Paolo Matarazzo 2023-04-25 18:07:47 -04:00
parent b37c379f72
commit 368cadb75f
3 changed files with 103 additions and 99 deletions

@ -327,104 +327,7 @@
- name: Windows Credential Theft Mitigation Guide Abstract
href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
- name: User security and secured identity
items:
- name: Overview
href: identity.md
- name: Windows credential theft mitigation guide
href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
- name: Passwordless
items:
- name: Windows Hello for Business ⇒
href: identity-protection/hello-for-business/index.yml
- name: FIDO 2 security keys
href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key?context=/windows/security/context/context
- name: Local Administrator Password Solution (LAPS)
href: /windows-server/identity/laps/laps-overview?context=/windows/security/context/context
- name: Enterprise Certificate Pinning
href: identity-protection/enterprise-certificate-pinning.md
- name: Credential Guard
items:
- name: Protect derived domain credentials with Credential Guard
href: identity-protection/credential-guard/credential-guard.md
- name: How Credential Guard works
href: identity-protection/credential-guard/credential-guard-how-it-works.md
- name: Requirements
href: identity-protection/credential-guard/credential-guard-requirements.md
- name: Manage Credential Guard
href: identity-protection/credential-guard/credential-guard-manage.md
- name: Credential Guard protection limits
href: identity-protection/credential-guard/credential-guard-protection-limits.md
- name: Considerations when using Credential Guard
href: identity-protection/credential-guard/credential-guard-considerations.md
- name: Additional mitigations
href: identity-protection/credential-guard/additional-mitigations.md
- name: Known issues
href: identity-protection/credential-guard/credential-guard-known-issues.md
- name: Remote Credential Guard
href: identity-protection/remote-credential-guard.md
- name: Configuring LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
- name: Technical support policy for lost or forgotten passwords
href: identity-protection/password-support-policy.md
- name: Access Control
items:
- name: Overview
href: identity-protection/access-control/access-control.md
- name: Local Accounts
href: identity-protection/access-control/local-accounts.md
- name: User Account Control (UAC)
items:
- name: Overview
href: identity-protection/user-account-control/user-account-control-overview.md
- name: How User Account Control works
href: identity-protection/user-account-control/how-user-account-control-works.md
- name: User Account Control security policy settings
href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
- name: User Account Control Group Policy and registry key settings
href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
- name: Smart Cards
href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
items:
- name: How Smart Card Sign-in Works in Windows
href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
items:
- name: Smart Card Architecture
href: identity-protection/smart-cards/smart-card-architecture.md
- name: Certificate Requirements and Enumeration
href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
- name: Smart Card and Remote Desktop Services
href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
- name: Smart Cards for Windows Service
href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
- name: Certificate Propagation Service
href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md
- name: Smart Card Removal Policy Service
href: identity-protection/smart-cards/smart-card-removal-policy-service.md
- name: Smart Card Tools and Settings
href: identity-protection/smart-cards/smart-card-tools-and-settings.md
items:
- name: Smart Cards Debugging Information
href: identity-protection/smart-cards/smart-card-debugging-information.md
- name: Smart Card Group Policy and Registry Settings
href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
- name: Smart Card Events
href: identity-protection/smart-cards/smart-card-events.md
- name: Virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
items:
- name: Understand and evaluate virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
items:
- name: Get started with virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
- name: Use virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
- name: Deploy virtual smart cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
- name: Evaluate virtual smart card security
href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
- name: Tpmvscmgr
href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
href: identity-protection/toc.yml
- name: Cloud services
items:
- name: Overview
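
Review bot: The context entry just above the changed node still points at `identity-protection\windows-credential-theft-mitigation-guide-abstract.md` with a backslash, and once the subtree comes in through `href: identity-protection/toc.yml` the same article is listed a second time as "Windows credential theft mitigation guide". Change the separator to a forward slash so it matches every other href in this file, or drop the top-level entry so the guide appears only once.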

@ -18,7 +18,6 @@ Credential theft attacks allow the attacker to steal secrets from one device and
Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
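
Review bot: The header `-18,7 +18,6` drops one line from the Kerberos armoring section, which is a content change unrelated to the TOC restructuring in the rest of this commit; if a prerequisite is being removed, explain it in the commit message or move it to its own commit. While this paragraph is being touched, the run-on "signed KDC errors this mitigates tampering" should be split into two sentences, and the last bullet names a single policy but says "Group Policy settings".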

@ -0,0 +1,102 @@
items:
- name: Overview
href: ../identity.md
- name: Windows credential theft mitigation guide
href: ../windows-credential-theft-mitigation-guide-abstract.md
- name: Passwordless
items:
- name: Windows Hello for Business ⇒
href: hello-for-business/index.yml
- name: FIDO 2 security keys ⇒
href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
- name: Local Administrator Password Solution (LAPS)
items:
- name: Windows LAPS licensing and requirements
href: ../../../includes/licensing/windows-defender-credential-guard.md
- name: Windows LAPS overview
href: /windows-server/identity/laps/laps-overview
- name: Enterprise Certificate Pinning
href: enterprise-certificate-pinning.md
- name: Credential Guard
items:
- name: Protect derived domain credentials with Credential Guard
href: credential-guard/credential-guard.md
- name: How Credential Guard works
href: credential-guard/credential-guard-how-it-works.md
- name: Requirements
href: credential-guard/credential-guard-requirements.md
- name: Manage Credential Guard
href: credential-guard/credential-guard-manage.md
- name: Credential Guard protection limits
href: credential-guard/credential-guard-protection-limits.md
- name: Considerations when using Credential Guard
href: credential-guard/credential-guard-considerations.md
- name: Additional mitigations
href: credential-guard/additional-mitigations.md
- name: Known issues
href: credential-guard/credential-guard-known-issues.md
- name: Remote Credential Guard
href: remote-credential-guard.md
- name: Configuring LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
- name: Technical support policy for lost or forgotten passwords
href: password-support-policy.md
- name: Access Control
items:
- name: Overview
href: access-control/access-control.md
- name: Local Accounts
href: access-control/local-accounts.md
- name: User Account Control (UAC)
items:
- name: Overview
href: user-account-control/user-account-control-overview.md
- name: How User Account Control works
href: user-account-control/how-user-account-control-works.md
- name: User Account Control security policy settings
href: user-account-control/user-account-control-security-policy-settings.md
- name: User Account Control Group Policy and registry key settings
href: user-account-control/user-account-control-group-policy-and-registry-key-settings.md
- name: Smart Cards
href: smart-cards/smart-card-windows-smart-card-technical-reference.md
items:
- name: How Smart Card Sign-in Works in Windows
href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
items:
- name: Smart Card Architecture
href: smart-cards/smart-card-architecture.md
- name: Certificate Requirements and Enumeration
href: smart-cards/smart-card-certificate-requirements-and-enumeration.md
- name: Smart Card and Remote Desktop Services
href: smart-cards/smart-card-and-remote-desktop-services.md
- name: Smart Cards for Windows Service
href: smart-cards/smart-card-smart-cards-for-windows-service.md
- name: Certificate Propagation Service
href: smart-cards/smart-card-certificate-propagation-service.md
- name: Smart Card Removal Policy Service
href: smart-cards/smart-card-removal-policy-service.md
- name: Smart Card Tools and Settings
href: smart-cards/smart-card-tools-and-settings.md
items:
- name: Smart Cards Debugging Information
href: smart-cards/smart-card-debugging-information.md
- name: Smart Card Group Policy and Registry Settings
href: smart-cards/smart-card-group-policy-and-registry-settings.md
- name: Smart Card Events
href: smart-cards/smart-card-events.md
- name: Virtual smart cards
href: virtual-smart-cards/virtual-smart-card-overview.md
items:
- name: Understand and evaluate virtual smart cards
href: virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
items:
- name: Get started with virtual smart cards
href: virtual-smart-cards/virtual-smart-card-get-started.md
- name: Use virtual smart cards
href: virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
- name: Deploy virtual smart cards
href: virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
- name: Evaluate virtual smart card security
href: virtual-smart-cards/virtual-smart-card-evaluate-security.md
- name: Tpmvscmgr
href: virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
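
Review bot: The "Windows LAPS licensing and requirements" entry points at `../../../includes/licensing/windows-defender-credential-guard.md`, which by its name is the Credential Guard licensing include rather than a LAPS page, and an include fragment is an unusual TOC target; point it at a LAPS article or drop the entry. Separately, `../windows-credential-theft-mitigation-guide-abstract.md` looks one level too high: the inline entry this file replaces used `identity-protection/windows-credential-theft-mitigation-guide-abstract.md`, and this TOC is referenced as `identity-protection/toc.yml`, so the path here should have no `../` (unlike `../identity.md`, which resolves correctly). The FIDO 2 and LAPS overview links also lose the `?context=/windows/security/context/context` query they carried before, while the LSA Protection link keeps its `toc=` and `bc=` parameters; confirm that difference is intended.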