From 368cadb75f48b908fe2e5013e385af50bd7db9e9 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 25 Apr 2023 18:07:47 -0400
Subject: [PATCH] updates

---
 windows/security/TOC.yml | 99 +----------------
 .../additional-mitigations.md | 1 -
 windows/security/identity-protection/toc.yml | 102 ++++++++++++++++++
 3 files changed, 103 insertions(+), 99 deletions(-)
 create mode 100644 windows/security/identity-protection/toc.yml

diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 1bd19e107d..73cbaf7b9b 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -327,104 +327,7 @@
 - name: Windows Credential Theft Mitigation Guide Abstract
 href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
 - name: User security and secured identity
- items:
- - name: Overview
- href: identity.md
- - name: Windows credential theft mitigation guide
- href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
- - name: Passwordless
- items:
- - name: Windows Hello for Business ⇒
- href: identity-protection/hello-for-business/index.yml
- - name: FIDO 2 security keys
- href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key?context=/windows/security/context/context
- - name: Local Administrator Password Solution (LAPS)
- href: /windows-server/identity/laps/laps-overview?context=/windows/security/context/context
- - name: Enterprise Certificate Pinning
- href: identity-protection/enterprise-certificate-pinning.md
- - name: Credential Guard
- items:
- - name: Protect derived domain credentials with Credential Guard
- href: identity-protection/credential-guard/credential-guard.md
- - name: How Credential Guard works
- href: identity-protection/credential-guard/credential-guard-how-it-works.md
- - name: Requirements
- href: identity-protection/credential-guard/credential-guard-requirements.md
- - name: Manage Credential Guard
- href: identity-protection/credential-guard/credential-guard-manage.md
- - name: Credential Guard protection limits
- href: identity-protection/credential-guard/credential-guard-protection-limits.md
- - name: Considerations when using Credential Guard
- href: identity-protection/credential-guard/credential-guard-considerations.md
- - name: Additional mitigations
- href: identity-protection/credential-guard/additional-mitigations.md
- - name: Known issues
- href: identity-protection/credential-guard/credential-guard-known-issues.md
- - name: Remote Credential Guard
- href: identity-protection/remote-credential-guard.md
- - name: Configuring
LSA Protection
- href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
- - name: Technical support policy for lost or forgotten passwords
- href: identity-protection/password-support-policy.md
- - name: Access Control
- items:
- - name: Overview
- href: identity-protection/access-control/access-control.md
- - name: Local Accounts
- href: identity-protection/access-control/local-accounts.md
- - name: User Account Control (UAC)
- items:
- - name: Overview
- href: identity-protection/user-account-control/user-account-control-overview.md
- - name: How User Account Control works
- href: identity-protection/user-account-control/how-user-account-control-works.md
- - name: User Account Control security policy settings
- href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
- - name: User Account Control Group Policy and registry key settings
- href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
- - name: Smart Cards
- href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
- items:
- - name: How Smart Card Sign-in Works in Windows
- href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
- items:
- - name: Smart Card Architecture
- href: identity-protection/smart-cards/smart-card-architecture.md
- - name: Certificate Requirements and Enumeration
- href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
- - name: Smart Card and Remote Desktop Services
- href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
- - name: Smart Cards for Windows Service
- href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
- - name: Certificate Propagation Service
- href:
identity-protection/smart-cards/smart-card-certificate-propagation-service.md
- - name: Smart Card Removal Policy Service
- href: identity-protection/smart-cards/smart-card-removal-policy-service.md
- - name: Smart Card Tools and Settings
- href: identity-protection/smart-cards/smart-card-tools-and-settings.md
- items:
- - name: Smart Cards Debugging Information
- href: identity-protection/smart-cards/smart-card-debugging-information.md
- - name: Smart Card Group Policy and Registry Settings
- href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
- - name: Smart Card Events
- href: identity-protection/smart-cards/smart-card-events.md
- - name: Virtual smart cards
- href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
- items:
- - name: Understand and evaluate virtual smart cards
- href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
- items:
- - name: Get started with virtual smart cards
- href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
- - name: Use virtual smart cards
- href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
- - name: Deploy virtual smart cards
- href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
- - name: Evaluate virtual smart card security
- href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
- - name: Tpmvscmgr
- href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+ href: identity-protection/toc.yml
 - name: Cloud services
 items:
 - name: Overview
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index ca9c7acd52..32967fd8b7 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -18,7 +18,6 @@ Credential theft attacks allow the attacker to steal secrets from one device and
 Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
 
 **To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
-
 - Users need to be in domains that are running Windows Server 2012 R2 or higher
 - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
 - All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
new file mode 100644
index 0000000000..316d992db0
--- /dev/null
+++ b/windows/security/identity-protection/toc.yml
@@ -0,0 +1,102 @@
+items:
+ - name: Overview
+ href: ../identity.md
+ - name: Windows credential theft mitigation guide
+ href: ../windows-credential-theft-mitigation-guide-abstract.md
+ - name: Passwordless
+ items:
+ - name: Windows Hello for Business ⇒
+ href: hello-for-business/index.yml
+ - name: FIDO 2 security keys ⇒
+ href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
+ - name: Local Administrator Password Solution (LAPS)
+ items:
+ - name: Windows LAPS licensing and requirements
+ href: ../../../includes/licensing/windows-defender-credential-guard.md
+ - name: Windows LAPS overview
+ href: /windows-server/identity/laps/laps-overview
+ - name: Enterprise Certificate Pinning
+ href: enterprise-certificate-pinning.md
+ - name: Credential Guard
+ items:
+ - name: Protect derived domain credentials with Credential Guard
+ href: credential-guard/credential-guard.md
+ - name: How Credential Guard works
+ href: credential-guard/credential-guard-how-it-works.md
+ - name: Requirements
+ href: credential-guard/credential-guard-requirements.md
+ - name: Manage Credential Guard
+ href: credential-guard/credential-guard-manage.md
+ - name: Credential Guard protection limits
+ href: credential-guard/credential-guard-protection-limits.md
+ - name: Considerations when using Credential Guard
+ href: credential-guard/credential-guard-considerations.md
+ - name: Additional mitigations
+ href: credential-guard/additional-mitigations.md
+ - name: Known issues
+ href: credential-guard/credential-guard-known-issues.md
+ - name: Remote Credential Guard
+ href: remote-credential-guard.md
+ - name: Configuring LSA Protection
+ href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
+ - name: Technical support policy for lost or forgotten passwords
+ href: password-support-policy.md
+ - name: Access Control
+ items:
+ -
name: Overview
+ href: access-control/access-control.md
+ - name: Local Accounts
+ href: access-control/local-accounts.md
+ - name: User Account Control (UAC)
+ items:
+ - name: Overview
+ href: user-account-control/user-account-control-overview.md
+ - name: How User Account Control works
+ href: user-account-control/how-user-account-control-works.md
+ - name: User Account Control security policy settings
+ href: user-account-control/user-account-control-security-policy-settings.md
+ - name: User Account Control Group Policy and registry key settings
+ href: user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+ - name: Smart Cards
+ href: smart-cards/smart-card-windows-smart-card-technical-reference.md
+ items:
+ - name: How Smart Card Sign-in Works in Windows
+ href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+ items:
+ - name: Smart Card Architecture
+ href: smart-cards/smart-card-architecture.md
+ - name: Certificate Requirements and Enumeration
+ href: smart-cards/smart-card-certificate-requirements-and-enumeration.md
+ - name: Smart Card and Remote Desktop Services
+ href: smart-cards/smart-card-and-remote-desktop-services.md
+ - name: Smart Cards for Windows Service
+ href: smart-cards/smart-card-smart-cards-for-windows-service.md
+ - name: Certificate Propagation Service
+ href: smart-cards/smart-card-certificate-propagation-service.md
+ - name: Smart Card Removal Policy Service
+ href: smart-cards/smart-card-removal-policy-service.md
+ - name: Smart Card Tools and Settings
+ href: smart-cards/smart-card-tools-and-settings.md
+ items:
+ - name: Smart Cards Debugging Information
+ href: smart-cards/smart-card-debugging-information.md
+ - name: Smart Card Group Policy and Registry Settings
+ href: smart-cards/smart-card-group-policy-and-registry-settings.md
+ - name: Smart Card Events
+ href: smart-cards/smart-card-events.md
+ - name: Virtual smart cards
+ href:
virtual-smart-cards/virtual-smart-card-overview.md
+ items:
+ - name: Understand and evaluate virtual smart cards
+ href: virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+ items:
+ - name: Get started with virtual smart cards
+ href: virtual-smart-cards/virtual-smart-card-get-started.md
+ - name: Use virtual smart cards
+ href: virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+ - name: Deploy virtual smart cards
+ href: virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+ - name: Evaluate virtual smart card security
+ href: virtual-smart-cards/virtual-smart-card-evaluate-security.md
+ - name: Tpmvscmgr
+ href: virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
\ No newline at end of file
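Review bot: The "Windows credential theft mitigation guide" entry near the top of the new toc.yml resolves one directory too high: the entry removed from windows/security/TOC.yml placed that page at identity-protection/windows-credential-theft-mitigation-guide-abstract.md, so from windows/security/identity-protection/toc.yml the link should be `href: windows-credential-theft-mitigation-guide-abstract.md` rather than `../windows-credential-theft-mitigation-guide-abstract.md` (unless the page is moved in a commit not shown here). The "Windows LAPS licensing and requirements" entry points at `../../../includes/licensing/windows-defender-credential-guard.md`, which by its name is the Credential Guard licensing include, so readers following the LAPS node would get Credential Guard licensing text; this looks like a copy-paste slip and should reference a LAPS-specific include, e.g. `href: ../../../includes/licensing/<laps-licensing-include>.md` (placeholder, the real file name is not on this page). The FIDO 2 and "Windows LAPS overview" hrefs also drop the `?context=/windows/security/context/context` query the removed TOC.yml entries carried, which I infer controls rendering those cross-repo pages inside this TOC; if that was not intentional, restore it. Finally, the file is written without a trailing newline (`\ No newline at end of file`), which linters flag; end it with a single LF.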