@ -27,7 +27,7 @@ You can access these audit policy settings through the Local Security Policy sna
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
**Account Logon**
## Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
@ -36,7 +36,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
**Account Management**
## Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
@ -47,7 +47,7 @@ The security audit policy settings in this category can be used to monitor chang
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
- [Audit User Account Management](audit-user-account-management.md)
**Detailed Tracking**
## Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
@ -57,7 +57,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Termination](audit-process-termination.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
- [Audit RPC Events](audit-rpc-events.md)
**DS Access**
## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (ADDS). These audit events are logged only on domain controllers. This category includes the following subcategories:
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (ADDS). These audit events are logged only on domain controllers. This category includes the following subcategories:
@ -66,7 +66,7 @@ DS Access security audit policy settings provide a detailed audit trail of attem
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
**Logon/Logoff**
## Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
@ -82,11 +82,11 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
- [Audit Special Logon](audit-special-logon.md)
**Object Access**
## Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access).
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
This category includes the following subcategories:
This category includes the following subcategories:
@ -105,7 +105,7 @@ This category includes the following subcategories:
- [Audit SAM](audit-sam.md)
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
**Policy Change**
## Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
@ -116,7 +116,7 @@ Policy Change audit events allow you to track changes to important security poli
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
**Privilege Use**
## Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
@ -124,7 +124,7 @@ Permissions on a network are granted for users or computers to complete defined
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
**System**
## System
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
@ -134,7 +134,7 @@ System security policy settings and audit events allow you to track system-level
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
- [Audit System Integrity](audit-system-integrity.md)
**Global Object Access**
## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
@ -82,7 +82,7 @@ This URL will match that seen in the Firewall or network activity.</td>
<td>Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
<td>Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).</td>
</tr>
</tr>
<tr>
<tr>
<td>6</td>
<td>6</td>
@ -145,7 +145,7 @@ It may take several hours for the endpoint to appear in the portal.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).</td>
@ -81,7 +81,7 @@ Investigate the details of an alert raised on a specific machine to identify oth
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
- The [Machines view](#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view)
- The [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
@ -81,7 +81,7 @@ The default Administrator account is initially installed differently for Windows
In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#security-considerations).
In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**.
@ -30,8 +30,8 @@ The TPM Services Group Policy settings are located at:
| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X|
| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X|
| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||
| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#individual)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#bkmk-individual)| X| X| X| X|||
| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
| [Standard User Total Lockout Threshold](#bkmk-total)| X| X| X| X||||
### <a href="" id="bkmk-tpmgp-addsbu"></a>Turn on TPM backup to Active Directory Domain Services
### <a href="" id="bkmk-tpmgp-addsbu"></a>Turn on TPM backup to Active Directory Domain Services
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Justinha