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
###### [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)
###### [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
###### [Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
###### [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)
###### [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
###### [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)
###### [System settings: Optional subsystems](system-settings-optional-subsystems.md)
###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
###### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
###### [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
###### [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)
###### [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
###### [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)
###### [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
###### [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
##### [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md)
##### [User Rights Assignment](user-rights-assignment.md)
###### [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md)
###### [Access this computer from the network](access-this-computer-from-the-network.md)
###### [Act as part of the operating system](act-as-part-of-the-operating-system.md)
###### [Add workstations to domain](add-workstations-to-domain.md)
###### [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md)
###### [Allow log on locally](allow-log-on-locally.md)
###### [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)
###### [Back up files and directories](back-up-files-and-directories.md)
###### [Bypass traverse checking](bypass-traverse-checking.md)
###### [Change the system time](change-the-system-time.md)
###### [Change the time zone](change-the-time-zone.md)
###### [Create a pagefile](create-a-pagefile.md)
###### [Create a token object](create-a-token-object.md)
###### [Create global objects](create-global-objects.md)
###### [Create permanent shared objects](create-permanent-shared-objects.md)
###### [Create symbolic links](create-symbolic-links.md)
###### [Debug programs](debug-programs.md)
###### [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)
###### [Deny log on as a batch job](deny-log-on-as-a-batch-job.md)
###### [Deny log on as a service](deny-log-on-as-a-service.md)
###### [Deny log on locally](deny-log-on-locally.md)
###### [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)
###### [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
###### [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md)
###### [Generate security audits](generate-security-audits.md)
###### [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)
###### [Increase a process working set](increase-a-process-working-set.md)
###### [Increase scheduling priority](increase-scheduling-priority.md)
###### [Load and unload device drivers](load-and-unload-device-drivers.md)
###### [Lock pages in memory](lock-pages-in-memory.md)
###### [Log on as a batch job](log-on-as-a-batch-job.md)
###### [Log on as a service](log-on-as-a-service.md)
###### [Manage auditing and security log](manage-auditing-and-security-log.md)
###### [Modify an object label](modify-an-object-label.md)
###### [Modify firmware environment values](modify-firmware-environment-values.md)
###### [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md)
###### [Profile single process](profile-single-process.md)
###### [Profile system performance](profile-system-performance.md)
###### [Remove computer from docking station](remove-computer-from-docking-station.md)
###### [Replace a process level token](replace-a-process-level-token.md)
###### [Restore files and directories](restore-files-and-directories.md)
###### [Shut down the system](shut-down-the-system.md)
###### [Synchronize directory service data](synchronize-directory-service-data.md)
###### [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)
### [Smart Cards](smart-card-windows-smart-card-technical-reference.md)
#### [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
##### [Smart Card Architecture](smart-card-architecture.md)
##### [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
##### [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
##### [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
##### [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
##### [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
#### [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
##### [Smart Cards Debugging Information](smart-card-debugging-information.md)
##### [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
##### [Smart Card Events](smart-card-events.md)
### [Trusted Platform Module](trusted-platform-module-top-node.md)
#### [Trusted Platform Module Overview](trusted-platform-module-overview.md)
#### [TPM fundamentals](tpm-fundamentals.md)
#### [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
#### [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md)
#### [Manage TPM commands](manage-tpm-commands.md)
#### [Manage TPM lockout](manage-tpm-lockout.md)
#### [Change the TPM owner password](change-the-tpm-owner-password.md)
#### [View status, clear, or troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md)
#### [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md)
#### [TPM recommendations](tpm-recommendations.md)
### [User Account Control](user-account-control-overview.md)
#### [How User Account Control works](how-user-account-control-works.md)
#### [User Account Control security policy settings](user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md)
### [Virtual Smart Cards](virtual-smart-card-overview.md)
#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
##### [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
##### [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
##### [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
#### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Preview features](preview-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
#### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
#### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
##### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
###### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
####### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
####### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
####### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
####### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
###### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
####### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
####### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
####### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
####### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
####### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md)
##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md)
##### [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md)
##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Windows Defender Antivirus compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
#### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
#### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus-on-windows-server-2016.md)
#### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus-compatibility.md)
#### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
#### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
###### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
##### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
##### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
###### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
###### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
###### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
#### [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-provided protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
###### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
##### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
###### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
###### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
###### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
#### [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
##### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
###### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
##### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
##### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
##### [Configure and run scans](run-scan-windows-defender-antivirus.md)
##### [Review scan results](review-scan-results-windows-defender-antivirus.md)
##### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
#### [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
#### [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
##### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
#### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
#### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md)
##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
##### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
###### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
###### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-devices.md)
##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
###### [Basic Firewall Policy Design](basic-firewall-policy-design.md)
###### [Domain Isolation Policy Design](domain-isolation-policy-design.md)
###### [Server Isolation Policy Design](server-isolation-policy-design.md)
###### [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
##### [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
###### [Firewall Policy Design Example](firewall-policy-design-example.md)
###### [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
###### [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
###### [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
##### [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
###### [Gathering the Information You Need](gathering-the-information-you-need.md)
####### [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
####### [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
####### [Gathering Information about Your Computers](gathering-information-about-your-devices.md)
####### [Gathering Other Relevant Information](gathering-other-relevant-information.md)
###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md)
##### [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
###### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
###### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
####### [Exemption List](exemption-list.md)
####### [Isolated Domain](isolated-domain.md)
####### [Boundary Zone](boundary-zone.md)
####### [Encryption Zone](encryption-zone.md)
###### [Planning Server Isolation Zones](planning-server-isolation-zones.md)
###### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
###### [Documenting the Zones](documenting-the-zones.md)
###### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
####### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
####### [Planning Network Access Groups](planning-network-access-groups.md)
####### [Planning the GPOs](planning-the-gpos.md)
######## [Firewall GPOs](firewall-gpos.md)
######### [GPO_DOMISO_Firewall](gpo-domiso-firewall.md)
######## [Isolated Domain GPOs](isolated-domain-gpos.md)
######### [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
######### [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
######## [Boundary Zone GPOs](boundary-zone-gpos.md)
######### [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
######## [Encryption Zone GPOs](encryption-zone-gpos.md)
######### [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
######## [Server Isolation GPOs](server-isolation-gpos.md)
####### [Planning GPO Deployment](planning-gpo-deployment.md)
##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
#### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md)
##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
##### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
##### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
###### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)
###### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)
###### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)
##### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
###### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)
###### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)
###### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)
###### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
##### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
###### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
###### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
##### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
##### [Procedures Used in This Guide](procedures-used-in-this-guide.md)
###### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
###### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
###### [Configure Authentication Methods](configure-authentication-methods.md)
###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
###### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
###### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
###### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
###### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
###### [Create a Group Policy Object](create-a-group-policy-object.md)
###### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
###### [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
###### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
###### [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
###### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
###### [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
###### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
###### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
###### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
###### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
###### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
###### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
###### [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
###### [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
###### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
###### [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
###### [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
###### [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
## [Enterprise security guides](windows-10-enterprise-security-guides.md)
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)
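Review bot: before this TOC file is dropped, confirm that the relocated TOC carries the same entries with two corrections. The entry "Configure endpoints using System Security Configuration Manager" (pointing at configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) misnames the product; the Windows Defender AV entry further down spells it correctly as System Center Configuration Manager. The three entries that link to fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md carry a misspelled filename; either keep the link consistent with the actual file or rename the file together with a redirect. Also verify that the new TOC renderer accepts the seven- to nine-hash nesting used here (for example the GPO_DOMISO_* entries), since standard Markdown defines only six heading levels.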


@ -1,137 +0,0 @@
---
title: Access Control Overview (Windows 10)
description: Access Control Overview
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
---
# Access Control Overview
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
## <a href="" id="bkmk-over"></a>Feature description
Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.
Shared resources are available to users and groups other than the resources owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways:
- Deny access to unauthorized users and groups
- Set well-defined limits on the access that is provided to authorized users and groups
Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
This content set contains:
- [Dynamic Access Control Overview](dynamic-access-control.md)
- [Security identifiers](security-identifiers.md)
- [Security Principals](security-principals.md)
- [Local Accounts](local-accounts.md)
- [Active Directory Accounts](active-directory-accounts.md)
- [Microsoft Accounts](microsoft-accounts.md)
- [Service Accounts](service-accounts.md)
- [Active Directory Security Groups](active-directory-security-groups.md)
## <a href="" id="bkmk-app"></a>Practical applications
Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
- Protect a greater number and variety of network resources from misuse.
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs.
- Enable users to access resources from a variety of devices in numerous locations.
- Update users ability to access resources on a regular basis as an organizations policies change or as users jobs change.
- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones).
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.
## Permissions
Permissions define the type of access that is granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat.
By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
For any object, you can grant permissions to:
- Groups, users, and other objects with security identifiers in the domain.
- Groups and users in that domain and any trusted domains.
- Local groups and users on the computer where the object resides.
The permissions attached to an object depend on the type of object. For example, the permissions that can be attached to a file are different from those that can be attached to a registry key. Some permissions, however, are common to most types of objects. These common permissions are:
- Read
- Modify
- Change owner
- Delete
When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print.
When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](http://technet.microsoft.com/library/cc770962.aspx).
**Note**  
Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](http://technet.microsoft.com/library/cc754178.aspx).
 
### Ownership of objects
An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](http://technet.microsoft.com/library/cc732983.aspx).
### Inheritance of permissions
Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within a folder inherit the permissions of the folder. Only permissions marked to be inherited will be inherited.
## User rights
User rights grant specific privileges and sign-in rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
For more information about user rights, see [User Rights Assignment](user-rights-assignment.md).
## Object auditing
With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
For more information about auditing, see [Security Auditing Overview](security-auditing-overview.md).
## See also
- For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/en-us/library/jj134043(v=ws.11).aspx).
 
 
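Review bot: Deleting this file outright (-1,137 +0,0) removes the hub topic whose "This content set contains" list makes it the parent of eight sibling topics (dynamic-access-control.md through active-directory-security-groups.md) and which links onward to security-auditing-overview.md and user-rights-assignment.md; confirm those targets are reachable from the new TOC, otherwise the grouping described in the Feature description paragraph is lost. If the text is being moved rather than dropped, two defects are worth fixing in the surviving copy: the front matter has no `author:` field, unlike every other file in this commit, and the `<a href="" id="bkmk-over"></a>` and `<a href="" id="bkmk-app"></a>` anchors embedded in the section headings have no in-file references (nothing links to #bkmk-over or #bkmk-app), so they are dead inline HTML.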


@ -1,85 +0,0 @@
---
title: Access Credential Manager as a trusted caller (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Access Credential Manager as a trusted caller security policy setting.
ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Access Credential Manager as a trusted caller
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting.
## Reference
The **Access Credential Manager as a trusted caller** policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it is assigned only to the Winlogon service. Saved credentials of users may be compromised if this privilege is given to other entities.
Constant: SeTrustedCredManAccessPrivilege
### Possible values
- User-defined list of accounts
- Not defined
### Best practices
- Do not modify this policy setting from the default.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
| Server type or GPO | Default value |
| - | - |
| Default domain policy | Not defined |
| Default domain controller policy | Not defined |
| Stand-alone server default settings | Not defined |
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not defined |
 
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
If an account is given this user right, the user of the account may create an application that calls into Credential Manager and is returned the credentials for another user.
### Countermeasure
Do not define the **Access Credential Manager as a trusted caller** policy setting for any accounts besides Credential Manager.
### Potential impact
None. Not defined is the default configuration.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
 
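Review bot: The Reference paragraph and the Countermeasure disagree about who legitimately holds SeTrustedCredManAccessPrivilege: the Reference says the privilege "is assigned only to the Winlogon service", while the Countermeasure says not to define the setting "for any accounts besides Credential Manager"; if this text is being moved rather than dropped, name one holder and use it in both places. Minor: the Policy management section repeats the generic Group Policy precedence list (Local, Site, Domain, OU) verbatim from the other user-rights topics in this commit, which is fine, but the description line "Describes the best practices, location, values, policy management, and security considerations..." is then duplicated as the first body sentence, so the page says the same thing twice before any content.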


@ -1,101 +0,0 @@
---
title: Access this computer from the network - security policy setting (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting.
ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Access this computer from the network - security policy setting
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting.
## Reference
The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
Users, devices, and service accounts gain or lose the **Access this computer from network** user right by being explicitly or implicitly added or removed from a security group that has been granted this user right. For example, a user account or a machine account may be explicitly added to a custom security group or a built-in security group, or it may be implicitly added by Windows to a computed security group such as Domain Users, Authenticated Users, or Enterprise Domain Controllers.
By default, user accounts and machine accounts are granted the **Access this computer from network** user right when computed groups such as Authenticated Users, and for domain controllers, the Enterprise Domain Controllers group, are defined in the default domain controllers Group Policy Object (GPO).
Constant: SeNetworkLogonRight
### Possible values
- User-defined list of accounts
- Not defined
### Best practices
- On desktop devices or member servers, grant this right only to users and administrators.
- On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators.
- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
|Server type of GPO | Default value |
| - | - |
| Default domain policy | Not defined |
| Default domain controller policy | Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access |
| Stand-alone server default settings |Everyone, Administrators, Users, Backup Operators |
| Domain controller effective default settings | Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access |
| Member server effective default settings | Everyone, Administrators, Users, Backup Operators |
| Client computer effective default settings |Everyone, Administrators, Users, Backup Operators |
 
## Policy management
When modifying this user right, the following actions might cause users and services to experience network access issues:
- Removing the Enterprise Domain Controllers security group
- Removing the Authenticated Users group or an explicit group that allows users, computers, and service accounts the user right to connect to computers over the network
- Removing all user and machine accounts
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Users who can connect from their device to the network can access resources on target devices for which they have permission. For example, the **Access this computer from the network** user right is required for users to connect to shared printers and folders. If this user right is assigned to the **Everyone** group, anyone in the group can read the files in those shared folders. This situation is unlikely because the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 do not include the **Everyone** group. However, if a device is upgraded and the original device includes the **Everyone** group as part of its defined users and groups, that group is transitioned as part of the upgrade process and is present on the device.
### Countermeasure
Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who log on to the domain can access resources that are shared
from servers in the domain if members of the **Domain Users** group are included in the local **Users** group.
> **Note** If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement.
 
### Potential impact
If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
 
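Review bot: The Default values table and the Vulnerability section contradict each other: every effective-default row in the table begins with "Everyone", yet the Vulnerability paragraph states that "the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 do not include the **Everyone** group" and attributes its presence only to in-place upgrades; one of the two is wrong and should be corrected before this text is reused elsewhere. Smaller points: the table header reads "Server type of GPO" where the sibling files use "Server type or GPO", and the Countermeasure sentence is split across two lines ("...resources that are shared" / "from servers in the domain..."), which renders as a hard break inside the sentence.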
 


@ -1,70 +0,0 @@
---
title: Account lockout duration (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting.
ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Account lockout duration
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting.
## Reference
The **Account lockout duration** policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. The available range is from 1 through 99,999 minutes. A value of 0 specifies that the account will be locked out until an administrator explicitly unlocks it. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md).
This policy setting is dependent on the **Account lockout threshold** policy setting that is defined, and it must be greater than or equal to the value specified for the [Reset account lockout counter after](reset-account-lockout-counter-after.md) policy setting.
### Possible values
- A user-defined number of minutes from 0 through 99,999
- Not defined
If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If th **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
It is advisable to set **Account lockout duration** to approximately 30 minutes. To specify that the account will never be locked out, set the value to 0. To configure the value for this policy setting so that it never automatically unlocks the account might seem like a good idea; however, doing so can increase the number of requests that your organizations Help Desk receives to unlock accounts that were locked by mistake.
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**
### Default values
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
| Default domain policy | Not defined |
| Default domain controller policy | Not defined |
| Stand-alone server default settings | Not applicable |
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not applicable |
 
## Security considerations
More than a few unsuccessful password submissions during an attempt to log on to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track logon attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached.
### Vulnerability
A denial-of-service (DoS) condition can be created if an attacker abuses the [Account lockout threshold](account-lockout-threshold.md) policy setting and repeatedly attempts to log on with a specific account. After you configure the Account lockout threshold policy setting, the account will be locked out after the specified number of failed attempts. If you configure the **Account lockout duration** policy setting to 0, the account remains locked until you unlock it manually.
### Countermeasure
Configure the **Account lockout duration** policy setting to an appropriate value for your environment. To specify that the account will remain locked until you manually unlock it, configure the value to 0. When the **Account lockout duration** policy setting is configured to a nonzero value, automated attempts to guess account passwords are delayed for this interval before resuming attempts against a specific account. Using this setting in combination with the [Account lockout threshold](account-lockout-threshold.md) policy setting makes automated password guessing attempts more difficult.
### Potential impact
Configuring the **Account lockout duration** policy setting to 0 so that accounts cannot be automatically unlocked can increase the number of requests that your organization's Help Desk receives to unlock accounts that were locked by mistake.
## Related topics
[Account Lockout Policy](account-lockout-policy.md)
 
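Review bot: The Possible values section contradicts the Reference: the Reference says "A value of 0 specifies that the account will be locked out until an administrator explicitly unlocks it", but the Possible values text then says "To specify that the account will never be locked out, set the value to 0"; 0 means locked until manually unlocked (as the Countermeasure also states), so the "never be locked out" sentence should be removed or reworded. The Location line is also wrong for this setting: it gives "Account Policies\\Password Policy", whereas the Related topics link and the Account Lockout Policy and Account lockout threshold topics in this same commit place the lockout settings under "Account Policies\\Account Lockout Policy". Minor: "If th **Account lockout duration**" is missing the "e", and the requirement that the duration be greater than or equal to "Reset account lockout counter after" is stated twice in consecutive paragraphs of the Reference.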
 


@ -1,35 +0,0 @@
---
title: Account Lockout Policy (Windows 10)
description: Describes the Account Lockout Policy settings and links to information about each policy setting.
ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Account Lockout Policy
**Applies to**
- Windows 10
Describes the Account Lockout Policy settings and links to information about each policy setting.
Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**.
The following topics provide a discussion of each policy setting's implementation and best practices considerations, policy location, default values for the server type or Group Policy Object (GPO), relevant differences in operating system versions, and security considerations (including the possible vulnerabilities of each policy setting), countermeasures that you can implement, and the potential impact of implementing the countermeasures.
## In this section
| Topic | Description |
| - | - |
| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
| [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. |
| [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |
 
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
 
 
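Review bot: This index topic is the only place in the set that lists the three lockout settings together and states their Group Policy location (Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy); since the hunks for the Account lockout duration and Account lockout threshold topics in this commit are also whole-file deletions, confirm the replacement TOC exposes the three settings under a common parent, or the grouping in the "In this section" table is lost. Style: the opening sentence "Someone who attempts to use more than a few unsuccessful passwords while trying to log on" reads awkwardly; the duration topic's wording ("More than a few unsuccessful password submissions during an attempt to log on ... might represent an attacker's attempts") is clearer and could be reused here.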


@ -1,105 +0,0 @@
---
title: Account lockout threshold (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting.
ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Account lockout threshold
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting.
## Reference
The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md).
Failed password attempts on workstations or member servers that have been locked by using CTRL+ALT+DELETE or password-protected screen savers do not count as failed sign-in attempts unless [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) is set to **Enabled**. If Interactive logon: Require Domain Controller authentication to unlock workstation is enabled, repeated failed password attempts to unlock the workstation will count against the account lockout threshold.
Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks.
However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account.
### Possible values
It is possible to configure the following values for the **Account lockout threshold** policy setting:
- A user-defined number from 0 through 999
- Not defined
Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this topic
### Best practices
The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, a setting above 4 and below 10 could be an acceptable starting point for your organization.
> **Important:**  Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic.
 
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**
### Default values
The following table lists the actual and effective default policy values. Default values are also listed on the property page for the policy setting.
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
| Default domain policy | 0 invalid sign-in attempts |
| Default domain controller policy | Not defined |
| Stand-alone server default settings | 0 invalid sign-in attempts |
| Domain controller effective default settings | 0 invalid sign-in attempts |
| Member server effective default settings |0 invalid sign-in attempts |
| Effective GPO default settings on client computers |0 invalid sign-in attempts |
 
### Policy management
This section describes features and tools that are available to help you manage this policy setting.
### Restart requirements
None. Changes to this policy setting become effective without a computer restart when they are saved locally or distributed through Group Policy.
### <a href="" id="bkmk-impleconsiderations"></a>Implementation considerations
Implementation of this policy setting is dependent on your operational environment. You should consider threat vectors, deployed operating systems, and deployed apps, for example:
- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. You should set the account lockout threshold in consideration of the known and perceived risk of those threats.
- When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases.
- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign-in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Brute force password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed sign-in attempts that can be performed.
However, a DoS attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock every account without needing any special privileges or being authenticated in the network.
> **Note:** Offline password attacks are not countered by this policy setting.
 
### <a href="" id="bkmk-countermeasure"></a>Countermeasure
Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met:
- The password policy setting requires all users to have complex passwords of 8 or more characters.
- A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occur in the environment.
- Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
A good recommendation for such a configuration is 50 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack. We recommend this option if your organization cannot implement complex password requirements and an audit policy that alerts administrators to a series of failed sign-in attempts.
Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it is needed to help mitigate massive lockouts caused by an attack on your systems.
### Potential impact
If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls.
If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that an malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place.
If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts.
## Related topics
[Account Lockout Policy](account-lockout-policy.md)
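Review bot: the Potential impact paragraph near the end of this hunk has a grammar slip, "an malicious user's attempt to discover passwords", which should read "a malicious user's attempt". Since the topic is removed outright here rather than renamed, its in-page anchors (`id="bkmk-impleconsiderations"`, `id="bkmk-countermeasure"`) stop resolving for any link that targets them; confirm the topic is re-added under the new TOC with the same anchors, or update the incoming deep links in the same change.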
 

View File

@ -1,34 +0,0 @@
---
title: Account Policies (Windows 10)
description: An overview of account policies in Windows and provides links to policy descriptions.
ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Account Policies
**Applies to**
- Windows 10
An overview of account policies in Windows and provides links to policy descriptions.
All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
> **Note:**  Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
 
The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies.
## In this section
| Topic | Description |
| - | - |
| [Password Policy](password-policy.md) | An overview of password policies for Windows and links to information for each policy setting. |
| [Account Lockout Policy](account-lockout-policy.md) | Describes the Account Lockout Policy settings and links to information about each policy setting. |
| [Kerberos Policy](kerberos-policy.md) | Describes the Kerberos Policy settings and provides links to policy setting descriptions. |
 
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
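Review bot: the `description:` front-matter value and the first body line, "An overview of account policies in Windows and provides links to policy descriptions.", are a fragment (a noun phrase joined to a verb phrase); if the topic is re-created under the new TOC, reword it to "Provides an overview of account policies in Windows and links to policy descriptions." The "In this section" table links (password-policy.md, account-lockout-policy.md, kerberos-policy.md) are relative, so they only keep working if those three topics land in the same folder as this one.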

View File

@ -1,106 +0,0 @@
---
title: Accounts Administrator account status (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting.
ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Accounts: Administrator account status
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.
## Reference
This security setting determines whether the local administrator account is enabled or disabled.
If you try to enable the administrator account after it has been disabled, and if the current administrator password does not meet the password requirements, you cannot enable the account. In this case, an alternative member of the Administrators group must reset the password on the administrator account.
If you disable this policy setting, and one of the following conditions exists on the computer, the administrator account is not disabled.
1. No other local administrator account exists
2. The administrator account is currently in use
3. All other local administrator accounts are:
1. Disabled
2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment
If the current administrator password does not meet the password requirements, you will not be able to enable the administrator account again after it has been disabled. In this case, another member of the Administrators group must set the password on the administrator account.
### Possible values
- Enabled
- Disabled
- Not defined
By default, this setting is **Not defined** on domain controllers and **Enabled** on stand-alone servers.
### Best practices
- Disabling the administrator account can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your connection fails for any reason, and there is no other local administrator account, you must restart the computer in safe mode to fix the problem that broke your connection status.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy |Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Disabled |
 
## Policy management
Disabling the administrator account can become a maintenance issue under certain circumstances. Reasons that an organization might consider disabling the built-in administrator account include:
- For some organizations, periodically changing the passwords for local accounts can be a daunting management challenge.
- By default, the administrator account cannot be locked—no matter how many failed attempts to sign in a user accrues. This makes it a prime target for brute-force, password-guessing attacks.
- This account has a well-known security identifier (SID). Some non-Microsoft tools allow you to authenticate over the network by specifying the SID rather than the account name. This means that even if you rename the administrator account, a malicious user could start a brute-force attack by using the SID.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Safe mode considerations
When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. If the computer is joined to a domain, the disabled administrator account is not enabled.
If the administrator account is disabled, you can still access the computer by using safe mode with the current administrative credentials. For example, if a failure occurs using a secure channel with a domain-joined computer, and there is no other local administrator account, you must restart the device in safe mode to fix the failure.
### How to access a disabled Administrator account
You can use the following methods to access a disabled Administrator account:
- When there is only one local administrator account that is disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that computer.
- When there are local administrator accounts in addition to the built-in account, start the computer in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that device. An alternate method is to sign in to Windows by using another local
Administrator account that was created.
- When multiple domain-joined servers have a disabled local Administrator account that can be accessed in safe mode, you can remotely run psexec by using the following command: **net user administrator /active: no**.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
The built-in administrator account cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum.
### Countermeasure
Disable the **Accounts: Administrator account status** setting so that the built-in Administrator account cannot be used in a normal system startup.
If it is very difficult to maintain a regular schedule for periodic password changes for local accounts, you can disable the built-in administrator account instead of relying on regular password changes to protect it from attack.
### Potential impact
Maintenance issues can arise under certain circumstances if you disable the administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there is no other local administrator account, you must restart in safe mode to fix the problem that caused the secure channel to fail.
If the current administrator password does not meet the password requirements, you cannot enable the administrator account after it is disabled. If this situation occurs, another member of the administrators group must set the password on the administrator account.
## Related topics
[Security Options](security-options.md)
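Review bot: the last bullet under "How to access a disabled Administrator account" ends with `net user administrator /active: no`, which is the command that disables the account; the bullet is about regaining access, so the intended command is presumably `net user administrator /active:yes` (the documented form has no space after the colon). Two smaller points in the same hunk: the Default values table lacks the `| - | - |` header-separator row that every other topic in this commit includes, so it will not render as a table; and the paragraph "If the current administrator password does not meet the password requirements ..." appears twice in the Reference section (once before the numbered list and again after it). Worth fixing if this content is re-added under the new TOC rather than carried over as-is.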

View File

@ -1,86 +0,0 @@
---
title: Accounts Block Microsoft accounts (Windows 10)
description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting.
ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Accounts: Block Microsoft accounts
**Applies to**
- Windows 10
Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.
## Reference
This policy setting prevents users from adding new Microsoft accounts on a device.
If you click the **Users cant add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store.
If you click the **Users cant add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
### Possible values
- This policy is disabled
- Users cant add Microsoft accounts
- Users cant add or log on with Microsoft accounts
By default, this setting is not defined on domain controllers and disabled on stand-alone servers.
### Best practices
- By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users.
- If you need to limit the use of Microsoft accounts in your organization, click the **Users cant add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure implementation.
### Vulnerability
Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account is not easily distinguishable, auditing and forensics become more difficult.
### Countermeasure
Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the **Users cant add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
### Potential impact
Establishing greater control over accounts in your organization can give you more secure management capabilities, including procedures around password resets.
## Related topics
[Security Options](security-options.md)
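Review bot: the option names quoted in bold throughout this hunk have lost their apostrophe ("Users cant add Microsoft accounts", "Users cant add or log on with Microsoft accounts", and "policys property page" in the Default values intro), apparently a curly apostrophe dropped during conversion; they no longer match the UI strings, so when this topic is re-added under the new TOC use a plain ASCII apostrophe ("Users can't add Microsoft accounts").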
 
 

View File

@ -1,71 +0,0 @@
---
title: Accounts Guest account status - security policy setting (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting.
ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Accounts: Guest account status - security policy setting
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.
## Reference
The **Accounts: Guest account status** policy setting determines whether the Guest account is enabled or disabled.
This account allows unauthenticated network users to gain access to the system by logging on as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This can lead to the exposure or corruption of data.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
Set **Accounts: Guest account status** to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) is set to **Guest only**, network logons—such as those performed by the SMB Service—will fail.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
 
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
The default Guest account allows unauthenticated network users to log on as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data.
### Countermeasure
Disable the **Accounts: Guest account status** setting so that the built-in Guest account cannot be used.
### Potential impact
All network users must be authenticated before they can access shared resources. If you disable the Guest account and the **Network Access: Sharing and Security Model** option is set to **Guest Only**, network logons, such as those performed by the Microsoft Network Server (SMB Service), fail. This policy setting should have little impact on most organizations because it is the default setting starting with Windows Vista and Windows Server 2003.
## Related topics
[Security Options](security-options.md)
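Review bot: the same setting is named two different ways in this hunk: Best practices says "Network access: Sharing and security model for local accounts" set to "Guest only" (with a link), while Potential impact says "Network Access: Sharing and Security Model" set to "Guest Only" with no link. Use the full linked name in both places so readers can find the setting. "policys property page" has the same dropped apostrophe seen in the other Accounts topics.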
 
 

View File

@ -1,90 +0,0 @@
---
title: Accounts Limit local account use of blank passwords to console logon only (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Accounts Limit local account use of blank passwords to console logon only security policy setting.
ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Accounts: Limit local account use of blank passwords to console logon only
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting.
## Reference
The **Accounts: Limit local account use of blank passwords to console logon only** policy setting determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords. If this policy setting is enabled, a local account must have a nonblank password to be used to perform an interactive or network logon from a remote client.
This policy setting does not affect interactive logons that are performed physically at the console or logons that use domain accounts. It is possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting.
Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to log on to systems.
Devices that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can log on by using a user account that does not have a password. This is especially important for portable devices.
If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- It is advisable to set **Accounts: Limit local account use of blank passwords to console logon only** to Enabled.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Enabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Policy conflict considerations
The policy as distributed through the GPO takes precedence over the locally configured policy setting on a computer joined to a domain. On the domain controller, use ADSI Edit or the dsquery command to determine effective minimum password length.
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. Starting with Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on.
### Countermeasure
Enable the **Accounts: Limit local account use of blank passwords to console logon only** setting.
### Potential impact
None. This is the default configuration.
## Related topics
[Security Options](security-options.md)
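Review bot: the "Policy conflict considerations" text in this hunk ("On the domain controller, use ADSI Edit or the dsquery command to determine effective minimum password length") belongs to the Minimum password length topic and is unrelated to this setting, which governs remote logon with blank passwords; if the topic is re-added, replace it with "None." as the other Accounts topics do, or with guidance that applies here. Likewise, "If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services" reads as copied from a user-rights-assignment topic: this is a security option with Enabled/Disabled/Not defined values (see Possible values), not a policy applied to a group.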

View File

@ -1,88 +0,0 @@
---
title: Accounts Rename administrator account (Windows 10)
description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.
ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Accounts: Rename administrator account
**Applies to**
- Windows 10
This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.
## Reference
The **Accounts: Rename administrator account** policy setting determines whether a different account name is associated with the security identifier (SID) for the administrator account.
Because the administrator account exists on all Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), renaming the account makes it slightly more difficult for attackers to guess this user name and password combination.
Rename the Administrator account by specifying a value for the **Accounts: Rename administrator account** policy setting.
### Possible values
- User-defined text
- Not defined
### Best practices
- Be sure to inform users who are authorized to use this account of the new account name.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Administrator |
| DC Effective Default Settings | Administrator |
| Member Server Effective Default Settings | Administrator |
| Client Computer Effective Default Settings | Administrator |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
### Policy conflict considerations
None.
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
The Administrator account exists on all versions Windows 10 for desktop editions. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Beginning with Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer so this countermeasure is applied by default on new installations. If a device is upgraded from a previous version of Windows, the account with the name administrator is retained with all the rights and privileges that were defined for the account in the previous installation.
The built-in administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the administrator account a popular target for brute-force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on.
### Countermeasure
Specify a new name in the **Accounts: Rename administrator account** setting to rename the Administrator account.
### Potential impact
You must provide users who are authorized to use this account with the new account name. (The guidance for this setting assumes that the Administrator account was not disabled.)
## Related topics
[Security Options](security-options.md)
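Review bot: "all versions Windows 10 for desktop editions" in the Vulnerability paragraph is missing "of". In the same paragraph, "this countermeasure is applied by default on new installations" sits awkwardly beside the Default values table, which lists "Administrator" as the effective default on every server and client type; make explicit that the table describes the built-in account's name under this policy (Not defined leaves it "Administrator"), while the installer-created first account is a separate account, so the two statements do not read as contradicting each other.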
 
 

View File

@ -1,87 +0,0 @@
---
title: Accounts Rename guest account - security policy setting (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting.
ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Accounts: Rename guest account - security policy setting
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.
## Reference
The **Accounts: Rename guest account** policy setting determines whether a different account name is associated with the security identifier (SID) for the Guest account.
### Possible values
- *User-defined text*
- Guest
### Best practices
1. For devices in unsecured locations, renaming the account makes it more difficult for unauthorized users to guess it.
2. For computers in secured or trusted locations, keeping the name of the account as Guest provides consistency among devices
### Location
Computer Configuration\\Windows Settings\\Security Settings
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Guest |
| Default Domain Controller Policy | Guest |
| Stand-Alone Server Default Settings | Guest |
| DC Effective Default Settings | Guest |
| Member Server Effective Default Settings | Guest |
| Client Computer Effective Default Settings | *User-defined text* |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Policy conflict considerations
None.
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges
or install software that could be used for a later attack on your system.
### Countermeasure
Specify a new name in the **Accounts: Rename guest account** setting to rename the Guest account. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
### Potential impact
There should be little impact because the Guest account is disabled by default in Windows 2000 Server, Windows Server 2003, and Windows XP. For later operating systems, the policy is enabled with **Guest** as the default.
## Related topics
[Security Options](security-options.md)
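Review bot: the Countermeasure paragraph ("Specify a new name in the **Accounts: Rename guest account** setting ...") describes the Guest account as "this privileged user name and password combination"; that sentence is copied from the Rename administrator account page above, and Guest is not a privileged account, so the moved copy should drop "privileged". The Vulnerability paragraph is also broken mid-sentence ("... attempt to elevate privileges" / "or install software ..."), and Best practices item 2 has no terminating period. The same relative-link caveat applies to `[Security Options](security-options.md)` if this page is relocated instead of deleted.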
 
 

View File

@ -1,83 +0,0 @@
---
title: Act as part of the operating system (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting.
ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Act as part of the operating system
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Act as part of the operating system** security policy setting.
## Reference
The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access is not limited to what is associated with the user by default. The calling process may request that arbitrary additional privileges be added to the access token. The calling process may also build an access token that does not provide a primary identity for auditing in the system event logs.
Constant: SeTcbPrivilege
### Possible values
- User-defined list of accounts
- Not defined
### Best practices
- Do not assign this right to any user accounts. Only assign this user right to trusted users.
- If a service requires this user right, configure the service to log on by using the local System account, which inherently includes this user right. Do not create a separate account and assign this user right to it.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default domain policy | Not defined |
| Default domain controller policy| Not defined |
| Stand-alone server default settings | Not defined |
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not defined |
 
## Policy management
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
The **Act as part of the operating system** user right is extremely powerful. Users with this user right can take complete control of the device and erase evidence of their activities.
### Countermeasure
Restrict the **Act as part of the operating system** user right to as few accounts as possible—it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which inherently includes this privilege. Do not create a separate account and assign this user right to it.
### Potential impact
There should be little or no impact because the **Act as part of the operating system** user right is rarely needed by any accounts other than the Local System account.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
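Review bot: the first Best practices bullet contradicts itself ("Do not assign this right to any user accounts. Only assign this user right to trusted users."); the Countermeasure section states the intended rule (restrict to as few accounts as possible, not even the Administrators group, and run services as Local System), so the bullet should read along the lines of "Do not assign this user right to any user account; if a service requires it, configure the service to log on as the local System account." The table header "Default values" promises values "for the most recent supported versions of Windows" while the page's Applies to list names only Windows 10, which is worth aligning. If the page is moved rather than dropped, `[User Rights Assignment](user-rights-assignment.md)` needs re-pointing to its new location.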
 

View File

@ -1,851 +0,0 @@
---
title: Active Directory Accounts (Windows 10)
description: Active Directory Accounts
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
---
# Active Directory Accounts
**Applies to**
- Windows Server 2016
Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory.
This reference topic does not describe default local user accounts for a member or standalone server or for a Windows client. For more information, see [Local Accounts](local-accounts.md).
## About this topic
This topic describes the following:
- [Default local accounts in Active Directory](#sec-ad-default-accounts)
- [Administrator account](#sec-administrator)
- [Guest account](#sec-guest)
- [HelpAssistant account (installed with a Remote Assistance session)](#sec-helpassistant)
- [KRBTGT account](#sec-krbtgt)
- [Settings for default local accounts in Active Directory](#sec-account-settings)
- [Manage default local accounts in Active Directory](#sec-manage-local-accounts)
- [Restrict and protect sensitive domain accounts](#sec-restrict-protect-accounts)
- [Separate administrator accounts from user accounts](#task1-separate-admin-accounts)
- [Create dedicated workstation hosts without Internet and email access](#task2-admin-workstations)
- [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon)
- [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation)
- [Secure and manage domain controllers](#sec-secure-manage-dcs)
## <a href="" id="sec-ad-default-accounts"></a>Default local accounts in Active Directory
Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server.
You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU).
The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory.
Primarily, default local accounts do the following:
- Let the domain represent, identify, and authenticate the identity of the user that is assigned to the account by using unique credentials (user name and password). It is a best practice to assign each user to a single account to ensure maximum security. Multiple users are not allowed to share one account. A user account lets a user sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
- Authorize (grant or deny) access to resources. After a users credentials have been authenticated, the user is authorized to access the network and domain resources based on the users explicitly assigned rights on the resource.
- Audit the actions that are carried out on a user account.
In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications.
Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md).
On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md).
A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below.
Some of the default local accounts are protected by a background process that periodically checks and applies a specific security descriptor. A security descriptor is a data structure that contains security information that is associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the default local accounts or groups is overwritten with the protected settings.
This security descriptor is present on the AdminSDHolder object. If you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object to ensure that it is applied consistently. Be careful when making these modifications, because you are also changing the default settings that are applied to all of your protected accounts.
## <a href="" id="sec-administrator"></a>Administrator account
The Administrator account is a default account that is used in all versions of the Windows operating system on every computer and device. The Administrator account is used by the system administrator for tasks that require administrative credentials. This account cannot be deleted or locked out, but the account can be renamed or disabled.
The Administrator account gives the user complete access (Full Control permissions) of the files, directories, services, and other resources that are on that local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. Administrator can also be used to take control of local resources at any time simply by changing the user rights and permissions. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.
**Account group membership**
The Administrator account has membership in the default security groups as described in the Administrator account attributes table later in this topic.
The security groups ensure that you can control administrator rights without having to change each Administrator account. In most instances, you do not have to change the basic settings for this account. However, you might have to change its advanced settings, such as membership in particular groups.
**Security considerations**
After installation of the server operating system, your first task is to set up the Administrator account properties securely. This includes setting up an especially long, strong password, and securing the Remote control and Remote Desktop Services profile settings.
The Administrator account can also be disabled when it is not required. Renaming or disabling the Administrator account makes it more difficult for malicious users to try to gain access to the account. However, even when the Administrator account is disabled, it can still be used to gain access to a domain controller by using safe mode.
On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources.
**Note**  
When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards.
 
When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation.
**Administrator account attributes**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-500</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>User</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
</tr>
<tr class="even">
<td><p>Default members</p></td>
<td><p>N/A</p></td>
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p>Administrators, Domain Admins, Enterprise Administrators, Domain Users. Note that the Primary Group ID of all user accounts is Domain Users.</p>
<p>Group Policy Creator Owners, and Schema Admins in Active Directory</p>
<p>Domain Users group</p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>Safe to move out of default container?</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>Safe to delegate management of this group to non-service administrators?</p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
 
## <a href="" id="sec-guest"></a>Guest account
The Guest account is a default local account has limited access to the computer and is disabled by default. The Guest account cannot be deleted or disabled, and the account name cannot be changed. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.
The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain.
**Account group membership**
The Guest account has membership in the default security groups that are described in the following Guest account attributes table. By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain.
A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one or more computers.
**Security considerations**
Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with restricted rights and permissions for a very limited period of time.
When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access:
- Do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
- Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
- Do not use the Guest account when the server has external network access or access to other computers.
If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution.
In addition, an administrator is responsible for managing the Guest account. The administrator monitors the Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as needed.
For details about the Guest account attributes, see the following table.
**Guest account attributes**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-501</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>User</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
</tr>
<tr class="even">
<td><p>Default members</p></td>
<td><p>None</p></td>
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p>Guests, Domain Guests</p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
<td><p>No</p></td>
</tr>
<tr class="odd">
<td><p>Safe to move out of default container?</p></td>
<td><p>Can be moved out, but we do not recommend it.</p></td>
</tr>
<tr class="even">
<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
 
## <a href="" id="sec-helpassistant"></a>HelpAssistant account (installed with a Remote Assistance session)
The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the users invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
**Security considerations**
The SIDs that pertain to the default HelpAssistant account include:
- SID: S-1-5-&lt;domain&gt;-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
- SID: S-1-5-&lt;domain&gt;-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
For details about the HelpAssistant account attributes, see the following table.
**HelpAssistant account attributes**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-13 (Terminal Server User), S-1-5-&lt;domain&gt;-14 (Remote Interactive Logon)</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>User</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
</tr>
<tr class="even">
<td><p>Default members</p></td>
<td><p>None</p></td>
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p>Domain Guests</p>
<p>Guests</p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
<td><p>No</p></td>
</tr>
<tr class="odd">
<td><p>Safe to move out of default container?</p></td>
<td><p>Can be moved out, but we do not recommend it.</p></td>
</tr>
<tr class="even">
<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
 
## <a href="" id="sec-krbtgt"></a>KRBTGT account
The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.
KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.
Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.
### KRBTGT account maintenance considerations
A strong password is assigned to the KRBTGT account automatically. Be sure that you change the password on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
On occasion, the KRBTGT account password requires a reset, for example, when an attempt to change the password on the KRBTGT account fails. In order to resolve this issue, you reset the KRBTGT user account password twice by using Active Directory Users and Computers. You must reset the password twice because the KRBTGT account stores only two of the most recent passwords in the password history. By resetting the password twice, you effectively clear all passwords from the password history.
Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
After you reset the KRBTGT password, ensure that event ID 6 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
### Security considerations
It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password.
An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort.
The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected.
For all account types (users, computers, and services)
- All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid.
- All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate.
- NTLM authenticated connections are not affected
Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected.
**Important**  
Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
### Read-only domain controllers and the KRBTGT account
Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy.
After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.
### KRBTGT account attributes
For details about the KRBTGT account attributes, see the following table.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-502</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>User</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
</tr>
<tr class="even">
<td><p>Default members</p></td>
<td><p>None</p></td>
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p>Domain Users group. Note that the Primary Group ID of all user accounts is Domain Users.</p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>Safe to move out of default container?</p></td>
<td><p>Can be moved out, but we do not recommend it.</p></td>
</tr>
<tr class="even">
<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
 
## <a href="" id="sec-account-settings"></a>Settings for default local accounts in Active Directory
Each default local account in Active Directory has a number of account settings that you can use to configure password settings and security-specific information, as described in the following table.
**Settings for default local accounts in Active Directory**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Account settings</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>User must change password at next logon</p></td>
<td><p>Forces a password change the next time that the user logs signs in to the network. Use this option when you want to ensure that the user is the only person to know his or her password.</p></td>
</tr>
<tr class="even">
<td><p>User cannot change password</p></td>
<td><p>Prevents the user from changing the password. Use this option when you want to maintain control over a user account, such as for a Guest or temporary account.</p></td>
</tr>
<tr class="odd">
<td><p>Password never expires</p></td>
<td><p>Prevents a user password from expiring. It is a best practice to enable this option with service accounts and to use strong passwords.</p></td>
</tr>
<tr class="even">
<td><p>Store passwords using reversible encryption</p></td>
<td><p>Provides support for applications that use protocols requiring knowledge of the plaintext form of the users password for authentication purposes.</p>
<p>This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).</p></td>
</tr>
<tr class="odd">
<td><p>Account is disabled</p></td>
<td><p>Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.</p></td>
</tr>
<tr class="even">
<td><p>Smart card is required for interactive logon</p></td>
<td><p>Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.</p>
<p>When this attribute is applied on the account, the effect is as follows:</p>
<ul>
<li><p>The attribute only restricts initial authentication for interactive logon and Remote Desktop logon. When interactive or Remote Desktop logon requires a subsequent network logon, such as with a domain credential, an NT Hash provided by the domain controller is used to complete the smartcard authentication process</p></li>
<li><p>Each time the attribute is enabled on an account, the accounts current password hash value is replaced with a 128-bit random number. This invalidates the use of any previously configured passwords for the account. The value does not change after that unless a new password is set or the attribute is disabled and re-enabled.</p></li>
<li><p>Accounts with this attribute cannot be used to start services or run scheduled tasks.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>Account is trusted for delegation</p></td>
<td><p>Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the <strong>Delegation</strong> tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the <strong>setspn</strong> command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.</p></td>
</tr>
<tr class="even">
<td><p>Account is sensitive and cannot be delegated</p></td>
<td><p>Gives control over a user account, such as for a Guest account or a temporary account. This option can be used if this account cannot be assigned for delegation by another account.</p></td>
</tr>
<tr class="odd">
<td><p>Use DES encryption types for this account</p></td>
<td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
<div class="alert">
<strong>Note</strong>  
<p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td><p>Do not require Kerberos preauthentication</p></td>
<td><p>Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option. Note that domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time.</p></td>
</tr>
</tbody>
</table>
 
## <a href="" id="sec-manage-local-accounts"></a>Manage default local accounts in Active Directory
After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers. Default local accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers Microsoft Management Console (MMC) and by using command-line tools.
You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner.
For more information about creating and managing local user accounts in Active Directory, see [Manage Local Users](http://technet.microsoft.com/library/cc731899.aspx).
You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network.
You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool. For more information, see [Microsoft Security Compliance Manager](http://technet.microsoft.com/library/cc677002.aspx).
Some of the default local user accounts are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This security descriptor is present on the AdminSDHolder object.
This means, when you want to modify the permissions on a service administrator group or on any of its member accounts, you are also required to modify the security descriptor on the AdminSDHolder object. This approach ensures that the permissions are applied consistently. Be careful when you make these modifications, because this action can also affect the default settings that are applied to all of your protected administrative accounts.
## <a href="" id="sec-restrict-protect-accounts"></a>Restrict and protect sensitive domain accounts
Restricting and protecting domain accounts in your domain environment requires you to adopt and implement the following best practices approach:
- Strictly limit membership to the Administrators, Domain Admins, and Enterprise Admins groups.
- Stringently control where and how domain accounts are used.
Member accounts in the Administrators, Domain Admins, and Enterprise Admins groups in a domain or forest are high-value targets for malicious users. It is a best practice to strictly limit membership to these administrator groups to the smallest number of accounts in order to limit any exposure. Restricting membership in these groups reduces the possibility that an administrator might unintentionally misuse these credentials and create a vulnerability that malicious users can exploit.
Moreover, it is a best practice to stringently control where and how sensitive domain accounts are used. Restrict the use of Domain Admins accounts and other administrator accounts to prevent them from being used to sign in to management systems and workstations that are secured at the same level as the managed systems. When administrator accounts are not restricted in this manner, each workstation from which a domain administrator signs in provides another location that malicious users can exploit.
Implementing these best practices is separated into the following tasks:
- [Separate administrator accounts from user accounts](#task1-separate-admin-accounts)
- [Create dedicated workstation hosts for administrators](#task2-admin-workstations)
- [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon)
- [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation)
Note that, to provide for instances where integration challenges with the domain environment are expected, each task is described according to the requirements for a minimum, better, and ideal implementation. As with all significant changes to a production environment, ensure that you test these changes thoroughly before you implement and deploy them. Then stage the deployment in a manner that allows for a rollback of the change in case technical issues occur.
### <a href="" id="task1-separate-admin-accounts"></a>Separate administrator accounts from user accounts
Restrict Domain Admins accounts and other sensitive accounts to prevent them from being used to sign in to lower trust servers and workstations. Restrict and protect administrator accounts by segregating administrator accounts from standard user accounts, by separating administrative duties from other tasks, and by limiting the use of these accounts. Create dedicated accounts for administrative personnel who require administrator credentials to perform specific administrative tasks, and then create separate accounts for other standard user tasks, according to the following guidelines:
- **Privileged account**. Allocate administrator accounts to perform the following administrative duties only:
- **Minimum**. Create separate accounts for domain administrators, enterprise administrators, or the equivalent with appropriate administrator rights in the domain or forest. Use accounts that have been granted sensitive administrator rights only to administer domain data and domain controllers.
- **Better**. Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators, and accounts with user rights over designated Active Directory organizational units (OUs).
- **Ideal**. Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels. Set up each administrator account with significantly different user rights, such as for workstation administration, server administration and domain administration, to let the administrator sign in to given workstations, servers and domain controllers based strictly on his or her job responsibilities.
- **Standard user account**. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights.
**Important**  
Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section.
 
### <a href="" id="task2-admin-workstations"></a>Create dedicated workstation hosts without Internet and email access
Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks. Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see [Separate administrator accounts from user accounts](#task1-separate-admin-accounts).
**Note**  
If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task.
 
- **Minimum**. Build dedicated administrative workstations and block Internet access on those workstations including web browsing and email. Use the following ways to block Internet access:
- Configure authenticating boundary proxy services, if they are deployed, to disallow administrator accounts from accessing the Internet.
- Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that are assigned to dedicated administrative workstations.
- Block outbound access to the boundary proxy servers in the Windows Firewall.
The instructions for meeting this minimum requirement are described in the following procedure.
- **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections.
- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md).
The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
**Note**  
In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure.
**To install administrative workstations in a domain and block Internet and email access (minimum)**
1. As a domain administrator on a domain controller, open Active Directory Users and Computers, and create a new OU for administrative workstations.
2. Create computer accounts for the new workstations.
> **Note**&nbsp;&nbsp;You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif)
3. Close Active Directory Users and Computers.
4. Start the **Group Policy Management** Console (GPMC).
5. Right-click the new OU, and &gt; **Create a GPO in this domain, and Link it here**.
![Active Directory local accounts](images/adlocalaccounts-proc1-sample2.png)
6. Name the GPO, and &gt; **OK**.
7. Expand the GPO, right-click the new GPO, and &gt; **Edit**.
![Active Directory local accounts](images/adlocalaccounts-proc1-sample3.png)
8. Configure which members of accounts can log on locally to these administrative workstations as follows:
1. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**.
2. Double-click **Allow log on locally**, and then select the **Define these policy settings** check box.
3. Click **Add User or Group** &gt; **Browse**, type **Enterprise Admins**, and &gt; **OK**.
4. Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
**Important**  
These instructions assume that the workstation is to be dedicated to domain administrators.
 
5. Click **Add User or Group**, type **Administrators**, and &gt; **OK**.
![Active Directory local accounts](images/adlocalaccounts-proc1-sample4.png)
9. Configure the proxy configuration:
1. Navigate to User Configuration\\Policies\\Windows Settings\\Internet Explorer, and &gt; **Connection**.
2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and &gt; **OK**.
![Active Directory local accounts](images/adlocalaccounts-proc1-sample5.png)
10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows:
1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\System, and &gt; **Group Policy**.
2. Double-click **User Group Policy loopback policy processing mode**, and &gt; **Enabled**.
3. Select **Merge Mode**, and &gt; **OK**.
11. Configure software updates as follows:
1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\Windows Components, and then click **Windows Update**.
2. Configure Windows Update settings as described in the following table.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p><strong>Windows Update Setting</strong></p></td>
<td><p><strong>Configuration</strong></p></td>
</tr>
<tr class="even">
<td><p>Allow Automatic Updates immediate installation</p></td>
<td><p>Enabled</p></td>
</tr>
<tr class="odd">
<td><p>Configure Automatic Updates</p></td>
<td><p>Enabled<br>4 - Auto download and schedule the installation<br>0 - Every day 03:00</p></td>
</tr>
<tr class="even">
<td><p>Enable Windows Update Power Management to automatically wake up the system to install scheduled updates</p></td>
<td><p>Enabled</p></td>
</tr>
<tr class="odd">
<td><p>Specify intranet Microsoft Update service location</p></td>
<td><p>Enabled http://&lt;WSUSServername&gt; http://&lt;WSUSServername&gt; Where &lt;WSUSServername&gt; is the DNS name or IP address of the Windows Server Update Services (WSUS) in the environment.</p></td>
</tr>
<tr class="even">
<td><p>Automatic Updates detection frequency</p></td>
<td><p>6 hours</p></td>
</tr>
<tr class="odd">
<td><p>Re-prompt for restart with scheduled installations</p></td>
<td><p>1 minute</p></td>
</tr>
<tr class="even">
<td><p>Delay restart for scheduled installations</p></td>
<td><p>5 minutes</p></td>
</tr>
</tbody>
</table>
> **Note**&nbsp;&nbsp;This step assumes that Windows Server Update Services (WSUS) is installed and configured in the environment. You can skip this step if you use another tool to deploy software updates. Also, if the public Microsoft Windows Update service only is used on the Internet, then these administrative workstations no longer receive updates.
12. Configure the inbound firewall to block all connections as follows:
1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and &gt; **Properties**.
![Active Directory local accounts](images/adlocalaccounts-proc1-sample6.png)
2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**.
![Active Directory local accounts](images/adlocalaccounts-proc1-sample7.png)
3. Click **OK** to complete the configuration.
13. Close the Group Policy Management Console.
14. Install the Windows operating system on the workstations, give each workstation the same names as the computer accounts assigned to them, and then join them to the domain.
### <a href="" id="task3-restrict-admin-logon"></a>Restrict administrator logon access to servers and workstations
It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer.
**Important**  
Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation.
 
Restrict logon access to lower-trust servers and workstations by using the following guidelines:
- **Minimum**. Restrict domain administrators from having logon access to servers and workstations. Before starting this procedure, identify all OUs in the domain that contain workstations and servers. Any computers in OUs that are not identified will not restrict administrators with sensitive accounts from signing-in to them.
- **Better**. Restrict domain administrators from non-domain controller servers and workstations.
- **Ideal**. Restrict server administrators from signing in to workstations, in addition to domain administrators.
**Note**  
For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations)
 
**To restrict domain administrators from workstations (minimum)**
1. As a domain administrator, open the Group Policy Management Console (GPMC).
2. Open **Group Policy Management**, and expand *&lt;forest&gt;*\\Domains\\*&lt;domain&gt;*, and then expand to **Group Policy Objects**.
3. Right-click **Group Policy Objects**, and &gt; **New**.
![Active Directory local accounts](images/adlocalaccounts-proc2-sample1.png)
4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and &gt; **OK**.
![Active Directory local accounts](images/adlocalaccounts-proc2-sample2.png)
5. Right-click **New GPO**, and &gt; **Edit**.
6. Configure user rights to deny logon locally for domain administrators.
7. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**, and perform the following:
1. Double-click **Deny logon locally**, and &gt; **Define these policy settings**.
2. Click **Add User or Group**, click **Browse**, type **Enterprise Admins**, and &gt; **OK**.
3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and &gt; **OK**.
![Active Directory local accounts](images/adlocalaccounts-proc2-sample3.png)
**Note**  
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
 
4. Click **OK** to complete the configuration.
8. Configure the user rights to deny batch and service logon rights for domain administrators as follows:
**Note**  
Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services.
 
1. Double-click **Deny logon as a batch job**, and &gt; **Define these policy settings**.
2. Click **Add User or Group** &gt; **Browse**, type **Enterprise Admins**, and &gt; **OK**.
3. Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
![Active Directory local accounts](images/adlocalaccounts-proc2-sample4.png)
**Note**  
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
 
4. Double-click **Deny logon as a service**, and &gt; **Define these policy settings**.
5. Click **Add User or Group** &gt; **Browse**, type **Enterprise Admins**, and &gt; **OK**.
6. Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
![Active Directory local accounts](images/adlocalaccounts-proc2-sample5.png)
**Note**  
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
 
9. Link the GPO to the first Workstations OU.
Navigate to the *&lt;forest&gt;*\\Domains\\*&lt;domain&gt;*\\OU Path, and then:
1. Right-click the workstation OU, and then &gt; **Link an Existing GPO**.
![Active Directory local accounts](images/adlocalaccounts-proc2-sample6.png)
2. Select the GPO that you just created, and &gt; **OK**.
![Active Directory local accounts](images/adlocalaccounts-proc2-sample7.png)
10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.
11. Link all other OUs that contain workstations.
However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations).
**Important**  
If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators.
 
### <a href="" id="task4-disable-account-delegation"></a>Disable the account delegation right for sensitive administrator accounts
Although user accounts are not marked for delegation by default, accounts in an Active Directory domain can be trusted for delegation. This means that a service or a computer that is trusted for delegation can impersonate an account that authenticates to them to access other resources across the network.
For sensitive accounts, such as those belonging to members of the Administrators, Domain Admins, or Enterprise Admins groups in Active Directory, delegation can present a substantial risk of rights escalation. For example, if an account in the Domain Admins group is used to sign in to a compromised member server that is trusted for delegation, that server can request access to resources in the context of the Domain Admins account, and escalate the compromise of that member server to a domain compromise.
It is a best practice to configure the user objects for all sensitive accounts in Active Directory by selecting the **Account is sensitive and cannot be delegated** check box under **Account options** to prevent these accounts from being delegated. For more information, see [Setting for default local accounts in Active Directory](#sec-account-settings).
As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it.
![Active Directory local accounts](images/adlocalaccounts-proc3-sample1.png)
## <a href="" id="sec-secure-manage-dcs"></a>Secure and manage domain controllers
It is a best practice to strictly enforce restrictions on the domain controllers in your environment. This ensures that the domain controllers:
1. Run only required software
2. Required software is regularly updated
3. Are configured with the appropriate security settings
One aspect of securing and managing domain controllers is to ensure that the default local user accounts are fully protected. It is of primary importance to restrict and secure all sensitive domain accounts, as described in the preceding sections.
Because domain controllers store credential password hashes of all accounts in the domain, they are high-value targets for malicious users. When domain controllers are not well managed and secured by using restrictions that are strictly enforced, they can be compromised by malicious users. For example, a malicious user could steal sensitive domain administrator credentials from one domain controller, and then use these credentials to attack the domain and forest.
In addition, installed applications and management agents on domain controllers might provide a path for escalating rights that malicious users can use to compromise the management service or administrators of that service. The management tools and services, which your organization uses to manage domain controllers and their administrators, are equally important to the security of the domain controllers and the domain administrator accounts. Ensure that these services and administrators are fully secured with equal effort.
## See also
- [Security Principals](security-principals.md)
- [Access Control Overview](access-control.md)
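Review bot: several rows of the deleted account-settings table carry defects that should not be copied over verbatim when this topic is re-added under the new TOC. The "Use DES encryption types for this account" row lists MPPE and IPsec encryption strengths (40-bit, 56-bit, 128-bit, 3DES), which are VPN/RRAS cipher levels and not the Kerberos DES-CBC-MD5 / DES-CBC-CRC encryption types that the row's own note refers to; the "Do not require Kerberos preauthentication" row ends with a sentence about domain controllers synchronizing time that has nothing to do with preauthentication; "logs signs in" and "the users password" in the first rows need the stray word and the apostrophe fixed; and the link text "Setting for default local accounts in Active Directory" under task 4 should match the heading "Settings for default local accounts in Active Directory". Also confirm that the in-page anchors (`#sec-account-settings`, `#task1-separate-admin-accounts` through `#task4-disable-account-delegation`) and the relative links to `applocker-overview.md`, `security-principals.md` and `access-control.md` still resolve from the file's new location.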


@ -1,83 +0,0 @@
---
title: Add Production Devices to the Membership Group for a Zone (Windows 10)
description: Add Production Devices to the Membership Group for a Zone
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Add Production Devices to the Membership Group for a Zone
**Applies to**
- Windows 10
- Windows Server 2016
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
**Caution**  
For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode.
 
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group
1. Open Active Directory Users and Computers.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group.
3. In the details pane, double-click the GPO membership group to which you want to add computers.
4. Select the **Members** tab, and then click **Add**.
5. Type **Domain Computers** in the text box, and then click **OK**.
6. Click **OK** to close the group properties dialog box.
After a computer is a member of the group, you can force a Group Policy refresh on the computer.
## To refresh Group Policy on a device
From an elevated command prompt, type the following:
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
## To see which GPOs are applied to a device
From an elevated command prompt, type the following:
``` syntax
gpresult /r /scope:computer
```
 
 

@ -1,23 +0,0 @@
---
title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10)
description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Add rules for packaged apps to existing AppLocker rule-set
**Applies to**
- Windows 10
This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center.
RSAT comes with the Group Policy Management Console, which allows you to edit the GPO or GPOs in which your existing AppLocker policies are authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules are ignored on computers running Windows 7 and earlier, but are enforced on computers in your domain running at least Windows Server 2012 or Windows 8.
 
 

@ -1,77 +0,0 @@
---
title: Add Test Devices to the Membership Group for a Zone (Windows 10)
description: Add Test Devices to the Membership Group for a Zone
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Add Test Devices to the Membership Group for a Zone
**Applies to**
- Windows 10
- Windows Server 2016
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add test devices to the GPO membership groups
1. Open Active Directory Users and Computers.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account.
3. In the details pane, double-click the GPO membership group to which you want to add devices.
4. Select the **Members** tab, and then click **Add**.
5. Type the name of the device in the text box, and then click **OK**.
6. Repeat steps 4 and 5 for each additional device account or group that you want to add.
7. Click **OK** to close the group properties dialog box.
After a device is a member of the group, you can force a Group Policy refresh on the device.
## To refresh Group Policy on a device
From an elevated command prompt, run the following (`gpupdate` has no `device` target; the computer-side policy is refreshed with `/target:computer`):
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
## To see which GPOs are applied to a device
From an elevated command prompt, run the following:
``` syntax
gpresult /r /scope:computer
```
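The two procedures above (populating a zone membership group, refreshing Group Policy, then reading `gpresult`) can be scripted and turned into a pass/fail check, which matters because a device that silently picks up the wrong GPO is exactly what will block traffic once rules move from request to require mode. The following PowerShell is an added example, not code from the original topic: the group, GPO and OU names are assumptions, and the RSoP report element names (`ComputerResults/GPO` with `FilterAllowed` and `AccessDenied`) are taken from the XML that `Get-GPResultantSetOfPolicy` emits. One caveat the procedure glosses over: a computer's security-group membership travels in its Kerberos ticket, so `gpupdate /force` alone does not see the new membership until the SYSTEM logon session's tickets are purged (`klist -li 0x3e7 purge`) or the device restarts; the script purges them before refreshing.

```powershell
# Added example: add one test device per OS version to a zone membership group,
# refresh Group Policy on each one, and verify that only the intended GPOs applied.
# Group, GPO and OU names below are assumptions for this example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$MembershipGroup = 'CG_DOMISO_IsolatedDomain'             # assumed zone membership group
$ExpectedGpos    = @('CG_DOMISO_IsolatedDomain_Policy')    # assumed: must apply to every member
$ForbiddenGpos   = @('CG_DOMISO_Boundary_Policy',          # assumed: must never apply to a member
                     'CG_DOMISO_NOIPSEC_Policy')
$TestOu          = 'OU=IsolationTest,DC=corp,DC=example'   # assumed OU holding the test devices

# One test device per operating system version, as the topic recommends.
$testDevices = Get-ADComputer -SearchBase $TestOu -Filter * -Properties OperatingSystem |
    Group-Object OperatingSystem |
    ForEach-Object { $_.Group | Select-Object -First 1 }

Add-ADGroupMember -Identity $MembershipGroup -Members $testDevices

$results = foreach ($d in $testDevices) {
    # Purge the computer account's tickets (logon session 0x3e7 = SYSTEM) so the
    # refresh below evaluates security-group filtering with the new membership.
    Invoke-Command -ComputerName $d.DNSHostName -ScriptBlock { klist -li 0x3e7 purge | Out-Null }
    Invoke-GPUpdate -Computer $d.DNSHostName -Target Computer -Force -RandomDelayInMinutes 0

    # Same information as 'gpresult /r /scope:computer', but as XML we can assert on
    # (element names assumed from the RSoP report schema).
    $rsop = [xml](Get-GPResultantSetOfPolicy -Computer $d.DNSHostName -ReportType Xml)
    $applied = @($rsop.Rsop.ComputerResults.GPO |
        Where-Object { $_.FilterAllowed -eq 'true' -and $_.AccessDenied -eq 'false' } |
        Select-Object -ExpandProperty Name)

    $missing   = @($ExpectedGpos  | Where-Object { $applied -notcontains $_ })
    $forbidden = @($ForbiddenGpos | Where-Object { $applied -contains $_ })

    [pscustomobject]@{
        Device    = $d.Name
        OS        = $d.OperatingSystem
        Applied   = ($applied   -join ', ')
        Missing   = ($missing   -join ', ')
        Forbidden = ($forbidden -join ', ')
        Pass      = ($missing.Count -eq 0 -and $forbidden.Count -eq 0)
    }
}

$results | Format-Table -AutoSize

# Stop here if any device failed: widening the rollout with a mis-filtered GPO in place
# is how a later switch to 'require' mode cuts devices off the network.
if ($results | Where-Object { -not $_.Pass }) {
    throw 'GPO filtering check failed on at least one test device; do not widen the deployment.'
}
```

Run it from a management workstation with RSAT installed, as an account that has RSoP logging rights on the test devices. The `Forbidden` column is the important one: a member of the isolated domain that also receives the boundary or no-IPsec GPO is the mis-filtered case the preceding topic warns about.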
 
 

@ -1,95 +0,0 @@
---
title: Add workstations to domain (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting.
ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Add workstations to domain
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Add workstations to domain** security policy setting.
## Reference
This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain.
Adding a machine account to the domain allows the device to participate in Active Directory-based networking.
Constant: SeMachineAccountPrivilege
### Possible values
- User-defined list of accounts
- Not Defined
### Best practices
- Configure this setting so that only authorized members of the IT team are allowed to add devices to the domain.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\
### Default values
By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Not Defined |
| Stand-Alone Server Default Settings | Not Defined |
| Domain Controller Effective Default Settings | Authenticated Users |
| Member Server Effective Default Settings | Not Defined |
| Client Computer Effective Default Settings | Not Defined |
## Policy management
Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they have the **Add workstations to domain** user right.
Furthermore, machine accounts that are created by means of the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created by means of permissions on the Computers container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstations to domain** user right, the device is added based on the Computers container permissions rather than the user right.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
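The preceding paragraphs describe three separate ways an account can join machines to a domain: the user right (capped by the ten-workstation quota), the `ms-DS-MachineAccountQuota` attribute behind that cap, and direct Create Computer Objects permission on the Computers container (uncapped, creator-owned). Before applying the countermeasure below it helps to know which of these paths is open. The following PowerShell is an added example, not part of the original topic; it assumes you run it with domain administrator rights and that PowerShell remoting to the PDC emulator works. The computer class GUID it uses is the published `schemaIDGUID` of the `computer` class.

```powershell
# Added example: audit who can add devices to this domain, and by which path.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dc     = $domain.PDCEmulator

# 1. The user right as effective on a DC. secedit exports an INF whose
#    [Privilege Rights] section contains a line such as
#    'SeMachineAccountPrivilege = *S-1-5-11' (SIDs are prefixed with '*').
$infLines = Invoke-Command -ComputerName $dc -ScriptBlock {
    $tmp = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    Get-Content -Path $tmp
    Remove-Item -Path $tmp
}
$rightLine = $infLines | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
$holders = @()
if ($rightLine) {
    $holders = ($rightLine -split '=', 2)[1] -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # unresolvable SID: report it raw rather than drop it
    }
}

# 2. The quota that caps joins made through the user right (default 10; 0 closes this path).
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# 3. Direct Create Computer Objects permission on CN=Computers: unlimited joins,
#    and the creator (not Domain Admins) owns the resulting machine account.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$acl = Get-Acl -Path ('AD:\' + $domain.ComputersContainer)
$creators = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $computerClass)
    } |
    Select-Object -ExpandProperty IdentityReference -Unique |
    ForEach-Object { $_.Value }

[pscustomobject]@{
    Domain                    = $domain.DNSRoot
    AddWorkstationsToDomain   = ($holders  -join ', ')
    MachineAccountQuota       = $quota
    CreateComputerObjectsOnCN = ($creators -join ', ')
    # The best practice in this topic is not met while a broad principal still
    # holds the right together with a non-zero quota.
    BroadJoinAllowed          = [bool]($quota -gt 0 -and ($holders -match 'Authenticated Users|Domain Users|Everyone'))
}
```

If `BroadJoinAllowed` is true, remove the broad principal from the user right in the Default Domain Controllers Policy (or set the quota to 0) and grant Create Computer Objects on the relevant OU to the IT group that should actually be joining machines; check the third column too, because a container permission bypasses the user right entirely.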
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This policy has the following security considerations:
### Vulnerability
The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group.
### Countermeasure
Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain.
### Potential impact
For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain.
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
 
 

@ -1,612 +0,0 @@
---
title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
## Additional mitigations
Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and using derived credentials directly from a compromised device, reusing credentials that were stolen before Credential Guard was enabled, and abusing management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
### Restricting domain users to specific domain-joined devices
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
#### Kerberos armoring
Kerberos armoring is part of RFC 6113 (Kerberos FAST). When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession, which mitigates offline dictionary attacks. Kerberos armoring also signs KDC errors, which mitigates tampering that could otherwise lead to, for example, downgrade attacks.
**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy setting under **Computer Configuration** > **Administrative Templates** > **System** > **Kerberos**.
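An authentication policy that depends on armoring fails open in a subtle way: a client that reaches a DC not advertising armoring simply does not armor, and the DC then has no device identity to check. It is therefore worth verifying the three prerequisites above on every DC and every restricted device before relying on them. The following PowerShell is an added example, not part of the original topic. The registry values it reads are the ones the two Group Policy settings above write (`EnableCbacAndArmor` and `CbacAndArmorLevel` under the KDC key, `EnableCbacAndArmor` under the Kerberos client parameters key); that mapping and the level values are assumptions to confirm against an RSoP report on your build, and the device group name is made up for the example. Credential Guard's running state comes from the `Win32_DeviceGuard` class.

```powershell
# Added example: verify Kerberos armoring prerequisites on all DCs and on each device
# the authentication policy will restrict users to. Registry paths/values assumed from
# the policy settings named above; check an RSoP report if your build differs.
Import-Module ActiveDirectory

$KdcKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC'
$ClientKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$DeviceGroup = 'CredGuard_Devices'   # assumed group containing the Credential Guard devices

# Domain functional level must be Windows Server 2012 R2 or higher.
$mode = (Get-ADDomain).DomainMode
$levelOk = [int]$mode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain

$dcs     = (Get-ADDomainController -Filter *).HostName
$devices = (Get-ADGroupMember -Identity $DeviceGroup | Get-ADComputer).DNSHostName

$kdcState = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $v = Get-ItemProperty -Path $using:KdcKey -ErrorAction SilentlyContinue
    # Assumed mapping: 'Supported' writes CbacAndArmorLevel=1, 'Always provide claims' writes 2.
    [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Role   = 'KDC'
        Ok     = ($v.EnableCbacAndArmor -eq 1 -and $v.CbacAndArmorLevel -ge 1)
        Detail = "EnableCbacAndArmor=$($v.EnableCbacAndArmor) CbacAndArmorLevel=$($v.CbacAndArmorLevel)"
    }
}

$clientState = Invoke-Command -ComputerName $devices -ScriptBlock {
    $v  = Get-ItemProperty -Path $using:ClientKey -ErrorAction SilentlyContinue
    # SecurityServicesRunning contains 1 when Credential Guard is actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cg = ($dg.SecurityServicesRunning -contains 1)
    [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Role   = 'Client'
        Ok     = ($v.EnableCbacAndArmor -eq 1 -and $cg)
        Detail = "EnableCbacAndArmor=$($v.EnableCbacAndArmor) CredentialGuardRunning=$cg"
    }
}

$all = @($kdcState) + @($clientState)
$all | Select-Object Host, Role, Ok, Detail | Format-Table -AutoSize

if (-not $levelOk) { Write-Warning "Domain functional level is $mode; Windows2012R2Domain or higher is required." }
# Treat any single failure as blocking: one unarmored DC is enough for a client to fall back.
if (-not $levelOk -or ($all | Where-Object { -not $_.Ok })) {
    throw 'Kerberos armoring prerequisites are not met everywhere; do not enforce the authentication policy yet.'
}
```

Run it as a domain administrator from a machine with RSAT. Re-run it whenever a DC is added, since a new DC that has not yet applied the KDC policy reintroduces the fallback path.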
#### Protecting domain-joined device secrets
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- KDC EKU present
- DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
##### Deploying domain-joined device certificates
To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
**Creating a new certificate template**
1. From the Certification Authority console, right-click **Certificate Templates**, and then click **Manage**.
2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
3. Right-click the new template, and then click **Properties**.
4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
5. Click **Client Authentication**, and then click **Remove**.
6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
- Name: Kerberos Client Auth
- Object Identifier: 1.3.6.1.5.2.3.4
7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
8. Under **Issuance Policies**, click **High Assurance**.
9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
**Enrolling devices in a certificate**
Run the following command:
``` syntax
CertReq -EnrollCredGuardCert MachineAuthentication
```
> [!NOTE]
> You must restart the device after enrolling the machine authentication certificate.
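Whether the access check later succeeds depends entirely on what ended up inside the enrolled certificate, so it is worth checking the certificate rather than trusting the enrollment output. The following PowerShell is an added example, not part of the original topic: run on a device after enrollment and restart, it finds the machine certificates in the local computer store and confirms each one has the Kerberos client authentication EKU added in step 6, lacks the generic Client Authentication EKU removed in step 5, carries the issuance policy OID, and has a UPN in its subject alternative name (step 9). The issuance policy OID is read from its `msPKI-Enterprise-Oid` object (the `msPKI-Cert-Template-OID` attribute and the `flags=2` filter are the same ones the scripts at the end of this topic rely on); matching the OID and the UPN in the formatted extension text is an assumption about the `Format` output rather than a documented API.

```powershell
# Added example: confirm the enrolled machine certificate carries what the access check relies on.
Import-Module ActiveDirectory

$KpClientAuthOid    = '1.3.6.1.5.2.3.4'    # id-pkinit-KPClientAuth, added in the template above
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'  # generic Client Authentication, removed in the template above
$IssuancePolicyName = 'High Assurance'

# Read the issuance policy OID from the directory rather than hard-coding it.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ipObject = Get-ADObject -SearchBase $cfg -Properties 'msPKI-Cert-Template-OID' `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(flags=2)(displayName=$IssuancePolicyName))"
if (-not $ipObject) { throw "Issuance policy '$IssuancePolicyName' not found." }
$IssuancePolicyOid = $ipObject.'msPKI-Cert-Template-OID'

function Test-CredGuardDeviceCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus     = @($Cert.EnhancedKeyUsageList.ObjectId)
    $policies = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }   # Certificate Policies
    $san      = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    [pscustomobject]@{
        Thumbprint         = $Cert.Thumbprint
        Subject            = $Cert.Subject
        NotAfter           = $Cert.NotAfter
        HasPrivateKey      = $Cert.HasPrivateKey
        KerberosClientAuth = ($ekus -contains $KpClientAuthOid)
        GenericClientAuth  = ($ekus -contains $ClientAuthOid)      # must be $false for this template
        # Text matching against Format() output is an assumption; inspect one certificate by hand first.
        IssuancePolicy     = [bool]($policies -and $policies.Format($true) -match [regex]::Escape($IssuancePolicyOid))
        UpnInSan           = [bool]($san -and $san.Format($true) -match 'Principal Name=')
    }
}

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object { Test-CredGuardDeviceCert -Cert $_ }
$report | Format-Table -AutoSize

$good = $report | Where-Object {
    $_.HasPrivateKey -and $_.KerberosClientAuth -and $_.IssuancePolicy -and $_.UpnInSan -and -not $_.GenericClientAuth
}
if (-not $good) {
    throw 'No machine certificate satisfies the template requirements; re-check the template and re-enroll.'
}
```

A certificate that passes every column except `IssuancePolicy` is the common failure: the template was duplicated but the issuance policy was never added in step 7 or 8, and the device will be refused once the authentication policy is enforced.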
 
##### How a certificate issuance policy can be used for access control
Beginning with the Windows Server 2008 R2 domain functional level, domain controller support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
**To see the issuance policies available**
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
From a Windows PowerShell command prompt, run the following command:
``` syntax
.\get-IssuancePolicy.ps1 -LinkedToGroup:All
```
**To link an issuance policy to a universal security group**
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
From a Windows PowerShell command prompt, run the following command:
``` syntax
.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"<name of issuance policy>" -groupOU:"<Name of OU to create>" -groupName:"<name of Universal security group to create>"
```
#### Restricting user sign on
So we now have completed the following:
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring
What is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
Authentication policies have the following requirements:
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
**Creating an authentication policy restricting users to the specific universal security group**
1. Open Active Directory Administrative Center.
2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
3. In the **Display name** box, enter a name for this authentication policy.
4. Under the **Accounts** heading, click **Add**.
5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
6. Under the **User Sign On** heading, click the **Edit** button.
7. Click **Add a condition**.
8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
10. Click **OK** to close the **Edit Access Control Conditions** box.
11. Click **OK** to create the authentication policy.
12. Close Active Directory Administrative Center.
> [!NOTE]
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
##### Discovering authentication failures due to authentication policies
To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the log on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication**, right-click **AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
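The note above recommends auditing before enforcing, and the log above is how you read the audit. The following PowerShell is an added example, not part of the original topic, that does both from a script: it creates the same authentication policy as the numbered procedure but without `-Enforce` (audit mode), assigns it to a user, enables the failure log on every DC and summarizes what the log has recorded. The group, user and policy names are assumptions. The SDDL is the conditional-ACE form for "device is a member of this group"; it is an assumption that it matches what the Active Directory Administrative Center condition editor generates, so build the policy once in the GUI and compare the `UserAllowedToAuthenticateFrom` value that `Get-ADAuthenticationPolicy` returns before trusting the scripted version.

```powershell
# Added example: create the authentication policy in audit mode, enable the failure log,
# and summarize audited failures before switching to enforce.
Import-Module ActiveDirectory

$DeviceGroup    = 'HighAssuranceGroup'   # assumed: the universal group set-IssuancePolicyToGroupLink.ps1 created
$UserToRestrict = 'alice'                # assumed user
$PolicyName     = 'Sign on from Credential Guard devices only'

$group = Get-ADGroup -Identity $DeviceGroup
# 'Allowed to authenticate from' is evaluated against the device presented through armoring,
# so Member_of_any on the group SID expresses 'device is in this group' (assumed; see lead-in).
$sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID($($group.SID.Value))}))"

# No -Enforce: the policy only audits, nothing is blocked.
$policy = New-ADAuthenticationPolicy -Name $PolicyName -UserAllowedToAuthenticateFrom $sddl `
    -ProtectedFromAccidentalDeletion $true -PassThru
Set-ADUser -Identity $UserToRestrict -AuthenticationPolicy $policy

# Enable the operational log on every DC (the Event Viewer step above).
$LogName = 'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController'
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock { wevtutil.exe sl $using:LogName /e:true }

# After a period of normal use: every entry is a sign-on that enforcement would have refused,
# i.e. a device without the certificate/issuance policy that must be fixed first.
$since  = (Get-Date).AddDays(-1)
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue
}
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId = $_.Name
        Count   = $_.Count
        Sample  = ($_.Group[0].Message -split "`n")[0]
    }
} | Format-Table -AutoSize

# Only once the audit is clean:
# Set-ADAuthenticationPolicy -Identity $PolicyName -Enforce $true
```

Leave the policy in audit mode for at least one full cycle of the user's normal activity (including any remote access and scheduled tasks that run as that user), because, as the note above says, enforcement applies to both local and remote sign-on.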
### Appendix: Scripts
Here is a list of scripts mentioned in this topic.
#### <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
Save this script file as get-IssuancePolicy.ps1.
``` syntax
#######################################
## Parameters to be defined ##
## by the user ##
#######################################
Param (
$Identity,
$LinkedToGroup
)
#######################################
## Strings definitions ##
#######################################
Data getIP_strings {
# culture="en-US"
ConvertFrom-StringData -stringdata @'
help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
help2 = Usage:
help3 = The following parameter is mandatory:
help4 = -LinkedToGroup:<yes|no|all>
help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
help6 = "no" will return only Issuance Policies that are not currently linked to any group.
help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
help8 = The following parameter is optional:
help9 = -Identity:<Name, Distinguished Name or Display Name of the Issuance Policy that you want to retrieve>. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
help11 = Examples:
errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
LinkedIPs = The following Issuance Policies are linked to groups:
displayName = displayName : {0}
Name = Name : {0}
dn = distinguishedName : {0}
InfoName = Linked Group Name: {0}
InfoDN = Linked Group DN: {0}
NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
'@
}
##Import-LocalizedData getIP_strings
import-module ActiveDirectory
#######################################
## Help ##
#######################################
function Display-Help {
""
$getIP_strings.help1
""
$getIP_strings.help2
""
$getIP_strings.help3
" " + $getIP_strings.help4
" " + $getIP_strings.help5
" " + $getIP_strings.help6
" " + $getIP_strings.help7
""
$getIP_strings.help8
" " + $getIP_strings.help9
""
$getIP_strings.help10
""
""
$getIP_strings.help11
" " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
" " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
" " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
""
}
$root = get-adrootdse
$domain = get-addomain -current loggedonuser
$configNCDN = [String]$root.configurationNamingContext
if ( !($Identity) -and !($LinkedToGroup) ) {
display-Help
break
}
if ($Identity) {
$OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
if ($OIDs -eq $null) {
$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
write-host $errormsg -ForegroundColor Red
}
foreach ($OID in $OIDs) {
if ($OID."msDS-OIDToGroupLink") {
# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
$groupDN = $OID."msDS-OIDToGroupLink"
$group = get-adgroup -Identity $groupDN
$groupName = $group.Name
# Analyze the group
if ($group.groupCategory -ne "Security") {
$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
}
if ($group.groupScope -ne "Universal") {
$errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
}
$members = Get-ADGroupMember -Identity $group
if ($members) {
$errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
write-host $errormsg -ForegroundColor Red
foreach ($member in $members) {
write-host " " $member -ForeGroundColor Red
}
}
}
}
return $OIDs
break
}
if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
$LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
$LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
write-host ""
write-host "*****************************************************"
write-host $getIP_strings.LinkedIPs
write-host "*****************************************************"
write-host ""
if ($LinkedOIDs -ne $null){
foreach ($OID in $LinkedOIDs) {
# Display basic information about the Issuance Policies
""
$getIP_strings.displayName -f $OID.displayName
$getIP_strings.Name -f $OID.Name
$getIP_strings.dn -f $OID.distinguishedName
# Get the linked group.
$groupDN = $OID."msDS-OIDToGroupLink"
$group = get-adgroup -Identity $groupDN
$getIP_strings.InfoName -f $group.Name
$getIP_strings.InfoDN -f $groupDN
# Analyze the group
$OIDName = $OID.displayName
$groupName = $group.Name
if ($group.groupCategory -ne "Security") {
$errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
}
if ($group.groupScope -ne "Universal") {
$errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
}
$members = Get-ADGroupMember -Identity $group
if ($members) {
$errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
write-host $errormsg -ForegroundColor Red
foreach ($member in $members) {
write-host " " $member -ForeGroundColor Red
}
}
write-host ""
}
}else{
write-host "There are no issuance policies that are mapped to a group"
}
if ($LinkedToGroup -eq "yes") {
return $LinkedOIDs
break
}
}
if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
$LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
$NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
write-host ""
write-host "*********************************************************"
write-host $getIP_strings.NonLinkedIPs
write-host "*********************************************************"
write-host ""
if ($NonLinkedOIDs -ne $null) {
foreach ($OID in $NonLinkedOIDs) {
# Display basic information about the Issuance Policies
write-host ""
$getIP_strings.displayName -f $OID.displayName
$getIP_strings.Name -f $OID.Name
$getIP_strings.dn -f $OID.distinguishedName
write-host ""
}
}else{
write-host "There are no issuance policies which are not mapped to groups"
}
if ($LinkedToGroup -eq "no") {
return $NonLinkedOIDs
break
}
}
```
> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
 
#### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
Save the script file as set-IssuancePolicyToGroupLink.ps1.
``` syntax
#######################################
## Parameters to be defined ##
## by the user ##
#######################################
Param (
$IssuancePolicyName,
$groupOU,
$groupName
)
#######################################
## Strings definitions ##
#######################################
Data ErrorMsg {
# culture="en-US"
ConvertFrom-StringData -stringdata @'
help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
help2 = Usage:
help3 = The following parameters are required:
help4 = -IssuancePolicyName:<name or display name of the issuance policy that you want to link to a group>
help5 = -groupName:<name of the group you want to link the issuance policy to>. If no name is specified, any existing link to a group is removed from the Issuance Policy.
help6 = The following parameter is optional:
help7 = -groupOU:<Name of the Organizational Unit dedicated to the groups which are linked to issuance policies>. If this parameter is not specified, the group is looked for or created in the Users container.
help8 = Examples:
help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
OUCreationSuccess = Organizational Unit "{0}" successfully created.
OUcreationError = Error: Organizational Unit "{0}" could not be created.
OUFoundSuccess = Organizational Unit "{0}" was successfully found.
multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
groupCreationSuccess = Universal Security group "{0}" successfully created.
groupCreationError = Error: Universal Security group "{0}" could not be created.
GroupFound = Group "{0}" was successfully found.
confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
UnlinkError = Removing the link failed.
UnlinkExit = Exiting without removing the link from the issuance policy to the group.
IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
LinkError = The certificate issuance policy could not be linked to the specified group.
ExitNoLinkReplacement = Exiting without setting the new link.
'@
}
# import-localizeddata ErrorMsg
function Display-Help {
""
write-host $ErrorMsg.help1
""
write-host $ErrorMsg.help2
""
write-host $ErrorMsg.help3
write-host "`t" $ErrorMsg.help4
write-host "`t" $ErrorMsg.help5
""
write-host $ErrorMsg.help6
write-host "`t" $ErrorMsg.help7
""
""
write-host $ErrorMsg.help8
""
write-host $ErrorMsg.help9
".\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
""
write-host $ErrorMsg.help10
'.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
""
}
# Assumption: The group to which the Issuance Policy is going
# to be linked is (or is going to be created) in
# the domain the user running this script is a member of.
import-module ActiveDirectory
$root = get-adrootdse
$domain = get-addomain -current loggedonuser
if ( !($IssuancePolicyName) ) {
display-Help
break
}
#######################################
## Find the OID object ##
## (aka Issuance Policy) ##
#######################################
$searchBase = [String]$root.configurationnamingcontext
$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
if ($OID -eq $null) {
$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
elseif ($OID.GetType().IsArray) {
$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
else {
$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
write-host $tmp -ForeGroundColor Green
}
#######################################
## Find the container of the group ##
#######################################
if ($groupOU -eq $null) {
# default to the Users container
$groupContainer = $domain.UsersContainer
}
else {
$searchBase = [string]$domain.DistinguishedName
$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
if ($groupContainer.count -gt 1) {
$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
write-host $tmp -ForegroundColor Red
break;
}
elseif ($groupContainer -eq $null) {
$tmp = $ErrorMsg.confirmOUcreation
write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
if ($?){
$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
write-host $tmp -ForegroundColor Green
}
else{
$tmp = $ErrorMsg.OUCreationError -f $groupOU
write-host $tmp -ForeGroundColor Red
break;
}
$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
}
else {
break;
}
}
else {
$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
write-host $tmp -ForegroundColor Green
}
}
#######################################
## Find the group ##
#######################################
if (($groupName -ne $null) -and ($groupName -ne "")){
##$searchBase = [String]$groupContainer.DistinguishedName
$searchBase = $groupContainer
$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
if ($group -ne $null -and $group.gettype().isarray) {
$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
write-host $tmp -ForeGroundColor Red
break;
}
elseif ($group -eq $null) {
$tmp = $ErrorMsg.confirmGroupCreation
write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
if ($?){
$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
write-host $tmp -ForegroundColor Green
}else{
$tmp = $ErrorMsg.groupCreationError -f $groupName
write-host $tmp -ForeGroundColor Red
break
}
$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
}
else {
break;
}
}
else {
$tmp = $ErrorMsg.GroupFound -f $group.Name
write-host $tmp -ForegroundColor Green
}
}
else {
#####
## If the group is not specified, we should remove the link if any exists
#####
if ($OID."msDS-OIDToGroupLink" -ne $null) {
$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
if ($?) {
$tmp = $ErrorMsg.UnlinkSuccess
write-host $tmp -ForeGroundColor Green
}else{
$tmp = $ErrorMsg.UnlinkError
write-host $tmp -ForeGroundColor Red
}
}
else {
$tmp = $ErrorMsg.UnlinkExit
write-host $tmp
break
}
}
else {
$tmp = $ErrorMsg.IPNotLinked
write-host $tmp -ForeGroundColor Yellow
}
break;
}
#######################################
## Verify that the group is ##
## Universal, Security, and ##
## has no members ##
#######################################
if ($group.GroupScope -ne "Universal") {
$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
write-host $tmp -ForeGroundColor Red
break;
}
if ($group.GroupCategory -ne "Security") {
$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
write-host $tmp -ForeGroundColor Red
break;
}
$members = Get-ADGroupMember -Identity $group
if ($members -ne $null) {
$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
write-host $tmp -ForeGroundColor Red
foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
break;
}
#######################################
## We have verified everything. We ##
## can create the link from the ##
## Issuance Policy to the group. ##
#######################################
if ($OID."msDS-OIDToGroupLink" -ne $null) {
$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
$userChoice = read-host
if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
set-adobject -Identity $OID -Replace $tmp
if ($?) {
$tmp = $Errormsg.LinkSuccess
write-host $tmp -Foreground Green
}else{
$tmp = $ErrorMsg.LinkError
write-host $tmp -Foreground Red
}
} else {
$tmp = $Errormsg.ExitNoLinkReplacement
write-host $tmp
break
}
}
else {
$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
set-adobject -Identity $OID -Add $tmp
if ($?) {
$tmp = $Errormsg.LinkSuccess
write-host $tmp -Foreground Green
}else{
$tmp = $ErrorMsg.LinkError
write-host $tmp -Foreground Red
}
}
```
> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
## See also
**Deep Dive into Credential Guard: Related videos**
[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
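Review bot: the member listing in the membership check, `foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}`, expands only `$member` inside the double-quoted string and prints a literal `.name` after each member's string form; if this script is being relocated with the TOC rework rather than dropped, the new copy should use `$($member.name)`. The same block also carries leftovers that should not travel with it: the commented-out `# import-localizeddata ErrorMsg` and `##$searchBase = [String]$groupContainer.DistinguishedName` lines (the live line right below passes the whole `$groupContainer` object as `-searchBase`, which only works because the object stringifies to its distinguished name), and the closing note's advice to "try replacing the single quote after the ConvertFrom-StringData parameter" does not say what to replace it with.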

View File

@ -1,92 +0,0 @@
---
title: Adjust memory quotas for a process (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting.
ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Adjust memory quotas for a process
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Adjust memory quotas for a process** security policy setting.
## Reference
This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.
This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers.
Constant: SeIncreaseQuotaPrivilege
### Possible values
- User-defined list of accounts
- Not Defined
### Best practices
1. Restrict the **Adjust memory quotas for a process** user right to only users who require the ability to adjust memory quotas to perform their jobs.
2. If this user right is necessary for a user account, it can be assigned to a local machine account instead of to a domain account.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\
### Default values
By default, members of the Administrators, Local Service, and Network Service groups have this right.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Administrators<br>Local Service<br>Network Service |
| Default Domain Controller Policy | Administrators<br>Local Service<br>Network Service |
| Stand-Alone Server Default Settings | Administrators<br>Local Service<br>Network Service |
| Domain Controller Effective Default Settings | Administrators<br>Local Service<br>Network Service |
| Member Server Effective Default Settings | Administrators<br>Local Service<br>Network Service |
| Client Computer Effective Default Settings | Administrators<br>Local Service<br>Network Service |
 
## Policy management
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
A user with the **Adjust memory quotas for a process** privilege can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. This privilege could be used by a malicious user to start a denial-of-service (DoS) attack.
### Countermeasure
Restrict the **Adjust memory quotas for a process** user right to users who require it to perform their jobs, such as application administrators who maintain database management systems or domain administrators who manage the organization's directory and its supporting infrastructure.
### Potential impact
Organizations that have not restricted users to roles with limited privileges may find it difficult to impose this countermeasure. Also, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Adjust memory quotas for a process** user right to additional accounts that are required by those components. IIS requires that this privilege be explicitly assigned to the IWAM\_&lt;ComputerName&gt;, Network Service, and Service accounts. Otherwise, this countermeasure should have no impact on most computers. If this user right is necessary for a user account, it can be assigned to a local computer account instead of to a domain account.
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
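Review bot: this hunk removes the "Adjust memory quotas for a process" topic outright while the commit message describes a TOC move; the page carries a stable `ms.assetid` (6754a2c8-6d07-4567-9af3-335fd8dd7626) and the topics in this set link to each other by relative path (this one links to `user-rights-assignment.md`), so the commit should also carry a redirect from the old location, or inbound links and bookmarks to the old URL will break once this is published.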
 
 

View File

@ -1,67 +0,0 @@
---
title: Administer AppLocker (Windows 10)
description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Administer AppLocker
**Applies to**
- Windows 10
This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets.
> **Note**  For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
 
## In this section
| Topic | Description |
| - | - |
| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. |
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. |
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. |
| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
| [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) | This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. |
| [Optimize AppLocker performance](optimize-applocker-performance.md) | This topic for IT professionals describes how to optimize AppLocker policy enforcement. |
| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
| [Working with AppLocker policies](working-with-applocker-policies.md) | This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. |
## <a href="" id="bkmk-using-snapins"></a>Using the MMC snap-ins to administer AppLocker
You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
### Administer Applocker using Group Policy
You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
1. Open the Group Policy Management Console (GPMC).
2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**.
3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for.
### Administer AppLocker on the local PC
1. Click **Start**, type **local security policy**, and then click **Local Security Policy**.
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for.
## Using Windows PowerShell to administer AppLocker
For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](http://technet.microsoft.com/library/hh847210.aspx).
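Review bot: this topic is the target of the relative link `[Administer AppLocker](administer-applocker.md)` used in the "Administer security policy settings" table further down in this commit, and it links in turn to the eleven AppLocker sub-topics in its "In this section" table (maintain-applocker-policies.md through working-with-applocker-policies.md) and to packaged-apps-and-packaged-app-installer-rules-in-applocker.md by relative path; since the destination of the move is not shown in this hunk, confirm that the relocated copies keep the same relative layout, or update each of those links, otherwise the table ships with dead links.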
 
 

View File

@ -1,400 +0,0 @@
---
title: Administer security policy settings (Windows 10)
description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
ms.assetid: 7617d885-9d28-437a-9371-171197407599
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Administer security policy settings
**Applies to**
- Windows 10
This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
Security policy settings should be used as part of your overall security implementation to help secure domain controllers, servers, client devices, and other resources in your organization.
Security settings policies are rules that you can configure on a device, or multiple devices, for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain.
Security settings can control:
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a users or groups actions in the event log.
- Membership in a group.
For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md).
To manage security configurations for multiple computers, you can use one of the following options:
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
## <a href="" id="what-s-changed-in-how-settings-are-administered-"></a>Whats changed in how settings are administered?
Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Tool or feature</th>
<th align="left">Description and use</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Security Policy snap-in](#bkmk-secpol)</p></td>
<td align="left"><p>Secpol.msc</p>
<p>MMC snap-in designed to manage only security policy settings.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Security editor command line tool](#bkmk-secedit)</p></td>
<td align="left"><p>Secedit.exe</p>
<p>Configures and analyzes system security by comparing your current configuration to specified security templates.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Security Compliance Manager](#bkmk-scm)</p></td>
<td align="left"><p>Tool download</p>
<p>A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Security Configuration Wizard](#bkmk-scw)</p></td>
<td align="left"><p>Scw.exe</p>
<p>SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Security Configuration Manager tool](#bkmk-scmtool)</p></td>
<td align="left"><p>This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Group Policy](#bkmk-grouppolicy)</p></td>
<td align="left"><p>Gpmc.msc and Gpedit.msc</p>
<p>The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Software Restriction Policies</p>
<p>See [Administer Software Restriction Policies](http://technet.microsoft.com/library/hh994606.aspx).</p></td>
<td align="left"><p>Gpedit.msc</p>
<p>Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.</p></td>
</tr>
<tr class="even">
<td align="left"><p>AppLocker</p>
<p>See [Administer AppLocker](administer-applocker.md).</p></td>
<td align="left"><p>Gpedit.msc</p>
<p>Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.</p></td>
</tr>
</tbody>
</table>
 
## <a href="" id="bkmk-secpol"></a>Using the Local Security Policy snap-in
The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features:
- Account Policies
- Local Policies
- Windows Firewall with Advanced Security
- Network List Manager Policies
- Public Key Policies
- Software Restriction Policies
- Application Control Policies
- IP Security Policies on Local Computer
- Advanced Audit Policy Configuration
Policies set locally might be overwritten if the computer is joined to the domain.
The Local Security Policy snap-in is part of the Security Configuration Manager tool set. For info about other tools in this tool set, see [Working with the Security Configuration Manager](#bkmk-scmtool) in this topic.
## <a href="" id="bkmk-secedit"></a>Using the secedit command-line tool
The secedit command-line tool works with security templates and provides six primary functions:
- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
- The **Analyze** parameter compares the servers security configuration with the selected template.
- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
- The **Export** parameter allows you to export the settings from a database into a security settings template.
- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
- The **Generate Rollback** parameter saves the servers current security settings into a security template so it can be used to restore most of the servers security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
## <a href="" id="bkmk-scm"></a>Using the Security Compliance Manager
The Security Compliance Manager is a downloadable tool that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and for Microsoft applications. It contains a complete database of recommended security settings, methods to customize your baselines, and the option to implement those settings in multiple formats—including XLS, GPOs, Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP). The Security Compliance Manager is used to export the baselines to your environment to automate the security baseline deployment and compliance verification process.
**To administer security policies by using the Security Compliance Manager**
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](http://blogs.technet.com/b/secguide/) blog.
2. Read the relevant security baseline documentation that is included in this tool.
3. Download and import the relevant security baselines. The installation process steps you through baseline selection.
4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
## <a href="" id="bkmk-scw"></a>Using the Security Configuration Wizard
The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy.
SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller.
The following are considerations for using SCW:
- SCW disables unnecessary services and provides Windows Firewall with Advanced Security support.
- Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file.
- You can deploy security policies that you create with SCW by using Group Policy.
- SCW does not install or uninstall the features necessary for the server to perform a role. You can install server role-specific features through Server Manager.
- SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles.
- All apps that use the IP protocol and ports must be running on the server when you run SCW.
- In some cases, you must be connected to the Internet to use the links in the SCW help.
> **Note**  The SCW is available only on Windows Server and only applicable to server installations.
 
The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to:
- Create a security policy that can be applied to any server on your network.
- Edit an existing security policy.
- Apply an existing security policy.
- Roll back the last applied security policy.
The Security Policy Wizard configures services and network security based on the servers role, as well as configures auditing and registry settings.
For more information about SCW, including procedures, see [Security Configuration Wizard](http://technet.microsoft.com/library/cc754997.aspx).
## <a href="" id="bkmk-scmtool"></a>Working with the Security Configuration Manager
The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](http://technet.microsoft.com/library/cc758219(WS.10).aspx).
The following table lists the features of the Security Configuration Manager.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Security Configuration Manager tools</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Security Configuration and Analysis](#bkmk-seccfgana)</p></td>
<td align="left"><p>Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Security templates](#bkmk-sectmpl)</p></td>
<td align="left"><p>Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Security Settings extension to Group Policy](#bkmk-secextensions)</p></td>
<td align="left"><p>Edits individual security settings on a domain, site, or organizational unit.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Local Security Policy](#bkmk-localsecpol)</p></td>
<td align="left"><p>Edits individual security settings on your local computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Secedit</p></td>
<td align="left"><p>Automates security configuration tasks at a command prompt.</p></td>
</tr>
</tbody>
</table>
 
### <a href="" id="bkmk-seccfgana"></a>Security Configuration and Analysis
Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security.
### <a href="" id="h2-359808543"></a>Security analysis
The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security.
Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time.
Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security
Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals.
### <a href="" id="h2-359810173"></a>Security configuration
Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template.
### <a href="" id="bkmk-sectmpl"></a>Security templates
With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It is a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in does not introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration.
Importing a security template to a Group Policy Object eases domain administration by configuring security for a domain or organizational unit at once.
To apply a security template to your local device, you can use Security Configuration and Analysis or the secedit command-line tool.
Security templates can be used to define:
- Account Policies
- Password Policy
- Account Lockout Policy
- Kerberos Policy
- Local Policies
- Audit Policy
- User Rights Assignment
- Security Options
- Event Log: Application, system, and security Event Log settings
- Restricted Groups: Membership of security-sensitive groups
- System Services: Startup and permissions for system services
- Registry: Permissions for registry keys
- File System: Permissions for folders and files
Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template.
### <a href="" id="bkmk-secextensions"></a>Security settings extension to Group Policy
Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain.
Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control:
- How users are authenticated to a network or device
- What resources users are authorized to use.
- Whether or not a user's or group's actions are recorded in the event log.
- Group membership.
You can change the security configuration on multiple computers in two ways:
- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object.
- Change a few select settings with security settings.
### <a href="" id="bkmk-localsecpol"></a>Local Security Policy
A security policy is a combination of security settings that affect the security on a device. You can use your local security policy to edit account policies and local policies on your local device
With the local security policy, you can control:
- Who accesses your device.
- What resources users are authorized to use on your device.
- Whether or not a users or group's actions are recorded in the event log.
If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence.
1. Organizational unit policy
2. Domain policy
3. Site policy
4. Local computer policy
If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts.
### Using the Security Configuration Manager
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](http://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about:
- [Applying security settings](#bkmk-applysecsettings)
- [Importing and exporting security templates](#bkmk-impexpsectmpl)
- [Analyzing security and viewing results](#bkmk-anasecviewresults)
- [Resolving security discrepancies](#bkmk-resolvesecdiffs)
- [Automating security configuration tasks](#bkmk-autoseccfgtasks)
### <a href="" id="bkmk-applysecsettings"></a>Applying security settings
Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object:
- When a device is restarted, the settings on that device will be refreshed.
- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe.
**Precedence of a policy when more than one policy is applied to a computer**
For security settings that are defined by more than one policy, the following order of precedence is observed:
1. Organizational Unit Policy
2. Domain Policy
3. Site Policy
4. Local computer Policy
For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override
both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
> **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order.
For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
 
**Persistence in security settings**
Security settings may still persist even if a setting is no longer defined in the policy that originally applied it.
Persistence in security settings occurs when:
- The setting has not been previously defined for the device.
- The setting is for a registry object.
- The setting is for a file system object.
All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing."
Registry and file settings will maintain the values applied through policy until that setting is set to other values.
**Filtering security settings based on group membership**
You can also decide what users or groups will or will not have a Group Policy Object applied to them regardless of what computer they have logged onto by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy.
### <a href="" id="bkmk-impexpsectmpl"></a>Importing and exporting security templates
Security Configuration and Analysis provides the ability to import and export security templates into or from a database.
If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature provides the ability to save the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object.
### <a href="" id="bkmk-anasecviewresults"></a>Analyzing security and viewing results
Security Configuration and Analysis performs security analysis by comparing the current state of system security against an *analysis database*. During creation, the analysis database uses at least one security template. If you choose to import more than one security template, the database will merge the various templates and create one composite template. It resolves conflicts in order of import; the last template that is imported takes precedence.
Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Visual flag</th>
<th align="left">Meaning</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Red X</p></td>
<td align="left"><p>The entry is defined in the analysis database and on the system, but the security setting values do not match.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Green check mark</p></td>
<td align="left"><p>The entry is defined in the analysis database and on the system and the setting values match.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Question mark</p></td>
<td align="left"><p>The entry is not defined in the analysis database and, therefore, was not analyzed.</p>
<p>If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Exclamation point</p></td>
<td align="left"><p>This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>No highlight</p></td>
<td align="left"><p>The item is not defined in the analysis database or on the system.</p></td>
</tr>
</tbody>
</table>
 
If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis.
To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template.
### <a href="" id="bkmk-resolvesecdiffs"></a>Resolving security discrepancies
You can resolve discrepancies between analysis database and system settings by:
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.
- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
### <a href="" id="bkmk-autoseccfgtasks"></a>Automating security configuration tasks
By calling the secedit.exe tool at a command prompt from a batch file or automatic task scheduler, you can use it to automatically create and apply templates, and analyze system security. You can also run it dynamically from a command prompt.
Secedit.exe is useful when you have multiple devices on which security must be analyzed or configured, and you need to perform these tasks during off-hours.
## <a href="" id="bkmk-grouppolicy"></a>Working with Group Policy tools
Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop.
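Review bot: if this topic is being relocated under the new TOC rather than dropped, the moved copy should not carry over the grammar slips visible in this hunk: "The security settings tool allows you change the security configuration" (missing "to"), "configured on a device or multiple device" (should be "devices"), and "Whether or not a users or group's actions are recorded" under Local Security Policy (should be "a user's or group's"); the sentence "edit account policies and local policies on your local device" in that same section is also missing its period. The in-page anchors #bkmk-applysecsettings, #bkmk-impexpsectmpl, #bkmk-anasecviewresults, #bkmk-resolvesecdiffs and #bkmk-autoseccfgtasks are the targets of the "Using the Security Configuration Manager" list, so they must keep resolving wherever the topic lands.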

View File

@ -1,30 +0,0 @@
---
title: Turn on advanced features in Windows Defender ATP
description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
keywords: advanced features, preferences setup, block file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Turn on advanced features in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
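Review bot: this procedure is deleted outright and the hunk shows no replacement, while its Related topics section links three sibling pages by relative path (general-settings-windows-defender-advanced-threat-protection.md, preview-settings-windows-defender-advanced-threat-protection.md, configure-email-notifications-windows-defender-advanced-threat-protection.md); if those files move with the new TOC, every page that linked to this one needs the same path update, and a redirect for the old URL should be part of the change. The steps also open with "In the navigation pane, select **Preferences setup** > **Advanced features**" without naming the Windows Defender ATP portal that pane belongs to; the relocated copy should state that.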

View File

@ -1,149 +0,0 @@
---
title: Advanced security audit policy settings (Windows 10)
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Advanced security audit policy settings
**Applies to**
- Windows 10
This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
## Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
## Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
- [Audit Application Group Management](audit-application-group-management.md)
- [Audit Computer Account Management](audit-computer-account-management.md)
- [Audit Distribution Group Management](audit-distribution-group-management.md)
- [Audit Other Account Management Events](audit-other-account-management-events.md)
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
## Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
- [Audit DPAPI Activity](audit-dpapi-activity.md)
- [Audit PNP activity](audit-pnp-activity.md)
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
- [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
- [Audit Directory Service Access](audit-directory-service-access.md)
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
## Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
- [Audit Account Lockout](audit-account-lockout.md)
- [Audit User/Device Claims](audit-user-device-claims.md)
- [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
- [Audit Group Membership](audit-group-membership.md)
- [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
- [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
- [Audit Logoff](audit-logoff.md)
- [Audit Logon](audit-logon.md)
- [Audit Network Policy Server](audit-network-policy-server.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
## Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
This category includes the following subcategories:
- [Audit Application Generated](audit-application-generated.md)
- [Audit Certification Services](audit-certification-services.md)
- [Audit Detailed File Share](audit-detailed-file-share.md)
- [Audit File Share](audit-file-share.md)
- [Audit File System](audit-file-system.md)
- [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
- [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
- [Audit Handle Manipulation](audit-handle-manipulation.md)
- [Audit Kernel Object](audit-kernel-object.md)
- [Audit Other Object Access Events](audit-other-object-access-events.md)
- [Audit Registry](audit-registry.md)
- [Audit Removable Storage](audit-removable-storage.md)
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
## Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
- [Audit Audit Policy Change](audit-audit-policy-change.md)
- [Audit Authentication Policy Change](audit-authentication-policy-change.md)
- [Audit Authorization Policy Change](audit-authorization-policy-change.md)
- [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
## Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
## System
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
- [Audit IPsec Driver](audit-ipsec-driver.md)
- [Audit Other System Events](audit-other-system-events.md)
- [Audit Security State Change](audit-security-state-change.md)
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.
> **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object
Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
 
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
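Review bot: the Account Logon category in this hunk lists "Audit Other Logon/Logoff Events" (audit-other-logonlogoff-events.md) as its fourth subcategory, and the same link appears again under Logon/Logoff; Other Logon/Logoff Events belongs to the Logon/Logoff category, and the fourth Account Logon subcategory is Other Account Logon Events, so the relocated copy should link that topic instead. Two smaller items to fix on the way: "the appropriate object Aaccess auditing subcategory" under Object Access is a typo for "Object Access", and the sentence "To address this issue, see [Global Object Access Auditing](#global-object-access-auditing)" depends on that in-page anchor resolving in the new location.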

View File

@ -1,186 +0,0 @@
---
title: Advanced security auditing FAQ (Windows 10)
description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Advanced security auditing FAQ
**Applies to**
- Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
- [What is Windows security auditing and why might I want to use it?](#bkmk-1)
- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#bkmk-2)
- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#bkmk-3)
- [How are audit settings merged by Group Policy?](#bkmk-4)
- [What is the difference between an object DACL and an object SACL?](#bkmk-14)
- [Why are audit policies applied on a per-computer basis rather than per user?](#bkmk-13)
- [What are the differences in auditing functionality between versions of Windows?](#bkmk-12)
- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#bkmk-15)
- [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#bkmk-5)
- [How can I set an audit policy that affects all objects on a computer?](#bkmk-6)
- [How do I figure out why someone was able to access a resource?](#bkmk-7)
- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#bkmk-8)
- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#bkmk-19)
- [How can I monitor if changes are made to audit policy settings?](#bkmk-10)
- [How can I minimize the number of events that are generated?](#bkmk-16)
- [What are the best tools to model and manage audit policy?](#bkmk-17)
- [Where can I find information about all the possible events that I might receive?](#bkmk-11)
- [Where can I find more detailed information?](#bkmk-18)
## <a href="" id="bkmk-1"></a>What is Windows security auditing and why might I want to use it?
Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
## <a href="" id="bkmk-2"></a>What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
There are a number of additional differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.
In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logonrelated behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later.
## <a href="" id="bkmk-3"></a>What is the interaction between basic audit policy settings and advanced audit policy settings?
Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied.
> **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
 
## <a href="" id="bkmk-4"></a>How are audit settings merged by Group Policy?
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
| - | - | - | -|
| Detailed File Share Auditing | Success | Failure | Success |
| Process Creation Auditing | Disabled | Success | Disabled |
| Logon Auditing | Success | Failure | Failure |
## <a href="" id="bkmk-14"></a>What is the difference between an object DACL and an object SACL?
All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
- A system access control list (SACL) that controls how access is audited
The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
## <a href="" id="bkmk-13"></a>Why are audit policies applied on a per-computer basis rather than per user?
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
## <a href="" id="bkmk-12"></a>What are the differences in auditing functionality between versions of Windows?
Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings.
## <a href="" id="bkmk-15"></a>Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server?
To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported.
## <a href="" id="bkmk-5"></a>What is the difference between success and failure events? Is something wrong if I get a failure audit?
A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.
The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password.
## <a href="" id="bkmk-6"></a>How can I set an audit policy that affects all objects on a computer?
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
## <a href="" id="bkmk-7"></a>How do I figure out why someone was able to access a resource?
Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
## <a href="" id="bkmk-8"></a>How do I know when changes are made to access control settings, by whom, and what the changes were?
To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
- **Audit File System** subcategory: Enable for success, failure, or success and failure
- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory.
## <a href="" id="bkmk-19"></a>How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to **Not configured**.
2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings will not be restored.
## <a href="" id="bkmk-10"></a>How can I monitor if changes are made to audit policy settings?
Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place:
- Permissions and audit settings on the audit policy object are changed
- The system audit policy is changed
- Security event sources are registered or unregistered
- Per-user audit settings are changed
- The value of **CrashOnAuditFail** is modified
- Audit settings on a file or registry key are changed
- A Special Groups list is changed
## <a href="" id="bkmk-16"></a>How can I minimize the number of events that are generated?
Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md).
## <a href="" id="bkmk-17"></a>What are the best tools to model and manage audit policies?
The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies.
On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policyrelated management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
## <a href="" id="bkmk-11"></a>Where can I find information about all the possible events that I might receive?
Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources:
- [Windows 8 and Windows Server 2012 Security Event Details](http://www.microsoft.com/download/details.aspx?id=35753)
- [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
- [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
## <a href="" id="bkmk-18"></a>Where can I find more detailed information?
To learn more about security audit policies, see the following resources:
- [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
- [Security Monitoring and Attack Detection Planning Guide](http://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx)
- [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
- [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868)
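Review bot: The version history in this hunk contradicts itself. Under "What are the differences in auditing functionality between versions of Windows?" the paragraph first states "Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008" and two sentences later "Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings." Only Group Policy support for the advanced settings arrived with Windows 7 and Windows Server 2008 R2 (the "What are the best tools" answer in the same hunk says exactly that), so the second sentence should read along the lines of "Group Policy support for advanced audit policy settings, introduced in Windows 7 and Windows Server 2008 R2, ...". Smaller points in the same hunk: characters were dropped in "account logonrelated behaviors" and "audit policyrelated management tasks" (missing hyphens) and in "Windows Server 2012 Windows 7, Windows Server 2008 R2" (missing comma). If this FAQ is being moved rather than dropped in the TOC restructure, carry these fixes over to the new location.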
 
 

View File

@ -1,27 +0,0 @@
---
title: Advanced security audit policies (Windows 10)
description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Advanced security audit policies
**Applies to**
- Windows 10
Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently.
When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
## In this section
| Topic | Description |
| - | - |
| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies |
| [Advanced security auditing FAQ](advanced-security-auditing-faq.md) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
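Review bot: The "In this section" table is inconsistent: the first data row ("| [Planning and deploying advanced security audit policies]...") ends with a closing "|" and no trailing period, while the next three rows ("| [Advanced security auditing FAQ]...", "| [Using advanced security auditing options...]...", "| [Advanced security audit policy settings]...") end with a period and no closing "|". Most Markdown renderers tolerate this, but the rows should follow one form wherever this topic lands after the move.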

View File

@ -1,119 +0,0 @@
---
title: View and organize the Windows Defender ATP Alerts queue
description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen.
Alerts are organized in queues by their workflow status or assignment:
- **New**
- **In progress**
- **Resolved**
- **Assigned to me**
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
> [!NOTE]
> By default, the queues are sorted from newest to oldest.
## Sort and filter the alerts
You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order.
![Alerts queue with numbers](images/alerts-queue-numbered.png)
Highlighted area|Area name|Description
:---|:---|:---
1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped.
2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert.
3 | Alert management pane | View and manage alerts without leaving the alerts queue view.
### Sort, filter, and group the alerts list
You can use the following filters to limit the list of alerts displayed during an investigation:
**Severity**</br>
Alert severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
**Detection source**</br>
- Windows Defender AV
- Windows Defender ATP
>[!NOTE]
>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product.
**Time period**</br>
- 1 day
- 3 days
- 7 days
- 30 days
- 6 months
**View**</br>
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together.
The group view allows for efficient alert triage and management.
### Use the Alert management pane
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
You can take immediate action on an alert and see details about an alert in the **Alert management** pane:
- Change the status of an alert from new, to in progress, or resolved.
- Specify the alert classification from true alert or false alert.
Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert:
- APT
- Malware
- Security personnel
- Security testing
- Unwanted software
- Other
- Assign the alert to yourself if the alert is not yet assigned.
- View related activity on the machine.
- Add and view comments about the alert.
>[!NOTE]
>You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section.
### Bulk edit alerts
Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action.
![Alerts queue bulk edit](images/alerts-q-bulk.png)
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
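Review bot: The bulleted list under "You can take immediate action on an alert and see details about an alert in the **Alert management** pane:" is split by an unindented paragraph. "Selecting true alert displays the **Determination** drop-down list..." and the "- APT" through "- Other" sublist sit at column 0 between "- Specify the alert classification from true alert or false alert." and "- Assign the alert to yourself if the alert is not yet assigned.", so the content renders as two separate lists with a paragraph and a third list in between. Indent that paragraph and its sublist under the "Specify the alert classification" bullet. Also in this hunk: "clicking columns that allows you to sort the view" should be "allow"; "The group view allows for efficient alert triage and management." repeats the sentence directly above it and can be dropped; and the filter value is listed as "Windows Defender AV" while the note beneath it refers to "the Windows Defender Antivirus filter", so one name should be used for both.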

View File

@ -1,107 +0,0 @@
---
title: Allow log on locally - security policy setting (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Allow log on locally - security policy setting
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Allow log on locally** security policy setting.
## Reference
This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.
> **Note:**  Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right.
 
Constant: SeInteractiveLogonRight
### Possible values
- User-defined list of accounts
- Not Defined
By default, the members of the following groups have this right on workstations and servers:
- Administrators
- Backup Operators
- Users
By default, the members of the following groups have this right on domain controllers:
- Account Operators
- Administrators
- Backup Operators
- Print Operators
- Server Operators
### Best practices
1. Restrict this user right to legitimate users who must log on to the console of the device.
2. If you selectively remove default groups, you can limit the abilities of users who are assigned to specific administrative roles in your organization.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not Defined |
| Default Domain Controller Policy | Account Operators<br>Administrators<br>Backup Operators<br>Print Operators<br>Server Operators |
| Stand-Alone Server Default Settings| Administrators<br>Backup Operators<br>Users |
| Domain Controller Effective Default Settings | Account Operators<br>Administrators<br>Backup Operators<br>Print Operators<br>Server Operators |
| Member Server Effective Default Settings | Administrators<br>Backup Operators<br>Users |
| Client Computer Effective Default Settings | Administrators<br>Backup Operators<br>Users |
 
## Policy management
Restarting the device is not required to implement this change.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Modifying this setting might affect compatibility with clients, services, and applications. Use caution when removing service accounts that are used by components and by programs on member devices and on domain controllers in the domain from the default domain controller's policy. Also use caution when removing users or security groups that log on to the console of member devices in the domain, or removing service accounts that are defined in the local Security Accounts Manager (SAM) database of member devices or of workgroup devices.
If you want to grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the **Allowed logon locally** system right or grant the right to that user account.
The domain controllers in the domain share the Default Domain Controllers Group Policy Object (GPO). When you grant an account the **Allow logon locally** right, you are allowing that account to log on locally to all domain controllers in the domain.
If the Users group is listed in the **Allow log on locally** setting for a GPO, all domain users can log on locally. The Users built-in group contains Domain Users as a member.
### Group Policy
Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Any account with the **Allow log on locally** user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
### Countermeasure
For domain controllers, assign the **Allow log on locally** user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group.
Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the **Deny log on locally** user right.
### Potential impact
If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Allow log on locally** user right to additional accounts that are required by those components. IIS requires that this user right be assigned to the IUSR\_*&lt;ComputerName&gt;* account. You should confirm that delegated activities are not adversely affected by any changes that you make to the **Allow log on locally** user rights assignments.
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
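Review bot: The Reference paragraph and the Note directly below it contradict each other: "Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller." is followed by "Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right." The constant documented here is SeInteractiveLogonRight, which governs console (local) logon, and the Note is the accurate statement; the first sentence should be reworded so it does not claim this right is required for Remote Desktop logon. The setting is also named three different ways in the Policy management section ("**Allowed logon locally** system right", "**Allow logon locally** right", "**Allow log on locally**"); use the policy's actual name, "Allow log on locally", throughout. "policys property page" under Default values should be "policy's property page".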
 
 

View File

@ -1,100 +0,0 @@
---
title: Allow log on through Remote Desktop Services (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.
ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Allow log on through Remote Desktop Services
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Allow log on through Remote Desktop Services** security policy setting.
## Reference
This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.
Constant: SeRemoteInteractiveLogonRight
### Possible values
- User-defined list of accounts
- Not Defined
### Best practices
- To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Administrators |
| Stand-Alone Server Default Settings | Administrators<br>Remote Desktop Users |
| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators<br>Remote Desktop Users |
| Client Computer Effective Default Settings | Administrators<br>Remote Desktop Users |
## Policy management
This section describes different features and tools available to help you manage this policy.
### Group Policy
To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server.
To exclude users or groups, you can assign the **Deny log on through Remote Desktop Services** user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the **Allow log on through Remote Desktop Services** user right.
For more information, see [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md).
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Any account with the **Allow log on through Remote Desktop Services** user right can log on to the remote console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
### Countermeasure
For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.
> **Caution:**  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
 
Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right.
### Potential impact
Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected.
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
 
 

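Review bot: the Default values paragraph names the "Remote Desktops Users group" where the table and the rest of the topic use "Remote Desktop Users"; if this topic is being relocated by the TOC change rather than retired, the moved copy should carry that fix, along with "the policys property page" (missing apostrophe) and "establish an Remote Desktop Services session" in the Group Policy section.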
View File

@ -1,81 +0,0 @@
---
title: Windows Defender ATP alert API fields
description: Understand how the alert API fields map to the values in the Windows Defender ATP portal.
keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Windows Defender ATP alert API fields
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
## Alert API fields and portal mapping
Field numbers match the numbers in the images below.
Portal label | SIEM field name | Description
:---|:---|:---
1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP
2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/<alert id>`
3 | AlertTitle | Alert title
4 | Actor | Actor name
5 | AlertTime | Last time the alert was observed
6 | Severity | Alert severity
7 | Category | Alert category
8 | Status in queue | Alert status in queue
9 | ComputerDnsName| Computer DNS name and machine name
10| IoaDefinitionId | (Internal only) <br><br> ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
12 | FileName | File name
13 | FileHash | Sha1 of file observed
14 | FilePath | File path
15 | IpAddress | IP of the IOC (when relevant)
16 | URL | URL of the IOC (when relevant)
17 | FullId | (Internal only) <br><br> Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
18 | AlertPart | (Internal only) <br><br> Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
19 | LastProccesedTimeUtc | (Internal only) <br><br> Time the alert was last processed in Windows Defender ATP.
20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
21 | ThreatCategory| Windows Defender AV threat category
22 | ThreatFamily | Windows Defender AV family name
23 | RemediationAction | Windows Defender AV threat category |
24 | WasExecutingWhileDetected | Indicates if a file was running while being detected.
25| RemediationIsSuccess | Indicates if an alert was successfully remediated.
26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
27 | Md5 | Md5 of file observed (when available)
28 | Sha256 | Sha256 of file observed (when available)
29 | ThreatName | Windows Defender AV threat name
>[!NOTE]
> Fields #21-29 are related to Windows Defender Antivirus alerts.
![Image of actor profile with numbers](images/atp-actor.png)
![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
![Image of new alerts with numbers](images/atp-alert-source.png)
![Image of machine timeline with numbers](images/atp-remediated-alert.png)
![Image of file details](images/atp-file-details.png)
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

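Review bot: rows 21 and 23 of the field table both read "Windows Defender AV threat category", so `RemediationAction` is left without a description of its own; if this page moves with the new TOC, the moved copy should describe the remediation action and drop the stray trailing `|` on row 23 that no other row has. The SIEM field name in row 19, `LastProccesedTimeUtc`, also looks like a misspelling of "Processed" and should be checked against the actual API output before it is carried over.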
View File

@ -1,135 +0,0 @@
---
title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
description: How unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) networking policies, app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
ms.prod: w10
ms.mktglfcycl: explore
ms.pagetype: security
ms.sitesec: library
author: eross-msft
localizationpriority: high
---
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile
Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
To avoid the automatic encryption of data, developers can enlighten apps by adding and compiling code using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
- Dont use common controls for saving files.
- Dont use common controls for text boxes.
- Simultaneously work on personal and corporate data (for example, contact apps that display personal and corporate data in a single view or a browser that displays personal and corporate web pages on tabs within a single instance).
We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
>[!Note]
>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
## Unenlightened app behavior
This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
<table>
<tr>
<th>App rule setting</th>
<th align="center" colspan="2">Networking policy configuration</th>
</tr>
<tr>
<th>&nbsp;</th>
<th align="center">Name-based policies, without the /&#42;AppCompat&#42;/ string</th>
<th align="center">Name-based policies, using the /&#42;AppCompat&#42;/ string or proxy-based policies</th>
</tr>
<tr align="left">
<td><strong>Not required.</strong> App connects to enterprise cloud resources directly, using an IP address.</td>
<td>
<ul>
<li>App is entirely blocked from both personal and enterprise cloud resources.</li>
<li>No encryption is applied.</li>
<li>App cant access local Work files.</li>
</ul>
</td>
<td>
<ul>
<li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.</li>
<li>No encryption is applied.</li>
<li>App cant access local Work files.</li>
</ul>
</td>
</tr>
<tr align="left">
<td><strong>Not required.</strong> App connects to enterprise cloud resources, using a hostname.</td>
<td colspan="2">
<ul>
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
<li>No encryption is applied.</li>
<li>App cant access local Work files.</li>
</ul>
</td>
</tr>
<tr align="left">
<td><strong>Allow.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td colspan="2">
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
<li>Auto-encryption is applied.</li>
<li>App can access local Work files.</li>
</ul>
</td>
</tr>
<tr align="left" colspan="2">
<td><strong>Exempt.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td colspan="2">
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
<li>No encryption is applied.</li>
<li>App can access local Work files.</li>
</ul>
</td>
</tr>
</table>
## Enlightened app behavior
This table includes info about how enlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
<table>
<tr>
<th>App rule setting</th>
<th>Networking policy configuration for name-based policies, possibly using the /&#42;AppCompat&#42;/ string, or proxy-based policies</th>
</tr>
<tr>
<td><strong>Not required.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
<li>No encryption is applied.</li>
<li>App can't access local Work files.</li>
</ul>
</td>
</tr>
<tr>
<td><strong>Allow.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
<li>App protects work data and leaves personal data unprotected.</li>
<li>App can access local Work files.</li>
</ul>
</td>
</tr>
<tr>
<td><strong>Exempt.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
<li>App protects work data and leaves personal data unprotected.</li>
<li>App can access local Work files.</li>
</ul>
</td>
</tr>
</table>
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

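Review bot: the fourth data row of the unenlightened-app table opens with `<tr align="left" colspan="2">`; `colspan` is not valid on `<tr>` and is already set on the `<td colspan="2">` inside it, so it should be dropped from the `<tr>` when the table is moved. The same table writes "cant" (apostrophe lost) in its first three rows where the enlightened-app table writes "can't".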
View File

@ -1,93 +0,0 @@
---
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10)
description: Appendix A Sample GPO Template Files for Settings Used in this Guide
ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Appendix A: Sample GPO Template Files for Settings Used in this Guide
**Applies to**
- Windows 10
- Windows Server 2016
You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there.
To import an .xml file to GPMC, drag it and drop it on the **Registry** node under **Computer Configuration**, **Preferences**, **Windows Settings**. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide.
The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply.
>**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organizations deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">
<Registry
clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
name="Enable PMTU Discovery"
status="EnablePMTUDiscovery"
image="12"
changed="2008-05-30 20:37:37"
uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
desc="&lt;b&gt;Enable PMTU Discovery&lt;/b&gt;&lt;p&gt;
This setting configures whether computers can use PMTU
discovery on the network.&lt;p&gt;
&lt;b&gt;1&lt;/b&gt; -- Enable&lt;br&gt;
&lt;b&gt;0&lt;/b&gt; -- Disable"
bypassErrors="1">
<Properties
action="U"
displayDecimal="1"
default="0"
hive="HKEY_LOCAL_MACHINE"
key="System\CurrentControlSet\Services\TCPIP\Parameters"
name="EnablePMTUDiscovery" type="REG_DWORD" value="00000001"/>
</Registry>
<Registry
clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
name="IPsec Default Exemptions (Vista and W2K8)"
status="NoDefaultExempt"
image="12"
changed="2008-05-30 20:33:32"
uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2008
and later&lt;/b&gt;&lt;p&gt;
This setting determines which network traffic type is exempt
from any IPsec authentication requirements.&lt;p&gt;
&lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
&lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
&lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
&lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
bypassErrors="1">
<Properties
action="U"
displayDecimal="1"
default="0"
hive="HKEY_LOCAL_MACHINE"
key="SYSTEM\CurrentControlSet\Services\PolicyAgent"
name="NoDefaultExempt"
type="REG_DWORD"
value="00000003"/>
<Filters>
<FilterOs
bool="AND" not="0"
class="NT" version="VISTA"
type="NE" edition="NE" sp="NE"/>
<FilterOs
bool="OR" not="0"
class="NT" version="2K8"
type="NE" edition="NE" sp="NE"/>
</Filters>
</Registry>
</Collection>
```

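Review bot: the introduction says the sample "creates a Server and Domain Isolation collection with the six registry keys discussed in this guide", but the XML that follows defines only two `<Registry>` entries (`EnablePMTUDiscovery` and `NoDefaultExempt`); either the count in the prose is wrong or the sample is incomplete, and the relocated copy should reconcile the two. The code fence is also tagged ``` syntax rather than ```xml.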
View File

@ -1,29 +0,0 @@
---
title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
description: Appendix A, Security monitoring recommendations for many audit events
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Appendix A: Security monitoring recommendations for many audit events
**Applies to**
- Windows 10
- Windows Server 2016
This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix.
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the whitelist of accounts. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |

View File

@ -1,39 +0,0 @@
---
title: AppLocker architecture and components (Windows 10)
description: This topic for IT professional describes AppLockers basic architecture and its major components.
ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker architecture and components
**Applies to**
- Windows 10
This topic for IT professional describes AppLockers basic architecture and its major components.
AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
AppLocker provides three ways to intercept and validate if a file is allowed to execute according to an AppLocker policy.
**A new process is created**
When a new process is created, such as an executable file or a Universal Windows app is run, AppLocker invokes the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run.
**A DLL is loaded**
When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process.
**A script is run**
Before a script file is run, the script host (for example. for .ps1 files the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it is allowed to run. In each case, the actions taken by AppLocker are written to the event log.
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
 
 

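Review bot: "the script host (for example. for .ps1 files the script host is PowerShell)" has a period where a comma belongs, and "This topic for IT professional" (in both the description metadata and the first paragraph) is missing "the"; both are worth fixing in the relocated copy.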
View File

@ -1,50 +0,0 @@
---
title: AppLocker functions (Windows 10)
description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker functions
**Applies to**
- Windows 10
This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
## Functions
The following list includes the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2 and links to current documentation on MSDN:
- [SaferGetPolicyInformation Function](https://go.microsoft.com/fwlink/p/?LinkId=159781)
- [SaferCreateLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159782)
- [SaferCloseLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159783)
- [SaferIdentifyLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159784)
- [SaferComputeTokenFromLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159785)
- [SaferGetLevelInformation Function](https://go.microsoft.com/fwlink/p/?LinkId=159787)
- [SaferRecordEventLogEntry Function](https://go.microsoft.com/fwlink/p/?LinkId=159789)
- [SaferiIsExecutableFileType Function](https://go.microsoft.com/fwlink/p/?LinkId=159790)
## Security level ID
AppLocker and SRP use the security level IDs to stipulate the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker.
| Security level ID | SRP | AppLocker |
| - | - | - |
| SAFER_LEVELID_FULLYTRUSTED | Supported | Supported |
| SAFER_LEVELID_NORMALUSER | Supported | Not supported |
| SAFER_LEVELID_CONSTRAINED | Supported | Not supported |
| SAFER_LEVELID_UNTRUSTED | Supported | Not supported |
| SAFER_LEVELID_DISALLOWED | Supported | Supported |
 
In addition, URL zone ID is not supported in AppLocker.
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
 
 

View File

@ -1,138 +0,0 @@
---
title: AppLocker (Windows 10)
description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# AppLocker
**Applies to**
- Windows 10
This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
AppLocker can help you:
- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
- Simplify creating and managing AppLocker rules by using Windows PowerShell.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios:
- **Application inventory**
AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
- **Protection against unwanted software**
AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running.
- **Licensing conformance**
AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
- **Software standardization**
AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment.
- **Manageability improvement**
AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
## New and changed functionality
To find out what's new in AppLocker for Windows 10, see [What's new in AppLocker?](../whats-new/applocker.md)
## When to use AppLocker
In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run.
Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls.
AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
The following are examples of scenarios in which AppLocker can be used:
- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
- The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
- A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
- Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
- A single user or small group of users needs to use a specific app that is denied for all others.
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## System requirements
AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
AppLocker rules can be created on domain controllers.
## Installing AppLocker
AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
> **Note:**  The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
 
### Using AppLocker on Server Core
AppLocker on Server Core installations is not supported.
### Virtualization considerations
You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails.
### Security considerations
Application control policies specify which apps are allowed to run on the local computer.
The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
For additional information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md).
When you use AppLocker to create application control policies, you should be aware of the following security considerations:
- Who has the rights to set AppLocker policies?
- How do you validate that the policies are enforced?
- What events should you audit?
For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed:
| Setting | Default value |
| - | - |
| Accounts created | None |
| Authentication method | Not applicable |
| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
| Ports opened | None |
| Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. |
| Protocols used | Not applicable |
| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
| Security Policies | None required. AppLocker creates security policies. |
| System Services required |Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
| Storage of credentials | None |
 
## In this section
| Topic | Description |
| - | - |
| [Administer AppLocker](administer-applocker.md) | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
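Review bot: the "In this section" table that closes this hunk links by relative path to administer-applocker.md, applocker-policies-design-guide.md, applocker-policies-deployment-guide.md and applocker-technical-reference.md, and the last three of those files are themselves deleted later in this commit. Since the commit message describes a TOC restructure rather than a content removal, these look like moves; if so, the relocated overview needs the new relative paths in this table (and the old paths need redirect entries), otherwise every link in the table dangles once the commit lands. Also worth carrying forward unchanged: the baseline table's statement that the Application Identity service (appidsvc) must be running, which the "Processes and interactions" file in this same commit repeats as the enforcement prerequisite.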


@ -1,53 +0,0 @@
---
title: AppLocker deployment guide (Windows 10)
description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker deployment guide
**Applies to**
- Windows 10
This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.
This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
## Prerequisites to deploying AppLocker policies
The following are prerequisites or recommendations to deploying policies:
- Understand the capabilities of AppLocker:
- [AppLocker](applocker-overview.md)
- Document your application control policy deployment plan by addressing these tasks:
- [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
- [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
- [Determine your application control objectives](determine-your-application-control-objectives.md)
- [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
- [Select types of rules to create](select-types-of-rules-to-create.md)
- [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
- [Create your AppLocker planning document](create-your-applocker-planning-document.md)
## Contents of this guide
This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
## In this section
| Topic | Description |
| - | - |
| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. |
| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
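Review bot: this hunk removes applocker-policies-deployment-guide.md, which the AppLocker overview and the design guide (next hunk) both link to by that filename, while this file's own prerequisites list and "In this section" table link out to nine further topics by relative path (understand-the-applocker-policy-deployment-process.md, requirements-for-deploying-applocker-policies.md, create-your-applocker-policies.md and so on). If the file is being moved under the new TOC, the move has to be applied to the whole set in one pass so that neither the inbound links nor these outbound links reference the old location; a partial move leaves a mix of working and broken links that is hard to spot in a 3881-file diff.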


@ -1,37 +0,0 @@
---
title: AppLocker design guide (Windows 10)
description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker design guide
**Applies to**
- Windows 10
This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
This guide provides important designing and planning information for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group.
This guide does not cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md).
To understand if AppLocker is the correct application control solution for your organization, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
## In this section
| Topic | Description |
| - | - |
| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. |
| [Determine your application control objectives](determine-your-application-control-objectives.md) | This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. |
| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. |
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. |
| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
| [Create your AppLocker planning document](create-your-applocker-planning-document.md) | This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. |
 
After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
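Review bot: the "Plan for AppLocker policy management" row in this hunk's table reads "This topic for describes the decisions", which is missing its noun ("for the IT professional"); if this file is being recreated at a new path rather than dropped, fix the description there, since the same description string is what the TOC typically displays. The closing paragraph also links to [AppLocker Deployment Guide](applocker-policies-deployment-guide.md), which the preceding hunk deletes, so that link needs the deployment guide's new path as well.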
 


@ -1,62 +0,0 @@
---
title: AppLocker policy use scenarios (Windows 10)
description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker policy use scenarios
**Applies to**
- Windows 10
This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows:
1. **App inventory**
AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access.
2. **Protection against unwanted software**
AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails.
3. **Licensing conformance**
AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements.
4. **Software standardization**
AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment.
5. **Manageability improvement**
AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use
the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers.
### Use scenarios
The following are examples of scenarios in which AppLocker can be used:
- Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.
- The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed.
- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps are not licensed or prevent unauthorized users from running licensed software.
- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
- Your organization needs to restrict the use of Universal Windows apps to just those your organization approves of or develops.
- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
- The license to an app has been revoked or is expired in your organization, so you need to prevent it from being used by everyone.
- A new app or a new version of an app is deployed, and you need to allow certain groups to use it.
- Specific software tools are not allowed within the organization, or only specific users have access to those tools.
- A single user or small group of users needs to use a specific app that is denied for all others.
- Some computers in your organization are shared by people who have different software usage needs.
- In addition to other measures, you need to control the access to sensitive data through app usage.
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
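Review bot: the "Use scenarios" bullet list in this hunk is a near-duplicate of the list at the top of the AppLocker overview hunk earlier in this diff, with the wording diverging on two items ("prevent users from running the old version" versus "allow certain groups to use it"; "you need to protect specific apps" versus no qualifier on shared computers). If both files survive the restructure, pick one wording and keep it in one place, or have the overview link here. Separately, item 5 ("Manageability improvement") is broken across two source lines mid-sentence ("you can modify policies and use" / "the AppLocker cmdlets"), which renders as a hard line break; join the two lines when the file is recreated.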
 
 


@ -1,98 +0,0 @@
---
title: AppLocker processes and interactions (Windows 10)
description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker processes and interactions
**Applies to**
- Windows 10
This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
## How policies are implemented by AppLocker
AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure.
The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service is not running, policies will not be enforced. The Application Identity service returns the information from the binary—even if product or binary names are empty—to the results pane of the Local Security Policy snap-in.
AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information:
- Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form).
- The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID, or "AU" in SDDL.)
- The rule condition containing the **appid** attributes.
For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*").
An AppLocker policy for DLLs and executable files is read and cached by kernel mode code, which is part of appid.sys. Whenever a new policy is applied, appid.sys is notified by a policy converter task. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made.
### Understanding AppLocker rules
An AppLocker rule is a control placed on a file to govern whether or not it is allowed to run for a specific user or group. Rules apply to five different types, or collections, of files:
- An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications.
- A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js.
- A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, mst and .msp (Windows Installer patch).
- A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx.
- A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension.
There are three different types of conditions that can be applied to rules:
- A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed.
- A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories.
- A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes.
- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
An AppLocker rule collection is a set of rules that apply to one of the following types: executable files, Windows Installer files, scripts, DLLs, and packaged apps.
- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash.
- [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
- [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
- [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
- [Executable rules in AppLocker](executable-rules-in-applocker.md)
- [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
- [Script rules in AppLocker](script-rules-in-applocker.md)
- [DLL rules in AppLocker](dll-rules-in-applocker.md)
- [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset.
- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
Each AppLocker rule collection functions as an allowed list of files.
### Understanding AppLocker policies
An AppLocker policy is a set of rule collections and their corresponding configured enforcement settings that have been applied to one or more computers.
- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced.
### Understanding AppLocker and Group Policy
Group Policy can be used to create, modify, and distribute AppLocker policies in separate objects or in combination with other policies.
- [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules.
AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied.
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
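Review bot: two accuracy problems in this hunk should be fixed wherever the file lands. First, "Understanding AppLocker rules" says rules apply to five collections (executable, script, Windows Installer, DLL, packaged app) and the rule-collections bullet repeats five, but "Understand AppLocker enforcement settings" then says AppLocker divides rules into four collections and omits packaged apps; the enforcement paragraph is the stale one. Second, the file hash condition is described as matching "encrypted hashes"; hashes are not encrypted, and the publisher/path/hash trio is otherwise described correctly, so this should read "matching file hashes". The SDDL example and the appid.sys / SaferIdentifyLevel description are fine as written.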


@ -1,33 +0,0 @@
---
title: AppLocker settings (Windows 10)
description: This topic for the IT professional lists the settings used by AppLocker.
ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker settings
**Applies to**
- Windows 10
This topic for the IT professional lists the settings used by AppLocker.
The following table describes the settings and values used by AppLocker.
| Setting | Value |
| - | - |
| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** |
| Firewall ports | Not applicable |
| Security policies | Custom created, no default |
| Group Policy settings | Custom created, no default |
| Network ports | Not applicable |
| Service accounts | Not applicable |
| Performance counters | Not applicable |
 
## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)


@ -1,33 +0,0 @@
---
title: AppLocker technical reference (Windows 10)
description: This overview topic for IT professionals provides links to the topics in the technical reference.
ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker technical reference
**Applies to**
- Windows 10
This overview topic for IT professionals provides links to the topics in the technical reference.
AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
## In this section
| Topic | Description |
| - | - |
| [What Is AppLocker?](what-is-applocker.md) | This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. |
| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. |
| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLockers basic architecture and its major components. |
| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. |
| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. |
| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. |
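Review bot: this hunk removes the technical reference hub whose table links to applocker-policy-use-scenarios.md, applocker-processes-and-interactions.md and applocker-settings.md, all of which are deleted in this same commit, plus seven other topics not shown here; every one of those relative links has to be rewritten if the hub moves, and the three deleted files above should land in the same directory as the hub so the links stay relative. Minor: the "AppLocker architecture and components" row reads "describes AppLockers basic architecture", missing the apostrophe.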


@ -1,42 +0,0 @@
---
title: Apply a basic audit policy on a file or folder (Windows 10)
description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Apply a basic audit policy on a file or folder
**Applies to**
- Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right.
**To apply or modify auditing policy settings for a local file or folder**
1. Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab.
2. Click **Advanced**.
3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**.
4. Do one of the following:
- To set up auditing for a new user or group, click **Add**. Click **Select a principal**, type the name of the user or group that you want, and then click **OK**.
- To remove auditing for an existing group or user, click the group or user name, click **Remove**, click **OK**, and then skip the rest of this procedure.
- To view or change auditing for an existing group or user, click its name, and then click **Edit.**
5. In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes:
- To audit successful events, click **Success.**
- To audit failure events, click **Fail.**
- To audit all events, click **All.**
> **Important:**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
 
## Additional considerations
- After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
- Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
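Review bot: the "Important" callout in this hunk, which says object access auditing must be enabled in the audit policy before per-file auditing will work (otherwise the dialog errors and nothing is audited), sits after step 5 of the procedure; if this page is being recreated, move that prerequisite above step 1 next to the "Manage auditing and security log" right, since a reader following the numbered steps hits the error before reaching the note. The rest of the procedure (Properties > Security > Advanced > Auditing, Success/Fail/All, NTFS-only) matches the UI it describes.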
 
 


@ -1,80 +0,0 @@
---
title: Assign user access to the Windows Defender ATP portal
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Assign user access to the Windows Defender ATP portal
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Azure Active Directory
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
## Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read only access
### Before you begin
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
**Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
**Read only access** <br>
Users with read only access can log in, view all alerts, and related information.
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
Use the following steps to assign security roles:
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
- For **read only** access, assign users to the security reader role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
## Assign user access using the Azure portal
1. Go to the [Azure portal](https://portal.azure.com).
2. Select **Azure Active Directory**.
3. Select **Manage** > **Users and groups**.
4. Select **Manage** > **All users**.
5. Search or select the user you want to assign the role to.
6. Select **Manage** > **Directory role**.
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)
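Review bot: the "Before you begin" bullet tells the reader to install Azure PowerShell, but the cmdlets used in this topic (`Connect-MsolService`, `Add-MsolRoleMember`) come from the MSOnline (Azure AD) module, so the prerequisite should name that module and link to its install steps instead. Two smaller points in the same hunk: both command blocks are fenced as text rather than powershell, and the second one wraps the address in curly quotes (“reader@Contoso.onmicrosoft.com”) while the first uses straight quotes; if this page is re-created under the new TOC, tag the fences powershell and use straight quotes in both so the commands can be copied verbatim.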
@ -1,70 +0,0 @@
---
title: Assign Security Group Filters to the GPO (Windows 10)
description: Assign Security Group Filters to the GPO
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Assign Security Group Filters to the GPO
**Applies to**
- Windows 10
- Windows Server 2016
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
>**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
 
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.
In this topic:
- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo)
- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo)
## To allow members of a group to apply a GPO
Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**.
>**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
4. Click **Add**.
5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
## To prevent members of a group from applying a GPO
Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. In the details pane, click the **Delegation** tab.
4. Click **Advanced**.
5. Under the **Group or user names** list, click **Add**.
6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
7. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**.
8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**.
9. The group appears in the list with **Custom** permissions.
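Review bot: step 3 of "To allow members of a group to apply a GPO" removes Authenticated Users from Security Filtering outright, and the note after it presents this as required. Since the June 2016 Group Policy security update (MS16-072), the computer account still needs Read permission on the GPO for it to be processed at all, so the procedure should gain a step that re-grants Read (without Apply group policy) to Authenticated Users or Domain Computers on the Delegation tab; otherwise a GPO filtered this way silently stops applying, which is the opposite of what the topic's opening sentence promises.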
@ -1,38 +0,0 @@
---
title: Audit Account Lockout (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Account Lockout
**Applies to**
- Windows 10
- Windows Server 2016
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.
Account lockout events are essential for understanding user activity and detecting potential attacks.
**Event volume**: Low.
This subcategory failure logon attempts, when account was already locked out.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
**Events List:**
- [4625](event-4625.md)(F): An account failed to log on.
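Review bot: the sentence "Success audits record successful attempts and failure audits record unsuccessful attempts" contradicts the table's own comment that this subcategory has no Success events, so the Success clause should be dropped. The line "This subcategory failure logon attempts, when account was already locked out." is missing its verb; something like "This subcategory audits failed logon attempts made while the account was already locked out." reads as intended.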
@ -1,38 +0,0 @@
---
title: Audit Application Generated (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Application Generated
**Applies to**
- Windows 10
- Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx).
Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
| Workstation | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
**Events List:**
## 4665: An attempt was made to create an application client context.
## 4666: An application attempted an operation.
## 4667: An application client context was deleted.
## 4668: An application was initialized.
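Review bot: the Events List is written as four level-2 headings ("## 4665: An attempt was made to create an application client context." and so on) rather than the linked list items used by the Audit Account Lockout topic in this same change ("- [4625](event-4625.md)(F): ..."), so each event renders as an empty section and carries no (S)/(F) marker. The three table comments also open with "IF if you use", a doubled word.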
@ -1,50 +0,0 @@
---
title: Audit Application Group Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed.
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Application Group Management
**Applies to**
- Windows 10
- Windows Server 2016
Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions.
[Application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx).
Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. |
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
## 4783(S): A basic application group was created.
## 4784(S): A basic application group was changed.
## 4785(S): A member was added to a basic application group.
## 4786(S): A member was removed from a basic application group.
## 4787(S): A non-member was added to a basic application group.
## 4788(S): A non-member was removed from a basic application group.
## 4789(S): A basic application group was deleted.
## 4790(S): An LDAP query group was created.
## 4791(S): An LDAP query group was changed.
## 4792(S): An LDAP query group was deleted.
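Review bot: the ten event lines at the end ("## 4783(S): A basic application group was created." through 4792) have no "**Events List:**" label and are formatted as level-2 headings instead of list items, so they render as empty sections; the Audit Account Lockout topic in this change shows the list form the other audit topics use. In the first paragraph, "addition or removal of group member" should be "group members".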
@ -1,80 +0,0 @@
---
title: Audit Audit Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy.
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Audit Policy Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Changes to audit policy that are audited include:
- Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command).
- Changing the system audit policy.
- Registering and unregistering security event sources.
- Changing per-user audit settings.
- Changing the value of CrashOnAuditFail.
- Changing audit settings on an object (for example, modifying the system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) for a file or registry key).
> **Note**&nbsp;&nbsp;[SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
- Changing anything in the Special Groups list.
The following events will be enabled with Success auditing in this subcategory:
- 4902(S): The Per-user audit policy table was created.
- 4907(S): Auditing settings on object were changed.
- 4904(S): An attempt was made to register a security event source.
- 4905(S): An attempt was made to unregister a security event source.
All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
**Events List:**
- [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed.
- [4719](event-4719.md)(S): System audit policy was changed.
- [4817](event-4817.md)(S): Auditing settings on object were changed.
- [4902](event-4902.md)(S): The Per-user audit policy table was created.
- [4906](event-4906.md)(S): The CrashOnAuditFail value has changed.
- [4907](event-4907.md)(S): Auditing settings on object were changed.
- [4908](event-4908.md)(S): Special Groups Logon table modified.
- [4912](event-4912.md)(S): Per User Audit Policy was changed.
- [4904](event-4904.md)(S): An attempt was made to register a security event source.
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
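Review bot: the Events List is out of numeric order (4904 and 4905 follow 4912), and it gives the identical description "Auditing settings on object were changed." for both 4817 and 4907 without saying how the two differ; sort the list and distinguish the pair. The SACL note also uses a `> **Note**&nbsp;&nbsp;` form that differs from both the `> [!NOTE]` and the `>**Note:**` forms used elsewhere in this change; one convention should be chosen.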
@ -1,118 +0,0 @@
---
title: Audit Audit the access of global system objects (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting.
ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit: Audit the access of global system objects
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.
## Reference
If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](basic-audit-object-access.md) audit setting, access to these system objects is audited.
Global system objects, also known as "base system objects" or "base named objects," are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they do not have a NULL SACL. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created.
The threat is that a globally visible named object, if incorrectly secured, might be acted on by a malicious program that knows the name of the object. For instance, if a synchronization object such as a mutex has a poorly constructed discretionary access control list (DACL), a malicious program can access that mutex by name and cause the program that created it to malfunction. However, the risk of this occurring is very low.
Enabling this policy setting can generate a large number of security events, especially on busy domain controllers and application servers. This might cause servers to respond slowly and force the security log to record numerous events of little significance. Auditing for access to global system objects is an all-or-nothing affair; there is no way to filter which events get recorded and which do not. Even if an organization has the resources to analyze events generated when this policy setting is enabled, it is unlikely to have the source code or a description of what each named object is used for; therefore, it is unlikely that many organizations could benefit from enabling this policy setting.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy.
### Group Policy
All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
### Auditing
To audit attempts to access global system objects, you can use one of two security audit policy settings:
- [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access
- [Audit object access](basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy
If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate.
If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
| 4659 | A handle to an object was requested with intent to delete. |
| 4660 | An object was deleted. |
| 4661 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
 
If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
| 560 | Access was granted to an already existing object. |
| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.<br>**Note: **This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.<br>**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object.<br>**Note: ** An event will be generated for every attempted operation on the object. |
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
A globally visible named object, if incorrectly secured, could be acted upon by malicious software by using the name of the object. For instance, if a synchronization object such as a mutex had a poorly chosen discretionary access control list (DACL), malicious software could access that mutex by name and cause the program that created it to malfunction. However, the risk of such an occurrence is very low.
### Countermeasure
Enable the **Audit: Audit the access of global system objects** setting.
### Potential impact
If you enable the **Audit: Audit the access of global system objects** setting, a large number of security events could be generated, especially on busy domain controllers and application servers. Such an occurrence could cause servers to respond slowly and force the Security log to record numerous events of little significance. This policy setting can only be enabled or disabled, and there is no way to choose which events are recorded from this setting. Even organizations that have the resources to analyze events that are generated by this policy setting are not likely to have the source code or a description of what each named object is used for. Therefore, it is unlikely that most organizations would benefit by enabling this policy setting.
To reduce the number of audit events generated, use the advanced audit policy.
## Related topics
- [Security Options](security-options.md)
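Review bot: the lead-in above the second event table ("If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:") is a copy of the one above the first table, but the table under it lists the legacy event IDs 560 through 570, which belong to the basic "Audit object access" setting named just above under "### Auditing"; the second lead-in should reference that setting. Two smaller points in the same hunk: "typically, they do not have a NULL SACL" contradicts the following sentence, which says the kernel assigns a SACL to these objects only when the policy is enabled (it should read "they have a NULL SACL"), and "**Note: **This" in the 563 row has a space inside the bold markers, so it will not render as bold.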
@ -1,87 +0,0 @@
---
title: Audit Audit the use of Backup and Restore privilege (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting.
ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit: Audit the use of Backup and Restore privilege
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.
## Reference
The **Audit: Audit the use of Backup and Restore privilege** policy setting determines whether to audit the use of all user rights, including Backup and Restore, when the **Audit privilege use** policy setting is configured. Enabling both policy settings generates an audit event for every file that is backed up or restored.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- Set **Audit: Audit the use of Backup and Restore privilege** to Disabled. Enabling this policy setting can generate a large number of security events, which might cause servers to respond slowly and force the security event log to record numerous events of little significance.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
### Auditing
Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users use backup or restore user rights, those events will not be audited.
Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner.
Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md), which can help you manage the number of events generated.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
When the backup and restore function is used, it creates a copy of the file system that is identical to the target of the backup. Making regular backup and restore volumes is an important part of your incident response plan. However, a malicious user could use a legitimate backup copy to gain access to information or to impersonate a legitimate network resource to compromise your enterprise.
### Countermeasure
Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner.
For more information about configuring this key, see Microsoft Knowledge Base article [100879](https://go.microsoft.com/fwlink/p/?LinkId=100879).
### Potential impact
If you enable this policy setting, a large number of security events could be generated, which could cause servers to respond slowly and force the security event log to record numerous events of little significance. If you increase the security event log size to reduce the chances of a system shutdown, an excessively large log file may affect system performance.
## Related topics
- [Security Options](security-options.md)
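Review bot: under "### Countermeasure", the sentence "Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key." does not counter the vulnerability described above it (misuse of backup copies); it addresses the log-volume problem discussed under "### Potential impact", so it should move there or be reworded as a companion setting rather than an alternative. In "### Potential impact", "to reduce the chances of a system shutdown" assumes the reader knows that a full Security log can halt the system, which this topic never states; a short clause explaining that would help.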
 
 
@ -1,76 +0,0 @@
---
title: Audit Authentication Policy Change (Windows 10)
description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy.
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Authentication Policy Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy.
Changes made to authentication policy include:
- Creation, modification, and removal of forest and domain trusts.
- Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy.
- When any of the following user logon rights is granted to a user or group:
- Access this computer from the network
- Allow logon locally
- Allow logon through Remote Desktop
- Logon as a batch job
- Logon as a service
- Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4670](event-4670.md)(S): Permissions on an object were changed
- [4706](event-4706.md)(S): A new trust was created to a domain.
- [4707](event-4707.md)(S): A trust to a domain was removed.
- [4716](event-4716.md)(S): Trusted domain information was modified.
- [4713](event-4713.md)(S): Kerberos policy was changed.
- [4717](event-4717.md)(S): System security access was granted to an account.
- [4718](event-4718.md)(S): System security access was removed from an account.
- [4739](event-4739.md)(S): Domain Policy was changed.
- [4864](event-4864.md)(S): A namespace collision was detected.
- [4865](event-4865.md)(S): A trusted forest information entry was added.
- [4866](event-4866.md)(S): A trusted forest information entry was removed.
- [4867](event-4867.md)(S): A trusted forest information entry was modified.
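Review bot: The Events List in this hunk is inconsistent in two small ways that should be carried over fixed if the topic is being relocated under the new TOC rather than dropped: the entry "[4670](event-4670.md)(S): Permissions on an object were changed" is the only one without a trailing period, and 4713 is listed after 4716 while the rest of the list is in ascending event-ID order. The three Comments cells also read "doesnt" where the apostrophe was lost in encoding. Since this view shows only the deletion, please confirm the same content reappears at the new path in this commit.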


@ -1,42 +0,0 @@
---
title: Audit Authorization Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Authorization Policy Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4703](event-4703.md)(S): A user right was adjusted.
- [4704](event-4704.md)(S): A user right was assigned.
- [4705](event-4705.md)(S): A user right was removed.
- [4670](event-4670.md)(S): Permissions on an object were changed.
- [4911](event-4911.md)(S): Resource attributes of the object were changed.
- [4913](event-4913.md)(S): Central Access Policy on the object was changed.
**Event volume**: Medium to High.
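Review bot: The "**Event volume**: Medium to High." line sits after the Events List here, whereas every other audit topic in this set places it before the recommendation table; the relocated copy should follow the common layout. The Comments cell is also repeated verbatim for all three computer types (including the 4703 / AdjustPrivilegesToken guidance and the System Center Configuration Manager example); stating it once above the table and referring to it from the rows would be easier to maintain. "doesnt" again needs its apostrophe.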


@ -1,40 +0,0 @@
---
title: Audit Central Access Policy Staging (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy.
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Central Access Policy Staging
**Applies to**
- Windows 10
- Windows Server 2016
Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object.
If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows:
- Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access.
- Failure audits, when configured, record access attempts when:
- The current central access policy does not grant access, but the proposed policy grants access.
- A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
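Review bot: The body and the table contradict each other in this hunk. The bullets under "The resulting audit event is generated as follows" describe Failure audits that record access attempts when the current policy denies but the proposed policy grants access, yet every Comments cell says "This subcategory doesnt have Failure events" and the single entry in the Events List is marked "[4818](event-4818.md)(S)". Either the Failure bullets are wrong for this subcategory or 4818 should be marked (S, F) and the Failure columns reconsidered; the moved copy should settle which.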


@ -1,118 +0,0 @@
---
title: Audit Certification Services (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed.
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Certification Services
**Applies to**
- Windows 10
- Windows Server 2016
Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
- AD CS starts, shuts down, is backed up, or is restored.
- Certificate revocation list (CRL)-related tasks are performed.
- Certificates are requested, issued, or revoked.
- Certificate manager settings for AD CS are changed.
- The configuration and properties of the certification authority (CA) are changed.
- AD CS templates are modified.
- Certificates are imported.
- A CA certificate is published to Active Directory Domain Services.
- Security permissions for AD CS role services are modified.
- Keys are archived, imported, or retrieved.
- The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
**Event volume: Low to medium on servers that provide AD CS role services.**
Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. |
## 4868: The certificate manager denied a pending certificate request.
## 4869: Certificate Services received a resubmitted certificate request.
## 4870: Certificate Services revoked a certificate.
## 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
## 4872: Certificate Services published the certificate revocation list (CRL).
## 4873: A certificate request extension changed.
## 4874: One or more certificate request attributes changed.
## 4875: Certificate Services received a request to shut down.
## 4876: Certificate Services backup started.
## 4877: Certificate Services backup completed.
## 4878: Certificate Services restore started.
## 4879: Certificate Services restore completed.
## 4880: Certificate Services started.
## 4881: Certificate Services stopped.
## 4882: The security permissions for Certificate Services changed.
## 4883: Certificate Services retrieved an archived key.
## 4884: Certificate Services imported a certificate into its database.
## 4885: The audit filter for Certificate Services changed.
## 4886: Certificate Services received a certificate request.
## 4887: Certificate Services approved a certificate request and issued a certificate.
## 4888: Certificate Services denied a certificate request.
## 4889: Certificate Services set the status of a certificate request to pending.
## 4890: The certificate manager settings for Certificate Services changed.
## 4891: A configuration entry changed in Certificate Services.
## 4892: A property of Certificate Services changed.
## 4893: Certificate Services archived a key.
## 4894: Certificate Services imported and archived a key.
## 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
## 4896: One or more rows have been deleted from the certificate database.
## 4897: Role separation enabled.
## 4898: Certificate Services loaded a template.
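Review bot: The front-matter description contains the mojibake "(ADÂ CS)" where a non-breaking space was mis-encoded; the body text at "(AD CS)" is correct, so the description should match it. More significantly, the per-event entries from 4868 through 4898 are written as "##" headings instead of the linked "- [NNNN](event-NNNN.md)(S): ..." list used under "**Events List:**" in the other topics, and no such heading precedes them; if the events have no dedicated pages that is fine, but they should at least be a plain list so the relocated topic matches its siblings. The bold on "**Event volume: Low to medium on servers that provide AD CS role services.**" also spans the whole sentence, whereas the other topics bold only the "**Event volume**" label.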


@ -1,40 +0,0 @@
---
title: Audit Computer Account Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Computer Account Management
**Applies to**
- Windows 10
- Windows Server 2016
Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a domain.
**Event volume**: Low on domain controllers.
This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.<br>Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4741](event-4741.md)(S): A computer account was created.
- [4742](event-4742.md)(S): A computer account was changed.
- [4743](event-4743.md)(S): A computer account was deleted.
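Review bot: Two lines in this hunk say the same thing: "Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted." and, three lines later, "This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted." One of them can go in the relocated copy. The Domain Controller Comments cell again has "doesnt" missing its apostrophe.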


@ -1,52 +0,0 @@
---
title: Audit Credential Validation (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Credential Validation
**Applies to**
- Windows 10
- Windows Server 2016
Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
- For domain accounts, the domain controller is authoritative.
- For local accounts, the local computer is authoritative.
**Event volume**:
- High on domain controllers.
- Low on member servers and workstations.
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication. <br>IF We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.<br>We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. |
| Member Server | Yes | Yes | Yes | Yes | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
| Workstation | Yes | Yes | Yes | Yes | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
**Events List:**
- [4774](event-4774.md)(S, F): An account was mapped for logon.
- [4775](event-4775.md)(F): An account could not be mapped for logon.
- [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account.
- [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account.
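Review bot: The Domain Controller Comments cell points the reader to "the ***Security Monitoring Recommendations*** sections" without a link, while every other cross-reference in these topics (for example "[Audit File System](audit-file-system.md)") is a markdown link; if those sections live on the individual event pages, say so or link one. Minor: the Domain Controller row is "IF" for General Success but "Yes" for Stronger Success, which matches the "Expect a high volume of events" caveat in the cell, so just make sure the moved copy keeps the IF explanation next to the table.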


@ -1,48 +0,0 @@
---
title: Audit Detailed Directory Service Replication (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Detailed Directory Service Replication
**Applies to**
- Windows 10
- Windows Server 2016
Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
This audit subcategory can be useful to diagnose replication issues.
**Event volume**: These events can create a very high volume of event data on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for Active Directory replication troubleshooting. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4928](event-4928.md)(S, F): An Active Directory replica source naming context was established.
- [4929](event-4929.md)(S, F): An Active Directory replica source naming context was removed.
- [4930](event-4930.md)(S, F): An Active Directory replica source naming context was modified.
- [4931](event-4931.md)(S, F): An Active Directory replica destination naming context was modified.
- [4934](event-4934.md)(S): Attributes of an Active Directory object were replicated.
- [4935](event-4935.md)(F): Replication failure begins.
- [4936](event-4936.md)(S): Replication failure ends.
- [4937](event-4937.md)(S): A lingering object was removed from a replica.
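Review bot: The Events List jumps from 4931 to 4934; if 4932 and 4933 belong to a different subcategory that is fine, but it is worth confirming in the relocated copy that the gap is intentional rather than two entries lost in the move. In the Domain Controller Comments cell, "Its mainly used for Active Directory replication troubleshooting" has lost its apostrophe.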


@ -1,42 +0,0 @@
---
title: Audit Detailed File Share (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder.
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Detailed File Share
**Applies to**
- Windows 10
- Windows Server 2016
Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
**Event volume**:
- High on file servers.
- High on domain controllers because of SYSVOL network access required by Group Policy.
- Low on member servers and workstations.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. |
| Member Server | IF | Yes | IF | Yes | IF If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
| Workstation | IF | Yes | IF | Yes | IF If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
**Events List:**
- [5145](event-5145.md)(S, F): A network share object was checked to see whether client can be granted desired access.
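Review bot: The Member Server and Workstation Comments cells differ only in whether "Audit File System" is linked: the Member Server row uses "[Audit File System](audit-file-system.md)" while the Workstation row has the bare text "Audit File System subcategory"; the relocated copy should link both. Both cells also read "the clients IP address" where the apostrophe was dropped in encoding.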


@ -1,36 +0,0 @@
---
title: Audit Directory Service Access (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed.
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Directory Service Access
**Applies to**
- Windows 10
- Windows Server 2016
Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
**Event volume**: High on servers running AD DS role services.
This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesnt give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4662](event-4662.md)(S, F): An operation was performed on an object.
- [4661](event-4661.md)(S, F): A handle to an object was requested.
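Review bot: the Domain Controller Comments cell reads "doesnt give you information about failed access attempts"; the apostrophe is missing ("doesn't"), and since this commit only moves the file the fix should land in the relocated copy. The events list also puts 4662 before 4661; listing them in numeric order (4661, then 4662) reads better and matches the order used in most of the other subcategory lists.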


@ -1,48 +0,0 @@
---
title: Audit Directory Service Changes (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS).
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Directory Service Changes
**Applies to**
- Windows 10
- Windows Server 2016
Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
Auditing of directory service objects can provide information about the old and new properties of the objects that were changed.
Audit events are generated only for objects with configured system access control lists ([SACLs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)), and only when they are accessed in a manner that matches their [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
This subcategory only logs events on domain controllers.
**Event volume**: High on domain controllers.
This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or deleted.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects. <br>This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [5136](event-5136.md)(S): A directory service object was modified.
- [5137](event-5137.md)(S): A directory service object was created.
- [5138](event-5138.md)(S): A directory service object was undeleted.
- [5139](event-5139.md)(S): A directory service object was moved.
- [5141](event-5141.md)(S): A directory service object was deleted.
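Review bot: the front-matter description contains a mis-encoded non-breaking space, "(ADÂ DS)", which will be emitted verbatim into the page metadata; it should be a plain space, "(AD DS)", as in the body sentence "Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS)." The Domain Controller Comments cell also has "doesnt have Failure events" for "doesn't".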


@ -1,34 +0,0 @@
---
title: Audit Directory Service Replication (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Directory Service Replication
**Applies to**
- Windows 10
- Windows Server 2016
Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
**Event volume**: Medium on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for Active Directory replication troubleshooting. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4932](event-4932.md)(S): Synchronization of a replica of an Active Directory naming context has begun.
- [4933](event-4933.md)(S, F): Synchronization of a replica of an Active Directory naming context has ended.
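Review bot: the Domain Controller Comments cell reads "Its mainly used for Active Directory replication troubleshooting."; "Its" should be "It's". Minor, but worth fixing in the moved copy rather than carrying the typo into the new location.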


@ -1,70 +0,0 @@
---
title: Audit Distribution Group Management (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks.
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Distribution Group Management
**Applies to**
- Windows 10
- Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
This subcategory generates events only on domain controllers.
**Event volume**: Low on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
- Distribution group is created, changed, or deleted.
- Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A groups type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4749](event-4749.md)(S): A security-disabled global group was created.
- [4750](event-4750.md)(S): A security-disabled global group was changed.
- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
- [4753](event-4753.md)(S): A security-disabled global group was deleted.
**4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
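Review bot: the events list is inconsistent: the five global-group events (4749 to 4753) are bullets, while the universal-group (4759 to 4763) and local-group (4744 to 4748) events are bold paragraphs that each repeat the same "is the same, but it is generated for a ... distribution group" sentence. A single bulleted list of all fifteen events, followed by one sentence stating that the universal and local variants share fields, XML and recommendations with the global ones, would be easier to scan and maintain. Separately, "A groups type was changed" on the 4764 line should read "A group's type was changed", and the fragment "“Audit Security Group Management” subcategory success auditing must be enabled." reads better joined to the preceding sentence (", which requires Success auditing in the Audit Security Group Management subcategory"). The Domain Controller Comments cell also has "doesnt" for "doesn't".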


@ -1,38 +0,0 @@
---
title: Audit DPAPI Activity (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit DPAPI Activity
**Applies to**
- Windows 10
- Windows Server 2016
Audit [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx)).
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
| Member Server | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
| Workstation | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
**Events List:**
- [4692](event-4692.md)(S, F): Backup of data protection master key was attempted.
- [4693](event-4693.md)(S, F): Recovery of data protection master key was attempted.
- [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted.
- [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted.
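Review bot: the three Comments cells use "IF Events in this subcategory typically have an informational purpose" without the "IF - " separator that the other IF rows in this commit use (for example "IF - Events in this subcategory typically have an informational purpose" in the Directory Service Replication table); add the separator for consistency, and change "Its mainly used for DPAPI troubleshooting" to "It's".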


@ -1,50 +0,0 @@
---
title: Audit File Share (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed.
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit File Share
**Applies to**
- Windows 10
- Windows Server 2016
Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks.
There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access.
**Event volume**:
- High on file servers.
- High on domain controllers because of SYSVOL network access required by Group Policy.
- Low on member servers and workstations.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing for domain controllers, because its important to track deletion, creation, and modification events for network shares.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
**Events List:**
- [5140](event-5140.md)(S, F): A network share object was accessed.
- [5142](event-5142.md)(S): A network share object was added.
- [5143](event-5143.md)(S): A network share object was modified.
- [5144](event-5144.md)(S): A network share object was deleted.
- [5168](event-5168.md)(F): SPN check for SMB/SMB2 failed.
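Review bot: in the Domain Controller Comments cell, "because its important to track deletion, creation, and modification events" should read "it's". The Workstation row also drops the serial comma ("modification and access attempts") that the Member Server row uses ("modification, and access attempts"); the two cells are otherwise identical, so they should be made uniform.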


@ -1,58 +0,0 @@
---
title: Audit File System (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects.
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit File System
**Applies to**
- Windows 10
- Windows Server 2016
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
Audit events are generated only for objects that have configured system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.
**Event volume**: Varies, depending on how file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s are configured.
No audit events are generated for the default file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s.
This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions.
Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific file system objects.<br>Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. |
| Member Server | IF | IF | IF | IF | |
| Workstation | IF | IF | IF | IF | |
**Events List:**
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4663](event-4663.md)(S): An attempt was made to access an object.
- [4664](event-4664.md)(S): An attempt was made to create a hard link.
- [4985](event-4985.md)(S): The state of a transaction has changed.
- [5051](event-5051.md)(-): A file was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.
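Review bot: the Member Server and Workstation rows are set to IF in all four columns but have empty Comments cells; the guidance in the Domain Controller cell (develop a File System Security Monitoring policy and define SACLs before enabling the subcategory, and remove non-effective SACLs) is what makes IF actionable, so the empty cells should carry it or point to it. In the events list, 4670 is appended after 5051 rather than placed in numeric order. Also, "file system object deletion and permissions change operations and hard link creation actions" needs a comma after "deletion".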


@ -1,52 +0,0 @@
---
title: Audit Filtering Platform Connection (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Filtering Platform Connection
**Applies to**
- Windows 10
- Windows Server 2016
Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx).
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and blocked to accept incoming connections applications.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
| Member Server | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
| Workstation | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
**Events List:**
- [5031](event-5031.md)(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
- [5150](event-5150.md)(-): The Windows Filtering Platform blocked a packet.
- [5151](event-5151.md)(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
- [5154](event-5154.md)(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- [5155](event-5155.md)(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
- [5156](event-5156.md)(S): The Windows Filtering Platform has permitted a connection.
- [5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection.
- [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port.
- [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port.
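Review bot: "blocked to accept incoming connections applications" in the "This subcategory contains Windows Filtering Platform events about..." paragraph is garbled; it should read along the lines of "applications blocked from accepting incoming connections", which is what event 5031 in the list describes. In the three identical Comments cells, "Enable Success audit in case you need to monitor" should be "if you need to monitor".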


@ -1,38 +0,0 @@
---
title: Audit Filtering Platform Packet Drop (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
ms.assetid: 95457601-68d1-4385-af20-87916ddab906
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Filtering Platform Packet Drop
**Applies to**
- Windows 10
- Windows Server 2016
Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx).
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
A high rate of dropped packets *may* indicate that there have been attempts to gain unauthorized access to computers on your network.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
| Member Server | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
| Workstation | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
**Events List:**
- [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet.
- [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet.


@ -1,118 +0,0 @@
---
title: Audit Filtering Platform Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Filtering Platform Policy Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following:
- IPsec services status.
- Changes to IPsec policy settings.
- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
- Changes to WFP providers and engine.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
This subcategory is outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. |
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
## 4709(S): IPsec Services was started.
## 4710(S): IPsec Services was disabled.
## 4711(S): May contain any one of the following:
## 4712(F): IPsec Services encountered a potentially serious failure.
## 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
## 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
## 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
## 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
## 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
## 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
## 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
## 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
## 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
## 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
## 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
## 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
## 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
## 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
## 5446(S): A Windows Filtering Platform callout has been changed.
## 5448(S): A Windows Filtering Platform provider has been changed.
## 5449(S): A Windows Filtering Platform provider context has been changed.
## 5450(S): A Windows Filtering Platform sub-layer has been changed.
## 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
## 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
## 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
## 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
## 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
## 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
## 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
## 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
## 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
## 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
## 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
## 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
## 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
## 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
## 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
## 5477(F): PAStore Engine failed to add quick mode filter.
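Review bot: the heading `## 4711(S): May contain any one of the following:` ends on a colon with nothing after it; the list of message variants it promises is missing, so either restore those variants under the heading or replace it with the event's real title. Related: every event from 4709 through 5477 is a bare heading with no body, while the table and the line above it say only "This subcategory is outside the scope of this document"; if the page is intentionally a stub, say so once under an "Events" heading instead of shipping roughly fifty empty sections.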


@ -1,95 +0,0 @@
---
title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting.
ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting.
## Reference
You can manage your audit policy in a more precise way by using audit policy subcategories.
There are over 40 auditing subcategories that provide precise details about activities on a device. For info about these subcategories, see the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
### Possible values
- Enabled
- Disabled
### Best practices
- Leave the setting enabled. This provides the ability to audit events at the category level without revising a policy.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Enabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy
All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
### Auditing
To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.
If the category level audit policy that is set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.
### Command-line tools
You can use auditpol.exe to display and manage audit policies from a command prompt.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events, and the key information that needed to be audited was difficult to find.
### Countermeasure
Enable audit policy subcategories as needed to track specific events.
### Potential impacts
If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the
**SCENoApplyLegacyAuditPolicy** key.
> **Important:**  Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance.
 
## Related topics
- [Security Options](security-options.md)
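Review bot: the Best practices rationale `- Leave the setting enabled. This provides the ability to audit events at the category level without revising a policy.` contradicts the setting it describes: enabling it is what lets subcategory settings override category settings, so the benefit is finer-grained auditing at the subcategory level, which is exactly what the Reference section says ("You can manage your audit policy in a more precise way by using audit policy subcategories"); change "category level" to "subcategory level". Also, in the Auditing section `...the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy...` is not a sentence (stray comma, no verb for the subject), and in Potential impacts the sentence is broken across `you must first disable the` / `**SCENoApplyLegacyAuditPolicy** key.`; the same object is called a "registry value" in one place and a "key" in the other, so pick one. The apostrophe was dropped in "policys property page".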
 
 


@ -1,44 +0,0 @@
---
title: Audit Group Membership (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Group Membership
**Applies to**
- Windows 10
- Windows Server 2016
Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
You must also enable the [Audit Logon](audit-logon.md) subcategory.
Multiple events are generated if the group membership information cannot fit in a single security audit event
**Event volume**:
- Low on a client computer.
- Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4627](event-4627.md)(S): Group membership information.
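Review bot: `Multiple events are generated if the group membership information cannot fit in a single security audit event` has no terminating period, and the table Comments read "logged in user" and "doesnt" (apostrophe lost from "doesn't"). The Comments also send the reader to "***Security Monitoring Recommendations*** sections" that are not on this page: the Events List names 4627 and nothing follows it, so either add the 4627 section with those recommendations or point at the event topic itself.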


@ -1,38 +0,0 @@
---
title: Audit Handle Manipulation (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Handle Manipulation
**Applies to**
- Windows 10
- Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
**Events List:**
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
## 4658(S): The handle to an object was closed.
This event doesnt generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory.
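Review bot: the Events List names both 4658 and 4690, but only 4658 gets a section, and that section says the event "doesnt generate in this subcategory", which contradicts listing it as one of this subcategory's events; phrase it as the intro does, that enabling Audit Handle Manipulation is what allows the other listed subcategories to emit 4658, and add the missing 4690 section, since handle duplication is the event that actually belongs here. In the intro, "objects handle duplication" should read "object handle duplication", and "doesnt" lost its apostrophe.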


@ -1,66 +0,0 @@
---
title: Audit IPsec Driver (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver.
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit IPsec Driver
**Applies to**
- Windows 10
- Windows Server 2016
Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
- Startup and shutdown of the IPsec services.
- Network packets dropped due to integrity check failure.
- Network packets dropped due to replay check failure.
- Network packets dropped due to being in plaintext.
- Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
- Inability to process IPsec filters.
A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter.
This subcategory is outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
## 5478(S): IPsec Services has started successfully.
## 5479(): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
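Review bot: `## 5479(): IPsec Services has been shut down successfully.` has an empty success/failure tag while every other heading on the page carries (S) or (F); fill it in. Events 4960 through 4965 are tagged (S) even though the page itself says they can indicate "a replay attack against this computer" or "a spoofing attack attempt"; by this document's convention (S) events appear only under Success auditing, so a reader who enables Failure auditing to catch dropped packets gets nothing, and one sentence saying so under the table would prevent that mistake. Minor: "IPSec driver" in the intro versus "IPsec" everywhere else.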


@ -1,42 +0,0 @@
---
title: Audit IPsec Extended Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit IPsec Extended Mode
**Applies to**
- Windows 10
- Windows Server 2016
Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
## 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 4979: IPsec Main Mode and Extended Mode security associations were established.
## 4980: IPsec Main Mode and Extended Mode security associations were established.
## 4981: IPsec Main Mode and Extended Mode security associations were established.
## 4982: IPsec Main Mode and Extended Mode security associations were established.
## 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
## 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
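Review bot: the headings 4978 through 4984 carry no (S)/(F) tag, unlike the other subcategory pages in this commit, and 4979, 4980, 4981 and 4982 all repeat the identical text "IPsec Main Mode and Extended Mode security associations were established" (4983 and 4984 likewise), so the list gives the reader no way to tell the events apart; either include the distinguishing message text for each or collapse them into one line that lists the IDs. The table value "IF" fills all twelve cells and is echoed in the Comments as "IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting..." but is never defined on the page.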


@ -1,46 +0,0 @@
---
title: Audit IPsec Main Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit IPsec Main Mode
**Applies to**
- Windows 10
- Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
## 4646: Security ID: %1
## 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
## 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
## 4652: An IPsec Main Mode negotiation failed.
## 4653: An IPsec Main Mode negotiation failed.
## 4655: An IPsec Main Mode security association ended.
## 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5049: An IPsec Security Association was deleted.
## 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
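Review bot: `## 4646: Security ID: %1` is an unexpanded message-template placeholder, not an event description, and should get the event's real title or be dropped. 4652 and 4653 both read "An IPsec Main Mode negotiation failed." with nothing to distinguish them, none of the headings here carry the (S)/(F) tag used on the other subcategory pages, and the table value "IF" is not defined anywhere on the page.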


@ -1,34 +0,0 @@
---
title: Audit IPsec Quick Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit IPsec Quick Mode
**Applies to**
- Windows 10
- Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
## 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5451: An IPsec Quick Mode security association was established.
## 5452: An IPsec Quick Mode security association ended.
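Review bot: the three event headings 4977, 5451 and 5452 lack the (S)/(F) tag used on the other subcategory pages, and the table value "IF" is never defined; the Comments cell "IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting..." only repeats the sentence already given above the table, so define the abbreviation there instead.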


@ -1,40 +0,0 @@
---
title: Audit Kerberos Authentication Service (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Kerberos Authentication Service
**Applies to**
- Windows 10
- Windows Server 2016
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts.
**Event volume**: High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the users password has expired.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.<br>We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts. <br>Expected volume is high on domain controllers. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4768](event-4768.md)(S, F): A Kerberos authentication ticket (TGT) was requested.
- [4771](event-4771.md)(F): Kerberos pre-authentication failed.
- [4772](event-4772.md)(F): A Kerberos authentication ticket request failed.

@ -1,40 +0,0 @@
---
title: Audit Kerberos Service Ticket Operations (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Kerberos Service Ticket Operations
**Applies to**
- Windows 10
- Windows Server 2016
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity.
**Event volume**: Very High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued service tickets (TGS responses) and failed TGS requests.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos service ticket requests (TGS requests), which are part of service use and access requests by specific accounts. You can also see the IP address from which the account requested a service ticket, when it was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections of the individual event topics.<br>We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4769](event-4769.md)(S, F): A Kerberos service ticket was requested.
- [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
- [4773](event-4773.md)(F): A Kerberos service ticket request failed.
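The two Kerberos tables above (Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations) say these events let you see the requesting IP address, the encryption type and the failure reason, and that they can reveal attack attempts. The following is an added example of detection logic over such records; it is not code from the original documentation. The records are constructed to mirror the EventData fields of 4768, 4771 and 4769 (TargetUserName, IpAddress, Status, ServiceName, TicketEncryptionType); the Kerberos result codes and the RC4 encryption type value are the standard ones, while the thresholds and the ten-minute window are illustrative assumptions. The two detections are: one source IP failing pre-authentication for many different accounts (a password spray), and one account requesting RC4-encrypted service tickets for many distinct service accounts in a short time (the pattern of offline service-ticket cracking).

```python
"""Detections over constructed Kerberos KDC audit records (4768, 4771, 4769).

Added example, not code from the original documentation. The records below are
constructed to mirror the EventData fields of the real events; thresholds and
the time window are illustrative assumptions, not Microsoft guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Kerberos result codes as they appear in the Status field.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768: no such user name
KDC_ERR_CLIENT_REVOKED = "0x12"       # account disabled or locked out
KDC_ERR_KEY_EXPIRED = "0x17"          # 4771: password expired
KDC_ERR_PREAUTH_FAILED = "0x18"       # 4771: wrong password
# TicketEncryptionType value for RC4-HMAC (same digits as KDC_ERR_KEY_EXPIRED, different field).
RC4_HMAC = "0x17"

FAILURE_REASONS = {
    KDC_ERR_C_PRINCIPAL_UNKNOWN: "unknown user name",
    KDC_ERR_CLIENT_REVOKED: "account disabled or locked out",
    KDC_ERR_KEY_EXPIRED: "password expired",
    KDC_ERR_PREAUTH_FAILED: "wrong password",
}

def failure_reason(status):
    """Human-readable reason for a 4768/4771 failure Status."""
    return FAILURE_REASONS.get(status, "other (%s)" % status)

def _t(minute):
    return datetime(2017, 4, 19, 9, 0) + timedelta(minutes=minute)

def _rec(minute, event_id, user, ip, status="0x0", service=None, enc=None):
    """Constructed record shaped like the event's EventData."""
    return {"time": _t(minute), "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "Status": status, "ServiceName": service,
            "TicketEncryptionType": enc}

# Constructed sample log: one KDC, a few minutes of activity.
SAMPLE_EVENTS = (
    # Spray from 10.0.0.5: one wrong-password 4771 per account, five accounts in five minutes.
    [_rec(m, 4771, u, "10.0.0.5", KDC_ERR_PREAUTH_FAILED)
     for m, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    # bob mistyping his password twice on his own workstation, then getting a TGT.
    + [_rec(20, 4771, "bob", "10.0.0.9", KDC_ERR_PREAUTH_FAILED),
       _rec(21, 4771, "bob", "10.0.0.9", KDC_ERR_PREAUTH_FAILED),
       _rec(22, 4768, "bob", "10.0.0.9", "0x0", "krbtgt", "0x12")]
    # mallory requesting RC4 service tickets for four distinct service accounts.
    + [_rec(30 + i, 4769, "mallory", "10.0.0.5", "0x0", s, RC4_HMAC)
       for i, s in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_report"])]
    # Noise that must not trigger: a machine-account ticket and an AES ticket.
    + [_rec(34, 4769, "mallory", "10.0.0.5", "0x0", "file01$", RC4_HMAC),
       _rec(35, 4769, "alice", "10.0.0.7", "0x0", "svc_sql", "0x12")]
)

def _windowed_distinct(items, window):
    """items: (time, value) pairs. Largest set of distinct values inside any
    span no longer than `window`, with that span's (first, last) times."""
    items = sorted(items)
    best, best_span = set(), None
    for i, (start, _) in enumerate(items):
        seen, end = set(), start
        for t, v in items[i:]:
            if t - start > window:
                break
            seen.add(v)
            end = t
        if len(seen) > len(best):
            best, best_span = seen, (start, end)
    return best, best_span

def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """One source IP failing pre-authentication (bad password) for many accounts."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4771 and e["Status"] == KDC_ERR_PREAUTH_FAILED:
            by_ip[e["IpAddress"]].append((e["time"], e["TargetUserName"].lower()))
    hits = []
    for ip, items in sorted(by_ip.items()):
        users, span = _windowed_distinct(items, window)
        if len(users) >= min_users:
            hits.append({"ip": ip, "users": sorted(users), "first": span[0], "last": span[1]})
    return hits

def detect_rc4_ticket_burst(events, min_services=4, window=timedelta(minutes=10)):
    """One account obtaining RC4 service tickets for many distinct service accounts.
    Machine accounts (name$) and krbtgt are skipped: their keys are not guessable."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0" or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"].lower()].append((e["time"], svc.lower()))
    hits = []
    for user, items in sorted(by_user.items()):
        services, span = _windowed_distinct(items, window)
        if len(services) >= min_services:
            hits.append({"user": user, "services": sorted(services), "first": span[0], "last": span[1]})
    return hits

if __name__ == "__main__":
    for h in detect_password_spray(SAMPLE_EVENTS):
        print("spray from %s: %d accounts, %s to %s" % (h["ip"], len(h["users"]), h["first"], h["last"]))
    for h in detect_rc4_ticket_burst(SAMPLE_EVENTS):
        print("RC4 ticket burst by %s: %s" % (h["user"], ", ".join(h["services"])))
```

Against a real domain controller the same functions apply to records pulled from the Security log (for example with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769,4771}` and the EventData fields mapped into the same dictionary keys); note that real 4769 records carry the client address as `::ffff:10.0.0.5`, so strip the IPv4-mapped prefix before grouping by IP.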

@ -1,46 +0,0 @@
---
title: Audit Kernel Object (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Kernel Object
**Applies to**
- Windows 10
- Windows Server 2016
Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
Only kernel objects with a matching system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) generate security audit events. The audits generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.
The “[Audit: Audit the access of global system objects](https://technet.microsoft.com/en-us/library/jj852233.aspx)” policy setting controls the default SACL of kernel objects.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
| Member Server | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
| Workstation | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
**Events List:**
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4663](event-4663.md)(S): An attempt was made to access an object.

@ -1,42 +0,0 @@
---
title: Audit Logoff (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated.
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Logoff
**Applies to**
- Windows 10
- Windows Server 2016
Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to.
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated.
**Event volume**: Low.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | Yes | No | This subcategory typically generates a huge number of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit logon events using the [Audit Logon](audit-logon.md) subcategory than logoff events.<br>Enable Success auditing if you want to track, for example, how long a session was active (by correlating with [Audit Logon](audit-logon.md) events) and when the user actually logged off.<br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | Yes | No | This subcategory typically generates a huge number of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit logon events using the [Audit Logon](audit-logon.md) subcategory than logoff events.<br>Enable Success auditing if you want to track, for example, how long a session was active (by correlating with [Audit Logon](audit-logon.md) events) and when the user actually logged off.<br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | Yes | No | This subcategory typically generates a huge number of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit logon events using the [Audit Logon](audit-logon.md) subcategory than logoff events.<br>Enable Success auditing if you want to track, for example, how long a session was active (by correlating with [Audit Logon](audit-logon.md) events) and when the user actually logged off.<br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4634](event-4634.md)(S): An account was logged off.
- [4647](event-4647.md)(S): User initiated logoff.

@ -1,54 +0,0 @@
---
title: Audit Logon (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Logon
**Applies to**
- Windows 10
- Windows Server 2016
Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed.
The following events are recorded:
- Logon success and failure.
- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the **RunAs** command.
- Security identifiers (SIDs) are filtered.
Logon events are essential to tracking user activity and detecting potential attacks.
**Event volume**:
- Low on a client computer.
- Medium on domain controllers or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
| Member Server | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
| Workstation | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
**Events List:**
- [4624](event-4624.md)(S): An account was successfully logged on.
- [4625](event-4625.md)(F): An account failed to log on.
- [4648](event-4648.md)(S): A logon was attempted using explicit credentials.
- [4675](event-4675.md)(S): SIDs were filtered.
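The Audit Logoff table above recommends correlating 4634/4647 with 4624 to see how long a session was active, and warns that a logoff event may never arrive (for example when the computer is powered off); the Audit Logon text says failure events show which logon attempts failed and why. The following is an added example of that correlation and a failure summary; it is not code from the original documentation. The records are constructed to mirror the EventData fields of 4624, 4625, 4634 and 4647 (TargetLogonId, TargetUserName, LogonType, IpAddress, SubStatus); the LogonType and NTSTATUS SubStatus mappings are the standard Windows values.

```python
"""Correlate logon (4624) with logoff (4634/4647) by logon ID and summarise
failed logons (4625) by source and reason.

Added example, not code from the original documentation. Records are constructed
to mirror the EventData fields of the real events; the LogonType and NTSTATUS
mappings are the standard Windows values.
"""
from collections import Counter
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}

# 4625 SubStatus codes that say why a logon failed.
NTSTATUS_REASONS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC0000071": "password expired",
}

def _t(minute):
    return datetime(2017, 4, 19, 8, 0) + timedelta(minutes=minute)

# Constructed sample log from one member server.
SAMPLE_EVENTS = [
    {"time": _t(0), "EventID": 4624, "TargetLogonId": "0x3e7a1", "TargetUserName": "alice",
     "LogonType": 10, "IpAddress": "10.0.0.20"},
    {"time": _t(5), "EventID": 4624, "TargetLogonId": "0x3e9c2", "TargetUserName": "bob",
     "LogonType": 3, "IpAddress": "10.0.0.21"},
    {"time": _t(6), "EventID": 4634, "TargetLogonId": "0x3e9c2"},
    {"time": _t(7), "EventID": 4634, "TargetLogonId": "0x9999"},    # logon predates the log
    {"time": _t(45), "EventID": 4647, "TargetLogonId": "0x3e7a1"},  # user-initiated logoff
    {"time": _t(50), "EventID": 4624, "TargetLogonId": "0x3f001", "TargetUserName": "carol",
     "LogonType": 2, "IpAddress": "-"},                             # never logged off
] + [
    {"time": _t(60 + i), "EventID": 4625, "TargetUserName": "admin",
     "IpAddress": "10.0.0.99", "SubStatus": "0xC000006A"} for i in range(3)
] + [
    {"time": _t(63), "EventID": 4625, "TargetUserName": "root",
     "IpAddress": "10.0.0.99", "SubStatus": "0xC0000064"},
]

def correlate_sessions(events):
    """Pair each 4624 with the 4634/4647 carrying the same TargetLogonId.

    Returns (sessions, orphan_logoffs). A session whose "end" is still None had
    no logoff recorded (for example, the machine was powered off), which is the
    gap the Audit Logoff text warns about. Orphans are logoffs for logon IDs the
    log never saw logged on, e.g. sessions older than the log's retention."""
    sessions, orphans = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["EventID"] == 4624:
            sessions[e["TargetLogonId"]] = {
                "logon_id": e["TargetLogonId"], "user": e["TargetUserName"],
                "logon_type": LOGON_TYPES.get(e["LogonType"], str(e["LogonType"])),
                "ip": e["IpAddress"], "start": e["time"], "end": None, "closed_by": None}
        elif e["EventID"] in (4634, 4647):
            s = sessions.get(e["TargetLogonId"])
            if s is None:
                orphans.append(e)
                continue
            # Interactive logoffs log 4647 first and 4634 when the session is torn
            # down; keep the first closing event ID and the latest time.
            s["closed_by"] = s["closed_by"] or e["EventID"]
            s["end"] = e["time"]
    return sorted(sessions.values(), key=lambda s: s["start"]), orphans

def session_duration(session):
    """timedelta for a closed session, None when no logoff was recorded."""
    return None if session["end"] is None else session["end"] - session["start"]

def open_sessions(sessions):
    return [s for s in sessions if s["end"] is None]

def failed_logons(events):
    """Count 4625 by (source IP, account, reason) so repeated bad passwords from
    one host and guesses at non-existent accounts stand out separately."""
    counts = Counter()
    for e in events:
        if e["EventID"] == 4625:
            reason = NTSTATUS_REASONS.get(e["SubStatus"], e["SubStatus"])
            counts[(e["IpAddress"], e["TargetUserName"], reason)] += 1
    return counts

if __name__ == "__main__":
    sessions, orphans = correlate_sessions(SAMPLE_EVENTS)
    for s in sessions:
        print(s["user"], s["logon_type"], s["ip"],
              session_duration(s) if s["end"] else "still open")
    print("orphan logoffs:", [o["TargetLogonId"] for o in orphans])
    for key, n in failed_logons(SAMPLE_EVENTS).most_common():
        print("%dx failed: %s" % (n, key))
```

Sessions that stay open in this output are the ones the Audit Logoff text describes: there is no failure event for a logoff that never happened, so "no 4634/4647 yet" can only be inferred from the absence of the matching logon ID.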

@ -1,74 +0,0 @@
---
title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit MPSSVC Rule-Level Policy Change
**Applies to**
- Windows 10
- Windows Server 2016
Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer's threat protection against malware. The tracked activities include:
- Active policies when the Windows Firewall service starts.
- Changes to Windows Firewall rules.
- Changes to the Windows Firewall exception list.
- Changes to Windows Firewall settings.
- Rules ignored or not applied by the Windows Firewall service.
- Changes to Windows Firewall Group Policy settings.
Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
**Event volume**: Medium.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | Success events show you changes in Windows Firewall rules and settings, the active configuration and rules after Windows Firewall service startup, and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
| Member Server | Yes | Yes | Yes | Yes | Success events show you changes in Windows Firewall rules and settings, the active configuration and rules after Windows Firewall service startup, and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
| Workstation | Yes | Yes | Yes | Yes | Success events show you changes in Windows Firewall rules and settings, the active configuration and rules after Windows Firewall service startup, and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
**Events List:**
- [4944](event-4944.md)(S): The following policy was active when the Windows Firewall started.
- [4945](event-4945.md)(S): A rule was listed when the Windows Firewall started.
- [4946](event-4946.md)(S): A change has been made to Windows Firewall exception list. A rule was added.
- [4947](event-4947.md)(S): A change has been made to Windows Firewall exception list. A rule was modified.
- [4948](event-4948.md)(S): A change has been made to Windows Firewall exception list. A rule was deleted.
- [4949](event-4949.md)(S): Windows Firewall settings were restored to the default values.
- [4950](event-4950.md)(S): A Windows Firewall setting has changed.
- [4951](event-4951.md)(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
- [4952](event-4952.md)(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
- [4953](event-4953.md)(F): A rule has been ignored by Windows Firewall because it could not parse the rule.
- [4954](event-4954.md)(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
- [4956](event-4956.md)(S): Windows Firewall has changed the active profile.
- [4957](event-4957.md)(F): Windows Firewall did not apply the following rule:
- [4958](event-4958.md)(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

@ -1,54 +0,0 @@
---
title: Audit Network Policy Server (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Network Policy Server
**Applies to**
- Windows 10
- Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
This subcategory generates events only if the Network Policy Server (NPS, formerly IAS) role is installed on the server. The NAP server role was removed in Windows Server 2016, so the NAP health-policy events (6276 through 6278) are only produced by earlier server versions.
NAP events can be used to help understand the overall health of the network.
**Event volume**: Medium to High on servers that are running [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS).
Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF - if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF - if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Workstation | No | No | No | No | The [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role cannot be installed on a client OS. |
**Events List:**
- 6272: Network Policy Server granted access to a user.
- 6273: Network Policy Server denied access to a user.
- 6274: Network Policy Server discarded the request for a user.
- 6275: Network Policy Server discarded the accounting request for a user.
- 6276: Network Policy Server quarantined a user.
- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
- 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
- 6280: Network Policy Server unlocked the user account.

@ -1,84 +0,0 @@
---
title: Audit Non Sensitive Privilege Use (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Non Sensitive Privilege Use
**Applies to**
- Windows 10
- Windows Server 2016
Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
- Access Credential Manager as a trusted caller
- Add workstations to domain
- Adjust memory quotas for a process
- Bypass traverse checking
- Change the system time
- Change the time zone
- Create a page file
- Create global objects
- Create permanent shared objects
- Create symbolic links
- Force shutdown from a remote system
- Increase a process working set
- Increase scheduling priority
- Lock pages in memory
- Modify an object label
- Perform volume maintenance tasks
- Profile single process
- Profile system performance
- Remove computer from docking station
- Shut down the system
- Synchronize directory service data
This subcategory also contains informational events from the file system Transaction Manager (event 4985).
If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts.
**Event volume**: Very High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from the [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF - You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
| Member Server | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from the [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF - You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
| Workstation | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from the [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF - You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
**Events List:**
- [4673](event-4673.md)(S, F): A privileged service was called.
- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
- [4985](event-4985.md)(S): The state of a transaction has changed.

@ -1,28 +0,0 @@
---
title: Audit Other Account Logon Events (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Other Account Logon Events
**Applies to**
- Windows 10
- Windows Server 2016
**General Subcategory Information:**
This auditing subcategory does not contain any events. It is intended for future use.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |

@ -1,40 +0,0 @@
---
title: Audit Other Account Management Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events.
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Other Account Management Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other Account Management Events determines whether the operating system generates user account management audit events.
**Event volume:** Typically Low on all types of computers.
This subcategory allows you to audit the following events:
- The password hash of a user account was accessed. This happens during a password migration by the Active Directory Migration Tool (ADMT).
- The Password Policy Checking API was called. The Password Policy Checking API allows an application to check password compliance against an application-provided account database or a single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”<br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | The only event generated on member servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”; this is a typical informational event with little to no security relevance. <br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | No | No | The only event generated on workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”; this is a typical informational event with little to no security relevance. <br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4782](event-4782.md)(S): The password hash an account was accessed.
- [4793](event-4793.md)(S): The Password Policy Checking API was called.

@ -1,66 +0,0 @@
---
title: Audit Other Logon/Logoff Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events.
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Other Logon/Logoff Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
These other logon or logoff events include:
- A Remote Desktop session connects or disconnects.
- A workstation is locked or unlocked.
- A screen saver is invoked or dismissed.
- A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
- A user is granted access to a wireless network. It can be either a user account or the computer account.
- A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.
Logon events are essential to understanding user activity and detecting potential attacks.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
**Events List:**
- [4649](event-4649.md)(S): A replay attack was detected.
- [4778](event-4778.md)(S): A session was reconnected to a Window Station.
- [4779](event-4779.md)(S): A session was disconnected from a Window Station.
- [4800](event-4800.md)(S): The workstation was locked.
- [4801](event-4801.md)(S): The workstation was unlocked.
- [4802](event-4802.md)(S): The screen saver was invoked.
- [4803](event-4803.md)(S): The screen saver was dismissed.
- [5378](event-5378.md)(F): The requested credentials delegation was disallowed by policy.
- [5632](event-5632.md)(S): A request was made to authenticate to a wireless network.
- [5633](event-5633.md)(S): A request was made to authenticate to a wired network.
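Review bot: the Comments cells of this hunk's table read "when requested credentials [CredSSP] delegation was disallowed by policy", which is hard to parse; suggest "when a requested CredSSP credentials delegation was disallowed by policy", matching the wording of event 5378 in the list below. Separately, this hunk removes the whole topic under a commit titled "New TOC for docs.microsoft.com"; sibling topics reference each other by relative path (for example `event-4649.md`), so the deletion should be paired with the same file added under the new path, or those links will break.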


@ -1,54 +0,0 @@
---
title: Audit Other Object Access Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Other Object Access Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
**Events List:**
- [4671](event-4671.md)(-): An application attempted to access a blocked ordinal through the TBS.
- [4691](event-4691.md)(S): Indirect access to an object was requested.
- [5148](event-5148.md)(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
- [5149](event-5149.md)(F): The DoS attack has subsided and normal processing is being resumed.
- [4698](event-4698.md)(S): A scheduled task was created.
- [4699](event-4699.md)(S): A scheduled task was deleted.
- [4700](event-4700.md)(S): A scheduled task was enabled.
- [4701](event-4701.md)(S): A scheduled task was disabled.
- [4702](event-4702.md)(S): A scheduled task was updated.
- [5888](event-5888.md)(S): An object in the COM+ Catalog was modified.
- [5889](event-5889.md)(S): An object was deleted from the COM+ Catalog.
- [5890](event-5890.md)(S): An object was added to the COM+ Catalog.
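Review bot: "ICPM DoS attack" in all three Comments cells is a typo for "ICMP DoS attack"; the 5148/5149 entries in the list describe the Windows Filtering Platform DoS detection these cells refer to. Also, the events list is not in numeric order (5148/5149 sit between 4691 and 4698), which makes it harder to scan than the other topics in this commit.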


@ -1,62 +0,0 @@
---
title: Audit Other Policy Change Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Other Policy Change Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
| Member Server | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
| Workstation | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
**Events List:**
- [4714](event-4714.md)(S): Encrypted data recovery policy was changed.
- [4819](event-4819.md)(S): Central Access Policies on the machine have been changed.
- [4826](event-4826.md)(S): Boot Configuration Data loaded.
- [4909](event-4909.md)(-): The local policy settings for the TBS were changed.
- [4910](event-4910.md)(-): The group policy settings for the TBS were changed.
- [5063](event-5063.md)(S, F): A cryptographic provider operation was attempted.
- [5064](event-5064.md)(S, F): A cryptographic context operation was attempted.
- [5065](event-5065.md)(S, F): A cryptographic context modification was attempted.
- [5066](event-5066.md)(S, F): A cryptographic function operation was attempted.
- [5067](event-5067.md)(S, F): A cryptographic function modification was attempted.
- [5068](event-5068.md)(S, F): A cryptographic function provider operation was attempted.
- [5069](event-5069.md)(S, F): A cryptographic function property operation was attempted.
- [5070](event-5070.md)(S, F): A cryptographic function property modification was attempted.
- [5447](event-5447.md)(S): A Windows Filtering Platform filter has been changed.
- [6144](event-6144.md)(S): Security policy in the group policy objects has been applied successfully.
- [6145](event-6145.md)(F): One or more errors occurred while processing security policy in the group policy objects.
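Review bot: the opening sentence of this hunk runs several items together without parallel structure ("changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings"); suggest "changes to Windows Filtering Platform filters, the status of security policy updates applied from Group Policy, Central Access Policy changes, ...". The "IF" text in the table also says this subcategory is needed to monitor "changes in Boot Configuration Data", but the only BCD event listed is 4826 "Boot Configuration Data loaded"; the wording should say "loading" rather than "changes".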


@ -1,32 +0,0 @@
---
title: Audit Other Privilege Use Events (Windows 10)
description: This security policy setting is not used.
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Other Privilege Use Events
**Applies to**
- Windows 10
- Windows Server 2016
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
| Domain Controller | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
| Member Server | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
| Workstation | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
**Events List:**
- [4985](event-4674.md)(S): The state of a transaction has changed.
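Review bot: the single list entry links event 4985 to `event-4674.md`, which does not follow the `event-<id>.md` pattern every other topic in this commit uses for its own id; the target should be the 4985 topic. The Comments cells also render "doesnt" without an apostrophe in all three rows; if that is in the source rather than an extraction artifact it should be "doesn't".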


@ -1,88 +0,0 @@
---
title: Audit Other System Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events.
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Other System Events
**Applies to**
- Windows 10
- Windows Server 2016
Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures.
Audit Other System Events determines whether the operating system audits various system events.
The system events in this category include:
- Startup and shutdown of the Windows Firewall service and driver.
- Security policy processing by the Windows Firewall service.
- Cryptography key file and migration operations.
- BranchCache events.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
| Member Server | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
| Workstation | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
**Events List:**
- [5024](event-5024.md)(S): The Windows Firewall Service has started successfully.
- [5025](event-5025.md)(S): The Windows Firewall Service has been stopped.
- [5027](event-5027.md)(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
- [5028](event-5028.md)(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
- [5029](event-5029.md)(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
- [5030](event-5030.md)(F): The Windows Firewall Service failed to start.
- [5032](event-5032.md)(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
- [5033](event-5033.md)(S): The Windows Firewall Driver has started successfully.
- [5034](event-5034.md)(S): The Windows Firewall Driver was stopped.
- [5035](event-5035.md)(F): The Windows Firewall Driver failed to start.
- [5037](event-5037.md)(F): The Windows Firewall Driver detected critical runtime error. Terminating.
- [5058](event-5058.md)(S, F): Key file operation.
- [5059](event-5059.md)(S, F): Key migration operation.
- [6400](event-6400.md)(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
- [6401](event-6401.md)(-): BranchCache: Received invalid data from a peer. Data discarded.
- [6402](event-6402.md)(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
- [6403](event-6403.md)(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
- [6404](event-6404.md)(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
- [6405](event-6405.md)(-): BranchCache: %2 instance(s) of event id %1 occurred.
- [6406](event-6406.md)(-): %1 registered to Windows Firewall to control filtering for the following: %2
- [6407](event-6407.md)(-): 1%
- [6408](event-6408.md)(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2
- [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed.
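Review bot: the 6409 entry links to `event-6408.md`, the same target as the 6408 entry directly above it, so one of the two links is wrong. The 6407 description is just "1%", which looks like a mangled message-template insert, and 6405, 6406 and 6408 carry raw `%1`/`%2` placeholders; these should be replaced with descriptive text or explicitly labelled as message templates. The first two body sentences of the hunk also both introduce the subcategory; the second ("determines whether the operating system audits various system events") repeats the frontmatter description and can be dropped.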


@ -1,46 +0,0 @@
---
title: Audit PNP Activity (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device.
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit PNP Activity
**Applies to**
- Windows 10
- Windows Server 2016
Audit PNP Activity determines when Plug and Play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
**Event volume**: Varies, depending on how the computer is used. Typically Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [6416](event-6416.md)(S): A new external device was recognized by the System
- [6419](event-6419.md)(S): A request was made to disable a device
- [6420](event-6420.md)(S): A device was disabled.
- [6421](event-6421.md)(S): A request was made to enable a device.
- [6422](event-6422.md)(S): A device was enabled.
- [6423](event-6423.md)(S): The installation of this device is forbidden by system policy.
- [6424](event-6424.md)(S): The installation of this device was allowed, after having previously been forbidden by policy.
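Review bot: the 6416 and 6419 entries lack the terminating period that the other five entries in the list have; make the punctuation consistent.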


@ -1,37 +0,0 @@
---
title: Audit Policy (Windows 10)
description: Provides information about basic audit policies that are available in Windows and links to information about each setting.
ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Policy
**Applies to**
- Windows 10
Provides information about basic audit policies that are available in Windows and links to information about each setting.
The security audit policy settings under **Security Settings\\Local Policies\\Audit Policy** provide broad security audit capabilities for client devices and servers that cannot use advanced security audit policy settings.
The basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** are:
- [Audit account logon events](basic-audit-account-logon-events.md)
- [Audit account management](basic-audit-account-management.md)
- [Audit directory service access](basic-audit-directory-service-access.md)
- [Audit logon events](basic-audit-logon-events.md)
- [Audit object access](basic-audit-object-access.md)
- [Audit policy change](basic-audit-policy-change.md)
- [Audit privilege use](basic-audit-privilege-use.md)
- [Audit process tracking](basic-audit-process-tracking.md)
- [Audit system events](basic-audit-system-events.md)
## Related topics
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
- [Security auditing](security-auditing-overview.md)
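Review bot: the first body sentence of this hunk ("Provides information about basic audit policies ...") repeats the frontmatter description verbatim and has no subject; suggest "This topic provides information about ...". The sentence "provide broad security audit capabilities for client devices and servers that cannot use advanced security audit policy settings" should also say why a device cannot use them, or drop the qualifier, since the advanced settings are documented in the sibling topics of this same commit.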
 
 


@ -1,38 +0,0 @@
---
title: Audit Process Creation (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts).
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Process Creation
**Applies to**
- Windows 10
- Windows Server 2016
Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).
These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process.
**Event volume**: Low to Medium, depending on system usage.
This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4688](event-4688.md)(S): A new process has been created.
- [4696](event-4696.md)(S): A primary token was assigned to process.
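Review bot: the stated "Event volume: Low to Medium" conflicts with all three Comments cells, which say "The event volume is typically medium-high"; pick one. The two sentences "These audit events can help you track user activity ... Information includes the name of the program or the user that created the process" and "This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited" say the same thing and one should go. In the Comments cells, "to find information who, when and with which options\\parameters ran specific process" should read "to find out who ran a specific process, when, and with which options or parameters".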


@ -1,36 +0,0 @@
---
title: Audit Process Termination (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process.
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Process Termination
**Applies to**
- Windows 10
- Windows Server 2016
Audit Process Termination determines whether the operating system generates audit events when process has exited.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
This policy setting can help you track user activity and understand how the computer is used.
**Event volume**: Low to Medium, depending on system usage.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4689](event-4689.md)(S): A process has exited.
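Review bot: "Success audits record successful attempts and Failure audits record unsuccessful attempts" contradicts the Comments cells, which state that this subcategory has no Failure events; drop the sentence or limit it to Success. The first body sentence also needs an article ("when a process has exited"), and in the Comments cells "get information about for how long process was run" should read "determine how long a process ran by correlating with the 4688 event".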


@ -1,46 +0,0 @@
---
title: Audit Registry (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects.
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Registry
**Applies to**
- Windows 10
- Windows Server 2016
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL.
**Event volume**: Low to Medium, depending on how registry SACLs are configured.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific registry objects.<br>Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. |
| Member Server | IF | IF | IF | IF | |
| Workstation | IF | IF | IF | IF | |
**Events List:**
- [4663](event-4663.md)(S): An attempt was made to access an object.
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4657](event-4657.md)(S): A registry value was modified.
- [5039](event-5039.md)(-): A registry key was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.
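Review bot: the Member Server and Workstation rows have empty Comments cells while the Domain Controller row carries guidance that plainly applies to all three (develop a monitoring policy and define SACLs before enabling); either repeat the text or state "Same as Domain Controller" so the rows are not read as having no recommendation. The events list is also out of numeric order (4663 before 4656, 4657 after 4660), unlike the other topics in this commit.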
