From 3032b04c2567878417e4890ae7260557a0a4d1a5 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 22 Nov 2022 14:28:02 -0500 Subject: [PATCH 01/11] updates --- windows/security/docfx.json | 8 +- .../access-control/access-control.md | 104 +++---- .../access-control/local-accounts.md | 253 +++++++----------- .../additional-mitigations.md | 13 +- .../credential-guard-considerations.md | 16 +- .../credential-guard-how-it-works.md | 16 +- .../credential-guard-known-issues.md | 16 +- .../credential-guard-manage.md | 19 +- ...redential-guard-not-protected-scenarios.md | 17 +- .../credential-guard-protection-limits.md | 45 ++-- .../credential-guard-requirements.md | 22 +- .../credential-guard-scripts.md | 33 +-- .../credential-guard/credential-guard.md | 21 +- .../credential-guard/dg-readiness-tool.md | 20 +- 14 files changed, 210 insertions(+), 393 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index b923e0d70f..bb2804df03 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -65,13 +65,15 @@ }, "fileMetadata": { "author":{ - "/identity-protection/hello-for-business/*.md": "paolomatarazzo" + "identity-protection/**/*.md": "paolomatarazzo" }, "ms.author":{ - "/identity-protection/hello-for-business/*.md": "paoloma" + "identity-protection/**/*.md": "paoloma" }, "ms.reviewer":{ - "/identity-protection/hello-for-business/*.md": "erikdau" + "identity-protection/hello-for-business/*.md": "erikdau", + "identity-protection/credential-guard/*.md": "zwhittington", + "identity-protection/access-control/*.md": "sulahiri" } }, "template": [], diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index f900a31aa3..deea4c3766 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -1,19 +1,12 @@ --- -title: Access Control Overview (Windows 10) -description: Access Control Overview +title: Access Control Overview +description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: sulahiri -manager: aaroncz -ms.collection: - - M365-identity-device-management ms.topic: article -ms.localizationpriority: medium -ms.date: 07/18/2017 +ms.date: 11/22/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- @@ -21,89 +14,66 @@ ms.technology: itpro-security This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. -## Feature description - +## Feature description Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource. -Shared resources are available to users and groups other than the resource’s owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it. +Shared resources are available to users and groups other than the resource's owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it. Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways: -- Deny access to unauthorized users and groups - -- Set well-defined limits on the access that is provided to authorized users and groups +- Deny access to unauthorized users and groups +- Set well-defined limits on the access that is provided to authorized users and groups Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management. This content set contains: -- [Dynamic Access Control Overview](dynamic-access-control.md) - -- [Security identifiers](security-identifiers.md) - -- [Security Principals](security-principals.md) - - - [Local Accounts](local-accounts.md) - - - [Active Directory Accounts](active-directory-accounts.md) - - - [Microsoft Accounts](microsoft-accounts.md) - - - [Service Accounts](service-accounts.md) - - - [Active Directory Security Groups](active-directory-security-groups.md) - -## Practical applications +- [Dynamic Access Control Overview](dynamic-access-control.md) +- [Security identifiers](security-identifiers.md) +- [Security Principals](security-principals.md) + - [Local Accounts](local-accounts.md) + - [Active Directory Accounts](active-directory-accounts.md) + - [Microsoft Accounts](microsoft-accounts.md) + - [Service Accounts](service-accounts.md) + - [Active Directory Security Groups](active-directory-security-groups.md) +## Practical applications Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security: -- Protect a greater number and variety of network resources from misuse. - -- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. - -- Enable users to access resources from a variety of devices in numerous locations. - -- Update users’ ability to access resources on a regular basis as an organization’s policies change or as users’ jobs change. - -- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones). - -- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs. +- Protect a greater number and variety of network resources from misuse. +- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. +- Enable users to access resources from a variety of devices in numerous locations. +- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change. +- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones). +- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs. ## Permissions - Permissions define the type of access that is granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat. By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object. For any object, you can grant permissions to: -- Groups, users, and other objects with security identifiers in the domain. - -- Groups and users in that domain and any trusted domains. - -- Local groups and users on the computer where the object resides. +- Groups, users, and other objects with security identifiers in the domain. +- Groups and users in that domain and any trusted domains. +- Local groups and users on the computer where the object resides. The permissions attached to an object depend on the type of object. For example, the permissions that can be attached to a file are different from those that can be attached to a registry key. Some permissions, however, are common to most types of objects. These common permissions are: -- Read - -- Modify - -- Change owner - -- Delete +- Read +- Modify +- Change owner +- Delete When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print. When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)). -**Note**   -Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)). - - +> [!NOTE] +> Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)). ### Ownership of objects @@ -115,7 +85,6 @@ Inheritance allows administrators to easily assign and manage permissions. This ## User rights - User rights grant specific privileges and sign-in rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**. @@ -124,15 +93,10 @@ For more information about user rights, see [User Rights Assignment](/windows/de ## Object auditing - With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer. For more information about auditing, see [Security Auditing Overview](../../threat-protection/auditing/security-auditing-overview.md). ## See also -- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)). - - - - +- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)). diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 6d48d39a9a..7fa46f2d3f 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -1,71 +1,35 @@ --- -title: Local Accounts (Windows 10) +title: Local Accounts description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: sulahiri -manager: aaroncz +ms.date: 22/11/2022 ms.collection: - - M365-identity-device-management - highpri ms.topic: article -ms.localizationpriority: medium -ms.date: 06/17/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- # Local Accounts -This reference article for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. +This article describes the default local user accounts for Windows operating systems, and how to manage the built-in accounts on a member or standalone workstation/server. -## About local user accounts +## About local user accounts -Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. +Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. -This article describes the following: +## Default local user accounts -- [Default local user accounts](#sec-default-accounts) +The *default local user accounts* are built-in accounts that are created automatically when the operating system is installed. The default local user accounts can't be removed or deleted and don't provide access to network resources. - - [Administrator account](#sec-administrator) +Default local user accounts are used to manage access to the local device's resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the *Users* folder. The Users folder is located in the Local Users and Groups folder in the local *Computer Management* Microsoft Management Console (MMC). *Computer Management* is a collection of administrative tools that you can use to manage a single local or remote device. - - [Guest Account](#sec-guest) +Default local user accounts are described in the following sections. Expand each section for more information. - - [HelpAssistant account (installed by using a Remote Assistance session)](#sec-helpassistant) - - - [DefaultAccount](#defaultaccount) - -- [Default local system accounts](#sec-localsystem) - -- [How to manage local accounts](#sec-manage-accounts) - - - [Restrict and protect local accounts with administrative rights](#sec-restrict-protect-accounts) - - - [Enforce local account restrictions for remote access](#sec-enforce-account-restrictions) - - - [Deny network logon to all local Administrator accounts](#sec-deny-network-logon) - - - [Create unique passwords for local accounts with administrative rights](#sec-create-unique-passwords) - -For information about security principals, see [Security Principals](security-principals.md). - -## Default local user accounts - -The default local user accounts are built-in accounts that are created automatically when you install Windows. - -After Windows is installed, the default local user accounts can't be removed or deleted. In addition, default local user accounts don't provide access to network resources. - -Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this article. - -Default local user accounts are described in the following sections. - -### Administrator account +
+
+Administrator The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. @@ -99,7 +63,10 @@ In this case, Group Policy can be used to enable secure settings that can contro > > - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. -### Guest account +
+
+
+Guest The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it's a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is entirely necessary. @@ -113,8 +80,11 @@ When enabling the Guest account, only grant limited rights and permissions. For In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user. -## HelpAssistant account (installed with a Remote Assistance session) +
+
+
+HelpAssistant The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. @@ -124,9 +94,9 @@ HelpAssistant is the primary account that is used to establish a Remote Assistan The SIDs that pertain to the default HelpAssistant account include: -- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services. +- SID: `S-1-5--13`, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services. -- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. +- SID: `S-1-5--14`, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used. @@ -145,7 +115,11 @@ For details about the HelpAssistant account attributes, see the following table. |Safe to move out of default container?|Can be moved out, but we don't recommend it.| |Safe to delegate management of this group to non-Service admins?|No| -### DefaultAccount +
+ +
+
+DefaultAccount The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. The DSMA is a well-known user account type. @@ -169,10 +143,10 @@ Today, Xbox automatically signs in as Guest account and all apps run in this con All the apps are multi-user-aware and respond to events fired by user manager. The apps run as the Guest account. -Similarly, Phone auto logs in as a “DefApps” account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. +Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. -For this purpose, the system creates DSMA. +For this purpose, the system creates DSMA. #### How the DefaultAccount gets created on domain controllers @@ -182,25 +156,37 @@ If the domain was created with domain controllers running an earlier version of #### Recommendations for managing the Default Account (DSMA) Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account. +
-## Default local system accounts +## Default local system accounts -### SYSTEM -The SYSTEM account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. +
+
+SYSTEM + + +The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups. On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account. > [!NOTE] > To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them. -### NETWORK SERVICE +
+
+
+NETWORK SERVICE + The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account). +
+
+
+LOCAL SERVICE -### LOCAL SERVICE The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account). +
-## How to manage local user accounts - +## How to manage local user accounts The default local user accounts, and the local user accounts you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)). @@ -221,11 +207,11 @@ The simplest approach is to sign in to your computer with a standard user accoun The other approaches that can be used to restrict and protect user accounts with administrative rights include: -- Enforce local account restrictions for remote access. +- Enforce local account restrictions for remote access. -- Deny network logon to all local Administrator accounts. +- Deny network logon to all local Administrator accounts. -- Create unique passwords for local accounts with administrative rights. +- Create unique passwords for local accounts with administrative rights. Each of these approaches is described in the following sections. @@ -274,57 +260,57 @@ The following table shows the Group Policy and registry settings that are used t 3. In the console tree, right-click **Group Policy Objects**, and > **New**. - ![local accounts 1.](images/localaccounts-proc1-sample1.png) + ![local accounts 1.](images/localaccounts-proc1-sample1.png) 4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer. - ![local accounts 2.](images/localaccounts-proc1-sample2.png) + ![local accounts 2.](images/localaccounts-proc1-sample2.png) 5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - ![local accounts 3.](images/localaccounts-proc1-sample3.png) + ![local accounts 3.](images/localaccounts-proc1-sample3.png) 6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps: - 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**. + 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**. - 2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**. + 2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**. - 3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**. + 3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**. 7. Ensure that the local account restrictions are applied to network interfaces by following these steps: - 1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**. + 1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**. - 2. Right-click **Registry**, and > **New** > **Registry Item**. + 2. Right-click **Registry**, and > **New** > **Registry Item**. - ![local accounts 4.](images/localaccounts-proc1-sample4.png) + ![local accounts 4.](images/localaccounts-proc1-sample4.png) - 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**. + 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**. - 4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**. + 4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**. - 5. Select (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. + 5. Select (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. - 6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**. + 6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**. - 7. In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value. + 7. In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value. - 8. In the **Value data** box, ensure that the value is set to **0**. + 8. In the **Value data** box, ensure that the value is set to **0**. - 9. Verify this configuration, and > **OK**. + 9. Verify this configuration, and > **OK**. - ![local accounts 5.](images/localaccounts-proc1-sample5.png) + ![local accounts 5.](images/localaccounts-proc1-sample5.png) 8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: - 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path. + 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path. - 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. + 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - ![local accounts 6.](images/localaccounts-proc1-sample6.png) + ![local accounts 6.](images/localaccounts-proc1-sample6.png) - 3. Select the GPO that you created, and > **OK**. + 3. Select the GPO that you created, and > **OK**. 9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. @@ -354,55 +340,33 @@ The following table shows the Group Policy settings that are used to deny networ #### To deny network logon to all local administrator accounts -1. Start the **Group Policy Management** Console (GPMC). +1. Start the **Group Policy Management** Console (GPMC) +1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO). +1. In the console tree, right-click **Group Policy Objects**, and > **New**. +1. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer + ![local accounts 7.](images/localaccounts-proc2-sample1.png) +1. In the details pane, right-click <**gpo\_name**>, and > **Edit** + ![local accounts 8.](images/localaccounts-proc2-sample2.png) +1. Configure the user rights to deny network logons for administrative local accounts as follows: +1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment** +1. Double-click **Deny access to this computer from the network** +1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** +1. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows: +1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment** +1. Double-click **Deny log on through Remote Desktop Services** +1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** +1. Link the GPO to the first **Workstations** OU as follows: + - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path + - Right-click the **Workstations** OU, and > **Link an existing GPO** + - Select the GPO that you created, and > **OK** +1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. +1. Create links to all other OUs that contain workstations. +1. Create links to all other OUs that contain servers. -2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO). + > [!NOTE] + > You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. -3. In the console tree, right-click **Group Policy Objects**, and > **New**. - -4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer. - - ![local accounts 7.](images/localaccounts-proc2-sample1.png) - -5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. - - ![local accounts 8.](images/localaccounts-proc2-sample2.png) - -6. Configure the user rights to deny network logons for administrative local accounts as follows: - - 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment**. - - 2. Double-click **Deny access to this computer from the network**. - - 3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. - -7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows: - - 1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**. - - 2. Double-click **Deny log on through Remote Desktop Services**. - - 3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**. - -8. Link the GPO to the first **Workstations** OU as follows: - - 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path. - - 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - - 3. Select the GPO that you created, and > **OK**. - -9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. - -10. Create links to all other OUs that contain workstations. - -11. Create links to all other OUs that contain servers. - - > [!NOTE] - > You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. - - -### Create unique passwords for local accounts with administrative rights +### Create unique passwords for local accounts with administrative rights Passwords should be unique per individual account. While it's true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments. @@ -410,19 +374,6 @@ Passwords that are left unchanged or changed synchronously to keep them identica Passwords can be randomized by: -- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools. - -- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task. - -- Creating and implementing a custom script or solution to randomize local account passwords. - -## See also - - -The following resources provide additional information about technologies that are related to local accounts. - -- [Security Principals](security-principals.md) - -- [Security Identifiers](security-identifiers.md) - -- [Access Control Overview](access-control.md) +- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools +- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task +- Creating and implementing a custom script or solution to randomize local account passwords diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 92b3296a71..62fc73012c 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -1,16 +1,11 @@ --- title: Additional mitigations description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/17/2017 -ms.technology: itpro-security +ms.topic: article +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Additional mitigations diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 69d69300a1..729349823b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -1,21 +1,11 @@ --- title: Advice while using Windows Defender Credential Guard (Windows) description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/31/2017 +ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 55fe9628bb..a44d84d5f4 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -1,21 +1,11 @@ --- title: How Windows Defender Credential Guard works description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/17/2017 +ms.topic: conceptual appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 2c5fe11327..0407517885 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -1,21 +1,11 @@ --- title: Windows Defender Credential Guard - Known issues (Windows) description: Windows Defender Credential Guard - Known issues in Windows Enterprise -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 01/26/2022 +ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- # Windows Defender Credential Guard: Known issues diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 33cab5403d..1a956703ff 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -1,25 +1,12 @@ --- title: Manage Windows Defender Credential Guard (Windows) description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: zwhittington -manager: aaroncz -ms.collection: - - M365-identity-device-management +ms.collection: - highpri ms.topic: article -ms.custom: - - CI 120967 - - CSSTroubleshooting appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- # Manage Windows Defender Credential Guard diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 5ff4d5dadc..ae48c7a815 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -1,22 +1,11 @@ --- title: Windows Defender Credential Guard protection limits & mitigations (Windows) description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/17/2017 +ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard protection limits and mitigations diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index 6444af7ea5..79de8e7f00 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md @@ -1,41 +1,30 @@ --- title: Windows Defender Credential Guard protection limits (Windows) description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article ms.date: 08/17/2017 +ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard protection limits Some ways to store credentials are not protected by Windows Defender Credential Guard, including: -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server 2016 domain controllers. It also doesn't protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise. -- Key loggers -- Physical attacks -- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- -- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. -- Windows logon cached password verifiers (commonly called "cached credentials") -don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. +- Software that manages credentials outside of Windows feature protection +- Local accounts and Microsoft Accounts +- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS. +- Key loggers +- Physical attacks +- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. +- Third-party security packages +- Digest and CredSSP credentials + - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. +- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- +- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. +- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. +- Windows logon cached password verifiers (commonly called "cached credentials") +don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 2e2a82219b..6112d90366 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -1,26 +1,14 @@ --- -title: Windows Defender Credential Guard Requirements (Windows) +title: Windows Defender Credential Guard requirements description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: zwhittington -manager: aaroncz -ms.collection: - - M365-identity-device-management -ms.topic: article ms.date: 12/27/2021 +ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- -# Windows Defender Credential Guard: Requirements +# Windows Defender Credential Guard requirements For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 8b39b99573..867ad14148 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -1,23 +1,20 @@ --- title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows) description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article -ms.date: 08/17/2017 -ms.technology: itpro-security +ms.date: 11/22/2022 +ms.topic: reference +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- -# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies +# Windows Defender Credential Guard: scripts for certificate authority issuance policies -Here is a list of scripts mentioned in this topic. +Expand each section to see the PowerShell scripts: -## Get the available issuance policies on the certificate authority +
+
+Get the available issuance policies on the certificate authority Save this script file as get-IssuancePolicy.ps1. @@ -207,8 +204,12 @@ write-host "There are no issuance policies which are not mapped to groups" ``` > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. -  -## Link an issuance policy to a group + +
+ +
+
+Link an issuance policy to a group Save the script file as set-IssuancePolicyToGroupLink.ps1. @@ -489,3 +490,5 @@ write-host $tmp -Foreground Red > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. + +
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 950eb3a95c..fe35c4ca75 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -1,24 +1,13 @@ --- title: Protect derived domain credentials with Windows Defender Credential Guard (Windows) description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: - - M365-identity-device-management - - highpri +ms.date: 11/22/2022 ms.topic: article -ms.date: 03/10/2022 +ms.collection: + - highpri appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Protect derived domain credentials with Windows Defender Credential Guard diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index bfb971ef4f..b4e156aa00 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -1,21 +1,11 @@ --- title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: erikdau -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 -ms.technology: itpro-security +ms.date: 11/22/2022 +ms.topic: reference +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool From a0d3f024380c65878885339837e35b5054a3b174 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 23 Nov 2022 10:37:22 -0500 Subject: [PATCH 02/11] updates --- windows/security/TOC.yml | 238 +++++++++--------- .../access-control/local-accounts.md | 111 ++++---- 2 files changed, 166 insertions(+), 183 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index c364767760..d0acdd1a6d 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -45,45 +45,45 @@ href: /windows-hardware/design/device-experiences/oem-highly-secure - name: Operating system security items: - - name: Overview - href: operating-system.md - - name: System security - items: - - name: Secure the Windows boot process - href: information-protection/secure-the-windows-10-boot-process.md - - name: Trusted Boot - href: trusted-boot.md - - name: Cryptography and certificate management - href: cryptography-certificate-mgmt.md - - name: The Windows Security app - href: threat-protection/windows-defender-security-center/windows-defender-security-center.md - items: - - name: Virus & threat protection - href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md - - name: Account protection - href: threat-protection\windows-defender-security-center\wdsc-account-protection.md - - name: Firewall & network protection - href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md - - name: App & browser control - href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md - - name: Device security - href: threat-protection\windows-defender-security-center\wdsc-device-security.md - - name: Device performance & health - href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md - - name: Family options - href: threat-protection\windows-defender-security-center\wdsc-family-options.md - - name: Security policy settings - href: threat-protection/security-policy-settings/security-policy-settings.md - - name: Security auditing - href: threat-protection/auditing/security-auditing-overview.md - - name: Encryption and data protection - href: encryption-data-protection.md - items: - - name: Encrypted Hard Drive - href: information-protection/encrypted-hard-drive.md - - name: BitLocker - href: information-protection/bitlocker/bitlocker-overview.md - items: + - name: Overview + href: operating-system.md + - name: System security + items: + - name: Secure the Windows boot process + href: information-protection/secure-the-windows-10-boot-process.md + - name: Trusted Boot + href: trusted-boot.md + - name: Cryptography and certificate management + href: cryptography-certificate-mgmt.md + - name: The Windows Security app + href: threat-protection/windows-defender-security-center/windows-defender-security-center.md + items: + - name: Virus & threat protection + href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md + - name: Account protection + href: threat-protection\windows-defender-security-center\wdsc-account-protection.md + - name: Firewall & network protection + href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md + - name: App & browser control + href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md + - name: Device security + href: threat-protection\windows-defender-security-center\wdsc-device-security.md + - name: Device performance & health + href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md + - name: Family options + href: threat-protection\windows-defender-security-center\wdsc-family-options.md + - name: Security policy settings + href: threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: threat-protection/auditing/security-auditing-overview.md + - name: Encryption and data protection + href: encryption-data-protection.md + items: + - name: Encrypted Hard Drive + href: information-protection/encrypted-hard-drive.md + - name: BitLocker + href: information-protection/bitlocker/bitlocker-overview.md + items: - name: Overview of BitLocker Device Encryption in Windows href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md - name: BitLocker frequently asked questions (FAQ) @@ -155,21 +155,21 @@ href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md - name: Decode Measured Boot logs to track PCR changes href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - - name: Personal Data Encryption (PDE) - items: - - name: Personal Data Encryption (PDE) overview - href: information-protection/personal-data-encryption/overview-pde.md - - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) - href: information-protection/personal-data-encryption/faq-pde.yml - - name: Configure Personal Data Encryption (PDE) in Intune - href: information-protection/personal-data-encryption/configure-pde-in-intune.md - - name: Configure S/MIME for Windows - href: identity-protection/configure-s-mime.md - - name: Network security - items: - - name: VPN technical guide - href: identity-protection/vpn/vpn-guide.md - items: + - name: Personal Data Encryption (PDE) + items: + - name: Personal Data Encryption (PDE) overview + href: information-protection/personal-data-encryption/overview-pde.md + - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) + href: information-protection/personal-data-encryption/faq-pde.yml + - name: Configure Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/configure-pde-in-intune.md + - name: Configure S/MIME for Windows + href: identity-protection/configure-s-mime.md + - name: Network security + items: + - name: VPN technical guide + href: identity-protection/vpn/vpn-guide.md + items: - name: VPN connection types href: identity-protection/vpn/vpn-connection-type.md - name: VPN routing decisions @@ -192,17 +192,17 @@ href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - name: Optimizing Office 365 traffic with the Windows VPN client href: identity-protection/vpn/vpn-office-365-optimization.md - - name: Windows Defender Firewall - href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - - name: Windows security baselines - href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - items: + - name: Windows Defender Firewall + href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: - name: Security Compliance Toolkit href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md - name: Get support href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md - - name: Virus & threat protection - items: + - name: Virus & threat protection + items: - name: Overview href: threat-protection/index.md - name: Microsoft Defender Antivirus @@ -219,8 +219,8 @@ href: /microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender for Endpoint href: /microsoft-365/security/defender-endpoint - - name: More Windows security - items: + - name: More Windows security + items: - name: Override Process Mitigation Options to help enforce app-related security policies href: threat-protection/override-mitigation-options-for-app-related-security-policies.md - name: Use Windows Event Forwarding to help with intrusion detection @@ -230,9 +230,9 @@ - name: Windows Information Protection (WIP) href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md items: - - name: Create a WIP policy using Microsoft Intune - href: information-protection/windows-information-protection/overview-create-wip-policy.md - items: + - name: Create a WIP policy using Microsoft Intune + href: information-protection/windows-information-protection/overview-create-wip-policy.md + items: - name: Create a WIP policy in Microsoft Intune href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md items: @@ -244,26 +244,26 @@ href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - name: Determine the enterprise context of an app running in WIP href: information-protection/windows-information-protection/wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Configuration Manager - href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md - items: + - name: Create a WIP policy using Microsoft Configuration Manager + href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: - name: Create and deploy a WIP policy in Configuration Manager href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md - name: Create and verify an EFS Data Recovery Agent (DRA) certificate href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - name: Determine the enterprise context of an app running in WIP href: information-protection/windows-information-protection/wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: information-protection/windows-information-protection/mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: information-protection/windows-information-protection/testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: information-protection/windows-information-protection/limitations-with-wip.md - - name: How to collect WIP audit event logs - href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md - items: + - name: Mandatory tasks and settings required to turn on WIP + href: information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: - name: Enlightened apps for use with WIP href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md - name: Unenlightened and enlightened app behavior while using WIP @@ -272,36 +272,36 @@ href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md - name: Using Outlook Web Access with WIP href: information-protection/windows-information-protection/using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: information-protection/windows-information-protection/wip-learning.md - - name: Disable WIP - href: information-protection/windows-information-protection/how-to-disable-wip.md + - name: Fine-tune WIP Learning + href: information-protection/windows-information-protection/wip-learning.md + - name: Disable WIP + href: information-protection/windows-information-protection/how-to-disable-wip.md - name: Application security items: - - name: Overview - href: apps.md - - name: Windows Defender Application Control and virtualization-based protection of code integrity - href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - - name: Windows Defender Application Control - href: threat-protection\windows-defender-application-control\windows-defender-application-control.md - - name: Microsoft Defender Application Guard - href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md - - name: Windows Sandbox - href: threat-protection/windows-sandbox/windows-sandbox-overview.md - items: + - name: Overview + href: apps.md + - name: Windows Defender Application Control and virtualization-based protection of code integrity + href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: Windows Defender Application Control + href: threat-protection\windows-defender-application-control\windows-defender-application-control.md + - name: Microsoft Defender Application Guard + href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md + - name: Windows Sandbox + href: threat-protection/windows-sandbox/windows-sandbox-overview.md + items: - name: Windows Sandbox architecture href: threat-protection/windows-sandbox/windows-sandbox-architecture.md - name: Windows Sandbox configuration href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md - - name: Microsoft Defender SmartScreen overview - href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - items: + - name: Microsoft Defender SmartScreen overview + href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + items: - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md - - name: Configure S/MIME for Windows - href: identity-protection\configure-s-mime.md - - name: Windows Credential Theft Mitigation Guide Abstract - href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md + - name: Configure S/MIME for Windows + href: identity-protection\configure-s-mime.md + - name: Windows Credential Theft Mitigation Guide Abstract + href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md - name: User security and secured identity items: - name: Overview @@ -342,15 +342,15 @@ items: - name: Local Accounts href: identity-protection/access-control/local-accounts.md - - name: User Account Control - href: identity-protection/user-account-control/user-account-control-overview.md - items: - - name: How User Account Control works - href: identity-protection/user-account-control/how-user-account-control-works.md - - name: User Account Control security policy settings - href: identity-protection/user-account-control/user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md + - name: User Account Control + href: identity-protection/user-account-control/user-account-control-overview.md + items: + - name: How User Account Control works + href: identity-protection/user-account-control/how-user-account-control-works.md + - name: User Account Control security policy settings + href: identity-protection/user-account-control/user-account-control-security-policy-settings.md + - name: User Account Control Group Policy and registry key settings + href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md - name: Smart Cards href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md items: @@ -396,14 +396,14 @@ href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md - name: Cloud services items: - - name: Overview - href: cloud.md - - name: Mobile device management - href: /windows/client-management/mdm/ - - name: Windows 365 Cloud PCs - href: /windows-365/overview - - name: Azure Virtual Desktop - href: /azure/virtual-desktop/ + - name: Overview + href: cloud.md + - name: Mobile device management + href: /windows/client-management/mdm/ + - name: Windows 365 Cloud PCs + href: /windows-365/overview + - name: Azure Virtual Desktop + href: /azure/virtual-desktop/ - name: Security foundations items: - name: Overview diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 7fa46f2d3f..85c1d02be5 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -1,7 +1,7 @@ --- title: Local Accounts description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. -ms.date: 22/11/2022 +ms.date: 11/22/2022 ms.collection: - highpri ms.topic: article @@ -222,7 +222,7 @@ Each of these approaches is described in the following sections. ### Enforce local account restrictions for remote access -The User Account Control (UAC) is a security feature in Windows that has been in use in Windows Server 2008 and in Windows Vista, and the operating systems to which the **Applies To** list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you. +User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you. UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command. @@ -254,70 +254,49 @@ The following table shows the Group Policy and registry settings that are used t #### To enforce local account restrictions for remote access -1. Start the **Group Policy Management** Console (GPMC). +1. Start the **Group Policy Management** Console (GPMC) +1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) +1. In the console tree, right-click **Group Policy Objects > New** + :::image type="content" source="images/localaccounts-proc1-sample1.png" alt-text="local accounts"::: +1. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer + :::image type="content" source="images/localaccounts-proc1-sample2.png" alt-text="local accounts"::: +1. In the details pane, right-click <**gpo\_name**>, and > **Edit** + :::image type="content" source="images/localaccounts-proc1-sample3.png" alt-text="local accounts"::: +1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps: -2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO). + - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options** + - Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK** + - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK** -3. In the console tree, right-click **Group Policy Objects**, and > **New**. +1. Ensure that the local account restrictions are applied to network interfaces by following these steps: - ![local accounts 1.](images/localaccounts-proc1-sample1.png) + - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry** + - Right-click **Registry**, and > **New** > **Registry Item** -4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer. + :::image type="content" source="images/localaccounts-proc1-sample4.png" alt-text="local accounts"::: - ![local accounts 2.](images/localaccounts-proc1-sample2.png) + - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace** + - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE** + - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` + - In the **Value name** area, type `LocalAccountTokenFilterPolicy` + - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value + - In the **Value data** box, ensure that the value is set to **0** + - Verify this configuration, and > **OK** -5. In the details pane, right-click <**gpo\_name**>, and > **Edit**. + :::image type="content" source="images/localaccounts-proc1-sample5.png" alt-text="local accounts"::: - ![local accounts 3.](images/localaccounts-proc1-sample3.png) +1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: -6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps: + - Navigate to the `*Forest*\\*Domain*\*OU*` path + - Right-click the **Workstations > Link an existing GPO** - 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**. + :::image type="content" source="images/localaccounts-proc1-sample6.png" alt-text="local accounts"::: - 2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**. - - 3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**. - -7. Ensure that the local account restrictions are applied to network interfaces by following these steps: - - 1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**. - - 2. Right-click **Registry**, and > **New** > **Registry Item**. - - ![local accounts 4.](images/localaccounts-proc1-sample4.png) - - 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**. - - 4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**. - - 5. Select (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. - - 6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**. - - 7. In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value. - - 8. In the **Value data** box, ensure that the value is set to **0**. - - 9. Verify this configuration, and > **OK**. - - ![local accounts 5.](images/localaccounts-proc1-sample5.png) - -8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: - - 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path. - - 2. Right-click the **Workstations** OU, and > **Link an existing GPO**. - - ![local accounts 6.](images/localaccounts-proc1-sample6.png) - - 3. Select the GPO that you created, and > **OK**. - -9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. - -10. Create links to all other OUs that contain workstations. - -11. Create links to all other OUs that contain servers. + - Select the GPO that you created, and > **OK** +1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy +1. Create links to all other OUs that contain workstations +1. Create links to all other OUs that contain servers ### Deny network logon to all local Administrator accounts Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials. @@ -325,8 +304,6 @@ Denying local accounts the ability to perform network logons can help prevent a > [!NOTE] > To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group. - - The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts. |No.|Setting|Detailed Description| @@ -341,12 +318,16 @@ The following table shows the Group Policy settings that are used to deny networ #### To deny network logon to all local administrator accounts 1. Start the **Group Policy Management** Console (GPMC) -1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO). -1. In the console tree, right-click **Group Policy Objects**, and > **New**. +1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) +1. In the console tree, right-click **Group Policy Objects**, and > **New** 1. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer + ![local accounts 7.](images/localaccounts-proc2-sample1.png) + 1. In the details pane, right-click <**gpo\_name**>, and > **Edit** + ![local accounts 8.](images/localaccounts-proc2-sample2.png) + 1. Configure the user rights to deny network logons for administrative local accounts as follows: 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment** 1. Double-click **Deny access to this computer from the network** @@ -356,15 +337,17 @@ The following table shows the Group Policy settings that are used to deny networ 1. Double-click **Deny log on through Remote Desktop Services** 1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK** 1. Link the GPO to the first **Workstations** OU as follows: + - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path - Right-click the **Workstations** OU, and > **Link an existing GPO** - Select the GPO that you created, and > **OK** -1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy. -1. Create links to all other OUs that contain workstations. -1. Create links to all other OUs that contain servers. - > [!NOTE] - > You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. +1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy +1. Create links to all other OUs that contain workstations +1. Create links to all other OUs that contain servers + +> [!NOTE] +> You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers. ### Create unique passwords for local accounts with administrative rights From 30e66f5ac86ea71a3b77182cb7b8fc9e14075af4 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 28 Nov 2022 15:19:09 -0500 Subject: [PATCH 03/11] updates --- windows/security/TOC.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 8cfebcc879..250dc19e5d 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -312,12 +312,13 @@ href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md - name: Enterprise Certificate Pinning href: identity-protection/enterprise-certificate-pinning.md - - name: Protect derived domain credentials with Credential Guard - href: identity-protection/credential-guard/credential-guard.md + - name: Credential Guard items: + - name: Protect derived domain credentials with Credential Guard + href: identity-protection/credential-guard/credential-guard.md - name: How Credential Guard works href: identity-protection/credential-guard/credential-guard-how-it-works.md - - name: Credential Guard Requirements + - name: Requirements href: identity-protection/credential-guard/credential-guard-requirements.md - name: Manage Credential Guard href: identity-protection/credential-guard/credential-guard-manage.md @@ -327,11 +328,11 @@ href: identity-protection/credential-guard/credential-guard-protection-limits.md - name: Considerations when using Credential Guard href: identity-protection/credential-guard/credential-guard-considerations.md - - name: "Credential Guard: Additional mitigations" + - name: Additional mitigations href: identity-protection/credential-guard/additional-mitigations.md - - name: "Credential Guard: Known issues" + - name: Known issues href: identity-protection/credential-guard/credential-guard-known-issues.md - - name: Protect Remote Desktop credentials with Remote Credential Guard + - name: Remote Credential Guard href: identity-protection/remote-credential-guard.md - name: Configuring LSA Protection href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json From f2a1079e3564ccafe03ae85e7583f55c88fe1b67 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 5 Dec 2022 11:36:23 -0500 Subject: [PATCH 04/11] updates --- windows/security/TOC.yml | 41 +++++++++++----------------------------- 1 file changed, 11 insertions(+), 30 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index a098ccd30b..70275d478d 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -154,41 +154,22 @@ - name: "BitLocker and TPM: other known issues" href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues - name: Decode Measured Boot logs to track PCR changes -<<<<<<< HEAD - href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md - - name: Personal Data Encryption (PDE) - items: - - name: Personal Data Encryption (PDE) overview - href: information-protection/personal-data-encryption/overview-pde.md - - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) - href: information-protection/personal-data-encryption/faq-pde.yml - - name: Configure Personal Data Encryption (PDE) in Intune - href: information-protection/personal-data-encryption/configure-pde-in-intune.md - - name: Configure S/MIME for Windows - href: identity-protection/configure-s-mime.md + href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes + - name: Personal Data Encryption (PDE) + items: + - name: Personal Data Encryption (PDE) overview + href: information-protection/personal-data-encryption/overview-pde.md + - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) + href: information-protection/personal-data-encryption/faq-pde.yml + - name: Configure Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/configure-pde-in-intune.md + - name: Configure S/MIME for Windows + href: identity-protection/configure-s-mime.md - name: Network security items: - name: VPN technical guide href: identity-protection/vpn/vpn-guide.md items: -======= - href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes - - name: Personal Data Encryption (PDE) - items: - - name: Personal Data Encryption (PDE) overview - href: information-protection/personal-data-encryption/overview-pde.md - - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) - href: information-protection/personal-data-encryption/faq-pde.yml - - name: Configure Personal Data Encryption (PDE) in Intune - href: information-protection/personal-data-encryption/configure-pde-in-intune.md - - name: Configure S/MIME for Windows - href: identity-protection/configure-s-mime.md - - name: Network security - items: - - name: VPN technical guide - href: identity-protection/vpn/vpn-guide.md - items: ->>>>>>> f25e6e8be24efd068196678e6e0e556d66fe2c0a - name: VPN connection types href: identity-protection/vpn/vpn-connection-type.md - name: VPN routing decisions From a543c98b81e90855a8236ef7d85752d89b1ca1cb Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 5 Dec 2022 12:11:11 -0500 Subject: [PATCH 05/11] updates --- .../access-control/local-accounts.md | 68 +++++++------------ .../credential-guard-how-it-works.md | 1 - 2 files changed, 24 insertions(+), 45 deletions(-) diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 4ae765d140..eebf25ce06 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -1,7 +1,7 @@ --- title: Local Accounts description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. -ms.date: 11/22/2022 +ms.date: 12/05/2022 ms.collection: - highpri ms.topic: article @@ -13,17 +13,17 @@ ms.technology: itpro-security # Local Accounts -This article describes the default local user accounts for Windows operating systems, and how to manage the built-in accounts on a member or standalone workstation/server. +This article describes the default local user accounts for Windows operating systems, and how to manage the built-in accounts. ## About local user accounts -Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. +Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users. ## Default local user accounts The *default local user accounts* are built-in accounts that are created automatically when the operating system is installed. The default local user accounts can't be removed or deleted and don't provide access to network resources. -Default local user accounts are used to manage access to the local device's resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the *Users* folder. The Users folder is located in the Local Users and Groups folder in the local *Computer Management* Microsoft Management Console (MMC). *Computer Management* is a collection of administrative tools that you can use to manage a single local or remote device. +Default local user accounts are used to manage access to the local device's resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the *Users* folder. The Users folder is located in the Local Users and Groups folder in the local *Computer Management* Microsoft Management Console (MMC). *Computer Management* is a collection of administrative tools that you can use to manage a local or remote device. Default local user accounts are described in the following sections. Expand each section for more information. @@ -31,19 +31,21 @@ Default local user accounts are described in the following sections. Expand each
Administrator -The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. +The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. -The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions. +The Administrator account has full control of the files, directories, services, and other resources on the local device. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time by changing the user rights and permissions. The default Administrator account can't be deleted or locked out, but it can be renamed or disabled. -From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. +Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. + +Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation. **Account group membership** -By default, the Administrator account is installed as a member of the Administrators group on the server. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer. +By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device. -The Administrator account can't be deleted or removed from the Administrators group, but it can be renamed. +The Administrator account can't be removed from the Administrators group. **Security considerations** @@ -53,9 +55,7 @@ You can rename the Administrator account. However, a renamed Administrator accou As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Don't use the Administrator account to sign in to your computer unless it's entirely necessary. For more information, see [Run a program with administrative credentials](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732200(v=ws.11)). -In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers. - -In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). +Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). > [!IMPORTANT] > @@ -68,11 +68,11 @@ In this case, Group Policy can be used to enable secure settings that can contro
Guest -The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it's a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is entirely necessary. +The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary. **Account group membership** -By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. +By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device. **Security considerations** @@ -108,7 +108,7 @@ For details about the HelpAssistant account attributes, see the following table. |--- |--- | |Well-Known SID/RID|`S-1-5--13 (Terminal Server User), S-1-5--14 (Remote Interactive Logon)`| |Type|User| -|Default container|`CN=Users, DC=, DC=`| +|Default container|`CN=Users, DC=`| |Default members|None| |Default member of|Domain Guests

Guests| |Protected by ADMINSDHOLDER?|No| @@ -121,14 +121,13 @@ For details about the HelpAssistant account attributes, see the following table.
DefaultAccount -The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. -The DSMA is a well-known user account type. -It's a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. -The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop. +The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic. -The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\-503 +The DSMA is disabled by default on the desktop SKUs and on the Server operating systems with the desktop experience. -The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581. +The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\-503`. + +The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of `S-1-5-32-581`. The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM). @@ -199,7 +198,7 @@ You can't use Local Users and Groups on a domain controller. However, you can us You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using various PowerShell cmdlets and other scripting technologies. -### Restrict and protect local accounts with administrative rights +### Restrict and protect local accounts with administrative rights An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement". @@ -218,9 +217,7 @@ Each of these approaches is described in the following sections. > [!NOTE] > These approaches do not apply if all administrative local accounts are disabled. - - -### Enforce local account restrictions for remote access +### Enforce local account restrictions for remote access User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you. @@ -257,11 +254,8 @@ The following table shows the Group Policy and registry settings that are used t 1. Start the **Group Policy Management** Console (GPMC) 1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) 1. In the console tree, right-click **Group Policy Objects > New** - :::image type="content" source="images/localaccounts-proc1-sample1.png" alt-text="local accounts"::: 1. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer - :::image type="content" source="images/localaccounts-proc1-sample2.png" alt-text="local accounts"::: 1. In the details pane, right-click <**gpo\_name**>, and > **Edit** - :::image type="content" source="images/localaccounts-proc1-sample3.png" alt-text="local accounts"::: 1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps: - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options** @@ -272,9 +266,6 @@ The following table shows the Group Policy and registry settings that are used t - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry** - Right-click **Registry**, and > **New** > **Registry Item** - - :::image type="content" source="images/localaccounts-proc1-sample4.png" alt-text="local accounts"::: - - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace** - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE** - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` @@ -283,21 +274,16 @@ The following table shows the Group Policy and registry settings that are used t - In the **Value data** box, ensure that the value is set to **0** - Verify this configuration, and > **OK** - :::image type="content" source="images/localaccounts-proc1-sample5.png" alt-text="local accounts"::: - 1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following: - Navigate to the `*Forest*\\*Domain*\*OU*` path - Right-click the **Workstations > Link an existing GPO** - - :::image type="content" source="images/localaccounts-proc1-sample6.png" alt-text="local accounts"::: - - Select the GPO that you created, and > **OK** 1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy 1. Create links to all other OUs that contain workstations 1. Create links to all other OUs that contain servers -### Deny network logon to all local Administrator accounts +### Deny network logon to all local Administrator accounts Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials. @@ -321,13 +307,7 @@ The following table shows the Group Policy settings that are used to deny networ 1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO) 1. In the console tree, right-click **Group Policy Objects**, and > **New** 1. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer - - ![local accounts 7.](images/localaccounts-proc2-sample1.png) - 1. In the details pane, right-click <**gpo\_name**>, and > **Edit** - - ![local accounts 8.](images/localaccounts-proc2-sample2.png) - 1. Configure the user rights to deny network logons for administrative local accounts as follows: 1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment** 1. Double-click **Deny access to this computer from the network** @@ -358,5 +338,5 @@ Passwords that are left unchanged or changed synchronously to keep them identica Passwords can be randomized by: - Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools -- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task +- Configuring [Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) to accomplish this task - Creating and implementing a custom script or solution to randomize local account passwords diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 9f189e45d2..3286ad1879 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -1,7 +1,6 @@ --- title: How Windows Defender Credential Guard works description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. -ms.topic: article ms.date: 08/17/2017 ms.topic: conceptual appliesto: From e1366068b0b98a350bc737f357d604f378e4fe48 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Mon, 5 Dec 2022 09:56:13 -0800 Subject: [PATCH 06/11] Update use-device-guard-signing-portal-in-microsoft-store-for-business.md --- ...vice-guard-signing-portal-in-microsoft-store-for-business.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index 48758015d3..b333b3e915 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -32,7 +32,7 @@ ms.technology: itpro-security > > You can continue to use the current Device Guard Signing Service v2 (DGSS) capabilities until that time. DGSS will be replaced by the [Azure Code Signing service (ACS)](https://aka.ms/AzureCodeSigning) and will support your Windows Defender Application Control (WDAC) policy and catalog file signing needs. -The Device Guard Signing Service v2 (DGSS) is a code signing service that comes with your existing Microsoft Store for Business and Education tenant account. You can use the DGSS to sign catalog files and Windows Defender Application Control (WDAC) policies +The Device Guard Signing Service v2 (DGSS) is a code signing service that comes with your existing Microsoft Store for Business and Education tenant account. You can use the DGSS to sign catalog files and Windows Defender Application Control (WDAC) policies. ## Set up permissions for DGSS signing in the Microsoft Store for Business and Education From 2a3ae44bad8bf36ca99605d5e87481e7781014e1 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Mon, 5 Dec 2022 13:25:59 -0600 Subject: [PATCH 07/11] Update how-user-account-control-works.md Acro edits. --- .../user-account-control/how-user-account-control-works.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 8070c8bf35..7f59ec2edf 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -70,7 +70,7 @@ The elevation prompt color-coding is as follows: **Shield icon** -Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. +Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screenshot of the **Date and Time Properties** Control Panel item. :::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties"::: @@ -138,7 +138,7 @@ The slider will never turn UAC completely off. If you set it to **Never notify** Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. -Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. +Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative app that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. From 8d2192c26da9cfde806a51605ecc4de0a2201ee2 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 7 Dec 2022 09:03:41 -0500 Subject: [PATCH 08/11] Metadata updates --- .../do/images/elixir_ux/readme-elixir-ux-files.md | 2 +- windows/deployment/do/mcc-enterprise-appendix.md | 2 +- windows/deployment/do/mcc-enterprise-deploy.md | 2 +- .../deployment/do/mcc-enterprise-prerequisites.md | 2 +- .../do/mcc-enterprise-update-uninstall.md | 2 +- .../do/mcc-isp-cache-node-configuration.md | 2 +- .../do/mcc-isp-create-provision-deploy.md | 2 +- windows/deployment/do/mcc-isp-faq.yml | 3 +-- windows/deployment/do/mcc-isp-signup.md | 2 +- windows/deployment/do/mcc-isp-support.md | 2 +- windows/deployment/do/mcc-isp-update.md | 2 +- windows/deployment/do/mcc-isp-verify-cache-node.md | 2 +- windows/deployment/do/mcc-isp-vm-performance.md | 2 +- .../do/waas-delivery-optimization-faq.yml | 2 +- windows/deployment/windows-autopatch/index.yml | 2 +- .../overview/windows-autopatch-faq.yml | 2 +- .../references/windows-autopatch-privacy.md | 2 +- .../auditing/advanced-security-auditing-faq.yml | 2 +- .../windows-defender-application-control/index.yml | 13 +++++-------- 19 files changed, 23 insertions(+), 27 deletions(-) diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md index f97aed1785..cec9cc3df6 100644 --- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -3,7 +3,7 @@ title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diag manager: aaroncz description: Elixir images read me file keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: nidos diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index ef710a3929..f95dde786a 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -2,7 +2,7 @@ title: Appendix manager: aaroncz description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: w10 +ms.prod: windows-client author: amymzhou ms.author: amyzhou ms.localizationpriority: medium diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index 74ef198811..cfca05d872 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -2,7 +2,7 @@ title: Deploying your cache node manager: dougeby description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node -ms.prod: w10 +ms.prod: windows-client author: amymzhou ms.localizationpriority: medium ms.author: amyzhou diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index 84faf8d670..d18c687dae 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md @@ -2,7 +2,7 @@ title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education manager: dougeby description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: w10 +ms.prod: windows-client author: amymzhou ms.localizationpriority: medium ms.author: amyzhou diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md index 60d0df68e3..c9e523b662 100644 --- a/windows/deployment/do/mcc-enterprise-update-uninstall.md +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -2,7 +2,7 @@ title: Update or uninstall Microsoft Connected Cache for Enterprise and Education manager: dougeby description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: w10 +ms.prod: windows-client author: amymzhou ms.localizationpriority: medium ms.author: amyzhou diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md index ae5404b2ae..3add251a38 100644 --- a/windows/deployment/do/mcc-isp-cache-node-configuration.md +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md @@ -3,7 +3,7 @@ title: Cache node configuration manager: aaroncz description: Configuring a cache node on Azure portal keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index 7ef7e28969..3793fb5ba7 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -3,7 +3,7 @@ title: Create, provision, and deploy the cache node in Azure portal manager: aaroncz description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: nidos diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 19f6da7226..a50448410d 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -8,13 +8,12 @@ metadata: author: amymzhou ms.author: amymzhou manager: aaroncz - audience: ITPro ms.collection: - M365-security-compliance - highpri ms.topic: faq ms.date: 09/30/2022 - ms.custom: seo-marvel-apr2020 + ms.prod: windows-client title: Microsoft Connected Cache Frequently Asked Questions summary: | **Applies to** diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index 291a69a7ab..f771550548 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -3,7 +3,7 @@ title: Operator sign up and service onboarding manager: aaroncz description: Service onboarding for Microsoft Connected Cache for ISP keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: nidos diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md index a321ac671c..98f791e422 100644 --- a/windows/deployment/do/mcc-isp-support.md +++ b/windows/deployment/do/mcc-isp-support.md @@ -3,7 +3,7 @@ title: Support and troubleshooting manager: aaroncz description: Troubleshooting issues for Microsoft Connected Cache for ISP keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client audience: itpro author: nidos ms.localizationpriority: medium diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md index c6bdfe27c8..abe18781c3 100644 --- a/windows/deployment/do/mcc-isp-update.md +++ b/windows/deployment/do/mcc-isp-update.md @@ -3,7 +3,7 @@ title: Update or uninstall your cache node manager: aaroncz description: How to update or uninstall your cache node keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md index 22f8b3de86..0769116c88 100644 --- a/windows/deployment/do/mcc-isp-verify-cache-node.md +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md @@ -3,7 +3,7 @@ title: Verify cache node functionality and monitor health and performance manager: aaroncz description: How to verify the functionality of a cache node keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 6cb5ab9b45..97ee999b1e 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -3,7 +3,7 @@ title: Enhancing VM performance manager: aaroncz description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 0fe613a87a..89d2d5567f 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -4,7 +4,7 @@ metadata: description: The following is a list of frequently asked questions for Delivery Optimization. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: aaroncz - ms.prod: m365-security + ms.prod: windows-client ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml index ee3fd80449..fe94531f9b 100644 --- a/windows/deployment/windows-autopatch/index.yml +++ b/windows/deployment/windows-autopatch/index.yml @@ -7,12 +7,12 @@ metadata: title: Windows Autopatch documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: device, app, update, management - ms.service: w11 #Required; service per approved list. service slug assigned to your service by ACOM. ms.topic: landing-page # Required author: tiaraquan #Required; your GitHub user alias, with correct capitalization. ms.author: tiaraquan #Required; microsoft alias of author; optional team alias. ms.date: 05/30/2022 #Required; mm/dd/yyyy format. ms.custom: intro-hub-or-landing + ms.prod: windows-client ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 7f5b4cf23e..b9f94b3dc8 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -2,7 +2,7 @@ metadata: title: Windows Autopatch - Frequently Asked Questions (FAQ) description: Answers to frequently asked questions about Windows Autopatch. - ms.prod: w11 + ms.prod: windows-client ms.topic: faq ms.date: 08/26/2022 audience: itpro diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index 4850fddac3..7554a7ebe2 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -2,7 +2,7 @@ title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch ms.date: 11/08/2022 -ms.prod: w11 +ms.prod: windows-client ms.technology: windows ms.topic: reference ms.localizationpriority: medium diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index f7e415c185..edae4a8bb0 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -2,7 +2,7 @@ metadata: title: Advanced security auditing FAQ (Windows 10) description: This article lists common questions and answers about understanding, deploying, and managing security audit policies. - ms.prod: m365-security + ms.prod: windows-client ms.technology: mde ms.localizationpriority: none author: dansimp diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index 5dd1e3fd49..6602ab9a3c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -4,14 +4,11 @@ title: Application Control for Windows metadata: title: Application Control for Windows description: Landing page for Windows Defender Application Control -# services: service -# ms.service: microsoft-WDAC-AppLocker -# ms.subservice: Application-Control -# ms.topic: landing-page -# author: Kim Klein -# ms.author: Jordan Geurten -# manager: Jeffrey Sutherland -# ms.update: 04/30/2021 + ms.topic: landing-page + author: vinaypamnani-msft + ms.author: vinpa + manager: aaroncz + ms.date: 12/07/2022 # linkListType: overview | how-to-guide | tutorial | video landingContent: # Cards and links should be based on top customer tasks or top subjects From 5ef7c01ad4dc9e6af309b5b73b4c10b211dfa1bc Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 7 Dec 2022 09:29:33 -0500 Subject: [PATCH 09/11] update --- .../windows-autopatch/references/windows-autopatch-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index 7554a7ebe2..2b8f0abea0 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -3,7 +3,7 @@ title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch ms.date: 11/08/2022 ms.prod: windows-client -ms.technology: windows +ms.technology: itpro-updates ms.topic: reference ms.localizationpriority: medium author: tiaraquan From 9557bff4f529dd3f9faecd72a15274e582b88829 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 7 Dec 2022 07:39:33 -0800 Subject: [PATCH 10/11] Minor changes to deploying WDAC with script related topics --- .../TOC.yml | 2 +- .../deploy-wdac-policies-with-script.md | 25 +++++++++++++------ .../operations/citool-commands.md | 10 ++++---- 3 files changed, 24 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 6e21277b67..f9355db522 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -115,7 +115,7 @@ href: operations/known-issues.md - name: Managed installer and ISG technical reference and troubleshooting guide href: configure-wdac-managed-installer.md - - name: Managing WDAC Policies with CI Tool + - name: CITool.exe technical reference href: operations/citool-commands.md - name: WDAC AppId Tagging guide href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 9beafe889b..555d544b8f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -10,7 +10,7 @@ ms.reviewer: aaroncz ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 10/06/2022 +ms.date: 12/03/2022 ms.technology: itpro-security ms.topic: article ms.localizationpriority: medium @@ -29,13 +29,22 @@ ms.localizationpriority: medium This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. -> [!NOTE] -> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. - -## Deploying policies for Windows 10 version 1903 and above - You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). +## Deploying policies for Windows 11 22H2 and above + +You can use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the example below with the actual path to your WDAC policy binary file. + +```powershell +# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML) +$PolicyBinary = "" +citool.exe --update-policy $PolicyBinary --json +``` + +## Deploying policies for Windows 11, Windows 10 version 1903 and above, and Windows Server 2022 and above + +To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool. + 1. Initialize the variables to be used by the script. ```powershell @@ -58,7 +67,9 @@ You should now have one or more WDAC policies converted into binary form. If not & $RefreshPolicyTool ``` -## Deploying policies for Windows 10 versions earlier than 1903 +## Deploying policies for all other versions of Windows and Windows Server + +Use WMI to apply policies on all other versions of Windows and Windows Server. 1. Initialize the variables to be used by the script. diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md index 88273c3c74..e9f786a561 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md @@ -3,15 +3,15 @@ title: Managing CI Policies and Tokens with CiTool description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool author: valemieux ms.author: jogeurte -ms.reviewer: jogeurte +ms.reviewer: jsuther1974 ms.topic: how-to -ms.date: 08/07/2022 +ms.date: 12/03/2022 ms.custom: template-how-to ms.prod: windows-client ms.technology: itpro-security --- -# Manage Windows Defender Application Control (WDAC) Policies with CI Tool +# CITool.exe technical reference CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2. @@ -21,7 +21,7 @@ CI Tool makes Windows Defender Application Control (WDAC) policy management easi |--------|---------|---------| | --update-policy `` | Add or update a policy on the current system | -up | | --remove-policy `` | Remove a policy indicated by PolicyGUID from the system | -rp | -| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp | +| --list-policies | Dump information about all policies on the system, whether they're active or not | -lp | ## Token Commands @@ -32,7 +32,7 @@ CI Tool makes Windows Defender Application Control (WDAC) policy management easi | --list-tokens | Dump information about all tokens on the system | -lt | > [!NOTE] -> Regarding --add-token, if `` is specified, a pre-existing token with `` should not exist. +> Regarding `--add-token`, if `` is specified, a pre-existing token with `` should not exist. ## Miscellaneous Commands From d77e64187033f31805c3fde518d2a9e6defebfb1 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Wed, 7 Dec 2022 14:52:57 -0500 Subject: [PATCH 11/11] Added a description for the 3114 event --- .../event-id-explanations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index abe6093543..3e50353eed 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -189,3 +189,4 @@ A list of other relevant event IDs and their corresponding description. | 3110 | Windows mode change event was unsuccessful. | | 3111 | The file under validation didn't meet the hypervisor-protected code integrity (HVCI) policy. | | 3112 | The file under validation is signed by a certificate that has been explicitly revoked by Windows. | +| 3114 | Dynamic Code Security opted the .NET app or DLL into Application Control policy validation. The file under validation didn't pass your policy and was blocked. |