diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 663ec20dc4..f7e3191aa7 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -6,6 +6,7 @@ ## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md) ## [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) ## [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) +## [Manage Surface UEFI settings](manage-surface-uefi-settings.md) ## [Surface Data Eraser](microsoft-surface-data-eraser.md) ## [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) ### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) diff --git a/devices/surface/images/manage-surface-uefi-fig2.png b/devices/surface/images/manage-surface-uefi-fig2.png new file mode 100644 index 0000000000..6d8e4b41c8 Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig2.png differ diff --git a/devices/surface/images/manage-surface-uefi-fig3.png b/devices/surface/images/manage-surface-uefi-fig3.png new file mode 100644 index 0000000000..4ae63c2a49 Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig3.png differ diff --git a/devices/surface/images/manage-surface-uefi-fig4.png b/devices/surface/images/manage-surface-uefi-fig4.png new file mode 100644 index 0000000000..67866fcbf0 Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig4.png differ diff --git a/devices/surface/images/manage-surface-uefi-fig5.png b/devices/surface/images/manage-surface-uefi-fig5.png new file mode 100644 index 0000000000..eae3212f76 Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig5.png differ 
diff --git a/devices/surface/images/manage-surface-uefi-fig6.png b/devices/surface/images/manage-surface-uefi-fig6.png new file mode 100644 index 0000000000..a06c845a9c Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig6.png differ diff --git a/devices/surface/images/manage-surface-uefi-fig7.png b/devices/surface/images/manage-surface-uefi-fig7.png new file mode 100644 index 0000000000..9af6d1beed Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig7.png differ diff --git a/devices/surface/images/manage-surface-uefi-fig8.png b/devices/surface/images/manage-surface-uefi-fig8.png new file mode 100644 index 0000000000..d8c078cf59 Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig8.png differ diff --git a/devices/surface/images/manage-surface-uefi-figure-1.png b/devices/surface/images/manage-surface-uefi-figure-1.png new file mode 100644 index 0000000000..b87279bdd5 Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-figure-1.png differ diff --git a/devices/surface/index.md b/devices/surface/index.md index 2cbeff64cf..2a2598a5cd 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -62,18 +62,22 @@ For more information on planning for, deploying, and managing Surface devices in

Explore the available options to manage firmware and driver updates for Surface devices.

+

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

+

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

+ +

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

- +

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

- +

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

- +

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md new file mode 100644 index 0000000000..44428903c1 --- /dev/null +++ b/devices/surface/manage-surface-uefi-settings.md 
@@ -0,0 +1,138 @@ +--- +title: Manage Surface UEFI settings (Surface) +description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings. +keywords: firmware, security, features, configure, hardware +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: devices, surface +author: miladCA +--- + +#Manage Surface UEFI settings + +Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. + +>**Note:**  Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI. + +You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot. + +##PC information + +On the **PC information** page, detailed information about your Surface device is provided: + +- **Model** – Your Surface device’s model will be displayed here, such as Surface Book or Surface Pro 4. The exact configuration of your device is not shown, (such as processor, disk size, or memory size). +- **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management. 
+ +- **Serial Number** – This number is used to identify this specific Surface device for asset tagging and support scenarios. +- **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://www.microsoft.com/en-us/download/details.aspx?id=44076). + +You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the **PC information** page (as shown in Figure 1): + +- System UEFI + +- SAM Controller + +- Intel Management Engine + +- System Embedded Controller + +- Touch Firmware + +*Figure 1. System information and firmware version information* + +![figure 1](images/manage-surface-uefi-figure-1.png) + +You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/en-us/support/install-update-activate/surface-update-history) for your device. + +##Security + +On the **Security** page of Surface UEFI settings, you can set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2): + +- Uppercase letters: A-Z + +- Lowercase letters: a-z + +- Numbers: 1-0 + +- Special characters: !@#$%^&*()?<>{}[]-_=+|.,;:’`” + +The password must be at least 6 characters and is case sensitive. + +*Figure 2. Add a password to protect Surface UEFI settings* + +![figure 2](images/manage-surface-uefi-fig2.png) + +On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. 
You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library. + +*Figure 3. Configure Secure Boot* + +![figure 3](images/manage-surface-uefi-fig3.png) + +You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. + +*Figure 4. Configure Surface UEFI security settings* + +![figure 4](images/manage-surface-uefi-fig4.png) + +##Devices + +On the **Devices** page you can enable or disable specific devices and components of your Surface device. Devices that you can enable or disable on this page include: + +- Docking and USB Ports + +- MicroSD or SD Card Slot + +- Rear Camera + +- Front Camera + +- Infrared (IR) Camera + +- Wi-Fi and Bluetooth + +- Onboard Audio (Speakers and Microphone) + +Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. + +*Figure 5. Enable and disable specific devices* + +![figure 5](images/manage-surface-uefi-fig5.png) + +##Boot configuration + +On the **Boot Configuration** page, you can change the order of your boot devices and/or enable or disable boot of the following devices: + +- Windows Boot Manager + +- USB Storage + +- PXE Network + +- Internal Storage + +You can boot from a specific device immediately, or you can swipe left on that device’s entry in the list using the touchscreen. 
You can also boot immediately to a USB device or USB Ethernet adapter when the Surface device is powered off by pressing the **Volume Down** button and the **Power** button simultaneously. + +For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6. + +*Figure 6. Configure the boot order for your Surface device* + +![figure 6](images/manage-surface-uefi-fig6.png) + +You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only. + +##About + +The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7. + +*Figure 7. Regulatory information is displayed on the About page* + +![figure 7](images/manage-surface-uefi-fig7.png) + +##Exit + +Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. + +*Figure 8. Click Restart Now to exit Surface UEFI and restart the device* + +![figure 8](images/manage-surface-uefi-fig8.png) diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md index 926c8832ea..214bc1763d 100644 --- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md +++ b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md 
@@ -2,20 +2,28 @@ title: AD DS schema extensions to support TPM backup (Windows 10) description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AD DS schema extensions to support TPM backup + **Applies to** - Windows 10 + This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. + ## Why a schema extension is needed + The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. The following are the two schema extensions that you can use to bring your Windows Server 2008 R2 domain to parity with Windows Server 2012: + ### TpmSchemaExtension.ldf + This schema extension brings parity with the Windows Server 2012 schema and is required if you want to store the TPM owner authorization value for a computer running Windows 8 in a Windows Server 2008 R2 AD DS domain. With this extension the TPM owner authorization information will be stored in a separate TPM object linked to the corresponding computer object. 
+ ``` syntax #=============================================================================== # @@ -212,11 +220,13 @@ dn: CN=TPM Devices,DC=X changetype: add objectClass: msTPM-InformationObjectsContainer ``` + You should be aware that only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. If you are planning to support such scenarios, you will need to update the schema further as shown in the schema extension example, TpmSchemaExtensionACLChanges.ldf. + ### TpmSchemaExtensionACLChanges.ldf + This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. -**Important**   -After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects. +> **Important**  After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects.   ``` syntax #=============================================================================== diff --git a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 3de0486b5b..c05eb4ebd2 100644 --- a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md 
+++ b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -2,17 +2,22 @@ title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Add rules for packaged apps to existing AppLocker rule-set + **Applies to** - Windows 10 + This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). + You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center. + RSAT comes with the Group Policy Management Console which allows you to edit the GPO or GPOs where your existing AppLocker policy are authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.     diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md index a03bb784f4..7cdeb90a8b 100644 --- a/windows/keep-secure/add-workstations-to-domain.md +++ b/windows/keep-secure/add-workstations-to-domain.md 
@@ -2,90 +2,94 @@ title: Add workstations to domain (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Add workstations to domain + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Add workstations to domain** security policy setting. + ## Reference + This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain. Adding a machine account to the domain allows the device to participate in Active Directory-based networking. + Constant: SeMachineAccountPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Configure this setting so that only authorized members of the IT team are allowed to add devices to the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\ + ### Default values + By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

Authenticated Users

Member Server Effective Default Settings

Not Defined

Client Computer Effective Default Settings

Not Defined

-  + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Not Defined | +| Stand-Alone Server Default Settings | Not Defined | +| Domain Controller Effective Default Settings | Authenticated Users | +| Member Server Effective Default Settings | Not Defined | +| Client Computer Effective Default Settings | Not Defined | + ## Policy management + Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they have the **Add workstations to domain** user right. + Furthermore, machine accounts that are created by means of the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created by means of permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. 
+ ## Security considerations + This policy has the following security considerations: + ### Vulnerability -The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group. + +The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative +privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group. + ### Countermeasure + Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain. + ### Potential impact + For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain. 
+ ## Related topics -[User Rights Assignment](user-rights-assignment.md) +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/keep-secure/adjust-memory-quotas-for-a-process.md index b97b1d7de9..4568ef9fe0 100644 --- a/windows/keep-secure/adjust-memory-quotas-for-a-process.md +++ b/windows/keep-secure/adjust-memory-quotas-for-a-process.md 
@@ -2,101 +2,91 @@ title: Adjust memory quotas for a process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting. ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Adjust memory quotas for a process + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Adjust memory quotas for a process** security policy setting. + ## Reference + This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis. + This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + Constant: SeIncreaseQuotaPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + 1. Restrict the **Adjust memory quotas for a process** user right to only users who require the ability to adjust memory quotas to perform their jobs. 2. If this user right is necessary for a user account, it can be assigned to a local machine account instead of to a domain account. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\ + ### Default values + By default, members of the Administrators, Local Service, and Network Service groups have this right. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Administrators

-

Local Service

-

Network Service

Default Domain Controller Policy

Administrators

-

Local Service

-

Network Service

Stand-Alone Server Default Settings

Administrators

-

Local Service

-

Network Service

Domain Controller Effective Default Settings

Administrators

-

Local Service

-

Network Service

Member Server Effective Default Settings

Administrators

-

Local Service

-

Network Service

Client Computer Effective Default Settings

Administrators

-

Local Service

-

Network Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Administrators
Local Service
Network Service | +| Default Domain Controller Policy | Administrators
Local Service
Network Service | +| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service | +| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service | +| Member Server Effective Default Settings | Administrators
Local Service
Network Service | +| Client Computer Effective Default Settings | Administrators
Local Service
Network Service |   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A user with the **Adjust memory quotas for a process** privilege can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. This privilege could be used by a malicious user to start a denial-of-service (DoS) attack. + ### Countermeasure + Restrict the **Adjust memory quotas for a process** user right to users who require it to perform their jobs, such as application administrators who maintain database management systems or domain administrators who manage the organization's directory and its supporting infrastructure. + ### Potential impact + Organizations that have not restricted users to roles with limited privileges may find it difficult to impose this countermeasure. Also, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Adjust memory quotas for a process** user right to additional accounts that are required by those components. IIS requires that this privilege be explicitly assigned to the IWAM\_<ComputerName>, Network Service, and Service accounts. 
Otherwise, this countermeasure should have no impact on most computers. If this user right is necessary for a user account, it can be assigned to a local computer account instead of to a domain account. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/administer-applocker.md b/windows/keep-secure/administer-applocker.md index c9bbf2a122..232b69b1ef 100644 --- a/windows/keep-secure/administer-applocker.md +++ b/windows/keep-secure/administer-applocker.md 
@@ -2,98 +2,66 @@ title: Administer AppLocker (Windows 10) description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Administer AppLocker + **Applies to** - Windows 10 + This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. + AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can: + - Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. - Assign a rule to a security group or an individual user. - Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe). - Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten. - Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. -**Note**   -For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). 
+> **Note**  For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).   ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Maintain AppLocker policies](maintain-applocker-policies.md)

This topic describes how to maintain rules within AppLocker policies.

[Edit an AppLocker policy](edit-an-applocker-policy.md)

This topic for IT professionals describes the steps required to modify an AppLocker policy.

[Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)

This topic discusses the steps required to test an AppLocker policy prior to deployment.

[Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)

This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.

[Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)

This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.

[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)

This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.

[Optimize AppLocker performance](optimize-applocker-performance.md)

This topic for IT professionals describes how to optimize AppLocker policy enforcement.

[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)

This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.

[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)

This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.

[Working with AppLocker rules](working-with-applocker-rules.md)

This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.

[Working with AppLocker policies](working-with-applocker-policies.md)

This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.

-  + +| Topic | Description | +| - | - | +| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. | +| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. | +| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. | +| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. | +| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. | +| [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) | This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. | +| [Optimize AppLocker performance](optimize-applocker-performance.md) | This topic for IT professionals describes how to optimize AppLocker policy enforcement. | +| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. | +| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. 
| +| [Working with AppLocker rules](working-with-applocker-rules.md) | This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. | +| [Working with AppLocker policies](working-with-applocker-policies.md) | This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. | + ## Using the MMC snap-ins to administer AppLocker + You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). + ### Administer Applocker using Group Policy + You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer. + 1. Open the Group Policy Management Console (GPMC). 2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**. 3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. + ### Administer AppLocker on the local PC + 1. Click **Start**, type **local security policy**, and then click **Local Security Policy**. 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. 
+ ## Using Windows PowerShell to administer AppLocker + For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](http://technet.microsoft.com/library/hh847210.aspx).     diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/keep-secure/administer-security-policy-settings.md index 7bf3505369..59bc1ce37f 100644 --- a/windows/keep-secure/administer-security-policy-settings.md +++ b/windows/keep-secure/administer-security-policy-settings.md 
@@ -2,28 +2,39 @@ title: Administer security policy settings (Windows 10) description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. ms.assetid: 7617d885-9d28-437a-9371-171197407599 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Administer security policy settings + **Applies to** - Windows 10 + This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. + Security policy settings should be used as part of your overall security implementation to help secure domain controllers, servers, client devices, and other resources in your organization. + Security settings policies are rules that you can configure on a device, or multiple devices, for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain. + Security settings can control: + - User authentication to a network or device. - The resources that users are permitted to access. - Whether to record a user’s or group’s actions in the event log. - Membership in a group. + For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md). + To manage security configurations for multiple computers, you can use one of the following options: - Edit specific security settings in a GPO. 
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security. + ## What’s changed in how settings are administered? + Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered. @@ -82,7 +93,9 @@ Over time, new ways to manage security policy settings have been introduced, whi
  ## Using the Local Security Policy snap-in + The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features: + - Account Policies - Local Policies - Windows Firewall with Advanced Security 
@@ -92,26 +105,40 @@ The Local Security Policy snap-in (Secpol.msc) restricts the view of local polic - Application Control Policies - IP Security Policies on Local Computer - Advanced Audit Policy Configuration + Policies set locally might be overwritten if the computer is joined to the domain. + The Local Security Policy snap-in is part of the Security Configuration Manager tool set. For info about other tools in this tool set, see [Working with the Security Configuration Manager](#bkmk-scmtool) in this topic. + ## Using the secedit command-line tool + The secedit command-line tool works with security templates and provides six primary functions: + - The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server. - The **Analyze** parameter compares the server’s security configuration with the selected template. - The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also. - The **Export** parameter allows you to export the settings from a database into a security settings template. - The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue. - The **Generate Rollback** parameter saves the server’s current security settings into a security template so it can be used to restore most of the server’s security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template. 
+ ## Using the Security Compliance Manager + The Security Compliance Manager is a downloadable tool that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and for Microsoft applications. It contains a complete database of recommended security settings, methods to customize your baselines, and the option to implement those settings in multiple formats—including XLS, GPOs, Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP). The Security Compliance Manager is used to export the baselines to your environment to automate the security baseline deployment and compliance verification process. + **To administer security policies by using the Security Compliance Manager** + 1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](http://blogs.technet.com/b/secguide/) blog. 2. Read the relevant security baseline documentation that is included in this tool. 3. Download and import the relevant security baselines. The installation process steps you through baseline selection. 4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines. + ## Using the Security Configuration Wizard -The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller. 
+ +The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. +SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller. + The following are considerations for using SCW: + - SCW disables unnecessary services and provides Windows Firewall with Advanced Security support. - Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file. - You can deploy security policies that you create with SCW by using Group Policy. 
@@ -119,19 +146,25 @@ The following are considerations for using SCW: - SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles. - All apps that use the IP protocol and ports must be running on the server when you run SCW. - In some cases, you must be connected to the Internet to use the links in the SCW help. -**Note**   -The SCW is available only on Windows Server and only applicable to server installations. +> **Note**  The SCW is available only on Windows Server and only applicable to server installations.   The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to: + - Create a security policy that can be applied to any server on your network. - Edit an existing security policy. - Apply an existing security policy. - Roll back the last applied security policy. + The Security Policy Wizard configures services and network security based on the server’s role, as well as configures auditing and registry settings. + For more information about SCW, including procedures, see [Security Configuration Wizard](http://technet.microsoft.com/library/cc754997.aspx). + ## Working with the Security Configuration Manager + The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. + For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](http://technet.microsoft.com/library/cc758219(WS.10).aspx). + The following table lists the features of the Security Configuration Manager. @@ -169,18 +202,32 @@ The following table lists the features of the Security Configuration Manager.
  ### Security Configuration and Analysis + Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security. + ### Security analysis + The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security. + Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. -Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. + +Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security +Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. + ### Security configuration + Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template. 
+ ### Security templates + With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It is a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in does not introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. + Importing a security template to a Group Policy Object eases domain administration by configuring security for a domain or organizational unit at once. + To apply a security template to your local device, you can use Security Configuration and Analysis or the secedit command-line tool. + Security templates can be used to define: + - Account Policies - Password Policy - Account Lockout Policy 
@@ -194,67 +241,105 @@ Security templates can be used to define: - System Services: Startup and permissions for system services - Registry: Permissions for registry keys - File System: Permissions for folders and files + Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. + ### Security settings extension to Group Policy + Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. + Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control: + - How users are authenticated to a network or device - What resources users are authorized to use. - Whether or not a user's or group's actions are recorded in the event log. - Group membership. + You can change the security configuration on multiple computers in two ways: + - Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object. - Change a few select settings with security settings. + ### Local Security Policy + A security policy is a combination of security settings that affect the security on a device. You can use your local security policy to edit account policies and local policies on your local device + With the local security policy, you can control: + - Who accesses your device. - What resources users are authorized to use on your device. 
- Whether or not a user’s or group's actions are recorded in the event log. + If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence. + 1. Organizational unit policy 2. Domain policy 3. Site policy 4. Local computer policy + If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. + ### Using the Security Configuration Manager + For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](http://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about: + - [Applying security settings](#bkmk-applysecsettings) - [Importing and exporting security templates](#bkmk-impexpsectmpl) - [Analyzing security and viewing results](#bkmk-anasecviewresults) - [Resolving security discrepancies](#bkmk-resolvesecdiffs) - [Automating security configuration tasks](#bkmk-autoseccfgtasks) + ### Applying security settings + Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: + - When a device is restarted, the settings on that device will be refreshed. - To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe. 
+ **Precedence of a policy when more than one policy is applied to a computer** + For security settings that are defined by more than one policy, the following order of precedence is observed: + 1. Organizational Unit Policy 2. Domain Policy 3. Site Policy 4. Local computer Policy -For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. -**Note**   -Use gpresult.exe to find out what policies are applied to a device and in what order. + +For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override +both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. +> **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order. For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.   **Persistence in security settings** + Security settings may still persist even if a setting is no longer defined in the policy that originally applied it. + Persistence in security settings occurs when: + - The setting has not been previously defined for the device. - The setting is for a registry object. 
- The setting is for a file system object. + All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing." + Registry and file settings will maintain the values applied through policy until that setting is set to other values. + **Filtering security settings based on group membership** + You can also decide what users or groups will or will not have a Group Policy Object applied to them regardless of what computer they have logged onto by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy. + ### Importing and exporting security templates + Security Configuration and Analysis provides the ability to import and export security templates into or from a database. + If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature provides the ability to save the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object. + ### Analyzing security and viewing results + Security Configuration and Analysis performs security analysis by comparing the current state of system security against an *analysis database*. During creation, the analysis database uses at least one security template. 
If you choose to import more than one security template, the database will merge the various templates and create one composite template. It resolves conflicts in order of import; the last template that is imported takes precedence. + Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**. + @@ -292,18 +377,24 @@ Security Configuration and Analysis displays the analysis results by security ar
  If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis. + To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. + ### Resolving security discrepancies + You can resolve discrepancies between analysis database and system settings by: + - Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**. - Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels. - Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file. You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. 
In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. + ### Automating security configuration tasks + By calling the secedit.exe tool at a command prompt from a batch file or automatic task scheduler, you can use it to automatically create and apply templates, and analyze system security. You can also run it dynamically from a command prompt. Secedit.exe is useful when you have multiple devices on which security must be analyzed or configured, and you need to perform these tasks during off-hours. + ## Working with Group Policy tools + Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop. -  -  diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md index 5f82176445..5b5faf0b14 100644 --- a/windows/keep-secure/advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/advanced-security-audit-policy-settings.md 
@@ -2,52 +2,74 @@ title: Advanced security audit policy settings (Windows 10) description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security audit policy settings + **Applies to** - Windows 10 + This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. + The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: + - A group administrator has modified settings or data on servers that contain finance information. - An employee within a defined group has accessed an important file. - The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. + You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy. + These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. 
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories: + **Account Logon** + Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories: + - [Audit Credential Validation](audit-credential-validation.md) - [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) - [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) - [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + **Account Management** + The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories: + - [Audit Application Group Management](audit-application-group-management.md) - [Audit Computer Account Management](audit-computer-account-management.md) - [Audit Distribution Group Management](audit-distribution-group-management.md) - [Audit Other Account Management Events](audit-other-account-management-events.md) - [Audit Security Group Management](audit-security-group-management.md) - [Audit User Account Management](audit-user-account-management.md) + **Detailed Tracking** + Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. 
This category includes the following subcategories: + - [Audit DPAPI Activity](audit-dpapi-activity.md) - [Audit PNP activity](audit-pnp-activity.md) - [Audit Process Creation](audit-process-creation.md) - [Audit Process Termination](audit-process-termination.md) - [Audit RPC Events](audit-rpc-events.md) + **DS Access** + DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories: + - [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) - [Audit Directory Service Access](audit-directory-service-access.md) - [Audit Directory Service Changes](audit-directory-service-changes.md) - [Audit Directory Service Replication](audit-directory-service-replication.md) + **Logon/Logoff** + Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories: + - [Audit Account Lockout](audit-account-lockout.md) - [Audit User/Device Claims](audit-user-device-claims.md) - [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md) 
@@ -59,10 +81,15 @@ Logon/Logoff security policy settings and audit events allow you to track attemp - [Audit Network Policy Server](audit-network-policy-server.md) - [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) - [Audit Special Logon](audit-special-logon.md) + **Object Access** + Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. + Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess). + This category includes the following subcategories: + - [Audit Application Generated](audit-application-generated.md) - [Audit Certification Services](audit-certification-services.md) - [Audit Detailed File Share](audit-detailed-file-share.md) 
@@ -77,35 +104,46 @@ This category includes the following subcategories: - [Audit Removable Storage](audit-removable-storage.md) - [Audit SAM](audit-sam.md) - [Audit Central Access Policy Staging](audit-central-access-policy-staging.md) + **Policy Change** + Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories: + - [Audit Audit Policy Change](audit-audit-policy-change.md) - [Audit Authentication Policy Change](audit-authentication-policy-change.md) - [Audit Authorization Policy Change](audit-authorization-policy-change.md) - [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md) - [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) - [Audit Other Policy Change Events](audit-other-policy-change-events.md) + **Privilege Use** + Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories: + - [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md) - [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) - [Audit Other Privilege Use Events](audit-other-privilege-use-events.md) + **System** + System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. 
This category includes the following subcategories: + - [Audit IPsec Driver](audit-ipsec-driver.md) - [Audit Other System Events](audit-other-system-events.md) - [Audit Security State Change](audit-security-state-change.md) - [Audit Security System Extension](audit-security-system-extension.md) - [Audit System Integrity](audit-system-integrity.md) + **Global Object Access** + Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type. Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect. + Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access. -**Note**   -If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. 
+ +> **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object +Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.   This category includes the following subcategories: - [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) - [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) -  -  diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md index e41d1389f7..eef52f8d63 100644 --- a/windows/keep-secure/advanced-security-auditing-faq.md +++ b/windows/keep-secure/advanced-security-auditing-faq.md @@ -2,16 +2,20 @@ title: Advanced security auditing FAQ (Windows 10) description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security auditing FAQ + **Applies to** - Windows 10 + This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + - [What is Windows security auditing and why might I want to use it?](#bkmk-1) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#bkmk-2) - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#bkmk-3) 
@@ -30,100 +34,118 @@ This topic for the IT professional lists questions and answers about understandi - [What are the best tools to model and manage audit policy?](#bkmk-17) - [Where can I find information about all the possible events that I might receive?](#bkmk-11) - [Where can I find more detailed information?](#bkmk-18) + ## What is Windows security auditing and why might I want to use it? + Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities. + Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities. + ## What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration? + The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. + There are a number of additional differences between the security audit policy settings in these two locations. -There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. 
The settings available in **Security Settings\\Advanced Audit Policy Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. + +There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy +Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. + In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing. 
+ The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later. + ## What is the interaction between basic audit policy settings and advanced audit policy settings? + Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. + Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied. 
-**Important**   -Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. + +> **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. + If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   ## How are audit settings merged by Group Policy? + By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level. + For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). 
+ The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Auditing subcategorySetting configured in an OU GPO (higher priority)Setting configured in a domain GPO (lower priority)Resulting policy for the target computer

Detailed File Share Auditing

Success

Failure

Success

Process Creation Auditing

Disabled

Success

Disabled

Logon Auditing

Success

Failure

Failure

-  + + +| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer | +| - | - | - | -| +| Detailed File Share Auditing | Success | Failure | Success | +| Process Creation Auditing | Disabled | Success | Disabled | +| Logon Auditing | Success | Failure | Failure | + ## What is the difference between an object DACL and an object SACL? + All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs: + - A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access - A system access control list (SACL) that controls how access is audited + The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access. + If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied. + ## Why are audit policies applied on a per-computer basis rather than per user? 
+ In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer. + In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user. + However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + ## What are the differences in auditing functionality between versions of Windows? + Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. 
Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings. + ## Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server? + To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported. + ## What is the difference between success and failure events? Is something wrong if I get a failure audit? + A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully. + A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully. + The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password. + ## How can I set an audit policy that affects all objects on a computer? + System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL. Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. 
This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy. + ## How do I figure out why someone was able to access a resource? + Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting. + ## How do I know when changes are made to access control settings, by whom, and what the changes were? + To track access control changes on computers running Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: - **Audit File System** subcategory: Enable for success, failure, or success and failure - **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure - A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor + In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory. + ## How can I roll back security audit policies from the advanced audit policy to the basic audit policy? 
+ Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings: + 1. Set all Advanced Audit Policy subcategories to **Not configured**. 2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller. 3. Reconfigure and apply the basic audit policy settings. + Unless you complete all of these steps, the basic audit policy settings will not be restored. + ## How can I monitor if changes are made to audit policy settings? + Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place: + - Permissions and audit settings on the audit policy object are changed - The system audit policy is changed - Security event sources are registered or unregistered 
@@ -131,20 +153,31 @@ Changes to security audit policies are critical security events. You can use the - The value of **CrashOnAuditFail** is modified - Audit settings on a file or registry key are changed - A Special Groups list is changed + ## How can I minimize the number of events that are generated? + Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md). + ## What are the best tools to model and manage audit policies? + The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies. On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policy–related management tasks. + In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data. + ## Where can I find information about all the possible events that I might receive? 
+ Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources: + - [Windows 8 and Windows Server 2012 Security Event Details](http://www.microsoft.com/download/details.aspx?id=35753) - [Security Audit Events for Windows 7 and Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?linkid=157780) - [Security Audit Events for Windows Server 2008 and Windows Vista](http://go.microsoft.com/fwlink/p/?linkid=121868) - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + ## Where can I find more detailed information? + To learn more about security audit policies, see the following resources: + - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) - [Security Monitoring and Attack Detection Planning Guide](http://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx) - [Security Audit Events for Windows 7 and Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?linkid=157780) diff --git a/windows/keep-secure/advanced-security-auditing.md b/windows/keep-secure/advanced-security-auditing.md index b0a362ac4a..5ed85a625d 100644 --- a/windows/keep-secure/advanced-security-auditing.md +++ b/windows/keep-secure/advanced-security-auditing.md 
@@ -2,48 +2,26 @@ title: Advanced security audit policies (Windows 10) description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security audit policies + **Applies to** - Windows 10 + Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)

This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.

[Advanced security auditing FAQ](advanced-security-auditing-faq.md)

This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.

[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)

This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.

[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)

This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.

-  -  -  + +| Topic | Description | +| - | - | +| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies | +| [Advanced security auditing FAQ](advanced-security-auditing-faq.md) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. +| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index 997c23bdaa..fdfa7ab402 100644 --- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md 
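Review bot: the new markdown table in advanced-security-auditing.md is missing the closing `|` on its last three rows (the FAQ, dynamic access control and audit policy settings rows end with the description text and no trailing pipe), and the first row's description lacks the terminating period the other rows have (`...includes advanced security audit policies |`). Close each row with `|` and add the period so the rows are consistent. Moving `ms.pagetype: security` below `ms.sitesec: library` in the front matter is harmless, but since every file in this patch does it, confirm it is intentional rather than an artifact of the conversion tool.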
@@ -2,118 +2,106 @@ title: Allow log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Allow log on locally + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Allow log on locally** security policy setting. + ## Reference + This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller. -**Note**   -Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right. +> **Note:**  Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right.   Constant: SeInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not Defined + By default, the members of the following groups have this right on workstations and servers: + - Administrators - Backup Operators - Users + By default, the members of the following groups have this right on domain controllers: + - Account Operators - Administrators - Backup Operators - Print Operators - Server Operators + ### Best practices + 1. Restrict this user right to legitimate users who must log on to the console of the device. 2. If you selectively remove default groups, you can limit the abilities of users who are assigned to specific administrative roles in your organization. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Account Operators

-

Administrators

-

Backup Operators

-

Print Operators

-

Server Operators

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

-

Users

Domain Controller Effective Default Settings

Account Operators

-

Administrators

-

Backup Operators

-

Print Operators

-

Server Operators

Member Server Effective Default Settings

Administrators

-

Backup Operators

-

Users

Client Computer Effective Default Settings

Administrators

-

Backup Operators

-

Users

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined | +| Default Domain Controller Policy | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators | +| Stand-Alone Server Default Settings| Administrators
Backup Operators
Users | +| Domain Controller Effective Default Settings | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators | +| Member Server Effective Default Settings | Administrators
Backup Operators
Users | +| Client Computer Effective Default Settings | Administrators
Backup Operators
Users |   ## Policy management + Restarting the device is not required to implement this change. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Modifying this setting might affect compatibility with clients, services, and applications. Use caution when removing service accounts that are used by components and by programs on member devices and on domain controllers in the domain from the default domain controller's policy. Also use caution when removing users or security groups that log on to the console of member devices in the domain, or removing service accounts that are defined in the local Security Accounts Manager (SAM) database of member devices or of workgroup devices. If you want to grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the **Allowed logon locally** system right or grant the right to that user account. The domain controllers in the domain share the Default Domain Controllers Group Policy Object (GPO). When you grant an account the **Allow logon locally** right, you are allowing that account to log on locally to all domain controllers in the domain. If the Users group is listed in the **Allow log on locally** setting for a GPO, all domain users can log on locally. The Users built-in group contains Domain Users as a member. + ### Group Policy + Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. 
+ ### Vulnerability + Any account with the **Allow log on locally** user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. + ### Countermeasure + For domain controllers, assign the **Allow log on locally** user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group. Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the **Deny log on locally** user right. + ### Potential impact + If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Allow log on locally** user right to additional accounts that are required by those components. IIS requires that this user right be assigned to the IUSR\_*<ComputerName>* account. You should confirm that delegated activities are not adversely affected by any changes that you make to the **Allow log on locally** user rights assignments. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md index 53a391cc89..cc51c9cbea 100644 --- a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md 
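Review bot: the multi-value cells in the Default values table will not render as single rows as written: `| Default Domain Controller Policy | Account Operators` is followed by `Administrators`, `Backup Operators`, `Print Operators` and `Server Operators` on their own lines, and a GFM table cell cannot span lines. Join the values with `<br>` or list them inline separated by commas (if a `<br>` was present and lost in the diff rendering, disregard this). Two rows also miss the space before the pipe (`| Default Domain Policy| Not Defined |` and `Stand-Alone Server Default Settings| Administrators`). Separately, the Policy management paragraph names the same right as **Allowed logon locally** and **Allow logon locally**, while the setting is **Allow log on locally**; normalize to the actual setting name so readers searching the policy editor find it.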
@@ -2,97 +2,99 @@ title: Allow log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Allow log on through Remote Desktop Services + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Allow log on through Remote Desktop Services** security policy setting. + ## Reference + This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server. + Constant: SeRemoteInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

-

Remote Desktop Users

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

-

Remote Desktop Users

Client Computer Effective Default Settings

Administrators

-

Remote Desktop Users

-  + + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators
Remote Desktop Users | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators
Remote Desktop Users | +| Client Computer Effective Default Settings | Administrators
Remote Desktop Users | + ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Group Policy + To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server. + To exclude users or groups, you can assign the **Deny log on through Remote Desktop Services** user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the **Allow log on through Remote Desktop Services** user right. + For more information, see [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md). + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any account with the **Allow log on through Remote Desktop Services** user right can log on to the remote console of the device. 
If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. + ### Countermeasure + For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. -**Caution**   -For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default. + +> **Caution:**  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.   Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right. + ### Potential impact + Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. 
+ ## Related topics -[User Rights Assignment](user-rights-assignment.md) + +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/applocker-architecture-and-components.md b/windows/keep-secure/applocker-architecture-and-components.md index e91704b0e9..39e8bbf34c 100644 --- a/windows/keep-secure/applocker-architecture-and-components.md +++ b/windows/keep-secure/applocker-architecture-and-components.md 
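Review bot: "The Remote Desktops Users group also has this right" in the Default values paragraph should read "Remote Desktop Users", and "establish an Remote Desktop Services session" in the Group Policy section should be "a Remote Desktop Services session"; both lines sit in this hunk, so fix them while it is being touched. The sentence "It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server" appears verbatim in both the Reference and the Group Policy sections; keep one. The table has the same line-break problem as the previous file: `| Stand-Alone Server Default Settings | Administrators` followed by `Remote Desktop Users` on the next line will not render as one row, so join the values with `<br>`, and the `+ +` pair before the table leaves two blank lines where one is enough.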
@@ -2,25 +2,38 @@ title: AppLocker architecture and components (Windows 10) description: This topic for IT professional describes AppLocker’s basic architecture and its major components. ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker architecture and components + **Applies to** - Windows 10 + This topic for IT professional describes AppLocker’s basic architecture and its major components. + AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions. + AppLocker provides three ways to intercept and validate if a file is allowed to execute according to an AppLocker policy. + **A new process is created** + When a new process is created, such as an executable file or a Universal Windows app is run, AppLocker invokes the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run. + **A DLL is loaded** + When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process. 
+ **A script is run** + Before a script file is run, the script host (for example. for .ps1 files the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it is allowed to run. In each case, the actions taken by AppLocker are written to the event log. + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) + +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/applocker-functions.md b/windows/keep-secure/applocker-functions.md index 38ca82ba69..d3ab5362dd 100644 --- a/windows/keep-secure/applocker-functions.md +++ b/windows/keep-secure/applocker-functions.md @@ -2,18 +2,24 @@ title: AppLocker functions (Windows 10) description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker functions + **Applies to** - Windows 10 + This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. + ## Functions + The following list includes the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2 and links to current documentation on MSDN: + - [SaferGetPolicyInformation Function](http://go.microsoft.com/fwlink/p/?LinkId=159781) - [SaferCreateLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159782) - [SaferCloseLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159783) 
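Review bot: in applocker-architecture-and-components.md, "for example. for .ps1 files the script host is PowerShell" has a stray period after "example" that should be a comma, and "This topic for IT professional describes" (in both the `description:` front matter and the first body paragraph) should read "for IT professionals". Both lines are in this hunk, so this is the place to correct them.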
@@ -22,52 +28,23 @@ The following list includes the SRP functions beginning with Windows Server 200 - [SaferGetLevelInformation Function](http://go.microsoft.com/fwlink/p/?LinkId=159787) - [SaferRecordEventLogEntry Function](http://go.microsoft.com/fwlink/p/?LinkId=159789) - [SaferiIsExecutableFileType Function](http://go.microsoft.com/fwlink/p/?LinkId=159790) + ## Security level ID + AppLocker and SRP use the security level IDs to stipulate the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Security level IDSRPAppLocker

SAFER_LEVELID_FULLYTRUSTED

Supported

Supported

SAFER_LEVELID_NORMALUSER

Supported

Not supported

SAFER_LEVELID_CONSTRAINED

Supported

Not supported

SAFER_LEVELID_UNTRUSTED

Supported

Not supported

SAFER_LEVELID_DISALLOWED

Supported

Supported

+ +| Security level ID | SRP | AppLocker | +| - | - | - | +| SAFER_LEVELID_FULLYTRUSTED | Supported | Supported | +| SAFER_LEVELID_NORMALUSER | Supported | Not supported | +| SAFER_LEVELID_CONSTRAINED | Supported | Not supported | +| SAFER_LEVELID_UNTRUSTED | Supported | Not supported | +| SAFER_LEVELID_DISALLOWED | Supported | Supported |   In addition, URL zone ID is not supported in AppLocker. + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) + +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md index 27ac2175a6..6918af6f1e 100644 --- a/windows/keep-secure/applocker-overview.md +++ b/windows/keep-secure/applocker-overview.md 
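Review bot: the non-breaking-space line left between the closing `| SAFER_LEVELID_DISALLOWED | Supported | Supported |` row and "In addition, URL zone ID is not supported in AppLocker." is residue from the HTML table conversion; the same nbsp-only lines remain after the `- [AppLocker technical reference](applocker-technical-reference.md)` entry in this hunk and after the Related topics lists in the other files of this patch. Remove them, since the markdown table no longer needs a spacer and they render as empty paragraphs.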
@@ -2,42 +2,66 @@ title: AppLocker (Windows 10) description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker + **Applies to** - Windows 10 + This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. + AppLocker can help you: + - Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash. - Assign a rule to a security group or an individual user. - Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe). - Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object. - Simplify creating and managing AppLocker rules by using Windows PowerShell. + AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. 
AppLocker addresses the following app security scenarios: + - **Application inventory** + AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically. + - **Protection against unwanted software** + AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running. + - **Licensing conformance** + AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users. + - **Software standardization** + AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment. + - **Manageability improvement** + AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies. + ## New and changed functionality + To find out what's new in AppLocker for Windows 10, see [What's new in AppLocker?](../whats-new/applocker.md) + ## When to use AppLocker + In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access. + However, when a user runs a process, that process has the same level of access to data that the user has. 
As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls. + AppLocker is ideal for organizations that currently use Group Policy to manage their PCs. + The following are examples of scenarios in which AppLocker can be used: + - Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users. - An app is no longer supported by your organization, so you need to prevent it from being used by everyone. - The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat. 
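Review bot: the "What's new in AppLocker?" link targets `../whats-new/applocker.md`, outside the keep-secure folder, so confirm the file exists at that relative path; cross-folder links are the ones most easily broken by a restructure. Minor wording: "AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources" repeats "helps reduce"; one instance is enough.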
@@ -47,116 +71,67 @@ The following are examples of scenarios in which AppLocker can be used: - A single user or small group of users needs to use a specific app that is denied for all others. - Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps. - In addition to other measures, you need to control the access to sensitive data through app usage. + AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. + ## System requirements + AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). + AppLocker rules can be created on domain controllers. + ## Installing AppLocker + AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC). -**Note**   -The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature. + +> **Note:**  The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.   
### Using AppLocker on Server Core + AppLocker on Server Core installations is not supported. + ### Virtualization considerations + You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails. + ### Security considerations + Application control policies specify which apps are allowed to run on the local computer. + The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer. + The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers. + A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies. + For additional information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). + When you use AppLocker to create application control policies, you should be aware of the following security considerations: + - Who has the rights to set AppLocker policies? - How do you validate that the policies are enforced? - What events should you audit? 
+ For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingDefault value

Accounts created

None

Authentication method

Not applicable

Management interfaces

AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell

Ports opened

None

Minimum privileges required

Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects.

Protocols used

Not applicable

Scheduled Tasks

Appidpolicyconverter.exe is put in a scheduled task to be run on demand.

Security Policies

None required. AppLocker creates security policies.

System Services required

Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation.

Storage of credentials

None

+ +| Setting | Default value | +| - | - | +| Accounts created | None | +| Authentication method | Not applicable | +| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell | +| Ports opened | None | +| Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. | +| Protocols used | Not applicable | +| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. | +| Security Policies | None required. AppLocker creates security policies. | +| System Services required |Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. | +| Storage of credentials | None |   ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Administer AppLocker](administer-applocker.md)

This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.

[AppLocker design guide](applocker-policies-design-guide.md)

This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.

[AppLocker deployment guide](applocker-policies-deployment-guide.md)

This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.

[AppLocker technical reference](applocker-technical-reference.md)

This overview topic for IT professionals provides links to the topics in the technical reference.

-  -  -  + +| Topic | Description | +| - | - | +| [Administer AppLocker](administer-applocker.md) | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. | +| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. | +| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. | +| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. | diff --git a/windows/keep-secure/applocker-policies-deployment-guide.md b/windows/keep-secure/applocker-policies-deployment-guide.md index b9f0050193..f0bce74c2a 100644 --- a/windows/keep-secure/applocker-policies-deployment-guide.md +++ b/windows/keep-secure/applocker-policies-deployment-guide.md 
@@ -2,20 +2,29 @@ title: AppLocker deployment guide (Windows 10) description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + + # AppLocker deployment guide + **Applies to** - Windows 10 + This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. + This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change. + This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). + ## Prerequisites to deploying AppLocker policies + The following are prerequisites or recommendations to deploying policies: + - Understand the capabilities of AppLocker: - [AppLocker](applocker-overview.md) - Document your application control policy deployment plan by addressing these tasks: 
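Review bot: Two blank lines are inserted after the front-matter `---` (the `+` `+` before `# AppLocker deployment guide`), whereas every other file touched by this commit adds a single blank line there; trim it to one so the rendered spacing is consistent. The move of `ms.pagetype: security` below `ms.sitesec: library` matches the other files and looks fine.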
@@ -27,43 +36,18 @@ The following are prerequisites or recommendations to deploying policies: - [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md) + ## Contents of this guide + This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)

This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.

[Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)

This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.

[Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)

This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.

[Create Your AppLocker policies](create-your-applocker-policies.md)

This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.

[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)

This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.

-  -  -  + +| Topic | Description | +| - | - | +| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. | +| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. | +| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. | +| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. | +| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. | + diff --git a/windows/keep-secure/applocker-policies-design-guide.md b/windows/keep-secure/applocker-policies-design-guide.md index b36e9be24e..7954db3edb 100644 --- a/windows/keep-secure/applocker-policies-design-guide.md +++ b/windows/keep-secure/applocker-policies-design-guide.md 
@@ -2,63 +2,36 @@ title: AppLocker design guide (Windows 10) description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker design guide + **Applies to** - Windows 10 + This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. + This guide provides important designing and planning information for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group. + This guide does not cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md). + To understand if AppLocker is the correct application control solution for your organization, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)

This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.

[Determine your application control objectives](determine-your-application-control-objectives.md)

This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.

[Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)

This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.

[Select the types of rules to create](select-types-of-rules-to-create.md)

This topic lists resources you can use when selecting your application control policy rules by using AppLocker.

[Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

This overview topic describes the process to follow when you are planning to deploy AppLocker rules.

[Plan for AppLocker policy management](plan-for-applocker-policy-management.md)

This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.

[Create your AppLocker planning document](create-your-applocker-planning-document.md)

This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document.

+ +| Topic | Description | +| - | - | +| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. | +| [Determine your application control objectives](determine-your-application-control-objectives.md) | This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. | +| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. | +| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. | +| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. | +| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. | +| [Create your AppLocker planning document](create-your-applocker-planning-document.md) | This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. |   After careful design and detailed planning, the next step is to deploy AppLocker policies. 
[AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. -  -  +  \ No newline at end of file diff --git a/windows/keep-secure/applocker-policy-use-scenarios.md b/windows/keep-secure/applocker-policy-use-scenarios.md index 3c538ffbf1..ce30809f52 100644 --- a/windows/keep-secure/applocker-policy-use-scenarios.md +++ b/windows/keep-secure/applocker-policy-use-scenarios.md 
@@ -2,29 +2,47 @@ title: AppLocker policy use scenarios (Windows 10) description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker policy use scenarios + **Applies to** - Windows 10 + This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. + AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows: + 1. **App inventory** + AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access. + 2. **Protection against unwanted software** + AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails. + 3. **Licensing conformance** + AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements. + 4. **Software standardization** + AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment. + 5. 
**Manageability improvement** - AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers. + + AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use + the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers. + ### Use scenarios + The following are examples of scenarios in which AppLocker can be used: + - Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage. - The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed. - Your organization's security policy dictates the use of only licensed software, so you need to determine which apps are not licensed or prevent unauthorized users from running licensed software. 
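Review bot: The paragraph under item 5, **Manageability improvement**, is split mid-sentence into two added lines (`... you can modify policies and use` followed by `the AppLocker cmdlets to test the policies ...`); none of items 1 to 4 are wrapped this way, and some markdown processors render the break as a soft line break inside the list item, so rejoin the two lines into one.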
@@ -37,7 +55,8 @@ The following are examples of scenarios in which AppLocker can be used: - A single user or small group of users needs to use a specific app that is denied for all others. - Some computers in your organization are shared by people who have different software usage needs. - In addition to other measures, you need to control the access to sensitive data through app usage. + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/applocker-processes-and-interactions.md b/windows/keep-secure/applocker-processes-and-interactions.md index 19857f7670..0243055da8 100644 --- a/windows/keep-secure/applocker-processes-and-interactions.md +++ b/windows/keep-secure/applocker-processes-and-interactions.md 
@@ -2,64 +2,97 @@ title: AppLocker processes and interactions (Windows 10) description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker processes and interactions + **Applies to** - Windows 10 + This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. + ## How policies are implemented by AppLocker + AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure. + The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service is not running, policies will not be enforced. The Application Identity service returns the information from the binary—even if product or binary names are empty—to the results pane of the Local Security Policy snap-in. + AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information: + - Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form). - The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID, or "AU" in SDDL.) - The rule condition containing the **appid** attributes. 
+ For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*"). + An AppLocker policy for DLLs and executable files is read and cached by kernel mode code, which is part of appid.sys. Whenever a new policy is applied, appid.sys is notified by a policy converter task. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made. + ### Understanding AppLocker rules + An AppLocker rule is a control placed on a file to govern whether or not it is allowed to run for a specific user or group. Rules apply to five different types, or collections, of files: + - An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications. - A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js. - A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, mst and .msp (Windows Installer patch). - A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx. - A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension. + There are three different types of conditions that can be applied to rules: + - A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed. - A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories. - A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes. 
- + - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) + An AppLocker rule collection is a set of rules that apply to one of the following types: executable files, Windows Installer files, scripts, DLLs, and packaged apps. + - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) + Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash. + - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md) - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md) - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md) - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. + - [Executable rules in AppLocker](executable-rules-in-applocker.md) - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) - [Script rules in AppLocker](script-rules-in-applocker.md) - [DLL rules in AppLocker](dll-rules-in-applocker.md) - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) + You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset. 
+ - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md) + Each AppLocker rule collection functions as an allowed list of files. + ### Understanding AppLocker policies + An AppLocker policy is a set of rule collections and their corresponding configured enforcement settings that have been applied to one or more computers. + - [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) + Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. + ### Understanding AppLocker and Group Policy + Group Policy can be used to create, modify, and distribute AppLocker policies in separate objects or in combination with other policies. + - [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) - When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied. 
+ + When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. + AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied. + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/applocker-settings.md b/windows/keep-secure/applocker-settings.md index 527922ad1c..77509f8e43 100644 --- a/windows/keep-secure/applocker-settings.md +++ b/windows/keep-secure/applocker-settings.md @@ -2,61 +2,32 @@ title: AppLocker settings (Windows 10) description: This topic for the IT professional lists the settings used by AppLocker. ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker settings + **Applies to** - Windows 10 + This topic for the IT professional lists the settings used by AppLocker. + The following table describes the settings and values used by AppLocker. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingValue

Registry path

Policies are stored in \HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2

Firewall ports

Not applicable

Security policies

Custom created, no default

Group Policy settings

Custom created, no default

Network ports

Not applicable

Service accounts

Not applicable

Performance counters

Not applicable

+ +| Setting | Value | +| - | - | +| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** | +| Firewall ports | Not applicable | +| Security policies | Custom created, no default | +| Group Policy settings | Custom created, no default | +| Network ports | Not applicable | +| Service accounts | Not applicable | +| Performance counters | Not applicable |   ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/applocker-technical-reference.md b/windows/keep-secure/applocker-technical-reference.md index 415b5baa88..164a159782 100644 --- a/windows/keep-secure/applocker-technical-reference.md +++ b/windows/keep-secure/applocker-technical-reference.md @@ -2,72 +2,32 @@ title: AppLocker technical reference (Windows 10) description: This overview topic for IT professionals provides links to the topics in the technical reference. ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker technical reference + **Applies to** - Windows 10 + This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[What Is AppLocker?](what-is-applocker.md)

This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.

[Requirements to use AppLocker](requirements-to-use-applocker.md)

This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.

[AppLocker policy use scenarios](applocker-policy-use-scenarios.md)

This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.

[How AppLocker works](how-applocker-works-techref.md)

This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.

[AppLocker architecture and components](applocker-architecture-and-components.md)

This topic for IT professional describes AppLocker’s basic architecture and its major components.

[AppLocker processes and interactions](applocker-processes-and-interactions.md)

This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.

[AppLocker functions](applocker-functions.md)

This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.

[Security considerations for AppLocker](security-considerations-for-applocker.md)

This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.

[Tools to Use with AppLocker](tools-to-use-with-applocker.md)

This topic for the IT professional describes the tools available to create and administer AppLocker policies.

[AppLocker Settings](applocker-settings.md)

This topic for the IT professional lists the settings used by AppLocker.

-  -  -  + +| Topic | Description | +| - | - | +| [What Is AppLocker?](what-is-applocker.md) | This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. | +| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. | +| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. | +| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. | +| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker’s basic architecture and its major components. | +| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. | +| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. | +| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. | +| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. | +| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. | 
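Review bot: The `AppLocker architecture and components` row carries over the grammatical slip "This topic for IT professional describes AppLocker's basic architecture" from the old HTML table; since the row is being rewritten, make it "This topic for the IT professional describes". Also, unlike the sibling files in this commit, no `+` blank line is added between "This overview topic for IT professionals provides links to the topics in the technical reference." and "AppLocker advances the application control features ...", so if a blank line is not already present the two sentences render as a single paragraph; add one for consistency with the other topics.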
diff --git a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md index cf1717d5af..5828778660 100644 --- a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -2,19 +2,24 @@ title: Apply a basic audit policy on a file or folder (Windows 10) description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Apply a basic audit policy on a file or folder + **Applies to** - Windows 10 + You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right. + **To apply or modify auditing policy settings for a local file or folder** -1. 2.Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab. + +1. Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab. 2. Click **Advanced**. 3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**. 4. Do one of the following: 
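Review bot: the list fix is correct (`-1. 2.Right-click the file or folder ...` becomes `+1. Right-click the file or folder ...`, removing the doubled numbering that broke step 1), but the procedure title stays a bold paragraph, `**To apply or modify auditing policy settings for a local file or folder**`, rather than a heading, so it will not appear in the page outline; consider making it a heading now that the surrounding blank lines are being normalized. Moving `ms.pagetype: security` below `ms.sitesec: library` is consistent with the other files in this change.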
@@ -25,9 +30,11 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** -**Important**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. + +> **Important:**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   ## Additional considerations + - After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes. - You can set up file and folder auditing only on NTFS drives. - Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer. diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index 206ac496c6..6c7ebbb0e2 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md 
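Review bot: the three sub-bullets in this hunk place the period inside the bold UI label (`- To audit successful events, click **Success.**`, `**Fail.**`, `**All.**`), so the label renders with a trailing period; suggest `click **Success**.` and likewise for the other two. The `> **Important:**` blockquote is the right conversion of the old `**Important**` paragraph, but the whitespace-only line that used to separate it from `## Additional considerations` (it appears to contain non-breaking spaces) is still present; since a real blank line is now added above the heading, that line can be dropped.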
@@ -2,41 +2,35 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Account Lockout + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the advanced security audit policy setting, **Audit Account Lockout**, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. + If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts. + Account lockout events are essential for understanding user activity and detecting potential attacks. + Event volume: Low + Default setting: Success - ---- - - - - - - - - - - - - -
Event IDEvent message

4625

An account failed to log on.

+ +| Event ID | Event message | +| - | - | +| 4625 | An account failed to log on. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index 23e33b3b6b..f7c31ca13a 100644 --- a/windows/keep-secure/audit-application-generated.md +++ b/windows/keep-secure/audit-application-generated.md 
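Review bot: the table conversion is lossless here (the single `| 4625 | An account failed to log on. |` row matches the removed HTML table) and `## Related topics` now uses a list item, which is the pattern used in the other files. Two consistency points: this file labels the default as `Default setting: Success` while the sibling files in this change use `Default: ...`, and the whitespace-only lines after `- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)` survive the rewrite and can be removed.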
@@ -2,54 +2,39 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Application Generated + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Application Generated**, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). + The following events can generate audit activity: + - Creation, deletion, or initialization of an application client context - Application operations + Applications that are designed to use the Windows Auditing APIs can use this subcategory to log auditing events that are related to those APIs. The level, volume, relevance, and importance of these audit events depend on the application that generates them. The operating system logs the events as they are generated by the application. + Event volume: Depends on the installed app's use of the Windows Auditing APIs + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4665

An attempt was made to create an application client context.

4666

An application attempted an operation:

4667

An application client context was deleted.

4668

An application was initialized.

+ +| Event ID | Event message | +| - | - | +| 4665 | An attempt was made to create an application client context. | +| 4666 | An application attempted an operation: | +| 4667 | An application client context was deleted. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index 15d44e5eab..3055b72f6d 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md @@ -2,77 +2,42 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Application Group Management + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Application Group Management**, which determines whether the operating system generates audit events when application group management tasks are performed. + Application group management tasks include: + - An application group is created, changed, or deleted. - A member is added to or removed from an application group. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
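Review bot: the new markdown table drops an event. The removed HTML table has four rows, 4665, 4666, 4667 and 4668 ("An application was initialized."), but the replacement stops at `+| 4667 | An application client context was deleted. |`; add `| 4668 | An application was initialized. |` so the conversion is lossless. Also, the 4666 message `An application attempted an operation:` keeps a trailing colon from the old markup, unlike the other rows, which end with a period.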
Event IDEvent message

4783

A basic application group was created.

-

4784

A basic application group was changed.

-

4785

A member was added to a basic application group.

-

4786

A member was removed from a basic application group.

-

4787

A non-member was added to a basic application group.

-

4788

A non-member was removed from a basic application group.

-

4789

A basic application group was deleted.

-

4790

An LDAP query group was created.

-

+ +| Event ID | Event message | +| - | - | +| 4783 | A basic application group was created. | +| 4784 | A basic application group was changed. | +| 4785 | A member was added to a basic application group. | +| 4786 | A member was removed from a basic application group. | +| 4787 | A non-member was added to a basic application group. | +| 4788 | A non-member was removed from a basic application group. | +| 4789 | A basic application group was deleted. | +| 4790 | An LDAP query group was created. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index beb42d48f1..65b7d6261e 100644 --- a/windows/keep-secure/audit-audit-policy-change.md +++ b/windows/keep-secure/audit-audit-policy-change.md 
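Review bot: all eight rows (4783 through 4790) from the removed HTML table are present in the new markdown table, so this conversion is complete. The same leftover as in the other files remains: the whitespace-only line immediately before `## Related topics` and the two after `- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)`; drop them now that real blank lines separate the sections.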
@@ -2,95 +2,54 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Audit Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Audit Policy Change**, which determines whether the operating system generates audit events when changes are made to audit policy. + Changes to audit policy that are audited include: + - Changing permissions and audit settings on the audit policy object (by using **auditpol /set /sd**). - Changing the system audit policy. - Registering and unregistering security event sources. - Changing per-user audit settings. - Changing the value of **CrashOnAuditFail**. - Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key). - **Note**   - SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. + + > **Note:** SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.   - Changing anything in the Special Groups list. 
-**Important**   -Changes to the audit policy are critical security events. + +> **Important:**  Changes to the audit policy are critical security events.   Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4715

The audit policy (SACL) on an object was changed.

4719

System audit policy was changed.

4817

Auditing settings on an object were changed.

-
-Note   -

This event is logged only on computers running the supported versions of the Windows operating system.

-
-
-  -

4902

The Per-user audit policy table was created.

4904

An attempt was made to register a security event source.

4905

An attempt was made to unregister a security event source.

4906

The CrashOnAuditFail value has changed.

4907

Auditing settings on object were changed.

4908

Special Groups Logon table modified.

4912

Per User Audit Policy was changed.

+ +| Event ID | Event message | +| - | - | +| 4715 | The audit policy (SACL) on an object was changed. | +| 4719 | System audit policy was changed. | +| 4817 | Auditing settings on an object were changed.
**Note: ** This event is logged only on computers running the supported versions of the Windows operating system. | +| 4902 | The Per-user audit policy table was created. | +| 4904 | An attempt was made to register a security event source. | +| 4905 | An attempt was made to unregister a security event source. | +| 4906 | The CrashOnAuditFail value has changed. | +| 4907 | Auditing settings on object were changed. | +| 4908 | Special Groups Logon table modified. | +| 4912 | Per User Audit Policy was changed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md index d9e3f7d10d..767ec7c30a 100644 --- a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md +++ b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md 
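Review bot: the 4817 row is broken across two source lines (`+| 4817 | Auditing settings on an object were changed.` followed by `**Note: ** This event is logged only on computers ... |`); markdown tables do not support multi-line cells, so the continuation line will not render as part of the table. Keep the note inside the cell on one line, e.g. `| 4817 | Auditing settings on an object were changed. **Note:** This event is logged only on computers running the supported versions of the Windows operating system. |` (or separate the two sentences with `<br>`). Separately, `**Note: **` with a space before the closing asterisks will not render as bold; use `**Note:**`. The nested `  > **Note:**` under the SACL bullet and the `> **Important:**` callout are correct, and all ten event IDs from the removed table (4715 through 4912) are carried over.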
@@ -2,192 +2,117 @@ title: Audit Audit the access of global system objects (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting. ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit: Audit the access of global system objects + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting. + ## Reference + If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](basic-audit-object-access.md) audit setting, access to these system objects is audited. + Global system objects, also known as "base system objects" or "base named objects," are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they do not have a NULL SACL. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created. + The threat is that a globally visible named object, if incorrectly secured, might be acted on by a malicious program that knows the name of the object. 
For instance, if a synchronization object such as a mutex has a poorly constructed discretionary access control list (DACL), a malicious program can access that mutex by name and cause the program that created it to malfunction. However, the risk of this occurring is very low. + Enabling this policy setting can generate a large number of security events, especially on busy domain controllers and application servers. This might cause servers to respond slowly and force the security log to record numerous events of little significance. Auditing for access to global system objects is an all-or-nothing affair; there is no way to filter which events get recorded and which do not. Even if an organization has the resources to analyze events generated when this policy setting is enabled, it is unlikely to have the source code or a description of what each named object is used for; therefore, it is unlikely that many organizations could benefit from enabling this policy setting. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ### Auditing + To audit attempts to access global system objects, you can use one of two security audit policy settings: + - [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access - [Audit object access](basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy + If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate. + If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

-  -If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

560

Access was granted to an already existing object.

562

A handle to an object was closed.

563

An attempt was made to open an object with the intent to delete it.

-
-Note   -

This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().

-
-
-  -

564

A protected object was deleted.

565

Access was granted to an already existing object type.

567

A permission associated with a handle was used.

-
-Note   -

A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.

-
-
-  -

569

The resource manager in Authorization Manager attempted to create a client context.

570

A client attempted to access an object.

-
-Note   -

An event will be generated for every attempted operation on the object.

-
-
-  -
+ +| Event ID | Event message | +| - | - | +| 4659 | A handle to an object was requested with intent to delete. | +| 4660 | An object was deleted. | +| 4661 | A handle to an object was requested. | +| 4663 | An attempt was made to access an object. |   +If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated: + +| Event ID | Event message | +| - | - | +| 560 | Access was granted to an already existing object. | +| 562 | A handle to an object was closed. | +| 563 | An attempt was made to open an object with the intent to delete it.
**Note: **This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() | +| 564 | A protected object was deleted. | +| 565 | Access was granted to an already existing object type. | +| 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | +| 569 | The resource manager in Authorization Manager attempted to create a client context. | +| 570 | A client attempted to access an object.
**Note: ** An event will be generated for every attempted operation on the object. | + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A globally visible named object, if incorrectly secured, could be acted upon by malicious software by using the name of the object. For instance, if a synchronization object such as a mutex had a poorly chosen discretionary access control list (DACL), malicious software could access that mutex by name and cause the program that created it to malfunction. However, the risk of such an occurrence is very low. + ### Countermeasure + Enable the **Audit: Audit the access of global system objects** setting. + ### Potential impact + If you enable the **Audit: Audit the access of global system objects** setting, a large number of security events could be generated, especially on busy domain controllers and application servers. Such an occurrence could cause servers to respond slowly and force the Security log to record numerous events of little significance. This policy setting can only be enabled or disabled, and there is no way to choose which events are recorded from this setting. Even organizations that have the resources to analyze events that are generated by this policy setting are not likely to have the source code or a description of what each named object is used for. Therefore, it is unlikely that most organizations would benefit by enabling this policy setting. To reduce the number of audit events generated, use the advanced audit policy. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
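Review bot: three rows of the second event table are split across source lines: 563, 567 and 570 each continue on a following line that does not start with `|` (`**Note: **This is used by file systems ...`, `**Note:** A handle is created ...`, `**Note: ** An event will be generated ...`), which breaks the markdown table; fold each note into its cell on one line and use `**Note:**` without the inner space, as the 567 row already does. The 563 note also lost its final period (`Createfile() |`). Two content points worth a look while this section is being touched: both event tables are introduced with the identical sentence `If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:`, yet the paragraph above lists two settings, Audit Kernel Object and [Audit object access](basic-audit-object-access.md), and the second table (560 to 570) is a different set of IDs from the first (4659 to 4663), so one of the two intros most likely should name the other setting. And in the Reference section, "These objects all have a security descriptor; but typically, they do not have a NULL SACL" contradicts the next sentence, which says the kernel assigns a SACL to these objects only when this policy setting is enabled; "they have a NULL SACL" reads as the intended text.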
diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md index d028cb4d3e..49b518da5a 100644 --- a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md 
@@ -2,85 +2,86 @@ title: Audit Audit the use of Backup and Restore privilege (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit: Audit the use of Backup and Restore privilege + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting. + ## Reference + The **Audit: Audit the use of Backup and Restore privilege** policy setting determines whether to audit the use of all user rights, including Backup and Restore, when the **Audit privilege use** policy setting is configured. Enabling both policy settings generates an audit event for every file that is backed up or restored. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Audit: Audit the use of Backup and Restore privilege** to Disabled. Enabling this policy setting can generate a large number of security events, which might cause servers to respond slowly and force the security event log to record numerous events of little significance. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Auditing + Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users use backup or restore user rights, those events will not be audited. + Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. + Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md), which can help you manage the number of events generated. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When the backup and restore function is used, it creates a copy of the file system that is identical to the target of the backup. Making regular backup and restore volumes is an important part of your incident response plan. 
However, a malicious user could use a legitimate backup copy to gain access to information or to impersonate a legitimate network resource to compromise your enterprise. + ### Countermeasure + Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner. For more information about configuring this key, see Microsoft Knowledge Base article [100879](http://go.microsoft.com/fwlink/p/?LinkId=100879). + ### Potential impact + If you enable this policy setting, a large number of security events could be generated, which could cause servers to respond slowly and force the security event log to record numerous events of little significance. If you increase the security event log size to reduce the chances of a system shutdown, an excessively large log file may affect system performance. + ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index 81c47c8ea2..e26a96a284 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md 
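Review bot: the best practice and the countermeasure in this file point in opposite directions: `### Best practices` says to set the policy to Disabled because of the event volume, while `### Countermeasure` says "Enable the **Audit: Audit the use of Backup and Restore privilege** setting." Since the file is being reworked, the Countermeasure text should at least point at the Best practices guidance and at the [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) alternative that the Auditing section already mentions, so a reader does not get two contradictory instructions. Minor: "Alternately" in the Auditing section should be "Alternatively", and the whitespace-only lines after `- [Security Options](security-options.md)` can be removed.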
@@ -2,21 +2,26 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Authentication Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes this Advanced Security Audit policy setting, **Audit Authentication Policy Change**, which determines whether the operating system generates audit events when changes are made to authentication policy. + Changes made to authentication policy include: + - Creation, modification, and removal of forest and domain trusts. - Changes to Kerberos policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. - **Note**   - The audit event is logged when the policy is applied, not when settings are modified by the administrator. + + > **Note:**  The audit event is logged when the policy is applied, not when settings are modified by the administrator.   - When any of the following user rights is granted to a user or group: - **Access this computer from the network** @@ -25,61 +30,27 @@ Changes made to authentication policy include: - **Logon as a batch job** - **Logon as a service** - Namespace collision, such as when an added trust collides with an existing namespace name. + This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4713

Kerberos policy was changed.

4716

Trusted domain information was modified.

4717

System security access was granted to an account.

4718

System security access was removed from an account.

4739

Domain Policy was changed.

4864

A namespace collision was detected.

4865

A trusted forest information entry was added.

4866

A trusted forest information entry was removed.

4867

A trusted forest information entry was modified.

+ +| Event ID | Event message | +| - | - | +| 4713 | Kerberos policy was changed. | +| 4716 | Trusted domain information was modified. | +| 4717 | System security access was granted to an account. | +| 4718 | System security access was removed from an account. | +| 4739 | Domain Policy was changed. | +| 4864 | A namespace collision was detected. | +| 4865 | A trusted forest information entry was added. | +| 4866 | A trusted forest information entry was removed. | +| 4867 | A trusted forest information entry was modified. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + + - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index 56c26436a8..3bff0a5dd9 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md 
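Review bot: In audit-authentication-policy-change.md the new `> **Note:**  The audit event is logged when the policy is applied ...` blockquote is inserted at column 0 between the `- Changes to Kerberos policy ...` item and the `- When any of the following user rights ...` item; an unindented blockquote terminates the list, so the bullets render as two separate lists and the note no longer reads as belonging to the Kerberos item. Indent the blockquote under that item (`  > **Note:** ...`) to keep the list intact. Also, the new Related topics entry is added as `+ - [Advanced security audit policy settings](...)` with a leading space, while every other file in this commit uses `+- [...]`; drop the space for consistency.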
@@ -2,63 +2,39 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Authorization Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Authorization Policy Change**, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. + Authorization policy changes that can be audited include: + - Assigning or removing user rights (privileges) such as **SeCreateTokenPrivilege**, except for the system access rights that are audited by using the [Audit Authentication Policy Change](audit-authentication-policy-change.md) subcategory. - Changing the Encrypting File System (EFS) policy. -<<<<<<< HEAD -Event volume: Low -======= Event volume: Very high ->>>>>>> master Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4704

A user right was assigned.

4705

A user right was removed.

4706

A new trust was created to a domain.

4707

A trust to a domain was removed.

4714

Encrypted data recovery policy was changed.

+ +| Event ID | Event message | +| - | - | +| 4704 | A user right was assigned. | +| 4705 | A user right was removed. | +| 4706 | A new trust was created to a domain. | +| 4707 | A trust to a domain was removed. | +| 4714 | Encrypted data recovery policy was changed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index 525c573cb3..e53abd2a09 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md @@ -2,38 +2,30 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Central Access Policy Staging + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Central Access Policy Staging**, which determines permissions on a Central Access Policy. + Event volume: Medium + Default: Not configured - ---- - - - - - - - - - - - - -
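Review bot: Removing the stray merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) from audit-authorization-policy-change.md is the substantive fix in this hunk, and the resolution keeps `Event volume: Very high` while discarding the HEAD side's `Event volume: Low`; please confirm in the commit message or PR description that `Very high` is the intended value rather than an arbitrary pick of one side. Minor: in the audit-central-access-policy-staging.md table the 4818 message `Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy` is the only event message in this commit without a terminating period; it is carried over from the old table, but this is a convenient place to add it.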
Event IDEvent message

4818

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

+ +| Event ID | Event message | +| - | - | +| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index 4d94779c67..f23bdde027 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md @@ -2,17 +2,22 @@ title: Audit Certification Services (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Certification Services + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Certification Services**, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. + Examples of AD CS operations include: + - AD CS starts, shuts down, is backed up, or is restored. - Certificate revocation list (CRL)-related tasks are performed. - Certificates are requested, issued, or revoked. 
@@ -24,149 +29,49 @@ Examples of AD CS operations include: - Security permissions for AD CS role services are modified. - Keys are archived, imported, or retrieved. - The OCSP Responder Service is started or stopped. + Monitoring these operational events is important to ensure that AD CS role services are functioning properly. + Event volume: Low to medium on servers that host AD CS role services + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4868

The certificate manager denied a pending certificate request.

4869

Certificate Services received a resubmitted certificate request.

4870

Certificate Services revoked a certificate.

4871

Certificate Services received a request to publish the certificate revocation list (CRL).

4872

Certificate Services published the certificate revocation list (CRL).

4873

A certificate request extension changed.

4874

One or more certificate request attributes changed.

4875

Certificate Services received a request to shut down.

4876

Certificate Services backup started.

4877

Certificate Services backup completed.

4878

Certificate Services restore started.

4879

Certificate Services restore completed.

4880

Certificate Services started.

4881

Certificate Services stopped.

4882

The security permissions for Certificate Services changed.

4883

Certificate Services retrieved an archived key.

4884

Certificate Services imported a certificate into its database.

4885

The audit filter for Certificate Services changed.

4886

Certificate Services received a certificate request.

4887

Certificate Services approved a certificate request and issued a certificate.

4888

Certificate Services denied a certificate request.

4889

Certificate Services set the status of a certificate request to pending.

4890

The certificate manager settings for Certificate Services changed.

4891

A configuration entry changed in Certificate Services.

4892

A property of Certificate Services changed.

4893

Certificate Services archived a key.

4894

Certificate Services imported and archived a key.

4895

Certificate Services published the CA certificate to Active Directory Domain Services.

4896

One or more rows have been deleted from the certificate database.

4897

Role separation enabled:

4898

Certificate Services loaded a template.

+ +| Event ID | Event message | +| - | - | +| 4868 | The certificate manager denied a pending certificate request. | +| 4869 | Certificate Services received a resubmitted certificate request. | +| 4870 | Certificate Services revoked a certificate. | +| 4871 | Certificate Services received a request to publish the certificate revocation list (CRL). | +| 4872 | Certificate Services published the certificate revocation list (CRL). | +| 4873 | A certificate request extension changed. | +| 4874 | One or more certificate request attributes changed. | +| 4875 | Certificate Services received a request to shut down. | +| 4876 | Certificate Services backup started. | +| 4877 | Certificate Services backup completed. | +| 4878 | Certificate Services restore started. | +| 4879 | Certificate Services restore completed. | +| 4880 | Certificate Services started. | +| 4881 | Certificate Services stopped. | +| 4882 | The security permissions for Certificate Services changed. | +| 4883 | Certificate Services retrieved an archived key. | +| 4884 | Certificate Services imported a certificate into its database. | +| 4885 | The audit filter for Certificate Services changed. | +| 4886 | Certificate Services received a certificate request. | +| 4887 | Certificate Services approved a certificate request and issued a certificate. | +| 4888 | Certificate Services denied a certificate request. | +| 4889 | Certificate Services set the status of a certificate request to pending. | +| 4890 | The certificate manager settings for Certificate Services changed. | +| 4891 | A configuration entry changed in Certificate Services. | +| 4892 | A property of Certificate Services changed. | +| 4893 | Certificate Services archived a key. | +| 4894 | Certificate Services imported and archived a key. | +| 4895 | Certificate Services published the CA certificate to Active Directory Domain Services. | +| 4896 | One or more rows have been deleted from the certificate database. 
| +| 4897 | Role separation enabled: | +| 4898 | Certificate Services loaded a template. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index 60524de373..5211936625 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md @@ -2,47 +2,34 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Computer Account Management + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Computer Account Management**, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. + This policy setting is useful for tracking account-related changes to computers that are members of a domain. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
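Review bot: In the audit-certification-services.md table the 4896 row is split across two lines (`| 4896 | One or more rows have been deleted from the certificate database. ` followed by a separate `| ` line), so the closing pipe sits on its own line and the table will not render correctly at that row; keep the whole row, including the trailing `|`, on one line. The 4897 message `Role separation enabled:` ends in a colon copied from the old table and reads as if the text was cut off; worth checking against the actual event message before publishing.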
Event IDEvent message

4741

A computer account was created.

4742

A computer account was changed.

4743

A computer account was deleted.

+ +| Event ID | Event message | +| - | - | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index add71830c8..7f4232806f 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md 
@@ -2,59 +2,42 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Credential Validation + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the advanced security audit policy setting, **Audit Credential Validation**, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. + These events occur on the computer that is authoritative for the credentials as follows: + - For domain accounts, the domain controller is authoritative. - For local accounts, the local computer is authoritative. + Event volume: High on domain controllers -Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events. + +Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they +may occur in conjunction with or on separate computers from Logon and Logoff events. + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4774

An account was mapped for logon.

-

4775

An account could not be mapped for logon.

-

4776

The domain controller attempted to validate the credentials for an account.

-

4777

The domain controller failed to validate the credentials for an account.

-

+ +| Event ID | Event message | +| - | - | +| 4774 | An account was mapped for logon. | +| 4775 | An account could not be mapped for logon. | +| 4776 | The domain controller attempted to validate the credentials for an account. | +| 4777 | The domain controller failed to validate the credentials for an account. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-detailed-directory-service-replication.md b/windows/keep-secure/audit-detailed-directory-service-replication.md index 99ff8d4881..ae2e46a570 100644 --- a/windows/keep-secure/audit-detailed-directory-service-replication.md +++ b/windows/keep-secure/audit-detailed-directory-service-replication.md @@ -8,61 +8,33 @@ ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft --- + # Audit Detailed Directory Service Replication + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Detailed Directory Service Replication**, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. + This audit subcategory can be useful to diagnose replication issues. + Event volume: These events can create a very high volume of event data. + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
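Review bot: In audit-credential-validation.md the rewritten paragraph now breaks mid-sentence (`... these events can occur on any computer, and they` / `may occur in conjunction with or on separate computers ...`); Markdown joins the two lines into one paragraph, but the hard break looks accidental and no other paragraph in this commit is wrapped this way, so rejoin it into one line. Dropping the empty third-column cells (`-`) of the old HTML table is fine, since the old header only had `Event ID` and `Event message`.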
Event IDEvent message

4928

An Active Directory replica source naming context was established.

4929

An Active Directory replica source naming context was removed.

4930

An Active Directory replica source naming context was modified.

4931

An Active Directory replica destination naming context was modified.

4934

Attributes of an Active Directory object were replicated.

4935

Replication failure begins.

4936

Replication failure ends.

4937

A lingering object was removed from a replica.

+ +| Event ID | Event message | +| - | - | +| 4928 | An Active Directory replica source naming context was established. | +| 4929 | An Active Directory replica source naming context was removed. | +| 4930 | An Active Directory replica source naming context was modified. | +| 4931 | An Active Directory replica destination naming context was modified. | +| 4934 | Attributes of an Active Directory object were replicated. | +| 4935 | Replication failure begins. | +| 4936 | Replication failure ends. | +| 4937 | A lingering object was removed from a replica. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index b4376be5d3..f60e4dd5f2 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md 
@@ -2,42 +2,33 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Detailed File Share + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Detailed File Share**, which allows you to audit attempts to access files and folders on a shared folder. + The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. -**Note**   -There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. +> **Note:**  There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.   Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

5145

A network share object was checked to see whether the client can be granted desired access.

+ +| Event ID | Event message | +| - | - | +| 5145 | A network share object was checked to see whether the client can be granted desired access. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 7448d1b505..230dce9a69 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md 
@@ -2,42 +2,33 @@ title: Audit Directory Service Access (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Directory Service Access + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Access**, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. + These events are similar to the Directory Service Access events in previous versions of the Windows Server operating systems. -**Important**   -Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings. +> **Important:**  Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings.   Event volume: High on servers running AD DS role services; none on client computers + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

4662

An operation was performed on an object.

+ +| Event ID | Event message | +| - | - | +| 4662 | An operation was performed on an object. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index a474407c2f..361827a614 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md 
@@ -2,65 +2,48 @@ title: Audit Directory Service Changes (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Directory Service Changes + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Changes**, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). + The types of changes that are reported are: + - Create - Delete - Modify - Move - Undelete + Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. -**Important**   -Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. + +> **Important:**  Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.   This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track in order to understand the state of the network policy. 
+ Event volume: High on domain controllers; none on client computers + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

5136

A directory service object was modified.

5137

A directory service object was created.

5138

A directory service object was undeleted.

5139

A directory service object was moved.

5141

A directory service object was deleted.

+ +| Event ID | Event message | +| - | - | +| 5136 | A directory service object was modified. | +| 5137 | A directory service object was created. | +| 5138 | A directory service object was undeleted. | +| 5139 | A directory service object was moved. | +| 5141 | A directory service object was deleted. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index 907f50fda7..9f09abada9 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -2,42 +2,31 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Directory Service Replication + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Replication**, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. + Event volume: Medium on domain controllers; none on client computers + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
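Review bot: The new table header in audit-directory-service-replication.md reads `| Event ID | Event Message |` while every other converted table in this commit uses `| Event ID | Event message |`; lowercase `message` for consistency.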
Event IDEvent message

4932

Synchronization of a replica of an Active Directory naming context has begun.

4933

Synchronization of a replica of an Active Directory naming context has ended.

+ +| Event ID | Event Message | +| - | - | +| 4932 | Synchronization of a replica of an Active Directory naming context has begun. | +| 4933 | Synchronization of a replica of an Active Directory naming context has ended. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index 91c5876a9c..1e259424ed 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md 
@@ -2,97 +2,51 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Distribution Group Management + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Distribution Group Management**, which determines whether the operating system generates audit events for specific distribution-group management tasks. + Tasks for distribution-group management that can be audited include: + - A distribution group is created, changed, or deleted. - A member is added to or removed from a distribution group. + This subcategory to which this policy belongs is logged only on domain controllers. -**Note**   -Distribution groups cannot be used to manage access control permissions. +> **Note:**  Distribution groups cannot be used to manage access control permissions.   Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4744

A security-disabled local group was created.

4745

A security-disabled local group was changed.

4746

A member was added to a security-disabled local group.

4747

A member was removed from a security-disabled local group.

4748

A security-disabled local group was deleted.

4749

A security-disabled global group was created.

4750

A security-disabled global group was changed.

4751

A member was added to a security-disabled global group.

4752

A member was removed from a security-disabled global group.

4753

A security-disabled global group was deleted.

4759

A security-disabled universal group was created.

4760

A security-disabled universal group was changed.

4761

A member was added to a security-disabled universal group.

4762

A member was removed from a security-disabled universal group.

-  -## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +| Event ID | Event message | +| - | - | +| 4744 | A security-disabled local group was created. | +| 4745 | A security-disabled local group was changed. | +| 4746 | A member was added to a security-disabled local group. | +| 4747 | A member was removed from a security-disabled local group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | + + ## Related topics + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index 0d82bf9af5..1e7c77ac71 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md 
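Review bot: In audit-distribution-group-management.md the `## Related topics` heading is deleted (`-## Related topics`) and re-added after the table, apparently as `+ ## Related topics` with a leading space, whereas in the other files of this commit the heading is untouched context; a leading space still renders as a heading in most parsers, but it is an unnecessary diff and inconsistent, so keep the heading line unchanged (or at least without leading whitespace) and add only the blank line and the `- [...]` bullet, as the other files do.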
@@ -2,53 +2,37 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit DPAPI Activity + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit DPAPI Activity**, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see [Windows Data Protection](http://go.microsoft.com/fwlink/p/?linkid=121720) (http://go.microsoft.com/fwlink/p/?linkid=121720). + Event volume: Low + Default: Not configured + If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4692

Backup of data protection master key was attempted.

4693

Recovery of data protection master key was attempted.

4694

Protection of auditable protected data was attempted.

4695

Unprotection of auditable protected data was attempted.

+ +| Event ID | Event message | +| - | - | +| 4692 | Backup of data protection master key was attempted. | +| 4693 | Recovery of data protection master key was attempted. | +| 4694 | Protection of auditable protected data was attempted. | +| 4695 | Unprotection of auditable protected data was attempted. |   ## Related resource -[Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md) + +- [Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index e1d039ce4d..8040bc118a 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md 
@@ -2,66 +2,39 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit File Share + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File Share**, which determines whether the operating system generates audit events when a file share is accessed. + Audit events are not generated when shares are created, deleted, or when share permissions change. -**Note**   -There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited. +> **Note:**  There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.   Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. + Event volume: High on a file server or domain controller (due to SYSVOL access by client computers for policy processing) + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

5140

A network share object was accessed.

-
-Note   -

This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

-
-
-  -

5142

A network share object was added.

5143

A network share object was modified.

5144

A network share object was deleted.

5168

SPN check for SMB/SMB2 failed.

+ +| Event ID | Event message | +| - |- | +| 5140 | A network share object was accessed.
**Note:** This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. | +| 5142 | A network share object was added. | +| 5143 | A network share object was modified. | +| 5144 | A network share object was deleted. | +| 5168 | SPN check for SMB/SMB2 failed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 1eaab87e2c..53faccfac6 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md 
@@ -2,51 +2,39 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: brianlic-msft --- + # Audit File System + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File System**, which determines whether the operating system generates audit events when users attempt to access file system objects. Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. + These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring. + Event volume: Varies, depending on how file system SACLs are configured + No audit events are generated for the default file system SACLs. + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4664

An attempt was made to create a hard link.

4985

The state of a transaction has changed.

5051

A file was virtualized.

+ +| Event ID | Event message | +| - | - | +| 4664 | An attempt was made to create a hard link. | +| 4985 | The state of a transaction has changed. | +| 5051 | A file was virtualized. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index 4931fa3cd4..a23961c6d9 100644 --- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md 
@@ -2,80 +2,48 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Filtering Platform Connection + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Connection**, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. + Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + This security policy enables you to audit the following types of actions: + - The Windows Firewall service blocks an application from accepting incoming connections on the network. - The Windows Filtering Platform allows or blocks a connection. - The Windows Filtering Platform permits or blocks a bind to a local port. - The Windows Filtering Platform permits or blocks an application or service from listening for incoming connections on a port. + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

5031

The Windows Firewall Service blocked an application from accepting incoming connections on the network.

5140

A network share object was accessed.

5150

The Windows Filtering Platform blocked a packet.

5151

A more restrictive Windows Filtering Platform filter has blocked a packet.

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

5156

The Windows Filtering Platform has allowed a connection.

5157

The Windows Filtering Platform has blocked a connection.

5158

The Windows Filtering Platform has permitted a bind to a local port.

5159

The Windows Filtering Platform has blocked a bind to a local port.

+ +| Event ID | Event message | +| - | - | +| 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | +| 5140 | A network share object was accessed. | +| 5150 | The Windows Filtering Platform blocked a packet. | +| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. | +| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | +| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | +| 5156 | The Windows Filtering Platform has allowed a connection. | +| 5157 | The Windows Filtering Platform has blocked a connection. | +| 5158 | The Windows Filtering Platform has permitted a bind to a local port. | +| 5159 | The Windows Filtering Platform has blocked a bind to a local port. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index e9afd9f620..fda5bc89e7 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md 
@@ -2,44 +2,35 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Filtering Platform Packet Drop + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Packet Drop**, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. + Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network. + Event volume: High + Default setting: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

5152

The Windows Filtering Platform blocked a packet.

5153

A more restrictive Windows Filtering Platform filter has blocked a packet.

+ +| Event ID | Event message | +| - | - | +| 5152 | The Windows Filtering Platform blocked a packet. | +| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index 07394011e0..97f04007ea 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md 
@@ -2,24 +2,33 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Filtering Platform Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Policy Change**, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. + Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + This security policy setting determines whether the operating system generates audit events for: + - IPsec services status. - Changes to IPsec settings. - Status and changes to the Windows Filtering Platform engine and providers. - IPsec Policy Agent service activities. + Event volume: Low + Default: Not configured + @@ -210,6 +219,7 @@ Default: Not configured
  ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md index dd5a17ef22..2ceff2fa34 100644 --- a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md 
@@ -2,90 +2,94 @@ title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting. ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. + ## Reference + You can manage your audit policy in a more precise way by using audit policy subcategories. + There are over 40 auditing subcategories that provide precise details about activities on a device. For info about these subcategories, see the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). + ### Possible values + - Enabled - Disabled + ### Best practices + - Leave the setting enabled. This provides the ability to audit events at the category level without revising a policy. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Enabled | +| DC Effective Default Settings | Enabled | +| Member Server Effective Default Settings | Enabled | +| Client Computer Effective Default Settings | Enabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ### Auditing + To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. + If the category level audit policy that is set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set. + ### Command-line tools + You can use auditpol.exe to display and manage audit policies from a command prompt. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events, and the key information that needed to be audited was difficult to find. 
+ ### Countermeasure + Enable audit policy subcategories as needed to track specific events. + ### Potential impacts -If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the **SCENoApplyLegacyAuditPolicy** key. -**Important**   -Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance. + +If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the +**SCENoApplyLegacyAuditPolicy** key. +> **Important:**  Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance.   ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index 795f24a6ef..bfbd5e7887 100644 --- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md 
@@ -2,43 +2,37 @@ title: Audit Group Membership (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Group Membership + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Group Membership**, which enables you to audit group memberships when they are enumerated on the client PC. + This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. + For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -**Note**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. +> **Note:**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**.   Multiple events are generated if the group membership information cannot fit in a single security audit event + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

4627

Group membership information.

+ +| Event ID | Event message | +| - | - | +| 4627 | Group membership information. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index e168f2a962..da8a48ee26 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md 
@@ -2,50 +2,37 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Handle Manipulation + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed. + Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL. -**Important**   -Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md). + +> **Important:**  Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md).   + Event volume: High, depending on how SACLs are configured + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4656

A handle to an object was requested.

4658

The handle to an object was closed.

4690

An attempt was made to duplicate a handle to an object.

+ +| Event ID | Event message | +| - | - | +| 4656 | A handle to an object was requested. | +| 4658 | The handle to an object was closed. | +| 4690 | An attempt was made to duplicate a handle to an object. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index 7c7fd0de22..7394906faa 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md 
@@ -2,87 +2,53 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit IPsec Driver + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit IPsec Driver**, which determines whether the operating system generates audit events for the activities of the IPsec driver. + The IPsec driver, using the IP Filter List from the active IPsec policy, watches for outbound IP packets that must be secured and inbound IP packets that must be verified and decrypted. This security policy setting reports on the following activities of the IPsec driver: + - Startup and shutdown of IPsec services. - Packets dropped due to integrity-check failure. - Packets dropped due to replay-check failure. - Packets dropped due to being in plaintext. - Packets received with an incorrect Security Parameter Index (SPI). (This can indicate malfunctioning hardware or interoperability problems.) - Failure to process IPsec filters. + A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems. + Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. + Event volume: Medium + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4960

IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

4961

IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

4962

IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

4963

IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

4965

IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.

5478

IPsec Services has started successfully.

5479

IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

5480

IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

5483

IPsec Services failed to initialize RPC server. IPsec Services could not be started.

5484

IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

5485

IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

+ +| Event ID | Event message | +| - | - | +| 4960 | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. | +| 4961 | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. | +| 4962 | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. | +| 4963 | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. | +| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. | +| 5478 | IPsec Services has started successfully. | +| 5479 | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | +| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. 
Use the IP Security Monitor snap-in to diagnose the problem. | +| 5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started. | +| 5484 | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | +| 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index 9b316c69be..89f0857940 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md +++ b/windows/keep-secure/audit-ipsec-extended-mode.md 
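Review bot: The 5480 row of the new table is broken across two lines, with "Use the IP Security Monitor snap-in to diagnose the problem. |" starting a fresh line; a GFM pipe table cannot carry a line break inside a cell, so if that break is in the source the row (and everything after it) will not render as a table. Keep the whole message in one cell, e.g. `| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |`.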
@@ -2,106 +2,41 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit IPsec Extended Mode + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Extended Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. + IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. -AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications. 
+ +AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. +AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications. + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4978

During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

4979

IPsec Main Mode and Extended Mode security associations were established.

-
-Note   -

This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information.

-
-
-  -

4980

IPsec Main Mode and Extended Mode security associations were established.

-
-Note   -

This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information:

-
-
-  -

4981

IPsec Main Mode and Extended Mode security associations were established.

-
-Note   -

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information.

-
-
-  -

4982

IPsec Main Mode and Extended Mode security associations were established.

-
-Note   -

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information.

-
-
-  -

4983

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

-
-Note   -

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information.

-
-
-  -

4984

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

-
-Note   -

This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.

-
-
-  -
+ +| Event ID | Event message | +| - | - | +| 4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | +| 4979 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information. | +| 4980 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information: | +| 4981 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information. | +| 4982 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information. | +| 4983 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information. | +| 4984 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 2f62f592fd..203307a841 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md 
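Review bot: The `**Note:**` text for rows 4979 through 4984 begins on its own line inside the table cell; a pipe table does not support multi-line cells, so each of these rows will render broken. Join the note into the cell, for example `| 4979 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event data in the following categories: ... |`. While rewriting these rows, the 4980 note carries two slips from the old HTML: "Main Mode Remote Endpoint. Main Mode Cryptographic Information" should use a comma, and the trailing colon after "Extended Mode Additional Information:" should be a period.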
@@ -2,87 +2,42 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit IPsec Main Mode + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Main Mode**, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. + IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities. 
+ Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4646

Security ID: %1

4650

An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.

4651

An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.

4652

An IPsec Main Mode negotiation failed.

-
-Note   -

This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information.

-
-
-  -

4653

An IPsec Main Mode negotiation failed.

-
-Note   -

This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.

-
-
-  -

4655

An IPsec Main Mode security association ended.

4976

During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

5049

An IPsec Security Association was deleted.

5453

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

+ +| Event ID | Event message | +| - | - | +| 4646 | Security ID: %1 | +| 4650 | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. | +| 4651 | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. | +| 4652 | An IPsec Main Mode negotiation failed.
**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information. | +| 4653 | An IPsec Main Mode negotiation failed.
**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. | +| 4655 | An IPsec Main Mode security association ended. | +| 4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | +| 5049 | An IPsec Security Association was deleted. | +| 5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index 969ea8f4d6..79de06ad17 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md 
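Review bot: Rows 4652 and 4653 have the same problem as the Extended Mode table: the `**Note:** This audit event returns detailed audit data ...` continuation starts a new line inside the cell, which breaks the pipe table; fold it into the cell with `<br>` or keep it on one line. Separately, row 4646 is carried over as `| 4646 | Security ID: %1 |`, which is an unexpanded message-format placeholder rather than a description of the event; it should get a readable event message like the other rows, or at least be flagged as a template.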
@@ -2,49 +2,36 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit IPsec Quick Mode + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Quick Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. + IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. 
A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange. + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4977

During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

5451

An IPsec Quick Mode security association was established.

5452

An IPsec Quick Mode security association ended.

+ +| Event ID | Event message | +|- |- | +| 4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.| +| 5451 | An IPsec Quick Mode security association was established.| +| 5452 | An IPsec Quick Mode security association ended.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index 59067e3f7a..85498b7404 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md 
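Review bot: The separator row `|- |- |` and the cells that close without a space (`... negotiation.|`, `... established.|`) differ from the `| - | - |` and `... |` style used in every other converted table in this patch. Both render, but the inconsistency makes later diffs noisier; align this table with the others.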
@@ -2,48 +2,35 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Kerberos Authentication Service + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Authentication Service**, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. + If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts. + Event volume: High on Kerberos Key Distribution Center servers + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4768

A Kerberos authentication ticket (TGT) was requested.

4771

Kerberos preauthentication failed.

4772

A Kerberos authentication ticket request failed.

+ +| Event ID | Event message | +| - | - | +| 4768 | A Kerberos authentication ticket (TGT) was requested. | +| 4771 | Kerberos preauthentication failed. | +| 4772 | A Kerberos authentication ticket request failed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index b174f61378..5f00cf260a 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md @@ -2,46 +2,37 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Kerberos Service Ticket Operations + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Service Ticket Operations**, which determines whether the operating system generates security audit events for Kerberos service ticket requests. + Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity. + Event volume: + - High on a domain controller that is in a Key Distribution Center (KDC) - Low on domain members + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4769

A Kerberos service ticket was requested.

4770

A Kerberos service ticket was renewed.

+ +| Event ID | Event message | +| - | - | +| 4769 | A Kerberos service ticket was requested. | +| 4770 | A Kerberos service ticket was renewed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index 646f5f6d75..783f4c3e18 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md 
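Review bot: The Event volume bullet "High on a domain controller that is in a Key Distribution Center (KDC)" is unchanged context, but since the surrounding lines are being reflowed in this hunk it is worth fixing the wording: a domain controller acts as the KDC, so "High on a domain controller that is a Key Distribution Center (KDC)" reads correctly.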
@@ -2,56 +2,40 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Kernel Object + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kernel Object**, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. + Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers. + Typically, kernel objects are given SACLs only if the **AuditBaseObjects** or **AuditBaseDirectories** auditing options are enabled. -**Note**   -The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects. + +> **Note:**  The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects.   Event volume: High if you have enabled one of the Global Object Access Auditing settings + Default setting: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

+ +| Event ID | Event message | +| - | - | +| 4659 | A handle to an object was requested with intent to delete. | +| 4660 | An object was deleted. | +| 4661 | A handle to an object was requested. | +| 4663 | An attempt was made to access an object. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index feac0833b9..05aee8928a 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md 
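Review bot: This topic keeps "Default setting: Not configured" while every other topic in the patch uses "Default: Not configured" (or "Default: Success"); normalize the label so the Event volume / Default block is consistent across the audit policy pages.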
@@ -2,48 +2,38 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Logoff + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logoff**, which determines whether the operating system generates audit events when logon sessions are terminated. + These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to. -**Note**   -There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. + +> **Note: **  There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.   Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4634

An account was logged off.

4647

User initiated logoff.

+ +| Event ID | Event message | +| - | - | +| 4634 | An account was logged off. | +| 4647 | User initiated logoff. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index 396d8cc641..fb98f6691c 100644 --- a/windows/keep-secure/audit-logon.md +++ b/windows/keep-secure/audit-logon.md 
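Review bot: The added blockquote `> **Note: **  There is no failure event in this subcategory ...` has a space before the closing `**`, so Markdown will not close the bold run and the asterisks will render literally. Use `> **Note:**  There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.` as the audit-kernel-object topic in this same patch does.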
@@ -2,57 +2,44 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Logon + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logon**, which determines whether the operating system generates audit events when a user attempts to log on to a computer. + These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed. + The following events are recorded: + - Logon success and failure. - Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the Runas command. - Security identifiers (SIDs) are filtered. + Logon events are essential to tracking user activity and detecting potential attacks. + Event volume: Low on a client computer; medium on a domain controller or network server + Default: Success for client computers; success and failure for servers - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4624

An account was successfully logged on.

4625

An account failed to log on.

4648

A logon was attempted using explicit credentials.

4675

SIDs were filtered.

+ +| Event ID | Event message | +| - | - | +| 4624 | An account was successfully logged on. | +| 4625 | An account failed to log on. | +| 4648 | A logon was attempted using explicit credentials. | +| 4675 | SIDs were filtered. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index c038f872bd..67760b944f 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md 
@@ -2,98 +2,54 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit MPSSVC Rule-Level Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit MPSSVC Rule-Level Policy Change**, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). + The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include: + - Active policies when the Windows Firewall service starts. - Changes to Windows Firewall rules. - Changes to the Windows Firewall exception list. - Changes to Windows Firewall settings. - Rules ignored or not applied by the Windows Firewall service. - Changes to Windows Firewall Group Policy settings. + Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4944

The following policy was active when the Windows Firewall started.

4945

A rule was listed when the Windows Firewall started.

4946

A change has been made to Windows Firewall exception list. A rule was added.

4947

A change has been made to Windows Firewall exception list. A rule was modified.

4948

A change has been made to Windows Firewall exception list. A rule was deleted.

4949

Windows Firewall settings were restored to the default values.

4950

A Windows Firewall setting has changed.

4951

A rule has been ignored because its major version number was not recognized by Windows Firewall.

4952

Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.

4953

A rule has been ignored by Windows Firewall because it could not parse the rule.

4954

Windows Firewall Group Policy settings have changed. The new settings have been applied.

4956

Windows Firewall has changed the active profile.

4957

Windows Firewall did not apply the following rule:

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

+ +| Event ID | Event message | +| - | - | +| 4944 | The following policy was active when the Windows Firewall started. | +| 4945 | A rule was listed when the Windows Firewall started. | +| 4946 | A change has been made to Windows Firewall exception list. A rule was added. | +| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. | +| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. | +| 4949 | Windows Firewall settings were restored to the default values. | +| 4950 | A Windows Firewall setting has changed. | +| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. | +| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. | +| 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. | +| 4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied. | +| 4956 | Windows Firewall has changed the active profile. | +| 4957 | Windows Firewall did not apply the following rule: | +| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index 1a7b659ed3..5f060ff57e 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md 
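Review bot: Rows 4957 and 4958 end with a colon ("Windows Firewall did not apply the following rule:") because in the live event the rule details follow; in a reference table the trailing colon reads as a truncated sentence, so either end with a period or add a short phrase such as "(followed by the rule details)". Rows 4946 through 4948 also carry "A change has been made to Windows Firewall exception list." from the old HTML, missing "the" before "Windows Firewall exception list"; since these rows are being rewritten, fix the article here.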
@@ -2,71 +2,40 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Network Policy Server + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Network Policy Server**, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). + NAP events can be used to help understand the overall health of the network. + Event volume: Medium to high on servers that are running Network Policy Server (NPS); moderate on other servers or on client computers + Default: Success and failure - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

6272

Network Policy Server granted access to a user.

6273

Network Policy Server denied access to a user.

6274

Network Policy Server discarded the request for a user.

6275

Network Policy Server discarded the accounting request for a user.

6276

Network Policy Server quarantined a user.

6277

Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

6278

Network Policy Server granted full access to a user because the host met the defined health policy.

6279

Network Policy Server locked the user account due to repeated failed authentication attempts.

6280

Network Policy Server unlocked the user account.

+ +| Event ID | Event message | +| - | - | +| 6272 | Network Policy Server granted access to a user. | +| 6273 | Network Policy Server denied access to a user. | +| 6274 | Network Policy Server discarded the request for a user. | +| 6275 | Network Policy Server discarded the accounting request for a user. | +| 6276 | Network Policy Server quarantined a user. | +| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | +| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. | +| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. | +| 6280 | Network Policy Server unlocked the user account. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index 086e940d66..e1321ebc6a 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md 
@@ -2,17 +2,22 @@ title: Audit Non-Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Non-Sensitive Privilege Use + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Non-Sensitive Privilege Use**, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. + The following privileges are non-sensitive: + - **Access Credential Manager as a trusted caller** - **Access this computer from the network** - **Add workstations to domain** @@ -43,37 +48,21 @@ The following privileges are non-sensitive: - **Remove computer from docking station** - **Shut down the system** - **Synchronize directory service data** + If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts. + Event volume: Very high + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4672

Special privileges assigned to new logon.

4673

A privileged service was called.

4674

An operation was attempted on a privileged object.

+ +| Event ID | Event message | +| - | - | +| 4672 | Special privileges assigned to new logon. | +| 4673 | A privileged service was called. | +| 4674 | An operation was attempted on a privileged object. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index d924a8af0d..57eaa771fa 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md 
@@ -2,86 +2,53 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Account Logon Events + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Other Account Logon Events**, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. + Examples can include the following: + - Remote Desktop session disconnections - New Remote Desktop sessions - Locking and unlocking a workstation - Invoking a screen saver - Dismissing a screen saver - Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice - **Note**   - This condition could be caused by a network misconfiguration. + + > **Note:**  This condition could be caused by a network misconfiguration.   - Access to a wireless network granted to a user or computer account - Access to a wired 802.1x network granted to a user or computer account + Event volume: Varies, depending on system use + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4649

A replay attack was detected.

4778

A session was reconnected to a Window Station.

4779

A session was disconnected from a Window Station.

4800

The workstation was locked.

4801

The workstation was unlocked.

4802

The screen saver was invoked.

4803

The screen saver was dismissed.

5378

The requested credentials delegation was disallowed by policy.

5632

A request was made to authenticate to a wireless network.

5633

A request was made to authenticate to a wired network.

+ +| Event ID | Event message | +| - | - | +| 4649 | A replay attack was detected. | +| 4778 | A session was reconnected to a Window Station. | +| 4779 | A session was disconnected from a Window Station. | +| 4800 | The workstation was locked. | +| 4801 | The workstation was unlocked. | +| 4802 | The screen saver was invoked. | +| 4803 | The screen saver was dismissed. | +| 5378 | The requested credentials delegation was disallowed by policy. | +| 5632 | A request was made to authenticate to a wireless network. | +| 5633 | A request was made to authenticate to a wired network. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index a5929d83f0..737c91e478 100644 --- a/windows/keep-secure/audit-other-account-management-events.md +++ b/windows/keep-secure/audit-other-account-management-events.md 
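Review bot: the `> **Note:**  This condition could be caused by a network misconfiguration.` blockquote is inserted at column 0 between the `Detection of a Kerberos replay attack` bullet and the `Access to a wireless network` bullet, which closes the bullet list and renders the last two items as a separate list. Indent the blockquote under the bullet it qualifies (`  > **Note:** ...`) so the list stays one list, and drop the trailing whitespace after it that the old `-**Note**` lines also carried.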
@@ -2,49 +2,38 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Account Management Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Account Management Events**, which determines whether the operating system generates user account management audit events. + Events can be generated for user account management auditing when: + - The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data. - The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied. - Changes are made to domain policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** or **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**. -**Note**   -These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator. +> **Note:**  These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.   Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent Message Summary

4782

The password hash for an account was accessed.

4793

The Password Policy Checking API was called.

+ +| Event ID | Event message | +| - | - | +| 4782 | The password hash for an account was accessed. | +| 4793 | The Password Policy Checking API was called. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index d1068bc02c..14b371601d 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md 
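Review bot: the replacement `+> **Note:**  These events are logged when the domain policy is applied ...` line directly follows the last bullet (`- Changes are made to domain policy under ...`) with no blank `+` line before it, whereas the audit-other-system-events.md hunk in this same patch adds a blank line before its `> **Important:**` blockquote. Add the blank line here too so both pages render the same and the note is not glued to the list. The header rename from `Event Message Summary` to `Event message` matches the other converted tables and looks right.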
@@ -2,82 +2,50 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Logon/Logoff Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Logon/Logoff Events**, which determines whether Windows generates audit events for other logon or logoff events. + These other logon or logoff events include: + - A Remote Desktop session connects or disconnects. - A workstation is locked or unlocked. - A screen saver is invoked or dismissed. - A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration. - A user is granted access to a wireless network. It can either be a user account or the computer account. - A user is granted access to a wired 802.1x network. It can either be a user account or the computer account. + Logon events are essential to understanding user activity and detecting potential attacks. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4649

A replay attack was detected.

4778

A session was reconnected to a Window Station.

4779

A session was disconnected from a Window Station.

4800

The workstation was locked.

4801

The workstation was unlocked.

4802

The screen saver was invoked.

4803

The screen saver was dismissed.

5378

The requested credentials delegation was disallowed by policy.

5632

A request was made to authenticate to a wireless network.

5633

A request was made to authenticate to a wired network.

+ +| Event ID | Event message | +| - | - | +| 4649 | A replay attack was detected. | +| 4778 | A session was reconnected to a Window Station. | +| 4779 | A session was disconnected from a Window Station. | +| 4800 | The workstation was locked. | +| 4801 | The workstation was unlocked. | +| 4802 | The screen saver was invoked. | +| 4803 | The screen saver was dismissed. | +| 5378 | The requested credentials delegation was disallowed by policy. | +| 5632 | A request was made to authenticate to a wireless network. | +| 5633 | A request was made to authenticate to a wired network. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md index 0a0b4e92c2..71b1ee1965 100644 --- a/windows/keep-secure/audit-other-object-access-events.md +++ b/windows/keep-secure/audit-other-object-access-events.md 
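Review bot: the converted table (4649 through 5633) is identical to the one added in the audit-other-account-logon-events.md hunk, and both pages describe the same events (Remote Desktop connects and disconnects, workstation lock and unlock, screen saver, replay detection, wireless and wired 802.1x access). Add a cross-link between the two pages under `## Related topics`, since neither table explains how the two subcategories differ and a reader enabling one of them will want to know about the other.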
@@ -2,92 +2,55 @@ title: Audit Other Object Access Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Object Access Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Object Access Events**, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. + For scheduler jobs, the following actions are audited: + - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. + For COM+ objects, the following actions are audited: + - Catalog object added. - Catalog object updated. - Catalog object deleted. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4671

An application attempted to access a blocked ordinal through the TBS.

4691

Indirect access to an object was requested.

4698

A scheduled task was created.

4699

A scheduled task was deleted.

4700

A scheduled task was enabled.

4701

A scheduled task was disabled.

4702

A scheduled task was updated.

5148

The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

5149

The DoS attack has subsided and normal processing is being resumed.

5888

An object in the COM+ Catalog was modified.

5889

An object was deleted from the COM+ Catalog.

5890

An object was added to the COM+ Catalog.

+ +| Event ID | Event message | +| - | - | +| 4671 | An application attempted to access a blocked ordinal through the TBS. | +| 4691 | Indirect access to an object was requested. | +| 4698 | A scheduled task was created. | +| 4699 | A scheduled task was deleted. | +| 4700 | A scheduled task was enabled. | +| 4701 | A scheduled task was disabled. | +| 4702 | A scheduled task was updated. | +| 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. | +| 5149 | The DoS attack has subsided and normal processing is being resumed. | +| 5888 | An object in the COM+ Catalog was modified. | +| 5889 | An object was deleted from the COM+ Catalog. | +| 5890 | An object was added to the COM+ Catalog. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md index 297f8250bb..7e2c53404a 100644 --- a/windows/keep-secure/audit-other-policy-change-events.md +++ b/windows/keep-secure/audit-other-policy-change-events.md 
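Review bot: the intro covers only Task Scheduler actions and COM+ catalog actions, but the converted table also carries `4671` (blocked ordinal through the TBS), `4691` (indirect access to an object) and `5148`/`5149` (Windows Filtering Platform DoS detection and recovery), none of which fit under `For scheduler jobs` or `For COM+ objects`. Extend the intro with a line covering those rows; the WFP defensive-mode events 5148/5149 are the ones a defender is most likely to be looking for in this subcategory and deserve a mention.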
@@ -2,95 +2,50 @@ title: Audit Other Policy Change Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Policy Change Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Policy Change Events**, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. + These other activities in the Policy Change category that can be audited include: + - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. - Cryptographic context operations or modifications. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4670

Permissions on an object were changed.

4909

The local policy settings for the TBS were changed.

4910

The group policy settings for the TBS were changed.

5063

A cryptographic provider operation was attempted.

5064

A cryptographic context operation was attempted.

5065

A cryptographic context modification was attempted.

5066

A cryptographic function operation was attempted.

5067

A cryptographic function modification was attempted.

5068

A cryptographic function provider operation was attempted.

5069

A cryptographic function property operation was attempted.

5070

A cryptographic function property modification was attempted.

5447

A Windows Filtering Platform filter has been changed.

6144

Security policy in the group policy objects has been applied successfully.

6145

One or more errors occurred while processing security policy in the group policy objects.

+ +| Event ID | Event message | +| - | - | +| 4670 | Permissions on an object were changed. | +| 4909 | The local policy settings for the TBS were changed. | +| 4910 | The group policy settings for the TBS were changed. | +| 5063 | A cryptographic provider operation was attempted. | +| 5064 | A cryptographic context operation was attempted. | +| 5065 | A cryptographic context modification was attempted. | +| 5066 | A cryptographic function operation was attempted. | +| 5067 | A cryptographic function modification was attempted. | +| 5068 | A cryptographic function provider operation was attempted. | +| 5069 | A cryptographic function property operation was attempted. | +| 5070 | A cryptographic function property modification was attempted. | +| 5447 | A Windows Filtering Platform filter has been changed. | +| 6144 | Security policy in the group policy objects has been applied successfully. | +| 6145 | One or more errors occurred while processing security policy in the group policy objects. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md index 145e348e6e..839251f763 100644 --- a/windows/keep-secure/audit-other-privilege-use-events.md +++ b/windows/keep-secure/audit-other-privilege-use-events.md 
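Review bot: the intro bullet `Kernel-mode cryptographic self tests` has no corresponding row in the converted table, while the rows `4670` (permissions on an object were changed), `5447` (Windows Filtering Platform filter changed) and `6144`/`6145` (security policy in GPOs applied or errored) are not covered by any bullet. Align the bullet list with the table, either by adding bullets for those events or by stating that the table is the authoritative list for the subcategory.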
@@ -2,17 +2,21 @@ title: Audit Other Privilege Use Events (Windows 10) description: This security policy setting is not used. ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Privilege Use Events + **Applies to** - Windows 10 + This security policy setting is not used. + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md index 26c8610d85..2b28658209 100644 --- a/windows/keep-secure/audit-other-system-events.md +++ b/windows/keep-secure/audit-other-system-events.md 
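Review bot: under `## Related topics` this hunk replaces `-[Advanced security audit policy settings](...)` with `+- [Advanced security audit policy settings](...)` but omits the blank `+` line that every other file in this patch inserts between the heading and the list; add it for consistency with the rest of the change.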
@@ -2,129 +2,59 @@ title: Audit Other System Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other System Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other System Events**, which determines whether the operating system audits various system events. + The system events in this category include: + - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall service. - Cryptography key file and migration operations. -**Important**   -Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats. + +> **Important:**  Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats.   Event volume: Low + Default: Success and failure - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

5024

The Windows Firewall Service has started successfully.

5025

The Windows Firewall Service has been stopped.

5027

The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.

5028

The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.

5029

The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.

5030

The Windows Firewall Service failed to start.

5032

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

5033

The Windows Firewall Driver has started successfully.

5034

The Windows Firewall Driver has been stopped.

5035

The Windows Firewall Driver failed to start.

5037

The Windows Firewall Driver detected critical runtime error. Terminating.

5058

Key file operation.

5059

Key migration operation.

6400

BranchCache: Received an incorrectly formatted response while discovering availability of content.

6401

BranchCache: Received invalid data from a peer. Data discarded.

6402

BranchCache: The message to the hosted cache offering it data is incorrectly formatted.

6403

BranchCache: The hosted cache sent an incorrectly formatted response to the client.

6404

BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.

6405

BranchCache: %2 instance(s) of event id %1 occurred.

6406

%1 registered to Windows Firewall to control filtering for the following: %2

6407

1%

6408

Registered product %1 failed and Windows Firewall is now controlling the filtering for %2

+ +| Event ID | Event message | +| - | - | +| 5024 | The Windows Firewall Service has started successfully. | +| 5025 | The Windows Firewall Service has been stopped. | +| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. | +| 5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. | +| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. | +| 5030 | The Windows Firewall Service failed to start. | +| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.| +| 5033 | The Windows Firewall Driver has started successfully. | +| 5034 | The Windows Firewall Driver has been stopped. | +| 5035 | The Windows Firewall Driver failed to start. | +| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating.| +| 5058 | Key file operation. | +| 5059 | Key migration operation.| +| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content.| +| 6401 | BranchCache: Received invalid data from a peer. Data discarded. | +| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted.| +| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client. | +| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.| +| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. 
| +| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2| +| 6407 | 1% | +| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md index b0b235fa4c..aef1c0ae47 100644 --- a/windows/keep-secure/audit-pnp-activity.md +++ b/windows/keep-secure/audit-pnp-activity.md @@ -2,40 +2,32 @@ title: Audit PNP Activity (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit PNP Activity + **Applies to** - Windows 10 -\[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\] + This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device. + A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a PC a PnP event is triggered. + Event volume: Varies, depending on how the computer is used + Default: Not configured - ---- - - - - - - - - - - - - -
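Review bot: in the audit-other-system-events.md table the `| 6405 | BranchCache: %2 instance(s) of event id %1 occurred.` row is split across two lines, with its closing `|` landing on the next line, which breaks the markdown table at that row; join it back onto one line. Two smaller points in the same table: the `| 6407 | 1% |` message is carried over from the old `1%` cell and reads like a mangled `%1` template placeholder rather than a real message, so it should be checked against the event source before publishing, and the 6405, 6406 and 6408 rows keep raw `%1`/`%2` placeholders that would benefit from a one-line note that these are substituted at event time. Several rows (`5032`, `5037`, `5059`, `6400`, `6402`, `6404`) also lack the space before the closing `|` used elsewhere.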
Event IDEvent message

6416

A new external device was recognized by the system.

+ +| Event ID | Event message | +| - | - | +| 6416 | A new external device was recognized by the system. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-policy.md b/windows/keep-secure/audit-policy.md index 8456383cb7..87cf555f43 100644 --- a/windows/keep-secure/audit-policy.md +++ b/windows/keep-secure/audit-policy.md 
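Review bot: this hunk drops the `\[Some information relates to pre-released product ...\]` disclaimer from audit-pnp-activity.md, which is a content change rather than the formatting cleanup the rest of the patch performs; confirm the setting has shipped and call the removal out in the commit message. Minor: the body says `plug and play` while the title uses `PNP` and the next paragraph uses `PnP`; `Plug and Play (PnP)` on first use would make the three agree.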
@@ -2,29 +2,36 @@ title: Audit Policy (Windows 10) description: Provides information about basic audit policies that are available in Windows and links to information about each setting. ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Policy + **Applies to** - Windows 10 + Provides information about basic audit policies that are available in Windows and links to information about each setting. + The security audit policy settings under **Security Settings\\Local Policies\\Audit Policy** provide broad security audit capabilities for client devices and servers that cannot use advanced security audit policy settings. + The basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** are: -[Audit account logon events](basic-audit-account-logon-events.md) -[Audit account management](basic-audit-account-management.md) -[Audit directory service access](basic-audit-directory-service-access.md) -[Audit logon events](basic-audit-logon-events.md) -[Audit object access](basic-audit-object-access.md) -[Audit policy change](basic-audit-policy-change.md) -[Audit privilege use](basic-audit-privilege-use.md) -[Audit process tracking](basic-audit-process-tracking.md) -[Audit system events](basic-audit-system-events.md) +- [Audit account logon events](basic-audit-account-logon-events.md) +- [Audit account management](basic-audit-account-management.md) +- [Audit directory service access](basic-audit-directory-service-access.md) +- [Audit logon events](basic-audit-logon-events.md) +- [Audit object access](basic-audit-object-access.md) +- [Audit policy change](basic-audit-policy-change.md) +- [Audit privilege use](basic-audit-privilege-use.md) +- [Audit process tracking](basic-audit-process-tracking.md) +- [Audit system events](basic-audit-system-events.md) + ## Related topics -[Configure security policy 
settings](how-to-configure-security-policy-settings.md) -[Security auditing](security-auditing-overview.md) + +- [Configure security policy settings](how-to-configure-security-policy-settings.md) +- [Security auditing](security-auditing-overview.md)     diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md index 46977396e4..dbe4b6bc69 100644 --- a/windows/keep-secure/audit-process-creation.md +++ b/windows/keep-secure/audit-process-creation.md @@ -2,44 +2,34 @@ title: Audit Process Creation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Process Creation + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Creation**, which determines whether the operating system generates audit events when a process is created (starts). + These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process. + Event volume: Low to medium, depending on system usage + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4688

A new process has been created.

4696

A primary token was assigned to a process.

+ +| Event ID | Event message | +| - | - | +| 4688 | A new process has been created.| +| 4696 | A primary token was assigned to a process.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index ed81065dfb..4208a938c3 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md @@ -2,42 +2,37 @@ title: Audit Process Termination (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Process Termination + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Termination**, which determines whether the operating system generates audit events when an attempt is made to end a process. + Success audits record successful attempts and Failure audits record unsuccessful attempts. + If you do not configure this policy setting, no audit event is generated when a process ends. + This policy setting can help you track user activity and understand how the computer is used. + Event volume: Varies, depending on how the computer is used + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

4689

A process has exited.

-  + +| Event ID | Event message | +| - | - | +| 4689 | A process has exited. | + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md index e7b6bdba50..40ea22bf27 100644 --- a/windows/keep-secure/audit-registry.md +++ b/windows/keep-secure/audit-registry.md 
@@ -2,45 +2,37 @@ title: Audit Registry (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Registry + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Registry**, which determines whether the operating system generates audit events when users attempt to access registry objects. + Audit events are generated only for objects that have configured system access control lists (SACLs) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. -If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL. + +If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching +SACL. + Event volume: Low to medium, depending on how registry SACLs are configured + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4657

A registry value was modified.

5039

A registry key was virtualized.

+ +| Event ID | Event message | +| - | - | +| 4657 | A registry value was modified. | +| 5039 | A registry key was virtualized. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index d260df3000..1892857f3e 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -2,18 +2,24 @@ title: Audit Removable Storage (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Removable Storage + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive. + Event volume: Low + Default: Not configured + @@ -117,6 +123,7 @@ Default: Not configured
  ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-rpc-events.md b/windows/keep-secure/audit-rpc-events.md index 1fca2ed810..dfb512694b 100644 --- a/windows/keep-secure/audit-rpc-events.md +++ b/windows/keep-secure/audit-rpc-events.md @@ -2,39 +2,32 @@ title: Audit RPC Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit RPC Events + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit RPC Events**, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. + RPC is a technology for creating distributed client/server programs. RPC is an interprocess communication technique that enables client and server software to communicate. For more information, see [What Is RPC?](http://technet.microsoft.com/library/cc787851.aspx). + Event volume: High on RPC servers + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

5712

A Remote Procedure Call (RPC) was attempted.

+ +| Event ID | Event message | +| - | - | +| 5712 | A Remote Procedure Call (RPC) was attempted. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-sam.md b/windows/keep-secure/audit-sam.md index 47d6014e77..c682e87a89 100644 --- a/windows/keep-secure/audit-sam.md +++ b/windows/keep-secure/audit-sam.md 
@@ -2,66 +2,52 @@ title: Audit SAM (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit SAM + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit SAM**, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. + The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. + SAM objects include the following: + - SAM\_ALIAS: A local group - SAM\_GROUP: A group that is not a local group - SAM\_USER: A user account - SAM\_DOMAIN: A domain - SAM\_SERVER: A computer account + If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts. -**Note**   -Only the SACL for SAM\_SERVER can be modified. + +> **Note:**  Only the SACL for SAM\_SERVER can be modified.   Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events. + Event volume: High on domain controllers -**Note**   -For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698). 
+ +> **Note:**  For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698).   Default setting: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

+ +| Event ID | Event message | +| - | - | +| 4659 | A handle to an object was requested with intent to delete.| +| 4660 | An object was deleted. | +| 4661 | A handle to an object was requested.| +| 4663 | An attempt was made to access an object.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-security-group-management.md b/windows/keep-secure/audit-security-group-management.md index e4ca2e798d..65d91ba967 100644 --- a/windows/keep-secure/audit-security-group-management.md +++ b/windows/keep-secure/audit-security-group-management.md 
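Review bot: the non-breaking-space spacer lines that padded the old `**Note**` blocks are still present after the new `> **Note:**  Only the SACL for SAM\_SERVER can be modified.` and `> **Note:**  For information about reducing the number of events ...` blockquotes in this hunk (the lone `  ` line before "Changes to user and group objects" and the one before "Default setting: Not configured"); they belonged to the previous layout and should be removed with it. While touching this paragraph, the unchanged context line "Default setting: Not configured" could be aligned with the "Default: Not configured" wording used by every sibling audit topic in this change.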
@@ -2,103 +2,52 @@ title: Audit Security Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed. ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Security Group Management + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Security Group Management**, which determines whether the operating system generates audit events when specific security group management tasks are performed. + Tasks for security group management include: + - A security group is created, changed, or deleted. - A member is added to or removed from a security group. - A group's type is changed. Security groups can be used for access control permissions and also as distribution lists. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4727

A security-enabled global group was created.

4728

A member was added to a security-enabled global group.

4729

A member was removed from a security-enabled global group.

4730

A security-enabled global group was deleted.

4731

A security-enabled local group was created.

4732

A member was added to a security-enabled local group.

4733

A member was removed from a security-enabled local group.

4734

A security-enabled local group was deleted.

4735

A security-enabled local group was changed.

4737

A security-enabled global group was changed.

4754

A security-enabled universal group was created.

4755

A security-enabled universal group was changed.

4756

A member was added to a security-enabled universal group.

4757

A member was removed from a security-enabled universal group.

4758

A security-enabled universal group was deleted.

4764

A group's type was changed.

-  + +| Event ID | Event message | +| - | - | +| 4727 | A security-enabled global group was created. | +| 4728 | A member was added to a security-enabled global group. | +| 4729 | A member was removed from a security-enabled global group. | +| 4730 | A security-enabled global group was deleted. | +| 4731 | A security-enabled local group was created. | +| 4732 | A member was added to a security-enabled local group.| +| 4733 | A member was removed from a security-enabled local group.| +| 4734 | A security-enabled local group was deleted. | +| 4735 | A security-enabled local group was changed. | +| 4737 | A security-enabled global group was changed. | +| 4754 | A security-enabled universal group was created.| +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group.| +| 4757 | A member was removed from a security-enabled universal group.| +| 4758 | A security-enabled universal group was deleted. | +| 4764 | A group's type was changed. | + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md index 916b17b447..efda133f49 100644 --- a/windows/keep-secure/audit-security-state-change.md +++ b/windows/keep-secure/audit-security-state-change.md 
@@ -2,65 +2,44 @@ title: Audit Security State Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Security State Change + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security State Change**, which determines whether Windows generates audit events for changes in the security state of a system. + Changes in the security state of the operating system include: + - System startup and shutdown. - Change of system time. - System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**. - **Important**   - Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**. + + > **Important:**  Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**.   System startup and shutdown events are important for understanding system usage. + Event volume: Low + Default: Success - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent Message SummaryMinimum Requirement

4608

Windows is starting up.

Windows Vista, Windows Server 2008

4609

Windows is shutting down.

Windows Vista, Windows Server 2008

4616

The system time was changed.

Windows Vista, Windows Server 2008

4621

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Windows Vista, Windows Server 2008

+ +| Event ID | Event message summary | Minimum requirement | +| - | - | - | +| 4608 | Windows is starting up. | Windows Vista, Windows Server 2008 | +| 4609 | Windows is shutting down. | Windows Vista, Windows Server 2008 | +| 4616 | The system time was changed.| Windows Vista, Windows Server 2008 | +| 4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.| Windows Vista, Windows Server 2008 |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md index 2144df19fb..e605195736 100644 --- a/windows/keep-secure/audit-security-system-extension.md +++ b/windows/keep-secure/audit-security-system-extension.md 
@@ -2,62 +2,43 @@ title: Audit Security System Extension (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Security System Extension + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security System Extension**, which determines whether the operating system generates audit events related to security system extensions. + Changes to security system extensions in the operating system include the following activities: - A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM. - A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -**Important**   -Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. + +> **Important:**  Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.   Event volume: Low + These events are expected to appear more on a domain controller than on client computers or member servers. 
+ Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4610

An authentication package has been loaded by the Local Security Authority.

4611

A trusted logon process has been registered with the Local Security Authority.

4614

A notification package has been loaded by the Security Account Manager.

4622

A security package has been loaded by the Local Security Authority.

4697

A service was installed in the system.

+ +| Event ID | Event message | +| - | - | +| 4610 | An authentication package has been loaded by the Local Security Authority. | +| 4611 | A trusted logon process has been registered with the Local Security Authority.| +| 4614 | A notification package has been loaded by the Security Account Manager. | +| 4622 | A security package has been loaded by the Local Security Authority. | +| 4697 | A service was installed in the system. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index 5b79f7bf21..2c7cd5a902 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md 
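Review bot: the list after "Changes to security system extensions in the operating system include the following activities:" is the only one in this change that did not get a blank `+` line inserted before its first `- ` item, leaving it inconsistent with the sibling topics (compare the SAM objects list in audit-sam.md and the tasks list in audit-security-group-management.md, which both received one); add the blank line. The `  ` spacer line that remains after the new `> **Important:**  Attempts to install or load security system extensions ...` blockquote can also be dropped now that the old Important block is gone.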
@@ -2,63 +2,51 @@ title: Audit Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Sensitive Privilege Use + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Sensitive Privilege Use**, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. + Actions that can be audited include: - A privileged service is called. - One of the following privileges is called: - **Act as part of the operating system** - **Back up files and directories** - **Create a token object** - **Debug programs** - **Enable computer and user accounts to be trusted for delegation** - **Generate security audits** - **Impersonate a client after authentication** - **Load and unload device drivers** - **Manage auditing and security log** - **Modify firmware environment values** - **Replace a process-level token** - **Restore files and directories** - **Take ownership of files or other objects** + - **Act as part of the operating system** + - **Back up files and directories** + - **Create a token object** + - **Debug programs** + - **Enable computer and user accounts to be trusted for delegation** + - **Generate security audits** + - **Impersonate a client after authentication** + - **Load and unload device drivers** + - **Manage auditing and security log** + - **Modify firmware environment values** + - **Replace a process-level token** + - **Restore files and directories** + - **Take ownership of files or other objects** + If you configure this 
policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts. + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4672

Special privileges assigned to new logon.

4673

A privileged service was called.

4674

An operation was attempted on a privileged object.

+ +| Event ID | Event message | +| - | - | +| 4672 | Special privileges assigned to new logon.| +| 4673 | A privileged service was called. | +| 4674 | An operation was attempted on a privileged object.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 6d797a0b65..5ce9aeecf7 100644 --- a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md 
@@ -2,18 +2,24 @@ title: Audit Shut down system immediately if unable to log security audits (Windows 10) description: Describes the best practices, location, values, management practices, and security considerations for the Audit Shut down system immediately if unable to log security audits security policy setting. ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit: Shut down system immediately if unable to log security audits + **Applies to** - Windows 10 + Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. + ## Reference + The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it is unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message in the case of a failure of the auditing system. Enabling this policy setting stops the system if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**. + With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry cannot be overwritten, the following Stop message appears: @@ -28,72 +34,67 @@ With **Audit: Shut down system immediately if unable to log security audits** se
  To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired. + If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Depending on your security audit requirements, you can enable the **Audit: Shut down system immediately if unable to log security audits** setting to ensure that security auditing information is captured for review. However, enabling this setting will increase the number of events logged. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined +| Default Domain Controler Policy | Not defined +| Stand-Alone Server Default Settings | Disabled +| DC Effective Default Settings | Disabled +| Member Server Effective Default Settings | Disabled +| Client Computer Effective Default Settings | Disabled   ## Policy management + This section describes features and tools that are available to help you manage this policy. The administrative burden of enabling this policy setting can be very high, especially if you also set the **Retention method for security log** to **Do not overwrite events (clear log manually)**. This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial-of-service threat, because a server can be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security log. Additionally, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system will guarantee that the file system's integrity will be maintained during a sudden system shutdown, it cannot guarantee that every data file for every application will still be in a usable form when the system is restarted. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with clients, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. 
+ ### Vulnerability + If the computer is unable to record events to the security event log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of security event log events to purposely force a shutdown. + ### Countermeasure + Enable the **Audit: Shut down system immediately if unable to log security audits** setting to ensure that security auditing information is captured for review. + ### Potential impact + If you enable this policy setting, the administrative burden can be significant, especially if you also configure the **Retention method for the Security log** to **Do not overwrite events** (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security event log. Also, because the shutdown is abrupt, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system maintains its integrity when this type of computer shutdown occurs, there is no guarantee that every data file for every application will still be in a usable form when the device restarts. + ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md index 5a3e24b4b7..439cf91d3d 100644 --- a/windows/keep-secure/audit-special-logon.md +++ b/windows/keep-secure/audit-special-logon.md 
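Review bot: the new Default values table introduces a typo that the HTML table it replaces did not have: `+| Default Domain Controler Policy | Not defined` should read `Default Domain Controller Policy`. The six data rows also omit the trailing `|` that the header and separator rows carry; closing them keeps this table consistent with every other table converted in this change.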
@@ -2,43 +2,38 @@ title: Audit Special Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Special Logon + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Special Logon**, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. + This security policy setting determines whether the operating system generates audit events when: + - A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/p/?linkid=120183). + Users holding special privileges can potentially make changes to the system. We recommend that you track their activity. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - -
Event IDEvent message

4964

Special groups have been assigned to a new logon.

+ +| Event ID | Event message | +| - | - | +| 4964 | Special groups have been assigned to a new logon.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md index afe5957ade..dfc2666ebf 100644 --- a/windows/keep-secure/audit-system-integrity.md +++ b/windows/keep-secure/audit-system-integrity.md 
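Review bot: the new 4964 row ends with `new logon.|` (no space before the closing pipe) while the header row is padded; it renders, but keep cell padding consistent with the other event tables in this change. In the unchanged Special Groups paragraph, the link text "article 947223" already carries http://go.microsoft.com/fwlink/p/?linkid=120183, so repeating the same URL in parentheses after "Microsoft Knowledge Base" is redundant and could be dropped while this file is being touched.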
@@ -2,88 +2,51 @@ title: Audit System Integrity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit System Integrity + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit System Integrity**, which determines whether the operating system audits events that violate the integrity of the security subsystem. + Activities that violate the integrity of the security subsystem include the following: + - Audited events are lost due to a failure of the auditing system. - A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space. - A remote procedure call (RPC) integrity violation is detected. - A code integrity violation with an invalid hash value of an executable file is detected. - Cryptographic tasks are performed. -**Important**   -Violations of security subsystem integrity are critical and could indicate a potential security attack. + +> **Important:**  Violations of security subsystem integrity are critical and could indicate a potential security attack.   Event volume: Low + Default: Success and failure - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4612

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

4615

Invalid use of LPC port.

4618

A monitored security event pattern has occurred.

4816

RPC detected an integrity violation while decrypting an incoming message.

5038

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

5056

A cryptographic self-test was performed.

5057

A cryptographic primitive operation failed.

5060

Verification operation failed.

5061

Cryptographic operation.

5062

A kernel-mode cryptographic self-test was performed.

6281

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

+ +| Event ID | Event message | +| - | - | +| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. | +| 4615 | Invalid use of LPC port. | +| 4618 | A monitored security event pattern has occurred.| +| 4816 | RPC detected an integrity violation while decrypting an incoming message.| +| 5038 | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.| +| 5056 | A cryptographic self-test was performed. | +| 5057 | A cryptographic primitive operation failed.| +| 5060 | Verification operation failed. | +| 5061 | Cryptographic operation. | +| 5062 | A kernel-mode cryptographic self-test was performed.| +| 6281 | Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md index 1a863efc9a..1f05f3085b 100644 --- a/windows/keep-secure/audit-user-account-management.md +++ b/windows/keep-secure/audit-user-account-management.md 
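Review bot: the rows for 4618, 4816, 5038, 5057, 5062 and 6281 close with `.|` while the remaining rows close with `. |`; pick one padding style for the whole table. The Important callout now uses the `> **Important:**` blockquote form with a double space after the colon, which matches the other files in this change; fine as is.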
@@ -2,106 +2,56 @@ title: Audit User Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit User Account Management + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit User Account Management**, which determines whether the operating system generates audit events when specific user account management tasks are performed. + Tasks that are audited for user account management include: + - A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. - A user account password is set or changed. - Security identifier (SID) history is added to a user account. - The Directory Services Restore Mode password is set. - Permissions are changed on accounts that are members of administrator groups. - Credential Manager credentials are backed up or restored. + This policy setting is essential for tracking events that involve provisioning and managing user accounts. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4720

A user account was created.

4722

A user account was enabled.

4723

An attempt was made to change an account's password.

4724

An attempt was made to reset an account's password.

4725

A user account was disabled.

4726

A user account was deleted.

4738

A user account was changed.

4740

A user account was locked out.

4765

SID History was added to an account.

4766

An attempt to add SID History to an account failed.

4767

A user account was unlocked.

4780

The ACL was set on accounts which are members of administrators groups.

4781

The name of an account was changed:

4794

An attempt was made to set the Directory Services Restore Mode.

5376

Credential Manager credentials were backed up.

5377

Credential Manager credentials were restored from a backup.

+ +| Event ID | Event message | +| - | - | +| 4720 | A user account was created. | +| 4722 | A user account was enabled. | +| 4723 | An attempt was made to change an account's password.| +| 4724 | An attempt was made to reset an account's password. | +| 4725 | A user account was disabled. | +| 4726 | A user account was deleted. | +| 4738 | A user account was changed. | +| 4740 | A user account was locked out.| +| 4765 | SID History was added to an account.| +| 4766 | An attempt to add SID History to an account failed.| +| 4767 | A user account was unlocked. | +| 4780 | The ACL was set on accounts which are members of administrators groups.| +| 4781 | The name of an account was changed: | +| 4794 | An attempt was made to set the Directory Services Restore Mode.| +| 5376 | Credential Manager credentials were backed up. | +| 5377 | Credential Manager credentials were restored from a backup.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index 29bc724e09..254bfb2c7d 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md 
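Review bot: the **Applies to** block in this file lists only Windows 10, whereas the audit-special-logon and audit-system-integrity topics in the same change list both Windows 10 and Windows 10 Mobile; confirm that omitting Windows 10 Mobile here is intentional rather than an oversight. As in the other tables, cell padding before the closing pipe alternates between `.|` and `. |` (4723, 4740, 4765, 4766, 4780, 4794, 5377 versus the rest); make it uniform.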
@@ -2,18 +2,24 @@ title: Audit User/Device Claims (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit User/Device Claims + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit User/Device Claims**, which enables you to audit security events that are generated by user and device claims. + Event volume: + Default: Not configured + @@ -52,6 +58,7 @@ Default: Not configured
  ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 6e95c6fea2..2cddb14842 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md 
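Review bot: the added `Event volume:` line in audit-user-device-claims.md has no value after the colon. Every other audit topic in this change states one (Low, or Success and failure for the default), so either fill in the expected volume for user/device claim events or drop the line; an empty field reads as an unfinished edit.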
@@ -2,108 +2,109 @@ title: Back up files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Back up files and directories + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. + ## Reference + This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply. + This user right is similar to granting the following permissions to the user or group you have selected on all files and folders on the system: + - Traverse Folder/Execute File - List Folder/Read Data - Read Attributes - Read Extended Attributes - Read Permissions + Default on workstations and servers: + - Administrators - Backup Operators + Default on domain controllers: + - Administrators - Backup Operators - Server Operators + Constant: SeBackupPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + 1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. 2. 
If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

-

Backup Operators

-

Server Operators

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

Domain Controller Effective Default Settings

Administrators

-

Backup Operators

-

Server Operators

Member Server Effective Default Settings

Administrators

-

Backup Operators

Client Computer Effective Default Settings

Administrators

-

Backup Operators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators| +| Stand-Alone Server Default Settings | Administrators
Backup Operators| +| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators| +| Member Server Effective Default Settings | Administrators
Backup Operators| +| Client Computer Effective Default Settings | Administrators
Backup Operators|   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can back up data from a device could take the backup media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set. + ### Countermeasure + Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. + ### Potential impact + Changes in the membership of the groups that have the **Back up files and directories** user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators can still perform backup operations. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) + +- [User Rights Assignment](user-rights-assignment.md)     
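Review bot: the converted default-values table will not render correctly, because the cells for Default Domain Controller Policy, Stand-Alone Server Default Settings and the three Effective Default Settings rows span several lines (`| Default Domain Controller Policy | Administrators` followed by `Backup Operators` and `Server Operators|` on their own lines). A Markdown table row must be a single line, so the continuation lines will appear as stray text after a truncated table; join each cell onto one line using `<br>` or a comma-separated list, e.g. `| Default Domain Controller Policy | Administrators<br>Backup Operators<br>Server Operators |`. Also, item 2 of Best practices is split so that "2." sits alone before "If you are using backup software ..."; keep the number and its text on one line.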
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md index dfc256208f..5f46d91a0d 100644 --- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md 
@@ -2,90 +2,128 @@ title: Backup the TPM recovery Information to AD DS (Windows 10) description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Backup the TPM recovery Information to AD DS + **Applies to** - Windows 10 + This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. + ## About administering TPM remotely + Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers, without having to be present at the computer. + You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**. -**Note**   -The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored. 
+ +> **Note:**  The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored.   Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment. + In this topic: + 1. [Check status of prerequisites](#bkmk-prereqs) 2. [Set permissions to back up password information](#bkmk-setperms) 3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp) 4. [Use AD DS to recover TPM information](#bkmk-useit) 5. [Sample scripts](#bkmk-adds-tpm-scripts) + ## Check status of prerequisites + Before you begin your backup, ensure that the following prerequisites are met: + 1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema. - **Tip**   - For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). 
+ + > **Tip:**  For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).   2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions. + ## Set permissions to back up password information + This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added. + This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions: + - You have domain administrator credentials to set permissions for the top-level domain object. - Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN. - **Note**   - You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example: + + > **Note:**  You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. 
Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example: `LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com`   - Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects. - Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute. + + Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. + You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute. + **To add an ACE to allow TPM recovery information backup** + 1. Open the sample script **Add-TPMSelfWriteACE.vbs**. + The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name. + 2. Save your modifications to the script. 3. Type the following at a command prompt, and then press ENTER: + **cscript Add-TPMSelfWriteACE.vbs** + This script adds a single ACE to the top-level domain object. 
The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain. Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary. + **Manage ACEs configured on TPM schema objects** + 1. Open the sample script **List-ACEs.vbs**. 2. Modify **List-ACEs.vbs**. + You must modify: - Value of **strPathToDomain**: Use your domain name. - Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects. + 3. Save your modifications to the script. 4. Type the following at a command prompt, and then press ENTER: + **cscript List-ACEs.vbs** + With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain. + ## Configure Group Policy to back up TPM recovery information in AD DS + Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain. + **To enable local policy setting to back up TPM recovery information to AD DS** + 1. Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group. 2. Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**. 3. Click **Trusted Platform Module Services**. 4. Double-click **Turn on TPM backup to Active Directory Domain Services**. 5. Click **Enabled**, and then click **OK**. 
-**Important**   -When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds. +> **Important:**  When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.   ## Use AD DS to recover TPM information + When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required. + **To obtain TPM owner backup information from AD DS and create a password file** + 1. Sign in to a domain controller by using domain administrator credentials. 2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer. 3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step. 4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**. + The expected output is a string that is the hash of the password that you created earlier. - **Note**   - If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute. + > **Note:**  If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute. 
+ The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects.   5. Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step. + ``` syntax
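Review bot: the attribute is named **ms-TPM-OwnerInformation** in the "About administering TPM remotely" and "Use AD DS to recover TPM information" sections but **msTPM-OwnerInformation** in the Effective Permissions check under "Set permissions to back up password information"; if both are intentional (the common name versus the LDAP display name), say so once, otherwise use a single spelling so readers looking at the attribute in AD DS are not confused. In the same section, the Note callout's second sentence ("Find the variable **strPathToDomain** ...") is on a new line without the `>` prefix and without the list-item indentation, so it may render outside the callout and outside the bullet; prefix it with `>` or keep it on the same line as the Note. The title "Backup the TPM recovery Information to AD DS" uses "Backup" as a verb and capitalises "Information"; "Back up the TPM recovery information to AD DS" matches the "Back up files and directories" title elsewhere in this change. Since the hunk itself states that the stored value is a SHA-1 hash of the TPM owner password and that reading it requires domain administrator rights (or Creator Owner on the computer object), it would be worth one sentence under "Set permissions" noting that the ACE added by the script grants write access only, and that read access to the attribute should stay restricted.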