deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

smb hardening

Browse Source
This commit is contained in:
J. Decker 2016-04-28 11:09:11 -07:00
parent 33314f5bde
commit 552ffb8381
1 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
windows/keep-secure/windows-10-security-guide.md
View File

@ -355,7 +355,10 @@ Table 3. Threats and Windows 10 mitigations
<th align="left">Windows 10 mitigation</th>
</tr>
</thead>
<tbody>
<tbody><tr class="odd">
<td align="left"><p>"Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users</p></td>
<td align="left"><p>Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Firmware bootkits replace the firmware with malware.</p></td>
<td align="left"><p>All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.</p></td>
@ -395,6 +398,22 @@ Table 3. Threats and Windows 10 mitigations
The sections that follow describe these improvements in more detail.
**SMB hardening improvements for SYSVOL and NETLOGON connections**
In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).
- **What value does this change add?**
This change reduces the likelihood of man-in-the-middle attacks.
- **What works differently?**
If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer wont process domain-based Group Policy and scripts.
> **Note:** The registry values for these settings arent present by default, but the hardening rules still apply until overridden by Group Policy or other registry values.
For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](http://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=789215).
**Secure hardware**
Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors.