Merge pull request #9566 from aczechowski/cz-20240205-brokenlinks

broken links
2025-05-11 04:47:23 +00:00 · 2024-02-05 17:54:36 -06:00 · 2024-02-05 17:54:36 -06:00 · 6102837c49
commit 6102837c49
parent 4dc2719990 6f333718f4
2 changed files with 71 additions and 79 deletions
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@ -98,17 +98,6 @@ To validate a UE-V settings location template with the UE-V template generator:

    After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise.

-## Next steps
-
-## <a href="" id="share"></a>Share settings location templates with the Template Gallery
-
-Before you share a settings location template on the UE-V template gallery, ensure it doesn't contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company.
-
- Template Author Name - Specify a general, non-identifying name for the template author name or exclude this data from the template.
- Template Author Email - Specify a general, non-identifying template author email or exclude this data from the template.
-
-Before you deploy any settings location template that you've downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment.
-
 ## Related topics

 [Administering UE-V](uev-administering-uev.md)
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@ -1,5 +1,5 @@
 ---
-title: 4913(S) Central Access Policy on the object was changed. 
+title: 4913(S) Central Access Policy on the object was changed
 description: Describes security event 4913(S) Central Access Policy on the object was changed.
 ms.pagetype: security
 ms.mktglfcycl: deploy
@ -7,14 +7,13 @@ ms.sitesec: library
 ms.localizationpriority: low
 author: vinaypamnani-msft
 ms.date: 09/08/2021
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: reference
 ---

-# 4913(S): Central Access Policy on the object was changed.
-
+# 4913(S): Central Access Policy on the object was changed

 <img src="images/event-4913.png" alt="Event 4913 illustration" width="648" height="557" hspace="10" align="left" />

@ -24,44 +23,45 @@ ms.topic: reference

 This event generates when a [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) on a file system object is changed.

-This event always generates, regardless of the object’s [SACL](/windows/win32/secauthz/access-control-lists) settings.
+This event always generates, regardless of the object's [SACL](/windows/win32/secauthz/access-control-lists) settings.

-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.

-<br clear="all">

 ***Event XML:***
-```
+
+```xml
 - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 - <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4913</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13570</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-09T23:40:43.118758100Z" /> 
- <EventRecordID>1183666</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
+ <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
+ <EventID>4913</EventID>
+ <Version>0</Version>
+ <Level>0</Level>
+ <Task>13570</Task>
+ <Opcode>0</Opcode>
+ <Keywords>0x8020000000000000</Keywords>
+ <TimeCreated SystemTime="2015-11-09T23:40:43.118758100Z" />
+ <EventRecordID>1183666</EventRecordID>
+ <Correlation />
+ <Execution ProcessID="516" ThreadID="524" />
+ <Channel>Security</Channel>
+ <Computer>DC01.contoso.local</Computer>
+ <Security />
 </System>
 - <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x37901</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="ObjectType">File</Data> 
- <Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data> 
- <Data Name="HandleId">0x3d4</Data> 
- <Data Name="OldSd">S:AI</Data> 
- <Data Name="NewSd">S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)</Data> 
- <Data Name="ProcessId">0x884</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data> 
+ <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
+ <Data Name="SubjectUserName">dadmin</Data>
+ <Data Name="SubjectDomainName">CONTOSO</Data>
+ <Data Name="SubjectLogonId">0x37901</Data>
+ <Data Name="ObjectServer">Security</Data>
+ <Data Name="ObjectType">File</Data>
+ <Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data>
+ <Data Name="HandleId">0x3d4</Data>
+ <Data Name="OldSd">S:AI</Data>
+ <Data Name="NewSd">S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)</Data>
+ <Data Name="ProcessId">0x884</Data>
+ <Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
 </EventData>
 </Event>
 ```
@ -82,7 +82,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/

 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object.

-   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
+-   **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following ones:

    -   Domain NETBIOS name example: CONTOSO

@ -90,17 +90,17 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/

    -   Uppercase full domain name: CONTOSO.LOCAL

-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+    -   For some [well-known security principals](/windows-server/identity/ad-ds/manage/understand-security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".

-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".

-   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+-   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."

 **Object**:

-   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
+-   **Object Server** \[Type = UnicodeString\]: has "**Security**" value for this event.

-   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **“File”** for this event.
+-   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **"File"** for this event.

    The following table contains the list of the most common **Object Types**:

@ -118,7 +118,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/

 <!-- -->

-   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
+-   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "[4663](event-4663.md)(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".

 **Process:**

@ -128,7 +128,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/

    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
+    You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID** field.

 -   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.

@ -136,29 +136,30 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/

 -   **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object).

-    SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name, you need to do the following steps:
+    SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is "**S-1-17-1442530252-1178042555-1247349694-2318402534**". To resolve this SID to the real Central Access Policy name, you need to do the following steps:

-1.  Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container.
+1.  Find Central Access Policy Active Directory object in: "CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX" Active Directory container.

-2.  Open object’s “**Properties**”.
+2.  Open object's "**Properties**".

-3.  Find “**msAuthz-CentralAccessPolicyID**” attribute.
+3.  Find "**msAuthz-CentralAccessPolicyID**" attribute.

-4.  Convert hexadecimal value to SID (string). Here you can see more information about how to perform this action: <https://social.technet.microsoft.com/Forums/scriptcenter/en-US/11585f2c-ed0d-4c2b-a2b6-ef2aa07b3745/how-to-convert-sid>.
+4.  Convert hexadecimal value to SID (string).

 <img src="images/adsi-edit.png" alt="ADSI Edit illustration" width="763" height="454" hspace=10" align="left" />

-> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example “**S:AI**”.
+> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example "**S:AI**".

 -   **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.

-> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-> 
+> [!NOTE]
+> The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+>
 > Example:
-> 
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
-> 
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
+>
+> `*O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)`
+>
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
 > See the list of possible values in the table below:

 | Value | Description                          | Value | Description                     |
@ -193,13 +194,13 @@ Example: D:(A;;FA;;;WD)

 - entry\_type:

-“D” - DACL
+"D" - DACL

-“S” - SACL
+"S" - SACL

 - inheritance\_flags:

-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+"P" - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.

 "AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" isn't also set.

@ -231,7 +232,7 @@ Example: D:(A;;FA;;;WD)

 "NP" - NO PROPAGATE: only immediate children inherit this ace.

-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+"IO" - INHERITANCE ONLY: ace doesn't apply to this object, but may affect children via inheritance.

 "ID" - ACE IS INHERITED

@ -262,24 +263,26 @@ Example: D:(A;;FA;;;WD)
 - inherit\_object\_guid: N/A
 - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.

-For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
+For more information about SDDL syntax, see these articles:
+
+- [2.5.1.1 Syntax](/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070)
+- [ACCESS_MASK](/windows/win32/secauthz/access-mask)

 ## Security Monitoring Recommendations

 For 4913(S): Central Access Policy on the object was changed.

-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+> [!IMPORTANT]
+> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).

-   If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.”
+-   If you need to monitor events related to specific Windows object types ("**Object Type**"), for example **File** or **Key**, monitor this event for the corresponding "**Object Type**."

-   If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the “**Object Name**” that corresponds to the file or folder.
+-   If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the "**Object Name**" that corresponds to the file or folder.

-   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+-   If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.

-   You can monitor to see if “**Process Name**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+-   You can monitor to see if "**Process Name**" isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).

-<!-- -->
+-   If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."

-   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
-   If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in “**New Security Descriptor**” to see if it matches the expected policy.
+-   If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in "**New Security Descriptor**" to see if it matches the expected policy.