mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
Acrolinx Enhancement Effort
This commit is contained in:
Siddarth Mandalika
@ -29,11 +29,11 @@ ms.technology: windows-sec
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
|
||||
|
||||
After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
|
||||
After enabling you understand how to design and deploy your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they aren't behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature.
|
||||
|
||||
## WDAC Events Overview
|
||||
|
||||
Windows Defender Application Control generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
|
||||
Windows Defender Application Control generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC doesn't generate events when a binary is allowed; however, there's the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
|
||||
|
||||
WDAC events are generated under two locations:
|
||||
|
||||
|
||||
@ -36,7 +36,7 @@ In most organizations, information is the most valuable asset, and ensuring that
|
||||
|
||||
Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
|
||||
|
||||
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
|
||||
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
|
||||
|
||||
> [!NOTE]
|
||||
> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
|
||||
|
||||
@ -28,11 +28,11 @@ The **App and browser control** section contains information and settings for Wi
|
||||
|
||||
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).
|
||||
|
||||
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
You can also choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
## Prevent users from making changes to the Exploit protection area in the App & browser control section
|
||||
|
||||
You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those for Windows Defender SmartScreen, unless those options have been configured separately.
|
||||
You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those settings for Windows Defender SmartScreen, unless those options have been configured separately.
|
||||
|
||||
You can only prevent users from modifying Exploit protection settings by using Group Policy.
|
||||
|
||||
@ -51,9 +51,9 @@ You can only prevent users from modifying Exploit protection settings by using G
|
||||
|
||||
## Hide the App & browser control section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
@ -25,19 +25,19 @@ ms.technology: windows-sec
|
||||
- Windows 11
|
||||
|
||||
|
||||
The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
|
||||
The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
|
||||
|
||||
The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
|
||||
|
||||
|
||||
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
|
||||
## Hide the Device performance & health section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
@ -46,7 +46,7 @@ This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Device performance and health**.
|
||||
|
||||
|
||||
@ -25,18 +25,18 @@ ms.technology: windows-sec
|
||||
|
||||
The **Device security** section contains information and settings for built-in device security.
|
||||
|
||||
You can choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
You can choose to hide the section from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
## Hide the Device security section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
|
||||
@ -57,7 +57,7 @@ If you don't want users to be able to click the **Clear TPM** button in the Wind
|
||||
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
|
||||
@ -70,7 +70,7 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
|
||||
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
|
||||
2. In **Group Policy Management Editor**, go to **Computer configuration** and then select **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Family options in the Windows Security app
|
||||
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options are not intended for business environments.
|
||||
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
|
||||
keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
@ -24,18 +24,18 @@ ms.technology: windows-sec
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments.
|
||||
The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
|
||||
|
||||
Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
|
||||
|
||||
In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to this section.
|
||||
In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
|
||||
|
||||
|
||||
## Hide the Family options section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
@ -44,7 +44,7 @@ This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Family options**.
|
||||
|
||||
|
||||
@ -30,9 +30,9 @@ In Windows 10, version 1709 and later, the section can be hidden from users of t
|
||||
|
||||
## Hide the Firewall & network protection section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
@ -41,7 +41,7 @@ This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
|
||||
|
||||
|
||||
@ -23,7 +23,7 @@ ms.technology: windows-sec
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
|
||||
The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
|
||||
|
||||
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
|
||||
|
||||
@ -40,9 +40,9 @@ You can only use Group Policy to change these settings.
|
||||
|
||||
## Use Group Policy to hide non-critical notifications
|
||||
|
||||
You can hide notifications that describe regular events related to the health and security of the machine. These are notifications that do not require an action from the machine's user. It can be useful to hide these notifications if you find they are too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Endpoint Configuration Manager reporting).
|
||||
You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Endpoint Configuration Manager reporting).
|
||||
|
||||
This can only be done in Group Policy.
|
||||
These notifications can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>
|
||||
@ -52,9 +52,9 @@ This can only be done in Group Policy.
|
||||
|
||||
2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**
|
||||
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**
|
||||
|
||||
6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
@ -63,9 +63,9 @@ This can only be done in Group Policy.
|
||||
|
||||
## Use Group Policy to hide all notifications
|
||||
|
||||
You can hide all notifications that are sourced from the Windows Security app. This may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.
|
||||
You can hide all notifications that are sourced from the Windows Security app. This option may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
These notifications can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>
|
||||
@ -73,9 +73,9 @@ This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below the path would be **Windows components > Windows Defender Security Center > Notifications**.
|
||||
5. Expand the tree to **Windows components > Windows Security > Notifications**. For Windows 10 version 1803 and below, the path would be **Windows components > Windows Defender Security Center > Notifications**.
|
||||
|
||||
> [!NOTE]
|
||||
> For Windows 10 version 2004 and above the path would be **Windows components > Windows Security > Notifications**.
|
||||
@ -104,16 +104,16 @@ This can only be done in Group Policy.
|
||||
| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification|
|
||||
| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification|
|
||||
| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
|
||||
| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |Virus & threat protection notification|
|
||||
| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification|
|
||||
| OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |Virus & threat protection notification|
|
||||
| Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |Virus & threat protection notification|
|
||||
| Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |Virus & threat protection notification|
|
||||
| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |Virus & threat protection notification|
|
||||
| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |Virus & threat protection notification|
|
||||
| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus didn't find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |Virus & threat protection notification|
|
||||
| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus didn't find any threats since your last summary. | RECAP_NO_THREATS | No |Virus & threat protection notification|
|
||||
| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification|
|
||||
| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification|
|
||||
| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification|
|
||||
@ -122,7 +122,7 @@ This can only be done in Group Policy.
|
||||
| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification|
|
||||
| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| Ransomware specific detection | Microsoft Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |Virus & threat protection notification|
|
||||
| Ransomware specific detection | Microsoft Defender Antivirus has detected threats, which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |Virus & threat protection notification|
|
||||
| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |Firewall and network protection notification|
|
||||
| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification|
|
||||
| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |Firewall and network protection notification|
|
||||
|
||||
@ -24,7 +24,7 @@ ms.technology: windows-sec
|
||||
|
||||
The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
|
||||
|
||||
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in case of a ransomware attack.
|
||||
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. These settings include Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions if there's a ransomware attack.
|
||||
|
||||
IT administrators and IT pros can get more configuration information from these articles:
|
||||
|
||||
@ -35,14 +35,14 @@ IT administrators and IT pros can get more configuration information from these
|
||||
- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
|
||||
- [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
|
||||
|
||||
You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
|
||||
You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
|
||||
|
||||
|
||||
## Hide the Virus & threat protection section
|
||||
|
||||
You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
|
||||
You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
This section can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
@ -51,7 +51,7 @@ This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
|
||||
|
||||
@ -66,9 +66,9 @@ This can only be done in Group Policy.
|
||||
|
||||
## Hide the Ransomware protection area
|
||||
|
||||
You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Security app.
|
||||
You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
This area can be hidden only by using Group Policy.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>### Requirements
|
||||
@ -77,7 +77,7 @@ This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
3. In **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**.
|
||||
|
||||
|
||||
@ -29,11 +29,11 @@ ms.technology: windows-sec
|
||||
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
|
||||
|
||||
**Caution**
|
||||
For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode.
|
||||
For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode.
|
||||
|
||||
|
||||
|
||||
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
|
||||
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
|
||||
|
||||
Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
|
||||
|
||||
@ -67,7 +67,7 @@ After a computer is a member of the group, you can force a Group Policy refresh
|
||||
|
||||
## To refresh Group Policy on a device
|
||||
|
||||
From an elevated command prompt, type the following:
|
||||
From an elevated command prompt, type the following command:
|
||||
|
||||
``` syntax
|
||||
gpupdate /target:computer /force
|
||||
@ -77,7 +77,7 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to
|
||||
|
||||
## To see which GPOs are applied to a device
|
||||
|
||||
From an elevated command prompt, type the following:
|
||||
From an elevated command prompt, type the following command:
|
||||
|
||||
``` syntax
|
||||
gpresult /r /scope:computer
|
||||
|
||||
@ -25,9 +25,9 @@ ms.technology: windows-sec
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
|
||||
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device.
|
||||
|
||||
Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive.
|
||||
Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it's supposed to receive.
|
||||
|
||||
**Administrative credentials**
|
||||
|
||||
@ -53,7 +53,7 @@ In this topic:
|
||||
|
||||
5. Type the name of the device in the text box, and then click **OK**.
|
||||
|
||||
6. Repeat steps 5 and 6 for each additional device account or group that you want to add.
|
||||
6. Repeat steps 5 and 6 for each extra device account or group that you want to add.
|
||||
|
||||
7. Click **OK** to close the group properties dialog box.
|
||||
|
||||
@ -61,7 +61,7 @@ After a device is a member of the group, you can force a Group Policy refresh on
|
||||
|
||||
## To refresh Group Policy on a device
|
||||
|
||||
From a elevated command prompt, run the following:
|
||||
From an elevated command prompt, run the following command:
|
||||
|
||||
``` syntax
|
||||
gpupdate /target:device /force
|
||||
@ -71,7 +71,7 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to
|
||||
|
||||
## To see which GPOs are applied to a device
|
||||
|
||||
From an elevated command prompt, run the following:
|
||||
From an elevated command prompt, run the following command:
|
||||
|
||||
``` syntax
|
||||
gpresult /r /scope:computer
|
||||
|
||||
@ -24,13 +24,13 @@ ms.technology: windows-sec
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
|
||||
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization.
|
||||
|
||||
The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped.
|
||||
The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that doesn't match the rules is dropped.
|
||||
|
||||
Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted.
|
||||
|
||||
Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
|
||||
Many network administrators don't want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs don't require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
|
||||
|
||||
- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
|
||||
|
||||
@ -42,7 +42,7 @@ Many network administrators do not want to tackle the difficult task of determin
|
||||
|
||||
For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
|
||||
|
||||
With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
|
||||
With a few exceptions, the firewall can be enabled on all configurations. Therefore, we recommend that you enable the firewall on every device in your organization. The term "device" includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
|
||||
|
||||
> [!CAUTION]
|
||||
> Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
|
||||
@ -51,11 +51,11 @@ By default, in new installations, Windows Defender Firewall with Advanced Securi
|
||||
|
||||
If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
|
||||
|
||||
Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.
|
||||
Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.
|
||||
|
||||
An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation.
|
||||
|
||||
After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
|
||||
After implementing this design, you'll have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
|
||||
|
||||
@ -43,7 +43,7 @@ When you open the Windows Defender Firewall for the first time, you can see the
|
||||
|
||||
*Figure 1: Windows Defender Firewall*
|
||||
|
||||
1. **Domain profile**: Used for networks where there is a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC
|
||||
1. **Domain profile**: Used for networks where there's a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC
|
||||
|
||||
2. **Private profile**: Designed for and best used
|
||||
in private networks such as a home network
|
||||
@ -69,7 +69,7 @@ For more on configuring basic firewall settings, see [Turn on Windows Firewall a
|
||||
|
||||
In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.
|
||||
|
||||
This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
|
||||
This rule-adding task can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
|
||||
|
||||
|
||||
|
||||
@ -89,11 +89,11 @@ allowing these inbound exceptions.
|
||||
|
||||
2. Explicit block rules will take precedence over any conflicting allow rules.
|
||||
|
||||
3. More specific rules will take precedence over less specific rules, except in the case of explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 includes an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
|
||||
3. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
|
||||
|
||||
Because of 1 and 2, it is important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
|
||||
Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
|
||||
|
||||
A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
|
||||
A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.
|
||||
@ -102,13 +102,13 @@ A general security best practice when creating inbound rules is to be as specifi
|
||||
|
||||
### Inbound allow rules
|
||||
|
||||
When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there is a default block action in Windows Defender Firewall, it is necessary to create inbound exception rules to allow this traffic. It is common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule.
|
||||
When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Defender Firewall, it's necessary to create inbound exception rules to allow this traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule.
|
||||
|
||||
If there are no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network.
|
||||
If there's no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network.
|
||||
|
||||
- If the user has admin permissions, they will be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic.
|
||||
- If the user has admin permissions, they'll be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic.
|
||||
|
||||
- If the user is not a local admin, they will not be prompted. In most cases, block rules will be created.
|
||||
- If the user isn't a local admin, they won't be prompted. In most cases, block rules will be created.
|
||||
|
||||
In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked.
|
||||
|
||||
@ -118,11 +118,11 @@ In either of the scenarios above, once these rules are added they must be delete
|
||||
|
||||
### Known issues with automatic rule creation
|
||||
|
||||
When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.
|
||||
When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.
|
||||
|
||||
The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues.
|
||||
The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues.
|
||||
|
||||
To determine why some applications are blocked from communicating in the network, check for the following:
|
||||
To determine why some applications are blocked from communicating in the network, check for the following instances:
|
||||
|
||||
1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.
|
||||
|
||||
@ -148,7 +148,7 @@ Firewall rules can be deployed:
|
||||
|
||||
Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.
|
||||
|
||||
The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy.
|
||||
The rule-merging settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from Group Policy.
|
||||
|
||||
|
||||
|
||||
@ -160,12 +160,12 @@ equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under e
|
||||
|
||||
If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
|
||||
|
||||
Admins may disable *LocalPolicyMerge* in high security environments to maintain tighter control over endpoints. This can impact some apps and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device
|
||||
Administrators may disable *LocalPolicyMerge* in high-security environments to maintain tighter control over endpoints. This setting can impact some applications and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device
|
||||
Management (MDM), or both (for hybrid or co-management environments).
|
||||
|
||||
[Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging.
|
||||
|
||||
As a best practice, it is important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
|
||||
As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
|
||||
|
||||
In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes.
|
||||
|
||||
@ -177,7 +177,7 @@ supported in application rules. We currently only support rules created using th
|
||||
|
||||
## Know how to use "shields up" mode for active attacks
|
||||
|
||||
An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It is an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
|
||||
An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
|
||||
|
||||
Shields up can be achieved by checking **Block all
|
||||
incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*.
|
||||
@ -190,9 +190,9 @@ incoming connections, including those in the list of allowed apps** setting foun
|
||||
|
||||
*Figure 7: Legacy firewall.cpl*
|
||||
|
||||
By default, the Windows Defender Firewall will block everything unless there is an exception rule created. This setting overrides the exceptions.
|
||||
By default, the Windows Defender Firewall will block everything unless there's an exception rule created. This setting overrides the exceptions.
|
||||
|
||||
For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access will not work as long as shields up is activated.
|
||||
For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated.
|
||||
|
||||
Once the emergency is over, uncheck the setting to restore regular network traffic.
|
||||
|
||||
@ -203,7 +203,7 @@ What follows are a few general guidelines for configuring outbound rules.
|
||||
- The default configuration of Blocked for Outbound rules can be
|
||||
considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default.
|
||||
|
||||
- It is recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use.
|
||||
- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use.
|
||||
|
||||
- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments).
|
||||
|
||||
|
||||
@ -29,9 +29,9 @@ All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary
|
||||
|
||||
>**Note:** If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
|
||||
|
||||
This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone.
|
||||
This recommendation means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone.
|
||||
|
||||
The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows.
|
||||
The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices aren't expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows.
|
||||
|
||||
In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed.
|
||||
|
||||
|
||||
@ -31,20 +31,20 @@ Devices in the boundary zone are trusted devices that can accept communication r
|
||||
|
||||
The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it.
|
||||
|
||||
These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision.
|
||||
These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the extra risk. The following illustration shows a sample process that can help make such a decision.
|
||||
|
||||
|
||||
|
||||
The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied.
|
||||
The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk can't be mitigated, membership must be denied.
|
||||
|
||||
You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
|
||||
You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically similar to those settings and rules for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
|
||||
|
||||
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group.
|
||||
|
||||
## GPO settings for boundary zone servers running at least Windows Server 2008
|
||||
|
||||
|
||||
The boundary zone GPO for devices running at least Windows Server 2008 should include the following:
|
||||
The boundary zone GPO for devices running at least Windows Server 2008 should include the following components:
|
||||
|
||||
- IPsec default settings that specify the following options:
|
||||
|
||||
|
||||
@ -27,13 +27,13 @@ ms.technology: windows-sec
|
||||
|
||||
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
|
||||
|
||||
One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the devices that receive this information.
|
||||
One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it's considered unsolicited inbound traffic to the devices that receive this information.
|
||||
|
||||
## Design requirements
|
||||
|
||||
One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it cannot authenticate.
|
||||
One possible solution to this design example is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it can't authenticate.
|
||||
|
||||
A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed.
|
||||
A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it can't join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically protected documents, encrypted in such a way that their origin can be positively confirmed.
|
||||
|
||||
In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server.
|
||||
|
||||
@ -51,11 +51,11 @@ The non-Windows device can be effectively made a member of the boundary zone or
|
||||
|
||||
Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization.
|
||||
|
||||
The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules.
|
||||
The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This certificate-based authoring doesn't require including new rules, just adding certificate-based authentication as an option to the existing rules.
|
||||
|
||||
When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because the majority of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type.
|
||||
When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because most of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type.
|
||||
|
||||
By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member.
|
||||
With the help of the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member.
|
||||
|
||||
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
|
||||
|
||||
|
||||
@ -27,13 +27,13 @@ ms.technology: windows-sec
|
||||
|
||||
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
|
||||
|
||||
Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices cannot join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol.
|
||||
Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices can't join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows can't join a domain for various reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol.
|
||||
|
||||
To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that do not run Windows.
|
||||
To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that don't run Windows.
|
||||
|
||||
The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain.
|
||||
|
||||
For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but are not part of the Active Directory domain. For other devices, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner.
|
||||
For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but aren't part of the Active Directory domain. For other devices, you'll have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner.
|
||||
|
||||
For more info about this design:
|
||||
|
||||
|
||||
Reference in New Issue
Block a user