From afb44e928e89dbd9c0437d0ec9d574c7807b9ba6 Mon Sep 17 00:00:00 2001 From: TimShererWithAquent Date: Fri, 21 Aug 2020 12:15:26 -0700 Subject: [PATCH 01/16] Edit descriptions for SEO. --- .../hello-for-business/hello-hybrid-key-whfb-settings.md | 2 +- .../identity-protection/hello-for-business/hello-overview.md | 2 +- .../hello-for-business/hello-planning-guide.md | 2 +- .../identity-protection/hello-for-business/hello-videos.md | 2 +- .../hello-for-business/passwordless-strategy.md | 2 +- ...figure-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 2 +- windows/security/identity-protection/vpn/vpn-authentication.md | 2 +- .../identity-protection/vpn/vpn-auto-trigger-profile.md | 2 +- windows/security/identity-protection/vpn/vpn-guide.md | 2 +- windows/security/identity-protection/vpn/vpn-name-resolution.md | 2 +- windows/security/identity-protection/vpn/vpn-routing.md | 2 +- .../security/identity-protection/vpn/vpn-security-features.md | 2 +- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- ...security-monitoring-recommendations-for-many-audit-events.md | 2 +- .../auditing/audit-other-privilege-use-events.md | 2 +- .../threat-protection/auditing/basic-security-audit-policies.md | 2 +- windows/security/threat-protection/auditing/event-4608.md | 2 +- windows/security/threat-protection/auditing/event-4615.md | 2 +- windows/security/threat-protection/auditing/event-4616.md | 2 +- windows/security/threat-protection/auditing/event-4625.md | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index d8eb2ac3ed..9103431811 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md 
@@ -1,6 +1,6 @@ --- title: Configure Hybrid Windows Hello for Business key trust Settings -description: Configuring Windows Hello for Business settings in hybrid key trust deployment. +description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 6a70672f7a..5d10205e13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business Overview (Windows 10) ms.reviewer: An overview of Windows Hello for Business -description: An overview of Windows Hello for Business +description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index c3acaa98e3..3fff407e34 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -1,6 +1,6 @@ --- title: Planning a Windows Hello for Business Deployment -description: A guide to planning a Windows Hello for Business deployment +description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 00eddf6eee..c53586ff18 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business Videos -description: Windows Hello for Business Videos +description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10. keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 57238c3214..dd1b6b18e0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,6 +1,6 @@ --- title: Passwordless Strategy -description: Reducing Password Usage Surface +description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10. keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 ms.mktglfcycl: deploy 
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 22355b9383..6b9868b0f0 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,6 +1,6 @@ --- title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) -description: Explains how to secure VPN connections for Diffie Hellman Group 2 +description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 9f6f6fa2a5..3fe2c08d57 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -1,6 +1,6 @@ --- title: VPN authentication options (Windows 10) -description: tbd +description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 09ca26d20e..81d9364aea 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -1,6 +1,6 @@ --- title: VPN auto-triggered profile options (Windows 10) -description: tbd +description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index c72139b6db..cb543ad1cd 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -1,6 +1,6 @@ --- title: Windows 10 VPN technical guide (Windows 10) -description: Use this guide to configure VPN deployment for Windows 10. +description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index 5c277ef964..6ff26370e3 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -1,6 +1,6 @@ --- title: VPN name resolution (Windows 10) -description: tbd +description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index c8ce525e53..416bc57d04 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md 
@@ -1,6 +1,6 @@ --- title: VPN routing decisions (Windows 10) -description: tbd +description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 0ac0b47d38..d8f4768540 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -1,6 +1,6 @@ --- title: VPN security features (Windows 10) -description: tbd +description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 2314ea2eaf..9e07197ff8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -1,6 +1,6 @@ --- title: BitLocker Management Recommendations for Enterprises (Windows 10) -description: This topic explains recommendations for managing BitLocker. +description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index b062a6e72b..505da9bbb0 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -1,6 +1,6 @@ --- title: Appendix A, Security monitoring recommendations for many audit events (Windows 10) -description: Appendix A, Security monitoring recommendations for many audit events +description: Learn about recommendations for the type of monitoring required for certain classes of security audit events. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index f6d870f605..9adb4cfd74 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -1,6 +1,6 @@ --- title: Audit Other Privilege Use Events (Windows 10) -description: This security policy setting is not used. +description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S). ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 1e73acf50d..3856637432 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md 
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -1,6 +1,6 @@ --- title: Basic security audit policies (Windows 10) -description: Before you implement auditing, you must decide on an auditing policy. +description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization. ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 22a7d07d71..337ef1defe 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -1,6 +1,6 @@ --- title: 4608(S) Windows is starting up. (Windows 10) -description: Describes security event 4608(S) Windows is starting up. +description: Describes security event 4608(S) Windows is starting up. This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 9231f28b82..0490e0ae3e 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -1,6 +1,6 @@ --- title: 4615(S) Invalid use of LPC port. (Windows 10) -description: Describes security event 4615(S) Invalid use of LPC port. +description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 8681a67e8f..3f8ed0ecac 100644 
--- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -1,6 +1,6 @@ --- title: 4616(S) The system time was changed. (Windows 10) -description: Describes security event 4616(S) The system time was changed. +description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 08fcff8219..c345d192b5 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -1,6 +1,6 @@ --- title: 4625(F) An account failed to log on. (Windows 10) -description: Describes security event 4625(F) An account failed to log on. +description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy From eef195501e88c647152c4a2ee4b3828517fa2649 Mon Sep 17 00:00:00 2001 From: TimShererWithAquent Date: Mon, 24 Aug 2020 07:44:06 -0700 Subject: [PATCH 02/16] Additional fixes. --- windows/security/threat-protection/auditing/event-4608.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 337ef1defe..4fc5d6a6f8 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md 
@@ -1,6 +1,6 @@ --- title: 4608(S) Windows is starting up. (Windows 10) -description: Describes security event 4608(S) Windows is starting up. This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized. +description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy From 65914367ff0428ae6d0d442bfd8b74cda463ad08 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 14:51:16 -0700 Subject: [PATCH 03/16] Corrected heading and added necessary markup --- .../vpn/vpn-auto-trigger-profile.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 81d9364aea..6c9d93fb62 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -61,13 +61,14 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers. -Preserving user Always On preference +## Preserving user Always On preference -Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. -Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. -Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config -Value: AutoTriggerDisabledProfilesList -Type: REG_MULTI_SZ +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**. +Should a management tool remove or add the same profile name back and set **AlwaysOn** to **true**, Windows will not check the box if the profile name exists in the following registry value in order to preserve user preference. + +**Key:** HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
+**Value:** AutoTriggerDisabledProfilesList
+**Type:** REG_MULTI_SZ ## Trusted network detection From 677bf739bfc4d0d7aa0e606af2f116a4f6af1bd9 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 14:58:15 -0700 Subject: [PATCH 04/16] Added a blank line between paragraphs --- .../security/identity-protection/vpn/vpn-auto-trigger-profile.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 6c9d93fb62..29c8f5e474 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -64,6 +64,7 @@ When a device has multiple profiles with Always On triggers, the user can specif ## Preserving user Always On preference Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**. + Should a management tool remove or add the same profile name back and set **AlwaysOn** to **true**, Windows will not check the box if the profile name exists in the following registry value in order to preserve user preference. **Key:** HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
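Review bot: in the hello-hybrid-key-whfb-settings.md hunk of PATCH 01/16, the unchanged `keywords:` line still ends with `certificate-trust` although the file name, the title and the new description all describe the hybrid key trust deployment; since the front matter is being reworked for SEO anyway, change that token to `key-trust` so the keywords do not point searchers at the wrong trust model.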
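Review bot: in the hello-overview.md hunk of PATCH 01/16, the context line `ms.reviewer: An overview of Windows Hello for Business` carries the old description text in a field intended for a reviewer alias, so the stale description survives the rewrite. Clear the value (other files in this patch, such as audit-other-privilege-use-events.md and basic-security-audit-policies.md, leave `ms.reviewer:` empty) or replace it with the actual reviewer.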
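Review bot: in the passwordless-strategy.md hunk of PATCH 01/16, the new description spells it `password-less` while the title (`Passwordless Strategy`) and the `keywords:` line use `passwordless`; use a single spelling, preferably `passwordless`, because search matches on the exact token and the two forms index differently.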
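Review bot: in the vpn-name-resolution.md hunk of PATCH 01/16, the new description repeats "name resolution" within one sentence (`the name resolution setting in the VPN profile configures how name resolution works`); tighten it to something like `Learn how the name resolution setting in a VPN profile determines how names are resolved after a VPN client connects to a VPN server.`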
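Review bot: in the audit-other-privilege-use-events.md hunk of PATCH 01/16, the new description contradicts itself: a subcategory `that should not have any events in it but enables generation of event 4985(S)`. The removed text said only that the setting is not used, so confirm against the article body whether 4985(S) really belongs to this subcategory and reword so the two halves agree (for example, state that the subcategory is not used and, if the body lists 4985(S), name it as the one event documented there). Also match the title's capitalization, `Audit Other Privilege Use Events`, rather than `the audit other privilege use events`.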
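Review bot: in the event-4616.md hunk of PATCH 01/16, `This event is generated every time system time is changed` is missing an article; write `every time the system time is changed`, which also matches the title `The system time was changed`.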
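Review bot: in the event-4625.md hunk of PATCH 01/16, the new description narrows the event to `a locked out account`, but the status-code table later in the same file (PATCH 07/16, hunk at `@@ -151`) lists many other failure reasons, such as a bad password, an expired password, a disabled account or logon outside authorized hours, that also produce 4625(F). Consider `This event is generated when a logon attempt fails, for example for a locked-out account.`, and hyphenate `locked-out` when it is used as an adjective.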
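Review bot: in the vpn-auto-trigger-profile.md hunk of PATCH 03/16, the new paragraph refers to a “Connect automatically” checkbox while the unchanged context line just above calls the control the **Let apps automatically use this VPN connection** checkbox; confirm which label the Settings page actually shows and use the same bolded string in both places, since an administrator following this text will look for it by name. Two smaller points in the same hunk: the heading says `Always On` but the first sentence says `AlwaysOn preference` (keep **AlwaysOn** for the profile setting and `Always On` in prose), and `remove or add the same profile name back` should read `remove and re-add the same profile name`.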
From 0ddcce4d4c8df63abe43a925a8ea25547e286ebc Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:00:34 -0700 Subject: [PATCH 05/16] Applied [!NOTE] style and code block type --- windows/security/threat-protection/auditing/event-4608.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 4fc5d6a6f8..1403c1517c 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -30,12 +30,13 @@ This event is logged when LSASS.EXE process starts and the auditing subsystem is It typically generates during operating system startup process. -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. +> [!NOTE] +> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:*** -``` +```xml - - From 0a230c8f7c2a54a89d00f7bc74e5f9cd920c698b Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:03:38 -0700 Subject: [PATCH 06/16] Applied note styles and code block type --- .../security/threat-protection/auditing/event-4616.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 3f8ed0ecac..55900a59c2 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -32,12 +32,13 @@ This event is always logged regardless of the "Audit Security State Change" sub- You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions. -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. +> [!NOTE] +> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:*** -``` +```xml - - 
@@ -87,7 +88,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L - **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). +> [!NOTE] +> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation. @@ -161,7 +163,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L For 4616(S): The system time was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). +> [!IMPORTANT] +> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service. From 9e30dd929594d317fd7d91f3e0fdd2d4a919a252 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:16:52 -0700 Subject: [PATCH 07/16] Applied note styles, indented table in list item, appllied type to code block --- .../threat-protection/auditing/event-4625.md | 69 ++++++++++--------- 1 file changed, 37 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index c345d192b5..c74bb341be 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -32,12 +32,13 @@ It generates on the computer where logon attempt was made, for example, if logon This event generates on domain controllers, member servers, and workstations. -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. +> [!NOTE] +> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:*** -``` +```xml - - 
@@ -93,7 +94,8 @@ This event generates on domain controllers, member servers, and workstations. - **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). +> [!NOTE] +> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure. 
@@ -129,7 +131,8 @@ This event generates on domain controllers, member servers, and workstations. - **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). +> [!NOTE] +> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt. 
@@ -151,35 +154,36 @@ This event generates on domain controllers, member servers, and workstations. - **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value. -- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in “Table 12. Windows logon status codes.” +- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes. -| Status\\Sub-Status Code | Description | -|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0XC000005E | There are currently no logon servers available to service the logon request. | -| 0xC0000064 | User logon with misspelled or bad user account | -| 0xC000006A | User logon with misspelled or bad password | -| 0XC000006D | This is either due to a bad username or authentication information | -| 0XC000006E | Unknown user name or bad password. | -| 0xC000006F | User logon outside authorized hours | -| 0xC0000070 | User logon from unauthorized workstation | -| 0xC0000071 | User logon with expired password | -| 0xC0000072 | User logon to account disabled by administrator | -| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. | -| 0XC0000133 | Clocks between DC and other computer too far out of sync | -| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine | -| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. 
| -| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. | -| 0xC0000193 | User logon with expired account | -| 0XC0000224 | User is required to change password at next logon | -| 0XC0000225 | Evidently a bug in Windows and not a risk | -| 0xC0000234 | User logon with account locked | -| 0XC00002EE | Failure Reason: An Error occurred during Logon | -| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. | -| 0x0 | Status OK. | + **Table 12: Windows logon status codes.** -> Table: Windows logon status codes. -> -> **Note**  To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK. + | Status\\Sub-Status Code | Description | + |-------------------------|------------------------------------------------------------------------------------------------------| + | 0XC000005E | There are currently no logon servers available to service the logon request. | + | 0xC0000064 | User logon with misspelled or bad user account | + | 0xC000006A | User logon with misspelled or bad password | + | 0XC000006D | This is either due to a bad username or authentication information | + | 0XC000006E | Unknown user name or bad password. | + | 0xC000006F | User logon outside authorized hours | + | 0xC0000070 | User logon from unauthorized workstation | + | 0xC0000071 | User logon with expired password | + | 0xC0000072 | User logon to account disabled by administrator | + | 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. 
| + | 0XC0000133 | Clocks between DC and other computer too far out of sync | + | 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine | + | 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. | + | 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. | + | 0xC0000193 | User logon with expired account | + | 0XC0000224 | User is required to change password at next logon | + | 0XC0000225 | Evidently a bug in Windows and not a risk | + | 0xC0000234 | User logon with account locked | + | 0XC00002EE | Failure Reason: An Error occurred during Logon | + | 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. | + | 0x0 | Status OK. | + +> [!NOTE] +> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK. More information: @@ -241,7 +245,8 @@ More information: For 4625(F): An account failed to log on. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). +> [!IMPORTANT] +> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. From 7eee073fe84ca2e9ef70d35bacbb392eee5aff39 Mon Sep 17 00:00:00 2001 
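Review bot: in the re-indented Table 12 (hunk at -151,35), the row `| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |` carries a stray bold span inside the word; it was copied unchanged from the removed rows and renders as "N" followed by bold "etlogon", so change it to `Netlogon` while these rows are being rewritten. In the same column the codes mix the prefixes `0XC` and `0xC` (`0XC000005E` next to `0xC0000064`); pick one form, preferably lowercase `0x`, so the values match what a reader copies out of an event and searches for. The sentence above the table now reads "listed in Table 12. Windows logon status codes." while the new caption is "**Table 12: Windows logon status codes.**"; use the same punctuation in both. The note under the table should say "Windows header file ntstatus.h", not "Window header file".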
From: Gary Moore Date: Wed, 26 Aug 2020 15:21:22 -0700 Subject: [PATCH 08/16] Added line breaks to make text follow the first image Before this, text ran down the right side of the image, narrowly. --- windows/security/threat-protection/auditing/event-4608.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 1403c1517c..1905a2e516 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4608 illustration +Event 4608 illustration

***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) From bb8c5d8d46bad8b97c9654ee7b56568fb98e4e0f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:24:08 -0700 Subject: [PATCH 09/16] Added line breaks after image to cause text to follow Before this, text ran down the right side of the image, narrowly. --- windows/security/threat-protection/auditing/event-4616.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 55900a59c2..45dd88d4c2 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4616 illustration +Event 4616 illustration

***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) From 49158fb3c5f81c431cf85c3c1757d1fb1e8341e0 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:25:11 -0700 Subject: [PATCH 10/16] Added line breaks after the image This prevents text from running down the right side in a narrow column and note boxes from overlaying the image. --- windows/security/threat-protection/auditing/event-4625.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index c74bb341be..0883373134 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4625 illustration +Event 4625 illustration

***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md) From b335d4a6d77c9cba7e20027575e226695abe383e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:39:08 -0700 Subject: [PATCH 11/16] Changing text wrap on image --- windows/security/threat-protection/auditing/event-4625.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 0883373134..6a4b2c5844 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4625 illustration

+Event 4625 illustration ***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md) From e28be36ffef227a5f4daf8d8996343348ab28d1b Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:43:44 -0700 Subject: [PATCH 12/16] Changed text wrap on image --- windows/security/threat-protection/auditing/event-4608.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 1905a2e516..5f0730407d 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4608 illustration

+Event 4608 illustration ***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) From 0099a85d81c5b24124062d83a23c08c7f046da37 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:44:26 -0700 Subject: [PATCH 13/16] Changed text wrap on image --- windows/security/threat-protection/auditing/event-4616.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 45dd88d4c2..eaa93363e3 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4616 illustration

+Event 4616 illustration ***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) From 6d3a4aecb58905dc0caee14ad5e1b2b293a77f2d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 15:55:48 -0700 Subject: [PATCH 14/16] Indented tables and a note, restored lost bullet --- .../threat-protection/auditing/event-4625.md | 60 ++++++++++--------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 6a4b2c5844..d3eb7d0dc6 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md 
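Review bot: this hunk (event-4616.md, -20,7 +20,7) is the third time in six commits that the same illustration line is rewritten. Patches 08, 09 and 10 add line breaks after the images in event-4608.md, event-4616.md and event-4625.md, and patches 11, 12 and 13 ("Changing text wrap on image") touch exactly those lines again; in the extracted diffs the removed and the added line both read `Event 4616 illustration`, so the net effect of each pair cannot be reviewed from the text. Squash 08+12, 09+13 and 10+11 into one commit per file and confirm in the rendered page that the ***Subcategory:*** line starts below the image rather than beside it, which is the problem the commit messages describe.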
@@ -111,28 +111,30 @@ This event generates on domain controllers, member servers, and workstations. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. -**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. +- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. -| Logon Type | Logon Title | Description | -|-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 2 | Interactive | A user logged on to this computer. | -| 3 | Network | A user or computer logged on to this computer from the network. | -| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | -| 5 | Service | A service was started by the Service Control Manager. | -| 7 | Unlock | This workstation was unlocked. | -| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | -| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. 
| -| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | -| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | -> Table: Windows Logon Types + **Table 11: Windows Logon Types** + + | Logon Type | Logon Title | Description | + |-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | 2 | Interactive | A user logged on to this computer. | + | 3 | Network | A user or computer logged on to this computer from the network. | + | 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | + | 5 | Service | A service was started by the Service Control Manager. | + | 7 | Unlock | This workstation was unlocked. | + | 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | + | 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | + | 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. 
| + | 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | + **Account For Which Logon Failed:** - **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> [!NOTE] -> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > [!NOTE] + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. 
For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt. @@ -191,7 +193,7 @@ More information: **Process Information:** -- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): +- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

Task manager illustration @@ -282,17 +284,17 @@ For 4625(F): An account failed to log on. - Monitor for all events with the fields and values in the following table: -| **Field** | Value to monitor for | -|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | -| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | + | **Field** | Value to monitor for | + |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | From 054c6835ad2c55f7e45a69f168afd306525396d9 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 16:07:32 -0700 Subject: [PATCH 15/16] Indented a note in a list item --- windows/security/threat-protection/auditing/event-4616.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index eaa93363e3..3f700f0719 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md 
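Review bot: in the first hunk (-111,28) the restored bullet still cites the table in quotes with a period, `“Table 11. Windows Logon Types” contains the list of possible values for this field.`, while the new caption two lines below is `**Table 11: Windows Logon Types**`; the earlier event-4625.md patch already dropped the quotes for Table 12, so do the same here and use the colon form. In the third hunk (-282,17) every Field cell of the monitoring table is split across two lines (`**Failure Information\\Status** or` followed by `**Failure Information\\Sub Status**`), and a Markdown table row cannot span lines: if the break is an explicit `<br>` the cell is fine, otherwise the second line becomes a broken row, so check the rendered table after the re-indent. The same table keeps `0XC000005E` beside `0xC0000064`; normalize the prefix as for Table 12 so the codes can be matched against the status table by a case-sensitive search.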
@@ -88,8 +88,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L - **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> [!NOTE] -> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > [!NOTE] + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation. From 8c1e4d2baa880e269ac8a7013709504c69a496ad Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 26 Aug 2020 16:08:27 -0700 Subject: [PATCH 16/16] Indented a note in a list item --- windows/security/threat-protection/auditing/event-4625.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index d3eb7d0dc6..84cf52d450 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md 
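Review bot: with this indent (hunk at -88,8), event-4616.md and event-4625.md now carry the SID note word for word (event-4625.md twice, under both Security ID bullets), so any later wording change has to be made in three places; if the doc toolchain supports a shared include, this note is a candidate for one, and if not, call out the duplication in the PR description so the copies are kept in step.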
@@ -94,8 +94,8 @@ This event generates on domain controllers, member servers, and workstations. - **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> [!NOTE] -> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > [!NOTE] + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
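Review bot: this hunk (-94,8) makes the same one-line indent change in event-4625.md that patch 14 already made to the other SID note in the same file (its hunk at -111) and that patch 15 makes in event-4616.md; three commits for an identical two-space indent is more history than the change needs, so squash 15 and 16 into 14. The indent itself is correct: two spaces aligns the `> [!NOTE]` block with the content of the `- **Security ID**` bullet above it, so the note renders inside the list item instead of closing the list.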