@ -79,8 +79,8 @@ Groups are characterized by a scope that identifies the extent to which the grou
- Domain Local
**Note**
In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed.
> [!NOTE]
> In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed.
@ -111,8 +111,8 @@ The following table lists the three group scopes and more information about each
<td><p>Accounts from any domain in the same forest</p>
<p>Global groups from any domain in the same forest</p>
<p>Other Universal groups from any domain in the same forest</p></td>
<td><p>Can be converted to Domain Local scope</p>
<p>Can be converted to Global scope if the group is not a member of any other Universal groups</p></td>
<td><p>Can be converted to Domain Local scope if the group is not a member of any other Universal groups</p>
<p>Can be converted to Global scope if the group does not contain any other Universal groups</p></td>
<td><p>On any domain in the same forest or trusting forests</p></td>
<td><p>Other Universal groups in the same forest</p>
<p>Domain Local groups in the same forest or trusting forests</p>
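Review bot: the two Universal-scope conversion cells change meaning, not just formatting. The condition "if the group is not a member of any other Universal groups" moves from the Global conversion to the Domain Local conversion, and the Global conversion gets a new condition, "if the group does not contain any other Universal groups". The rest of this commit only converts callout syntax, so name this correction in the commit message or split it into its own commit, so the scope-conversion rules get a deliberate review; group-nesting and delegation decisions are made from this table.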
@ -620,8 +620,8 @@ Members of the Account Operators group cannot manage the Administrator user acco
The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
**Note**
By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
> [!NOTE]
> By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
@ -686,8 +686,8 @@ Members of the Administrators group have complete and unrestricted access to the
The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
**Note**
The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.
> [!NOTE]
> The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.
Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.
@ -2056,8 +2056,8 @@ When a member of the Guests group signs out, the entire profile is deleted. This
A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
> [!NOTE]
> A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled.
@ -2125,8 +2125,8 @@ This security group has not changed since Windows Server 2008.
Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.
**Note**
Prior to Windows Server2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
> [!NOTE]
> Prior to Windows Server2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
@ -2252,8 +2252,8 @@ Members of the Incoming Forest Trust Builders group can create incoming, one-way
To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.
**Note**
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
> [!NOTE]
> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
@ -2261,8 +2261,8 @@ For more information, see [How Domain and Forest Trusts Work: Domain and Forest
The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
**Note**
This group cannot be renamed, deleted, or moved.
> [!NOTE]
> This group cannot be renamed, deleted, or moved.
@ -2359,17 +2359,15 @@ Members of the Network Configuration Operators group can have the following admi
- Enter the PINunblock key(PUK)for mobile broadband devices that support a SIM card.
**Note**
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
> [!NOTE]
> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
**Note**
This group cannot be renamed, deleted, or moved.
> [!NOTE]
> This group cannot be renamed, deleted, or moved.
This security group has not changed since Windows Server 2008.
@ -2434,26 +2432,23 @@ Members of the Performance Log Users group can manage performance counters, logs
- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right.
**Warning**
If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
> [!WARNING]
> If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
- Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
**Note**
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
> [!NOTE]
> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
**Note**
This account cannot be renamed, deleted, or moved.
> [!NOTE]
> This account cannot be renamed, deleted, or moved.
This security group has not changed since Windows Server 2008.
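Review bot: the last callout in this hunk reads "This account cannot be renamed, deleted, or moved", but the section describes the Performance Log Users group, and the same callout in the neighbouring hunks says "This group". Since the line is being rewritten anyway, change "account" to "group".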
@ -2524,13 +2519,13 @@ Specifically, members of this security group:
- Cannot create or modify Data Collector Sets.
**Warning**
You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
> [!WARNING]
> You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
**Note**
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
> [!NOTE]
> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
@ -2590,15 +2585,13 @@ This security group has not changed since Windows Server 2008.
Members of the Pre–Windows2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running WindowsNT4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running WindowsNT4.0 or earlier.
**Warning**
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
> [!WARNING]
> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
The Pre–Windows2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
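Review bot: the sentence "This group appears as a SID until the domain controller is made the primary domain controller" is emitted as `> [!WARNING]` here, while the identical sentence is a `> [!NOTE]` in the Incoming Forest Trust Builders, Network Configuration Operators, Performance Log Users and Performance Monitor Users hunks. The old label was **Warning**, so the conversion is faithful, but consider `> [!NOTE]` for consistency so the warning style stays reserved for text that carries risk.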
@ -3243,8 +3236,8 @@ This security group was introduced in Windows Server2012, and it has not chang
Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.
**Important**
In Windows Server2008R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server2008R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
> [!WARNING]
> In Windows Server2008R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server2008R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
However, Windows Server2008R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
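Review bot: the **Important** label is converted to `> [!WARNING]` rather than `> [!IMPORTANT]`, which changes the callout type; every other label in this commit maps to the alert of the same name. Use `> [!IMPORTANT]` here, and confirm whether the "However, ..." paragraph that follows belongs inside the same callout, since it is left outside the blockquote.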
@ -3489,8 +3482,8 @@ For more information about this security group, see [Terminal Services License S
The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
**Note**
This group cannot be renamed, deleted, or moved.
> [!NOTE]
> This group cannot be renamed, deleted, or moved.
@ -3624,11 +3617,10 @@ Members of this group have access to the computed token GroupsGlobalAndUniversal
The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
**Note**
This group cannot be renamed, deleted, or moved.
> [!NOTE]
> This group cannot be renamed, deleted, or moved.
This security group has not changed since Windows Server 2008.
<table>
@ -3704,8 +3696,8 @@ The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operat
In Windows Server2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.
**Note**
The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console.
> [!NOTE]
> The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console.
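Review bot: the group name is written `WinRMRemoteWMIUsers\_` (one escaped underscore) in the converted note and in the hunk header context, but `WinRMRemoteWMIUsers\_\_` (two) in the paragraph just above the note. Confirm the correct name and use it in both places, since administrators will search for this exact name when auditing who is allowed to run Windows PowerShell commands remotely.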
@ -22,7 +22,7 @@ Learn more about how to secure documents and other data across your organization
|-|-|
| [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
| [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
| [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. |
| [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to PCI accessible ports, such as Thunderbolt™ 3 ports. |
| [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
| [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |
| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
Here you will find information about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs
Here you will find information about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs.
* [Understand malware & other threats](understanding-malware.md)
See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
@ -93,6 +93,12 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
> [!NOTE]
> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. Watch this video for a quick overview of the Microsoft Services Hub.
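Review bot: the added note ends with "Watch this video for a quick overview of the Microsoft Services Hub." but the line carries no link or embed, so the reader has nothing to follow. Add the video URL or drop the sentence; "Customers with Premier Support subscription" also needs an article ("a Premier Support subscription").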
@ -85,9 +85,9 @@ You'll need to take the following steps if you choose to onboard servers through
Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
### Turn on Server monitoring from the Microsoft Defender Security Center portal
@ -156,6 +156,7 @@ Support for Windows Server, provide deeper insight into activities happening on
1. Run the following PowerShell command to verify that the passive mode was configured:
@ -185,7 +186,7 @@ The following capabilities are included in this integration:
> Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
> [!IMPORTANT]
> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
@ -233,7 +234,7 @@ To offboard the server, you can use either of the following methods:
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
@ -50,7 +50,7 @@ File, folder, and process exclusions support the following wildcards:
Wildcard | Description | Example | Matches | Does not match
---|---|---|---|---
\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/\*/\*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log` | `file123.log`
@ -65,5 +65,11 @@ The option to **Consult a threat expert** is available in several places in the
-<i>**File page actions menu**</i><BR>

> [!NOTE]
> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. Watch this video for a quick overview of the Microsoft Services Hub.
- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
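Review bot: the note added here is a verbatim copy of the one added in the earlier Microsoft Threat Experts hunk, including "Watch this video" with no link. Consider keeping the text in one shared place that both pages reference so the two copies cannot drift, and fix the missing link there.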